oidc

package module

v0.0.0-...-1f03736 Latest Latest Go to latest Published: Feb 14, 2022 License: MIT Imports: 7 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/osstotalsoft/oidc-jwt-go

Links

Open Source Insights

README ¶

oidc-jwt-go

OpenID Connect package to secure your API using JWT Bearer tokens. It uses dgrijalva/jwt-go for jwt decoding and signature verification

Installation

go get "github.com/osstotalsoft/oidc-jwt-go"

Usage

import (
	"log"
	"net/http"

	jwtRequest "github.com/golang-jwt/jwt/request"
	"github.com/osstotalsoft/oidc-jwt-go"
)

func middleware() func(next http.Handler) http.Handler {
	authority := "https://accounts.google.com" //or other OIDC provider
	audience := "YOUR_API_NAME"

	secretProvider := oidc.NewOidcSecretProvider(discovery.NewClient(discovery.Options{authority}))
	validator := oidc.NewJWTValidator(jwtRequest.OAuth2Extractor, secretProvider, audience, authority)

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
			token, err := validator(request)
			if err != nil {
				log.Error("AuthorizationFilter: Token is not valid", err)
				UnauthorizedWithHeader(writer, err.Error())
				return
			}
			next.ServeHttp(writer, request)
		})
	}
}

//UnauthorizedWithHeader adds to the response a WWW-Authenticate header and returns a StatusUnauthorized error
func UnauthorizedWithHeader(writer http.ResponseWriter, err string) {
	writer.Header().Set("WWW-Authenticate", "Bearer error=\"invalid_token\", error_description=\""+err+"\"")
	http.Error(writer, "", http.StatusUnauthorized)
}

Caching

The Secret Provider uses a simple sync.Map, with no expiration, to cache the rsa.PublicKey by a Key ID string

TODO

Token Introspection rfc7662
UserInfo UserInfo

Similar projects

Documentation ¶

Index ¶

func NewJWTValidator(extractor jwtRequest.Extractor, provider SecretProvider, audience string, ...) func(request *http.Request) (*jwt.Token, error)
func NewOidcSecretProvider(configurationDiscoverer discovery.Discoverer) *oidcSecretProvider
type SecretProvider
- func NewKeyProvider(publicKey *rsa.PublicKey) SecretProvider
type SecretProviderFunc
- func (f SecretProviderFunc) GetSecret(tokenKeyId string) (*rsa.PublicKey, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewJWTValidator ¶

func NewJWTValidator(extractor jwtRequest.Extractor, provider SecretProvider, audience string, authority string) func(request *http.Request) (*jwt.Token, error)

func NewOidcSecretProvider ¶

func NewOidcSecretProvider(configurationDiscoverer discovery.Discoverer) *oidcSecretProvider

Types ¶

type SecretProvider ¶

type SecretProvider interface {
	GetSecret(tokenKeyId string) (key *rsa.PublicKey, err error)
}

func NewKeyProvider ¶

func NewKeyProvider(publicKey *rsa.PublicKey) SecretProvider

NewKeyProvider provide a simple passphrase key provider.

type SecretProviderFunc ¶

type SecretProviderFunc func(tokenKeyId string) (*rsa.PublicKey, error)

func (SecretProviderFunc) GetSecret ¶

func (f SecretProviderFunc) GetSecret(tokenKeyId string) (*rsa.PublicKey, error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
discovery

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL