
Documentation

Index

Constants

// Client registration type identifiers. They are plain string values; presumably
// they are the values carried in OpenIDProviderMetadata.ClientRegistrationTypesSupported
// and OpenIDRelyingPartyMetadata.ClientRegistrationTypes — confirm in the implementation.
const (
	ClientRegistrationTypeAutomatic = "automatic"
	ClientRegistrationTypeExplicit  = "explicit"
)

Variables

// OPDiscoveryFilterAutomaticRegistration is a ready-made filter value whose type is unexported;
// presumably it satisfies OPDiscoveryFilter and keeps only OPs supporting automatic
// client registration — confirm against the implementation.
var OPDiscoveryFilterAutomaticRegistration opDiscoveryFilterAutomaticRegistration
// OPDiscoveryFilterExplicitRegistration is a ready-made filter value whose type is unexported;
// presumably it satisfies OPDiscoveryFilter and keeps only OPs supporting explicit
// client registration — confirm against the implementation.
var OPDiscoveryFilterExplicitRegistration opDiscoveryFilterExplicitRegistration

Functions

func DisableDebugLogging

func DisableDebugLogging()

func EnableDebugLogging

func EnableDebugLogging()

func RegisterPolicyOperator

func RegisterPolicyOperator(operator PolicyOperator)

func RegisterPolicyVerifier

func RegisterPolicyVerifier(v PolicyVerifier)

Types

type AllowedTrustMarkIssuers

// AllowedTrustMarkIssuers maps a trust mark identifier to the entities allowed to issue it.
// It is carried in EntityStatementPayload.TrustMarksIssuers (JSON claim "trust_marks_issuers").
type AllowedTrustMarkIssuers map[string][]string

AllowedTrustMarkIssuers is a type for defining which TrustMarks can be issued by which entities

type ConstraintSpecification

// ConstraintSpecification holds the "constraints" claim of an entity statement.
type ConstraintSpecification struct {
	// NOTE(review): omitempty on a plain int drops a zero value, so a max_path_length of 0
	// cannot be distinguished from "not set" on the wire; if 0 is a meaningful constraint,
	// a pointer type would be needed — confirm against the spec and the callers.
	MaxPathLength          int               `json:"max_path_length,omitempty"`
	// omitempty has no effect on a struct value: encoding/json never omits structs,
	// so an empty NamingConstraints is still serialized as an object.
	NamingConstraints      NamingConstraints `json:"naming_constraints,omitempty"`
	AllowedLeafEntityTypes []string          `json:"allowed_leaf_entity_types,omitempty"`
}

ConstraintSpecification is a type for holding constraints according to the OIDC Federation spec

type EntityConfiguration

// EntityConfiguration is an entity statement an entity makes about itself, created locally.
// Construct it with NewEntityConfiguration; JWT signs it with the key given there.
type EntityConfiguration struct {
	// The claims of the statement; the embedded type's MarshalJSON/UnmarshalJSON handle Extra.
	EntityStatementPayload
	// contains filtered or unexported fields
}

EntityConfiguration is a type for holding an entity configuration, more precisely an entity statement from an entity about itself that was created by us. To create a new EntityConfiguration use the NewEntityConfiguration function

func NewEntityConfiguration

func NewEntityConfiguration(
	payload EntityStatementPayload, privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm,
) *EntityConfiguration

NewEntityConfiguration creates a new EntityConfiguration with the passed EntityStatementPayload and the passed signing key and jwa.SignatureAlgorithm

func (*EntityConfiguration) JWT

func (e *EntityConfiguration) JWT() (jwt []byte, err error)

JWT returns a signed jwt representation of the EntityConfiguration

type EntityStatement

// EntityStatement is an entity statement obtained as a JWT (see ParseEntityStatement).
// Verify checks the signature against a jwk.Set; as documented it returns only a bool,
// so callers presumably need to check TimeValid on the payload separately — confirm.
type EntityStatement struct {
	// The decoded claims of the statement.
	EntityStatementPayload
	// contains filtered or unexported fields
}

EntityStatement is a type for holding an entity statement, more precisely an entity statement that was obtained as a jwt and created by us

func ParseEntityStatement

func ParseEntityStatement(statementJWT []byte) (*EntityStatement, error)

ParseEntityStatement parses a jwt into an EntityStatement

func (EntityStatement) Verify

func (e EntityStatement) Verify(keys jwk.Set) bool

Verify verifies that the EntityStatement jwt is valid

type EntityStatementPayload

// EntityStatementPayload holds the claims of an entity statement or entity configuration.
// Unknown claims are kept in Extra: the field is tagged `json:"-"` so the standard encoder
// skips it, and the custom MarshalJSON/UnmarshalJSON of this type carry it explicitly.
type EntityStatementPayload struct {
	// iss, sub, iat, exp and jwks have no omitempty and are therefore always serialized.
	Issuer                           string                   `json:"iss"`
	Subject                          string                   `json:"sub"`
	// IssuedAt and ExpiresAt are what TimeValid checks.
	IssuedAt                         Unixtime                 `json:"iat"`
	ExpiresAt                        Unixtime                 `json:"exp"`
	JWKS                             jwk.Set                  `json:"jwks"`
	// NOTE(review): a JWT "aud" claim may also be an array; SliceOrSingleValue in this package
	// exists for that shape — confirm whether an array-valued aud must be accepted here.
	Audience                         string                   `json:"aud,omitempty"`
	AuthorityHints                   []string                 `json:"authority_hints,omitempty"`
	SourceEndpoint                   string                   `json:"source_endpoint,omitempty"`
	Metadata                         *Metadata                `json:"metadata,omitempty"`
	MetadataPolicy                   *MetadataPolicies        `json:"metadata_policy,omitempty"`
	Constraints                      *ConstraintSpecification `json:"constraints,omitempty"`
	CriticalExtensions               []string                 `json:"crit,omitempty"`
	CriticalPolicyLanguageExtensions []string                 `json:"policy_language_crit,omitempty"`
	TrustMarks                       []TrustMark              `json:"trust_marks,omitempty"`
	TrustMarksIssuers                *AllowedTrustMarkIssuers `json:"trust_marks_issuers,omitempty"`
	TrustAnchorID                    string                   `json:"trust_anchor_id,omitempty"`
	// Additional claims not covered by the fields above.
	Extra                            map[string]interface{}   `json:"-"`
}

EntityStatementPayload is a type for holding the actual payload of an EntityStatement or EntityConfiguration; additional fields can be set in the Extra claim

func (EntityStatementPayload) MarshalJSON

func (e EntityStatementPayload) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It also marshals extra fields.

func (EntityStatementPayload) TimeValid

func (e EntityStatementPayload) TimeValid() bool

TimeValid checks if the EntityStatementPayload is already valid and not yet expired.

func (*EntityStatementPayload) UnmarshalJSON

func (e *EntityStatementPayload) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It also unmarshals additional fields into the Extra claim.

type FederationEntity

// FederationEntity describes an entity participating in a federation. Construct it with
// NewFederationEntity, which also takes the signing key, algorithm and configuration lifetime
// that EntityConfiguration and SignEntityStatement use (those are kept in unexported fields).
type FederationEntity struct {
	EntityID       string
	Metadata       *Metadata
	AuthorityHints []string
	// contains filtered or unexported fields
}

FederationEntity is a type for an entity participating in federations. It holds all relevant information about the federation entity and can be used to create an EntityConfiguration about it

func NewFederationEntity

func NewFederationEntity(
	entityID string, authorityHints []string, metadata *Metadata,
	privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm, configurationLifetime int64,
) (*FederationEntity, error)

NewFederationEntity creates a new FederationEntity with the passed properties

func (FederationEntity) EntityConfiguration

func (f FederationEntity) EntityConfiguration() *EntityConfiguration

EntityConfiguration returns an EntityConfiguration for this FederationLeaf

func (FederationEntity) SignEntityStatement

func (f FederationEntity) SignEntityStatement(payload EntityStatementPayload) ([]byte, error)

SignEntityStatement creates a signed JWT for the given EntityStatementPayload; this function is intended to be used on TA/IA

type FederationEntityMetadata

// FederationEntityMetadata is the "federation_entity" metadata block of a Metadata value.
// Extra is tagged `json:"-"` and is presumably carried by this type's own MarshalJSON/UnmarshalJSON,
// as documented for EntityStatementPayload — confirm.
type FederationEntityMetadata struct {
	// Federation endpoints offered by the entity.
	FederationFetchEndpoint           string `json:"federation_fetch_endpoint,omitempty"`
	FederationListEndpoint            string `json:"federation_list_endpoint,omitempty"`
	FederationResolveEndpoint         string `json:"federation_resolve_endpoint,omitempty"`
	FederationTrustMarkStatusEndpoint string `json:"federation_trust_mark_status_endpoint,omitempty"`

	// Informational fields about the organization.
	OrganizationName string   `json:"organization_name,omitempty"`
	Contacts         []string `json:"contacts,omitempty"`
	LogoURI          string   `json:"logo_uri,omitempty"`
	PolicyURI        string   `json:"policy_uri,omitempty"`
	HomepageURI      string   `json:"homepage_uri,omitempty"`

	// Additional metadata parameters not covered by the fields above.
	Extra map[string]interface{} `json:"-"`
}

func (FederationEntityMetadata) ApplyPolicy

func (m FederationEntityMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

func (FederationEntityMetadata) MarshalJSON

func (m FederationEntityMetadata) MarshalJSON() ([]byte, error)

func (*FederationEntityMetadata) UnmarshalJSON

func (m *FederationEntityMetadata) UnmarshalJSON(data []byte) error

type FederationLeaf

// FederationLeaf is a leaf entity: a FederationEntity plus the trust anchors it relies on
// and (in unexported fields) the OIDC signing key passed to NewFederationLeaf.
type FederationLeaf struct {
	FederationEntity
	// Trust anchors used when resolving and verifying chains (see ResolveOPMetadata).
	TrustAnchors TrustAnchors
	// contains filtered or unexported fields
}

FederationLeaf is a type for a leaf entity and holds all relevant information about it; it can also be used to create an EntityConfiguration about it or to start OIDC flows

func NewFederationLeaf

func NewFederationLeaf(
	entityID string, authorityHints []string, trustAnchors TrustAnchors, metadata *Metadata,
	privateSigningKey crypto.Signer,
	signingAlg jwa.SignatureAlgorithm, configurationLifetime int64,
	oidcSigningKey crypto.Signer, oidcSigningAlg jwa.SignatureAlgorithm,
) (*FederationLeaf, error)

NewFederationLeaf creates a new FederationLeaf with the passed properties

func (FederationLeaf) CodeExchange

func (f FederationLeaf) CodeExchange(
	issuer, code, redirectURI string,
	additionalParameter url.Values,
) (*OIDCTokenResponse, *OIDCErrorResponse, error)

CodeExchange performs an oidc code exchange; it creates the mytoken and stores it in the database

func (FederationLeaf) GetAuthorizationURL

func (f FederationLeaf) GetAuthorizationURL(
	issuer, redirectURI, state, scope string, additionalParams url.Values,
) (string, error)

GetAuthorizationURL creates an authorization url

func (FederationLeaf) RequestObjectProducer

func (f FederationLeaf) RequestObjectProducer() *RequestObjectProducer

func (FederationLeaf) ResolveOPMetadata

func (f FederationLeaf) ResolveOPMetadata(issuer string) (*OpenIDProviderMetadata, error)

type FilterableVerifiedChainsOPDiscoverer

// FilterableVerifiedChainsOPDiscoverer discovers OPs and applies a list of OPDiscoveryFilters.
// NOTE(review): its Discover takes ...TrustAnchor while the OPDiscoverer interface declares
// ...string, so as listed it does not satisfy OPDiscoverer — confirm which is intended.
type FilterableVerifiedChainsOPDiscoverer struct {
	// Filters applied to each discovered OP; presumably all must pass — confirm.
	Filters []OPDiscoveryFilter
}

func (FilterableVerifiedChainsOPDiscoverer) Discover

func (d FilterableVerifiedChainsOPDiscoverer) Discover(authorities ...TrustAnchor) (opInfos []*OpenIDProviderMetadata)

type Metadata

// Metadata groups the per-entity-type metadata blocks of an entity statement.
// Each field is a pointer so an absent block is omitted; ApplyPolicy applies a MetadataPolicies
// value whose fields mirror these.
type Metadata struct {
	OpenIDProvider           *OpenIDProviderMetadata           `json:"openid_provider,omitempty"`
	RelyingParty             *OpenIDRelyingPartyMetadata       `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer *OAuthAuthorizationServerMetadata `json:"oauth_authorization_server,omitempty"`
	OAuthClient              *OAuthClientMetadata              `json:"oauth_client,omitempty"`
	// Note the JSON key is "oauth_resource", not "oauth_protected_resource".
	OAuthProtectedResource   *OAuthProtectedResourceMetadata   `json:"oauth_resource,omitempty"`
	FederationEntity         *FederationEntityMetadata         `json:"federation_entity,omitempty"`
}

func (Metadata) ApplyPolicy

func (m Metadata) ApplyPolicy(p *MetadataPolicies) (*Metadata, error)

type MetadataPolicies

// MetadataPolicies is the "metadata_policy" claim: one MetadataPolicy per entity type,
// keyed like Metadata. MergeMetadataPolicies combines the policies of a chain.
// omitempty on a map omits it only when nil or empty.
type MetadataPolicies struct {
	OpenIDProvider           MetadataPolicy `json:"openid_provider,omitempty"`
	RelyingParty             MetadataPolicy `json:"openid_relying_party,omitempty"`
	OAuthAuthorizationServer MetadataPolicy `json:"oauth_authorization_server,omitempty"`
	OAuthClient              MetadataPolicy `json:"oauth_client,omitempty"`
	OAuthProtectedResource   MetadataPolicy `json:"oauth_resource,omitempty"`
	FederationEntity         MetadataPolicy `json:"federation_entity,omitempty"`
}

func MergeMetadataPolicies

func MergeMetadataPolicies(policies ...*MetadataPolicies) (*MetadataPolicies, error)

MergeMetadataPolicies combines multiple MetadataPolicies from a chain into a single one

type MetadataPolicy

// MetadataPolicy maps a metadata parameter name to its MetadataPolicyEntry (the operators
// applied to that parameter). Verify validates it; CombineMetadataPolicy merges several.
type MetadataPolicy map[string]MetadataPolicyEntry

func CombineMetadataPolicy

func CombineMetadataPolicy(pathInfo string, policies ...MetadataPolicy) (MetadataPolicy, error)

CombineMetadataPolicy combines multiple MetadataPolicy values into a single MetadataPolicy, verifying at each step that the result is valid

func (MetadataPolicy) Verify

func (p MetadataPolicy) Verify(pathInfo string) error

type MetadataPolicyEntry

// MetadataPolicyEntry maps a policy operator (e.g. PolicyOperatorValue) to its operand.
// ApplyTo applies the operators to a metadata value; Verify validates the entry,
// and registered PolicyVerifiers are presumably consulted by it — confirm.
type MetadataPolicyEntry map[PolicyOperatorName]any

func (MetadataPolicyEntry) ApplyTo

func (p MetadataPolicyEntry) ApplyTo(value any, pathInfo string) (any, error)

func (MetadataPolicyEntry) Verify

func (p MetadataPolicyEntry) Verify(pathInfo string) error

type NamingConstraints

// NamingConstraints is the "naming_constraints" member of a ConstraintSpecification.
type NamingConstraints struct {
	// Permitted and Excluded name patterns; their matching semantics are not shown here.
	Permitted []string `json:"permitted,omitempty"`
	Excluded  []string `json:"excluded,omitempty"`
}

NamingConstraints is a type for holding constraints about naming

type OAuthAuthorizationServerMetadata

// OAuthAuthorizationServerMetadata shares the field set of OpenIDProviderMetadata.
// It is a defined type, not an alias, so it does not inherit OpenIDProviderMetadata's
// methods; it has its own ApplyPolicy, MarshalJSON and UnmarshalJSON.
type OAuthAuthorizationServerMetadata OpenIDProviderMetadata

func (OAuthAuthorizationServerMetadata) ApplyPolicy

func (m OAuthAuthorizationServerMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

func (OAuthAuthorizationServerMetadata) MarshalJSON

func (m OAuthAuthorizationServerMetadata) MarshalJSON() ([]byte, error)

func (*OAuthAuthorizationServerMetadata) UnmarshalJSON

func (m *OAuthAuthorizationServerMetadata) UnmarshalJSON(data []byte) error

type OAuthClientMetadata

// OAuthClientMetadata shares the field set of OpenIDRelyingPartyMetadata.
// It is a defined type, not an alias, so it does not inherit OpenIDRelyingPartyMetadata's
// methods; it has its own ApplyPolicy, MarshalJSON and UnmarshalJSON.
type OAuthClientMetadata OpenIDRelyingPartyMetadata

func (OAuthClientMetadata) ApplyPolicy

func (m OAuthClientMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

func (OAuthClientMetadata) MarshalJSON

func (m OAuthClientMetadata) MarshalJSON() ([]byte, error)

func (*OAuthClientMetadata) UnmarshalJSON

func (m *OAuthClientMetadata) UnmarshalJSON(data []byte) error

type OAuthProtectedResourceMetadata

// OAuthProtectedResourceMetadata is the "oauth_resource" metadata block of a Metadata value.
// Extra is tagged `json:"-"` and is presumably carried by this type's own MarshalJSON/UnmarshalJSON — confirm.
type OAuthProtectedResourceMetadata struct {
	Resource                             string   `json:"resource,omitempty"`
	AuthorizationServers                 []string `json:"authorization_servers,omitempty"`
	ScopesProvided                       []string `json:"scopes_provided,omitempty"`
	BearerMethodsSupported               []string `json:"bearer_methods_supported,omitempty"`
	ResourceSigningAlgValuesSupported    []string `json:"resource_signing_alg_values_supported,omitempty"`
	// NOTE(review): the two encryption lists lack omitempty, unlike every sibling, so a nil
	// slice is serialized as null — confirm whether that is intended.
	ResourceEncryptionAlgValuesSupported []string `json:"resource_encryption_alg_values_supported"`
	ResourceEncryptionEncValuesSupported []string `json:"resource_encryption_enc_values_supported"`
	ResourceDocumentation                string   `json:"resource_documentation,omitempty"`
	ResourcePolicyURI                    string   `json:"resource_policy_uri,omitempty"`
	ResourceTOSURI                       string   `json:"resource_tos_uri,omitempty"`

	// Key material: either by reference (JWKSURI / SignedJWKSURI) or by value (JWKS).
	JWKSURI          string  `json:"jwks_uri,omitempty"`
	JWKS             jwk.Set `json:"jwks,omitempty"`
	SignedJWKSURI    string  `json:"signed_jwks_uri,omitempty"`
	OrganizationName string  `json:"organization_name,omitempty"`

	// Additional metadata parameters not covered by the fields above.
	Extra map[string]interface{} `json:"-"`
}

func (OAuthProtectedResourceMetadata) ApplyPolicy

func (m OAuthProtectedResourceMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

func (OAuthProtectedResourceMetadata) MarshalJSON

func (m OAuthProtectedResourceMetadata) MarshalJSON() ([]byte, error)

func (*OAuthProtectedResourceMetadata) UnmarshalJSON

func (m *OAuthProtectedResourceMetadata) UnmarshalJSON(data []byte) error

type OIDCErrorResponse

// OIDCErrorResponse is the error body returned by an OP, as handed back by CodeExchange.
type OIDCErrorResponse struct {
	// Error is the error code; it is always serialized (no omitempty).
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

type OIDCTokenResponse

// OIDCTokenResponse is the token response of an OP. AccessToken, RefreshToken and IDToken are
// credentials and should be kept out of logs. Extra is tagged `json:"-"` and is presumably
// filled by this type's UnmarshalJSON, as documented for EntityStatementPayload — confirm.
type OIDCTokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	// Per RFC 6749, expires_in is the access token lifetime in seconds.
	ExpiresIn    int64  `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
	// JSON key is the singular "scope".
	Scopes       string `json:"scope"`
	IDToken      string `json:"id_token"`

	// Additional response parameters not covered by the fields above.
	Extra map[string]any `json:"-"`
}

OIDCTokenResponse is the token response of an oidc provider

func (*OIDCTokenResponse) UnmarshalJSON

func (res *OIDCTokenResponse) UnmarshalJSON(data []byte) error

type OPDiscoverer

// OPDiscoverer discovers OpenID Providers below the given authorities.
// NOTE(review): this declares Discover(authorities ...string), but SimpleOPDiscoverer.Discover
// and FilterableVerifiedChainsOPDiscoverer.Discover as listed take ...TrustAnchor, so neither
// satisfies this interface as written — confirm which signature is intended.
type OPDiscoverer interface {
	Discover(authorities ...string) []*OpenIDProviderMetadata
}

type OPDiscoveryFilter

// OPDiscoveryFilter decides whether a discovered OP is kept. Build one from a plain
// func with NewOPDiscoveryFilter, or use the OPDiscoveryFilter* constructors/values in this package.
type OPDiscoveryFilter interface {
	// Filter reports whether the OP should be kept (true) or dropped.
	Filter(*OpenIDProviderMetadata) bool
}

func NewOPDiscoveryFilter

func NewOPDiscoveryFilter(filter func(metadata *OpenIDProviderMetadata) bool) OPDiscoveryFilter

func OPDiscoveryFilterSupportedGrantTypesIncludes

func OPDiscoveryFilterSupportedGrantTypesIncludes(neededGrantTypes ...string) OPDiscoveryFilter

func OPDiscoveryFilterSupportedScopesIncludes

func OPDiscoveryFilterSupportedScopesIncludes(neededScopes ...string) OPDiscoveryFilter

type OPDiscoveryFilterVerifiedChains

// OPDiscoveryFilterVerifiedChains is an OPDiscoveryFilter that presumably keeps only OPs for
// which a trust chain to one of TrustAnchors can be verified; its Filter signature is not
// shown on this page — confirm in source.
type OPDiscoveryFilterVerifiedChains struct {
	TrustAnchors TrustAnchors
}

func (OPDiscoveryFilterVerifiedChains) Filter

type OpenIDProviderMetadata

// OpenIDProviderMetadata is the "openid_provider" metadata block of a Metadata value.
// Fields whose tag has no omitempty are always serialized; the rest are dropped when empty.
// Extra is tagged `json:"-"` and is presumably carried by this type's own MarshalJSON/UnmarshalJSON,
// as documented for EntityStatementPayload — confirm.
type OpenIDProviderMetadata struct {
	Issuer                                                    string              `json:"issuer"`
	AuthorizationEndpoint                                     string              `json:"authorization_endpoint"`
	TokenEndpoint                                             string              `json:"token_endpoint"`
	UserinfoEndpoint                                          string              `json:"userinfo_endpoint,omitempty"`
	// Key material: by reference (JWKSURI / SignedJWKSURI) or by value (JWKS).
	JWKSURI                                                   string              `json:"jwks_uri,omitempty"`
	JWKS                                                      jwk.Set             `json:"jwks,omitempty"`
	SignedJWKSURI                                             string              `json:"signed_jwks_uri,omitempty"`
	RegistrationEndpoint                                      string              `json:"registration_endpoint,omitempty"`
	ScopesSupported                                           []string            `json:"scopes_supported,omitempty"`
	ResponseTypesSupported                                    []string            `json:"response_types_supported"`
	ResponseModesSupported                                    []string            `json:"response_modes_supported,omitempty"`
	GrantTypesSupported                                       []string            `json:"grant_types_supported,omitempty"`
	ACRValuesSupported                                        []string            `json:"acr_values_supported,omitempty"`
	SubjectTypesSupported                                     []string            `json:"subject_types_supported"`
	IDTokenSignedResponseAlgValuesSupported                   []string            `json:"id_token_signed_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseAlgValuesSupported                []string            `json:"id_token_encrypted_response_alg_values_supported,omitempty"`
	IDTokenEncryptedResponseEncValuesSupported                []string            `json:"id_token_encrypted_response_enc_values_supported,omitempty"`
	UserinfoSignedResponseAlgValuesSupported                  []string            `json:"userinfo_signed_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseAlgValuesSupported               []string            `json:"userinfo_encrypted_response_alg_values_supported,omitempty"`
	UserinfoEncryptedResponseEncValuesSupported               []string            `json:"userinfo_encrypted_response_enc_values_supported,omitempty"`
	RequestSignedResponseAlgValuesSupported                   []string            `json:"request_signed_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseAlgValuesSupported                []string            `json:"request_encrypted_response_alg_values_supported,omitempty"`
	RequestEncryptedResponseEncValuesSupported                []string            `json:"request_encrypted_response_enc_values_supported,omitempty"`
	TokenEndpointAuthMethodsSupported                         []string            `json:"token_endpoint_auth_methods_supported,omitempty"`
	TokenEndpointAuthSigningAlgValuesSupported                []string            `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
	DisplayValuesSupported                                    []string            `json:"display_values_supported,omitempty"`
	ClaimsSupported                                           []string            `json:"claims_supported,omitempty"`
	ServiceDocumentation                                      string              `json:"service_documentation,omitempty"`
	ClaimsLocalesSupported                                    []string            `json:"claims_locales_supported,omitempty"`
	UILocalesSupported                                        []string            `json:"ui_locales_supported,omitempty"`
	// omitempty on a bool drops false, so a false value is indistinguishable from "not set".
	ClaimsParameterSupported                                  bool                `json:"claims_parameter_supported,omitempty"`
	RequestParameterSupported                                 bool                `json:"request_parameter_supported,omitempty"`
	RequestURIParameterSupported                              bool                `json:"request_uri_parameter_supported"`
	RequireRequestURIRegistration                             bool                `json:"require_request_uri_registration,omitempty"`
	OPPolicyURI                                               string              `json:"op_policy_uri,omitempty"`
	OPTOSURI                                                  string              `json:"op_tos_uri,omitempty"`
	RevocationEndpoint                                        string              `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported                    []string            `json:"revocation_endpoint_auth_methods_supported,omitempty"`
	RevocationEndpointAuthSigningAlgValuesSupported           []string            `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionEndpoint                                     string              `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointAuthMethodsSupported                 []string            `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	IntrospectionEndpointAuthSigningAlgValuesSupported        []string            `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionSigningAlgValuesSupported                    []string            `json:"introspection_signing_alg_values_supported,omitempty"`
	IntrospectionEncryptionAlgValuesSupported                 []string            `json:"introspection_encryption_alg_values_supported,omitempty"`
	IntrospectionEncryptionEncValuesSupported                 []string            `json:"introspection_encryption_enc_values_supported,omitempty"`
	CodeChallengeMethodsSupported                             []string            `json:"code_challenge_methods_supported,omitempty"`
	SignedMetadata                                            string              `json:"signed_metadata,omitempty"`
	DeviceAuthorizationEndpoint                               string              `json:"device_authorization_endpoint,omitempty"`
	TLSClientCertificateBoundAccessTokens                     bool                `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	MTLSEndpointAliases                                       map[string]string   `json:"mtls_endpoint_aliases,omitempty"`
	NFVTokenSigningAlgValuesSupported                         []string            `json:"nfv_token_signing_alg_values_supported,omitempty"`
	NFVTokenEncryptionAlgValuesSupported                      []string            `json:"nfv_token_encryption_alg_values_supported,omitempty"`
	NFVTokenEncryptionEncValuesSupported                      []string            `json:"nfv_token_encryption_enc_values_supported,omitempty"`
	RequireSignedRequestObject                                bool                `json:"require_signed_request_object,omitempty"`
	PushedAuthorizationRequestEndpoint                        string              `json:"pushed_authorization_request_endpoint,omitempty"`
	RequirePushedAuthorizationRequests                        bool                `json:"require_pushed_authorization_requests,omitempty"`
	AuthorizationResponseIssParameterSupported                bool                `json:"authorization_response_iss_parameter_supported,omitempty"`
	CheckSessionIFrame                                        string              `json:"check_session_iframe,omitempty"`
	FrontchannelLogoutSupported                               bool                `json:"frontchannel_logout_supported,omitempty"`
	BackchannelLogoutSupported                                bool                `json:"backchannel_logout_supported,omitempty"`
	BackchannelLogoutSessionSupported                         bool                `json:"backchannel_logout_session_supported,omitempty"`
	EndSessionEndpoint                                        string              `json:"end_session_endpoint,omitempty"`
	BackchannelTokenDeliveryModesSupported                    []string            `json:"backchannel_token_delivery_modes_supported,omitempty"`
	BackchannelAuthenticationEndpoint                         string              `json:"backchannel_authentication_endpoint,omitempty"`
	BackchannelAuthenticationRequestSigningAlgValuesSupported []string            `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`
	BackchannelUserCodeParameterSupported                     bool                `json:"backchannel_user_code_parameter_supported,omitempty"`
	AuthorizationDetailsTypesSupported                        []string            `json:"authorization_details_types_supported,omitempty"`
	// Federation-specific parameters; ClientRegistrationTypesSupported is always serialized and
	// presumably holds ClientRegistrationTypeAutomatic / ClientRegistrationTypeExplicit values — confirm.
	ClientRegistrationTypesSupported                          []string            `json:"client_registration_types_supported"`
	FederationRegistrationEndpoint                            string              `json:"federation_registration_endpoint,omitempty"`
	RequestAuthenticationMethodsSupported                     map[string][]string `json:"request_authentication_methods_supported,omitempty"`
	RequestAuthenticationSigningAlgValuesSupported            []string            `json:"request_authentication_signing_alg_values_supported,omitempty"`
	OrganizationName                                          string              `json:"organization_name,omitempty"`

	// Additional metadata parameters not covered by the fields above.
	Extra map[string]interface{} `json:"-"`
}

func (OpenIDProviderMetadata) ApplyPolicy

func (m OpenIDProviderMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

func (OpenIDProviderMetadata) MarshalJSON

func (m OpenIDProviderMetadata) MarshalJSON() ([]byte, error)

func (*OpenIDProviderMetadata) UnmarshalJSON

func (m *OpenIDProviderMetadata) UnmarshalJSON(data []byte) error

type OpenIDRelyingPartyMetadata

// OpenIDRelyingPartyMetadata is the "openid_relying_party" metadata block of a Metadata value.
// Extra is tagged `json:"-"` and is presumably carried by this type's own MarshalJSON/UnmarshalJSON,
// as documented for EntityStatementPayload — confirm.
type OpenIDRelyingPartyMetadata struct {
	Scope                                 string   `json:"scope,omitempty"`
	RedirectURIS                          []string `json:"redirect_uris,omitempty"`
	ResponseTypes                         []string `json:"response_types,omitempty"`
	GrantTypes                            []string `json:"grant_types,omitempty"`
	ApplicationType                       string   `json:"application_type,omitempty"`
	Contacts                              []string `json:"contacts,omitempty"`
	ClientName                            string   `json:"client_name,omitempty"`
	LogoURI                               string   `json:"logo_uri,omitempty"`
	ClientURI                             string   `json:"client_uri,omitempty"`
	PolicyURI                             string   `json:"policy_uri,omitempty"`
	TOSURI                                string   `json:"tos_uri,omitempty"`
	// Key material: by reference (JWKSURI / SignedJWKSURI) or by value (JWKS).
	JWKSURI                               string   `json:"jwks_uri,omitempty"`
	JWKS                                  jwk.Set  `json:"jwks,omitempty"`
	SignedJWKSURI                         string   `json:"signed_jwks_uri,omitempty"`
	SectorIdentifierURI                   string   `json:"sector_identifier_uri,omitempty"`
	SubjectType                           string   `json:"subject_type,omitempty"`
	IDTokenSignedResponseAlg              string   `json:"id_token_signed_response_alg,omitempty"`
	IDTokenEncryptedResponseAlg           string   `json:"id_token_encrypted_response_alg,omitempty"`
	IDTokenEncryptedResponseEnc           string   `json:"id_token_encrypted_response_enc,omitempty"`
	UserinfoSignedResponseAlg             string   `json:"userinfo_signed_response_alg,omitempty"`
	UserinfoEncryptedResponseAlg          string   `json:"userinfo_encrypted_response_alg,omitempty"`
	UserinfoEncryptedResponseEnc          string   `json:"userinfo_encrypted_response_enc,omitempty"`
	RequestSignedResponseAlg              string   `json:"request_signed_response_alg,omitempty"`
	RequestEncryptedResponseAlg           string   `json:"request_encrypted_response_alg,omitempty"`
	RequestEncryptedResponseEnc           string   `json:"request_encrypted_response_enc,omitempty"`
	TokenEndpointAuthMethod               string   `json:"token_endpoint_auth_method,omitempty"`
	TokenEndpointAuthSigningAlg           string   `json:"token_endpoint_auth_signing_alg,omitempty"`
	DefaultMaxAge                         int64    `json:"default_max_age,omitempty"`
	RequireAuthTime                       bool     `json:"require_auth_time,omitempty"`
	DefaultACRValues                      []string `json:"default_acr_values,omitempty"`
	InitiateLoginURI                      string   `json:"initiate_login_uri,omitempty"`
	RequestURIs                           []string `json:"request_uris,omitempty"`
	SoftwareID                            string   `json:"software_id,omitempty"`
	SoftwareVersion                       string   `json:"software_version,omitempty"`
	ClientID                              string   `json:"client_id,omitempty"`
	// NOTE(review): ClientSecret and RegistrationAccessToken are credentials. This type is
	// embedded in published entity configurations, so confirm that MarshalJSON never emits
	// them with a value when this metadata is made public, and keep them out of logs.
	ClientSecret                          string   `json:"client_secret,omitempty"`
	ClientIDIssuedAt                      int64    `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt                 int64    `json:"client_secret_expires_at,omitempty"`
	RegistrationAccessToken               string   `json:"registration_access_token,omitempty"`
	RegistrationClientURI                 string   `json:"registration_client_uri,omitempty"`
	ClaimsRedirectURIs                    []string `json:"claims_redirect_uris,omitempty"`
	NFVTokenSignedResponseAlg             string   `json:"nfv_token_signed_response_alg,omitempty"`
	NFVTokenEncryptedResponseAlg          string   `json:"nfv_token_encrypted_response_alg,omitempty"`
	NFVTokenEncryptedResponseEnc          string   `json:"nfv_token_encrypted_response_enc,omitempty"`
	TLSClientCertificateBoundAccessTokens bool     `json:"tls_client_certificate_bound_access_tokens,omitempty"`
	TLSClientAuthSubjectDN                string   `json:"tls_client_auth_subject_dn,omitempty"`
	TLSClientAuthSANDNS                   string   `json:"tls_client_auth_san_dns,omitempty"`
	TLSClientAuthSANURI                   string   `json:"tls_client_auth_san_uri,omitempty"`
	TLSClientAuthSANIP                    string   `json:"tls_client_auth_san_ip,omitempty"`
	TLSClientAuthSANEMAIL                 string   `json:"tls_client_auth_san_email,omitempty"`
	RequireSignedRequestObject            bool     `json:"require_signed_request_object,omitempty"`
	RequirePushedAuthorizationRequests    bool     `json:"require_pushed_authorization_requests,omitempty"`
	IntrospectionSignedResponseAlg        string   `json:"introspection_signed_response_alg,omitempty"`
	IntrospectionEncryptedResponseAlg     string   `json:"introspection_encrypted_response_alg,omitempty"`
	IntrospectionEncryptedResponseEnc     string   `json:"introspection_encrypted_response_enc,omitempty"`
	FrontchannelLogoutURI                 string   `json:"frontchannel_logout_uri,omitempty"`
	FrontchannelLogoutSessionRequired     bool     `json:"frontchannel_logout_session_required,omitempty"`
	BackchannelLogoutURI                  string   `json:"backchannel_logout_uri,omitempty"`
	BackchannelLogoutSessionRequired      bool     `json:"backchannel_logout_session_required,omitempty"`
	PostLogoutRedirectURIs                []string `json:"post_logout_redirect_uris,omitempty"`
	AuthorizationDetailsTypes             []string `json:"authorization_details_types,omitempty"`
	OrganizationName                      string   `json:"organization_name,omitempty"`
	// Always serialized (no omitempty); presumably holds ClientRegistrationTypeAutomatic /
	// ClientRegistrationTypeExplicit values — confirm.
	ClientRegistrationTypes               []string `json:"client_registration_types"`

	// Additional metadata parameters not covered by the fields above.
	Extra map[string]interface{} `json:"-"`
}

func (OpenIDRelyingPartyMetadata) ApplyPolicy

func (m OpenIDRelyingPartyMetadata) ApplyPolicy(policy MetadataPolicy) (any, error)

func (OpenIDRelyingPartyMetadata) MarshalJSON

func (m OpenIDRelyingPartyMetadata) MarshalJSON() ([]byte, error)

func (*OpenIDRelyingPartyMetadata) UnmarshalJSON

func (m *OpenIDRelyingPartyMetadata) UnmarshalJSON(data []byte) error

type PolicyOperator

// PolicyOperator implements one metadata policy operator. Implementations are made
// available with RegisterPolicyOperator; NewPolicyOperator builds one from plain funcs.
type PolicyOperator interface {
	// Merge combines the operand of this operator from two policies (a superior's and a
	// subordinate's); pathInfo presumably identifies the parameter for error messages.
	Merge(a, b any, pathInfo string) (any, error)
	// Apply applies policyValue to a metadata value; essential presumably reflects the
	// "essential" operator of the same entry — confirm.
	Apply(value, policyValue any, essential bool, pathInfo string) (any, error)
	// Name is the key under which the operator appears in a MetadataPolicyEntry.
	Name() PolicyOperatorName
	// IsModifier distinguishes operators that change the value from those that only check it.
	IsModifier() bool
}

func NewPolicyOperator

func NewPolicyOperator(
	name PolicyOperatorName,
	isModifier bool,
	merger func(a, b any, pathInfo string) (any, error),
	applier func(value, policyValue any, essential bool, pathInfo string) (any, error),
) PolicyOperator

type PolicyOperatorName

// PolicyOperatorName is the key of a MetadataPolicyEntry: the name of a policy operator.
type PolicyOperatorName string
// The operators defined by the OpenID Federation metadata policy language.
const (
	PolicyOperatorValue      PolicyOperatorName = "value"
	PolicyOperatorDefault    PolicyOperatorName = "default"
	PolicyOperatorAdd        PolicyOperatorName = "add"
	PolicyOperatorOneOf      PolicyOperatorName = "one_of"
	PolicyOperatorSubsetOf   PolicyOperatorName = "subset_of"
	PolicyOperatorSupersetOf PolicyOperatorName = "superset_of"
	PolicyOperatorEssential  PolicyOperatorName = "essential"
)

type PolicyVerifier

// PolicyVerifier checks a MetadataPolicyEntry and returns an error if it is
// not acceptable; pathInfo names the metadata field the entry applies to.
type PolicyVerifier func(p MetadataPolicyEntry, pathInfo string) error

type RequestObjectProducer

// RequestObjectProducer produces signed request objects and client assertions
// on behalf of the entity EntityID. The signing key, signature algorithm and
// lifetime are set by NewRequestObjectProducer and kept in unexported fields.
type RequestObjectProducer struct {
	EntityID string
	// contains filtered or unexported fields
}

func NewRequestObjectProducer

func NewRequestObjectProducer(
	entityID string, privateSigningKey crypto.Signer, signingAlg jwa.SignatureAlgorithm, lifetime int64,
) *RequestObjectProducer

NewRequestObjectProducer creates a new RequestObjectProducer with the passed properties

func (RequestObjectProducer) ClientAssertion

func (rop RequestObjectProducer) ClientAssertion(aud string) ([]byte, error)

func (RequestObjectProducer) RequestObject

func (rop RequestObjectProducer) RequestObject(requestValues map[string]any) ([]byte, error)

type SimpleOPDiscoverer

type SimpleOPDiscoverer struct{}

SimpleOPDiscoverer is an OPDiscoverer that checks authorities for subordinate OPs and verifies that those publish openid_provider metadata in their EntityConfiguration

func (SimpleOPDiscoverer) Discover

func (d SimpleOPDiscoverer) Discover(authorities ...TrustAnchor) (opInfos []*OpenIDProviderMetadata)

type SliceOrSingleValue

type SliceOrSingleValue[T any] []T

SliceOrSingleValue is a type that supports (un-)marshaling (json) of a slice where a single value may be given as a bare value instead of a one-element slice

func (SliceOrSingleValue[T]) MarshalJSON

func (v SliceOrSingleValue[T]) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*SliceOrSingleValue[T]) UnmarshalJSON

func (v *SliceOrSingleValue[T]) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type TrustAnchor

// TrustAnchor is a trust anchor of a federation, identified by its EntityID
// together with its JWKS. NOTE(review): the JWKS is presumably the trust root
// used to verify statements issued by the anchor — confirm in the resolver.
type TrustAnchor struct {
	EntityID string  `yaml:"entity_id" json:"entity_id"`
	JWKS     jwk.Set `yaml:"jwks" json:"jwks"`
}

type TrustAnchors

// TrustAnchors is a list of TrustAnchor. NOTE(review): NewTrustAnchorsFromEntityIDs
// builds anchors from entity ids alone, so their JWKS is not pinned by the caller;
// confirm how that key material is obtained before relying on such anchors as a trust root.
type TrustAnchors []TrustAnchor

func NewTrustAnchorsFromEntityIDs

func NewTrustAnchorsFromEntityIDs(anchorIDs ...string) (anchors TrustAnchors)

func (TrustAnchors) EntityIDs

func (anchors TrustAnchors) EntityIDs() (entityIDs []string)

type TrustChain

type TrustChain []*EntityStatement

TrustChain is a slice of *EntityStatements

func (TrustChain) ExpiresAt

func (c TrustChain) ExpiresAt() Unixtime

ExpiresAt returns the expiration time of the TrustChain as a UNIX time stamp

func (TrustChain) Metadata

func (c TrustChain) Metadata() (*Metadata, error)

Metadata returns the final Metadata for this TrustChain, i.e. the Metadata of the leaf entity with the MetadataPolicies of the authorities applied to it.

type TrustChainChecker

type TrustChainChecker interface {
	Check(TrustChain) bool
}

TrustChainChecker checks a single TrustChain to determine whether it should be included, for example in a TrustChainsFilter

type TrustChains

type TrustChains []TrustChain

TrustChains is a slice of multiple TrustChain

func (TrustChains) Filter

func (c TrustChains) Filter(filter ...TrustChainsFilter) TrustChains

Filter filters multiple TrustChains with the passed TrustChainsFilter to a subset

type TrustChainsFilter

type TrustChainsFilter interface {
	Filter(TrustChains) TrustChains
}

TrustChainsFilter filters multiple TrustChains to a subset

var TrustChainsFilterMinPathLength TrustChainsFilter = trustChainsFilterPathLength{/* contains filtered or unexported fields */}

TrustChainsFilterMinPathLength is a TrustChainsFilter that filters TrustChains to the chains with the minimal path length

func NewTrustChainsFilterFromTrustChainChecker

func NewTrustChainsFilterFromTrustChainChecker(f TrustChainChecker) TrustChainsFilter

NewTrustChainsFilterFromTrustChainChecker creates a new TrustChainsFilter from a TrustChainChecker

func TrustChainsFilterMaxPathLength

func TrustChainsFilterMaxPathLength(maxPathLen int) TrustChainsFilter

TrustChainsFilterMaxPathLength returns a TrustChainsFilter that filters TrustChains to only the chains that are not longer than the passed maximum path length.

func TrustChainsFilterTrustAnchor

func TrustChainsFilterTrustAnchor(anchor string) TrustChainsFilter

TrustChainsFilterTrustAnchor returns a TrustChainsFilter for the passed trust anchor entity id. The returned TrustChainsFilter will filter TrustChains to only chains ending in the passed anchor.

type TrustMark

type TrustMark struct {
	ID           string `json:"id"`
	TrustMarkJWT string `json:"trust_mark"`
}

TrustMark is a type for holding a trust mark

type TrustResolver

type TrustResolver struct {
	TrustAnchors   []TrustAnchor
	StartingEntity string
	// contains filtered or unexported fields
}

TrustResolver is a type for resolving trust chains from a StartingEntity to one or multiple TrustAnchors

func (TrustResolver) Chains

func (r TrustResolver) Chains() (chains TrustChains)

Chains returns the TrustChains in the internal trust tree built by Resolve; chains that have additionally been verified are obtained via ResolveToValidChains.

func (*TrustResolver) Resolve

func (r *TrustResolver) Resolve()

Resolve starts the trust chain resolution process, building an internal trust tree

func (*TrustResolver) ResolveToValidChains

func (r *TrustResolver) ResolveToValidChains() TrustChains

ResolveToValidChains starts the trust chain resolution process, building an internal trust tree, verifies signatures, integrity, and expiration times, and returns all valid TrustChains

func (*TrustResolver) VerifySignatures

func (r *TrustResolver) VerifySignatures()

VerifySignatures verifies the signatures of the internal trust tree

type Unixtime

// Unixtime wraps time.Time so that it is (un)marshaled from/to JSON as a
// UNIX time stamp via MarshalJSON and UnmarshalJSON.
type Unixtime struct {
	time.Time
}

func (Unixtime) MarshalJSON

func (u Unixtime) MarshalJSON() ([]byte, error)

func (*Unixtime) UnmarshalJSON

func (u *Unixtime) UnmarshalJSON(src []byte) error

type VerifiedChainsOPDiscoverer

type VerifiedChainsOPDiscoverer struct{}

VerifiedChainsOPDiscoverer is an OPDiscoverer that, compared to VerifiedOPDiscoverer, additionally verifies that a valid TrustChain exists between the OP and one of the specified trust anchors

func (VerifiedChainsOPDiscoverer) Discover

func (VerifiedChainsOPDiscoverer) Discover(authorities ...TrustAnchor) (ops []*OpenIDProviderMetadata)
