oidc

package

v0.20.0 Latest Latest Go to latest Published: Nov 11, 2022 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package oidc implements a generic OpenID Connect provider.

https://openid.net/specs/openid-connect-core-1_0.html

Index ¶

Constants
Variables
type Option
type Provider
- func New(ctx context.Context, o *oauth.Options, options ...Option) (*Provider, error)

Constants ¶

View Source

const Name = "oidc"

Name identifies the generic OpenID Connect provider.

Variables ¶

View Source

var ErrMissingAccessToken = errors.New("identity/oidc: missing access token")

ErrMissingAccessToken is returned when no access token was found.

View Source

var ErrMissingIDToken = errors.New("identity/oidc: missing id_token")

ErrMissingIDToken is returned when (usually on refresh) and identity provider failed to include an id_token in a oauth2 token.

View Source

var ErrMissingProviderURL = errors.New("identity/oidc: missing provider url")

ErrMissingProviderURL is returned when an identity provider requires a provider url does not receive one.

View Source

var ErrMissingRefreshToken = errors.New("identity/oidc: missing refresh token")

ErrMissingRefreshToken is returned if no refresh token was found.

View Source

var ErrRevokeNotImplemented = errors.New("identity/oidc: revoke not implemented")

ErrRevokeNotImplemented is returned when revoke is not implemented by an identity provider.

View Source

var ErrSignoutNotImplemented = errors.New("identity/oidc: end session not implemented")

ErrSignoutNotImplemented is returned when end session is not implemented by an identity provider https://openid.net/specs/openid-connect-frontchannel-1_0.html#RPInitiated

Functions ¶

This section is empty.

Types ¶

type Option ¶ added in v0.12.2

type Option func(*config)

An Option customizes the config.

func WithGetOauthConfig ¶ added in v0.12.2

func WithGetOauthConfig(f func(provider *oidc.Provider) *oauth2.Config) Option

WithGetOauthConfig sets the getOauthConfig function in the config.

func WithGetProvider ¶ added in v0.12.2

func WithGetProvider(f func() (*oidc.Provider, error)) Option

WithGetProvider sets the getProvider function in the config.

func WithGetVerifier ¶ added in v0.12.2

func WithGetVerifier(f func(*oidc.Provider) *oidc.IDTokenVerifier) Option

WithGetVerifier sets the getVerifier function in the config.

type Provider ¶

type Provider struct {

	// RevocationURL is the location of the OAuth 2.0 token revocation endpoint.
	// https://tools.ietf.org/html/rfc7009
	RevocationURL string `json:"revocation_endpoint,omitempty"`

	// EndSessionURL is another endpoint that can be used by other identity
	// providers that doesn't implement the revocation endpoint but a logout session.
	// https://openid.net/specs/openid-connect-frontchannel-1_0.html#RPInitiated
	EndSessionURL string `json:"end_session_endpoint,omitempty"`

	// AuthCodeOptions specifies additional key value pairs query params to add
	// to the request flow signin url.
	AuthCodeOptions map[string]string
	// contains filtered or unexported fields
}

Provider provides a standard, OpenID Connect implementation of an authorization identity provider. https://openid.net/specs/openid-connect-core-1_0.html

func New ¶

func New(ctx context.Context, o *oauth.Options, options ...Option) (*Provider, error)

New creates a new instance of a generic OpenID Connect provider.

func (*Provider) Authenticate ¶

func (p *Provider) Authenticate(ctx context.Context, code string, v identity.State) (*oauth2.Token, error)

Authenticate converts an authorization code returned from the identity provider into a token which is then converted into a user session.

func (*Provider) GetOauthConfig ¶ added in v0.12.2

func (p *Provider) GetOauthConfig() (*oauth2.Config, error)

GetOauthConfig gets the oauth.

func (*Provider) GetProvider ¶ added in v0.12.2

func (p *Provider) GetProvider() (*go_oidc.Provider, error)

GetProvider gets the underlying oidc Provider.

func (*Provider) GetSignInURL ¶

func (p *Provider) GetSignInURL(state string) (string, error)

GetSignInURL returns the url of the provider's OAuth 2.0 consent page that asks for permissions for the required scopes explicitly.

State is a token to protect the user from CSRF attacks. You must always provide a non-empty string and validate that it matches the the state query parameter on your redirect callback. See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.

func (*Provider) GetSubject ¶ added in v0.9.0

func (p *Provider) GetSubject(v interface{}) (string, error)

GetSubject gets the RFC 7519 Subject claim (`sub`) from a

func (*Provider) GetVerifier ¶ added in v0.12.2

func (p *Provider) GetVerifier() (*go_oidc.IDTokenVerifier, error)

GetVerifier gets the verifier.

func (*Provider) LogOut ¶

func (p *Provider) LogOut() (*url.URL, error)

LogOut returns the EndSessionURL endpoint to allow a logout session to be initiated. https://openid.net/specs/openid-connect-frontchannel-1_0.html#RPInitiated

func (*Provider) Name ¶ added in v0.11.0

func (p *Provider) Name() string

Name returns the provider name.

func (*Provider) Refresh ¶

func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v identity.State) (*oauth2.Token, error)

Refresh renews a user's session using an oidc refresh token without reprompting the user. Group membership is also refreshed. https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens

func (*Provider) Revoke ¶

func (p *Provider) Revoke(ctx context.Context, t *oauth2.Token) error

Revoke enables a user to revoke her token. If the identity provider does not support revocation an error is thrown.

https://tools.ietf.org/html/rfc7009#section-2.1

func (*Provider) UpdateUserInfo ¶ added in v0.10.0

func (p *Provider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error

UpdateUserInfo calls the OIDC (spec required) UserInfo Endpoint as well as any groups endpoint (non-spec) to populate the rest of the user's information.

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
auth0 Package auth0 implements OpenID Connect for auth0	Package auth0 implements OpenID Connect for auth0
azure Package azure implements OpenID Connect for Microsoft Azure	Package azure implements OpenID Connect for Microsoft Azure
gitlab Package gitlab implements OpenID Connect for Gitlab	Package gitlab implements OpenID Connect for Gitlab
google Package google implements OpenID Connect for Google and GSuite.	Package google implements OpenID Connect for Google and GSuite.
okta Package okta implements OpenID Connect for okta	Package okta implements OpenID Connect for okta
onelogin Package onelogin implements OpenID Connect for OneLogin	Package onelogin implements OpenID Connect for OneLogin
ping Package ping implements OpenID Connect for Ping	Package ping implements OpenID Connect for Ping

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL