Documentation
Index ¶
- Constants
- func CreateRandomToken(s uint8) string
- func NewPrivateKey(data []byte) (*rsa.PrivateKey, error)
- func NewPrivateKeyFromFile(path string) (*rsa.PrivateKey, error)
- func NewSignature(payload []byte, signingKey *rsa.PrivateKey) (string, error)
- type Access
- type Auth
- type Client
- func (c *Client) EncodeClientAssertionToken(tokenID string) (string, error)
- func (c *Client) NewAccessFromAuthorizationCode(authorizationCode string) (Access, error)
- func (c *Client) NewAuthToken(scope string, state string, nonce string, promptConcent bool) (string, error)
- func (c *Client) NewIdentityFromAuthorizationCode(authorizationCode string) (Identity, error)
- type ClientAssertion
- type Identity
- func DecodeIdentityToken(token string, encryptionKey *rsa.PrivateKey, k PublicKeyProvider) (Identity, error)
- type PublicKeyProvider
Constants ¶
const ClientAssertionClaimExpiration = 600
Variables ¶
This section is empty.
Functions ¶
func CreateRandomToken ¶
func CreateRandomToken(s uint8) string
func NewPrivateKey ¶
func NewPrivateKey(data []byte) (*rsa.PrivateKey, error)
func NewPrivateKeyFromFile ¶
func NewPrivateKeyFromFile(path string) (*rsa.PrivateKey, error)
func NewSignature ¶
func NewSignature(payload []byte, signingKey *rsa.PrivateKey) (string, error)
NewSignature signs the payload and returns a serialized JWS token.
Types ¶
type Access ¶
type Access struct {
	Token            string `json:"access_token"`
	Type             string `json:"token_type"`
	ExpiresIn        int    `json:"expires_in"`
	IDToken          string `json:"id_token"`
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}
Access attributes returned from /oauth/token https://github.com/op-developer/Identity-Service-Broker-API#8-post-oauthtoken
type Auth ¶
type Auth struct {
	ClientID     string `json:"client_id"`
	Scope        string `json:"scope"`
	RedirectURL  string `json:"redirect_uri"`
	ResponseType string `json:"response_type"`    // value must be code
	Nonce        string `json:"nonce"`            // make sure that the nonce attribute in the ID Token matches (mitigate replay attacks)
	State        string `json:"state"`            // state between request and callback (eg session id)
	Locales      string `json:"ui_locales"`       // interface language
	Prompt       string `json:"prompt,omitempty"` // can be set to consent to indicate that the user should be asked to consent to personal data being transferred
}
Auth attributes for /oauth/authorize https://github.com/op-developer/Identity-Service-Broker-API#7-getpost-oauthauthorize
type Client ¶
type Client struct {
	ID                       string
	EncryptionKey            *rsa.PrivateKey
	SigningKey               *rsa.PrivateKey
	AuthURL                  string
	TokenURL                 string
	CallbackURL              string
	Locales                  string
	AssertionClaimExpiration int64
	KeyStore                 PublicKeyProvider
}
func (*Client) EncodeClientAssertionToken ¶
func (c *Client) EncodeClientAssertionToken(tokenID string) (string, error)
func (*Client) NewAccessFromAuthorizationCode ¶
func (c *Client) NewAccessFromAuthorizationCode(authorizationCode string) (Access, error)
func (*Client) NewAuthToken ¶
func (c *Client) NewAuthToken(scope string, state string, nonce string, promptConcent bool) (string, error)
func (*Client) NewIdentityFromAuthorizationCode ¶
func (c *Client) NewIdentityFromAuthorizationCode(authorizationCode string) (Identity, error)
type ClientAssertion ¶
type ClientAssertion struct {
	Issuer           string `json:"iss"` // This must contain the client_id.
	Subject          string `json:"sub"` // This must contain the client_id.
	Audience         string `json:"aud"` // The aud (audience) Claim. This must match the ISB's token endpoint URL.
	JWTID            string `json:"jti"` // A unique identifier for JWS tokens, which can be used to prevent reuse of the token. These identifiers must only be used once. ISB checks if this jti has already been used and if it has ISB will respond with an error.
	Expiration       int64  `json:"exp"` // Expiration time for the token. This is seconds since UNIX epoch (UTC). Suggested time is 600 seconds in the future. ISB checks that the JWS has not expired. If it has expired the ISB will respond with an error.
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}
ClientAssertion attributes for /oauth/token https://github.com/op-developer/Identity-Service-Broker-API#8-post-oauthtoken
type Identity ¶
type Identity struct {
	Audience             string `json:"aud"`                    // Audience this ID Token is intended for. It MUST contain the SP client_id
	Expiration           int64  `json:"exp"`                    // Expiration time in seconds since UNIX epoch on or after which the ID Token MUST NOT be accepted for processing.
	Nonce                string `json:"nonce"`                  // Case sensitive string from the authentication request to associate an end-user with an ID token and to mitigate replay attacks
	Birthdate            string `json:"birthdate"`
	GivenName            string `json:"given_name"`
	FamilyName           string `json:"family_name"`
	Name                 string `json:"name"`                   // Family name and given name
	PersonalIdentityCode string `json:"personal_identity_code"` // The Finnish personal identity code
}
Identity attributes decoded from ID token https://github.com/op-developer/Identity-Service-Broker-API#9-identity-token
func DecodeIdentityToken ¶
func DecodeIdentityToken(token string, encryptionKey *rsa.PrivateKey, k PublicKeyProvider) (Identity, error)
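Added example (not the library's own code): a relying-party check of the three security claims the Identity field comments above call for, aud, exp and nonce, after DecodeIdentityToken has verified the token's signature. ValidateIdentity is a hypothetical helper; it assumes the caller kept the nonce it sent in Auth, and the struct is trimmed to the fields the checks use.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Identity mirrors the page's Identity struct, keeping only the claims checked here.
type Identity struct {
	Audience   string `json:"aud"`
	Expiration int64  `json:"exp"`
	Nonce      string `json:"nonce"`
	Name       string `json:"name"`
}

// ValidateIdentity rejects an ID token whose aud is not this SP's client_id, whose
// exp has been reached, or whose nonce differs from the one sent in /oauth/authorize.
// now is passed in so the check is deterministic. Hypothetical helper, not in the library.
func ValidateIdentity(id Identity, clientID, expectedNonce string, now time.Time) error {
	// The page types aud as a single string, so an exact match is the strict reading of "MUST contain".
	if id.Audience != clientID {
		return fmt.Errorf("aud %q does not match client_id %q", id.Audience, clientID)
	}
	// "on or after which the ID Token MUST NOT be accepted": exp equal to now is already expired.
	if !now.Before(time.Unix(id.Expiration, 0)) {
		return errors.New("id token expired")
	}
	// Nonce is case sensitive. An empty expected nonce means no nonce was sent, which
	// would leave the replay check meaningless, so that is treated as a failure too.
	if expectedNonce == "" || id.Nonce != expectedNonce {
		return errors.New("nonce mismatch")
	}
	return nil
}

func main() {
	// Constructed sample values, not real tokens.
	now := time.Unix(1700000000, 0)
	id := Identity{Audience: "sp-client-id", Expiration: now.Unix() + 300, Nonce: "n-1", Name: "Meikäläinen Matti"}
	fmt.Println(ValidateIdentity(id, "sp-client-id", "n-1", now)) // <nil>
	fmt.Println(ValidateIdentity(id, "sp-client-id", "n-2", now)) // nonce mismatch
}
```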