sso

package
Published: Jan 4, 2026 License: Apache-2.0 Imports: 24 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

// Config holds the SSO plugin configuration; DefaultConfig supplies the defaults
// and the With* PluginOptions override individual fields.
type Config struct {
	// Protocol enablement
	AllowSAML bool `json:"allowSAML"`
	AllowOIDC bool `json:"allowOIDC"`

	// JIT (Just-in-Time) user provisioning
	// NOTE(review): with AutoProvision on, every identity asserted by a registered
	// provider becomes a local user holding DefaultRole — keep DefaultRole least-privilege.
	AutoProvision    bool   `json:"autoProvision"`    // Automatically create users on first SSO login
	UpdateAttributes bool   `json:"updateAttributes"` // Update existing user attributes from SSO
	DefaultRole      string `json:"defaultRole"`      // Default role for provisioned users (e.g., "member")

	// Attribute mapping from user fields to SSO attribute names
	// Example: {"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
	AttributeMapping map[string]string `json:"attributeMapping"`

	// SAML configuration
	// NOTE(review): when RequireEncryption is false, plaintext assertions are accepted;
	// confirm ValidateSAMLResponse still enforces signature checks in that mode.
	SAMLMetadataURL   string `json:"samlMetadataURL"`
	SAMLACS           string `json:"samlACS"`           // Assertion Consumer Service URL
	RequireEncryption bool   `json:"requireEncryption"` // Require encrypted SAML assertions

	// OIDC configuration
	OIDCRedirectURL string `json:"oidcRedirectURL"` // Callback URL sent to the IdP; per-provider OIDCRedirectURI may override it (confirm)
}

Config holds the SSO plugin configuration

func DefaultConfig

func DefaultConfig() Config

DefaultConfig returns the default SSO plugin configuration

type DiscoverProviderRequest

// DiscoverProviderRequest represents a request to discover SSO provider by email.
// NOTE(review): discovery answers whether an email's domain has SSO configured;
// treat the endpoint as an enumeration surface (rate limit, do not leak more than ProviderDiscoveredResponse).
type DiscoverProviderRequest struct {
	Email string `json:"email" validate:"required,email"` // Validated as a syntactically valid, non-empty email by the tag
}

DiscoverProviderRequest represents a request to discover SSO provider by email

type ErrorResponse

type ErrorResponse = responses.ErrorResponse

Response types - use shared responses from core

type Handler

// Handler exposes the SSO HTTP endpoints (provider registration, SAML/OIDC login and
// callbacks, SP metadata); construct it with NewHandler or NewHandlerWithLogger around a *Service.
type Handler struct {
	// contains filtered or unexported fields
}

func NewHandler

func NewHandler(svc *Service) *Handler

func NewHandlerWithLogger

func NewHandlerWithLogger(svc *Service, logger forge.Logger) *Handler

func (*Handler) OIDCCallback

func (h *Handler) OIDCCallback(c forge.Context) error

OIDCCallback handles OIDC callback and provisions user

func (*Handler) OIDCLogin

func (h *Handler) OIDCLogin(c forge.Context) error

OIDCLogin initiates OIDC authentication flow with PKCE

func (*Handler) RegisterProvider

func (h *Handler) RegisterProvider(c forge.Context) error

RegisterProvider registers a new SSO provider (SAML or OIDC)

func (*Handler) SAMLCallback

func (h *Handler) SAMLCallback(c forge.Context) error

SAMLCallback handles SAML response callback and provisions user

func (*Handler) SAMLLogin

func (h *Handler) SAMLLogin(c forge.Context) error

SAMLLogin initiates SAML authentication by generating AuthnRequest

func (*Handler) SAMLSPMetadata

func (h *Handler) SAMLSPMetadata(c forge.Context) error

SAMLSPMetadata returns Service Provider metadata

type MessageResponse

type MessageResponse = responses.MessageResponse

type MetadataResponse

// MetadataResponse represents SAML SP metadata as returned by SAMLSPMetadata.
type MetadataResponse struct {
	Metadata string `json:"metadata"` // SP metadata document; Service.SPMetadata currently returns a minimal placeholder
}

MetadataResponse represents SAML SP metadata

type OIDCLoginRequest

// OIDCLoginRequest represents a request to initiate OIDC login.
// NOTE(review): State and Nonce are client-supplied here; confirm OIDCLogin generates
// them server-side when empty and binds them to the stored OIDCState rather than
// trusting caller-chosen values.
type OIDCLoginRequest struct {
	// Where the IdP sends the user back; NOTE(review): confirm it is checked against
	// the provider's registered OIDCRedirectURI before being placed in the auth URL.
	RedirectURI string `json:"redirectUri"`
	State       string `json:"state"` // CSRF binding value echoed back on the callback
	Nonce       string `json:"nonce"` // Replay binding later compared against the ID token (ValidateOIDCIDToken takes it)
	Scope       string `json:"scope"` // Optional custom scope
}

OIDCLoginRequest represents a request to initiate OIDC login

type OIDCLoginResponse

// OIDCLoginResponse represents the response to OIDC login initiation.
// The PKCE code verifier is deliberately not part of this response; it stays in OIDCState.
type OIDCLoginResponse struct {
	AuthURL    string `json:"authUrl"`    // IdP authorization URL the client should redirect to
	State      string `json:"state"`      // State value the callback must carry back
	Nonce      string `json:"nonce"`      // Nonce embedded in the authorization request
	ProviderID string `json:"providerId"` // Provider the flow was started against
}

OIDCLoginResponse represents the response to OIDC login initiation

type OIDCState

// OIDCState represents OIDC flow state data held in StateStore between login
// initiation and the callback.
type OIDCState struct {
	State        string // Key under which StateStore indexes this entry
	Nonce        string // Expected nonce; passed to ValidateOIDCIDToken on callback
	CodeVerifier string // PKCE verifier; used only in ExchangeOIDCCode and never returned in OIDCLoginResponse
	ProviderID   string
	RedirectURI  string // Redirect URI the flow was started with; must be repeated on code exchange
	CreatedAt    time.Time
	// NOTE(review): confirm StateStore.Get rejects entries past ExpiresAt and that
	// Delete is called after a successful callback so a state value cannot be replayed.
	ExpiresAt time.Time
}

OIDCState represents OIDC flow state data

type Plugin

// Plugin wires the SSO service and registers routes under /api/auth/sso
// (see RegisterRoutes); configure it through NewPlugin's PluginOptions.
type Plugin struct {
	// contains filtered or unexported fields
}

Plugin wires the SSO service and registers routes

func NewPlugin

func NewPlugin(opts ...PluginOption) *Plugin

NewPlugin creates a new SSO plugin instance with optional configuration

func (*Plugin) ID

func (p *Plugin) ID() string

func (*Plugin) Init

func (p *Plugin) Init(authInst core.Authsome) error

Init accepts an auth instance that exposes a GetDB method

func (*Plugin) Migrate

func (p *Plugin) Migrate() error

Migrate creates required tables and indexes for SSO providers

func (*Plugin) RegisterHooks

func (p *Plugin) RegisterHooks(_ *hooks.HookRegistry) error

func (*Plugin) RegisterRoutes

func (p *Plugin) RegisterRoutes(router forge.Router) error

RegisterRoutes mounts SSO endpoints under /api/auth/sso

func (*Plugin) RegisterServiceDecorators

func (p *Plugin) RegisterServiceDecorators(_ *registry.ServiceRegistry) error

type PluginOption

type PluginOption func(*Plugin)

PluginOption is a functional option for configuring the SSO plugin

func WithAllowOIDC

func WithAllowOIDC(allow bool) PluginOption

WithAllowOIDC sets whether OIDC is enabled

func WithAllowSAML

func WithAllowSAML(allow bool) PluginOption

WithAllowSAML sets whether SAML is enabled

func WithAutoProvision

func WithAutoProvision(enable bool) PluginOption

WithAutoProvision sets whether auto-provisioning is enabled

func WithDefaultConfig

func WithDefaultConfig(cfg Config) PluginOption

WithDefaultConfig sets the default configuration for the plugin

func WithOIDCRedirectURL

func WithOIDCRedirectURL(url string) PluginOption

WithOIDCRedirectURL sets the OIDC redirect URL

func WithRequireEncryption

func WithRequireEncryption(require bool) PluginOption

WithRequireEncryption sets whether encrypted assertions are required

func WithSAMLACS

func WithSAMLACS(acs string) PluginOption

WithSAMLACS sets the SAML assertion consumer service URL

func WithSAMLMetadataURL

func WithSAMLMetadataURL(url string) PluginOption

WithSAMLMetadataURL sets the SAML metadata URL

type ProviderDetailResponse

// ProviderDetailResponse represents detailed SSO provider information.
// It intentionally carries no credential material: the SAML certificate is reduced
// to HasSAMLCert and the OIDC client secret has no field at all.
type ProviderDetailResponse struct {
	ProviderID       string            `json:"providerId"`
	Type             string            `json:"type"`
	Domain           string            `json:"domain,omitempty"`
	AttributeMapping map[string]string `json:"attributeMapping,omitempty"`

	// SAML info (without sensitive data)
	SAMLEntryPoint string `json:"samlEntryPoint,omitempty"`
	SAMLIssuer     string `json:"samlIssuer,omitempty"`
	HasSAMLCert    bool   `json:"hasSamlCert,omitempty"` // Presence flag only; the certificate itself is not returned

	// OIDC info (without sensitive data)
	OIDCClientID    string `json:"oidcClientID,omitempty"`
	OIDCIssuer      string `json:"oidcIssuer,omitempty"`
	OIDCRedirectURI string `json:"oidcRedirectURI,omitempty"`

	CreatedAt string `json:"createdAt"` // Formatted timestamp; format not visible here
	UpdatedAt string `json:"updatedAt"`
}

ProviderDetailResponse represents detailed SSO provider information

type ProviderDiscoveredResponse

// ProviderDiscoveredResponse represents the result of provider discovery.
type ProviderDiscoveredResponse struct {
	Found      bool   `json:"found"`                // False when no provider matches the email's domain
	ProviderID string `json:"providerId,omitempty"` // Set only when Found
	Type       string `json:"type,omitempty"`       // "saml" or "oidc" when Found
}

ProviderDiscoveredResponse represents the result of provider discovery

type ProviderInfo

// ProviderInfo represents basic SSO provider information as listed in ProviderListResponse.
type ProviderInfo struct {
	ProviderID string `json:"providerId"`
	Type       string `json:"type"`
	Domain     string `json:"domain,omitempty"`
	CreatedAt  string `json:"createdAt"`
}

ProviderInfo represents basic SSO provider information

type ProviderListResponse

// ProviderListResponse represents a list of SSO providers.
type ProviderListResponse struct {
	Providers []ProviderInfo `json:"providers"`
	Total     int            `json:"total"` // Total count; whether it can exceed len(Providers) (pagination) is not visible here
}

ProviderListResponse represents a list of SSO providers

type ProviderRegisteredResponse

// ProviderRegisteredResponse represents a successful provider registration.
type ProviderRegisteredResponse struct {
	ProviderID string `json:"providerId"`
	Type       string `json:"type"`
	Status     string `json:"status"` // Registration status string; values not visible here
}

ProviderRegisteredResponse represents a successful provider registration

type RedisStateStore

// RedisStateStore is a placeholder for a Redis-backed state store.
// NOTE(review): it has no fields and no methods on this page, so it does not yet
// provide Store/Get/Delete and cannot stand in for StateStore.
type RedisStateStore struct {
}

RedisStateStore is a production-ready state store backed by Redis. This is a placeholder interface for future implementation.

type RegisterProviderRequest

// RegisterProviderRequest represents a request to register a new SSO provider.
// NOTE(review): registration defines who may mint identities for this deployment;
// confirm the RegisterProvider route is restricted to administrators.
type RegisterProviderRequest struct {
	ProviderID string `json:"providerId" validate:"required"`           // Caller-chosen identifier; confirm duplicates are rejected
	Type       string `json:"type" validate:"required,oneof=saml oidc"` // Restricted to "saml" or "oidc" by the tag
	Domain     string `json:"domain"`                                   // Email domain used by provider discovery (presumably)

	// Attribute mapping from user fields to SSO attribute names
	AttributeMapping map[string]string `json:"attributeMapping"`

	// SAML configuration
	SAMLEntryPoint string `json:"samlEntryPoint"`
	SAMLIssuer     string `json:"samlIssuer"`
	SAMLCert       string `json:"samlCert"` // IdP certificate; not echoed back (ProviderDetailResponse exposes only HasSAMLCert)

	// OIDC configuration
	OIDCClientID     string `json:"oidcClientID"`
	OIDCClientSecret string `json:"oidcClientSecret"` // Secret; keep out of logs and responses (no response type carries it)
	OIDCIssuer       string `json:"oidcIssuer"`
	OIDCRedirectURI  string `json:"oidcRedirectURI"`
}

RegisterProviderRequest represents a request to register a new SSO provider

type SAMLLoginRequest

// SAMLLoginRequest represents a request to initiate SAML login.
type SAMLLoginRequest struct {
	// Opaque value the IdP returns with the response; ValidateSAMLResponse receives it.
	// NOTE(review): confirm the callback does not use it as an unchecked redirect target.
	RelayState string `json:"relayState"`
}

SAMLLoginRequest represents a request to initiate SAML login

type SAMLLoginResponse

// SAMLLoginResponse represents the response to SAML login initiation.
type SAMLLoginResponse struct {
	RedirectURL string `json:"redirectUrl"` // IdP URL carrying the AuthnRequest
	RequestID   string `json:"requestId"`   // AuthnRequest ID; NOTE(review): confirm the callback matches InResponseTo against it
	ProviderID  string `json:"providerId"`
}

SAMLLoginResponse represents the response to SAML login initiation

type SSOAuthResponse

// SSOAuthResponse represents a successful SSO authentication response.
type SSOAuthResponse struct {
	User    *user.User       `json:"user"`
	Session *session.Session `json:"session"`
	Token   string           `json:"token"` // Bearer credential — treat as secret; presumably the string returned by CreateSSOSession (confirm)
}

SSOAuthResponse represents a successful SSO authentication response

type Service

// Service provides SSO operations (registration, callbacks, metadata). NewService
// wires it to the provider repository, Config, and the user and session services.
type Service struct {
	// contains filtered or unexported fields
}

Service provides SSO operations (registration, callbacks, metadata)

func NewService

func NewService(r *repo.SSOProviderRepository, cfg Config, userSvc user.ServiceInterface, sessionSvc session.ServiceInterface) *Service

func (*Service) CreateSSOSession

func (s *Service) CreateSSOSession(
	ctx context.Context,
	userID xid.ID,
	provider *schema.SSOProvider,
) (*session.Session, string, error)

CreateSSOSession creates a session after successful SSO authentication

func (*Service) ExchangeOIDCCode

func (s *Service) ExchangeOIDCCode(ctx context.Context, provider *schema.SSOProvider, code, redirectURI, codeVerifier string) (*oidcsvc.OIDCTokenResponse, error)

ExchangeOIDCCode exchanges authorization code for tokens with PKCE support

func (*Service) GeneratePKCEChallenge

func (s *Service) GeneratePKCEChallenge() (*oidcsvc.PKCEChallenge, error)

GeneratePKCEChallenge generates PKCE challenge for OIDC flow

func (*Service) GetOIDCUserInfo

func (s *Service) GetOIDCUserInfo(ctx context.Context, provider *schema.SSOProvider, accessToken string) (*oidcsvc.OIDCUserInfo, error)

GetOIDCUserInfo fetches user information from userinfo endpoint

func (*Service) GetProvider

func (s *Service) GetProvider(ctx context.Context, providerID string) (*schema.SSOProvider, error)

func (*Service) InitiateOIDCLogin

func (s *Service) InitiateOIDCLogin(
	ctx context.Context,
	provider *schema.SSOProvider,
	redirectURI, state, nonce string,
) (string, *oidcsvc.PKCEChallenge, error)

InitiateOIDCLogin generates an OIDC authorization URL with PKCE

func (*Service) InitiateSAMLLogin

func (s *Service) InitiateSAMLLogin(idpURL, relayState string) (string, string, error)

InitiateSAMLLogin generates an AuthnRequest and returns the redirect URL

func (*Service) ProvisionUser

func (s *Service) ProvisionUser(
	ctx context.Context,
	email string,
	attributes map[string][]string,
	provider *schema.SSOProvider,
) (*user.User, error)

ProvisionUser finds or creates a user from an SSO assertion. It implements Just-in-Time (JIT) user provisioning.

func (*Service) RegisterProvider

func (s *Service) RegisterProvider(ctx context.Context, p *schema.SSOProvider) error

func (*Service) SPMetadata

func (s *Service) SPMetadata() string

SPMetadata returns a minimal placeholder SP metadata string

func (*Service) ValidateOIDCIDToken

func (s *Service) ValidateOIDCIDToken(ctx context.Context, provider *schema.SSOProvider, idToken, nonce string) (*oidcsvc.OIDCUserInfo, error)

ValidateOIDCIDToken validates an OIDC ID token

func (*Service) ValidateSAMLResponse

func (s *Service) ValidateSAMLResponse(b64Response, expectedIssuer, relayState string) (*samsvc.SAMLAssertion, error)

ValidateSAMLResponse performs full SAML response validation

type StateStore

// StateStore provides temporary storage for OIDC flow state (Store/Get/Delete).
// NOTE(review): presumably process-local; behind multiple instances a callback can
// land on a node that never stored the state, so production should use a shared store.
type StateStore struct {
	// contains filtered or unexported fields
}

StateStore provides temporary storage for OIDC flow state. In production, this should be backed by Redis or a similar distributed cache.

func NewStateStore

func NewStateStore() *StateStore

NewStateStore creates a new state store

func (*StateStore) Delete

func (s *StateStore) Delete(ctx context.Context, state string) error

Delete removes OIDC state data (should be called after successful callback)

func (*StateStore) Get

func (s *StateStore) Get(ctx context.Context, state string) (*OIDCState, error)

Get retrieves OIDC state data by state parameter

func (*StateStore) Store

func (s *StateStore) Store(ctx context.Context, state *OIDCState) error

Store saves OIDC state data

type StatusResponse

type StatusResponse = responses.StatusResponse

type SuccessResponse

type SuccessResponse = responses.SuccessResponse
