Documentation
Overview ¶
- Authorization request & access token request: authorize.go
- Pushed Authorization request: par.go
- userinfo request: userinfo.go
- introspect request: introspect.go
- refresh_token request: refresh_token.go
Index ¶
- func ParsePrivateKey(filename string) (crypto.PrivateKey, error)
- func ValidateConfig(config *OIDCClientConfig) bool
- type JSONAccessTokenResponse
- type JwtProfileClaims
- type OIDCClient
- func (c *OIDCClient) ClientCredentialsFlow() error
- func (c *OIDCClient) EndSession(token, postLogoutRedirectUri string) error
- func (c *OIDCClient) GenerateJwtProfile(endpoint string) (string, error)
- func (c *OIDCClient) GenerateRequestJwt() (string, error)
- func (c *OIDCClient) GetLogger() hclog.Logger
- func (c *OIDCClient) Info()
- func (c *OIDCClient) IntrospectToken(token string) error
- func (c *OIDCClient) OIDCAuthorizationCodeFlow() error
- func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerification bool) error
- func (c *OIDCClient) Revoke(token string) error
- func (c *OIDCClient) SetDefaultOutput()
- func (c *OIDCClient) TokenExchangeFlow(...) error
- type OIDCClientConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ParsePrivateKey ¶ added in v0.22.0
func ParsePrivateKey(filename string) (crypto.PrivateKey, error)
ParsePrivateKey parses a PEM private key file and returns a crypto.PrivateKey interface.
func ValidateConfig ¶
func ValidateConfig(config *OIDCClientConfig) bool
ValidateConfig validates the given config.
Types ¶
type JSONAccessTokenResponse ¶
// JSONAccessTokenResponse holds the fields of a token response in JSON form;
// the key of each field is given by its json tag.
//
// NOTE(review): access_token, refresh_token and id_token are bearer
// credentials. The *File fields of OIDCClientConfig suggest this struct is
// persisted to disk — confirm the write site restricts file permissions.
type JSONAccessTokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Scope        string `json:"scope"`
	IDToken      string `json:"id_token"`
	TokenType    string `json:"token_type"`
	Nonce        string `json:"nonce"`
	// NOTE: this is reformatted as Human readable time
	ExpiresInHumanReadable string `json:"expires_in_human_readable"`
}
JSONAccessTokenResponse is the JSON form of an access token response.
type JwtProfileClaims ¶
// JwtProfileClaims is the claim set embedded in a signed JWT profile
// (presumably the assertion built by GenerateJwtProfile — verify at the caller).
type JwtProfileClaims struct {
	// the `jti` (JWT ID) claim.
	Jti string `json:"jti,omitempty"`
	// the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
	Audience string `json:"aud,omitempty"`
	// NOTE(review): if jwt is golang-jwt, RegisteredClaims also carries
	// Audience and ID fields; Jti and Audience declared here sit at a
	// shallower depth and therefore win when encoding to JSON — confirm
	// this (single-string aud) is the intended wire form.
	jwt.RegisteredClaims
}
type OIDCClient ¶
// OIDCClient performs the OAuth 2.0 / OIDC flows exposed by its methods
// (authorization code, client credentials, refresh token, token exchange,
// introspection, revocation and end session). All fields are unexported;
// construct it with NewOIDCClient.
type OIDCClient struct {
	// contains filtered or unexported fields
}
func NewOIDCClient ¶
func NewOIDCClient(c *OIDCClientConfig, privateKey oauthx.OAuthPrivateKey, clientCert tls.Certificate, l hclog.Logger) (_ *OIDCClient, err error)
NewOIDCClient creates a new OIDC client.
func (*OIDCClient) ClientCredentialsFlow ¶ added in v0.22.0
func (c *OIDCClient) ClientCredentialsFlow() error
func (*OIDCClient) EndSession ¶ added in v0.22.0
func (c *OIDCClient) EndSession(token, postLogoutRedirectUri string) error
func (*OIDCClient) GenerateJwtProfile ¶
func (c *OIDCClient) GenerateJwtProfile(endpoint string) (string, error)
func (*OIDCClient) GenerateRequestJwt ¶
func (c *OIDCClient) GenerateRequestJwt() (string, error)
func (*OIDCClient) GetLogger ¶ added in v0.22.0
func (c *OIDCClient) GetLogger() hclog.Logger
func (*OIDCClient) IntrospectToken ¶
func (c *OIDCClient) IntrospectToken(token string) error
IntrospectToken introspects the token.
func (*OIDCClient) OIDCAuthorizationCodeFlow ¶
func (c *OIDCClient) OIDCAuthorizationCodeFlow() error
OIDCAuthorizationCodeFlow starts an HTTP server and sets a handler for performing the authorization code flow.
func (*OIDCClient) RefreshTokenFlow ¶
func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerification bool) error
RefreshTokenFlow renews the token via the refresh_token request.
ref: https://github.com/nonbeing/awsconsoleauth/blob/master/http.go#L46
func (*OIDCClient) Revoke ¶ added in v0.22.0
func (c *OIDCClient) Revoke(token string) error
func (*OIDCClient) SetDefaultOutput ¶
func (c *OIDCClient) SetDefaultOutput()
SetDefaultOutput sets the default output file names.
func (*OIDCClient) TokenExchangeFlow ¶ added in v0.23.0
func (c *OIDCClient) TokenExchangeFlow(subjectToken, subjectTokenType, requestedTokenType, actorToken, actorTokenType string) error
TokenExchangeFlow performs an RFC 8693 token exchange.
type OIDCClientConfig ¶
// OIDCClientConfig is the YAML-backed client configuration. Key names,
// constraints and defaults are given by the yaml, validate and default tags;
// fields without a yaml tag are not read from the config file.
type OIDCClientConfig struct {
	// ClientID is required.
	ClientID string `yaml:"client_id" validate:"required"`
	// ClientSecret is a client credential; config files holding it are sensitive.
	ClientSecret string `yaml:"client_secret" `
	// AuthMethod is required and must be one of the values listed in the validate tag.
	AuthMethod string `yaml:"auth_method" validate:"required,oneof=none client_secret_basic client_secret_post private_key_jwt tls_client_auth"`
	ClientIDParamForTokenEndpoint bool `yaml:"always_set_client_id_for_token_endpoint" default:"false"`
	UsePKCE bool `yaml:"use_pkce"`
	PKCEChallengeMethod string `yaml:"pkce_challenge_method"`
	// PKCECodeLength has no yaml tag.
	PKCECodeLength int
	// FakePKCEVerifier has no yaml tag; the name suggests a test hook that
	// weakens PKCE — NOTE(review): confirm it is never set outside tests.
	FakePKCEVerifier bool
	AccessTokenJwt bool `yaml:"access_token_jwt"`
	RefreshTokenJwt bool `yaml:"refresh_token_jwt"`
	Scopes []string `yaml:"scopes" `
	Audience []string `yaml:"audiences"`
	AcrValues string `yaml:"acr_values"`
	// Issuer is required.
	Issuer string `yaml:"issuer" validate:"required"`
	Claims string `yaml:"oidc_claims_param"`
	// ParseClaims has no yaml tag; presumably the parsed form of Claims — confirm in UnmarshalYAML.
	ParseClaims *oauthx.OpenIdRequestedClaimsParam
	AuthorizationDetailsInput string `yaml:"authorization_details"`
	// AuthorizationDetails has no yaml tag; presumably parsed from AuthorizationDetailsInput — confirm in UnmarshalYAML.
	AuthorizationDetails oauthx.AuthorizationDetails
	TokenEndpoint string `yaml:"token_endpoint" `
	AuthorizeEndpoint string `yaml:"authorize_endpoint" `
	UserinfoEndpoint string `yaml:"userinfo_endpoint" `
	JwksEndpoint string `yaml:"jwks_endpoint"`
	IntrospectEndpoint string `yaml:"introspect_endpoint"`
	PAREndpoint string `yaml:"par_endpoint"`
	EndSessionEndpoint string `yaml:"endsession_endpoint"`
	RevocationEndpoint string `yaml:"revocation_endpoint"`
	AlternativeWellKnownEndpoint string `yaml:"alternative_wellknown_endpoint"`
	// NOTE(review): the name suggests a relaxed discovery fetch; confirm what
	// check it disables at the call site before enabling it.
	InsecureWellKnownEndpoint bool `yaml:"insecure_wellknown_endpoint"`
	UsePAR bool `yaml:"use_par"`
	PARIntrospectEndpointWellKnownKey string `yaml:"par_endpoint_wellknown_key"`
	PARAdditionalParameter map[string]string `yaml:"par_additional_parameters"`
	AuthorizeAdditionalParameter map[string]string `yaml:"authorize_additional_parameters"`
	// TokenSigningAlg is required.
	TokenSigningAlg []string `yaml:"token_signing_alg" validate:"required"`
	// TokenEncryptionAlg entries are each restricted to the algorithms in the validate tag.
	TokenEncryptionAlg []string `yaml:"token_encryption_alg" validate:"dive,oneof=ECDH-ES RSA-OAEP RSA-OAEP-256 ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW"`
	AllowNonCompliantAmr bool `yaml:"allow_non_compliant_amr" default:"false"`
	AMRWhitelist []string `yaml:"amr_list"`
	ACRWhitelist []string `yaml:"acr_list"`
	RedirectUri string `yaml:"override_redirect_uri"`
	UseRequestParameter bool `yaml:"use_request_parameter" default:"false"`
	StrictOIDCAndRCF6749Param bool `yaml:"strict_oidc_rcf6749_param" default:"false"`
	LegacyRequestJwtHeaderType bool `yaml:"legacy_request_jwt_header_type" default:"false"`
	// JwtProfileTokenDuration defaults to 5m.
	JwtProfileTokenDuration time.Duration `yaml:"jwt_profile_token_duration" default:"5m"`
	JwtProfileAudiance string `yaml:"jwt_profile_token_audiance" `
	JwtProfilePARAudiance string `yaml:"jwt_profile_par_endpoint_audiance" `
	JwtProfileTokenAudiance string `yaml:"jwt_profile_token_endpoint_audiance" `
	JwtProfileRevocationAudiance string `yaml:"jwt_profile_revocation_endpoint_audiance" `
	JwtProfileIntrospectionAudiance string `yaml:"jwt_profile_introspection_endpoint_audiance" `
	JwtProfileEndpointAsAudiance bool `yaml:"jwt_profile_endpoint_audiance" default:"false"`
	// JwtRequestTokenDuration defaults to 5m.
	JwtRequestTokenDuration time.Duration `yaml:"jwt_request_token_duration" default:"5m"`
	JwtRequestAudiance string `yaml:"jwt_request_token_audiance" `
	JwtRequestAdditionalParameter map[string]interface{} `yaml:"jwt_request_token_additional_parameters"`
	// JwtSigningAlg is required, defaults to RS256 and must be one of the
	// asymmetric algorithms in the validate tag.
	JwtSigningAlg string `yaml:"jwt_signing_alg" default:"RS256" validate:"required,oneof=ES256 ES384 ES512 RS256 RS384 RS512"`
	HttpClientConfig *client_http.HttpClientConfig `yaml:"http_client_config" `
	// Mock
	// The Mock* fields have no yaml tag. NOTE(review): fixing state, nonce or
	// code_verifier to a known value presumably removes the randomness those
	// parameters rely on — confirm these are test-only hooks.
	MockState string
	MockNonce string
	MockCodeVerifier string
	// keep server running during authorization code flow
	//
	KeepRunning bool
	// Output
	OutputEnabled bool
	OutputDir string
	AccessTokenRespFile string
	IDTokenFile string
	AccessTokenFile string
	RefreshTokenFile string
	UserinfoFile string
	IntrospectFile string
	// NOTE: default is false
	// NOTE(review): the name implies TLS certificate verification is disabled
	// when true — confirm at the HTTP client setup; keep false outside test environments.
	SkipTLSVerification bool `yaml:"skip_tls_verification"`
	// NOTE: default is false
	SkipUserinfo bool `yaml:"skip_userinfo_call"`
	// Listen Address
	ListenAddress string
	// Listen Port
	ListenPort int
}
func ParseConfig ¶
func ParseConfig(configFile string) (*OIDCClientConfig, error)
ParseConfig parses the config file.
func (*OIDCClientConfig) UnmarshalYAML ¶
func (c *OIDCClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
Source Files
¶