scope

README

scope

scope is a Go library for validating OIDC token scopes. It allows you to verify if tokens meet validation requirements described in the RFC6749 document.

Using the Go library

The following example illustrates how to verify the OIDC scope string. The scope must include the openid token.

import (
    "fmt"
    "strings"

    "github.com/qba73/scope"
)

func main() {
    scopes := []string{"openid myscope email", "myscope email"}
    
    for +, s := range scopes {
        if !scope.ValidOIDC(s) {
            fmt.Println("invalid scope")
        }
    }
}

The following example illustrates how to verify tokens in the scope. Note that func Valid() validates if tokens do not contain unsupported characters.

import (
    "fmt"
    "strings"

    "github.com/qba73/scope"
)

func main() {
    tokens := "openid myscope email"
    
    for _, token := range strings.Split(tokens, "+") {
        if !scope.Valid(token) {
            fmt.Printf("scope/token %v is not valid\n", token)
        }
        fmt.Printf("scope/token %v is valid\n", token)
    }
}

Bugs and feature requests

If you find a bug in the scope library, please open an issue. Similarly, if you'd like a feature added or improved, let me know via an issue.

Pull requests welcome!

Documentation

Overview

Package scope provides functions for validating OIDC scopes.

Index

• func Valid(s string) bool
• func ValidOIDC(s string) bool

Examples

• Valid (InvalidTokens)
• Valid (ValidTokens)
• ValidOIDC (InvalidTokens)
• ValidOIDC (MissingRequiredToken)
• ValidOIDC (ValidTokens)

Functions

func Valid

func Valid(s string) bool

Valid takes a string representing token scope and validates if the token conforms to RFC6749. If the token does not contain invalid characters it returns true, false otherwise.

Ref. https://datatracker.ietf.org/doc/html/rfc6749#section-3.3

Example (InvalidTokens)

package main

import (
	"fmt"

	"github.com/qba73/scope"
)

func main() {
	fmt.Println(scope.Valid("my\x18scope+second\x7fScope"))
}

Output:

false

Example (ValidTokens)

package main

import (
	"fmt"

	"github.com/qba73/scope"
)

func main() {
	fmt.Println(scope.Valid("myscope"))
}

Output:

true

func ValidOIDC

func ValidOIDC(s string) bool

ValidOIDC takes a string representing OIDC scope and validates if all tokens in the scope conforms to RFC6749. The input string (scope) is expected to have the following formats:

`openid+scope1+scope2` `scope1+openid+scope2`

Tokens should be separated by `+` sign. Order of tokens does not matter. ValidOIDC checks if the mandatory token `openid` is present in the scope. If it is not present the func returns false. If any token in the scope contains invalid characters the func will return false.

Ref.

• https://openid.net/specs/openid-connect-core-1_0.html section 3.1.2.1 (Authentication Request)
• https://datatracker.ietf.org/doc/html/rfc6749#section-3.3

Example (InvalidTokens)

package main

import (
	"fmt"

	"github.com/qba73/scope"
)

func main() {
	fmt.Println(scope.ValidOIDC("openid m\x7fyscope"))
}

Output:

false

Example (MissingRequiredToken)

package main

import (
	"fmt"

	"github.com/qba73/scope"
)

func main() {
	fmt.Println(scope.ValidOIDC("secondScope email"))
}

Output:

false

Example (ValidTokens)

package main

import (
	"fmt"

	"github.com/qba73/scope"
)

func main() {
	fmt.Println(scope.ValidOIDC("openid myscope"))
}

Output:

true