oidfed

package module
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 17, 2025 License: MIT Imports: 43 Imported by: 6

README

Implementation of OpenID Federations for Golang

License GitHub go.mod Go version Go Report DeepSource DeepSource

This repository holds a work-in-process implementation of OpenID Federation in the go language with the goal to enable go applications to make use of OpenID federation.

The implementation mainly focuses on the Relying Party and Intermediate / Trust Anchor side, but not on the OP side. However, building blocks can also be utilized for OPs or other entity types. We provide a basic library as well as a configurable and flexible federation entity to support higher level functionality.

  • This repository contains:
    • The basic go-oidfed library with the core oidfed functionalities.
    • It can be used to build all kind of oidfed capable entities.
  • The LightHouse repository at https://github.com/go-oidfed/lighthouse contains:
    • Higher level implementation for various federation endpoints
    • The LightHouse federation entity. This is a configurable and flexible federation entity that can be used as a
      • Trust Anchor
      • Intermediate Authority
      • Trust Mark Issuer
      • Resolver
      • Entity Collector
      • Everything at the same time.
  • The whoami-rp repository at https://github.com/go-oidfed/whoami-rp contains:
    • A simple - but not very useful - example RP.
  • The OFFA repository at https://github.com/go-oidfed/offa:
    • OFFA stands for Openid Federation Forward Auth
    • OFFA can be deployed next to existing services to add oidfed authentication to services that do not natively support it.
    • OFFA can be used with Apache, Caddy, NGINX, and Traefik.
Implementation State

The library is not considered stable and some features might be missing. We encourage everybody to give feedback on things that are missing, not working, or weird, also suggestions for improvements and of course we are open for pull requests.

We try to be up-to-date with the latest version of the spec, but this might not always be the case.

Here we try to sum up the current implementation state, (but it's very likely that the list is not complete)

Feature Library Entity
OpenID Configuration Yes Yes
Trust Chain Building Yes When needed
Trust Chain Verification Yes Yes
Applying Metadata Policies Yes Yes
Applying Metadata from Superiors No No
Support for Custom Metadata Policy Operators Yes Yes
Filter Trust Chains Yes Yes
Configure Trust Anchors Yes Yes
Set Authority Hints N/A Yes
Resolve Endpoint Yes
IA Fetch Endpoint Yes
IA Listing Endpoint Yes
Trust Mark Endpoint Yes
Trust Marked Entities Endpoint Yes
Trust Mark Status Endpoint Yes
Trust Mark Owner Delegation Yes Yes
Trust Mark JWT Verification Yes Yes
Trust Mark JWT Verification including Delegation Yes Yes
Trust Mark Verification through Trust Mark Status Endpoint No No
JWT Type Verification Yes Yes
Requests using GET Yes
Requests using POST No
Client Authentication No
Automatic Client Registration Yes Yes
Authorization Code Flow with Automatic Client Registration using oidc key from jwks Yes
Authorization Code Flow with Automatic Client Registration using oidc key from jwks_uri No
Authorization Code Flow with Automatic Client Registration using oidc key from signed_jwks_uri No
Explicit Client Registration No No
Constraints Yes Yes
Federation Historical Keys Endpoint No No
Automatic Key Rollover No
Enrollment of Entities Yes
Configurable Checks for Enrollment Yes
Custom Checks for Enrollment Yes
Request Enrollment Yes
Configurable Checks for Trust Mark Issuance Yes
Custom Checks for Trust Mark Issuance Yes
Request to become entitled for a Trust Mark Yes
Automatically refresh trust marks in Entity Configuration Yes

This work was started in and supported by the Geant Trust & Identity Incubator.

Documentation

Overview

Code generated by go generate; DO NOT EDIT.

Index

Constants

View Source 
const (
	MatchModeSubstringCaseInsensitive matchMode = "substring-case-insensitive"
	MatchModeSubstringCaseSensitive   matchMode = "substring-case-sensitive"
	MatchModeExactCaseSensitive       matchMode = "exact-case-sensitive"
	MatchModeExactCaseInsensitive     matchMode = "exact-case-insensitive"
	MatchModeFuzzy                    matchMode = "fuzzy"
)
View Source 
const (
	InvalidRequest         = "invalid_request"
	InvalidClient          = "invalid_client"
	InvalidIssuer          = "invalid_issuer"
	InvalidSubject         = "invalid_subject"
	InvalidTrustAnchor     = "invalid_trust_anchor"
	InvalidTrustChain      = "invalid_trust_chain"
	InvalidMetadata        = "invalid_metadata"
	NotFound               = "not_found"
	ServerError            = "server_error"
	TemporarilyUnavailable = "temporarily_unavailable"
	UnsupportedParameter   = "unsupported_parameter"
)

Constants for some error

Variables

View Source 
var OperatorOrder = []PolicyOperatorName{
	PolicyOperatorValue,
	PolicyOperatorAdd,
	PolicyOperatorDefault,
	PolicyOperatorOneOf,
	PolicyOperatorSubsetOf,
	PolicyOperatorSupersetOf,
	PolicyOperatorEssential,
}

OperatorOrder defines the order in which the PolicyOperator are applied. If custom PolicyOperator are implemented they must be added to this slice at the correct position

View Source 
var ResolverCacheGracePeriod = time.Hour

ResolverCacheGracePeriod is a grace period for the resolver. If a cached statement is not yet expired but will expire within that period, the cached statement will be used but a fresh statement might be requested in the background ( see also ResolverCacheLifetimeElapsedGraceFactor).

View Source 
var ResolverCacheLifetimeElapsedGraceFactor = 0.5

ResolverCacheLifetimeElapsedGraceFactor is a factor relevant for the grace period for the resolver. If a cached stmt will expire within the ResolverCacheGracePeriod it might be requested in the background before expiration. A fresh statement will only be requested if a certain time already has elapsed. This factor defines how much time (relative to the total lifetime of that statement) must have elapsed so that the statement is refreshed. E.g. a factor of 0. 75 means that a statement will only be refreshed if the statement expires within the ResolverCacheGracePeriod and 75% of the statement's lifetime already have elapsed. The purpose of this factor is to allow a bigger ResolverCacheGracePeriod and still deal with smaller statement lifetimes.

View Source 
var TrustChainsFilterValidMetadata = NewTrustChainsFilterFromCheckerFnc(
	func(chain TrustChain) bool {
		_, err := chain.Metadata()
		return err == nil
	},
)

TrustChainsFilterValidMetadata returns a TrustChainsFilter that filters the TrustChains to the ones with valid Metadata

Functions

func DisableDebugLogging 

func DisableDebugLogging()

DisableDebugLogging disables debug logging

func EnableDebugLogging 

func EnableDebugLogging()

EnableDebugLogging enables debug logging

func RegisterPolicyOperator 

func RegisterPolicyOperator(operator PolicyOperator)

RegisterPolicyOperator registers a new PolicyOperator and therefore makes it available to be used

func RegisterPolicyVerifier 

func RegisterPolicyVerifier(v PolicyVerifier)

RegisterPolicyVerifier registers a PolicyVerifier

func TrustChainScoringPathLen 

func TrustChainScoringPathLen(c TrustChain) int

TrustChainScoringPathLen is a TrustChainScoringFnc that uses the chain's path len

Types

type AllowedTrustMarkIssuers 

type AllowedTrustMarkIssuers map[string][]string

AllowedTrustMarkIssuers is type for defining which TrustMark can be issued by which entities

type CollectedEntity 

type CollectedEntity struct {
	EntityID   string         `json:"entity_id"`
	TrustMarks TrustMarkInfos `json:"trust_marks,omitempty"`
	TrustChain JWSMessages    `json:"trust_chain,omitempty"`

	EntityTypes []string          `json:"entity_types,omitempty"`
	UIInfos     map[string]UIInfo `json:"ui_infos,omitempty"`
	Extra       map[string]any    `json:"-"`
	// contains filtered or unexported fields
}

CollectedEntity is a type describing a single collected entity

func (CollectedEntity) MarshalJSON 

func (e CollectedEntity) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*CollectedEntity) UnmarshalJSON 

func (e *CollectedEntity) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type ConstraintSpecification 

type ConstraintSpecification struct {
	MaxPathLength      *int               `json:"max_path_length,omitempty"`
	NamingConstraints  *NamingConstraints `json:"naming_constraints,omitempty"`
	AllowedEntityTypes []string           `json:"allowed_entity_types,omitempty"`
}

ConstraintSpecification is type for holding constraints according to the oidc fed spec

type DelegationJWT 

type DelegationJWT struct {
	Issuer        string                 `json:"iss"`
	Subject       string                 `json:"sub"`
	TrustMarkType string                 `json:"trust_mark_type"`
	IssuedAt      unixtime.Unixtime      `json:"iat"`
	ExpiresAt     *unixtime.Unixtime     `json:"exp,omitempty"`
	Ref           string                 `json:"ref,omitempty"`
	Extra         map[string]interface{} `json:"-"`
	// contains filtered or unexported fields
}

DelegationJWT is a type for holding information about a delegation jwt

func (DelegationJWT) MarshalJSON 

func (djwt DelegationJWT) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*DelegationJWT) UnmarshalJSON 

func (djwt *DelegationJWT) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

func (DelegationJWT) VerifyExternal 

func (djwt DelegationJWT) VerifyExternal(jwks jwks.JWKS) error

VerifyExternal verifies the DelegationJWT by using the passed trust mark owner jwks

func (DelegationJWT) VerifyFederation 

func (djwt DelegationJWT) VerifyFederation(ta *EntityStatementPayload) error

VerifyFederation verifies the DelegationJWT by using the passed trust anchor

type DisplayNameGuesser 

type DisplayNameGuesser interface {
	GuessDisplayName() string
}

DisplayNameGuesser is an interface for types to return a (guessed) display name

type EntityCollectionFilter 

type EntityCollectionFilter interface {
	Filter(*CollectedEntity) bool
}

EntityCollectionFilter is an interface to filter discovered entities

func EntityCollectionFilterOPSupportedGrantTypesIncludes 

func EntityCollectionFilterOPSupportedGrantTypesIncludes(
	trustAnchorIDs []string, neededGrantTypes ...string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportedGrantTypesIncludes returns an EntityCollectionFilter that filters to OPs that support the passed grant types

func EntityCollectionFilterOPSupportedScopesIncludes 

func EntityCollectionFilterOPSupportedScopesIncludes(
	trustAnchorIDs []string,
	neededScopes ...string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportedScopesIncludes returns an EntityCollectionFilter that filters to OPs that support the passed scopes

func EntityCollectionFilterOPSupportsAutomaticRegistration 

func EntityCollectionFilterOPSupportsAutomaticRegistration(
	trustAnchorIDs []string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportsAutomaticRegistration returns an EntityCollectionFilter that filters to OPs that support automatic registration

func EntityCollectionFilterOPSupportsExplicitRegistration 

func EntityCollectionFilterOPSupportsExplicitRegistration(
	trustAnchorIDs []string,
) EntityCollectionFilter

EntityCollectionFilterOPSupportsExplicitRegistration returns an EntityCollectionFilter that filters to OPs that support explicit registration

func EntityCollectionFilterOPs 

func EntityCollectionFilterOPs() EntityCollectionFilter

EntityCollectionFilterOPs returns an EntityCollectionFilter that filters to OPs

func NewEntityCollectionFilter 

func NewEntityCollectionFilter(filter func(entity *CollectedEntity) bool) EntityCollectionFilter

NewEntityCollectionFilter returns an EntityCollectionFilter for a filter func

type EntityCollectionFilterVerifiedChains 

type EntityCollectionFilterVerifiedChains struct {
	TrustAnchors TrustAnchors
}

EntityCollectionFilterVerifiedChains is a EntityCollectionFilter that filters the discovered OPs to the one that have a valid TrustChain to one of the specified TrustAnchors

func (EntityCollectionFilterVerifiedChains) Filter 

func (f EntityCollectionFilterVerifiedChains) Filter(e *CollectedEntity) bool

Filter implements the EntityCollectionFilter interface

type EntityCollectionResponse 

type EntityCollectionResponse struct {
	FederationEntities []*CollectedEntity `json:"federation_entities"`
	NextEntityID       string             `json:"next_entity_id,omitempty"`
	LastUpdated        *unixtime.Unixtime `json:"last_updated,omitempty"`
	Extra              map[string]any     `json:"-"`
}

EntityCollectionResponse is a type describing the response of an entity collection request

type EntityCollector 

type EntityCollector interface {
	CollectEntities(req apimodel.EntityCollectionRequest) []*CollectedEntity
}

EntityCollector is an interface that discovers / collects Entities in a federation

type EntityConfigurationTrustMarkConfig 

type EntityConfigurationTrustMarkConfig struct {
	TrustMarkType      string                     `yaml:"trust_mark_type"`
	TrustMarkIssuer    string                     `yaml:"trust_mark_issuer"`
	SelfIssued         bool                       `yaml:"self_issued"`
	SelfIssuanceSpec   TrustMarkSpec              `yaml:"self_issuance_spec"`
	JWT                string                     `yaml:"trust_mark_jwt"`
	Refresh            bool                       `yaml:"refresh"`
	MinLifetime        unixtime.DurationInSeconds `yaml:"min_lifetime"`
	RefreshGracePeriod unixtime.DurationInSeconds `yaml:"refresh_grace_period"`
	// contains filtered or unexported fields
}

EntityConfigurationTrustMarkConfig is a type for specifying the configuration of a TrustMark that should be included in an EntityConfiguration

func (*EntityConfigurationTrustMarkConfig) TrustMarkJWT 

func (c *EntityConfigurationTrustMarkConfig) TrustMarkJWT() (string, error)

TrustMarkJWT returns a trust mark jwt for the linked trust mark, if needed the trust mark is refreshed using the trust mark issuer's trust mark endpoint

func (*EntityConfigurationTrustMarkConfig) Verify 

func (c *EntityConfigurationTrustMarkConfig) Verify(
	sub, ownTrustMarkEndpoint string, ownTrustMarkSigner *TrustMarkSigner,
) error

Verify verifies that the EntityConfigurationTrustMarkConfig is correct and also extracts trust mark id and issuer if a trust mark jwt is given as well as sets default values

type EntityStatement 

type EntityStatement struct {
	EntityStatementPayload
	// contains filtered or unexported fields
}

EntityStatement is a type for holding an entity statement, more precisely an entity statement that was obtained as a jwt and created by us

func FetchEntityStatement 

func FetchEntityStatement(fetchEndpoint, subID, issID string) (*EntityStatement, error)

FetchEntityStatement fetches an EntityStatement from a fetch endpoint

func GetEntityConfiguration 

func GetEntityConfiguration(entityID string) (*EntityStatement, error)

GetEntityConfiguration obtains the entity configuration for the passed entity id and returns it as an EntityStatement

func ParseEntityStatement 

func ParseEntityStatement(statementJWT []byte) (*EntityStatement, error)

ParseEntityStatement parses a jwt into an EntityStatement

func (EntityStatement) MarshalMsgpack 

func (e EntityStatement) MarshalMsgpack() ([]byte, error)

MarshalMsgpack implements the msgpack.Marshaler interface for usage with caching

func (*EntityStatement) UnmarshalMsgpack 

func (e *EntityStatement) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface for usage with caching

func (EntityStatement) Verify 

func (e EntityStatement) Verify(keys jwks.JWKS) bool

Verify verifies that the EntityStatement jwt is valid

type EntityStatementPayload 

type EntityStatementPayload struct {
	Issuer             string                   `json:"iss"`
	Subject            string                   `json:"sub"`
	IssuedAt           unixtime.Unixtime        `json:"iat"`
	ExpiresAt          unixtime.Unixtime        `json:"exp"`
	JWKS               jwks.JWKS                `json:"jwks"`
	Audience           string                   `json:"aud,omitempty"`
	AuthorityHints     []string                 `json:"authority_hints,omitempty"`
	Metadata           *Metadata                `json:"metadata,omitempty"`
	MetadataPolicy     *MetadataPolicies        `json:"metadata_policy,omitempty"`
	Constraints        *ConstraintSpecification `json:"constraints,omitempty"`
	CriticalExtensions []string                 `json:"crit,omitempty"`
	MetadataPolicyCrit []PolicyOperatorName     `json:"metadata_policy_crit,omitempty"`
	TrustMarks         TrustMarkInfos           `json:"trust_marks,omitempty"`
	TrustMarkIssuers   AllowedTrustMarkIssuers  `json:"trust_mark_issuers,omitempty"`
	TrustMarkOwners    TrustMarkOwners          `json:"trust_mark_owners,omitempty"`
	SourceEndpoint     string                   `json:"source_endpoint,omitempty"`
	TrustAnchorID      string                   `json:"trust_anchor_id,omitempty"`
	Extra              map[string]interface{}   `json:"-"`
}

EntityStatementPayload is a type for holding the actual payload of an EntityStatement or EntityConfiguration; additional fields can be set in the Extra claim

func (EntityStatementPayload) MarshalJSON 

func (e EntityStatementPayload) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (EntityStatementPayload) TimeValid 

func (e EntityStatementPayload) TimeValid() bool

TimeValid checks if the EntityStatementPayload is already valid and not yet expired.

func (*EntityStatementPayload) UnmarshalJSON 

func (e *EntityStatementPayload) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

func (*EntityStatementPayload) UnmarshalMsgpack 

func (e *EntityStatementPayload) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface.

type EntityStatementSigner 

type EntityStatementSigner struct {
	*GeneralJWTSigner
}

EntityStatementSigner is a JWTSigner for oidfedconst.JWTTypeEntityStatement

func NewEntityStatementSigner 

func NewEntityStatementSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *EntityStatementSigner

NewEntityStatementSigner creates a new EntityStatementSigner

func (EntityStatementSigner) JWT 

func (s EntityStatementSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type Error 

type Error struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

Error is type for holding an error

func ErrorInvalidClient 

func ErrorInvalidClient(description string) Error

ErrorInvalidClient returns an Error for using InvalidClient

func ErrorInvalidIssuer 

func ErrorInvalidIssuer(description string) Error

ErrorInvalidIssuer returns an Error for using InvalidIssuer

func ErrorInvalidMetadata 

func ErrorInvalidMetadata(description string) Error

ErrorInvalidMetadata returns an Error for using InvalidMetadata

func ErrorInvalidRequest 

func ErrorInvalidRequest(description string) Error

ErrorInvalidRequest returns an Error for using InvalidRequest

func ErrorInvalidSubject 

func ErrorInvalidSubject(description string) Error

ErrorInvalidSubject returns an Error for using InvalidSubject

func ErrorInvalidTrustAnchor 

func ErrorInvalidTrustAnchor(description string) Error

ErrorInvalidTrustAnchor returns an Error for using InvalidTrustAnchor

func ErrorInvalidTrustChain 

func ErrorInvalidTrustChain(description string) Error

ErrorInvalidTrustChain returns an Error for using InvalidTrustChain

func ErrorNotFound 

func ErrorNotFound(description string) Error

ErrorNotFound returns an Error for using NotFound

func ErrorServerError 

func ErrorServerError(description string) Error

ErrorServerError returns an Error for using ServerError

func ErrorTemporarilyUnavailable 

func ErrorTemporarilyUnavailable(description string) Error

ErrorTemporarilyUnavailable returns an Error for using TemporarilyUnavailable

func ErrorUnsupportedParameter 

func ErrorUnsupportedParameter(description string) Error

ErrorUnsupportedParameter returns an Error for using UnsupportedParameter

type FederationEntity 

type FederationEntity struct {
	EntityID              string
	Metadata              *Metadata
	AuthorityHints        []string
	ConfigurationLifetime int64
	*EntityStatementSigner

	TrustMarks       []*EntityConfigurationTrustMarkConfig
	TrustMarkIssuers AllowedTrustMarkIssuers
	TrustMarkOwners  TrustMarkOwners
	Extra            map[string]any
	// contains filtered or unexported fields
}

FederationEntity is a type for an entity participating in federations. It holds all relevant information about the federation entity and can be used to create an EntityConfiguration about it

func NewFederationEntity 

func NewFederationEntity(
	entityID string, authorityHints []string, metadata *Metadata,
	signer *EntityStatementSigner, configurationLifetime int64, extra map[string]any,
) (*FederationEntity, error)

NewFederationEntity creates a new FederationEntity with the passed properties

func (FederationEntity) EntityConfigurationJWT 

func (f FederationEntity) EntityConfigurationJWT() ([]byte, error)

EntityConfigurationJWT creates and returns the signed jwt as a []byte for the entity's entity configuration

func (FederationEntity) EntityConfigurationPayload 

func (f FederationEntity) EntityConfigurationPayload() *EntityStatementPayload

EntityConfigurationPayload returns an EntityStatementPayload for this FederationEntity

func (FederationEntity) SignEntityStatement 

func (f FederationEntity) SignEntityStatement(payload EntityStatementPayload) ([]byte, error)

SignEntityStatement creates a signed JWT for the given EntityStatementPayload; this function is intended to be used on TA/IA

type FederationEntityMetadata 

type FederationEntityMetadata struct {
	FederationFetchEndpoint           string         `json:"federation_fetch_endpoint,omitempty"`
	FederationListEndpoint            string         `json:"federation_list_endpoint,omitempty"`
	FederationResolveEndpoint         string         `json:"federation_resolve_endpoint,omitempty"`
	FederationTrustMarkStatusEndpoint string         `json:"federation_trust_mark_status_endpoint,omitempty"`
	FederationTrustMarkListEndpoint   string         `json:"federation_trust_mark_list_endpoint,omitempty"`
	FederationTrustMarkEndpoint       string         `json:"federation_trust_mark_endpoint,omitempty"`
	FederationHistoricalLKeysEndpoint string         `json:"federation_historical_keys_endpoint,omitempty"`
	Extra                             map[string]any `json:"-"`
	DisplayName                       string         `json:"display_name,omitempty"`
	Description                       string         `json:"description,omitempty"`
	Keywords                          []string       `json:"keywords,omitempty"`
	Contacts                          []string       `json:"contacts,omitempty"`
	LogoURI                           string         `json:"logo_uri,omitempty"`
	PolicyURI                         string         `json:"policy_uri,omitempty"`
	InformationURI                    string         `json:"information_uri,omitempty"`
	OrganizationName                  string         `json:"organization_name,omitempty"`
	OrganizationURI                   string         `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (FederationEntityMetadata) ApplyPolicy 

func (m FederationEntityMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the FederationEntityMetadata

func (FederationEntityMetadata) GuessDisplayName 

func (m FederationEntityMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (FederationEntityMetadata) MarshalJSON 

func (m FederationEntityMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*FederationEntityMetadata) UnmarshalJSON 

func (m *FederationEntityMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*FederationEntityMetadata) UnmarshalMsgpack 

func (m *FederationEntityMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type FederationLeaf 

type FederationLeaf struct {
	FederationEntity
	TrustAnchors TrustAnchors
	// contains filtered or unexported fields
}

FederationLeaf is a type for a leaf entity and holds all relevant information about it; it can also be used to create an EntityConfiguration about it or to start OIDC flows

func NewFederationLeaf 

func NewFederationLeaf(
	entityID string, authorityHints []string, trustAnchors TrustAnchors, metadata *Metadata,
	signer *EntityStatementSigner, configurationLifetime int64,
	oidcSigningKey crypto.Signer, oidcSigningAlg jwa.SignatureAlgorithm, extra map[string]any,
) (*FederationLeaf, error)

NewFederationLeaf creates a new FederationLeaf with the passed properties

func (FederationLeaf) CodeExchange 

func (f FederationLeaf) CodeExchange(
	issuer, code, redirectURI string,
	additionalParameter url.Values,
) (*OIDCTokenResponse, *OIDCErrorResponse, error)

CodeExchange performs an oidc code exchange it creates the mytoken and stores it in the database

func (FederationLeaf) GetAuthorizationURL 

func (f FederationLeaf) GetAuthorizationURL(
	issuer, redirectURI, state, scope string, additionalParams url.Values,
) (string, error)

GetAuthorizationURL creates an authorization url

func (FederationLeaf) RequestObjectProducer 

func (f FederationLeaf) RequestObjectProducer() *RequestObjectProducer

RequestObjectProducer returns the entity's RequestObjectProducer

func (FederationLeaf) ResolveOPMetadata 

func (f FederationLeaf) ResolveOPMetadata(issuer string) (*OpenIDProviderMetadata, error)

ResolveOPMetadata resolves and returns OpenIDProviderMetadata for the passed issuer url

type FilterableVerifiedChainsEntityCollector 

type FilterableVerifiedChainsEntityCollector struct {
	Collector EntityCollector
	Filters   []EntityCollectionFilter
}

FilterableVerifiedChainsEntityCollector is a type implementing EntityCollector that is able to filter the discovered OPs through a number of EntityCollectionFilter

func (FilterableVerifiedChainsEntityCollector) CollectEntities 

func (d FilterableVerifiedChainsEntityCollector) CollectEntities(req apimodel.EntityCollectionRequest) (entities []*CollectedEntity)

CollectEntities implements the EntityCollector interface

type GeneralJWTSigner 

type GeneralJWTSigner struct {
	// contains filtered or unexported fields
}

GeneralJWTSigner is a general jwt signer with no specific typ

func NewGeneralJWTSigner 

func NewGeneralJWTSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *GeneralJWTSigner

NewGeneralJWTSigner creates a new GeneralJWTSigner

func (*GeneralJWTSigner) EntityStatementSigner 

func (s *GeneralJWTSigner) EntityStatementSigner() *EntityStatementSigner

EntityStatementSigner returns an EntityStatementSigner using the same crypto.Signer

func (*GeneralJWTSigner) JWKS 

func (s *GeneralJWTSigner) JWKS() jwks.JWKS

JWKS returns the jwks.JWKS used with this signer

func (GeneralJWTSigner) JWT 

func (s GeneralJWTSigner) JWT(i any, headerType string) (jwt []byte, err error)

JWT returns a signed jwt representation of the passed data with the passed header type

func (*GeneralJWTSigner) ResolveResponseSigner 

func (s *GeneralJWTSigner) ResolveResponseSigner() *ResolveResponseSigner

ResolveResponseSigner returns an ResolveResponseSigner using the same crypto.Signer

func (*GeneralJWTSigner) TrustMarkDelegationSigner 

func (s *GeneralJWTSigner) TrustMarkDelegationSigner() *TrustMarkDelegationSigner

TrustMarkDelegationSigner returns an TrustMarkDelegationSigner using the same crypto.Signer

func (*GeneralJWTSigner) TrustMarkSigner 

func (s *GeneralJWTSigner) TrustMarkSigner() *TrustMarkSigner

TrustMarkSigner returns an TrustMarkSigner using the same crypto.Signer

func (*GeneralJWTSigner) Typed 

func (s *GeneralJWTSigner) Typed(headerType string) *TypedJWTSigner

Typed returns a TypedJWTSigner for the passed header type using the same crypto.Signer

type JWSMessages 

type JWSMessages []*jwx.ParsedJWT

JWSMessages is a slices of jwx.ParseJWT

func (JWSMessages) MarshalJSON 

func (m JWSMessages) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

func (*JWSMessages) UnmarshalJSON 

func (m *JWSMessages) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Marshaler interface.

type JWTSigner 

type JWTSigner interface {
	JWT(i any) (jwt []byte, err error)
	JWKS() jwk.Set
}

JWTSigner is an interface that can give signed jwts

type LocalMetadataResolver 

type LocalMetadataResolver struct{}

LocalMetadataResolver is a MetadataResolver that resolves trust chains and evaluates metadata policies to obtain the final Metadata; it does not use a resolve endpoint

func (LocalMetadataResolver) Resolve 

func (r LocalMetadataResolver) Resolve(req apimodel.ResolveRequest) (*Metadata, error)

Resolve implements the MetadataResolver interface

func (LocalMetadataResolver) ResolvePossible 

func (LocalMetadataResolver) ResolvePossible(req apimodel.ResolveRequest) (bool, bool)

ResolvePossible implements the MetadataResolver interface

func (LocalMetadataResolver) ResolveResponsePayload 

func (r LocalMetadataResolver) ResolveResponsePayload(req apimodel.ResolveRequest) (
	res ResolveResponsePayload, err error,
)

ResolveResponsePayload implements the MetadataResolver interface

type Metadata 

type Metadata struct {
	OpenIDProvider           *OpenIDProviderMetadata           `json:"openid_provider,omitempty"`
	RelyingParty             *OpenIDRelyingPartyMetadata       `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer *OAuthAuthorizationServerMetadata `json:"oauth_authorization_server,omitempty"`
	OAuthClient              *OAuthClientMetadata              `json:"oauth_client,omitempty"`
	OAuthProtectedResource   *OAuthProtectedResourceMetadata   `json:"oauth_resource,omitempty"`
	FederationEntity         *FederationEntityMetadata         `json:"federation_entity,omitempty"`
	// Extra contains additional metadata this entity should advertise.
	Extra map[string]any `json:"-"`
}

Metadata is a type for holding the different metadata types

func (Metadata) ApplyPolicy 

func (m Metadata) ApplyPolicy(p *MetadataPolicies) (*Metadata, error)

ApplyPolicy applies MetadataPolicies to Metadata and returns the final Metadata

func (*Metadata) FindEntityMetadata 

func (m *Metadata) FindEntityMetadata(entityType string, metadata any) error

FindEntityMetadata finds metadata for the specified entity type in the metadata and decodes it into the provided metadata object.

func (Metadata) GuessDisplayNames 

func (m Metadata) GuessDisplayNames() map[string]string

GuessDisplayNames collects (guessed) display names for all present metadata types.

func (Metadata) GuessEntityTypes 

func (m Metadata) GuessEntityTypes() (entityTypes []string)

GuessEntityTypes returns a slice of entity types for which metadata is set

func (Metadata) IterateStringClaim 

func (m Metadata) IterateStringClaim(tag string, iterator func(entityType, value string))

IterateStringClaim collects a claim that has a string value for all metadata types and calls the iterator on it.

func (Metadata) IterateStringSliceClaim 

func (m Metadata) IterateStringSliceClaim(tag string, iterator func(entityType string, value []string))

IterateStringSliceClaim collects a claim that has a []string value for all metadata types and calls the iterator on it.

func (Metadata) MarshalJSON 

func (m Metadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*Metadata) UnmarshalJSON 

func (m *Metadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

type MetadataPolicies 

type MetadataPolicies struct {
	OpenIDProvider           MetadataPolicy `json:"openid_provider,omitempty"`
	RelyingParty             MetadataPolicy `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer MetadataPolicy `json:"oauth_authorization_server,omitempty"`
	OAuthClient              MetadataPolicy `json:"oauth_client,omitempty"`
	OAuthProtectedResource   MetadataPolicy `json:"oauth_resource,omitempty"`
	FederationEntity         MetadataPolicy `json:"federation_entity,omitempty"`
	// Extra contains metadata policies for entity types unknown to this module.
	Extra map[string]MetadataPolicy `json:"-"`
}

MetadataPolicies is a type for holding the different MetadataPolicy

func MergeMetadataPolicies 

func MergeMetadataPolicies(policies ...*MetadataPolicies) (*MetadataPolicies, error)

MergeMetadataPolicies combines multiples MetadataPolicies from a chain into a single one

func (MetadataPolicies) MarshalJSON 

func (m MetadataPolicies) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*MetadataPolicies) UnmarshalJSON 

func (m *MetadataPolicies) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

type MetadataPolicy 

type MetadataPolicy map[string]MetadataPolicyEntry

MetadataPolicy is a type for holding MetadataPolicyEntry for each relevant attribute

func CombineMetadataPolicy 

func CombineMetadataPolicy(pathInfo string, policies ...MetadataPolicy) (MetadataPolicy, error)

CombineMetadataPolicy combines multiples MetadataPolicy into a single MetadataPolicy, at each step verifying that the result is valid

func (MetadataPolicy) Verify 

func (p MetadataPolicy) Verify(pathInfo string) error

Verify verifies that the MetadataPolicy is valid

type MetadataPolicyEntry 

type MetadataPolicyEntry map[PolicyOperatorName]any

MetadataPolicyEntry is a type for holding the operator value for each operator

func (MetadataPolicyEntry) ApplyTo 

func (p MetadataPolicyEntry) ApplyTo(value any, valueSet bool, pathInfo string) (any, error)

ApplyTo applies this MetadataPolicyEntry to the passed value and returns the resulting value

func (MetadataPolicyEntry) Verify 

func (p MetadataPolicyEntry) Verify(pathInfo string) error

Verify verifies that the MetadataPolicyEntry is valid

type MetadataResolver 

type MetadataResolver interface {
	Resolve(request apimodel.ResolveRequest) (*Metadata, error)
	ResolveResponsePayload(request apimodel.ResolveRequest) (ResolveResponsePayload, error)
	ResolvePossible(request apimodel.ResolveRequest) (validConfirmed, invalidConfirmed bool)
}

MetadataResolver is type for resolving the metadata from a StartingEntity to one or multiple TrustAnchors 

var DefaultMetadataResolver MetadataResolver = LocalMetadataResolver{}

DefaultMetadataResolver is the default MetadataResolver used within the library to resolve Metadata

type NamingConstraints 

type NamingConstraints struct {
	Permitted []string `json:"permitted,omitempty"`
	Excluded  []string `json:"excluded,omitempty"`
}

NamingConstraints is a type for holding constraints about naming

type OAuthAuthorizationServerMetadata 

type OAuthAuthorizationServerMetadata OpenIDProviderMetadata

OAuthAuthorizationServerMetadata is a type for holding the metadata about an oauth authorization server

func (OAuthAuthorizationServerMetadata) ApplyPolicy 

func (m OAuthAuthorizationServerMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OAuthAuthorizationServerMetadata

func (OAuthAuthorizationServerMetadata) GuessDisplayName 

func (m OAuthAuthorizationServerMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OAuthAuthorizationServerMetadata) MarshalJSON 

func (m OAuthAuthorizationServerMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OAuthAuthorizationServerMetadata) UnmarshalJSON 

func (m *OAuthAuthorizationServerMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type OAuthClientMetadata 

type OAuthClientMetadata OpenIDRelyingPartyMetadata

OAuthClientMetadata is a type for holding the metadata about an oauth client

func (OAuthClientMetadata) ApplyPolicy 

func (m OAuthClientMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OAuthClientMetadata

func (OAuthClientMetadata) GuessDisplayName 

func (m OAuthClientMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OAuthClientMetadata) MarshalJSON 

func (m OAuthClientMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OAuthClientMetadata) UnmarshalJSON 

func (m *OAuthClientMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type OAuthProtectedResourceMetadata 

type OAuthProtectedResourceMetadata struct {
	Resource                             string         `json:"resource,omitempty"`
	AuthorizationServers                 []string       `json:"authorization_servers,omitempty"`
	ScopesSupported                      []string       `json:"scopes_supported,omitempty"`
	BearerMethodsSupported               []string       `json:"bearer_methods_supported,omitempty"`
	ResourceSigningAlgValuesSupported    []string       `json:"resource_signing_alg_values_supported,omitempty"`
	ResourceEncryptionAlgValuesSupported []string       `json:"resource_encryption_alg_values_supported"`
	ResourceEncryptionEncValuesSupported []string       `json:"resource_encryption_enc_values_supported"`
	ResourceName                         string         `json:"resource_name,omitempty"`
	ResourceDocumentation                string         `json:"resource_documentation,omitempty"`
	ResourcePolicyURI                    string         `json:"resource_policy_uri,omitempty"`
	ResourceTOSURI                       string         `json:"resource_tos_uri,omitempty"`
	Extra                                map[string]any `json:"-"`
	SignedJWKSURI                        string         `json:"signed_jwks_uri,omitempty"`
	JWKSURI                              string         `json:"jwks_uri,omitempty"`
	JWKS                                 *jwks.JWKS     `json:"jwks,omitempty"`
	DisplayName                          string         `json:"display_name,omitempty"`
	Description                          string         `json:"description,omitempty"`
	Keywords                             []string       `json:"keywords,omitempty"`
	Contacts                             []string       `json:"contacts,omitempty"`
	LogoURI                              string         `json:"logo_uri,omitempty"`
	PolicyURI                            string         `json:"policy_uri,omitempty"`
	InformationURI                       string         `json:"information_uri,omitempty"`
	OrganizationName                     string         `json:"organization_name,omitempty"`
	OrganizationURI                      string         `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (OAuthProtectedResourceMetadata) ApplyPolicy 

func (m OAuthProtectedResourceMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OAuthProtectedResourceMetadata

func (OAuthProtectedResourceMetadata) GuessDisplayName 

func (m OAuthProtectedResourceMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OAuthProtectedResourceMetadata) MarshalJSON 

func (m OAuthProtectedResourceMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OAuthProtectedResourceMetadata) UnmarshalJSON 

func (m *OAuthProtectedResourceMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*OAuthProtectedResourceMetadata) UnmarshalMsgpack 

func (m *OAuthProtectedResourceMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type OIDCErrorResponse 

type OIDCErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

OIDCErrorResponse is the error response of an oidc provider

type OIDCTokenResponse 

type OIDCTokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int64  `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
	Scopes       string `json:"scope"`
	IDToken      string `json:"id_token"`

	Extra map[string]any `json:"-"`
}

OIDCTokenResponse is the token response of an oidc provider

func (*OIDCTokenResponse) UnmarshalJSON 

func (res *OIDCTokenResponse) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type OpenIDProviderMetadata 

type OpenIDProviderMetadata struct {
	Issuer                                                    string              `json:"issuer"`
	AuthorizationEndpoint                                     string              `json:"authorization_endpoint"`
	TokenEndpoint                                             string              `json:"token_endpoint"`
	UserinfoEndpoint                                          string              `json:"userinfo_endpoint,omitempty"`
	RegistrationEndpoint                                      string              `json:"registration_endpoint,omitempty"`
	ScopesSupported                                           []string            `json:"scopes_supported,omitempty"`
	ResponseTypesSupported                                    []string            `json:"response_types_supported"`
	ResponseModesSupported                                    []string            `json:"response_modes_supported,omitempty"`
	GrantTypesSupported                                       []string            `json:"grant_types_supported,omitempty"`
	ACRValuesSupported                                        []string            `json:"acr_values_supported,omitempty"`
	SubjectTypesSupported                                     []string            `json:"subject_types_supported"`
	IDTokenSignedResponseAlgValuesSupported                   []string            `json:"id_token_signed_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseAlgValuesSupported                []string            `json:"id_token_encrypted_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseEncValuesSupported                []string            `json:"id_token_encrypted_response_enc_values_supported,omitempty"`
	UserinfoSignedResponseAlgValuesSupported                  []string            `json:"userinfo_signed_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseAlgValuesSupported               []string            `json:"userinfo_encrypted_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseEncValuesSupported               []string            `json:"userinfo_encrypted_response_enc_values_supported,omitempty"`
	RequestSignedResponseAlgValuesSupported                   []string            `json:"request_signed_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseAlgValuesSupported                []string            `json:"request_encrypted_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseEncValuesSupported                []string            `json:"request_encrypted_response_enc_values_supported,omitempty"`
	TokenEndpointAuthMethodsSupported                         []string            `json:"token_endpoint_auth_methods_supported,omitempty"`
	TokenEndpointAuthSigningAlgValuesSupported                []string            `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
	DisplayValuesSupported                                    []string            `json:"display_values_supported,omitempty"`
	ClaimsSupported                                           []string            `json:"claims_supported,omitempty"`
	ServiceDocumentation                                      string              `json:"service_documentation,omitempty"`
	ClaimsLocalesSupported                                    []string            `json:"claims_locales_supported,omitempty"`
	UILocalesSupported                                        []string            `json:"ui_locales_supported,omitempty"`
	ClaimsParameterSupported                                  bool                `json:"claims_parameter_supported,omitempty"`
	RequestParameterSupported                                 bool                `json:"request_parameter_supported,omitempty"`
	RequestURIParameterSupported                              bool                `json:"request_uri_parameter_supported,omitempty"`
	RequireRequestURIRegistration                             bool                `json:"require_request_uri_registration,omitempty"`
	OPPolicyURI                                               string              `json:"op_policy_uri,omitempty"`
	OPTOSURI                                                  string              `json:"op_tos_uri,omitempty"`
	RevocationEndpoint                                        string              `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported                    []string            `json:"revocation_endpoint_auth_methods_supported,omitempty"`
	RevocationEndpointAuthSigningAlgValuesSupported           []string            `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionEndpoint                                     string              `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointAuthMethodsSupported                 []string            `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	IntrospectionEndpointAuthSigningAlgValuesSupported        []string            `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionSigningAlgValuesSupported                    []string            `json:"introspection_signing_alg_values_supported,omitempty"`
	IntrospectionEncryptionAlgValuesSupported                 []string            `json:"introspection_encryption_alg_values_supported,omitempty"`
	IntrospectionEncryptionEncValuesSupported                 []string            `json:"introspection_encryption_enc_values_supported,omitempty"`
	CodeChallengeMethodsSupported                             []string            `json:"code_challenge_methods_supported,omitempty"`
	SignedMetadata                                            string              `json:"signed_metadata,omitempty"`
	DeviceAuthorizationEndpoint                               string              `json:"device_authorization_endpoint,omitempty"`
	TLSClientCertificateBoundAccessTokens                     bool                `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	MTLSEndpointAliases                                       map[string]string   `json:"mtls_endpoint_aliases,omitempty"`
	NFVTokenSigningAlgValuesSupported                         []string            `json:"nfv_token_signing_alg_values_supported,omitempty"`
	NFVTokenEncryptionAlgValuesSupported                      []string            `json:"nfv_token_encryption_alg_values_supported,omitempty"`
	NFVTokenEncryptionEncValuesSupported                      []string            `json:"nfv_token_encryption_enc_values_supported,omitempty"`
	RequireSignedRequestObject                                bool                `json:"require_signed_request_object,omitempty"`
	PushedAuthorizationRequestEndpoint                        string              `json:"pushed_authorization_request_endpoint,omitempty"`
	RequirePushedAuthorizationRequests                        bool                `json:"require_pushed_authorization_requests,omitempty"`
	AuthorizationResponseIssParameterSupported                bool                `json:"authorization_response_iss_parameter_supported,omitempty"`
	CheckSessionIFrame                                        string              `json:"check_session_iframe,omitempty"`
	FrontchannelLogoutSupported                               bool                `json:"frontchannel_logout_supported,omitempty"`
	BackchannelLogoutSupported                                bool                `json:"backchannel_logout_supported,omitempty"`
	BackchannelLogoutSessionSupported                         bool                `json:"backchannel_logout_session_supported,omitempty"`
	EndSessionEndpoint                                        string              `json:"end_session_endpoint,omitempty"`
	BackchannelTokenDeliveryModesSupported                    []string            `json:"backchannel_token_delivery_modes_supported,omitempty"`
	BackchannelAuthenticationEndpoint                         string              `json:"backchannel_authentication_endpoint,omitempty"`
	BackchannelAuthenticationRequestSigningAlgValuesSupported []string            `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`
	BackchannelUserCodeParameterSupported                     bool                `json:"backchannel_user_code_parameter_supported,omitempty"`
	AuthorizationDetailsTypesSupported                        []string            `json:"authorization_details_types_supported,omitempty"`
	ClientRegistrationTypesSupported                          []string            `json:"client_registration_types_supported"`
	FederationRegistrationEndpoint                            string              `json:"federation_registration_endpoint,omitempty"`
	RequestAuthenticationMethodsSupported                     map[string][]string `json:"request_authentication_methods_supported,omitempty"`
	RequestAuthenticationSigningAlgValuesSupported            []string            `json:"request_authentication_signing_alg_values_supported,omitempty"`
	Extra                                                     map[string]any      `json:"-"`
	SignedJWKSURI                                             string              `json:"signed_jwks_uri,omitempty"`
	JWKSURI                                                   string              `json:"jwks_uri,omitempty"`
	JWKS                                                      *jwks.JWKS          `json:"jwks,omitempty"`
	DisplayName                                               string              `json:"display_name,omitempty"`
	Description                                               string              `json:"description,omitempty"`
	Keywords                                                  []string            `json:"keywords,omitempty"`
	Contacts                                                  []string            `json:"contacts,omitempty"`
	LogoURI                                                   string              `json:"logo_uri,omitempty"`
	PolicyURI                                                 string              `json:"policy_uri,omitempty"`
	InformationURI                                            string              `json:"information_uri,omitempty"`
	OrganizationName                                          string              `json:"organization_name,omitempty"`
	OrganizationURI                                           string              `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (OpenIDProviderMetadata) ApplyPolicy 

func (m OpenIDProviderMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OpenIDProviderMetadata

func (OpenIDProviderMetadata) GuessDisplayName 

func (m OpenIDProviderMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OpenIDProviderMetadata) MarshalJSON 

func (m OpenIDProviderMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OpenIDProviderMetadata) UnmarshalJSON 

func (m *OpenIDProviderMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*OpenIDProviderMetadata) UnmarshalMsgpack 

func (m *OpenIDProviderMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type OpenIDRelyingPartyMetadata 

type OpenIDRelyingPartyMetadata struct {
	Scope                                 string         `json:"scope,omitempty"`
	RedirectURIS                          []string       `json:"redirect_uris,omitempty"`
	ResponseTypes                         []string       `json:"response_types,omitempty"`
	GrantTypes                            []string       `json:"grant_types,omitempty"`
	ApplicationType                       string         `json:"application_type,omitempty"`
	Contacts                              []string       `json:"contacts,omitempty"`
	ClientName                            string         `json:"client_name,omitempty"`
	LogoURI                               string         `json:"logo_uri,omitempty"`
	ClientURI                             string         `json:"client_uri,omitempty"`
	PolicyURI                             string         `json:"policy_uri,omitempty"`
	TOSURI                                string         `json:"tos_uri,omitempty"`
	SectorIdentifierURI                   string         `json:"sector_identifier_uri,omitempty"`
	SubjectType                           string         `json:"subject_type,omitempty"`
	IDTokenSignedResponseAlg              string         `json:"id_token_signed_response_alg,omitempty"`
	IDTokenEncryptedResponseAlg           string         `json:"id_token_encrypted_response_alg,omitempty"`
	IDTokenEncryptedResponseEnc           string         `json:"id_token_encrypted_response_enc,omitempty"`
	UserinfoSignedResponseAlg             string         `json:"userinfo_signed_response_alg,omitempty"`
	UserinfoEncryptedResponseAlg          string         `json:"userinfo_encrypted_response_alg,omitempty"`
	UserinfoEncryptedResponseEnc          string         `json:"userinfo_encrypted_response_enc,omitempty"`
	RequestSignedResponseAlg              string         `json:"request_signed_response_alg,omitempty"`
	RequestEncryptedResponseAlg           string         `json:"request_encrypted_response_alg,omitempty"`
	RequestEncryptedResponseEnc           string         `json:"request_encrypted_response_enc,omitempty"`
	TokenEndpointAuthMethod               string         `json:"token_endpoint_auth_method,omitempty"`
	TokenEndpointAuthSigningAlg           string         `json:"token_endpoint_auth_signing_alg,omitempty"`
	DefaultMaxAge                         int64          `json:"default_max_age,omitempty"`
	RequireAuthTime                       bool           `json:"require_auth_time,omitempty"`
	DefaultACRValues                      []string       `json:"default_acr_values,omitempty"`
	InitiateLoginURI                      string         `json:"initiate_login_uri,omitempty"`
	RequestURIs                           []string       `json:"request_uris,omitempty"`
	SoftwareID                            string         `json:"software_id,omitempty"`
	SoftwareVersion                       string         `json:"software_version,omitempty"`
	ClientID                              string         `json:"client_id,omitempty"`
	ClientSecret                          string         `json:"client_secret,omitempty"`
	ClientIDIssuedAt                      int64          `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt                 int64          `json:"client_secret_expires_at,omitempty"`
	RegistrationAccessToken               string         `json:"registration_access_token,omitempty"`
	RegistrationClientURI                 string         `json:"registration_client_uri,omitempty"`
	ClaimsRedirectURIs                    []string       `json:"claims_redirect_uris,omitempty"`
	NFVTokenSignedResponseAlg             string         `json:"nfv_token_signed_response_alg,omitempty"`
	NFVTokenEncryptedResponseAlg          string         `json:"nfv_token_encrypted_response_alg,omitempty"`
	NFVTokenEncryptedResponseEnc          string         `json:"nfv_token_encrypted_response_enc,omitempty"`
	TLSClientCertificateBoundAccessTokens bool           `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	TLSClientAuthSubjectDN                string         `json:"tls_client_auth_subject_dn,omitempty"`
	TLSClientAuthSANDNS                   string         `json:"tls_client_auth_san_dns,omitempty"`
	TLSClientAuthSANURI                   string         `json:"tls_client_auth_san_uri,omitempty"`
	TLSClientAuthSANIP                    string         `json:"tls_client_auth_san_ip,omitempty"`
	TLSClientAuthSANEMAIL                 string         `json:"tls_client_auth_san_email,omitempty"`
	RequireSignedRequestObject            bool           `json:"require_signed_request_object,omitempty"`
	RequirePushedAuthorizationRequests    bool           `json:"require_pushed_authorization_requests,omitempty"`
	IntrospectionSignedResponseAlg        string         `json:"introspection_signed_response_alg,omitempty"`
	IntrospectionEncryptedResponseAlg     string         `json:"introspection_encrypted_response_alg,omitempty"`
	IntrospectionEncryptedResponseEnc     string         `json:"introspection_encrypted_response_enc,omitempty"`
	FrontchannelLogoutURI                 string         `json:"frontchannel_logout_uri,omitempty"`
	FrontchannelLogoutSessionRequired     bool           `json:"frontchannel_logout_session_required,omitempty"`
	BackchannelLogoutURI                  string         `json:"backchannel_logout_uri,omitempty"`
	BackchannelLogoutSessionRequired      bool           `json:"backchannel_logout_session_required,omitempty"`
	PostLogoutRedirectURIs                []string       `json:"post_logout_redirect_uris,omitempty"`
	AuthorizationDetailsTypes             []string       `json:"authorization_details_types,omitempty"`
	ClientRegistrationTypes               []string       `json:"client_registration_types"`
	Extra                                 map[string]any `json:"-"`
	SignedJWKSURI                         string         `json:"signed_jwks_uri,omitempty"`
	JWKSURI                               string         `json:"jwks_uri,omitempty"`
	JWKS                                  *jwks.JWKS     `json:"jwks,omitempty"`
	DisplayName                           string         `json:"display_name,omitempty"`
	Description                           string         `json:"description,omitempty"`
	Keywords                              []string       `json:"keywords,omitempty"`
	InformationURI                        string         `json:"information_uri,omitempty"`
	OrganizationName                      string         `json:"organization_name,omitempty"`
	OrganizationURI                       string         `json:"organization_uri,omitempty"`
	// contains filtered or unexported fields
}

func (OpenIDRelyingPartyMetadata) ApplyPolicy 

func (m OpenIDRelyingPartyMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

ApplyPolicy applies a MetadataPolicy to the OpenIDRelyingPartyMetadata

func (OpenIDRelyingPartyMetadata) GuessDisplayName 

func (m OpenIDRelyingPartyMetadata) GuessDisplayName() string

GuessDisplayName implements the DisplayNameGuesser interface

func (OpenIDRelyingPartyMetadata) MarshalJSON 

func (m OpenIDRelyingPartyMetadata) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*OpenIDRelyingPartyMetadata) UnmarshalJSON 

func (m *OpenIDRelyingPartyMetadata) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*OpenIDRelyingPartyMetadata) UnmarshalMsgpack 

func (m *OpenIDRelyingPartyMetadata) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

type OwnedTrustMark 

type OwnedTrustMark struct {
	ID                 string
	DelegationLifetime time.Duration
	Ref                string
	Extra              map[string]any
}

OwnedTrustMark is a type describing the trust marks owned by a TrustMarkOwner

type PolicyOperator 

type PolicyOperator interface {
	// Merge merges two policy operator values and returns the result
	Merge(a, b any, pathInfo string) (any, error)
	// Apply applies the policy operator value to the attribute value and returns the result
	Apply(value any, valueSet bool, policyValue any, essential bool, pathInfo string) (any, bool, error)
	// Name returns the PolicyOperatorName
	Name() PolicyOperatorName
	// MayCombineWith gives a list of PolicyOperatorName with which this PolicyOperator may be combined
	MayCombineWith() []PolicyOperatorName
}

PolicyOperator is an interface implemented by policy operators

func NewPolicyOperator 

func NewPolicyOperator(
	name PolicyOperatorName,
	merger func(a, b any, pathInfo string) (any, error),
	applier func(value any, valueSet bool, policyValue any, essential bool, pathInfo string) (any, bool, error),
	mayCombineWith []PolicyOperatorName,
) PolicyOperator

NewPolicyOperator creates a new PolicyOperator from the passed functions and PolicyOperatorName

type PolicyOperatorName 

type PolicyOperatorName string

PolicyOperatorName is the name of a PolicyOperator 

const (
	PolicyOperatorValue      PolicyOperatorName = "value"
	PolicyOperatorDefault    PolicyOperatorName = "default"
	PolicyOperatorAdd        PolicyOperatorName = "add"
	PolicyOperatorOneOf      PolicyOperatorName = "one_of"
	PolicyOperatorSubsetOf   PolicyOperatorName = "subset_of"
	PolicyOperatorSupersetOf PolicyOperatorName = "superset_of"
	PolicyOperatorEssential  PolicyOperatorName = "essential"
)

Constants for PolicyOperatorNames

type PolicyVerifier 

type PolicyVerifier func(p MetadataPolicyEntry, pathInfo string) error

PolicyVerifier is a function that verifies a MetadataPolicyEntry

type RequestObjectProducer 

type RequestObjectProducer struct {
	EntityID string
	// contains filtered or unexported fields
}

RequestObjectProducer is a generator for signed request objects

func NewRequestObjectProducer 

func NewRequestObjectProducer(
	entityID string, privateSigningKey crypto.Signer, signingAlg jwa.SignatureAlgorithm, lifetime int64,
) *RequestObjectProducer

NewRequestObjectProducer creates a new RequestObjectProducer with the passed properties

func (RequestObjectProducer) ClientAssertion 

func (rop RequestObjectProducer) ClientAssertion(aud string) ([]byte, error)

ClientAssertion creates a new signed client assertion jwt for the passed audience

func (RequestObjectProducer) RequestObject 

func (rop RequestObjectProducer) RequestObject(requestValues map[string]any) ([]byte, error)

RequestObject generates a signed request object jwt from the passed requestValues

type ResolveResponse 

type ResolveResponse struct {
	Issuer                 string            `json:"iss"`
	Subject                string            `json:"sub"`
	IssuedAt               unixtime.Unixtime `json:"iat"`
	ExpiresAt              unixtime.Unixtime `json:"exp"`
	Audience               string            `json:"aud,omitempty"`
	ResolveResponsePayload `json:",inline"`
}

ResolveResponse is a type describing the response of a resolve request

func ParseResolveResponse 

func ParseResolveResponse(body []byte) (*ResolveResponse, error)

ParseResolveResponse parses a jwt into a ResolveResponse

func (ResolveResponse) MarshalJSON 

func (r ResolveResponse) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

type ResolveResponsePayload 

type ResolveResponsePayload struct {
	Metadata   *Metadata              `json:"metadata,omitempty"`
	TrustMarks TrustMarkInfos         `json:"trust_marks,omitempty"`
	TrustChain JWSMessages            `json:"trust_chain,omitempty"`
	Extra      map[string]interface{} `json:"-"`
}

ResolveResponsePayload holds the actual payload of a resolve response

func (ResolveResponsePayload) MarshalJSON 

func (r ResolveResponsePayload) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*ResolveResponsePayload) UnmarshalJSON 

func (r *ResolveResponsePayload) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

type ResolveResponseSigner 

type ResolveResponseSigner struct {
	*GeneralJWTSigner
}

ResolveResponseSigner is a JWTSigner for oidfedconst.JWTTypeResolveResponse

func NewResolveResponseSigner 

func NewResolveResponseSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *ResolveResponseSigner

NewResolveResponseSigner creates a new ResolveResponseSigner

func (ResolveResponseSigner) JWT 

func (s ResolveResponseSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type SimpleEntityCollector 

type SimpleEntityCollector struct {
	// contains filtered or unexported fields
}

SimpleEntityCollector is an EntityCollector that collects entities in a federation

func (*SimpleEntityCollector) CollectEntities 

func (d *SimpleEntityCollector) CollectEntities(req apimodel.EntityCollectionRequest) (entities []*CollectedEntity)

CollectEntities implements the EntityCollector interface

type SimpleOPCollector 

type SimpleOPCollector struct{}

SimpleOPCollector is an EntityCollector that uses the SimpleEntityCollector to collect OPs in a federation

func (*SimpleOPCollector) CollectEntities 

func (*SimpleOPCollector) CollectEntities(req apimodel.EntityCollectionRequest) (entities []*CollectedEntity)

CollectEntities implements the EntityCollector interface

type SimpleRemoteEntityCollector 

type SimpleRemoteEntityCollector struct {
	EntityCollectionEndpoint string
}

SimpleRemoteEntityCollector is a EntityCollector that utilizes a given EntityCollectionEndpoint

func (SimpleRemoteEntityCollector) CollectEntities 

func (c SimpleRemoteEntityCollector) CollectEntities(req apimodel.EntityCollectionRequest) []*CollectedEntity

CollectEntities queries a remote EntityCollectionEndpoint for the collected entities and implements the EntityCollector interface

type SimpleRemoteMetadataResolver 

type SimpleRemoteMetadataResolver struct {
	ResolveEndpoint string
}

SimpleRemoteMetadataResolver is a MetadataResolver that utilizes a given ResolveEndpoint

func (SimpleRemoteMetadataResolver) Resolve 

func (r SimpleRemoteMetadataResolver) Resolve(req apimodel.ResolveRequest) (*Metadata, error)

Resolve implements the MetadataResolver interface

func (SimpleRemoteMetadataResolver) ResolvePossible 

func (r SimpleRemoteMetadataResolver) ResolvePossible(req apimodel.ResolveRequest) (bool, bool)

ResolvePossible implements the MetadataResolver interface

func (SimpleRemoteMetadataResolver) ResolveResponse 

func (r SimpleRemoteMetadataResolver) ResolveResponse(req apimodel.ResolveRequest) (
	*ResolveResponse, int, error,
)

ResolveResponse returns the ResolveResponse from a response endpoint

func (SimpleRemoteMetadataResolver) ResolveResponsePayload 

func (r SimpleRemoteMetadataResolver) ResolveResponsePayload(req apimodel.ResolveRequest) (
	ResolveResponsePayload, error,
)

ResolveResponsePayload implements the MetadataResolver interface

type SliceOrSingleValue 

type SliceOrSingleValue[T any] []T

SliceOrSingleValue is a type that supports (un-)marshaling (json) of a slice where a single value might not be expressed as a slice

func (SliceOrSingleValue[T]) MarshalJSON 

func (v SliceOrSingleValue[T]) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (SliceOrSingleValue[T]) MarshalYAML 

func (v SliceOrSingleValue[T]) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface

func (*SliceOrSingleValue[T]) UnmarshalJSON 

func (v *SliceOrSingleValue[T]) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*SliceOrSingleValue[T]) UnmarshalYAML 

func (v *SliceOrSingleValue[T]) UnmarshalYAML(value *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type SmartRemoteEntityCollector 

type SmartRemoteEntityCollector struct {
	TrustAnchors []string
}

SmartRemoteEntityCollector is a EntityCollector that utilizes remote entity collection endpoints. It will iterate through the entity collect endpoints of the given TrustAnchors and stop if one is successful, if no entity collection endpoint is successful, the SimpleEntityCollector is used

func (SmartRemoteEntityCollector) CollectEntities 

func (c SmartRemoteEntityCollector) CollectEntities(req apimodel.EntityCollectionRequest) []*CollectedEntity

CollectEntities implements the EntityCollector interface

type SmartRemoteMetadataResolver 

type SmartRemoteMetadataResolver struct{}

SmartRemoteMetadataResolver is a MetadataResolver that utilizes remote resolve endpoints. It will iterate through the resolve endpoints of the given TrustAnchors and stop if one is successful, if no resolve endpoint is successful, local resolving is used

func (SmartRemoteMetadataResolver) Resolve 

func (r SmartRemoteMetadataResolver) Resolve(req apimodel.ResolveRequest) (*Metadata, error)

Resolve implements the MetadataResolver interface

func (SmartRemoteMetadataResolver) ResolvePossible 

func (SmartRemoteMetadataResolver) ResolvePossible(req apimodel.ResolveRequest) (bool, bool)

ResolvePossible implements the MetadataResolver interface

func (SmartRemoteMetadataResolver) ResolveResponsePayload 

func (SmartRemoteMetadataResolver) ResolveResponsePayload(req apimodel.ResolveRequest) (
	ResolveResponsePayload, error,
)

ResolveResponsePayload implements the MetadataResolver interface

type TrustAnchor 

type TrustAnchor struct {
	EntityID string    `yaml:"entity_id" json:"entity_id"`
	JWKS     jwks.JWKS `yaml:"jwks" json:"jwks"`
}

TrustAnchor is a type for specifying trust anchors

type TrustAnchors 

type TrustAnchors []TrustAnchor

TrustAnchors is a slice of TrustAnchor

func NewTrustAnchorsFromEntityIDs 

func NewTrustAnchorsFromEntityIDs(anchorIDs ...string) (anchors TrustAnchors)

NewTrustAnchorsFromEntityIDs returns TrustAnchors for the passed entity ids; this does not set jwks.JWKS

func (TrustAnchors) EntityIDs 

func (anchors TrustAnchors) EntityIDs() (entityIDs []string)

EntityIDs returns the entity ids as a []string

type TrustChain 

type TrustChain []*EntityStatement

TrustChain is a slice of *EntityStatements

func (TrustChain) ExpiresAt 

func (c TrustChain) ExpiresAt() unixtime.Unixtime

ExpiresAt returns the expiration time of the TrustChain as a UNIX time stamp

func (TrustChain) Messages 

func (c TrustChain) Messages() (msgs JWSMessages)

Messages returns the jwts of the TrustChain

func (TrustChain) Metadata 

func (c TrustChain) Metadata() (*Metadata, error)

Metadata returns the final Metadata for this TrustChain, i.e. the Metadata of the leaf entity with MetadataPolicies of authorities applied to it.

func (TrustChain) PathLen 

func (c TrustChain) PathLen() int

PathLen returns the path len of a chain as defined by the spec, i.e. the number of intermediates

type TrustChainChecker 

type TrustChainChecker interface {
	Check(TrustChain) bool
}

TrustChainChecker can check a single TrustChain to determine if it should be included or not, i.e. in a TrustChainsFilter

type TrustChainScoringFnc 

type TrustChainScoringFnc func(c TrustChain) int

TrustChainScoringFnc a function type that takes a TrustChain and calculates a score for the chain. This score then can be used to sort TrustChains

type TrustChains 

type TrustChains []TrustChain

TrustChains is a slice of multiple TrustChain

func (TrustChains) Filter 

func (c TrustChains) Filter(filter ...TrustChainsFilter) TrustChains

Filter filters multiple TrustChains with the passed TrustChainsFilter to a subset

func (TrustChains) SortAsc 

func (c TrustChains) SortAsc(scorer TrustChainScoringFnc) TrustChains

SortAsc sorts multiple TrustChains ascending by using the passed TrustChainScoringFnc

func (TrustChains) SortDesc 

func (c TrustChains) SortDesc(scorer TrustChainScoringFnc) TrustChains

SortDesc sorts multiple TrustChains descending by using the passed TrustChainScoringFnc

type TrustChainsFilter 

type TrustChainsFilter interface {
	Filter(TrustChains) TrustChains
}

TrustChainsFilter filters multiple TrustChains to a subset 

var TrustChainsFilterMinPathLength TrustChainsFilter = trustChainsFilterPathLength{/* contains filtered or unexported fields */}

TrustChainsFilterMinPathLength is a TrustChainsFilter that filters TrustChains to the chains with the minimal path length

func NewTrustChainsFilterFromCheckerFnc 

func NewTrustChainsFilterFromCheckerFnc(checker func(TrustChain) bool) TrustChainsFilter

NewTrustChainsFilterFromCheckerFnc returns a new TrustChainsFilter from the passed checker function

func NewTrustChainsFilterFromTrustChainChecker 

func NewTrustChainsFilterFromTrustChainChecker(f TrustChainChecker) TrustChainsFilter

NewTrustChainsFilterFromTrustChainChecker creates a new TrustChainsFilter from a TrustChainChecker

func TrustChainsFilterMaxPathLength 

func TrustChainsFilterMaxPathLength(maxPathLen int) TrustChainsFilter

TrustChainsFilterMaxPathLength returns a TrustChainsFilter that filters TrustChains to only the chains that are not longer than the passed maximum path len.

func TrustChainsFilterTrustAnchor 

func TrustChainsFilterTrustAnchor(anchor string) TrustChainsFilter

TrustChainsFilterTrustAnchor returns a TrustChainsFilter for the passed trust anchor entity id. The return TrustChainsFilter will filter TrustChains to only chains ending with the passed anchor.

type TrustMark 

type TrustMark struct {
	Issuer        string                 `json:"iss"`
	Subject       string                 `json:"sub"`
	TrustMarkType string                 `json:"trust_mark_type"`
	IssuedAt      unixtime.Unixtime      `json:"iat"`
	LogoURI       string                 `json:"logo_uri,omitempty"`
	ExpiresAt     *unixtime.Unixtime     `json:"exp,omitempty"`
	Ref           string                 `json:"ref,omitempty"`
	DelegationJWT string                 `json:"delegation,omitempty"`
	Extra         map[string]interface{} `json:"-"`
	// contains filtered or unexported fields
}

TrustMark is a type for holding a trust mark

func ParseTrustMark 

func ParseTrustMark(data []byte) (*TrustMark, error)

ParseTrustMark parses a trust mark jwt into a TrustMark

func (*TrustMark) Delegation 

func (tm *TrustMark) Delegation() (*DelegationJWT, error)

Delegation returns the DelegationJWT (if any) for this TrustMark

func (TrustMark) MarshalJSON 

func (tm TrustMark) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*TrustMark) UnmarshalJSON 

func (tm *TrustMark) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

func (*TrustMark) VerifyExternal 

func (tm *TrustMark) VerifyExternal(jwks jwks.JWKS, tmo ...TrustMarkOwnerSpec) error

VerifyExternal verifies the TrustMark by using the passed trust mark issuer jwks and optionally the passed trust mark owner jwks

func (*TrustMark) VerifyFederation 

func (tm *TrustMark) VerifyFederation(ta *EntityStatementPayload) error

VerifyFederation verifies the TrustMark by using the passed trust anchor

type TrustMarkDelegationSigner 

type TrustMarkDelegationSigner struct {
	*GeneralJWTSigner
}

TrustMarkDelegationSigner is a JWTSigner for constants. JWTTypeTrustMarkDelegation

func NewTrustMarkDelegationSigner 

func NewTrustMarkDelegationSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *TrustMarkDelegationSigner

NewTrustMarkDelegationSigner creates a new TrustMarkDelegationSigner

func (TrustMarkDelegationSigner) JWT 

func (s TrustMarkDelegationSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type TrustMarkInfo 

type TrustMarkInfo struct {
	TrustMarkType string                 `json:"trust_mark_type" yaml:"type"`
	TrustMarkJWT  string                 `json:"trust_mark" yaml:"trust_mark"`
	Extra         map[string]interface{} `json:"-" yaml:"-"`
	// contains filtered or unexported fields
}

TrustMarkInfo is a type for holding a trust mark as represented in an EntityConfiguration

func (TrustMarkInfo) MarshalJSON 

func (tm TrustMarkInfo) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (*TrustMarkInfo) TrustMark 

func (tm *TrustMarkInfo) TrustMark() (*TrustMark, error)

TrustMark returns the TrustMark for this TrustMarkInfo

func (*TrustMarkInfo) UnmarshalJSON 

func (tm *TrustMarkInfo) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshalls additional fields into the Extra claim.

func (*TrustMarkInfo) VerifyExternal 

func (tm *TrustMarkInfo) VerifyExternal(
	jwks jwks.JWKS,
	tmo ...TrustMarkOwnerSpec,
) error

VerifyExternal verifies the TrustMarkInfo by using the passed trust mark issuer jwks and optionally the passed trust mark owner jwks

func (*TrustMarkInfo) VerifyFederation 

func (tm *TrustMarkInfo) VerifyFederation(ta *EntityStatementPayload) error

VerifyFederation verifies the TrustMarkInfo by using the passed trust anchor

type TrustMarkInfos 

type TrustMarkInfos []TrustMarkInfo

TrustMarkInfos is a slice of TrustMarkInfo

func (TrustMarkInfos) Find 

func (tms TrustMarkInfos) Find(matcher func(info TrustMarkInfo) bool) *TrustMarkInfo

Find uses the passed function to find the first matching TrustMarkInfo

func (TrustMarkInfos) FindByID 

func (tms TrustMarkInfos) FindByID(id string) *TrustMarkInfo

FindByID returns the (first) TrustMarkInfo with the passed id

func (TrustMarkInfos) VerifiedExternal 

func (tms TrustMarkInfos) VerifiedExternal(
	jwks jwks.JWKS,
	tmo ...TrustMarkOwnerSpec,
) (verified TrustMarkInfos)

VerifiedExternal verifies all TrustMarkInfos by using the passed trust mark issuer jwks and optionally the passed trust mark owner jwks and returns only the valid TrustMarkInfos

func (TrustMarkInfos) VerifiedFederation 

func (tms TrustMarkInfos) VerifiedFederation(ta *EntityStatementPayload) (verified TrustMarkInfos)

VerifiedFederation verifies all TrustMarkInfos by using the passed trust anchor and returns only the valid TrustMarkInfos

type TrustMarkIssuer 

type TrustMarkIssuer struct {
	EntityID string
	*TrustMarkSigner
	// contains filtered or unexported fields
}

TrustMarkIssuer is an entity that can issue TrustMarkInfo

func NewTrustMarkIssuer 

func NewTrustMarkIssuer(
	entityID string, signer *TrustMarkSigner, trustMarkSpecs []TrustMarkSpec,
) *TrustMarkIssuer

NewTrustMarkIssuer creates a new TrustMarkIssuer

func (*TrustMarkIssuer) AddTrustMark 

func (tmi *TrustMarkIssuer) AddTrustMark(spec TrustMarkSpec)

AddTrustMark adds a TrustMarkSpec to the TrustMarkIssuer enabling it to issue the TrustMarkInfo

func (TrustMarkIssuer) IssueTrustMark 

func (tmi TrustMarkIssuer) IssueTrustMark(trustMarkType, sub string, lifetime ...time.Duration) (
	*TrustMarkInfo, error,
)

IssueTrustMark issues a TrustMarkInfo for the passed trust mark id and subject; optionally a custom lifetime can be passed

func (*TrustMarkIssuer) TrustMarkTypes 

func (tmi *TrustMarkIssuer) TrustMarkTypes() []string

TrustMarkTypes returns a slice of the trust mark ids for which this TrustMarKIssuer can issue TrustMarks

type TrustMarkOwner 

type TrustMarkOwner struct {
	EntityID string
	*TrustMarkDelegationSigner
	// contains filtered or unexported fields
}

TrustMarkOwner is a type describing the owning entity of a trust mark; it can be used to issue DelegationJWT

func NewTrustMarkOwner 

func NewTrustMarkOwner(
	entityID string, signer *TrustMarkDelegationSigner, ownedTrustMarks []OwnedTrustMark,
) *TrustMarkOwner

NewTrustMarkOwner creates a new TrustMarkOwner

func (*TrustMarkOwner) AddTrustMark 

func (tmo *TrustMarkOwner) AddTrustMark(spec OwnedTrustMark)

AddTrustMark adds a new OwnedTrustMark to the TrustMarkOwner

func (TrustMarkOwner) DelegationJWT 

func (tmo TrustMarkOwner) DelegationJWT(trustMarkType, sub string, lifetime ...time.Duration) ([]byte, error)

DelegationJWT issues a DelegationJWT (as []byte) for the passed trust mark id and subject; optionally a custom lifetime can be passed

type TrustMarkOwnerSpec 

type TrustMarkOwnerSpec struct {
	ID   string    `json:"sub" yaml:"entity_id"`
	JWKS jwks.JWKS `json:"jwks" yaml:"jwks"`
}

TrustMarkOwnerSpec describes the owner of a trust mark

func (*TrustMarkOwnerSpec) UnmarshalJSON 

func (tmo *TrustMarkOwnerSpec) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface.

func (*TrustMarkOwnerSpec) UnmarshalMsgpack 

func (tmo *TrustMarkOwnerSpec) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface.

type TrustMarkOwners 

type TrustMarkOwners map[string]TrustMarkOwnerSpec

TrustMarkOwners defines owners for TrustMarks

type TrustMarkSigner 

type TrustMarkSigner struct {
	*GeneralJWTSigner
}

TrustMarkSigner is a JWTSigner for oidfedconst.JWTTypeTrustMark

func NewTrustMarkSigner 

func NewTrustMarkSigner(key crypto.Signer, alg jwa.SignatureAlgorithm) *TrustMarkSigner

NewTrustMarkSigner creates a new TrustMarkSigner

func (TrustMarkSigner) JWT 

func (s TrustMarkSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type TrustMarkSpec 

type TrustMarkSpec struct {
	TrustMarkType            string                     `json:"trust_mark_type" yaml:"trust_mark_type"`
	Lifetime                 unixtime.DurationInSeconds `json:"lifetime" yaml:"lifetime"`
	Ref                      string                     `json:"ref" yaml:"ref"`
	LogoURI                  string                     `json:"logo_uri" yaml:"logo_uri"`
	Extra                    map[string]any             `json:"-" yaml:"-"`
	IncludeExtraClaimsInInfo bool                       `json:"include_extra_claims_in_info" yaml:"include_extra_claims_in_info"`
	DelegationJWT            string                     `json:"delegation_jwt" yaml:"delegation_jwt"`
}

TrustMarkSpec describes a TrustMark for a TrustMarkIssuer

func (TrustMarkSpec) MarshalJSON 

func (tms TrustMarkSpec) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (TrustMarkSpec) MarshalYAML 

func (tms TrustMarkSpec) MarshalYAML() (any, error)

MarshalYAML implements the yaml.Marshaler interface

func (*TrustMarkSpec) UnmarshalJSON 

func (tms *TrustMarkSpec) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*TrustMarkSpec) UnmarshalYAML 

func (tms *TrustMarkSpec) UnmarshalYAML(data *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type TrustResolver 

type TrustResolver struct {
	TrustAnchors   []TrustAnchor
	StartingEntity string
	Types          []string
	// contains filtered or unexported fields
}

TrustResolver is type for resolving trust chains from a StartingEntity to one or multiple TrustAnchors

func (TrustResolver) Chains 

func (r TrustResolver) Chains() (chains TrustChains)

Chains returns the TrustChains in the internal trust tree

func (*TrustResolver) Resolve 

func (r *TrustResolver) Resolve()

Resolve starts the trust chain resolution process, building an internal trust tree

func (*TrustResolver) ResolveToValidChains 

func (r *TrustResolver) ResolveToValidChains() TrustChains

ResolveToValidChains starts the trust chain resolution process, building an internal trust tree, verifies the signatures, integrity, expirations, and metadata policies and returns all possible valid TrustChains

func (*TrustResolver) ResolveToValidChainsWithoutVerifyingMetadata 

func (r *TrustResolver) ResolveToValidChainsWithoutVerifyingMetadata() TrustChains

ResolveToValidChainsWithoutVerifyingMetadata starts the trust chain resolution process, building an internal trust tree, verifies the signatures, integrity, expirations, but not metadata policies and returns all possible valid TrustChains

func (*TrustResolver) VerifySignatures 

func (r *TrustResolver) VerifySignatures()

VerifySignatures verifies the signatures of the internal trust tree

type TypedJWTSigner 

type TypedJWTSigner struct {
	*GeneralJWTSigner
	HeaderType string
}

TypedJWTSigner is a JWTSigner for a specific header type

func (TypedJWTSigner) JWT 

func (s TypedJWTSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type UIInfo 

type UIInfo struct {
	DisplayName    string         `json:"display_name,omitempty"`
	Description    string         `json:"description,omitempty"`
	Keywords       []string       `json:"keywords,omitempty"`
	LogoURI        string         `json:"logo_uri,omitempty"`
	PolicyURI      string         `json:"policy_uri,omitempty"`
	InformationURI string         `json:"information_uri,omitempty"`
	Extra          map[string]any `json:"-"`
}

func (UIInfo) MarshalJSON 

func (i UIInfo) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*UIInfo) UnmarshalJSON 

func (i *UIInfo) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type VerifiedChainsEntityCollector 

type VerifiedChainsEntityCollector struct{}

VerifiedChainsEntityCollector is an EntityCollector that compared to SimpleEntityCollector additionally verifies that there is a valid TrustChain between the entity and one of the specified trust anchors

func (VerifiedChainsEntityCollector) CollectEntities 

func (VerifiedChainsEntityCollector) CollectEntities(req apimodel.EntityCollectionRequest) (entities []*CollectedEntity)

CollectEntities implements the EntityCollector interface

Source Files

View all Source files

Directories

Path Synopsis
examples
ta Module
generators
http
jwx
utils

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.