Documentation ¶
Index ¶
- Constants
- Variables
- func DisableDebugLogging()
- func EnableDebugLogging()
- func RegisterPolicyOperator(operator PolicyOperator)
- func RegisterPolicyVerifier(v PolicyVerifier)
- type AllowedTrustMarkIssuers
- type ConstraintSpecification
- type EntityConfiguration
- type EntityStatement
- type EntityStatementPayload
- type FederationEntity
- type FederationEntityMetadata
- type FederationLeaf
- func (f FederationLeaf) CodeExchange(issuer, code, redirectURI string, additionalParameter url.Values) (*OIDCTokenResponse, *OIDCErrorResponse, error)
- func (f FederationLeaf) GetAuthorizationURL(issuer, redirectURI, state, scope string, additionalParams url.Values) (string, error)
- func (f FederationLeaf) RequestObjectProducer() *RequestObjectProducer
- func (f FederationLeaf) ResolveOPMetadata(issuer string) (*OpenIDProviderMetadata, error)
- type FilterableVerifiedChainsOPDiscoverer
- type Metadata
- type MetadataPolicies
- type MetadataPolicy
- type MetadataPolicyEntry
- type NamingConstraints
- type OAuthAuthorizationServerMetadata
- type OAuthClientMetadata
- type OAuthProtectedResourceMetadata
- type OIDCErrorResponse
- type OIDCTokenResponse
- type OPDiscoverer
- type OPDiscoveryFilter
- type OPDiscoveryFilterVerifiedChains
- type OpenIDProviderMetadata
- type OpenIDRelyingPartyMetadata
- type PolicyOperator
- type PolicyOperatorName
- type PolicyVerifier
- type RequestObjectProducer
- type SimpleOPDiscoverer
- type SliceOrSingleValue
- type TrustAnchor
- type TrustAnchors
- type TrustChain
- type TrustChainChecker
- type TrustChains
- type TrustChainsFilter
- type TrustMark
- type TrustResolver
- type Unixtime
- type VerifiedChainsOPDiscoverer
Constants ¶
const (
	ClientRegistrationTypeAutomatic = "automatic"
	ClientRegistrationTypeExplicit  = "explicit"
)
Variables ¶
var OPDiscoveryFilterAutomaticRegistration opDiscoveryFilterAutomaticRegistration
var OPDiscoveryFilterExplicitRegistration opDiscoveryFilterExplicitRegistration
Functions ¶
func DisableDebugLogging ¶
func DisableDebugLogging()
func EnableDebugLogging ¶
func EnableDebugLogging()
func RegisterPolicyOperator ¶
func RegisterPolicyOperator(operator PolicyOperator)
func RegisterPolicyVerifier ¶
func RegisterPolicyVerifier(v PolicyVerifier)
Types ¶
type AllowedTrustMarkIssuers ¶
AllowedTrustMarkIssuers is a type for defining which trust marks may be issued by which entities
type ConstraintSpecification ¶
type ConstraintSpecification struct {
	MaxPathLength          int               `json:"max_path_length,omitempty"`
	NamingConstraints      NamingConstraints `json:"naming_constraints,omitempty"`
	AllowedLeafEntityTypes []string          `json:"allowed_leaf_entity_types,omitempty"`
}
ConstraintSpecification is a type for holding the constraints an authority places on its subordinates, according to the OpenID Connect Federation specification
type EntityConfiguration ¶
type EntityConfiguration struct {
	EntityStatementPayload
	// contains filtered or unexported fields
}
EntityConfiguration is a type for holding an entity configuration, i.e. an entity statement that an entity issues about itself and that was created by us. To create a new EntityConfiguration use the NewEntityConfiguration function
func NewEntityConfiguration ¶
func NewEntityConfiguration(
	payload EntityStatementPayload,
	privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm,
) *EntityConfiguration
NewEntityConfiguration creates a new EntityConfiguration with the passed EntityStatementPayload and the passed signing key and jwa.SignatureAlgorithm
func (*EntityConfiguration) JWT ¶
func (e *EntityConfiguration) JWT() (jwt []byte, err error)
JWT returns a signed jwt representation of the EntityConfiguration
type EntityStatement ¶
type EntityStatement struct {
	EntityStatementPayload
	// contains filtered or unexported fields
}
EntityStatement is a type for holding an entity statement, more precisely an entity statement that was obtained as a JWT (i.e. issued by some entity and not created by us)
func ParseEntityStatement ¶
func ParseEntityStatement(statementJWT []byte) (*EntityStatement, error)
ParseEntityStatement parses a jwt into an EntityStatement
type EntityStatementPayload ¶
type EntityStatementPayload struct {
	Issuer                           string                   `json:"iss"`
	Subject                          string                   `json:"sub"`
	IssuedAt                         Unixtime                 `json:"iat"`
	ExpiresAt                        Unixtime                 `json:"exp"`
	JWKS                             jwk.Set                  `json:"jwks"`
	Audience                         string                   `json:"aud,omitempty"`
	AuthorityHints                   []string                 `json:"authority_hints,omitempty"`
	SourceEndpoint                   string                   `json:"source_endpoint,omitempty"`
	Metadata                         *Metadata                `json:"metadata,omitempty"`
	MetadataPolicy                   *MetadataPolicies        `json:"metadata_policy,omitempty"`
	Constraints                      *ConstraintSpecification `json:"constraints,omitempty"`
	CriticalExtensions               []string                 `json:"crit,omitempty"`
	CriticalPolicyLanguageExtensions []string                 `json:"policy_language_crit,omitempty"`
	TrustMarks                       []TrustMark              `json:"trust_marks,omitempty"`
	TrustMarksIssuers                *AllowedTrustMarkIssuers `json:"trust_marks_issuers,omitempty"`
	TrustAnchorID                    string                   `json:"trust_anchor_id,omitempty"`
	Extra                            map[string]interface{}   `json:"-"`
}
EntityStatementPayload is a type for holding the actual payload of an EntityStatement or EntityConfiguration; additional fields can be set in the Extra claim
func (EntityStatementPayload) MarshalJSON ¶
func (e EntityStatementPayload) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.
func (EntityStatementPayload) TimeValid ¶
func (e EntityStatementPayload) TimeValid() bool
TimeValid checks if the EntityStatementPayload is already valid and not yet expired.
func (*EntityStatementPayload) UnmarshalJSON ¶
func (e *EntityStatementPayload) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.
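The claims above are what an entity configuration carries on the wire as a signed JWT. What follows is an added, self-contained example written for this page (not code from this package) that mints such a JWT with ES256 using only the Go standard library and then verifies it the way a consumer should: pinning typ and alg instead of trusting the header, resolving the signing key from the embedded jwks by kid, checking the signature before any claim is used, and enforcing iss == sub and the iat/exp window (the check TimeValid performs in this package). The entity ID https://rp.example.org, the kid fed-key-1 and the one-hour lifetime are constructed demo values; the JSON field names follow the EntityStatementPayload claims.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// jwk is the minimal EC public-key JWK (RFC 7517/7518) an entity configuration embeds.
type jwk map[string]string

// payload carries the claims every entity statement must have.
type payload struct {
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Iat  int64  `json:"iat"`
	Exp  int64  `json:"exp"`
	JWKS struct {
		Keys []jwk `json:"keys"`
	} `json:"jwks"`
}

var b64 = base64.RawURLEncoding

// fixed32 encodes i big-endian in exactly 32 bytes, the width of P-256 coordinates and ES256 r/s halves.
func fixed32(i *big.Int) []byte { return i.FillBytes(make([]byte, 32)) }

// decodePart base64url-decodes one JWS segment and unmarshals the JSON inside it.
func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signEntityStatement builds a compact JWS with typ "entity-statement+jwt" over p, signed with ES256 (raw r||s).
func signEntityStatement(p payload, kid string, priv *ecdsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"typ": "entity-statement+jwt", "alg": "ES256", "kid": kid})
	body, _ := json.Marshal(p) // a struct of strings, ints and string maps cannot fail to marshal
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(fixed32(r), fixed32(s)...)), nil
}

// verifyEntityConfiguration enforces what a participant must check before using an entity
// configuration: typ and a pinned alg (the header's alg is never trusted on its own), a valid
// self-signature with the jwks key named by kid, iss == sub, and iat/exp against now.
func verifyEntityConfiguration(token string, now time.Time) (*payload, error) {
	parts := strings.Split(token, ".")
	var header struct{ Typ, Alg, Kid string } // encoding/json matches typ/alg/kid case-insensitively
	var p payload
	if len(parts) != 3 || decodePart(parts[0], &header) != nil || decodePart(parts[1], &p) != nil {
		return nil, errors.New("malformed compact JWS")
	}
	if header.Typ != "entity-statement+jwt" || header.Alg != "ES256" {
		return nil, errors.New("unexpected typ or alg: " + header.Typ + "/" + header.Alg)
	}
	var pub *ecdsa.PublicKey // the self-signing key: an EC P-256 JWK with the announced kid and a point on the curve
	for _, k := range p.JWKS.Keys {
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		cand := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if k["kid"] == header.Kid && k["kty"] == "EC" && k["crv"] == "P-256" && errX == nil && errY == nil && cand.Curve.IsOnCurve(cand.X, cand.Y) {
			pub = cand
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil || len(sig) != 64 {
		return nil, errors.New("no usable key for kid, or malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	if t := now.Unix(); p.Iss == "" || p.Iss != p.Sub || t < p.Iat || t >= p.Exp {
		return nil, errors.New("entity configuration is not self-issued, not yet valid, or already expired")
	}
	return &p, nil
}

// demoConfiguration signs a one-hour entity configuration for a constructed entity ID with a fresh
// key; the entity ID, the kid and the lifetime are demo values.
func demoConfiguration(now time.Time) (string, error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	p := payload{Iss: "https://rp.example.org", Sub: "https://rp.example.org", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}
	p.JWKS.Keys = []jwk{{"kty": "EC", "crv": "P-256", "kid": "fed-key-1",
		"x": b64.EncodeToString(fixed32(priv.PublicKey.X)), "y": b64.EncodeToString(fixed32(priv.PublicKey.Y))}}
	return signEntityStatement(p, "fed-key-1", priv)
}
```

Verifying the signature before looking at iss, sub or the time window keeps every decision based on authenticated data; the kid lookup is against the statement's own jwks because an entity configuration is self-signed, whereas a subordinate statement would be verified against the superior's keys instead.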
type FederationEntity ¶
type FederationEntity struct {
	EntityID       string
	Metadata       *Metadata
	AuthorityHints []string
	// contains filtered or unexported fields
}
FederationEntity is a type for an entity participating in federations. It holds all relevant information about the federation entity and can be used to create an EntityConfiguration about it
func NewFederationEntity ¶
func NewFederationEntity(
	entityID string,
	authorityHints []string,
	metadata *Metadata,
	privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm,
	configurationLifetime int64,
) (*FederationEntity, error)
NewFederationEntity creates a new FederationEntity with the passed properties
func (FederationEntity) EntityConfiguration ¶
func (f FederationEntity) EntityConfiguration() *EntityConfiguration
EntityConfiguration returns an EntityConfiguration for this FederationEntity
func (FederationEntity) SignEntityStatement ¶
func (f FederationEntity) SignEntityStatement(payload EntityStatementPayload) ([]byte, error)
SignEntityStatement creates a signed JWT for the given EntityStatementPayload; this function is intended to be used by a trust anchor (TA) or intermediate authority (IA) when issuing statements about subordinates
type FederationEntityMetadata ¶
type FederationEntityMetadata struct {
	FederationFetchEndpoint           string                 `json:"federation_fetch_endpoint,omitempty"`
	FederationListEndpoint            string                 `json:"federation_list_endpoint,omitempty"`
	FederationResolveEndpoint         string                 `json:"federation_resolve_endpoint,omitempty"`
	FederationTrustMarkStatusEndpoint string                 `json:"federation_trust_mark_status_endpoint,omitempty"`
	OrganizationName                  string                 `json:"organization_name,omitempty"`
	Contacts                          []string               `json:"contacts,omitempty"`
	LogoURI                           string                 `json:"logo_uri,omitempty"`
	PolicyURI                         string                 `json:"policy_uri,omitempty"`
	HomepageURI                       string                 `json:"homepage_uri,omitempty"`
	Extra                             map[string]interface{} `json:"-"`
}
func (FederationEntityMetadata) ApplyPolicy ¶
func (m FederationEntityMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)
func (FederationEntityMetadata) MarshalJSON ¶
func (m FederationEntityMetadata) MarshalJSON() ([]byte, error)
func (*FederationEntityMetadata) UnmarshalJSON ¶
func (m *FederationEntityMetadata) UnmarshalJSON(data []byte) error
type FederationLeaf ¶
type FederationLeaf struct {
	FederationEntity
	TrustAnchors TrustAnchors
	// contains filtered or unexported fields
}
FederationLeaf is a type for a leaf entity and holds all relevant information about it; it can also be used to create an EntityConfiguration about it or to start OIDC flows
func NewFederationLeaf ¶
func NewFederationLeaf(
	entityID string,
	authorityHints []string,
	trustAnchors TrustAnchors,
	metadata *Metadata,
	privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm,
	configurationLifetime int64,
	oidcSigningKey crypto.Signer,
	oidcSigningAlg jwa.SignatureAlgorithm,
) (*FederationLeaf, error)
NewFederationLeaf creates a new FederationLeaf with the passed properties
func (FederationLeaf) CodeExchange ¶
func (f FederationLeaf) CodeExchange(
	issuer, code, redirectURI string,
	additionalParameter url.Values,
) (*OIDCTokenResponse, *OIDCErrorResponse, error)
CodeExchange redeems an authorization code at the token endpoint of the OP identified by issuer. It returns the token response on success, the OP's error response if the OP rejected the exchange, and an error if the exchange could not be carried out at all
func (FederationLeaf) GetAuthorizationURL ¶
func (f FederationLeaf) GetAuthorizationURL(
	issuer, redirectURI, state, scope string,
	additionalParams url.Values,
) (string, error)
GetAuthorizationURL builds the authorization URL for the OP identified by issuer from the passed redirect URI, state, scope and any additional parameters
func (FederationLeaf) RequestObjectProducer ¶
func (f FederationLeaf) RequestObjectProducer() *RequestObjectProducer
func (FederationLeaf) ResolveOPMetadata ¶
func (f FederationLeaf) ResolveOPMetadata(issuer string) (*OpenIDProviderMetadata, error)
type FilterableVerifiedChainsOPDiscoverer ¶
type FilterableVerifiedChainsOPDiscoverer struct {
Filters []OPDiscoveryFilter
}
func (FilterableVerifiedChainsOPDiscoverer) Discover ¶
func (d FilterableVerifiedChainsOPDiscoverer) Discover(authorities ...TrustAnchor) (opInfos []*OpenIDProviderMetadata)
type Metadata ¶
type Metadata struct {
	OpenIDProvider           *OpenIDProviderMetadata           `json:"openid_provider,omitempty"`
	RelyingParty             *OpenIDRelyingPartyMetadata       `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer *OAuthAuthorizationServerMetadata `json:"oauth_authorization_server,omitempty"`
	OAuthClient              *OAuthClientMetadata              `json:"oauth_client,omitempty"`
	OAuthProtectedResource   *OAuthProtectedResourceMetadata   `json:"oauth_resource,omitempty"`
	FederationEntity         *FederationEntityMetadata         `json:"federation_entity,omitempty"`
}
func (Metadata) ApplyPolicy ¶
func (m Metadata) ApplyPolicy(p *MetadataPolicies) (*Metadata, error)
type MetadataPolicies ¶
type MetadataPolicies struct {
	OpenIDProvider           MetadataPolicy `json:"openid_provider,omitempty"`
	RelyingParty             MetadataPolicy `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer MetadataPolicy `json:"oauth_authorization_server,omitempty"`
	OAuthClient              MetadataPolicy `json:"oauth_client,omitempty"`
	OAuthProtectedResource   MetadataPolicy `json:"oauth_resource,omitempty"`
	FederationEntity         MetadataPolicy `json:"federation_entity,omitempty"`
}
func MergeMetadataPolicies ¶
func MergeMetadataPolicies(policies ...*MetadataPolicies) (*MetadataPolicies, error)
MergeMetadataPolicies combines multiple MetadataPolicies from a chain into a single one
type MetadataPolicy ¶
type MetadataPolicy map[string]MetadataPolicyEntry
func CombineMetadataPolicy ¶
func CombineMetadataPolicy(pathInfo string, policies ...MetadataPolicy) (MetadataPolicy, error)
CombineMetadataPolicy combines multiple MetadataPolicy values into a single MetadataPolicy, verifying at each step that the result is valid
func (MetadataPolicy) Verify ¶
func (p MetadataPolicy) Verify(pathInfo string) error
type MetadataPolicyEntry ¶
type MetadataPolicyEntry map[PolicyOperatorName]any
func (MetadataPolicyEntry) ApplyTo ¶
func (p MetadataPolicyEntry) ApplyTo(value any, pathInfo string) (any, error)
func (MetadataPolicyEntry) Verify ¶
func (p MetadataPolicyEntry) Verify(pathInfo string) error
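An added worked example of the policy language that MetadataPolicyEntry.ApplyTo and CombineMetadataPolicy operate on (illustrative code written for this page, not the package's own implementation): operators are applied to a parameter in the order value, add, default, one_of, subset_of, superset_of, essential, and merging a superior's policy with a subordinate's can only ever tighten the policy, never loosen it. The semantics encoded here are one reading of the OpenID Federation policy language; treating an empty subset_of result as removing the parameter is an assumption, only string and string-array parameter values are modelled, and the sample policies for the scope and subject_type parameters are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"sort"
)

// PolicyEntry is the policy for one metadata parameter, keyed by operator name. value, default
// and essential carry a single value; add, one_of, subset_of and superset_of carry a []string.
type PolicyEntry map[string]any

// applyOrder is the order in which the operators are applied to a parameter's value.
var applyOrder = []string{"value", "add", "default", "one_of", "subset_of", "superset_of", "essential"}

// asList views a value as a list: arrays stay lists, a single string becomes a one-element list.
func asList(v any) []string {
	switch x := v.(type) {
	case []string:
		return x
	case string:
		return []string{x}
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, e := range list {
		if e == s {
			return true
		}
	}
	return false
}

// intersect keeps the elements of a that also occur in b, in a's order.
func intersect(a, b []string) []string {
	var out []string
	for _, e := range a {
		if contains(b, e) {
			out = append(out, e)
		}
	}
	return out
}

// union returns the sorted, de-duplicated elements of a and b.
func union(a, b []string) []string {
	var out []string
	for _, e := range append(append([]string{}, a...), b...) {
		if !contains(out, e) {
			out = append(out, e)
		}
	}
	sort.Strings(out)
	return out
}

// Apply applies the entry to a parameter's current value (nil means the parameter is absent)
// and returns the resulting value, or an error when the value violates the policy.
func (p PolicyEntry) Apply(value any) (any, error) {
	for _, op := range applyOrder {
		pv, set := p[op]
		if !set {
			continue
		}
		switch op {
		case "value":
			value = pv
		case "add":
			value = union(asList(value), asList(pv))
		case "default":
			if value == nil {
				value = pv
			}
		case "one_of":
			if s, ok := value.(string); value != nil && (!ok || !contains(asList(pv), s)) {
				return nil, fmt.Errorf("one_of: %v is not one of %v", value, pv)
			}
		case "subset_of": // disallowed values are dropped; an empty result removes the parameter (assumption)
			if value != nil {
				if value = intersect(asList(value), asList(pv)); len(asList(value)) == 0 {
					value = nil
				}
			}
		case "superset_of":
			if value != nil && len(intersect(asList(pv), asList(value))) != len(asList(pv)) {
				return nil, fmt.Errorf("superset_of: %v lacks some of %v", value, pv)
			}
		case "essential":
			if pv == true && value == nil {
				return nil, errors.New("essential parameter is missing")
			}
		}
	}
	return value, nil
}

// Merge combines a superior's entry with its subordinate's entry for the same parameter, as
// a chain's policies are combined top-down, and rejects combinations that conflict.
func Merge(superior, subordinate PolicyEntry) (PolicyEntry, error) {
	out := PolicyEntry{}
	for op, v := range superior {
		out[op] = v
	}
	for op, sub := range subordinate {
		sup, present := out[op]
		switch {
		case !present:
			out[op] = sub
		case op == "value" || op == "default": // a subordinate may repeat but never change a fixed value
			if !reflect.DeepEqual(sup, sub) {
				return nil, fmt.Errorf("%s: conflicting policies %v and %v", op, sup, sub)
			}
		case op == "add" || op == "superset_of": // requirements accumulate
			out[op] = union(asList(sup), asList(sub))
		case op == "one_of" || op == "subset_of": // allowed sets only ever shrink
			if out[op] = intersect(asList(sup), asList(sub)); len(asList(out[op])) == 0 {
				return nil, fmt.Errorf("%s: no value satisfies both policies", op)
			}
		case op == "essential": // once required, always required
			out[op] = sup == true || sub == true
		default:
			return nil, fmt.Errorf("unknown policy operator %q", op)
		}
	}
	return out, nil
}
```

The security property to keep in mind is the one Merge enforces: an intermediate cannot widen a set its trust anchor restricted with subset_of or one_of, cannot drop an essential flag, and cannot override a value the anchor fixed, so a leaf's effective metadata is bounded by the most restrictive authority on the chain regardless of what the leaf itself publishes.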
type NamingConstraints ¶
type NamingConstraints struct {
	Permitted []string `json:"permitted,omitempty"`
	Excluded  []string `json:"excluded,omitempty"`
}
NamingConstraints is a type for holding constraints about naming
type OAuthAuthorizationServerMetadata ¶
type OAuthAuthorizationServerMetadata OpenIDProviderMetadata
func (OAuthAuthorizationServerMetadata) ApplyPolicy ¶
func (m OAuthAuthorizationServerMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)
func (OAuthAuthorizationServerMetadata) MarshalJSON ¶
func (m OAuthAuthorizationServerMetadata) MarshalJSON() ([]byte, error)
func (*OAuthAuthorizationServerMetadata) UnmarshalJSON ¶
func (m *OAuthAuthorizationServerMetadata) UnmarshalJSON(data []byte) error
type OAuthClientMetadata ¶
type OAuthClientMetadata OpenIDRelyingPartyMetadata
func (OAuthClientMetadata) ApplyPolicy ¶
func (m OAuthClientMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)
func (OAuthClientMetadata) MarshalJSON ¶
func (m OAuthClientMetadata) MarshalJSON() ([]byte, error)
func (*OAuthClientMetadata) UnmarshalJSON ¶
func (m *OAuthClientMetadata) UnmarshalJSON(data []byte) error
type OAuthProtectedResourceMetadata ¶
type OAuthProtectedResourceMetadata struct {
	Resource                             string                 `json:"resource,omitempty"`
	AuthorizationServers                 []string               `json:"authorization_servers,omitempty"`
	ScopesProvided                       []string               `json:"scopes_provided,omitempty"`
	BearerMethodsSupported               []string               `json:"bearer_methods_supported,omitempty"`
	ResourceSigningAlgValuesSupported    []string               `json:"resource_signing_alg_values_supported,omitempty"`
	ResourceEncryptionAlgValuesSupported []string               `json:"resource_encryption_alg_values_supported"`
	ResourceEncryptionEncValuesSupported []string               `json:"resource_encryption_enc_values_supported"`
	ResourceDocumentation                string                 `json:"resource_documentation,omitempty"`
	ResourcePolicyURI                    string                 `json:"resource_policy_uri,omitempty"`
	ResourceTOSURI                       string                 `json:"resource_tos_uri,omitempty"`
	JWKSURI                              string                 `json:"jwks_uri,omitempty"`
	JWKS                                 jwk.Set                `json:"jwks,omitempty"`
	SignedJWKSURI                        string                 `json:"signed_jwks_uri,omitempty"`
	OrganizationName                     string                 `json:"organization_name,omitempty"`
	Extra                                map[string]interface{} `json:"-"`
}
func (OAuthProtectedResourceMetadata) ApplyPolicy ¶
func (m OAuthProtectedResourceMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)
func (OAuthProtectedResourceMetadata) MarshalJSON ¶
func (m OAuthProtectedResourceMetadata) MarshalJSON() ([]byte, error)
func (*OAuthProtectedResourceMetadata) UnmarshalJSON ¶
func (m *OAuthProtectedResourceMetadata) UnmarshalJSON(data []byte) error
type OIDCErrorResponse ¶
type OIDCTokenResponse ¶
type OIDCTokenResponse struct {
	AccessToken  string         `json:"access_token"`
	TokenType    string         `json:"token_type"`
	ExpiresIn    int64          `json:"expires_in"`
	RefreshToken string         `json:"refresh_token"`
	Scopes       string         `json:"scope"`
	IDToken      string         `json:"id_token"`
	Extra        map[string]any `json:"-"`
}
OIDCTokenResponse is the token response of an oidc provider
func (*OIDCTokenResponse) UnmarshalJSON ¶
func (res *OIDCTokenResponse) UnmarshalJSON(data []byte) error
type OPDiscoverer ¶
type OPDiscoverer interface {
Discover(authorities ...string) []*OpenIDProviderMetadata
}
type OPDiscoveryFilter ¶
type OPDiscoveryFilter interface {
Filter(*OpenIDProviderMetadata) bool
}
func NewOPDiscoveryFilter ¶
func NewOPDiscoveryFilter(filter func(metadata *OpenIDProviderMetadata) bool) OPDiscoveryFilter
func OPDiscoveryFilterSupportedGrantTypesIncludes ¶
func OPDiscoveryFilterSupportedGrantTypesIncludes(neededGrantTypes ...string) OPDiscoveryFilter
func OPDiscoveryFilterSupportedScopesIncludes ¶
func OPDiscoveryFilterSupportedScopesIncludes(neededScopes ...string) OPDiscoveryFilter
type OPDiscoveryFilterVerifiedChains ¶
type OPDiscoveryFilterVerifiedChains struct {
TrustAnchors TrustAnchors
}
func (OPDiscoveryFilterVerifiedChains) Filter ¶
func (f OPDiscoveryFilterVerifiedChains) Filter(op *OpenIDProviderMetadata) bool
type OpenIDProviderMetadata ¶
type OpenIDProviderMetadata struct {
	Issuer string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint string `json:"token_endpoint"`
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
	JWKSURI string `json:"jwks_uri,omitempty"`
	JWKS jwk.Set `json:"jwks,omitempty"`
	SignedJWKSURI string `json:"signed_jwks_uri,omitempty"`
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
	ScopesSupported []string `json:"scopes_supported,omitempty"`
	ResponseTypesSupported []string `json:"response_types_supported"`
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
	SubjectTypesSupported []string `json:"subject_types_supported"`
	IDTokenSignedResponseAlgValuesSupported []string `json:"id_token_signed_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseAlgValuesSupported []string `json:"id_token_encrypted_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseEncValuesSupported []string `json:"id_token_encrypted_response_enc_values_supported,omitempty"`
	UserinfoSignedResponseAlgValuesSupported []string `json:"userinfo_signed_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseAlgValuesSupported []string `json:"userinfo_encrypted_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseEncValuesSupported []string `json:"userinfo_encrypted_response_enc_values_supported,omitempty"`
	RequestSignedResponseAlgValuesSupported []string `json:"request_signed_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseAlgValuesSupported []string `json:"request_encrypted_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseEncValuesSupported []string `json:"request_encrypted_response_enc_values_supported,omitempty"`
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"`
	ClaimsSupported []string `json:"claims_supported,omitempty"`
	ServiceDocumentation string `json:"service_documentation,omitempty"`
	ClaimsLocalesSupported []string `json:"claims_locales_supported,omitempty"`
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`
	RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
	OPPolicyURI string `json:"op_policy_uri,omitempty"`
	OPTOSURI string `json:"op_tos_uri,omitempty"`
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionSigningAlgValuesSupported []string `json:"introspection_signing_alg_values_supported,omitempty"`
	IntrospectionEncryptionAlgValuesSupported []string `json:"introspection_encryption_alg_values_supported,omitempty"`
	IntrospectionEncryptionEncValuesSupported []string `json:"introspection_encryption_enc_values_supported,omitempty"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
	SignedMetadata string `json:"signed_metadata,omitempty"`
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`
	TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	MTLSEndpointAliases map[string]string `json:"mtls_endpoint_aliases,omitempty"`
	NFVTokenSigningAlgValuesSupported []string `json:"nfv_token_signing_alg_values_supported,omitempty"`
	NFVTokenEncryptionAlgValuesSupported []string `json:"nfv_token_encryption_alg_values_supported,omitempty"`
	NFVTokenEncryptionEncValuesSupported []string `json:"nfv_token_encryption_enc_values_supported,omitempty"`
	RequireSignedRequestObject bool `json:"require_signed_request_object,omitempty"`
	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests,omitempty"`
	AuthorizationResponseIssParameterSupported bool `json:"authorization_response_iss_parameter_supported,omitempty"`
	CheckSessionIFrame string `json:"check_session_iframe,omitempty"`
	FrontchannelLogoutSupported bool `json:"frontchannel_logout_supported,omitempty"`
	BackchannelLogoutSupported bool `json:"backchannel_logout_supported,omitempty"`
	BackchannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported,omitempty"`
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
	BackchannelTokenDeliveryModesSupported []string `json:"backchannel_token_delivery_modes_supported,omitempty"`
	BackchannelAuthenticationEndpoint string `json:"backchannel_authentication_endpoint,omitempty"`
	BackchannelAuthenticationRequestSigningAlgValuesSupported []string `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`
	BackchannelUserCodeParameterSupported bool `json:"backchannel_user_code_parameter_supported,omitempty"`
	AuthorizationDetailsTypesSupported []string `json:"authorization_details_types_supported,omitempty"`
	ClientRegistrationTypesSupported []string `json:"client_registration_types_supported"`
	FederationRegistrationEndpoint string `json:"federation_registration_endpoint,omitempty"`
	RequestAuthenticationMethodsSupported map[string][]string `json:"request_authentication_methods_supported,omitempty"`
	RequestAuthenticationSigningAlgValuesSupported []string `json:"request_authentication_signing_alg_values_supported,omitempty"`
	OrganizationName string `json:"organization_name,omitempty"`
	Extra map[string]interface{} `json:"-"`
}
func (OpenIDProviderMetadata) ApplyPolicy ¶
func (m OpenIDProviderMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)
func (OpenIDProviderMetadata) MarshalJSON ¶
func (m OpenIDProviderMetadata) MarshalJSON() ([]byte, error)
func (*OpenIDProviderMetadata) UnmarshalJSON ¶
func (m *OpenIDProviderMetadata) UnmarshalJSON(data []byte) error
type OpenIDRelyingPartyMetadata ¶
type OpenIDRelyingPartyMetadata struct {
	Scope string `json:"scope,omitempty"`
	RedirectURIS []string `json:"redirect_uris,omitempty"`
	ResponseTypes []string `json:"response_types,omitempty"`
	GrantTypes []string `json:"grant_types,omitempty"`
	ApplicationType string `json:"application_type,omitempty"`
	Contacts []string `json:"contacts,omitempty"`
	ClientName string `json:"client_name,omitempty"`
	LogoURI string `json:"logo_uri,omitempty"`
	ClientURI string `json:"client_uri,omitempty"`
	PolicyURI string `json:"policy_uri,omitempty"`
	TOSURI string `json:"tos_uri,omitempty"`
	JWKSURI string `json:"jwks_uri,omitempty"`
	JWKS jwk.Set `json:"jwks,omitempty"`
	SignedJWKSURI string `json:"signed_jwks_uri,omitempty"`
	SectorIdentifierURI string `json:"sector_identifier_uri,omitempty"`
	SubjectType string `json:"subject_type,omitempty"`
	IDTokenSignedResponseAlg string `json:"id_token_signed_response_alg,omitempty"`
	IDTokenEncryptedResponseAlg string `json:"id_token_encrypted_response_alg,omitempty"`
	IDTokenEncryptedResponseEnc string `json:"id_token_encrypted_response_enc,omitempty"`
	UserinfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"`
	UserinfoEncryptedResponseAlg string `json:"userinfo_encrypted_response_alg,omitempty"`
	UserinfoEncryptedResponseEnc string `json:"userinfo_encrypted_response_enc,omitempty"`
	RequestSignedResponseAlg string `json:"request_signed_response_alg,omitempty"`
	RequestEncryptedResponseAlg string `json:"request_encrypted_response_alg,omitempty"`
	RequestEncryptedResponseEnc string `json:"request_encrypted_response_enc,omitempty"`
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
	TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg,omitempty"`
	DefaultMaxAge int64 `json:"default_max_age,omitempty"`
	RequireAuthTime bool `json:"require_auth_time,omitempty"`
	DefaultACRValues []string `json:"default_acr_values,omitempty"`
	InitiateLoginURI string `json:"initiate_login_uri,omitempty"`
	RequestURIs []string `json:"request_uris,omitempty"`
	SoftwareID string `json:"software_id,omitempty"`
	SoftwareVersion string `json:"software_version,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	ClientSecret string `json:"client_secret,omitempty"`
	ClientIDIssuedAt int64 `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt int64 `json:"client_secret_expires_at,omitempty"`
	RegistrationAccessToken string `json:"registration_access_token,omitempty"`
	RegistrationClientURI string `json:"registration_client_uri,omitempty"`
	ClaimsRedirectURIs []string `json:"claims_redirect_uris,omitempty"`
	NFVTokenSignedResponseAlg string `json:"nfv_token_signed_response_alg,omitempty"`
	NFVTokenEncryptedResponseAlg string `json:"nfv_token_encrypted_response_alg,omitempty"`
	NFVTokenEncryptedResponseEnc string `json:"nfv_token_encrypted_response_enc,omitempty"`
	TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	TLSClientAuthSubjectDN string `json:"tls_client_auth_subject_dn,omitempty"`
	TLSClientAuthSANDNS string `json:"tls_client_auth_san_dns,omitempty"`
	TLSClientAuthSANURI string `json:"tls_client_auth_san_uri,omitempty"`
	TLSClientAuthSANIP string `json:"tls_client_auth_san_ip,omitempty"`
	TLSClientAuthSANEMAIL string `json:"tls_client_auth_san_email,omitempty"`
	RequireSignedRequestObject bool `json:"require_signed_request_object,omitempty"`
	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests,omitempty"`
	IntrospectionSignedResponseAlg string `json:"introspection_signed_response_alg,omitempty"`
	IntrospectionEncryptedResponseAlg string `json:"introspection_encrypted_response_alg,omitempty"`
	IntrospectionEncryptedResponseEnc string `json:"introspection_encrypted_response_enc,omitempty"`
	FrontchannelLogoutURI string `json:"frontchannel_logout_uri,omitempty"`
	FrontchannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required,omitempty"`
	BackchannelLogoutURI string `json:"backchannel_logout_uri,omitempty"`
	BackchannelLogoutSessionRequired bool `json:"backchannel_logout_session_required,omitempty"`
	PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
	AuthorizationDetailsTypes []string `json:"authorization_details_types,omitempty"`
	OrganizationName string `json:"organization_name,omitempty"`
	ClientRegistrationTypes []string `json:"client_registration_types"`
	Extra map[string]interface{} `json:"-"`
}
func (OpenIDRelyingPartyMetadata) ApplyPolicy ¶
func (m OpenIDRelyingPartyMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)
func (OpenIDRelyingPartyMetadata) MarshalJSON ¶
func (m OpenIDRelyingPartyMetadata) MarshalJSON() ([]byte, error)
func (*OpenIDRelyingPartyMetadata) UnmarshalJSON ¶
func (m *OpenIDRelyingPartyMetadata) UnmarshalJSON(data []byte) error
type PolicyOperator ¶
type PolicyOperator interface {
	Merge(a, b any, pathInfo string) (any, error)
	Apply(value, policyValue any, essential bool, pathInfo string) (any, error)
	Name() PolicyOperatorName
	IsModifier() bool
}
func NewPolicyOperator ¶
type PolicyOperatorName ¶
type PolicyOperatorName string
const (
	PolicyOperatorValue      PolicyOperatorName = "value"
	PolicyOperatorDefault    PolicyOperatorName = "default"
	PolicyOperatorAdd        PolicyOperatorName = "add"
	PolicyOperatorOneOf      PolicyOperatorName = "one_of"
	PolicyOperatorSubsetOf   PolicyOperatorName = "subset_of"
	PolicyOperatorSupersetOf PolicyOperatorName = "superset_of"
	PolicyOperatorEssential  PolicyOperatorName = "essential"
)
type PolicyVerifier ¶
type PolicyVerifier func(p MetadataPolicyEntry, pathInfo string) error
type RequestObjectProducer ¶
type RequestObjectProducer struct {
	EntityID string
	// contains filtered or unexported fields
}
func NewRequestObjectProducer ¶
func NewRequestObjectProducer(
	entityID string,
	privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm,
	lifetime int64,
) *RequestObjectProducer
NewRequestObjectProducer creates a new RequestObjectProducer with the passed properties
func (RequestObjectProducer) ClientAssertion ¶
func (rop RequestObjectProducer) ClientAssertion(aud string) ([]byte, error)
func (RequestObjectProducer) RequestObject ¶
func (rop RequestObjectProducer) RequestObject(requestValues map[string]any) ([]byte, error)
type SimpleOPDiscoverer ¶
type SimpleOPDiscoverer struct{}
SimpleOPDiscoverer is an OPDiscoverer that checks authorities for subordinate OPs and verifies that those publish openid_provider metadata in their EntityConfiguration
func (SimpleOPDiscoverer) Discover ¶
func (d SimpleOPDiscoverer) Discover(authorities ...TrustAnchor) (opInfos []*OpenIDProviderMetadata)
type SliceOrSingleValue ¶
type SliceOrSingleValue[T any] []T
SliceOrSingleValue is a type that supports (un-)marshaling (json) of a slice where a single value might not be expressed as a slice
func (SliceOrSingleValue[T]) MarshalJSON ¶
func (v SliceOrSingleValue[T]) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface
func (*SliceOrSingleValue[T]) UnmarshalJSON ¶
func (v *SliceOrSingleValue[T]) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface
type TrustAnchor ¶
type TrustAnchors ¶
type TrustAnchors []TrustAnchor
func NewTrustAnchorsFromEntityIDs ¶
func NewTrustAnchorsFromEntityIDs(anchorIDs ...string) (anchors TrustAnchors)
func (TrustAnchors) EntityIDs ¶
func (anchors TrustAnchors) EntityIDs() (entityIDs []string)
type TrustChain ¶
type TrustChain []*EntityStatement
TrustChain is a slice of *EntityStatements
func (TrustChain) ExpiresAt ¶
func (c TrustChain) ExpiresAt() Unixtime
ExpiresAt returns the expiration time of the TrustChain as a UNIX time stamp
func (TrustChain) Metadata ¶
func (c TrustChain) Metadata() (*Metadata, error)
Metadata returns the final Metadata for this TrustChain, i.e. the Metadata of the leaf entity with the MetadataPolicies of all authorities in the chain applied to it.
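As an added example that is not part of this package, these are the structural checks a TrustChain has to pass once each statement's signature has been verified: the statements must link iss to sub from the leaf up to the trust anchor, the chain's expiration is the earliest exp of any statement (what ExpiresAt returns above), and the ConstraintSpecification an authority placed into its subordinate statement (max_path_length, naming_constraints, allowed_leaf_entity_types) is enforced on every entity below that authority. The chain layout (leaf configuration first, trust anchor configuration last), the host-based RFC 5280 style interpretation of naming constraints, and the demo entity IDs under example.org and example.net are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constraints mirrors the constraints claim an authority may place into a subordinate statement.
type Constraints struct {
	MaxPathLength          *int     // maximum number of intermediates between the issuer and the leaf
	Permitted, Excluded    []string // naming constraints on subordinate entity IDs (host-based, RFC 5280 style)
	AllowedLeafEntityTypes []string // metadata entity types the leaf may publish
}

// Statement is the already signature-verified payload of one entity statement in a chain.
type Statement struct {
	Iss, Sub    string
	Exp         int64
	EntityTypes []string // keys of the metadata object; only consulted on the leaf's own configuration
	Constraints *Constraints
}

// Chain is ordered like a trust chain: chain[0] is the leaf's entity configuration, chain[i]
// is the statement chain[i].Iss issued about chain[i-1].Iss, and the last element is the
// trust anchor's own configuration (assumed layout).
type Chain []Statement

// hostMatches applies the RFC 5280 URI name-constraint rule used here: a constraint that
// starts with "." matches every host under that domain, anything else must equal the host.
func hostMatches(entityID, constraint string) bool {
	u, err := url.Parse(entityID)
	if err != nil || u.Hostname() == "" {
		return false
	}
	if strings.HasPrefix(constraint, ".") {
		return strings.HasSuffix(u.Hostname(), constraint)
	}
	return u.Hostname() == constraint
}

func matchesAny(entityID string, constraints []string) bool {
	for _, c := range constraints {
		if hostMatches(entityID, c) {
			return true
		}
	}
	return false
}

// Validate checks the chain's linkage, its expiry at time now (UNIX seconds) and every
// authority's constraints, and returns the chain's own expiration time.
func (c Chain) Validate(now int64) (int64, error) {
	n := len(c) - 1
	if n < 1 || c[0].Iss != c[0].Sub || c[n].Iss != c[n].Sub || c[n].Iss != c[n-1].Iss {
		return 0, errors.New("chain must start with the leaf's and end with the trust anchor's self-issued configuration")
	}
	expires := c[0].Exp
	for i := 1; i <= n; i++ {
		if c[i].Exp < expires { // a chain is only as fresh as its shortest-lived statement
			expires = c[i].Exp
		}
		if i < n { // the trust anchor's own configuration links to nothing below it
			if c[i].Sub != c[i-1].Iss {
				return 0, fmt.Errorf("statement %d is about %s, expected %s", i, c[i].Sub, c[i-1].Iss)
			}
			if err := c.checkConstraints(i); err != nil {
				return 0, err
			}
		}
	}
	if expires <= now {
		return 0, errors.New("chain has expired")
	}
	return expires, nil
}

// checkConstraints enforces what the issuer of c[i] demanded of everything below it.
func (c Chain) checkConstraints(i int) error {
	cs := c[i].Constraints
	if cs == nil {
		return nil
	}
	if intermediates := i - 1; cs.MaxPathLength != nil && intermediates > *cs.MaxPathLength {
		return fmt.Errorf("%s allows %d intermediates below it, chain has %d", c[i].Iss, *cs.MaxPathLength, intermediates)
	}
	for j := 0; j < i; j++ { // the leaf and every intermediate below the issuer
		id := c[j].Iss
		if (len(cs.Permitted) > 0 && !matchesAny(id, cs.Permitted)) || matchesAny(id, cs.Excluded) {
			return fmt.Errorf("%s violates the naming constraints of %s", id, c[i].Iss)
		}
	}
	for _, t := range c[0].EntityTypes {
		allowed := t == "federation_entity" || len(cs.AllowedLeafEntityTypes) == 0
		for _, a := range cs.AllowedLeafEntityTypes {
			allowed = allowed || a == t
		}
		if !allowed {
			return fmt.Errorf("leaf entity type %s is not allowed by %s", t, c[i].Iss)
		}
	}
	return nil
}
```

Constraints are checked against every entity below the authority that set them, not only against its direct subordinate; otherwise an intermediate could enrol a leaf from a domain its own superior excluded, or publish an OP where only relying parties were permitted.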
type TrustChainChecker ¶
type TrustChainChecker interface {
Check(TrustChain) bool
}
TrustChainChecker can check a single TrustChain to determine whether it should be included or not, e.g. inside a TrustChainsFilter
type TrustChains ¶
type TrustChains []TrustChain
TrustChains is a slice of multiple TrustChain
func (TrustChains) Filter ¶
func (c TrustChains) Filter(filter ...TrustChainsFilter) TrustChains
Filter filters multiple TrustChains with the passed TrustChainsFilter to a subset
type TrustChainsFilter ¶
type TrustChainsFilter interface {
Filter(TrustChains) TrustChains
}
TrustChainsFilter filters multiple TrustChains to a subset
var TrustChainsFilterMinPathLength TrustChainsFilter = trustChainsFilterPathLength{/* contains filtered or unexported fields */}
TrustChainsFilterMinPathLength is a TrustChainsFilter that filters TrustChains to the chains with the minimal path length
func NewTrustChainsFilterFromTrustChainChecker ¶
func NewTrustChainsFilterFromTrustChainChecker(f TrustChainChecker) TrustChainsFilter
NewTrustChainsFilterFromTrustChainChecker creates a new TrustChainsFilter from a TrustChainChecker
func TrustChainsFilterMaxPathLength ¶
func TrustChainsFilterMaxPathLength(maxPathLen int) TrustChainsFilter
TrustChainsFilterMaxPathLength returns a TrustChainsFilter that filters TrustChains to only the chains that are not longer than the passed maximum path length.
func TrustChainsFilterTrustAnchor ¶
func TrustChainsFilterTrustAnchor(anchor string) TrustChainsFilter
TrustChainsFilterTrustAnchor returns a TrustChainsFilter for the passed trust anchor entity id. The returned TrustChainsFilter will filter TrustChains to only the chains ending in the passed anchor.
type TrustResolver ¶
type TrustResolver struct {
	TrustAnchors   []TrustAnchor
	StartingEntity string
	// contains filtered or unexported fields
}
TrustResolver is a type for resolving trust chains from a StartingEntity to one or multiple TrustAnchors
func (TrustResolver) Chains ¶
func (r TrustResolver) Chains() (chains TrustChains)
Chains returns the TrustChains in the internal trust tree
func (*TrustResolver) Resolve ¶
func (r *TrustResolver) Resolve()
Resolve starts the trust chain resolution process, building an internal trust tree
func (*TrustResolver) ResolveToValidChains ¶
func (r *TrustResolver) ResolveToValidChains() TrustChains
ResolveToValidChains starts the trust chain resolution process, builds an internal trust tree, verifies signatures, integrity and expiration times, and returns all valid TrustChains
func (*TrustResolver) VerifySignatures ¶
func (r *TrustResolver) VerifySignatures()
VerifySignatures verifies the signatures of the internal trust tree
type VerifiedChainsOPDiscoverer ¶
type VerifiedChainsOPDiscoverer struct{}
VerifiedChainsOPDiscoverer is an OPDiscoverer that, compared to VerifiedOPDiscoverer, additionally verifies that there is a valid TrustChain between the OP and one of the specified trust anchors
func (VerifiedChainsOPDiscoverer) Discover ¶
func (VerifiedChainsOPDiscoverer) Discover(authorities ...TrustAnchor) (ops []*OpenIDProviderMetadata)
Source Files ¶
- authcode.go
- discovery.go
- entitystatement.go
- federation.go
- logging.go
- metadata.go
- metadataPolicy.go
- mock_authority.go
- mock_general.go
- mock_http.go
- mock_op.go
- mock_rp.go
- policyoperators.go
- policyverifiers.go
- registration.go
- sliceorsinglevalue.go
- trustchain.go
- trustchainfilter.go
- trustmark.go
- trustresolver.go