- Constants
- func HttpRequestFromContext(ctx context.Context) (*http.Request, error)
- func NewChangeCtx() *change.Context
- func NewHttpChangeCtx(r *http.Request) *change.Context
- func NewNativeOnlyOP(ctx context.Context, env model.Env, config Config) (http.Handler, error)
- func NewRevocation(tokenId string, expiresAt time.Time) *model.Revocation
- type AccessClaims
- func (r *AccessClaims) GetAudience() (jwt.ClaimStrings, error)
- func (r *AccessClaims) GetExpirationTime() (*jwt.NumericDate, error)
- func (r *AccessClaims) GetIssuedAt() (*jwt.NumericDate, error)
- func (r *AccessClaims) GetIssuer() (string, error)
- func (r *AccessClaims) GetNotBefore() (*jwt.NumericDate, error)
- func (r *AccessClaims) GetSubject() (string, error)
- func (c *AccessClaims) TotpComplete() bool
- type AuthRequest
- func (a *AuthRequest) AddAmr(amr string)
- func (a *AuthRequest) Done() bool
- func (a *AuthRequest) GetACR() string
- func (a *AuthRequest) GetAMR() []string
- func (a *AuthRequest) GetAudience() []string
- func (a *AuthRequest) GetAuthTime() time.Time
- func (a *AuthRequest) GetCertFingerprints() []string
- func (a *AuthRequest) GetClientID() string
- func (a *AuthRequest) GetCodeChallenge() *oidc.CodeChallenge
- func (a *AuthRequest) GetID() string
- func (a *AuthRequest) GetNonce() string
- func (a *AuthRequest) GetRedirectURI() string
- func (a *AuthRequest) GetResponseMode() oidc.ResponseMode
- func (a *AuthRequest) GetResponseType() oidc.ResponseType
- func (a *AuthRequest) GetScopes() []string
- func (a *AuthRequest) GetState() string
- func (a *AuthRequest) GetSubject() string
- func (a *AuthRequest) HasAmr(amr string) bool
- func (a *AuthRequest) HasFullAuth() bool
- func (a *AuthRequest) HasPrimaryAuth() bool
- func (a *AuthRequest) HasSecondaryAuth() bool
- type Client
- func (c *Client) AccessTokenType() op.AccessTokenType
- func (c *Client) ApplicationType() op.ApplicationType
- func (c *Client) AuthMethod() oidc.AuthMethod
- func (c *Client) ClockSkew() time.Duration
- func (c *Client) DevMode() bool
- func (c *Client) GetID() string
- func (c *Client) GrantTypes() []oidc.GrantType
- func (c *Client) IDTokenLifetime() time.Duration
- func (c *Client) IDTokenUserinfoClaimsAssertion() bool
- func (c *Client) IsScopeAllowed(_ string) bool
- func (c *Client) LoginURL(id string) string
- func (c *Client) PostLogoutRedirectURIs() []string
- func (c *Client) RedirectURIs() []string
- func (c *Client) ResponseTypes() []oidc.ResponseType
- func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
- func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string
- type Config
- type CustomClaims
- type HybridStorage
- func (s *HybridStorage) AddClient(client *Client)
- func (s *HybridStorage) AuthRequestByCode(ctx context.Context, code string) (op.AuthRequest, error)
- func (s *HybridStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequest, error)
- func (s *HybridStorage) AuthRequestDone(id string) error
- func (s *HybridStorage) Authenticate(authCtx model.AuthContext, id string, configTypes []string) (*AuthRequest, error)
- func (s *HybridStorage) AuthorizeClientIDSecret(_ context.Context, clientID, clientSecret string) error
- func (s *HybridStorage) Clean()
- func (s *HybridStorage) ClientCredentials(_ context.Context, clientID, clientSecret string) (op.Client, error)
- func (s *HybridStorage) ClientCredentialsTokenRequest(_ context.Context, clientID string, scopes []string) (op.TokenRequest, error)
- func (s *HybridStorage) CompleteDeviceAuthorization(_ context.Context, userCode, subject string) error
- func (s *HybridStorage) CreateAccessAndRefreshTokens(_ context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
- func (s *HybridStorage) CreateAccessToken(_ context.Context, request op.TokenRequest) (string, time.Time, error)
- func (s *HybridStorage) CreateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, identityId string) (op.AuthRequest, error)
- func (s *HybridStorage) CreateTokenExchangeRequest(_ context.Context, _ op.TokenExchangeRequest) error
- func (s *HybridStorage) DeleteAuthRequest(_ context.Context, id string) error
- func (s *HybridStorage) DenyDeviceAuthorization(_ context.Context, userCode string) error
- func (s *HybridStorage) GetAuthRequest(id string) (*AuthRequest, error)
- func (s *HybridStorage) GetClientByClientID(_ context.Context, clientID string) (op.Client, error)
- func (s *HybridStorage) GetDeviceAuthorizationByUserCode(_ context.Context, userCode string) (*op.DeviceAuthorizationState, error)
- func (s *HybridStorage) GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (*op.DeviceAuthorizationState, error)
- func (s *HybridStorage) GetKeyByIDAndClientID(_ context.Context, keyID, _ string) (*jose.JSONWebKey, error)
- func (s *HybridStorage) GetPrivateClaimsFromScopes(ctx context.Context, identityId, clientID string, scopes []string) (claims map[string]interface{}, err error)
- func (s *HybridStorage) GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) (claims map[string]interface{}, err error)
- func (s *HybridStorage) GetRefreshTokenInfo(_ context.Context, _ string, token string) (identityId string, tokenID string, err error)
- func (s *HybridStorage) Health(_ context.Context) error
- func (s *HybridStorage) IsTokenRevoked(tokenId string) bool
- func (s *HybridStorage) KeySet(_ context.Context) ([]op.Key, error)
- func (s *HybridStorage) RevokeToken(_ context.Context, tokenIDOrToken string, _ string, _ string) *oidc.Error
- func (s *HybridStorage) SaveAuthCode(_ context.Context, id string, code string) error
- func (s *HybridStorage) SetIntrospectionFromToken(_ context.Context, _ *oidc.IntrospectionResponse, _, _, _ string) error
- func (s *HybridStorage) SetUserinfoFromRequest(_ context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, ...) error
- func (s *HybridStorage) SetUserinfoFromScopes(_ context.Context, _ *oidc.UserInfo, _, _ string, _ []string) error
- func (s *HybridStorage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, _ string) error
- func (s *HybridStorage) SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request op.TokenExchangeRequest) error
- func (s *HybridStorage) SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
- func (s *HybridStorage) SigningKey(_ context.Context) (op.SigningKey, error)
- func (s *HybridStorage) StoreDeviceAuthorization(_ context.Context, clientID, deviceCode, userCode string, expires time.Time, ...) error
- func (s *HybridStorage) TerminateSession(_ context.Context, identityId string, clientID string) error
- func (s *HybridStorage) TokenRequestByRefreshToken(_ context.Context, refreshToken string) (op.RefreshTokenRequest, error)
- func (s *HybridStorage) ValidateJWTProfileScopes(_ context.Context, _ string, scopes []string) ([]string, error)
- func (s *HybridStorage) ValidateTokenExchangeRequest(_ context.Context, request op.TokenExchangeRequest) error
- func (s *HybridStorage) VerifyTotp(ctx *change.Context, code string, id string) (*AuthRequest, error)
- type IdTokenClaims
- type RefreshClaims
- func (r *RefreshClaims) GetAudience() (jwt.ClaimStrings, error)
- func (r *RefreshClaims) GetExpirationTime() (*jwt.NumericDate, error)
- func (r *RefreshClaims) GetIssuedAt() (*jwt.NumericDate, error)
- func (r *RefreshClaims) GetIssuer() (string, error)
- func (r *RefreshClaims) GetNotBefore() (*jwt.NumericDate, error)
- func (r *RefreshClaims) GetSubject() (string, error)
- func (c *RefreshClaims) MarshalJSON() ([]byte, error)
- func (c *RefreshClaims) UnmarshalJSON(data []byte) error
- type RefreshTokenRequest
- func (r *RefreshTokenRequest) GetAMR() []string
- func (r *RefreshTokenRequest) GetAudience() []string
- func (r *RefreshTokenRequest) GetAuthTime() time.Time
- func (r *RefreshTokenRequest) GetCertFingerprints() []string
- func (r *RefreshTokenRequest) GetClientID() string
- func (r *RefreshTokenRequest) GetScopes() []string
- func (r *RefreshTokenRequest) GetSubject() string
- func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string)
- type Storage
Constants ¶
const ( WellKnownOidcConfiguration = "/.well-known/openid-configuration" SourceTypeOidc = "oidc_auth" AuthMethodPassword = model.AuthMethodPassword AuthMethodExtJwt = model.AuthMethodExtJwt AuthMethodCert = persistence.MethodAuthenticatorCert AuthMethodSecondaryTotp = "totp" AuthMethodSecondaryExtJwt = "ejs" DefaultNativeClientId = "native" )
const ( ScopeTokenId = "tid-" ScopeApiSessionId = "asid-" )
const ( ClaimAudienceOpenZiti = "openziti" CustomClaimApiSessionId = "z_asid" CustomClaimExternalId = "z_eid" CustomClaimIsAdmin = "z_ia" CustomClaimsConfigTypes = "z_ct" CustomClaimsCertFingerprints = "z_cfs" DefaultAccessTokenDuration = 30 * time.Minute DefaultIdTokenDuration = 30 * time.Minute DefaultRefreshTokenDuration = 24 * time.Hour TokenTypeAccess = "a" TokenTypeRefresh = "r" )
const JwtTokenPrefix = "eY"
JwtTokenPrefix is presumably the leading characters used to recognise a JWT among opaque token strings. NOTE(review): the base64url encoding of a JWT header (`{"…`) always starts with the lowercase prefix `ey`; unless the comparison is performed case-insensitively, `"eY"` will not match a standards-conformant token — confirm against the detection code.
Variables ¶
This section is empty.
Functions ¶
func HttpRequestFromContext ¶
HttpRequestFromContext returns the initiating http.Request for the current OIDC context
func NewChangeCtx ¶
NewChangeCtx creates a change.Context scoped to oidc_auth package
func NewHttpChangeCtx ¶
NewHttpChangeCtx creates a change.Context scoped to oidc_auth package and supplied http.Request
func NewNativeOnlyOP ¶
NewNativeOnlyOP creates an OIDC Provider that accepts only native clients and only the Authorization Code flow with PKCE (no implicit or hybrid response types).
func NewRevocation ¶
func NewRevocation(tokenId string, expiresAt time.Time) *model.Revocation
Types ¶
type AccessClaims ¶
type AccessClaims struct { oidc.AccessTokenClaims CustomClaims }
func (*AccessClaims) GetAudience ¶
func (r *AccessClaims) GetAudience() (jwt.ClaimStrings, error)
func (*AccessClaims) GetExpirationTime ¶
func (r *AccessClaims) GetExpirationTime() (*jwt.NumericDate, error)
func (*AccessClaims) GetIssuedAt ¶
func (r *AccessClaims) GetIssuedAt() (*jwt.NumericDate, error)
func (*AccessClaims) GetIssuer ¶
func (r *AccessClaims) GetIssuer() (string, error)
func (*AccessClaims) GetNotBefore ¶
func (r *AccessClaims) GetNotBefore() (*jwt.NumericDate, error)
func (*AccessClaims) GetSubject ¶
func (r *AccessClaims) GetSubject() (string, error)
func (*AccessClaims) TotpComplete ¶
func (c *AccessClaims) TotpComplete() bool
type AuthRequest ¶
type AuthRequest struct { oidc.AuthRequest Id string CreationDate time.Time IdentityId string AuthTime time.Time ApiSessionId string SecondaryTotpRequired bool SecondaryExtJwtRequired bool SecondaryExtJwtId string ConfigTypes []string Amr map[string]struct{} PeerCerts []*x509.Certificate RequestedMethod string BearerTokenDetected bool }
AuthRequest represents an OIDC authentication request and implements op.AuthRequest
func (*AuthRequest) Done ¶
func (a *AuthRequest) Done() bool
Done returns true once authentication has been completed and implements op.AuthRequest
func (*AuthRequest) GetACR ¶
func (a *AuthRequest) GetACR() string
GetACR returns the Authentication Context Class Reference (acr) requested by the client and implements oidc.AuthRequest. All requested ACR values are currently ignored: a client cannot use acr to demand a stronger authentication level, and relying parties should instead rely on the AMR values and on the primary/secondary authentication state tracked by the AuthRequest.
func (*AuthRequest) GetAMR ¶
func (a *AuthRequest) GetAMR() []string
GetAMR returns the authentication method references the authentication has undergone and implements op.AuthRequest
func (*AuthRequest) GetAudience ¶
func (a *AuthRequest) GetAudience() []string
GetAudience returns all current audience targets and implements op.AuthRequest
func (*AuthRequest) GetAuthTime ¶
func (a *AuthRequest) GetAuthTime() time.Time
GetAuthTime returns the time at which authentication has occurred and implements op.AuthRequest
func (*AuthRequest) GetCertFingerprints ¶
func (a *AuthRequest) GetCertFingerprints() []string
func (*AuthRequest) GetClientID ¶
func (a *AuthRequest) GetClientID() string
GetClientID returns the client id requested and implements op.AuthRequest
func (*AuthRequest) GetCodeChallenge ¶
func (a *AuthRequest) GetCodeChallenge() *oidc.CodeChallenge
GetCodeChallenge returns the PKCE code challenge supplied by the relying party and implements op.AuthRequest.
func (*AuthRequest) GetID ¶
func (a *AuthRequest) GetID() string
GetID returns an AuthRequest's ID and implements op.AuthRequest
func (*AuthRequest) GetNonce ¶
func (a *AuthRequest) GetNonce() string
GetNonce returns the rp supplied nonce and implements op.AuthRequest
func (*AuthRequest) GetRedirectURI ¶
func (a *AuthRequest) GetRedirectURI() string
GetRedirectURI returns the rp supplied redirect target and implements op.AuthRequest
func (*AuthRequest) GetResponseMode ¶
func (a *AuthRequest) GetResponseMode() oidc.ResponseMode
GetResponseMode is not supported; all responses are returned via the query string. Because NewNativeOnlyOP only permits the Authorization Code flow with PKCE, the value carried in the query string is the authorization code rather than tokens, which limits the exposure of that channel (referrers, proxy and server logs).
func (*AuthRequest) GetResponseType ¶
func (a *AuthRequest) GetResponseType() oidc.ResponseType
GetResponseType returns the rp supplied response type and implements op.AuthRequest
func (*AuthRequest) GetScopes ¶
func (a *AuthRequest) GetScopes() []string
GetScopes returns the current scopes and implements op.AuthRequest. Scopes are also used to transport custom claims into access tokens: the zitadel oidc framework provides no way to reach the request object at JWT signing time, and any claims supplied directly are overwritten, so values are encoded as scopes (see the ScopeTokenId and ScopeApiSessionId prefixes). NOTE(review): since these scopes become claims, the scope list must be controlled by the server rather than copied from client-supplied scope values — confirm that client-provided scopes carrying these prefixes are rejected or stripped.
func (*AuthRequest) GetState ¶
func (a *AuthRequest) GetState() string
GetState returns the rp provided state and implements op.AuthRequest
func (*AuthRequest) GetSubject ¶
func (a *AuthRequest) GetSubject() string
GetSubject returns the target subject and implements op.AuthRequest
func (*AuthRequest) HasAmr ¶
func (a *AuthRequest) HasAmr(amr string) bool
HasAmr returns true if the supplied amr is present
func (*AuthRequest) HasFullAuth ¶
func (a *AuthRequest) HasFullAuth() bool
HasFullAuth returns true if an authentication request has passed all primary and secondary authentications.
func (*AuthRequest) HasPrimaryAuth ¶
func (a *AuthRequest) HasPrimaryAuth() bool
HasPrimaryAuth returns true if a primary authentication mechanism has been passed.
func (*AuthRequest) HasSecondaryAuth ¶
func (a *AuthRequest) HasSecondaryAuth() bool
HasSecondaryAuth returns true if all applicable secondary authentications have been passed, i.e. every secondary factor flagged as required on the AuthRequest (SecondaryTotpRequired, SecondaryExtJwtRequired) has been satisfied; a request with no secondary factor required presumably passes trivially.
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client represents an OIDC Client and implements op.Client
func NativeClient ¶
NativeClient will create a client of type native, which will always use PKCE and allow the use of refresh tokens
func (*Client) AccessTokenType ¶
func (c *Client) AccessTokenType() op.AccessTokenType
AccessTokenType returns the type of access token the client uses (Bearer (opaque) or JWT), implements op.Client
func (*Client) ApplicationType ¶
func (c *Client) ApplicationType() op.ApplicationType
ApplicationType returns the application type (app, native, user agent), implements op.Client
func (*Client) AuthMethod ¶
func (c *Client) AuthMethod() oidc.AuthMethod
AuthMethod returns the authentication method (client_secret_basic, client_secret_post, none, private_key_jwt), implements op.Client
func (*Client) ClockSkew ¶
ClockSkew enables clients to instruct the OP to apply a clock skew on the various times and expirations (subtract from issued_at, add to expiration, ...), implements op.Client
func (*Client) DevMode ¶
DevMode enables the use of non-compliant configs such as redirect_uris, implements op.Client. Because it relaxes redirect URI validation, it must not be enabled outside of development: loosened redirect matching is what allows an attacker to redirect an authorization code to a host they control.
func (*Client) GrantTypes ¶
GrantTypes returns all allowed grant types (authorization_code, refresh_token, urn:ietf:params:oauth:grant-type:jwt-bearer), implements op.Client
func (*Client) IDTokenLifetime ¶
IDTokenLifetime returns the lifetime of the client's id_tokens
func (*Client) IDTokenUserinfoClaimsAssertion ¶
IDTokenUserinfoClaimsAssertion allows specifying if claims of scope profile, email, phone and address are asserted into the id_token even if an access token if issued which violates the OIDC Core spec (5.4. Requesting Claims using Scope Values: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) some clients though require that e.g. email is always in the id_token when requested even if an access_token is issued, implements op.Client
func (*Client) IsScopeAllowed ¶
IsScopeAllowed enables Client custom scope validation, implements op.Client. No custom scopes are currently supported; the scope argument is ignored (`_ string`), so the method returns the same answer for every scope — verify which, as it decides whether unknown client-supplied scopes are accepted.
func (*Client) LoginURL ¶
LoginURL returns the URL clients should be directed to for login based on authentication request id, implements op.Client
func (*Client) PostLogoutRedirectURIs ¶
PostLogoutRedirectURIs returns an array of post logout redirect URIs, implements op.Client
func (*Client) RedirectURIs ¶
RedirectURIs returns an array of valid redirect URIs, implements op.Client
func (*Client) ResponseTypes ¶
func (c *Client) ResponseTypes() []oidc.ResponseType
ResponseTypes returns all allowed response types (code, id_token token, id_token), these must match with the allowed grant types, implements op.Client
func (*Client) RestrictAdditionalAccessTokenScopes ¶
RestrictAdditionalAccessTokenScopes allows specifying which custom scopes shall be asserted into the JWT access_token, implements op.Client
func (*Client) RestrictAdditionalIdTokenScopes ¶
RestrictAdditionalIdTokenScopes allows specifying which custom scopes shall be asserted into the id_token, implements op.Client
type Config ¶
type Config struct { Issuer string TokenSecret string Storage Storage Certificate *x509.Certificate PrivateKey crypto.PrivateKey IdTokenDuration time.Duration RefreshTokenDuration time.Duration AccessTokenDuration time.Duration RedirectURIs []string PostLogoutURIs []string // contains filtered or unexported fields }
Config represents the configuration necessary to operate an OIDC Provider. It carries the token signing PrivateKey and the TokenSecret; treat Config values as secret material and keep them out of logs, error messages and serialized output.
func NewConfig ¶
func NewConfig(issuer string, cert *x509.Certificate, key crypto.PrivateKey) Config
NewConfig will create a Config with default values
func (*Config) MaxTokenDuration ¶
MaxTokenDuration returns the maximum token lifetime currently configured
type CustomClaims ¶
type CustomClaims struct { ApiSessionId string `json:"z_asid,omitempty"` ExternalId string `json:"z_eid,omitempty"` IsAdmin bool `json:"z_ia,omitempty"` ConfigTypes []string `json:"z_ct,omitempty"` ApplicationId string `json:"z_aid,omitempty"` Type string `json:"z_t"` CertFingerprints []string `json:"z_cfs"` Scopes []string `json:"scopes,omitempty"` }
CustomClaims are the OpenZiti-specific claims embedded in access, id and refresh tokens. Type (`z_t`) carries TokenTypeAccess (`"a"`) or TokenTypeRefresh (`"r"`). NOTE(review): token consumers should check `z_t` so that a refresh token cannot be presented where an access token is expected — confirm this check exists in the verifiers.
type HybridStorage ¶
type HybridStorage struct {
// contains filtered or unexported fields
}
HybridStorage implements the Storage interface. Authentication requests are held only on the controller that created them and are not synchronized with other controllers, so an authentication flow (auth request, primary and secondary authentication, code exchange) must be completed entirely against a single controller; in a multi-controller deployment the client must be pinned to one controller for the duration of the flow. Once id, access and/or refresh tokens have been issued they may be used at any controller. All token revocations are synchronized with other controllers.
func NewStorage ¶
func NewStorage(kid string, publicKey crypto.PublicKey, privateKey crypto.PrivateKey, singingMethod jwt.SigningMethod, config *Config, env model.Env) *HybridStorage
func (*HybridStorage) AddClient ¶
func (s *HybridStorage) AddClient(client *Client)
func (*HybridStorage) AuthRequestByCode ¶
func (s *HybridStorage) AuthRequestByCode(ctx context.Context, code string) (op.AuthRequest, error)
AuthRequestByCode implements the op.Storage interface
func (*HybridStorage) AuthRequestByID ¶
func (s *HybridStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequest, error)
AuthRequestByID implements the op.Storage interface
func (*HybridStorage) AuthRequestDone ¶
func (s *HybridStorage) AuthRequestDone(id string) error
AuthRequestDone is used by tests and is not required to implement op.Storage. NOTE(review): because it is exported and marks a request as done without going through Authenticate, it must not be reachable from any request-handling path — confirm it is only called from test code.
func (*HybridStorage) Authenticate ¶
func (s *HybridStorage) Authenticate(authCtx model.AuthContext, id string, configTypes []string) (*AuthRequest, error)
Authenticate will verify supplied credentials and update the primary authentication status of an AuthRequest
func (*HybridStorage) AuthorizeClientIDSecret ¶
func (s *HybridStorage) AuthorizeClientIDSecret(_ context.Context, clientID, clientSecret string) error
AuthorizeClientIDSecret implements the op.Storage interface
func (*HybridStorage) Clean ¶
func (s *HybridStorage) Clean()
Clean removes abandoned auth requests and associated data
func (*HybridStorage) ClientCredentials ¶
func (s *HybridStorage) ClientCredentials(_ context.Context, clientID, clientSecret string) (op.Client, error)
ClientCredentials implements op.ClientCredentialsStorage
func (*HybridStorage) ClientCredentialsTokenRequest ¶
func (s *HybridStorage) ClientCredentialsTokenRequest(_ context.Context, clientID string, scopes []string) (op.TokenRequest, error)
ClientCredentialsTokenRequest implements op.ClientCredentialsStorage
func (*HybridStorage) CompleteDeviceAuthorization ¶
func (s *HybridStorage) CompleteDeviceAuthorization(_ context.Context, userCode, subject string) error
CompleteDeviceAuthorization implements op.DeviceAuthorizationStorage
func (*HybridStorage) CreateAccessAndRefreshTokens ¶
func (s *HybridStorage) CreateAccessAndRefreshTokens(_ context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
CreateAccessAndRefreshTokens implements the op.Storage interface
func (*HybridStorage) CreateAccessToken ¶
func (s *HybridStorage) CreateAccessToken(_ context.Context, request op.TokenRequest) (string, time.Time, error)
CreateAccessToken implements the op.Storage interface
func (*HybridStorage) CreateAuthRequest ¶
func (s *HybridStorage) CreateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, identityId string) (op.AuthRequest, error)
CreateAuthRequest creates a new AuthRequest based on an incoming request, implements the op.Storage interface
func (*HybridStorage) CreateTokenExchangeRequest ¶
func (s *HybridStorage) CreateTokenExchangeRequest(_ context.Context, _ op.TokenExchangeRequest) error
func (*HybridStorage) DeleteAuthRequest ¶
func (s *HybridStorage) DeleteAuthRequest(_ context.Context, id string) error
DeleteAuthRequest implements the op.Storage interface
func (*HybridStorage) DenyDeviceAuthorization ¶
func (s *HybridStorage) DenyDeviceAuthorization(_ context.Context, userCode string) error
DenyDeviceAuthorization implements op.DeviceAuthorizationStorage
func (*HybridStorage) GetAuthRequest ¶
func (s *HybridStorage) GetAuthRequest(id string) (*AuthRequest, error)
GetAuthRequest returns an AuthRequest by id
func (*HybridStorage) GetClientByClientID ¶
GetClientByClientID implements the op.Storage interface
func (*HybridStorage) GetDeviceAuthorizationByUserCode ¶
func (s *HybridStorage) GetDeviceAuthorizationByUserCode(_ context.Context, userCode string) (*op.DeviceAuthorizationState, error)
GetDeviceAuthorizationByUserCode implements op.DeviceAuthorizationStorage
func (*HybridStorage) GetDeviceAuthorizatonState ¶
func (s *HybridStorage) GetDeviceAuthorizatonState(ctx context.Context, clientID, deviceCode string) (*op.DeviceAuthorizationState, error)
GetDeviceAuthorizatonState implements op.DeviceAuthorizationStorage
func (*HybridStorage) GetKeyByIDAndClientID ¶
func (s *HybridStorage) GetKeyByIDAndClientID(_ context.Context, keyID, _ string) (*jose.JSONWebKey, error)
GetKeyByIDAndClientID implements the op.Storage interface. The client id argument is ignored (`_ string`), so keys are looked up by key id alone and are not scoped to the requesting client; if more than one client can register keys, a key id is enough to select another client's key — confirm this is acceptable for the configured clients.
func (*HybridStorage) GetPrivateClaimsFromScopes ¶
func (s *HybridStorage) GetPrivateClaimsFromScopes(ctx context.Context, identityId, clientID string, scopes []string) (claims map[string]interface{}, err error)
GetPrivateClaimsFromScopes implements the op.Storage interface
func (*HybridStorage) GetPrivateClaimsFromTokenExchangeRequest ¶
func (s *HybridStorage) GetPrivateClaimsFromTokenExchangeRequest(ctx context.Context, request op.TokenExchangeRequest) (claims map[string]interface{}, err error)
GetPrivateClaimsFromTokenExchangeRequest implements the op.TokenExchangeStorage interface
func (*HybridStorage) GetRefreshTokenInfo ¶
func (s *HybridStorage) GetRefreshTokenInfo(_ context.Context, _ string, token string) (identityId string, tokenID string, err error)
GetRefreshTokenInfo implements the op.Storage interface
func (*HybridStorage) Health ¶
func (s *HybridStorage) Health(_ context.Context) error
Health implements the op.Storage interface
func (*HybridStorage) IsTokenRevoked ¶
func (s *HybridStorage) IsTokenRevoked(tokenId string) bool
IsTokenRevoked returns true if the token identified by tokenId has been revoked and false otherwise. tokenId may be a JWT token id or an identity id (revoking an identity revokes all of its tokens); revocations are synchronized across controllers.
func (*HybridStorage) RevokeToken ¶
func (s *HybridStorage) RevokeToken(_ context.Context, tokenIDOrToken string, _ string, _ string) *oidc.Error
RevokeToken implements the op.Storage interface. The user id and client id arguments are ignored (`_ string, _ string`), so revocation is keyed solely on the supplied token or token id; the caller is therefore responsible for having verified that the requesting client is entitled to revoke that token — confirm this is enforced upstream.
func (*HybridStorage) SaveAuthCode ¶
SaveAuthCode implements the op.Storage interface
func (*HybridStorage) SetIntrospectionFromToken ¶
func (s *HybridStorage) SetIntrospectionFromToken(_ context.Context, _ *oidc.IntrospectionResponse, _, _, _ string) error
SetIntrospectionFromToken implements the op.Storage interface. All arguments other than ctx are ignored, so this appears to be a no-op that adds nothing to the introspection response — confirm before relying on the introspection endpoint for anything beyond token validity.
func (*HybridStorage) SetUserinfoFromRequest ¶
func (s *HybridStorage) SetUserinfoFromRequest(_ context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, scopes []string) error
SetUserinfoFromRequest implements the op.CanSetUserinfoFromRequest interface.
func (*HybridStorage) SetUserinfoFromScopes ¶
func (s *HybridStorage) SetUserinfoFromScopes(_ context.Context, _ *oidc.UserInfo, _, _ string, _ []string) error
SetUserinfoFromScopes implements the op.Storage interface. All arguments other than ctx are ignored, so this appears to be a no-op; userinfo is populated from the token instead (see SetUserinfoFromToken and SetUserinfoFromRequest).
func (*HybridStorage) SetUserinfoFromToken ¶
func (s *HybridStorage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, _ string) error
SetUserinfoFromToken implements the op.Storage interface
func (*HybridStorage) SetUserinfoFromTokenExchangeRequest ¶
func (s *HybridStorage) SetUserinfoFromTokenExchangeRequest(ctx context.Context, userinfo *oidc.UserInfo, request op.TokenExchangeRequest) error
SetUserinfoFromTokenExchangeRequest implements the op.TokenExchangeStorage interface
func (*HybridStorage) SignatureAlgorithms ¶
func (s *HybridStorage) SignatureAlgorithms(context.Context) ([]jose.SignatureAlgorithm, error)
SignatureAlgorithms implements the op.Storage interface
func (*HybridStorage) SigningKey ¶
func (s *HybridStorage) SigningKey(_ context.Context) (op.SigningKey, error)
SigningKey implements the op.Storage interface
func (*HybridStorage) StoreDeviceAuthorization ¶
func (s *HybridStorage) StoreDeviceAuthorization(_ context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes []string) error
StoreDeviceAuthorization implements op.DeviceAuthorizationStorage
func (*HybridStorage) TerminateSession ¶
func (s *HybridStorage) TerminateSession(_ context.Context, identityId string, clientID string) error
TerminateSession implements the op.Storage interface
func (*HybridStorage) TokenRequestByRefreshToken ¶
func (s *HybridStorage) TokenRequestByRefreshToken(_ context.Context, refreshToken string) (op.RefreshTokenRequest, error)
TokenRequestByRefreshToken implements the op.Storage interface
func (*HybridStorage) ValidateJWTProfileScopes ¶
func (s *HybridStorage) ValidateJWTProfileScopes(_ context.Context, _ string, scopes []string) ([]string, error)
ValidateJWTProfileScopes implements the op.Storage interface
func (*HybridStorage) ValidateTokenExchangeRequest ¶
func (s *HybridStorage) ValidateTokenExchangeRequest(_ context.Context, request op.TokenExchangeRequest) error
ValidateTokenExchangeRequest implements the op.TokenExchangeStorage interface
func (*HybridStorage) VerifyTotp ¶
func (s *HybridStorage) VerifyTotp(ctx *change.Context, code string, id string) (*AuthRequest, error)
VerifyTotp verifies the supplied TOTP code for the subject of the AuthRequest identified by `id`, updates the request's secondary authentication state, and returns the updated AuthRequest. A change context is required because successful use of a one-time TOTP recovery code removes that code.
type IdTokenClaims ¶
type IdTokenClaims struct { oidc.IDTokenClaims CustomClaims }
func (*IdTokenClaims) TotpComplete ¶
func (c *IdTokenClaims) TotpComplete() bool
type RefreshClaims ¶
type RefreshClaims struct { oidc.IDTokenClaims CustomClaims }
func (*RefreshClaims) GetAudience ¶
func (r *RefreshClaims) GetAudience() (jwt.ClaimStrings, error)
func (*RefreshClaims) GetExpirationTime ¶
func (r *RefreshClaims) GetExpirationTime() (*jwt.NumericDate, error)
func (*RefreshClaims) GetIssuedAt ¶
func (r *RefreshClaims) GetIssuedAt() (*jwt.NumericDate, error)
func (*RefreshClaims) GetIssuer ¶
func (r *RefreshClaims) GetIssuer() (string, error)
func (*RefreshClaims) GetNotBefore ¶
func (r *RefreshClaims) GetNotBefore() (*jwt.NumericDate, error)
func (*RefreshClaims) GetSubject ¶
func (r *RefreshClaims) GetSubject() (string, error)
func (*RefreshClaims) MarshalJSON ¶
func (c *RefreshClaims) MarshalJSON() ([]byte, error)
func (*RefreshClaims) UnmarshalJSON ¶
func (c *RefreshClaims) UnmarshalJSON(data []byte) error
type RefreshTokenRequest ¶
type RefreshTokenRequest struct {
RefreshClaims
}
RefreshTokenRequest is a wrapper around RefreshClaims to avoid collisions between go-jwt interface requirements and zitadel oidc interface names. Implements zitadel op.RefreshTokenRequest
func (*RefreshTokenRequest) GetAMR ¶
func (r *RefreshTokenRequest) GetAMR() []string
GetAMR implements op.RefreshTokenRequest
func (*RefreshTokenRequest) GetAudience ¶
func (r *RefreshTokenRequest) GetAudience() []string
GetAudience implements op.RefreshTokenRequest
func (*RefreshTokenRequest) GetAuthTime ¶
func (r *RefreshTokenRequest) GetAuthTime() time.Time
GetAuthTime implements op.RefreshTokenRequest
func (*RefreshTokenRequest) GetCertFingerprints ¶
func (r *RefreshTokenRequest) GetCertFingerprints() []string
func (*RefreshTokenRequest) GetClientID ¶
func (r *RefreshTokenRequest) GetClientID() string
GetClientID implements op.RefreshTokenRequest
func (*RefreshTokenRequest) GetScopes ¶
func (r *RefreshTokenRequest) GetScopes() []string
GetScopes implements op.RefreshTokenRequest
func (*RefreshTokenRequest) GetSubject ¶
func (r *RefreshTokenRequest) GetSubject() string
GetSubject implements op.RefreshTokenRequest
func (*RefreshTokenRequest) SetCurrentScopes ¶
func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string)
SetCurrentScopes implements op.RefreshTokenRequest
type Storage ¶
type Storage interface { op.Storage // Authenticate attempts to perform authentication on supplied credentials for all known authentication methods Authenticate(authCtx model.AuthContext, id string, configTypes []string) (*AuthRequest, error) // VerifyTotp will verify the supplied code for the current authentication request's subject // A change context is required for the removal of one-time TOTP recovery codes VerifyTotp(ctx *change.Context, code string, id string) (*AuthRequest, error) // IsTokenRevoked will return true if a token has been revoked. // TokenId may be a JWT token id or an identity id IsTokenRevoked(tokenId string) bool // AddClient adds an OIDC Client to the registry of valid clients. AddClient(client *Client) // GetAuthRequest returns an *AuthRequest by its id GetAuthRequest(id string) (*AuthRequest, error) }
Storage is a compound interface of op.Storage and custom storage functions