Constants
const ( ResponseModeDefault = ResponseModeType("") ResponseModeFormPost = ResponseModeType(consts.ResponseModeFormPost) ResponseModeQuery = ResponseModeType(consts.ResponseModeQuery) ResponseModeFragment = ResponseModeType(consts.ResponseModeFragment) ResponseModeFormPostJWT = ResponseModeType(consts.ResponseModeFormPostJWT) ResponseModeQueryJWT = ResponseModeType(consts.ResponseModeQueryJWT) ResponseModeFragmentJWT = ResponseModeType(consts.ResponseModeFragmentJWT) ResponseModeJWT = ResponseModeType(consts.ResponseModeJWT) )
const ( RequestContextKey = ContextKey("request") AccessRequestContextKey = ContextKey("accessRequest") AccessResponseContextKey = ContextKey("accessResponse") AuthorizeRequestContextKey = ContextKey("authorizeRequest") AuthorizeResponseContextKey = ContextKey("authorizeResponse") // PushedAuthorizeResponseContextKey is the response context PushedAuthorizeResponseContextKey = ContextKey("pushedAuthorizeResponse") )
const ( AccessToken TokenType = consts.TokenTypeAccessToken RefreshToken TokenType = consts.TokenTypeRefreshToken DeviceCode TokenType = consts.CodeDevice UserCode TokenType = consts.CodeUser // PushedAuthorizeRequestContext represents the PAR context object PushedAuthorizeRequestContext TokenType = "par_context" AuthorizeCode TokenType = "authorize_code" IDToken TokenType = "id_token" GrantTypeImplicit GrantType = consts.GrantTypeImplicit GrantTypeRefreshToken GrantType = consts.GrantTypeRefreshToken GrantTypeAuthorizationCode GrantType = consts.GrantTypeAuthorizationCode GrantTypePassword GrantType = consts.GrantTypeResourceOwnerPasswordCredentials GrantTypeClientCredentials GrantType = consts.GrantTypeClientCredentials GrantTypeJWTBearer GrantType = consts.GrantTypeOAuthJWTBearer GrantTypeDeviceCode GrantType = consts.GrantTypeOAuthDeviceCode GrantTypeTokenExchange GrantType = consts.GrantTypeOAuthTokenExchange BearerAccessToken string = "bearer" )
const ( ErrorPARNotSupported = "The OAuth 2.0 provider does not support Pushed Authorization Requests" DebugPARStorageInvalid = "'PARStorage' not implemented" DebugPARConfigMissing = "'PushedAuthorizeRequestConfigProvider' not implemented" DebugPARRequestsHandlerMissing = "'PushedAuthorizeRequestHandlersProvider' not implemented" )
const DefaultBCryptWorkFactor = 12
const MinParameterEntropy = 8
Variables
var ( // ErrInvalidatedAuthorizeCode is an error indicating that an authorization code has been // used previously. ErrInvalidatedAuthorizeCode = errors.New("Authorization code has ben invalidated") // ErrInvalidatedDeviceCode is an error indicating that a device code has been used previously. ErrInvalidatedDeviceCode = errors.New("Device code has been invalidated") // ErrInvalidatedUserCode is an error indicating that a user code has been used previously. ErrInvalidatedUserCode = errors.New("user code has been invalidated") // ErrSerializationFailure is an error indicating that the transactional capable storage could not guarantee // consistency of Update & Delete operations on the same rows between multiple sessions. ErrSerializationFailure = errors.New("The request could not be completed due to concurrent access") ErrUnknownRequest = &RFC6749Error{ ErrorField: errUnknownErrorName, DescriptionField: "The handler is not responsible for this request.", CodeField: http.StatusBadRequest, } ErrRequestForbidden = &RFC6749Error{ ErrorField: errRequestForbidden, DescriptionField: "The request is not allowed.", HintField: "You are not allowed to perform this action.", CodeField: http.StatusForbidden, } ErrInvalidRequest = &RFC6749Error{ ErrorField: errInvalidRequestName, DescriptionField: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", HintField: "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.", CodeField: http.StatusBadRequest, } ErrorField: errUnauthorizedClientName, DescriptionField: "The client is not authorized to request a token using this method.", HintField: "Make sure that client id and secret are correctly specified and that the client exists.", CodeField: http.StatusBadRequest, } ErrAccessDenied = &RFC6749Error{ ErrorField: errAccessDeniedName, DescriptionField: "The resource owner or authorization server denied the request.", HintField: "Make sure that the request you are making is valid. Maybe the credential or request parameters you are using are limited in scope or otherwise restricted.", CodeField: http.StatusForbidden, } ErrUnsupportedResponseType = &RFC6749Error{ ErrorField: errUnsupportedResponseTypeName, DescriptionField: "The authorization server does not support obtaining a token using this method.", CodeField: http.StatusBadRequest, } ErrUnsupportedResponseMode = &RFC6749Error{ ErrorField: errUnsupportedResponseModeName, DescriptionField: "The authorization server does not support obtaining a response using this response mode.", CodeField: http.StatusBadRequest, } ErrInvalidScope = &RFC6749Error{ ErrorField: errInvalidScopeName, DescriptionField: "The requested scope is invalid, unknown, or malformed.", CodeField: http.StatusBadRequest, } ErrServerError = &RFC6749Error{ ErrorField: errServerErrorName, DescriptionField: "The authorization server encountered an unexpected condition that prevented it from fulfilling the request.", CodeField: http.StatusInternalServerError, } ErrorField: errTemporarilyUnavailableName, DescriptionField: "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.", CodeField: http.StatusServiceUnavailable, } ErrUnsupportedGrantType = &RFC6749Error{ ErrorField: errUnsupportedGrantTypeName, DescriptionField: "The authorization grant type is not supported by the authorization server.", CodeField: http.StatusBadRequest, } ErrInvalidGrant = &RFC6749Error{ ErrorField: errInvalidGrantName, DescriptionField: "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.", CodeField: http.StatusBadRequest, } ErrInvalidClient = &RFC6749Error{ ErrorField: errInvalidClientName, DescriptionField: "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).", CodeField: http.StatusUnauthorized, } ErrInvalidState = &RFC6749Error{ ErrorField: errInvalidStateName, DescriptionField: "The state is missing or does not have enough characters and is therefore considered too weak.", CodeField: http.StatusBadRequest, } ErrMisconfiguration = &RFC6749Error{ ErrorField: errMisconfigurationName, DescriptionField: "The request failed because of an internal error that is probably caused by misconfiguration.", CodeField: http.StatusInternalServerError, } ErrInsufficientEntropy = &RFC6749Error{ ErrorField: errInsufficientEntropyName, DescriptionField: "The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy.", CodeField: http.StatusBadRequest, } ErrNotFound = &RFC6749Error{ ErrorField: errNotFoundName, DescriptionField: "Could not find the requested resource(s).", CodeField: http.StatusNotFound, } ErrorField: errRequestUnauthorizedName, DescriptionField: "The request could not be authorized.", HintField: "Check that you provided valid credentials in the right format.", CodeField: http.StatusUnauthorized, } ErrTokenSignatureMismatch = &RFC6749Error{ ErrorField: errTokenSignatureMismatchName, DescriptionField: "Token signature mismatch.", HintField: "Check that you provided a valid token in the right format.", CodeField: http.StatusBadRequest, } ErrInvalidTokenFormat = &RFC6749Error{ ErrorField: errInvalidTokenFormatName, DescriptionField: "Invalid token format.", HintField: "Check that you provided a valid token in the right format.", CodeField: http.StatusBadRequest, } ErrTokenExpired = &RFC6749Error{ ErrorField: errTokenExpiredName, DescriptionField: "Token expired.", HintField: "The token expired.", CodeField: http.StatusUnauthorized, } ErrScopeNotGranted = &RFC6749Error{ ErrorField: errScopeNotGrantedName, DescriptionField: "The token was not granted the requested scope.", HintField: "The resource owner did not grant the requested scope.", CodeField: http.StatusForbidden, } ErrTokenClaim = &RFC6749Error{ ErrorField: errTokenClaimName, DescriptionField: "The token failed validation due to a claim mismatch.", HintField: "One or more token claims failed validation.", CodeField: http.StatusUnauthorized, } ErrInactiveToken = &RFC6749Error{ ErrorField: errTokenInactiveName, DescriptionField: "Token is inactive because it is malformed, expired or otherwise invalid.", HintField: "Token validation failed.", CodeField: http.StatusUnauthorized, } ErrLoginRequired = &RFC6749Error{ ErrorField: errLoginRequired, DescriptionField: "The Authorization Server requires End-User authentication.", CodeField: http.StatusBadRequest, } ErrInteractionRequired = &RFC6749Error{ DescriptionField: "The Authorization Server requires End-User interaction of some form to proceed.", ErrorField: errInteractionRequired, CodeField: http.StatusBadRequest, } ErrConsentRequired = &RFC6749Error{ DescriptionField: "The Authorization Server requires End-User consent.", ErrorField: errConsentRequired, CodeField: http.StatusBadRequest, } ErrRequestNotSupported = &RFC6749Error{ DescriptionField: "The authorization server does not support the use of the request parameter.", ErrorField: errRequestNotSupportedName, CodeField: http.StatusBadRequest, } ErrRequestURINotSupported = &RFC6749Error{ DescriptionField: "The authorization server does not support the use of the request_uri parameter.", ErrorField: errRequestURINotSupportedName, CodeField: http.StatusBadRequest, } ErrRegistrationNotSupported = &RFC6749Error{ DescriptionField: "The OP does not support use of the registration parameter.", ErrorField: errRegistrationNotSupportedName, CodeField: http.StatusBadRequest, } ErrInvalidRequestURI = &RFC6749Error{ DescriptionField: "The request_uri in the authorization request returns an error or contains invalid data.", ErrorField: errInvalidRequestURI, CodeField: http.StatusBadRequest, } ErrInvalidRequestObject = &RFC6749Error{ DescriptionField: "The request parameter contains an invalid Request Object.", ErrorField: errInvalidRequestObject, CodeField: http.StatusBadRequest, } ErrJTIKnown = &RFC6749Error{ DescriptionField: "The jti was already used.", ErrorField: errJTIKnownName, CodeField: http.StatusBadRequest, } ErrAuthorizationPending = &RFC6749Error{ DescriptionField: "The authorization request is still pending as the end user hasn't yet completed the user-interaction steps.", ErrorField: errAuthorizationPending, CodeField: http.StatusBadRequest, } ErrDeviceExpiredToken = &RFC6749Error{ DescriptionField: "The device_code has expired, and the device authorization session has concluded.", ErrorField: errDeviceExpiredToken, CodeField: http.StatusBadRequest, } ErrSlowDown = &RFC6749Error{ DescriptionField: "Too many requests within a short time period.", ErrorField: errSlowDown, CodeField: http.StatusBadRequest, } )
var ( // RegexSpecificationVSCHAR matches strings which only contain the ASCII visible printable // range %x20-7E per i.e. VSCHAR. Presumably the Visible // with Spaces characters. RegexSpecificationVSCHAR = regexp.MustCompile(`^[\pL\pM\pN\pP\pS ]+$`) // RegexSpecificationNQCHAR matches strings which only contain the ASCII visible printable // ranges %x21 / %x23-5B / %x5D-7E per i.e. NQCHAR. // Presumably the Non-Quoted character range. RegexSpecificationNQCHAR = regexp.MustCompile(`^[\pL\pM\pN\pS!#-@_\[\]{}]+$`) // RegexSpecificationNQSCHAR matches strings which only contain the ASCII visible printable // ranges %x20-21 / %x23-5B / %x5D-7E per i.e. NQSCHAR. // Presumably the Non-Quoted with Spaces character range. RegexSpecificationNQSCHAR = regexp.MustCompile(`^[\pL\pM\pN\pS!#-@_\[\]{}]+$`) )
var DefaultFormPostTemplate = template.Must(template.New("form_post").Parse(`<html>
<title>Submit This Form</title>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="{{ .RedirURL }}">
{{ range $key,$value := .Parameters }}
{{ range $parameter:= $value }}
<input type="hidden" name="{{ $key }}" value="{{ $parameter }}"/>
{{ end }}
{{ end }}
var (
ErrClientSecretNotRegistered = errors.New("error occurred checking the client secret: the client is not registered with a secret")
Functions
func AccessTokenFromRequest ¶
func AddLocalizerToErr ¶
func AddLocalizerToErr(catalog i18n.MessageCatalog, err error, requester Requester) error
AddLocalizerToErr augments the error object with the localizer based on the language set in the requester object. This is primarily required for response writers like introspection that do not take in the requester in the Write* function that produces the translated message. See - WriteIntrospectionError, for example.
func AddLocalizerToErrWithLang ¶
AddLocalizerToErrWithLang augments the error object with the localizer based on the language passed in. This is primarily required for response writers like introspection that do not take in the requester in the Write* function that produces the translated message. See - WriteIntrospectionError, for example.
func CompareClientSecret ¶
CompareClientSecret compares a raw secret input from a client to the registered client secret. If the secret is valid it returns nil, otherwise it returns an error. The ErrClientSecretNotRegistered error indicates the ClientSecret is nil, all other errors are returned directly from the ClientSecret.Compare function.
func DeviceAuthorizeStatusToString ¶
func DeviceAuthorizeStatusToString(status DeviceAuthorizeStatus) string
func ErrorToDebugRFC6749Error ¶
ErrorToDebugRFC6749Error converts the provided error to a *DebugRFC6749Error provided it is not nil and can be cast as a *RFC6749Error.
func EscapeJSONString ¶
EscapeJSONString does a poor man's JSON encoding. Useful when we do not want to use full JSON encoding because we just had an error doing the JSON encoding. The characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F). See:
func ExactAudienceMatchingStrategy ¶
ExactAudienceMatchingStrategy does not assume that audiences are URIs, but compares strings as-is and does matching with exact string comparison. It requires that all strings in "needle" are present in "haystack". Use this strategy when your audience values are not URIs (e.g., you use client IDs for audience and they are UUIDs or random strings).
func ExactScopeStrategy ¶
func GetAudiences ¶
GetAudiences allows audiences to be provided as repeated "audience" form parameter, or as a space-delimited "audience" form parameter if it is not repeated. RFC 8693 in section 2.1 specifies that multiple audience values should be multiple query parameters, while RFC 6749 says that that request parameter must not be included more than once (and thus why we use space-delimited value). This function tries to satisfy both. If "audience" form parameter is repeated, we do not split the value by space.
func GetEffectiveLifespan ¶
func GetEffectiveLifespan(c Client, gt GrantType, tt TokenType, fallback time.Duration) (lifespan time.Duration)
GetEffectiveLifespan either maps GrantType x TokenType to the client's configured lifespan, or returns the fallback value.
func GetPostFormHTMLTemplate ¶
func GetPostFormHTMLTemplate(ctx context.Context, c FormPostHTMLTemplateProvider) *template.Template
func HierarchicScopeStrategy ¶
func IsLocalhost ¶
func IsMatchingRedirectURI ¶ added in v0.1.4
IsMatchingRedirectURI matches a requested redirect URI against a pool of registered client URIs.
Test a given redirect URI against a pool of URIs provided by a registered client. If the OAuth 2.0 Client has loopback URIs registered either an IPv4 URI or an IPv6 URI http://[::1] a client is allowed to request a dynamic port and the server MUST accept it as a valid redirection uri. Native apps that are able to open a port on the loopback network interface without needing special permissions (typically, those on desktop operating systems) can use the loopback interface to receive the OAuth redirect.
Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on.
func IsRedirectURISecureStrict ¶
IsRedirectURISecureStrict is stricter than IsRedirectURISecure and it does not allow custom-scheme URLs because they can be hijacked for native apps. Use claimed HTTPS redirects instead. See discussion in
func IsValidRedirectURI ¶
IsValidRedirectURI validates a redirect_uri as specified in:
- The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3.
- The endpoint URI MUST NOT include a fragment component.
- absolute-URI = scheme ":" hier-part [ "?" query ]
func JKWKSFetcherWithDefaultTTL ¶
func JKWKSFetcherWithDefaultTTL(ttl time.Duration) func(*DefaultJWKSFetcherStrategy)
JKWKSFetcherWithDefaultTTL sets the default TTL for the cache.
func JWKSFetcherWithCache ¶
func JWKSFetcherWithCache(cache *ristretto.Cache) func(*DefaultJWKSFetcherStrategy)
JWKSFetcherWithCache sets the cache to use.
func JWKSFetcherWithHTTPClient ¶
func JWKSFetcherWithHTTPClient(client *retryablehttp.Client) func(*DefaultJWKSFetcherStrategy)
JWKSFetcherWithHTTPClient sets the HTTP client to use.
func JWKSFetcherWithHTTPClientSource ¶
func JWKSFetcherWithHTTPClientSource(clientSourceFunc func(ctx context.Context) *retryablehttp.Client) func(*DefaultJWKSFetcherStrategy)
JWKSFetcherWithHTTPClientSource sets the HTTP client source function to use.
func MatchRedirectURIWithClientRedirectURIs ¶
MatchRedirectURIWithClientRedirectURIs if the given uri is a registered redirect uri. Does not perform uri validation.
Considered specifications If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.
When a redirection URI is included in an authorization request, the authorization server MUST compare and match the value received against at least one of the registered redirection URIs (or URI components) as defined in [RFC3986] Section 6, if any redirection URIs were registered. If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1.
- The authorization server may also enforce the usage and validation of pre-registered redirect URIs (see Section This will allow for early recognition of authorization "code" disclosure to counterfeit clients.
- The attacker will need to use another redirect URI for its authorization process rather than the target web site because it needs to intercept the flow. So, if the authorization server associates the authorization "code" with the redirect URI of a particular end-user authorization and validates this redirect URI with the redirect URI passed to the token's endpoint, such an attack is detected (see Section
func NewContext ¶
func NewDefaultJWKSFetcherStrategy ¶
func NewDefaultJWKSFetcherStrategy(opts ...func(*DefaultJWKSFetcherStrategy)) jwt.JWKSFetcherStrategy
NewDefaultJWKSFetcherStrategy returns a new instance of the DefaultJWKSFetcherStrategy.
func RemoveEmpty ¶
func StringInSlice ¶
StringInSlice returns true if needle exists in haystack
func StringInSliceFold ¶
StringInSliceFold returns true if needle exists in haystack (case-insensitive).
func WildcardScopeStrategy ¶
Types
type AccessRequest ¶
type AccessRequest struct { GrantTypes Arguments `json:"grantTypes" gorethink:"grantTypes"` HandledGrantType Arguments `json:"handledGrantType" gorethink:"handledGrantType"` Request }
func NewAccessRequest ¶
func NewAccessRequest(session Session) *AccessRequest
func (*AccessRequest) GetGrantTypes ¶
func (a *AccessRequest) GetGrantTypes() Arguments
func (*AccessRequest) SanitizeRestoreRefreshTokenOriginalRequester ¶
func (a *AccessRequest) SanitizeRestoreRefreshTokenOriginalRequester(requester Requester) Requester
func (*AccessRequest) SetGrantedScopes ¶
func (a *AccessRequest) SetGrantedScopes(scopes Arguments)
type AccessRequester ¶
type AccessRequester interface { // GetGrantTypes returns the requests grant type. GetGrantTypes() (grantTypes Arguments) Requester }
AccessRequester is a token endpoint's request context.
type AccessResponder ¶
type AccessResponder interface { // SetExtra sets a key value pair for the access response. SetExtra(key string, value any) // GetExtra returns a key's value. GetExtra(key string) (extra any) SetExpiresIn(time.Duration) SetScopes(scopes Arguments) // SetAccessToken sets the responses mandatory access token. SetAccessToken(token string) // SetTokenType set's the responses mandatory token type SetTokenType(tokenType string) // GetAccessToken returns the responses access token. GetAccessToken() (token string) // GetTokenType returns the responses token type. GetTokenType() (token string) // ToMap converts the response to a map. ToMap() (values map[string]any) }
AccessResponder is a token endpoint's response.
type AccessResponse ¶
func NewAccessResponse ¶
func NewAccessResponse() *AccessResponse
func (*AccessResponse) GetAccessToken ¶
func (a *AccessResponse) GetAccessToken() string
func (*AccessResponse) GetExtra ¶
func (a *AccessResponse) GetExtra(key string) any
func (*AccessResponse) GetTokenType ¶
func (a *AccessResponse) GetTokenType() string
func (*AccessResponse) SetAccessToken ¶
func (a *AccessResponse) SetAccessToken(token string)
func (*AccessResponse) SetExpiresIn ¶
func (a *AccessResponse) SetExpiresIn(expiresIn time.Duration)
func (*AccessResponse) SetExtra ¶
func (a *AccessResponse) SetExtra(key string, value any)
func (*AccessResponse) SetScopes ¶
func (a *AccessResponse) SetScopes(scopes Arguments)
func (*AccessResponse) SetTokenType ¶
func (a *AccessResponse) SetTokenType(name string)
func (*AccessResponse) ToMap ¶
func (a *AccessResponse) ToMap() map[string]any
type AccessTokenIssuerProvider ¶
type AccessTokenIssuerProvider interface { // GetAccessTokenIssuer returns the access token issuer. GetAccessTokenIssuer(ctx context.Context) (issuer string) }
AccessTokenIssuerProvider returns the provider for configuring the JWT issuer.
type AccessTokenLifespanProvider ¶
type AccessTokenLifespanProvider interface { // GetAccessTokenLifespan returns the access token lifespan. GetAccessTokenLifespan(ctx context.Context) time.Duration }
AccessTokenLifespanProvider returns the provider for configuring the access token lifespan.
type AllowedJWTAssertionAudiencesProvider ¶ added in v0.1.17
type AllowedJWTAssertionAudiencesProvider interface { // GetAllowedJWTAssertionAudiences returns the permitted audience list for JWT Assertions. GetAllowedJWTAssertionAudiences(ctx context.Context) (audiences []string) }
AllowedJWTAssertionAudiencesProvider is a provider used in contexts where the permitted audiences for a JWT assertion is required to validate a request.
type AllowedPromptsProvider ¶
type AllowedPromptsProvider interface { // GetAllowedPrompts returns the allowed prompts. GetAllowedPrompts(ctx context.Context) (prompts []string) }
AllowedPromptsProvider returns the provider for configuring the allowed prompts.
type Arguments ¶
type Arguments []string
func (Arguments) ExactOne ¶
ExactOne checks, by string case, that a single argument equals the provided string.
func (Arguments) Has ¶
Has checks, in a case-sensitive manner, that all of the items provided exists in arguments.
func (Arguments) HasFold ¶
HasFold checks, in a case-insensitive manner, that all of the items provided exists in arguments.
func (Arguments) HasOneOf ¶
HasOneOf checks, in a case-sensitive manner, that one of the items provided exists in arguments.
func (Arguments) HasOneOfFold ¶
HasOneOfFold checks, in a case-sensitive manner, that one of the items provided exists in arguments.
func (Arguments) Matches ¶
Matches performs an case-sensitive, out-of-order check that the items provided exist and equal all of the args in arguments.
func (Arguments) MatchesExact ¶
MatchesExact checks, by order and string case, that the items provided equal those in arguments.
func (Arguments) MatchesFold ¶
MatchesFold performs an case-insensitive, out-of-order check that the items provided exist and equal all of the args in arguments. Note:
- Providing a list that includes duplicate string-case items will return not matched.
type AudienceStrategyProvider ¶
type AudienceStrategyProvider interface { // GetAudienceStrategy returns the audience strategy. GetAudienceStrategy(ctx context.Context) AudienceMatchingStrategy }
AudienceStrategyProvider returns the provider for configuring the audience strategy.
type AuthenticationMethodClient ¶ added in v0.1.11
type AuthenticationMethodClient interface { // GetTokenEndpointAuthMethod is equivalent to the 'token_endpoint_auth_method' client metadata value which // determines the requested Client Authentication method for the Token Endpoint. The options are client_secret_post, // client_secret_basic, client_secret_jwt, private_key_jwt, and none. GetTokenEndpointAuthMethod() (method string) // GetTokenEndpointAuthSigningAlg is equivalent to the 'token_endpoint_auth_signing_alg' client metadata value which // determines the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the // Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. GetTokenEndpointAuthSigningAlg() (alg string) // GetIntrospectionEndpointAuthMethod is equivalent to the 'introspection_endpoint_auth_method' client metadata // value which determines the Client Authentication method for the Introspection Endpoint. The options are // client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt. GetIntrospectionEndpointAuthMethod() (method string) // GetIntrospectionEndpointAuthSigningAlg is equivalent to the 'introspection_endpoint_auth_signing_alg' client // metadata value which determines the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] // used to authenticate the Client at the Introspection Endpoint for the private_key_jwt and client_secret_jwt // authentication methods. GetIntrospectionEndpointAuthSigningAlg() (alg string) // GetRevocationEndpointAuthMethod is equivalent to the 'revocation_endpoint_auth_method' client metadata value // which determines the Client Authentication method for the Revocation Endpoint. The options are // client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt. GetRevocationEndpointAuthMethod() (method string) // GetRevocationEndpointAuthSigningAlg is equivalent to the 'revocation_endpoint_auth_signing_alg' client metadata // value which determines the JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to // authenticate the Client at the Revocation Endpoint for the private_key_jwt and client_secret_jwt authentication // methods. GetRevocationEndpointAuthSigningAlg() (alg string) // GetPushedAuthorizationRequestEndpointAuthMethod is equivalent to the // 'pushed_authorize_request_endpoint_auth_method' client metadata value which determines the requested Client // Authentication method for the Pushed Authorization Request Endpoint. The options are client_secret_post, // client_secret_basic, client_secret_jwt, and private_key_jwt. GetPushedAuthorizationRequestEndpointAuthMethod() (method string) // GetPushedAuthorizationRequestEndpointAuthSigningAlg is equivalent to the // 'pushed_authorization_request_endpoint_auth_signing_alg' client metadata value which determines the JWS [JWS] alg // algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the // Client at the Pushed Authorization Request Endpoint for the private_key_jwt and client_secret_jwt authentication // methods. GetPushedAuthorizationRequestEndpointAuthSigningAlg() (alg string) JSONWebKeysClient }
AuthenticationMethodClient represents a client which has specific authentication methods.
type AuthorizationServerIssuerIdentificationProvider ¶
type AuthorizationServerIssuerIdentificationProvider interface {
GetAuthorizationServerIdentificationIssuer(ctx context.Context) (issuer string)
AuthorizationServerIssuerIdentificationProvider provides OAuth 2.0 Authorization Server Issuer Identification related methods.
type AuthorizeCodeLifespanProvider ¶
type AuthorizeCodeLifespanProvider interface { // GetAuthorizeCodeLifespan returns the authorization code lifespan. GetAuthorizeCodeLifespan(ctx context.Context) time.Duration }
AuthorizeCodeLifespanProvider returns the provider for configuring the authorization code lifespan.
type AuthorizeEndpointHandler ¶
type AuthorizeEndpointHandler interface { // HandleAuthorizeEndpointRequest handles an authorize endpoint request. To extend the handler's capabilities, the http request // is passed along, if further information retrieval is required. If the handler feels that he is not responsible for // the authorize request, he must return nil and NOT modify session nor responder neither requester. // // The following spec is a good example of what HandleAuthorizeRequest should do. // * // response_type REQUIRED. // The value MUST be one of "code" for requesting an // authorization code as described by Section 4.1.1, "token" for // requesting an access token (implicit grant) as described by // Section 4.2.1, or a registered extension value as described by Section 8.4. HandleAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder AuthorizeResponder) error }
type AuthorizeEndpointHandlers ¶
type AuthorizeEndpointHandlers []AuthorizeEndpointHandler
AuthorizeEndpointHandlers is a list of AuthorizeEndpointHandler
func (*AuthorizeEndpointHandlers) Append ¶
func (a *AuthorizeEndpointHandlers) Append(h AuthorizeEndpointHandler)
Append adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type AuthorizeEndpointHandlersProvider ¶
type AuthorizeEndpointHandlersProvider interface { // GetAuthorizeEndpointHandlers returns the authorize endpoint handlers. GetAuthorizeEndpointHandlers(ctx context.Context) (handlers AuthorizeEndpointHandlers) }
AuthorizeEndpointHandlersProvider returns the provider for configuring the authorize endpoint handlers.
type AuthorizeRequest ¶
type AuthorizeRequest struct { ResponseTypes Arguments `json:"responseTypes" gorethink:"responseTypes"` RedirectURI *url.URL `json:"redirectUri" gorethink:"redirectUri"` State string `json:"state" gorethink:"state"` HandledResponseTypes Arguments `json:"handledResponseTypes" gorethink:"handledResponseTypes"` ResponseMode ResponseModeType `json:"ResponseModes" gorethink:"ResponseModes"` DefaultResponseMode ResponseModeType `json:"DefaultResponseMode" gorethink:"DefaultResponseMode"` Request }
AuthorizeRequest is an implementation of AuthorizeRequester
func NewAuthorizeRequest ¶
func NewAuthorizeRequest() *AuthorizeRequest
func (*AuthorizeRequest) DidHandleAllResponseTypes ¶
func (d *AuthorizeRequest) DidHandleAllResponseTypes() bool
func (*AuthorizeRequest) GetDefaultResponseMode ¶
func (d *AuthorizeRequest) GetDefaultResponseMode() ResponseModeType
func (*AuthorizeRequest) GetRedirectURI ¶
func (d *AuthorizeRequest) GetRedirectURI() *url.URL
func (*AuthorizeRequest) GetResponseMode ¶
func (d *AuthorizeRequest) GetResponseMode() ResponseModeType
func (*AuthorizeRequest) GetResponseTypes ¶
func (d *AuthorizeRequest) GetResponseTypes() Arguments
func (*AuthorizeRequest) GetState ¶
func (d *AuthorizeRequest) GetState() string
func (*AuthorizeRequest) IsRedirectURIValid ¶
func (d *AuthorizeRequest) IsRedirectURIValid() bool
func (*AuthorizeRequest) SetDefaultResponseMode ¶
func (d *AuthorizeRequest) SetDefaultResponseMode(defaultResponseMode ResponseModeType)
func (*AuthorizeRequest) SetResponseTypeHandled ¶
func (d *AuthorizeRequest) SetResponseTypeHandled(name string)
type AuthorizeRequester ¶
type AuthorizeRequester interface { // GetResponseTypes returns the requested response types GetResponseTypes() (responseTypes Arguments) // SetResponseTypeHandled marks a response_type (e.g. token or code) as handled indicating that the response type // is supported. SetResponseTypeHandled(responseType string) // DidHandleAllResponseTypes returns if all requested response types have been handled correctly DidHandleAllResponseTypes() (didHandle bool) // GetRedirectURI returns the requested redirect URI GetRedirectURI() (redirectURL *url.URL) // IsRedirectURIValid returns false if the redirect is not rfc-conform (i.e. missing client, not on white list, // or malformed) IsRedirectURIValid() (isValid bool) // GetState returns the request's state. GetState() (state string) // GetResponseMode returns response_mode of the authorization request GetResponseMode() (responseMode ResponseModeType) // SetDefaultResponseMode sets default response mode for a response type in a flow SetDefaultResponseMode(responseMode ResponseModeType) // GetDefaultResponseMode gets default response mode for a response type in a flow GetDefaultResponseMode() (responseMode ResponseModeType) Requester }
AuthorizeRequester is an authorize endpoint's request context.
type AuthorizeResponder ¶
type AuthorizeResponder interface { // GetCode returns the response's authorize code if set. GetCode() (code string) // GetHeader returns the response's header GetHeader() (header http.Header) // AddHeader adds a header key value pair to the response AddHeader(key, value string) // GetParameters returns the response's parameters GetParameters() (query url.Values) // AddParameter adds key value pair to the response AddParameter(key, value string) }
AuthorizeResponder is an authorization endpoint's response.
type AuthorizeResponse ¶
type AuthorizeResponse struct { Header http.Header Parameters url.Values // contains filtered or unexported fields }
AuthorizeResponse is an implementation of AuthorizeResponder
func NewAuthorizeResponse ¶
func NewAuthorizeResponse() *AuthorizeResponse
func (*AuthorizeResponse) AddHeader ¶
func (a *AuthorizeResponse) AddHeader(key, value string)
func (*AuthorizeResponse) AddParameter ¶
func (a *AuthorizeResponse) AddParameter(key, value string)
func (*AuthorizeResponse) GetCode ¶
func (a *AuthorizeResponse) GetCode() string
func (*AuthorizeResponse) GetHeader ¶
func (a *AuthorizeResponse) GetHeader() http.Header
func (*AuthorizeResponse) GetParameters ¶
func (a *AuthorizeResponse) GetParameters() url.Values
type BCryptClientSecret ¶
type BCryptClientSecret struct {
// contains filtered or unexported fields
func NewBCryptClientSecret ¶
func NewBCryptClientSecret(hash string) *BCryptClientSecret
NewBCryptClientSecret returns a new BCryptClientSecret given a hash.
func NewBCryptClientSecretPlain ¶
func NewBCryptClientSecretPlain(rawSecret string, cost int) (secret *BCryptClientSecret, err error)
NewBCryptClientSecretPlain returns a new BCryptClientSecret given a plaintext secret.
func (*BCryptClientSecret) Compare ¶
func (s *BCryptClientSecret) Compare(ctx context.Context, secret []byte) (err error)
func (*BCryptClientSecret) GetPlainTextValue ¶
func (s *BCryptClientSecret) GetPlainTextValue() (secret []byte, err error)
func (*BCryptClientSecret) IsPlainText ¶
func (s *BCryptClientSecret) IsPlainText() (is bool)
func (*BCryptClientSecret) Valid ¶ added in v0.1.10
func (s *BCryptClientSecret) Valid() (valid bool)
type Client ¶
type Client interface { // GetID returns the client ID. GetID() (id string) // GetClientSecret returns the ClientSecret. GetClientSecret() (secret ClientSecret) // GetClientSecretPlainText returns the ClientSecret as plaintext if available. The semantics of this function // return values are important. // If the client is not configured with a secret the return should be: // - secret with value nil, ok with value false, and err with value of nil // If the client is configured with a secret but is hashed or otherwise not a plaintext value: // - secret with value nil, ok with value true, and err with value of nil // If an error occurs retrieving the secret other than this: // - secret with value nil, ok with value true, and err with value of the error // If the plaintext secret is successful: // - secret with value of the bytes of the plaintext secret, ok with value true, and err with value of nil GetClientSecretPlainText() (secret []byte, ok bool, err error) // GetRedirectURIs returns the client's allowed redirect URIs. GetRedirectURIs() []string // GetGrantTypes returns the client's allowed grant types. GetGrantTypes() (types Arguments) // GetResponseTypes returns the client's allowed response types. // All allowed combinations of response types have to be listed, each combination having // response types of the combination separated by a space. GetResponseTypes() (types Arguments) // GetScopes returns the scopes this client is allowed to request. GetScopes() (scopes Arguments) // IsPublic returns true, if this client is marked as public. IsPublic() (public bool) // GetAudience returns the allowed audience(s) for this client. GetAudience() (audience Arguments) }
Client represents a client or an app.
type ClientAssertion ¶ added in v0.1.3
type ClientAssertion struct {
Assertion, Type string
Parsed bool
ID, Method, Algorithm string
Client Client
ClientAssertion represents a client assertion.
func NewClientAssertion ¶ added in v0.1.3
func NewClientAssertion(ctx context.Context, strategy jwt.Strategy, store ClientManager, assertion, assertionType string, handler EndpointClientAuthHandler) (a *ClientAssertion, err error)
NewClientAssertion converts a raw assertion string into a *ClientAssertion.
type ClientAuthenticationPolicyClient ¶
type ClientAuthenticationPolicyClient interface { // GetAllowMultipleAuthenticationMethods should return true if the client policy allows multiple authentication // methods due to the client implementation breaching RFC6749 Section 2.3. // // See: GetAllowMultipleAuthenticationMethods() (allow bool) Client }
ClientAuthenticationPolicyClient is a Client implementation which also provides client authentication policy values.
type ClientAuthenticationStrategy ¶
type ClientAuthenticationStrategy interface {
AuthenticateClient(ctx context.Context, r *http.Request, form url.Values, handler EndpointClientAuthHandler) (client Client, method string, err error)
ClientAuthenticationStrategy describes a client authentication strategy implementation.
type ClientAuthenticationStrategyProvider ¶
type ClientAuthenticationStrategyProvider interface { // GetClientAuthenticationStrategy returns the client authentication strategy. GetClientAuthenticationStrategy(ctx context.Context) (strategy ClientAuthenticationStrategy) }
ClientAuthenticationStrategyProvider returns the provider for configuring the client authentication strategy.
type ClientCredentialsFlowRequestedScopeImplicitClient ¶
type ClientCredentialsFlowRequestedScopeImplicitClient interface { // GetClientCredentialsFlowRequestedScopeImplicit is indicative of if a client will implicitly request all scopes it // is allowed to request in the absence of requested scopes during the Client Credentials Flow. GetClientCredentialsFlowRequestedScopeImplicit() (implicit bool) Client }
ClientCredentialsFlowRequestedScopeImplicitClient is a client which can allow implicit scopes in the client credentials flow.
type ClientCredentialsImplicitProvider ¶
type ClientCredentialsImplicitProvider interface { // GetClientCredentialsFlowImplicitGrantRequested returns true if the PopulateTokenEndpointResponse portion of the // oauth2.ClientCredentialsGrantHandler should implicitly grant all requested and validated scopes and audiences. GetClientCredentialsFlowImplicitGrantRequested(ctx context.Context) (implicit bool) }
ClientCredentialsImplicitProvider describes the provider of the Client Credentials Flow Implicit actions.
type ClientLifespanConfig ¶
type ClientLifespanConfig struct { AuthorizationCodeGrantAccessTokenLifespan *time.Duration `json:"authorization_code_grant_access_token_lifespan"` AuthorizationCodeGrantIDTokenLifespan *time.Duration `json:"authorization_code_grant_id_token_lifespan"` AuthorizationCodeGrantRefreshTokenLifespan *time.Duration `json:"authorization_code_grant_refresh_token_lifespan"` ClientCredentialsGrantAccessTokenLifespan *time.Duration `json:"client_credentials_grant_access_token_lifespan"` ImplicitGrantAccessTokenLifespan *time.Duration `json:"implicit_grant_access_token_lifespan"` ImplicitGrantIDTokenLifespan *time.Duration `json:"implicit_grant_id_token_lifespan"` JwtBearerGrantAccessTokenLifespan *time.Duration `json:"jwt_bearer_grant_access_token_lifespan"` PasswordGrantAccessTokenLifespan *time.Duration `json:"password_grant_access_token_lifespan"` PasswordGrantRefreshTokenLifespan *time.Duration `json:"password_grant_refresh_token_lifespan"` RefreshTokenGrantIDTokenLifespan *time.Duration `json:"refresh_token_grant_id_token_lifespan"` RefreshTokenGrantAccessTokenLifespan *time.Duration `json:"refresh_token_grant_access_token_lifespan"` RefreshTokenGrantRefreshTokenLifespan *time.Duration `json:"refresh_token_grant_refresh_token_lifespan"` }
ClientLifespanConfig holds default lifespan configuration for the different token types that may be issued for the client. This configuration takes precedence over instance-wide default lifespan, but it may be overridden by a session's expires_at claim.
The OIDC Hybrid grant type inherits token lifespan configuration from the implicit grant.
type ClientManager ¶
type ClientManager interface { // GetClient loads the client by its ID or returns an error // if the client does not exist or another error occurred. GetClient(ctx context.Context, id string) (Client, error) // ClientAssertionJWTValid returns an error if the JTI is // known or the DB check failed and nil if the JTI is not known. ClientAssertionJWTValid(ctx context.Context, jti string) error // SetClientAssertionJWT marks a JTI as known for the given // expiry time. Before inserting the new JTI, it will clean // up any existing JTIs that have expired as those tokens can // not be replayed due to the expiry. SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error }
ClientManager defines the (persistent) manager interface for clients.
type ClientSecret ¶
type ClientSecret interface { // Compare is the primary function of the interface which is used to compare this ClientSecret to the form input. // This function SHOULD return nil if the secret input matches the expected value, otherwise it should return an // error. Compare(ctx context.Context, secret []byte) (err error) // IsPlainText is a utility function to determine if this secret is in a plaintext format making it usable for the // client_secret_jwt authentication method. IsPlainText() (is bool) // GetPlainTextValue is a utility function to return the secret in the plaintext format making it usable for the // client_secret_jwt authentication method. If the client secret doesn't have a value that is plaintext it should // return oauth2.ErrClientSecretNotPlainText for the sake of deterministic error values. GetPlainTextValue() (secret []byte, err error) // Valid should return false if the secret is nil or otherwise invalid. Valid() (valid bool) }
ClientSecret is a service interface for client secret comparisons and functionality.
type Config ¶
type Config struct { // AccessTokenLifespan sets how long an access token is going to be valid. Defaults to one hour. AccessTokenLifespan time.Duration // VerifiableCredentialsNonceLifespan sets how long a verifiable credentials nonce is going to be valid. Defaults to one hour. VerifiableCredentialsNonceLifespan time.Duration // RefreshTokenLifespan sets how long a refresh token is going to be valid. Defaults to 30 days. Set to -1 for // refresh tokens that never expire. RefreshTokenLifespan time.Duration // AuthorizeCodeLifespan sets how long an authorize code is going to be valid. Defaults to fifteen minutes. AuthorizeCodeLifespan time.Duration // IDTokenLifespan sets the default id token lifetime. Defaults to one hour. IDTokenLifespan time.Duration // Sets how long a device user/device code pair is valid for RFC8628CodeLifespan time.Duration // IDTokenIssuer sets the default issuer of the ID Token. IDTokenIssuer string // AccessTokenIssuer is the issuer to be used when generating access tokens. AccessTokenIssuer string // AuthorizationServerIdentificationIssuer string sets the issuer identifier for authorization responses (RFC9207). AuthorizationServerIdentificationIssuer string // IntrospectionIssuer is the issuer to be used when generating signed introspection responses. IntrospectionIssuer string // IntrospectionJWTResponseStrategy is the signer for Introspection Responses. Has no default. IntrospectionJWTResponseStrategy jwt.Strategy // HashCost sets the cost of the password hashing cost. Defaults to 12. HashCost int // DisableRefreshTokenValidation sets the introspection endpoint to disable refresh token validation. DisableRefreshTokenValidation bool // SendDebugMessagesToClients if set to true, includes error debug messages in response payloads. Be aware that sensitive // data may be exposed, depending on your implementation of Fosite. Such sensitive data might include database error // codes or other information. Proceed with caution! SendDebugMessagesToClients bool // RevokeRefreshTokensExplicit determines if Refresh Tokens should only be revoked explicitly. RevokeRefreshTokensExplicit bool // EnforceRevokeFlowRevokeRefreshTokensExplicitClient determines if a RevokeFlowRevokeRefreshTokensExplicitClient // should be prioritized even if it returns false. EnforceRevokeFlowRevokeRefreshTokensExplicitClient bool // ScopeStrategy sets the scope strategy that should be supported, for example oauth2.WildcardScopeStrategy. ScopeStrategy ScopeStrategy // AudienceMatchingStrategy sets the audience matching strategy that should be supported, defaults to oauth2.DefaultsAudienceMatchingStrategy. AudienceMatchingStrategy AudienceMatchingStrategy ClientCredentialsFlowImplicitGrantRequested bool // EnforcePKCE, if set to true, requires clients to perform authorize code flows with PKCE. Defaults to false. EnforcePKCE bool // EnforcePKCEForPublicClients requires only public clients to use PKCE with the authorize code flow. Defaults to false. EnforcePKCEForPublicClients bool // EnablePKCEPlainChallengeMethod sets whether or not to allow the plain challenge method (S256 should be used whenever possible, plain is really discouraged). Defaults to false. EnablePKCEPlainChallengeMethod bool // AllowedPromptValues sets which OpenID Connect prompt values the server supports. Defaults to []string{"login", "none", "consent", "select_account"}. AllowedPromptValues []string // AllowedJWTAssertionAudiences is a list of permitted client assertion audiences. If the authorization server is // intended to be compatible with the client_secret_jwt or private_key_jwt client authentication methods // (see, this value MUST be set. AllowedJWTAssertionAudiences []string // JWKSFetcherStrategy is responsible for fetching JSON Web Keys from remote URLs. This is required when the private_key_jwt // client authentication method is used. Defaults to oauth2.DefaultJWKSFetcherStrategy. JWKSFetcherStrategy jwt.JWKSFetcherStrategy // TokenEntropy indicates the entropy of the random string, used as the "message" part of the HMAC token. // Defaults to 32. TokenEntropy int // RFC8628UserVerificationURL is the URL of the device verification endpoint, this is is included with the device code request responses RFC8628UserVerificationURL string // RFC8628TokenPollingInterval sets the interval that clients should check for device code grants RFC8628TokenPollingInterval time.Duration // RedirectSecureChecker is a function that returns true if the provided URL can be securely used as a redirect URL. RedirectSecureChecker func(context.Context, *url.URL) bool // RefreshTokenScopes defines which OAuth scopes will be given refresh tokens during the authorization code grant exchange. This defaults to "offline" and "offline_access". When set to an empty array, all exchanges will be given refresh tokens. RefreshTokenScopes []string // MinParameterEntropy controls the minimum size of state and nonce parameters. Defaults to oauth2.MinParameterEntropy. MinParameterEntropy int // UseLegacyErrorFormat controls whether the legacy error format (with `error_debug`, `error_hint`, ...) // should be used or not. UseLegacyErrorFormat bool // GrantTypeJWTBearerCanSkipClientAuth indicates, if client authentication can be skipped, when using jwt as assertion. GrantTypeJWTBearerCanSkipClientAuth bool // GrantTypeJWTBearerIDOptional indicates, if jti (JWT ID) claim required or not in JWT. GrantTypeJWTBearerIDOptional bool // GrantTypeJWTBearerIssuedDateOptional indicates, if "iat" (issued at) claim required or not in JWT. GrantTypeJWTBearerIssuedDateOptional bool // GrantTypeJWTBearerMaxDuration sets the maximum time after JWT issued date, during which the JWT is considered valid. GrantTypeJWTBearerMaxDuration time.Duration // ClientAuthenticationStrategy indicates the Strategy to authenticate client requests ClientAuthenticationStrategy ClientAuthenticationStrategy // ResponseModeHandlers provides the handlers for performing response mode formatting. ResponseModeHandlers ResponseModeHandlers // ResponseModeParameterHandlers provides handlers for injecting additional parameters into the authorize responses. ResponseModeParameterHandlers ResponseModeParameterHandlers // MessageCatalog is the message bundle used for i18n MessageCatalog i18n.MessageCatalog // FormPostHTMLTemplate sets html template for rendering the authorization response when the request has response_mode=form_post. FormPostHTMLTemplate *template.Template // FormPostResponseWriter is the FormPostResponseWriter used for writing the form post response. Useful for // overwriting the behaviour of this element. FormPostResponseWriter FormPostResponseWriter // OmitRedirectScopeParam indicates whether the "scope" parameter should be omitted from the redirect URL. OmitRedirectScopeParam bool // SanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values // are safe for storage in a database (cleartext). SanitationWhiteList []string // JWTScopeClaimKey defines the claim key to be used to set the scope in. Valid fields are "scope" or "scp" or both. JWTScopeClaimKey jwt.JWTScopeFieldEnum // JWTSecuredAuthorizeResponseModeIssuer sets the default issuer for the JWT Secured Authorization Response Mode. JWTSecuredAuthorizeResponseModeIssuer string // JWTSecuredAuthorizeResponseModeLifespan sets the default lifetime for the tokens issued in the // JWT Secured Authorization Response Mode. Defaults to 10 minutes. JWTSecuredAuthorizeResponseModeLifespan time.Duration // JWTSecuredAuthorizeResponseModeStrategy is the signer for JWT Secured Authorization Response Mode. Has no default. JWTSecuredAuthorizeResponseModeStrategy jwt.Strategy // JWTStrategy handles less specific jwt.Strategy cases. JWTStrategy jwt.Strategy // EnforceJWTProfileAccessTokens forces the issuer to return JWT Profile Access Tokens to all clients. EnforceJWTProfileAccessTokens bool // HTTPClient is the HTTP client to use for requests. HTTPClient *retryablehttp.Client // AuthorizeEndpointHandlers is a list of handlers that are called before the authorization endpoint is served. AuthorizeEndpointHandlers AuthorizeEndpointHandlers // TokenEndpointHandlers is a list of handlers that are called before the token endpoint is served. TokenEndpointHandlers TokenEndpointHandlers // TokenIntrospectionHandlers is a list of handlers that are called before the token introspection endpoint is served. TokenIntrospectionHandlers TokenIntrospectionHandlers // RevocationHandlers is a list of handlers that are called before the revocation endpoint is served. RevocationHandlers RevocationHandlers // PushedAuthorizeEndpointHandlers is a list of handlers that are called before the PAR endpoint is served. PushedAuthorizeEndpointHandlers PushedAuthorizeEndpointHandlers // RFC8628DeviceAuthorizeEndpointHandlers is a list of handlers that are called before the device authorization endpoint is served. RFC8628DeviceAuthorizeEndpointHandlers RFC8628DeviceAuthorizeEndpointHandlers // RFC8628UserAuthorizeEndpointHandlers is a list of handlers that are called before the device grant user interaction endpoint is served. RFC8628UserAuthorizeEndpointHandlers RFC8628UserAuthorizeEndpointHandlers // GlobalSecret is the global secret used to sign and verify signatures. GlobalSecret []byte // RotatedGlobalSecrets is a list of global secrets that are used to verify signatures. RotatedGlobalSecrets [][]byte // HMACHasher is the hasher used to generate HMAC signatures. HMACHasher func() hash.Hash // PushedAuthorizeRequestURIPrefix is the URI prefix for the PAR request_uri. // This is defaulted to 'urn:ietf:params:oauth:request_uri:'. PushedAuthorizeRequestURIPrefix string // PushedAuthorizeContextLifespan is the lifespan of the PAR context PushedAuthorizeContextLifespan time.Duration // RequirePushedAuthorizationRequests requires pushed authorization request for /authorize RequirePushedAuthorizationRequests bool RFC8693TokenTypes map[string]RFC8693TokenType DefaultRequestedTokenType string }
func (*Config) GetAccessTokenIssuer ¶
func (*Config) GetAccessTokenLifespan ¶
GetAccessTokenLifespan returns how long an access token should be valid. Defaults to one hour.
func (*Config) GetAllowedJWTAssertionAudiences ¶ added in v0.1.17
func (*Config) GetAudienceStrategy ¶
func (c *Config) GetAudienceStrategy(_ context.Context) AudienceMatchingStrategy
GetAudienceStrategy returns the scope strategy to be used. Defaults to glob scope strategy.
func (*Config) GetAuthorizationServerIdentificationIssuer ¶
func (*Config) GetAuthorizeCodeLifespan ¶
GetAuthorizeCodeLifespan returns how long an authorize code should be valid. Defaults to one fifteen minutes.
func (*Config) GetAuthorizeEndpointHandlers ¶
func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) AuthorizeEndpointHandlers
func (*Config) GetBCryptCost ¶
GetBCryptCost returns the bcrypt cost factor. Defaults to 12.
func (*Config) GetClientAuthenticationStrategy ¶
func (c *Config) GetClientAuthenticationStrategy(_ context.Context) ClientAuthenticationStrategy
GetClientAuthenticationStrategy returns the configured client authentication strategy. Defaults to nil. Note that on a nil strategy `oauth2.Fosite` fallbacks to its default client authentication strategy `oauth2.Fosite.DefaultClientAuthenticationStrategy`
func (*Config) GetClientCredentialsFlowImplicitGrantRequested ¶
func (*Config) GetDefaultRFC8693RequestedTokenType ¶
func (*Config) GetDisableRefreshTokenValidation ¶
GetDisableRefreshTokenValidation returns whether to disable the validation of the refresh token.
func (*Config) GetEnablePKCEPlainChallengeMethod ¶
GetEnablePKCEPlainChallengeMethod returns whether or not to allow the plain challenge method (S256 should be used whenever possible, plain is really discouraged).
func (*Config) GetEnforceJWTProfileAccessTokens ¶
func (*Config) GetEnforcePKCE ¶
GetEnforcePKCE If set to true, public clients must use PKCE.
func (*Config) GetEnforcePKCEForPublicClients ¶
GetEnforcePKCEForPublicClients returns the value of EnforcePKCEForPublicClients.
func (*Config) GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient ¶
func (*Config) GetFormPostHTMLTemplate ¶
func (*Config) GetFormPostResponseWriter ¶
func (c *Config) GetFormPostResponseWriter(ctx context.Context) FormPostResponseWriter
func (*Config) GetGlobalSecret ¶
func (*Config) GetGrantTypeJWTBearerCanSkipClientAuth ¶
GetGrantTypeJWTBearerCanSkipClientAuth returns the GrantTypeJWTBearerCanSkipClientAuth field.
func (*Config) GetGrantTypeJWTBearerIDOptional ¶
GetGrantTypeJWTBearerIDOptional returns the GrantTypeJWTBearerIDOptional field.
func (*Config) GetGrantTypeJWTBearerIssuedDateOptional ¶
GetGrantTypeJWTBearerIssuedDateOptional returns the GrantTypeJWTBearerIssuedDateOptional field.
func (*Config) GetHTTPClient ¶
func (*Config) GetIDTokenLifespan ¶
GetIDTokenLifespan returns how long an id token should be valid. Defaults to one hour.
func (*Config) GetIntrospectionIssuer ¶ added in v0.1.4
func (*Config) GetIntrospectionJWTResponseStrategy ¶ added in v0.2.0
func (*Config) GetJWKSFetcherStrategy ¶
func (c *Config) GetJWKSFetcherStrategy(_ context.Context) jwt.JWKSFetcherStrategy
GetJWKSFetcherStrategy returns the jwt.JWKSFetcherStrategy.
func (*Config) GetJWTMaxDuration ¶
GetJWTMaxDuration specified the maximum amount of allowed `exp` time for a JWT. It compares the time with the JWT's `exp` time if the JWT time is larger, will cause the JWT to be invalid.
Defaults to a day.
func (*Config) GetJWTScopeField ¶
func (c *Config) GetJWTScopeField(ctx context.Context) jwt.JWTScopeFieldEnum
func (*Config) GetJWTSecuredAuthorizeResponseModeIssuer ¶
func (*Config) GetJWTSecuredAuthorizeResponseModeLifespan ¶
GetJWTSecuredAuthorizeResponseModeLifespan returns how long a JWT issued by the JWT Secured Authorize Response Mode should be valid. Defaults to 10 minutes.
func (*Config) GetJWTSecuredAuthorizeResponseModeStrategy ¶ added in v0.2.0
func (*Config) GetJWTStrategy ¶ added in v0.2.0
func (*Config) GetMessageCatalog ¶
func (c *Config) GetMessageCatalog(ctx context.Context) i18n.MessageCatalog
func (*Config) GetMinParameterEntropy ¶
GetMinParameterEntropy returns MinParameterEntropy if set. Defaults to oauth2.MinParameterEntropy.
func (*Config) GetOmitRedirectScopeParam ¶
func (*Config) GetPushedAuthorizeContextLifespan ¶
GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.
func (*Config) GetPushedAuthorizeEndpointHandlers ¶
func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) PushedAuthorizeEndpointHandlers
GetPushedAuthorizeEndpointHandlers returns the handlers.
func (*Config) GetPushedAuthorizeRequestURIPrefix ¶
GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is usually 'urn:ietf:params:oauth:request_uri:'.
func (*Config) GetRFC8628CodeLifespan ¶
GetRFC8628CodeLifespan returns the device and user code lifespan.
func (*Config) GetRFC8628DeviceAuthorizeEndpointHandlers ¶
func (c *Config) GetRFC8628DeviceAuthorizeEndpointHandlers(_ context.Context) RFC8628DeviceAuthorizeEndpointHandlers
func (*Config) GetRFC8628TokenPollingInterval ¶
func (*Config) GetRFC8628UserAuthorizeEndpointHandlers ¶
func (c *Config) GetRFC8628UserAuthorizeEndpointHandlers(_ context.Context) RFC8628UserAuthorizeEndpointHandlers
func (*Config) GetRFC8628UserVerificationURL ¶
func (*Config) GetRFC8693TokenTypes ¶
func (c *Config) GetRFC8693TokenTypes(ctx context.Context) map[string]RFC8693TokenType
func (*Config) GetRedirectSecureChecker ¶
GetRedirectSecureChecker returns the checker to check if redirect URI is secure. Defaults to oauth2.IsRedirectURISecure.
func (*Config) GetRefreshTokenLifespan ¶
GetRefreshTokenLifespan sets how long a refresh token is going to be valid. Defaults to 30 days. Set to -1 for refresh tokens that never expire.
func (*Config) GetRefreshTokenScopes ¶
GetRefreshTokenScopes returns which scopes will provide refresh tokens.
func (*Config) GetRequirePushedAuthorizationRequests ¶
EnforcePushedAuthorize indicates if PAR is enforced. In this mode, a client cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint must contain the PAR request_uri.
func (*Config) GetResponseModeHandlers ¶
func (c *Config) GetResponseModeHandlers(ctx context.Context) ResponseModeHandlers
func (*Config) GetResponseModeParameterHandlers ¶ added in v0.1.3
func (c *Config) GetResponseModeParameterHandlers(ctx context.Context) ResponseModeParameterHandlers
func (*Config) GetRevocationHandlers ¶
func (c *Config) GetRevocationHandlers(ctx context.Context) RevocationHandlers
func (*Config) GetRevokeRefreshTokensExplicit ¶
func (*Config) GetRotatedGlobalSecrets ¶
func (*Config) GetSanitationWhiteList ¶
GetSanitationWhiteList returns a list of allowed form values that are required by the token endpoint. These values are safe for storage in a database (cleartext).
func (*Config) GetScopeStrategy ¶
func (c *Config) GetScopeStrategy(_ context.Context) ScopeStrategy
GetScopeStrategy returns the scope strategy to be used. Defaults to glob scope strategy.
func (*Config) GetSendDebugMessagesToClients ¶
func (*Config) GetTokenEndpointHandlers ¶
func (c *Config) GetTokenEndpointHandlers(ctx context.Context) TokenEndpointHandlers
func (*Config) GetTokenEntropy ¶
GetTokenEntropy returns the entropy of the "message" part of a HMAC Token. Defaults to 32.
func (*Config) GetTokenIntrospectionHandlers ¶
func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) TokenIntrospectionHandlers
func (*Config) GetUseLegacyErrorFormat ¶
type Configurator ¶
type Configurator interface { IDTokenIssuerProvider IDTokenLifespanProvider AuthorizationServerIssuerIdentificationProvider AllowedPromptsProvider EnforcePKCEProvider EnforcePKCEForPublicClientsProvider EnablePKCEPlainChallengeMethodProvider GrantTypeJWTBearerCanSkipClientAuthProvider GrantTypeJWTBearerIDOptionalProvider GrantTypeJWTBearerIssuedDateOptionalProvider GetJWTMaxDurationProvider ScopeStrategyProvider AudienceStrategyProvider ClientCredentialsImplicitProvider RedirectSecureCheckerProvider OmitRedirectScopeParamProvider SanitationAllowedProvider JWTScopeFieldProvider JWTSecuredAuthorizeResponseModeIssuerProvider JWTSecuredAuthorizeResponseModeStrategyProvider JWTSecuredAuthorizeResponseModeLifespanProvider JWTProfileAccessTokensProvider AccessTokenIssuerProvider DisableRefreshTokenValidationProvider RefreshTokenScopesProvider AccessTokenLifespanProvider RefreshTokenLifespanProvider VerifiableCredentialsNonceLifespanProvider AuthorizeCodeLifespanProvider TokenEntropyProvider RotatedGlobalSecretsProvider GlobalSecretProvider JWKSFetcherStrategyProvider HTTPClientProvider ScopeStrategyProvider AudienceStrategyProvider MinParameterEntropyProvider HMACHashingProvider ClientAuthenticationStrategyProvider ResponseModeHandlerProvider SendDebugMessagesToClientsProvider RevokeRefreshTokensExplicitlyProvider JWKSFetcherStrategyProvider ClientAuthenticationStrategyProvider MessageCatalogProvider FormPostHTMLTemplateProvider FormPostResponseProvider AllowedJWTAssertionAudiencesProvider AuthorizeEndpointHandlersProvider TokenEndpointHandlersProvider TokenIntrospectionHandlersProvider RevocationHandlersProvider PushedAuthorizeRequestHandlersProvider PushedAuthorizeRequestConfigProvider RFC8693ConfigProvider RFC8628DeviceAuthorizeEndpointHandlersProvider RFC8628UserAuthorizeEndpointHandlersProvider RFC9628DeviceAuthorizeConfigProvider IntrospectionIssuerProvider IntrospectionJWTResponseStrategyProvider JWTStrategyProvider UseLegacyErrorFormatProvider }
type ContextKey ¶
type ContextKey string
type CustomTokenLifespansClient ¶
type CustomTokenLifespansClient interface { // GetEffectiveLifespan either maps GrantType x TokenType to the client's configured lifespan, or returns the fallback value. GetEffectiveLifespan(gt GrantType, tt TokenType, fallback time.Duration) (lifespan time.Duration) Client }
CustomTokenLifespansClient is a Client with specific lifespans.
type DebugRFC6749Error ¶
type DebugRFC6749Error struct {
DebugRFC6749Error is a decorator type which makes the underlying *RFC6749Error expose debug information and show the full error description.
func (*DebugRFC6749Error) Error ¶
func (err *DebugRFC6749Error) Error() string
Error implements the builtin error interface and shows the error with its debug info and description.
type DefaultClient ¶
type DefaultClient struct { ID string `json:"id"` ClientSecret ClientSecret `json:"-"` RotatedClientSecrets []ClientSecret `json:"-"` RedirectURIs []string `json:"redirect_uris"` GrantTypes []string `json:"grant_types"` ResponseTypes []string `json:"response_types"` Scopes []string `json:"scopes"` Audience []string `json:"audience"` Public bool `json:"public"` }
DefaultClient is a simple default implementation of the Client interface.
func (*DefaultClient) GetAudience ¶
func (c *DefaultClient) GetAudience() Arguments
func (*DefaultClient) GetClientSecret ¶
func (c *DefaultClient) GetClientSecret() (secret ClientSecret)
func (*DefaultClient) GetClientSecretPlainText ¶ added in v0.2.0
func (c *DefaultClient) GetClientSecretPlainText() (secret []byte, ok bool, err error)
func (*DefaultClient) GetGrantTypes ¶
func (c *DefaultClient) GetGrantTypes() Arguments
func (*DefaultClient) GetID ¶
func (c *DefaultClient) GetID() string
func (*DefaultClient) GetRedirectURIs ¶
func (c *DefaultClient) GetRedirectURIs() []string
func (*DefaultClient) GetResponseTypes ¶
func (c *DefaultClient) GetResponseTypes() Arguments
func (*DefaultClient) GetRotatedClientSecrets ¶
func (c *DefaultClient) GetRotatedClientSecrets() (secrets []ClientSecret)
func (*DefaultClient) GetScopes ¶
func (c *DefaultClient) GetScopes() Arguments
func (*DefaultClient) IsPublic ¶
func (c *DefaultClient) IsPublic() bool
type DefaultClientAuthenticationStrategy ¶
type DefaultClientAuthenticationStrategy struct { Store interface { ClientManager } Config interface { JWTStrategyProvider JWKSFetcherStrategyProvider AllowedJWTAssertionAudiencesProvider } }
func (*DefaultClientAuthenticationStrategy) AuthenticateClient ¶
type DefaultClientWithCustomTokenLifespans ¶
type DefaultClientWithCustomTokenLifespans struct { *DefaultClient TokenLifespans *ClientLifespanConfig `json:"token_lifespans"` }
func (*DefaultClientWithCustomTokenLifespans) GetEffectiveLifespan ¶
func (c *DefaultClientWithCustomTokenLifespans) GetEffectiveLifespan(gt GrantType, tt TokenType, fallback time.Duration) time.Duration
GetEffectiveLifespan either maps GrantType x TokenType to the client's configured lifespan, or returns the fallback value.
TODO: Refactor time permitting.
func (*DefaultClientWithCustomTokenLifespans) GetTokenLifespans ¶
func (c *DefaultClientWithCustomTokenLifespans) GetTokenLifespans() *ClientLifespanConfig
func (*DefaultClientWithCustomTokenLifespans) SetTokenLifespans ¶
func (c *DefaultClientWithCustomTokenLifespans) SetTokenLifespans(lifespans *ClientLifespanConfig)
type DefaultJARClient ¶ added in v0.1.15
type DefaultJARClient struct { *DefaultClient JSONWebKeysURI string `json:"jwks_uri"` JSONWebKeys *jose.JSONWebKeySet `json:"jwks"` TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` IntrospectionEndpointAuthMethod string `json:"introspection_endpoint_auth_method"` RevocationEndpointAuthMethod string `json:"revocation_endpoint_auth_method"` PushedAuthorizationRequestEndpointAuthMethod string `json:"pushed_authorization_request_endpoint_auth_method"` RequestURIs []string `json:"request_uris"` RequestObjectSigningKeyID string `json:"request_object_signing_kid"` RequestObjectSigningAlg string `json:"request_object_signing_alg"` RequestObjectEncryptionKeyID string `json:"request_object_encryption_kid"` RequestObjectEncryptionAlg string `json:"request_object_encryption_alg"` RequestObjectEncryptionEnc string `json:"request_object_encryption_enc"` TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg"` IntrospectionEndpointAuthSigningAlg string `json:"introspection_endpoint_auth_signing_alg"` RevocationEndpointAuthSigningAlg string `json:"revocation_endpoint_auth_signing_alg"` PushedAuthorizationRequestEndpointAuthSigningAlg string `json:"pushed_authorization_request_endpoint_auth_signing_alg"` }
func (*DefaultJARClient) GetIntrospectionEndpointAuthMethod ¶ added in v0.1.15
func (c *DefaultJARClient) GetIntrospectionEndpointAuthMethod() string
func (*DefaultJARClient) GetIntrospectionEndpointAuthSigningAlg ¶ added in v0.1.15
func (c *DefaultJARClient) GetIntrospectionEndpointAuthSigningAlg() string
func (*DefaultJARClient) GetJSONWebKeys ¶ added in v0.1.15
func (c *DefaultJARClient) GetJSONWebKeys() *jose.JSONWebKeySet
func (*DefaultJARClient) GetJSONWebKeysURI ¶ added in v0.1.15
func (c *DefaultJARClient) GetJSONWebKeysURI() string
func (*DefaultJARClient) GetPushedAuthorizationRequestEndpointAuthMethod ¶ added in v0.2.0
func (c *DefaultJARClient) GetPushedAuthorizationRequestEndpointAuthMethod() string
func (*DefaultJARClient) GetPushedAuthorizationRequestEndpointAuthSigningAlg ¶ added in v0.2.0
func (c *DefaultJARClient) GetPushedAuthorizationRequestEndpointAuthSigningAlg() (alg string)
func (*DefaultJARClient) GetRequestObjectEncryptionAlg ¶ added in v0.1.15
func (c *DefaultJARClient) GetRequestObjectEncryptionAlg() string
func (*DefaultJARClient) GetRequestObjectEncryptionEnc ¶ added in v0.1.15
func (c *DefaultJARClient) GetRequestObjectEncryptionEnc() string
func (*DefaultJARClient) GetRequestObjectEncryptionKeyID ¶ added in v0.1.15
func (c *DefaultJARClient) GetRequestObjectEncryptionKeyID() string
func (*DefaultJARClient) GetRequestObjectSigningAlg ¶ added in v0.1.15
func (c *DefaultJARClient) GetRequestObjectSigningAlg() string
func (*DefaultJARClient) GetRequestObjectSigningKeyID ¶ added in v0.1.15
func (c *DefaultJARClient) GetRequestObjectSigningKeyID() string
func (*DefaultJARClient) GetRequestURIs ¶ added in v0.1.15
func (c *DefaultJARClient) GetRequestURIs() []string
func (*DefaultJARClient) GetRevocationEndpointAuthMethod ¶ added in v0.1.15
func (c *DefaultJARClient) GetRevocationEndpointAuthMethod() string
func (*DefaultJARClient) GetRevocationEndpointAuthSigningAlg ¶ added in v0.1.15
func (c *DefaultJARClient) GetRevocationEndpointAuthSigningAlg() string
func (*DefaultJARClient) GetTokenEndpointAuthMethod ¶ added in v0.1.15
func (c *DefaultJARClient) GetTokenEndpointAuthMethod() string
func (*DefaultJARClient) GetTokenEndpointAuthSigningAlg ¶ added in v0.1.15
func (c *DefaultJARClient) GetTokenEndpointAuthSigningAlg() string
type DefaultJWKSFetcherStrategy ¶
type DefaultJWKSFetcherStrategy struct {
// contains filtered or unexported fields
DefaultJWKSFetcherStrategy is a default implementation of the jwt.JWKSFetcherStrategy interface.
func (*DefaultJWKSFetcherStrategy) Resolve ¶
func (s *DefaultJWKSFetcherStrategy) Resolve(ctx context.Context, location string, ignoreCache bool) (*jose.JSONWebKeySet, error)
Resolve returns the JSON Web Key Set, or an error if something went wrong. The forceRefresh, if true, forces the strategy to fetch the key from the remote. If forceRefresh is false, the strategy may use a caching strategy to fetch the key.
func (*DefaultJWKSFetcherStrategy) WaitForCache ¶
func (s *DefaultJWKSFetcherStrategy) WaitForCache()
type DefaultResponseModeClient ¶
type DefaultResponseModeClient struct { *DefaultClient ResponseModes []ResponseModeType `json:"response_modes"` }
func (*DefaultResponseModeClient) GetResponseModes ¶
func (c *DefaultResponseModeClient) GetResponseModes() []ResponseModeType
type DefaultResponseModeHandler ¶
type DefaultResponseModeHandler struct {
Config ResponseModeHandlerConfigurator
func (*DefaultResponseModeHandler) EncodeResponseForm ¶
func (h *DefaultResponseModeHandler) EncodeResponseForm(ctx context.Context, rm ResponseModeType, requester AuthorizeRequester, parameters url.Values) (form url.Values, err error)
EncodeResponseForm encodes the response form if necessary.
func (*DefaultResponseModeHandler) ResponseModes ¶
func (h *DefaultResponseModeHandler) ResponseModes() ResponseModeTypes
ResponseModes returns the response modes this fosite.ResponseModeHandler is responsible for.
func (*DefaultResponseModeHandler) WriteAuthorizeError ¶
func (h *DefaultResponseModeHandler) WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, e error)
WriteAuthorizeError writes authorization errors.
func (*DefaultResponseModeHandler) WriteAuthorizeResponse ¶
func (h *DefaultResponseModeHandler) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
WriteAuthorizeResponse writes authorization responses.
type DefaultSession ¶
type DefaultSession struct { ExpiresAt map[TokenType]time.Time `json:"expires_at"` Username string `json:"username"` Subject string `json:"subject"` Extra map[string]any `json:"extra"` }
DefaultSession is a default implementation of the session interface.
func (*DefaultSession) Clone ¶
func (s *DefaultSession) Clone() Session
func (*DefaultSession) GetExpiresAt ¶
func (s *DefaultSession) GetExpiresAt(key TokenType) time.Time
func (*DefaultSession) GetExtraClaims ¶
func (s *DefaultSession) GetExtraClaims() map[string]any
GetExtraClaims implements ExtraClaimsSession for DefaultSession. The returned value can be modified in-place.
func (*DefaultSession) GetSubject ¶
func (s *DefaultSession) GetSubject() string
func (*DefaultSession) GetUsername ¶
func (s *DefaultSession) GetUsername() string
func (*DefaultSession) SetExpiresAt ¶
func (s *DefaultSession) SetExpiresAt(key TokenType, exp time.Time)
func (*DefaultSession) SetSubject ¶
func (s *DefaultSession) SetSubject(subject string)
type DeviceAuthorizeRequest ¶
type DeviceAuthorizeRequest struct { Request DeviceCodeSignature string UserCodeSignature string Status DeviceAuthorizeStatus LastChecked time.Time }
DeviceAuthorizeRequest is an implementation of DeviceAuthorizeRequester
func NewDeviceAuthorizeRequest ¶
func NewDeviceAuthorizeRequest() *DeviceAuthorizeRequest
func (*DeviceAuthorizeRequest) GetDeviceCodeSignature ¶
func (d *DeviceAuthorizeRequest) GetDeviceCodeSignature() string
GetDeviceCodeSignature returns the device code signature
func (*DeviceAuthorizeRequest) GetLastChecked ¶
func (d *DeviceAuthorizeRequest) GetLastChecked() time.Time
func (*DeviceAuthorizeRequest) GetStatus ¶
func (d *DeviceAuthorizeRequest) GetStatus() DeviceAuthorizeStatus
func (*DeviceAuthorizeRequest) GetUserCodeSignature ¶
func (d *DeviceAuthorizeRequest) GetUserCodeSignature() string
GetUserCodeSignature returns the user code signature
func (*DeviceAuthorizeRequest) Merge ¶
func (d *DeviceAuthorizeRequest) Merge(requester Requester)
func (*DeviceAuthorizeRequest) SetDeviceCodeSignature ¶
func (d *DeviceAuthorizeRequest) SetDeviceCodeSignature(signature string)
SetDeviceCodeSignature set the device code signature
func (*DeviceAuthorizeRequest) SetLastChecked ¶
func (d *DeviceAuthorizeRequest) SetLastChecked(lastChecked time.Time)
func (*DeviceAuthorizeRequest) SetStatus ¶
func (d *DeviceAuthorizeRequest) SetStatus(status DeviceAuthorizeStatus)
func (*DeviceAuthorizeRequest) SetUserCodeSignature ¶
func (d *DeviceAuthorizeRequest) SetUserCodeSignature(signature string)
SetUserCodeSignature set the user code signature
type DeviceAuthorizeRequester ¶
type DeviceAuthorizeRequester interface { // SetDeviceCodeSignature set the device code signature SetDeviceCodeSignature(signature string) // GetDeviceCodeSignature returns the device code signature GetDeviceCodeSignature() (signature string) // SetUserCodeSignature set the user code signature SetUserCodeSignature(signature string) // GetUserCodeSignature returns the user code signature GetUserCodeSignature() (signature string) SetStatus(status DeviceAuthorizeStatus) GetStatus() (status DeviceAuthorizeStatus) SetLastChecked(lastChecked time.Time) GetLastChecked() (lastChecked time.Time) Requester }
DeviceAuthorizeRequester is a device authorization endpoint's request context.
type DeviceAuthorizeResponder ¶
type DeviceAuthorizeResponder interface { GetDeviceCode() string SetDeviceCode(code string) // GetHeader returns the response's header GetHeader() (header http.Header) // AddHeader adds an header key value pair to the response AddHeader(key, value string) GetUserCode() (code string) SetUserCode(code string) GetVerificationURI() (uri string) SetVerificationURI(uri string) GetVerificationURIComplete() (completeURI string) SetVerificationURIComplete(uri string) GetExpiresIn() (expires int64) SetExpiresIn(seconds int64) GetInterval() (interval int) SetInterval(seconds int) // SetExtra sets a key value pair for the access response. SetExtra(key string, value any) // GetExtra returns a key's value. GetExtra(key string) (extra any) // ToMap converts the response to a map. ToMap() (values map[string]any) }
type DeviceAuthorizeResponse ¶
type DeviceAuthorizeResponse struct { Header http.Header `json:"-"` DeviceCode string `json:"device_code"` UserCode string `json:"user_code"` VerificationURI string `json:"verification_uri"` VerificationURIComplete string `json:"verification_uri_complete,omitempty"` ExpiresIn int64 `json:"expires_in"` Interval int `json:"interval,omitempty"` Extra map[string]any `json:"-"` }
func NewDeviceAuthorizeResponse ¶
func NewDeviceAuthorizeResponse() *DeviceAuthorizeResponse
func (*DeviceAuthorizeResponse) AddHeader ¶
func (d *DeviceAuthorizeResponse) AddHeader(key, value string)
func (*DeviceAuthorizeResponse) FromJson ¶
func (d *DeviceAuthorizeResponse) FromJson(r io.Reader) error
func (*DeviceAuthorizeResponse) GetDeviceCode ¶
func (d *DeviceAuthorizeResponse) GetDeviceCode() string
func (*DeviceAuthorizeResponse) GetExpiresIn ¶
func (d *DeviceAuthorizeResponse) GetExpiresIn() int64
GetExpiresIn returns the response's device code and user code lifetime in seconds if set
func (*DeviceAuthorizeResponse) GetExtra ¶
func (d *DeviceAuthorizeResponse) GetExtra(key string) any
func (*DeviceAuthorizeResponse) GetHeader ¶
func (d *DeviceAuthorizeResponse) GetHeader() http.Header
func (*DeviceAuthorizeResponse) GetInterval ¶
func (d *DeviceAuthorizeResponse) GetInterval() int
GetInterval returns the response's polling interval if set
func (*DeviceAuthorizeResponse) GetUserCode ¶
func (d *DeviceAuthorizeResponse) GetUserCode() string
func (*DeviceAuthorizeResponse) GetVerificationURI ¶
func (d *DeviceAuthorizeResponse) GetVerificationURI() string
GetVerificationURI returns the response's verification uri
func (*DeviceAuthorizeResponse) GetVerificationURIComplete ¶
func (d *DeviceAuthorizeResponse) GetVerificationURIComplete() string
GetVerificationURIComplete returns the response's complete verification uri if set
func (*DeviceAuthorizeResponse) SetDeviceCode ¶
func (d *DeviceAuthorizeResponse) SetDeviceCode(code string)
SetDeviceCode returns the response's user code
func (*DeviceAuthorizeResponse) SetExpiresIn ¶
func (d *DeviceAuthorizeResponse) SetExpiresIn(seconds int64)
func (*DeviceAuthorizeResponse) SetExtra ¶
func (d *DeviceAuthorizeResponse) SetExtra(key string, value any)
func (*DeviceAuthorizeResponse) SetInterval ¶
func (d *DeviceAuthorizeResponse) SetInterval(seconds int)
func (*DeviceAuthorizeResponse) SetUserCode ¶
func (d *DeviceAuthorizeResponse) SetUserCode(code string)
func (*DeviceAuthorizeResponse) SetVerificationURI ¶
func (d *DeviceAuthorizeResponse) SetVerificationURI(uri string)
func (*DeviceAuthorizeResponse) SetVerificationURIComplete ¶
func (d *DeviceAuthorizeResponse) SetVerificationURIComplete(uri string)
func (*DeviceAuthorizeResponse) ToMap ¶
func (d *DeviceAuthorizeResponse) ToMap() map[string]any
ToMap converts the response to a map.
type DeviceAuthorizeStatus ¶
type DeviceAuthorizeStatus int
const ( DeviceAuthorizeStatusNew DeviceAuthorizeStatus = iota DeviceAuthorizeStatusApproved DeviceAuthorizeStatusDenied )
type DeviceUserAuthorizeResponder ¶ added in v0.1.9
type DeviceUserAuthorizeResponder interface { // GetHeader returns the response's header GetHeader() (header http.Header) // AddHeader adds an header key value pair to the response AddHeader(key, value string) // GetParameters returns the response's parameters GetParameters() (query url.Values) // AddParameter adds key value pair to the response AddParameter(key, value string) // GetStatus returns the device grant user verification status GetStatus() (status string) // SetStatus sets the device grant user verification status SetStatus(status string) // SetExtra sets a key value pair for the access response. SetExtra(key string, value any) // GetExtra returns a key's value. GetExtra(key string) (extra any) // ToMap converts the response to a map. ToMap() (values map[string]any) }
DeviceUserAuthorizeResponder is device grant user verification endpoint response.
type DisableRefreshTokenValidationProvider ¶
type DisableRefreshTokenValidationProvider interface { // GetDisableRefreshTokenValidation returns the disable refresh token validation flag. GetDisableRefreshTokenValidation(ctx context.Context) bool }
DisableRefreshTokenValidationProvider returns the provider for configuring the refresh token validation.
type EnablePKCEPlainChallengeMethodProvider ¶
type EnablePKCEPlainChallengeMethodProvider interface { // GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method. GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool) }
EnablePKCEPlainChallengeMethodProvider returns the provider for configuring the enable PKCE plain challenge method.
type EndpointClientAuthHandler ¶ added in v0.1.12
type EndpointClientAuthHandler interface { // GetAuthMethod returns the appropriate auth method for this client. GetAuthMethod(client AuthenticationMethodClient) string // GetAuthSigningKeyID returns the appropriate auth signature key id for this client. GetAuthSigningKeyID(client AuthenticationMethodClient) string // GetAuthSigningAlg returns the appropriate auth signature algorithm for this client. GetAuthSigningAlg(client AuthenticationMethodClient) string // GetAuthEncryptionKeyID returns the appropriate auth encryption key id for this client. GetAuthEncryptionKeyID(client AuthenticationMethodClient) string // GetAuthEncryptionAlg returns the appropriate auth encryption key algorithm for this client. GetAuthEncryptionAlg(client AuthenticationMethodClient) string // GetAuthEncryptionEnc returns the appropriate auth encryption content encryption for this client. GetAuthEncryptionEnc(client AuthenticationMethodClient) string // Name returns the appropriate name for this endpoint for logging purposes. Name() string // AllowAuthMethodAny returns true if this endpoint client auth handler is allowed to be used for any method if not configured. AllowAuthMethodAny() bool }
EndpointClientAuthHandler is a helper implementation to assist with producing the correct values while using multiple endpoint implementations.
type EndpointClientAuthJWTClient ¶ added in v0.2.0
type EndpointClientAuthJWTClient struct {
// contains filtered or unexported fields
func (*EndpointClientAuthJWTClient) GetClientSecretPlainText ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetClientSecretPlainText() (secret []byte, ok bool, err error)
func (*EndpointClientAuthJWTClient) GetEncryptionAlg ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetEncryptionAlg() (alg string)
func (*EndpointClientAuthJWTClient) GetEncryptionEnc ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetEncryptionEnc() (enc string)
func (*EndpointClientAuthJWTClient) GetEncryptionKeyID ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetEncryptionKeyID() (kid string)
func (*EndpointClientAuthJWTClient) GetID ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetID() string
func (*EndpointClientAuthJWTClient) GetJSONWebKeys ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetJSONWebKeys() (jwks *jose.JSONWebKeySet)
func (*EndpointClientAuthJWTClient) GetJSONWebKeysURI ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetJSONWebKeysURI() (uri string)
func (*EndpointClientAuthJWTClient) GetSigningAlg ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetSigningAlg() (alg string)
func (*EndpointClientAuthJWTClient) GetSigningKeyID ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) GetSigningKeyID() (kid string)
func (*EndpointClientAuthJWTClient) IsClientSigned ¶ added in v0.2.0
func (c *EndpointClientAuthJWTClient) IsClientSigned() (is bool)
type EnforcePKCEForPublicClientsProvider ¶
type EnforcePKCEForPublicClientsProvider interface { // GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients. GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool) }
EnforcePKCEForPublicClientsProvider returns the provider for configuring the enforcement of PKCE for public clients.
type EnforcePKCEProvider ¶
type EnforcePKCEProvider interface { // GetEnforcePKCE returns the enforcement of PKCE. GetEnforcePKCE(ctx context.Context) (enforce bool) }
EnforcePKCEProvider returns the provider for configuring the enforcement of PKCE.
type ExtraClaimsSession ¶
type ExtraClaimsSession interface { // GetExtraClaims returns a map to store extra claims. // The returned value can be modified in-place. GetExtraClaims() map[string]any }
ExtraClaimsSession provides an interface for session to store any extra claims.
type FormPostHTMLTemplateProvider ¶
type FormPostHTMLTemplateProvider interface { // GetFormPostHTMLTemplate returns the form post HTML template. GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template) }
FormPostHTMLTemplateProvider returns the provider for configuring the form post HTML template.
type FormPostResponseProvider ¶
type FormPostResponseProvider interface { // GetFormPostResponseWriter returns a FormPostResponseWriter which should be utilized for writing the // form post response type. GetFormPostResponseWriter(ctx context.Context) FormPostResponseWriter }
FormPostResponseProvider provides a writer interface for writing the form post responses.
type FormPostResponseWriter ¶
type Fosite ¶
type Fosite struct { Store Storage Config Configurator }
Fosite implements Provider.
func New ¶
func New(store Storage, config Configurator) *Fosite
func (*Fosite) AuthenticateClient ¶
func (f *Fosite) AuthenticateClient(ctx context.Context, r *http.Request, form url.Values) (client Client, method string, err error)
AuthenticateClient authenticates client requests using the configured strategy returned by the oauth2.Configurator function GetClientAuthenticationStrategy, if nil it uses `oauth2.DefaultClientAuthenticationStrategy`.
func (*Fosite) AuthenticateClientWithAuthHandler ¶ added in v0.1.12
func (*Fosite) GetMinParameterEntropy ¶
GetMinParameterEntropy returns MinParameterEntropy if set. Defaults to oauth2.MinParameterEntropy.
func (*Fosite) IntrospectToken ¶
func (*Fosite) NewAccessRequest ¶
func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (AccessRequester, error)
NewAccessRequest Implements
- Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password. Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
- Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.
- If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
TODO: Refactor time permitting.
func (*Fosite) NewAccessResponse ¶
func (f *Fosite) NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)
func (*Fosite) NewAuthorizeRequest ¶
func (*Fosite) NewAuthorizeResponse ¶
func (f *Fosite) NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder AuthorizeResponder, err error)
func (*Fosite) NewIntrospectionRequest ¶
func (f *Fosite) NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (responder IntrospectionResponder, err error)
NewIntrospectionRequest initiates token introspection as defined in
The protected resource calls the introspection endpoint using an HTTP POST [RFC7231] request with parameters sent as "application/x-www-form-urlencoded" data as defined in [W3C.REC-html5-20141028]. The protected resource sends a parameter representing the token along with optional parameters representing additional context that is known by the protected resource to aid the authorization server in its response.
* token REQUIRED. The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, this is the "refresh_token" value returned from the token endpoint as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types are outside the scope of this specification.
* token_type_hint OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. Values for this field are defined in the "OAuth Token Type Hints" registry defined in OAuth Token Revocation [RFC7009].
The introspection endpoint MAY accept other OPTIONAL parameters to provide further context to the query. For instance, an authorization server may desire to know the IP address of the client accessing the protected resource to determine if the correct client is likely to be presenting the token. The definition of this or any other parameters are outside the scope of this specification, to be defined by service documentation or extensions to this specification. If the authorization server is unable to determine the state of the token without additional information, it SHOULD return an introspection response indicating the token is not active as described in Section 2.2.
To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750]. The methods of managing and validating these authentication credentials are out of scope of this specification.
For example, the following shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer token. The protected resource is using a separate OAuth 2.0 bearer token to authorize this call.
The following is a non-normative example request:
POST /introspect HTTP/1.1 Host: Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Bearer 23410913-abewfq.123483 token=2YotnFZFEjr1zCsicMWpAA
In this example, the protected resource uses a client identifier and client secret to authenticate itself to the introspection endpoint. The protected resource also sends a token type hint indicating that it is inquiring about an access token.
The following is a non-normative example request:
POST /introspect HTTP/1.1 Host: Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=mF_9.B5f-4.1JqM&token_type_hint=access_token
func (*Fosite) NewPushedAuthorizeRequest ¶
func (f *Fosite) NewPushedAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error)
NewPushedAuthorizeRequest validates the request and produces an AuthorizeRequester object that can be stored
func (*Fosite) NewPushedAuthorizeResponse ¶
func (f *Fosite) NewPushedAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder PushedAuthorizeResponder, err error)
NewPushedAuthorizeResponse executes the handlers and builds the response
func (*Fosite) NewRFC8628UserAuthorizeRequest ¶
func (*Fosite) NewRFC8628UserAuthorizeResponse ¶
func (f *Fosite) NewRFC8628UserAuthorizeResponse(ctx context.Context, requester DeviceAuthorizeRequester, session Session) (DeviceUserAuthorizeResponder, error)
func (*Fosite) NewRFC862DeviceAuthorizeRequest ¶
func (*Fosite) NewRFC862DeviceAuthorizeResponse ¶
func (f *Fosite) NewRFC862DeviceAuthorizeResponse(ctx context.Context, r DeviceAuthorizeRequester, session Session) (DeviceAuthorizeResponder, error)
func (*Fosite) NewRevocationRequest ¶
NewRevocationRequest handles incoming token revocation requests and validates various parameters as specified in:
The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below.
In the next step, the authorization server invalidates the token. The invalidation takes place immediately, and the token cannot be used again after the revocation.
* An invalid token type hint value is ignored by the authorization server and does not influence the revocation response.
func (*Fosite) ParseResponseMode ¶
func (*Fosite) WriteAccessError ¶
func (f *Fosite) WriteAccessError(ctx context.Context, rw http.ResponseWriter, req AccessRequester, err error)
func (*Fosite) WriteAccessResponse ¶
func (f *Fosite) WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
func (*Fosite) WriteAuthorizeError ¶
func (f *Fosite) WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)
func (*Fosite) WriteAuthorizeResponse ¶
func (f *Fosite) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
func (*Fosite) WriteIntrospectionError ¶
WriteIntrospectionError responds with token metadata discovered by token introspection as defined in
If the protected resource uses OAuth 2.0 client credentials to authenticate to the introspection endpoint and its credentials are invalid, the authorization server responds with an HTTP 401 (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].
If the protected resource uses an OAuth 2.0 bearer token to authorize its call to the introspection endpoint and the token used for authorization does not contain sufficient privileges or is otherwise invalid for this request, the authorization server responds with an HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token Usage [RFC6750].
Note that a properly formed and authorized query for an inactive or otherwise invalid token (or a token the protected resource is not allowed to know about) is not considered an error response by this specification. In these cases, the authorization server MUST instead respond with an introspection response with the "active" field set to "false" as described in Section 2.2.
func (*Fosite) WriteIntrospectionResponse ¶
func (f *Fosite) WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder)
WriteIntrospectionResponse responds with an error if token introspection failed as defined in
The server responds with a JSON object [RFC7159] in "application/ json" format with the following top-level members.
* active REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). See Section 4 for information on implementation of such checks.
* scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].
* client_id OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.
* username OPTIONAL. Human-readable identifier for the resource owner who authorized this token.
* token_type OPTIONAL. Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].
* exp OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire, as defined in JWT [RFC7519].
* iat OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued, as defined in JWT [RFC7519].
* nbf OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before, as defined in JWT [RFC7519].
* sub OPTIONAL. Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token.
* aud OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
* iss OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].
* jti OPTIONAL. String identifier for the token, as defined in JWT [RFC7519].
Specific implementations MAY extend this structure with their own service-specific response names as top-level members of this JSON object. Response names intended to be used across domains MUST be registered in the "OAuth Token Introspection Response" registry defined in Section 3.1.
The authorization server MAY respond differently to different protected resources making the same request. For instance, an authorization server MAY limit which scopes from a given token are returned for each protected resource to prevent a protected resource from learning more about the larger network than is necessary for its operation.
The response MAY be cached by the protected resource to improve performance and reduce load on the introspection endpoint, but at the cost of liveness of the information used by the protected resource to make authorization decisions. See Section 4 for more information regarding the trade off when the response is cached.
For example, the following response contains a set of information about an active token:
The following is a non-normative example response:
HTTP/1.1 200 OK Content-Type: application/json { "active": true, "client_id": "l238j323ds-23ij4", "username": "jdoe", "scope": "read write dolphin", "sub": "Z5O3upPC88QrAjx00dis", "aud": "", "iss": "", "exp": 1419356238, "iat": 1419350238, "extension_field": "twenty-seven" }
If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the "active" field set to "false". Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.
The following is a non-normative example response for a token that has been revoked or is otherwise invalid:
HTTP/1.1 200 OK Content-Type: application/json { "active": false }
func (*Fosite) WritePushedAuthorizeError ¶
func (f *Fosite) WritePushedAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)
WritePushedAuthorizeError writes the PAR error
func (*Fosite) WritePushedAuthorizeResponse ¶
func (f *Fosite) WritePushedAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder PushedAuthorizeResponder)
WritePushedAuthorizeResponse writes the PAR response
func (*Fosite) WriteRFC8628UserAuthorizeError ¶
func (f *Fosite) WriteRFC8628UserAuthorizeError(ctx context.Context, rw http.ResponseWriter, req DeviceAuthorizeRequester, err error)
func (*Fosite) WriteRFC8628UserAuthorizeResponse ¶
func (f *Fosite) WriteRFC8628UserAuthorizeResponse(_ context.Context, rw http.ResponseWriter, _ DeviceAuthorizeRequester, responder DeviceUserAuthorizeResponder)
func (*Fosite) WriteRFC862DeviceAuthorizeResponse ¶
func (f *Fosite) WriteRFC862DeviceAuthorizeResponse(_ context.Context, rw http.ResponseWriter, _ DeviceAuthorizeRequester, responder DeviceAuthorizeResponder)
func (*Fosite) WriteRevocationResponse ¶
WriteRevocationResponse writes a token revocation response as specified in:
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.
type G11NContext ¶
type G11NContext interface { // GetLang returns the current language in the context GetLang() (lang language.Tag) }
G11NContext is the globalization context
type GetJWTMaxDurationProvider ¶
type GetJWTMaxDurationProvider interface { // GetJWTMaxDuration returns the JWT max duration. GetJWTMaxDuration(ctx context.Context) (max time.Duration) }
GetJWTMaxDurationProvider returns the provider for configuring the JWT max duration.
type GlobalSecretProvider ¶
type GlobalSecretProvider interface { // GetGlobalSecret returns the global secret. GetGlobalSecret(ctx context.Context) (secret []byte, err error) }
GlobalSecretProvider returns the provider for configuring the global secret.
type GrantTypeJWTBearerCanSkipClientAuthProvider ¶
type GrantTypeJWTBearerCanSkipClientAuthProvider interface { // GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth. GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (permitted bool) }
GrantTypeJWTBearerCanSkipClientAuthProvider returns the provider for configuring the grant type JWT bearer can skip client auth.
type GrantTypeJWTBearerIDOptionalProvider ¶
type GrantTypeJWTBearerIDOptionalProvider interface { // GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional. GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool) }
GrantTypeJWTBearerIDOptionalProvider returns the provider for configuring the grant type JWT bearer ID optional.
type GrantTypeJWTBearerIssuedDateOptionalProvider ¶
type GrantTypeJWTBearerIssuedDateOptionalProvider interface { // GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional. GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool) }
GrantTypeJWTBearerIssuedDateOptionalProvider returns the provider for configuring the grant type JWT bearer issued date optional.
type HMACHashingProvider ¶
type HMACHashingProvider interface { // GetHMACHasher returns the hash function. GetHMACHasher(ctx context.Context) func() (hasher hash.Hash) }
HMACHashingProvider returns the provider for configuring the hash function.
type HTTPClientProvider ¶
type HTTPClientProvider interface { // GetHTTPClient returns the HTTP client provider. GetHTTPClient(ctx context.Context) (client *retryablehttp.Client) }
HTTPClientProvider returns the provider for configuring the HTTP client.
type IDTokenClient ¶ added in v0.1.15
type IDTokenClient interface { // GetIDTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the ID // Token specifications. If unspecified the other available parameters will be utilized to select an appropriate // key. GetIDTokenSignedResponseKeyID() (kid string) // GetIDTokenSignedResponseAlg is equivalent to the 'id_token_signed_response_alg' client metadata value which // determines the JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none // MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token // from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, // is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the // jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery]. GetIDTokenSignedResponseAlg() (alg string) // GetIDTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the ID // Token specifications. If unspecified the other available parameters will be utilized to select an appropriate // key. GetIDTokenEncryptedResponseKeyID() (kid string) // GetIDTokenEncryptedResponseAlg is equivalent to the 'id_token_encrypted_response_alg' client metadata value which // determines the JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is // requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. // The default, if omitted, is that no encryption is performed. GetIDTokenEncryptedResponseAlg() (alg string) // GetIDTokenEncryptedResponseEnc is equivalent to the 'id_token_encrypted_response_enc' client metadata value which // determines the JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If // id_token_encrypted_response_alg is specified, the default id_token_encrypted_response_enc value is A128CBC-HS256. // When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided. GetIDTokenEncryptedResponseEnc() (enc string) JSONWebKeysClient }
IDTokenClient is a client which can satisfy all JWS and JWE requirements of the ID Token responses.
type IDTokenIssuerProvider ¶
type IDTokenIssuerProvider interface { // GetIDTokenIssuer returns the ID token issuer. GetIDTokenIssuer(ctx context.Context) (issuer string) }
IDTokenIssuerProvider returns the provider for configuring the ID token issuer.
type IDTokenLifespanProvider ¶
type IDTokenLifespanProvider interface { // GetIDTokenLifespan returns the ID token lifespan. GetIDTokenLifespan(ctx context.Context) time.Duration }
IDTokenLifespanProvider returns the provider for configuring the ID token lifespan.
type IntrospectionEndpointClientAuthHandler ¶ added in v0.1.12
type IntrospectionEndpointClientAuthHandler struct{}
func (*IntrospectionEndpointClientAuthHandler) AllowAuthMethodAny ¶ added in v0.1.12
func (h *IntrospectionEndpointClientAuthHandler) AllowAuthMethodAny() bool
func (*IntrospectionEndpointClientAuthHandler) GetAuthEncryptionAlg ¶ added in v0.2.0
func (h *IntrospectionEndpointClientAuthHandler) GetAuthEncryptionAlg(client AuthenticationMethodClient) string
func (*IntrospectionEndpointClientAuthHandler) GetAuthEncryptionEnc ¶ added in v0.2.0
func (h *IntrospectionEndpointClientAuthHandler) GetAuthEncryptionEnc(client AuthenticationMethodClient) string
func (*IntrospectionEndpointClientAuthHandler) GetAuthEncryptionKeyID ¶ added in v0.2.0
func (h *IntrospectionEndpointClientAuthHandler) GetAuthEncryptionKeyID(client AuthenticationMethodClient) string
func (*IntrospectionEndpointClientAuthHandler) GetAuthMethod ¶ added in v0.1.12
func (h *IntrospectionEndpointClientAuthHandler) GetAuthMethod(client AuthenticationMethodClient) string
func (*IntrospectionEndpointClientAuthHandler) GetAuthSigningAlg ¶ added in v0.1.12
func (h *IntrospectionEndpointClientAuthHandler) GetAuthSigningAlg(client AuthenticationMethodClient) string
func (*IntrospectionEndpointClientAuthHandler) GetAuthSigningKeyID ¶ added in v0.2.0
func (h *IntrospectionEndpointClientAuthHandler) GetAuthSigningKeyID(client AuthenticationMethodClient) string
func (*IntrospectionEndpointClientAuthHandler) Name ¶ added in v0.1.12
func (h *IntrospectionEndpointClientAuthHandler) Name() string
type IntrospectionIssuerProvider ¶ added in v0.1.4
type IntrospectionIssuerProvider interface { // GetIntrospectionIssuer returns the Introspection token issuer. GetIntrospectionIssuer(ctx context.Context) (issuer string) }
IntrospectionIssuerProvider returns the provider for configuring the Introspection issuer.
type IntrospectionJWTResponseClient ¶ added in v0.1.4
type IntrospectionJWTResponseClient interface { // GetIntrospectionSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for // OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be // utilized to select an appropriate key. GetIntrospectionSignedResponseKeyID() (kid string) // GetIntrospectionSignedResponseAlg is equivalent to the 'introspection_signed_response_alg' client metadata // value which determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518] for signing // introspection responses. If this is specified, the response will be signed using JWS and the configured // algorithm. The default, if omitted, is RS256. GetIntrospectionSignedResponseAlg() (alg string) // GetIntrospectionEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for // OAuth 2.0 JWT introspection response specifications. If unspecified the other available parameters will be // utilized to select an appropriate key. GetIntrospectionEncryptedResponseKeyID() (kid string) // GetIntrospectionEncryptedResponseAlg is equivalent to the 'introspection_encrypted_response_alg' client metadata // value which determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518] for content key // encryption. If this is specified, the response will be encrypted using JWE and the configured content encryption // algorithm (introspection_encrypted_response_enc). The default, if omitted, is that no encryption is performed. // If both signing and encryption are requested, the response will be signed then encrypted, with the result being // a Nested JWT, as defined in JWT [RFC7519]. GetIntrospectionEncryptedResponseAlg() (alg string) // GetIntrospectionEncryptedResponseEnc is equivalent to the 'introspection_encrypted_response_enc' client metadata // value which determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518] for content // encryption of introspection responses. The default, if omitted, is A128CBC-HS256. Note: This parameter MUST NOT // be specified without setting introspection_encrypted_response_alg. GetIntrospectionEncryptedResponseEnc() (enc string) Client }
IntrospectionJWTResponseClient is a client which can potentially sign Introspection responses.
type IntrospectionJWTResponseStrategyProvider ¶ added in v0.2.0
type IntrospectionJWTResponseStrategyProvider interface { // GetIntrospectionJWTResponseStrategy returns the Introspection JWT Strategy. GetIntrospectionJWTResponseStrategy(ctx context.Context) jwt.Strategy }
IntrospectionJWTResponseStrategyProvider returns the provider for configuring the Introspection jwt.Strategy.
type IntrospectionResponder ¶
type IntrospectionResponder interface { // IsActive returns true if the introspected token is active and false otherwise. IsActive() (active bool) // GetAccessRequester returns the AccessRequester which returns nil when IsActive() is false and the original access request object otherwise. GetAccessRequester() (requester AccessRequester) // GetTokenUse optionally returns the type of the token that was introspected. This could be "access_token", "refresh_token", // or if the type can not be determined an empty string. GetTokenUse() (tokenUse TokenUse) // GetAccessTokenType optionally returns the type of the access token that was introspected. This could be "bearer", "mac", // or empty string if the type of the token is refresh token. GetAccessTokenType() (tokenType string) // ToMap returns the audience values for this introspection for use with signed introspection responses, and map // values for this introspection regardless of what kind of introspection response. ToMap() (audience []string, introspection map[string]any) }
IntrospectionResponder is the response object that will be returned when token introspection was successful, for example when the client is allowed to perform token introspection. Refer to for more details.
type IntrospectionResponse ¶
type IntrospectionResponse struct { Client Client `json:"-"` Active bool `json:"active"` AccessRequester AccessRequester `json:"extra"` TokenUse TokenUse `json:"token_use,omitempty"` AccessTokenType string `json:"token_type,omitempty"` Lang language.Tag `json:"-"` }
func (*IntrospectionResponse) GetAccessRequester ¶
func (r *IntrospectionResponse) GetAccessRequester() AccessRequester
func (*IntrospectionResponse) GetAccessTokenType ¶
func (r *IntrospectionResponse) GetAccessTokenType() string
func (*IntrospectionResponse) GetClient ¶
func (r *IntrospectionResponse) GetClient() Client
GetClient returns the client related to the introspected token.
func (*IntrospectionResponse) GetTokenUse ¶
func (r *IntrospectionResponse) GetTokenUse() TokenUse
func (*IntrospectionResponse) IsActive ¶
func (r *IntrospectionResponse) IsActive() bool
type JARClient ¶ added in v0.1.15
type JARClient interface { // GetRequestObjectSigningKeyID returns the specific key identifier used to satisfy JWS requirements of the request // object specifications. If unspecified the other available parameters will be utilized to select an appropriate // key. GetRequestObjectSigningKeyID() (kid string) // GetRequestObjectSigningAlg is equivalent to the 'request_object_signing_alg' client metadata // value which determines the JWS alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. // All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are // described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the // Request Object is passed by value (using the request parameter) and when it is passed by reference (using the // request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is // that any algorithm supported by the OP and the RP MAY be used. GetRequestObjectSigningAlg() (alg string) // GetRequestObjectEncryptionKeyID returns the specific key identifier used to satisfy JWE requirements of the // request object specifications. If unspecified the other available parameters will be utilized to select an // appropriate key. GetRequestObjectEncryptionKeyID() (kid string) // GetRequestObjectEncryptionAlg is equivalent to the 'request_object_encryption_alg' client metadata value which // determines the JWE alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to // the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP // that a client_secret value needs to be returned from which the symmetric key will be derived, that might not // otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request // Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object // will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, // is that the RP is not declaring whether it might encrypt any Request Objects. GetRequestObjectEncryptionAlg() (alg string) // GetRequestObjectEncryptionEnc is equivalent to the 'request_object_encryption_enc' client metadata value which // determines the JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to // the OP. If request_object_encryption_alg is specified, the default request_object_encryption_enc value is // A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be // provided. GetRequestObjectEncryptionEnc() (enc string) // GetRequestURIs is an array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY // cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request. // OPs can require that request_uri values used be pre-registered with the require_request_uri_registration // discovery parameter. GetRequestURIs() (requestURIs []string) JSONWebKeysClient }
JARClient represents a client capable of performing OpenID Connect requests.
type JARMClient ¶
type JARMClient interface { // GetAuthorizationSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the // JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available parameters // will be utilized to select an appropriate key. GetAuthorizationSignedResponseKeyID() (kid string) // GetAuthorizationSignedResponseAlg is equivalent to the 'authorization_signed_response_alg' client metadata // value which determines the JWS [RFC7515] alg algorithm JWA [RFC7518] REQUIRED for signing authorization // responses. If this is specified, the response will be signed using JWS and the configured algorithm. The // algorithm none is not allowed. The default, if omitted, is RS256. GetAuthorizationSignedResponseAlg() (alg string) // GetAuthorizationEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of // the JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available parameters will be // utilized to select an appropriate key. GetAuthorizationEncryptedResponseKeyID() (kid string) // GetAuthorizationEncryptedResponseAlg is equivalent to the 'authorization_encrypted_response_alg' client metadata // value which determines the JWE [RFC7516] alg algorithm JWA [RFC7518] REQUIRED for encrypting authorization // responses. If both signing and encryption are requested, the response will be signed then encrypted, with the // result being a Nested JWT, as defined in JWT [RFC7519]. The default, if omitted, is that no encryption is // performed. GetAuthorizationEncryptedResponseAlg() (alg string) // GetAuthorizationEncryptedResponseEnc is equivalent to the 'authorization_encrypted_response_enc' client // metadata value which determines the JWE [RFC7516] enc algorithm JWA [RFC7518] REQUIRED for encrypting // authorization responses. If authorization_encrypted_response_alg is specified, the default for this value is // A128CBC-HS256. When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST // also be provided. GetAuthorizationEncryptedResponseEnc() (alg string) Client }
JARMClient is a client which supports JARM.
type JSONWebKeysClient ¶ added in v0.1.11
type JSONWebKeysClient interface { // GetJSONWebKeys returns the JSON Web Key Set containing the public key used by the client to authenticate. GetJSONWebKeys() (jwks *jose.JSONWebKeySet) // GetJSONWebKeysURI returns the URL for lookup of JSON Web Key Set containing the // public key used by the client to authenticate. GetJSONWebKeysURI() (uri string) Client }
JSONWebKeysClient is a client base which includes a JSON Web Key Set registration.
type JWKSFetcherStrategyProvider ¶
type JWKSFetcherStrategyProvider interface { // GetJWKSFetcherStrategy returns the JWKS fetcher strategy. GetJWKSFetcherStrategy(ctx context.Context) (strategy jwt.JWKSFetcherStrategy) }
JWKSFetcherStrategyProvider returns the provider for configuring the JWKS fetcher strategy.
type JWTProfileAccessTokensProvider ¶
type JWTProfileAccessTokensProvider interface { // GetEnforceJWTProfileAccessTokens when returning true will disregard the registered client capabilities for // Access Token generation and produce only JWT Profile Access Tokens. GetEnforceJWTProfileAccessTokens(ctx context.Context) (enable bool) }
JWTProfileAccessTokensProvider provides configuration options to the JWT Profile strategies.
type JWTProfileClient ¶
type JWTProfileClient interface { // GetAccessTokenSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements for // JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be // utilized to select an appropriate key. GetAccessTokenSignedResponseKeyID() (kid string) // GetAccessTokenSignedResponseAlg determines the JWS [RFC7515] algorithm (alg value) as defined in JWA [RFC7518] // for signing JWT Profile Access Token responses. If this is specified, the response will be signed using JWS and // the configured algorithm. The default, if omitted, is none; i.e. unsigned responses unless the // GetEnableJWTProfileOAuthAccessTokens receiver returns true in which case the default is RS256. GetAccessTokenSignedResponseAlg() (alg string) // GetAccessTokenEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements for // JWT Profile for OAuth 2.0 Access Tokens specifications. If unspecified the other available parameters will be // utilized to select an appropriate key. GetAccessTokenEncryptedResponseKeyID() (kid string) // GetAccessTokenEncryptedResponseAlg determines the JWE [RFC7516] algorithm (alg value) as defined in JWA [RFC7518] // for content key encryption. If this is specified, the response will be encrypted using JWE and the configured // content encryption algorithm (access_token_encrypted_response_enc). The default, if omitted, is that no // encryption is performed. If both signing and encryption are requested, the response will be signed then // encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519]. GetAccessTokenEncryptedResponseAlg() (alg string) // GetAccessTokenEncryptedResponseEnc determines the JWE [RFC7516] algorithm (enc value) as defined in JWA [RFC7518] // for content encryption of access token responses. The default, if omitted, is A128CBC-HS256. Note: This parameter // MUST NOT be specified without setting access_token_encrypted_response_alg. GetAccessTokenEncryptedResponseEnc() (alg string) // GetEnableJWTProfileOAuthAccessTokens indicates this client should or should not issue JWT Profile Access Tokens. GetEnableJWTProfileOAuthAccessTokens() (enforce bool) Client }
JWTProfileClient represents a client with can handle RFC9068 responses; i.e. the JWT Profile for OAuth 2.0 Access Tokens.
type JWTScopeFieldProvider ¶
type JWTScopeFieldProvider interface { // GetJWTScopeField returns the JWT scope field. GetJWTScopeField(ctx context.Context) jwt.JWTScopeFieldEnum }
JWTScopeFieldProvider returns the provider for configuring the JWT scope field.
type JWTSecuredAuthorizeResponseModeIssuerProvider ¶
type JWTSecuredAuthorizeResponseModeIssuerProvider interface { // GetJWTSecuredAuthorizeResponseModeIssuer returns the JARM issuer. GetJWTSecuredAuthorizeResponseModeIssuer(ctx context.Context) string }
JWTSecuredAuthorizeResponseModeIssuerProvider returns the provider for configuring the JARM issuer.
type JWTSecuredAuthorizeResponseModeLifespanProvider ¶
type JWTSecuredAuthorizeResponseModeLifespanProvider interface {
GetJWTSecuredAuthorizeResponseModeLifespan(ctx context.Context) time.Duration
JWTSecuredAuthorizeResponseModeLifespanProvider returns the provider for configuring the JWT Secured Authorize Response Mode token lifespan.
type JWTSecuredAuthorizeResponseModeStrategyProvider ¶ added in v0.2.0
type JWTSecuredAuthorizeResponseModeStrategyProvider interface { // GetJWTSecuredAuthorizeResponseModeStrategy returns the JARM Strategy. GetJWTSecuredAuthorizeResponseModeStrategy(ctx context.Context) jwt.Strategy }
JWTSecuredAuthorizeResponseModeStrategyProvider returns the provider for configuring the JARM jwt.Strategy.
type JWTStrategyProvider ¶ added in v0.2.0
JWTStrategyProvider returns the provider for configuring the jwt.Strategy.
type MessageCatalogProvider ¶
type MessageCatalogProvider interface { // GetMessageCatalog returns the message catalog. GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog) }
MessageCatalogProvider returns the provider for configuring the message catalog.
type MinParameterEntropyProvider ¶
type MinParameterEntropyProvider interface { // GetMinParameterEntropy returns the minimum parameter entropy. GetMinParameterEntropy(_ context.Context) (min int) }
MinParameterEntropyProvider returns the provider for configuring the minimum parameter entropy.
type OmitRedirectScopeParamProvider ¶
type OmitRedirectScopeParamProvider interface { // GetOmitRedirectScopeParam must be set to true if the scope query param is to be omitted // in the authorization's redirect URI GetOmitRedirectScopeParam(ctx context.Context) (omit bool) }
OmitRedirectScopeParamProvider returns the provider for configuring the omit redirect scope param.
type PARStorage ¶
type PARStorage interface { // CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key. CreatePARSession(ctx context.Context, requestURI string, request AuthorizeRequester) error // GetPARSession gets the push authorization request context. The caller is expected to merge the AuthorizeRequest. GetPARSession(ctx context.Context, requestURI string) (AuthorizeRequester, error) // DeletePARSession deletes the context. DeletePARSession(ctx context.Context, requestURI string) (err error) }
PARStorage holds information needed to store and retrieve PAR context.
type PlainTextClientSecret ¶ added in v0.2.0
type PlainTextClientSecret struct {
// contains filtered or unexported fields
func NewPlainTextClientSecret ¶ added in v0.2.0
func NewPlainTextClientSecret(value string) *PlainTextClientSecret
NewPlainTextClientSecret returns a new PlainTextClientSecret given a value.
func (*PlainTextClientSecret) Compare ¶ added in v0.2.0
func (s *PlainTextClientSecret) Compare(ctx context.Context, secret []byte) (err error)
func (*PlainTextClientSecret) GetPlainTextValue ¶ added in v0.2.0
func (s *PlainTextClientSecret) GetPlainTextValue() (secret []byte, err error)
func (*PlainTextClientSecret) IsPlainText ¶ added in v0.2.0
func (s *PlainTextClientSecret) IsPlainText() (is bool)
func (*PlainTextClientSecret) Valid ¶ added in v0.2.0
func (s *PlainTextClientSecret) Valid() (valid bool)
type PrivateKey ¶
type PrivateKey interface { Public() crypto.PublicKey Equal(x crypto.PrivateKey) bool }
PrivateKey properly describes crypto.PrivateKey.
type ProofKeyCodeExchangeClient ¶
type ProofKeyCodeExchangeClient interface { GetEnforcePKCE() (enforce bool) GetEnforcePKCEChallengeMethod() (enforce bool) GetPKCEChallengeMethod() (method string) Client }
ProofKeyCodeExchangeClient is a Client implementation which provides PKCE client policy values.
type Provider ¶
type Provider interface { // NewAuthorizeRequest returns an AuthorizeRequest. // // The following specs must be considered in any implementation of this method: // * // Extension response types MAY contain a space-delimited (%x20) list of // values, where the order of values does not matter (e.g., response // type "a b" is the same as "b a"). The meaning of such composite // response types is defined by their respective specifications. // * // The redirection endpoint URI MUST be an absolute URI as defined by // [RFC3986] Section 4.3. The endpoint URI MAY include an // "application/x-www-form-urlencoded" formatted (per Appendix B) query // component ([RFC3986] Section 3.4), which MUST be retained when adding // additional query parameters. The endpoint URI MUST NOT include a // fragment component. // * (everything MUST be implemented) NewAuthorizeRequest(ctx context.Context, r *http.Request) (requester AuthorizeRequester, err error) // NewAuthorizeResponse iterates through all response type handlers and returns their result or // ErrUnsupportedResponseType if none of the handlers were able to handle it. // // The following specs must be considered in any implementation of this method: // * // Extension response types MAY contain a space-delimited (%x20) list of // values, where the order of values does not matter (e.g., response // type "a b" is the same as "b a"). The meaning of such composite // response types is defined by their respective specifications. // If an authorization request is missing the "response_type" parameter, // or if the response type is not understood, the authorization server // MUST return an error response as described in Section NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder AuthorizeResponder, err error) // WriteAuthorizeError returns the error codes to the redirection endpoint or shows the error to the user, if no valid // redirect uri was given. Implements rfc6749#section- // // The following specs must be considered in any implementation of this method: // * // The redirection endpoint URI MUST be an absolute URI as defined by // [RFC3986] Section 4.3. The endpoint URI MAY include an // "application/x-www-form-urlencoded" formatted (per Appendix B) query // component ([RFC3986] Section 3.4), which MUST be retained when adding // additional query parameters. The endpoint URI MUST NOT include a // fragment component. // * (everything) // * (everything MUST be implemented) WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error) // WriteAuthorizeResponse persists the AuthorizeSession in the store and redirects the user agent to the provided // redirect url or returns an error if storage failed. // // The following specs must be considered in any implementation of this method: // * // After completing its interaction with the resource owner, the // authorization server directs the resource owner's user-agent back to // the client. The authorization server redirects the user-agent to the // client's redirection endpoint previously established with the // authorization server during the client registration process or when // making the authorization request. // * (everything MUST be implemented) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder) // NewAccessRequest creates a new access request object and validates // various parameters. // // The following specs must be considered in any implementation of this method: // * (everything) // * (everything) // // Furthermore the registered handlers should implement their specs accordingly. NewAccessRequest(ctx context.Context, r *http.Request, session Session) (requester AccessRequester, err error) // NewAccessResponse creates a new access response and validates that access_token and token_type are set. // // The following specs must be considered in any implementation of this method: // NewAccessResponse(ctx context.Context, requester AccessRequester) (responder AccessResponder, err error) // WriteAccessError writes an access request error response. // // The following specs must be considered in any implementation of this method: // * (everything) WriteAccessError(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, err error) // WriteAccessResponse writes the access response. // // The following specs must be considered in any implementation of this method: // WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder) // NewRevocationRequest handles incoming token revocation requests and validates various parameters. // // The following specs must be considered in any implementation of this method: // NewRevocationRequest(ctx context.Context, r *http.Request) (err error) // WriteRevocationResponse writes the revoke response. // // The following specs must be considered in any implementation of this method: // WriteRevocationResponse(ctx context.Context, rw http.ResponseWriter, err error) // IntrospectToken returns token metadata, if the token is valid. Tokens generated by the authorization endpoint, // such as the authorization code, can not be introspected. IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scope ...string) (actualTokenUse TokenUse, requester AccessRequester, err error) // NewIntrospectionRequest initiates token introspection as defined in // NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (responder IntrospectionResponder, err error) // WriteIntrospectionError responds with an error if token introspection failed as defined in // WriteIntrospectionError(ctx context.Context, rw http.ResponseWriter, err error) // WriteIntrospectionResponse responds with token metadata discovered by token introspection as defined in // WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder) // NewPushedAuthorizeRequest validates the request and produces an AuthorizeRequester object that can be stored NewPushedAuthorizeRequest(ctx context.Context, r *http.Request) (requester AuthorizeRequester, err error) // NewPushedAuthorizeResponse executes the handlers and builds the response NewPushedAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (responder PushedAuthorizeResponder, err error) // WritePushedAuthorizeResponse writes the PAR response WritePushedAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder PushedAuthorizeResponder) // WritePushedAuthorizeError writes the PAR error WritePushedAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error) // NewRFC862DeviceAuthorizeRequest validate the OAuth 2.0 Device Authorization Flow Request // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // Parameters sent without a value MUST be treated as if they were // omitted from the request. The authorization server MUST ignore // unrecognized request parameters. Request and response parameters // MUST NOT be included more than once. NewRFC862DeviceAuthorizeRequest(ctx context.Context, req *http.Request) (requester DeviceAuthorizeRequester, err error) // NewRFC862DeviceAuthorizeResponse persists the DeviceCodeSession and UserCodeSession in the store // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // In response, the authorization server generates a unique device // verification code and an end-user code that are valid for a limited // time NewRFC862DeviceAuthorizeResponse(ctx context.Context, requester DeviceAuthorizeRequester, session Session) (responder DeviceAuthorizeResponder, err error) // WriteRFC862DeviceAuthorizeResponse return to the user both codes and // some configuration information in a JSON formatted manner // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // Response is a HTTP response body using the // "application/json" format [RFC8259] with a 200 (OK) status code. WriteRFC862DeviceAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester DeviceAuthorizeRequester, responder DeviceAuthorizeResponder) // WriteRFC8628UserAuthorizeResponse returns the device grant user verification result in a JSON formatted manner. // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // Response is a HTTP response body using the // "application/json" format [RFC8259] with a 200 (OK) status code. WriteRFC8628UserAuthorizeResponse(cxt context.Context, rw http.ResponseWriter, requester DeviceAuthorizeRequester, responder DeviceUserAuthorizeResponder) // WriteRFC8628UserAuthorizeError returns the device grant user verification error in a JSON formatted manner. // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // Response is a HTTP response body using the // "application/json" format [RFC8259] with a 200 (OK) status code. WriteRFC8628UserAuthorizeError(_ context.Context, rw http.ResponseWriter, requester DeviceAuthorizeRequester, err error) // NewRFC8628UserAuthorizeRequest validate the OAuth 2.0 Device Authorization Flow - User interaction Request // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // Parameters sent without a value MUST be treated as if they were // omitted from the request. The authorization server MUST ignore // unrecognized request parameters. Request and response parameters // MUST NOT be included more than once. NewRFC8628UserAuthorizeRequest(ctx context.Context, req *http.Request) (requester DeviceAuthorizeRequester, err error) // NewRFC8628UserAuthorizeResponse persists the DeviceCodeSession and UserCodeSession in the store // // The following specs must be considered in any implementation of this method: // * (everything MUST be implemented) // In response, the authorization server generates a unique device // verification code and an end-user code that are valid for a limited // time NewRFC8628UserAuthorizeResponse(ctx context.Context, requester DeviceAuthorizeRequester, session Session) (responder DeviceUserAuthorizeResponder, err error) }
Provider is an interface that enables you to write OAuth2 handlers with only a few lines of code. Check Fosite for an implementation of this interface.
type PushedAuthorizationRequestClient ¶
type PushedAuthorizationRequestClient interface { // GetRequirePushedAuthorizationRequests should return true if this client MUST use a Pushed Authorization Request. GetRequirePushedAuthorizationRequests() (require bool) // GetPushedAuthorizeContextLifespan should return a custom lifespan or a duration of 0 seconds to utilize the // global lifespan. GetPushedAuthorizeContextLifespan() (lifespan time.Duration) Client }
PushedAuthorizationRequestClient is a client with custom requirements for Pushed Authorization requests.
type PushedAuthorizeEndpointHandler ¶
type PushedAuthorizeEndpointHandler interface { // HandlePushedAuthorizeEndpointRequest handles a pushed authorize endpoint request. To extend the handler's capabilities, the http request // is passed along, if further information retrieval is required. If the handler feels that he is not responsible for // the pushed authorize request, he must return nil and NOT modify session nor responder neither requester. HandlePushedAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder PushedAuthorizeResponder) error }
PushedAuthorizeEndpointHandler is the interface that handles PAR (
type PushedAuthorizeEndpointHandlers ¶
type PushedAuthorizeEndpointHandlers []PushedAuthorizeEndpointHandler
PushedAuthorizeEndpointHandlers is a list of PushedAuthorizeEndpointHandler
func (*PushedAuthorizeEndpointHandlers) Append ¶
func (a *PushedAuthorizeEndpointHandlers) Append(h PushedAuthorizeEndpointHandler)
Append adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type PushedAuthorizeRequestConfigProvider ¶
type PushedAuthorizeRequestConfigProvider interface { // GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is // usually 'urn:ietf:params:oauth:request_uri:'. GetPushedAuthorizeRequestURIPrefix(ctx context.Context) (prefix string) // GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context. GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration) // GetRequirePushedAuthorizationRequests indicates if the use of Pushed Authorization Requests is gobally required. // In this mode, a client cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint // must contain the PAR request_uri. GetRequirePushedAuthorizationRequests(ctx context.Context) (enforce bool) }
PushedAuthorizeRequestConfigProvider is the configuration provider for pushed authorization request.
type PushedAuthorizeRequestHandlersProvider ¶
type PushedAuthorizeRequestHandlersProvider interface { // GetPushedAuthorizeEndpointHandlers returns the handlers. GetPushedAuthorizeEndpointHandlers(ctx context.Context) (handlers PushedAuthorizeEndpointHandlers) }
PushedAuthorizeRequestHandlersProvider returns the provider for configuring the PAR handlers.
type PushedAuthorizeResponder ¶
type PushedAuthorizeResponder interface { // GetRequestURI returns the request_uri GetRequestURI() (uri string) // SetRequestURI sets the request_uri SetRequestURI(requestURI string) // GetExpiresIn gets the expires_in GetExpiresIn() (expires int) // SetExpiresIn sets the expires_in SetExpiresIn(seconds int) // GetHeader returns the response's header GetHeader() (header http.Header) // AddHeader adds a header key value pair to the response AddHeader(key, value string) // SetExtra sets a key value pair for the response. SetExtra(key string, value any) // GetExtra returns a key's value. GetExtra(key string) (extra any) // ToMap converts the response to a map. ToMap() (values map[string]any) }
PushedAuthorizeResponder is the response object for PAR
type PushedAuthorizeResponse ¶
type PushedAuthorizeResponse struct { RequestURI string `json:"request_uri"` ExpiresIn int `json:"expires_in"` Header http.Header Extra map[string]any }
PushedAuthorizeResponse is the response object for PAR
func (*PushedAuthorizeResponse) AddHeader ¶
func (a *PushedAuthorizeResponse) AddHeader(key, value string)
AddHeader adds
func (*PushedAuthorizeResponse) GetExpiresIn ¶
func (a *PushedAuthorizeResponse) GetExpiresIn() int
GetExpiresIn gets
func (*PushedAuthorizeResponse) GetExtra ¶
func (a *PushedAuthorizeResponse) GetExtra(key string) any
GetExtra gets
func (*PushedAuthorizeResponse) GetHeader ¶
func (a *PushedAuthorizeResponse) GetHeader() http.Header
GetHeader gets
func (*PushedAuthorizeResponse) GetRequestURI ¶
func (a *PushedAuthorizeResponse) GetRequestURI() string
GetRequestURI gets
func (*PushedAuthorizeResponse) SetExpiresIn ¶
func (a *PushedAuthorizeResponse) SetExpiresIn(seconds int)
SetExpiresIn sets
func (*PushedAuthorizeResponse) SetExtra ¶
func (a *PushedAuthorizeResponse) SetExtra(key string, value any)
SetExtra sets
func (*PushedAuthorizeResponse) SetRequestURI ¶
func (a *PushedAuthorizeResponse) SetRequestURI(requestURI string)
SetRequestURI sets
func (*PushedAuthorizeResponse) ToMap ¶
func (a *PushedAuthorizeResponse) ToMap() map[string]any
ToMap converts to a map
type RFC6749Error ¶
type RFC6749Error struct { ErrorField string DescriptionField string HintField string CodeField int DebugField string // contains filtered or unexported fields }
func ErrorToRFC6749Error ¶
func ErrorToRFC6749Error(err error) *RFC6749Error
func ErrorToRFC6749ErrorFallback ¶
func ErrorToRFC6749ErrorFallback(err error, fallback *RFC6749Error) *RFC6749Error
func (*RFC6749Error) Cause ¶
func (e *RFC6749Error) Cause() error
func (*RFC6749Error) Debug ¶
func (e *RFC6749Error) Debug() string
func (*RFC6749Error) Details ¶
func (e *RFC6749Error) Details() map[string]any
func (RFC6749Error) Error ¶
func (e RFC6749Error) Error() string
func (*RFC6749Error) GetDescription ¶
func (e *RFC6749Error) GetDescription() string
GetDescription returns a more descriptive description, combined with hint and debug (when available).
func (RFC6749Error) Is ¶
func (e RFC6749Error) Is(err error) bool
func (RFC6749Error) IsEmpty ¶
func (e RFC6749Error) IsEmpty() bool
IsEmpty returns true if the error is an empty error.
func (RFC6749Error) MarshalJSON ¶
func (e RFC6749Error) MarshalJSON() ([]byte, error)
func (*RFC6749Error) Reason ¶
func (e *RFC6749Error) Reason() string
func (*RFC6749Error) RequestID ¶
func (e *RFC6749Error) RequestID() string
func (*RFC6749Error) Sanitize
func (e *RFC6749Error) Sanitize() *RFC6749Error
Sanitize strips the debug field
Deprecated: Use WithExposeDebug instead.
func (*RFC6749Error) StackTrace ¶
func (e *RFC6749Error) StackTrace() (trace errors.StackTrace)
StackTrace returns the error's stack trace.
func (*RFC6749Error) Status ¶
func (e *RFC6749Error) Status() string
func (*RFC6749Error) StatusCode ¶
func (e *RFC6749Error) StatusCode() int
func (*RFC6749Error) ToValues ¶
func (e *RFC6749Error) ToValues() url.Values
func (*RFC6749Error) UnmarshalJSON ¶
func (e *RFC6749Error) UnmarshalJSON(b []byte) error
func (RFC6749Error) Unwrap ¶
func (e RFC6749Error) Unwrap() error
func (*RFC6749Error) WithDebug ¶
func (e *RFC6749Error) WithDebug(debug string) *RFC6749Error
func (*RFC6749Error) WithDebugError ¶
func (e *RFC6749Error) WithDebugError(debug error) *RFC6749Error
func (*RFC6749Error) WithDebugf ¶
func (e *RFC6749Error) WithDebugf(debug string, args ...any) *RFC6749Error
func (*RFC6749Error) WithDescription ¶
func (e *RFC6749Error) WithDescription(description string) *RFC6749Error
func (*RFC6749Error) WithExposeDebug ¶
func (e *RFC6749Error) WithExposeDebug(exposeDebug bool) *RFC6749Error
WithExposeDebug if set to true exposes debug messages.
func (*RFC6749Error) WithHint ¶
func (e *RFC6749Error) WithHint(hint string) *RFC6749Error
func (*RFC6749Error) WithHintIDOrDefaultf ¶
func (e *RFC6749Error) WithHintIDOrDefaultf(id string, def string, args ...any) *RFC6749Error
WithHintIDOrDefaultf accepts the ID of the hint message
func (*RFC6749Error) WithHintTranslationID ¶
func (e *RFC6749Error) WithHintTranslationID(id string) *RFC6749Error
WithHintTranslationID accepts the ID of the hint message and should be paired with WithHint and WithHintf to add a default message and vaargs.
func (*RFC6749Error) WithHintf ¶
func (e *RFC6749Error) WithHintf(hint string, args ...any) *RFC6749Error
func (RFC6749Error) WithLegacyFormat ¶
func (e RFC6749Error) WithLegacyFormat(useLegacyFormat bool) *RFC6749Error
func (*RFC6749Error) WithLocalizer ¶
func (e *RFC6749Error) WithLocalizer(catalog i18n.MessageCatalog, lang language.Tag) *RFC6749Error
func (*RFC6749Error) WithTrace ¶
func (e *RFC6749Error) WithTrace(err error) *RFC6749Error
func (RFC6749Error) WithWrap ¶
func (e RFC6749Error) WithWrap(cause error) *RFC6749Error
func (*RFC6749Error) Wrap ¶
func (e *RFC6749Error) Wrap(err error)
type RFC6749ErrorJson ¶
type RFC6749ErrorJson struct { Name string `json:"error"` Description string `json:"error_description"` Hint string `json:"error_hint,omitempty"` Code int `json:"status_code,omitempty"` Debug string `json:"error_debug,omitempty"` }
RFC6749ErrorJson is a helper struct for JSON encoding/decoding of RFC6749Error.
type RFC8628DeviceAuthorizeEndpointHandler ¶
type RFC8628DeviceAuthorizeEndpointHandler interface { // HandleRFC8628DeviceAuthorizeEndpointRequest handles a device authorize endpoint request. To extend the handler's capabilities, the http request // is passed along, if further information retrieval is required. If the handler feels that he is not responsible for // the device authorize request, he must return nil and NOT modify session nor responder neither requester. // // The following spec is a good example of what HandleDeviceAuthorizeRequest should do. // * HandleRFC8628DeviceAuthorizeEndpointRequest(ctx context.Context, requester DeviceAuthorizeRequester, responder DeviceAuthorizeResponder) error }
type RFC8628DeviceAuthorizeEndpointHandlers ¶
type RFC8628DeviceAuthorizeEndpointHandlers []RFC8628DeviceAuthorizeEndpointHandler
RFC8628DeviceAuthorizeEndpointHandlers is a list of RFC8628DeviceAuthorizeEndpointHandler
func (*RFC8628DeviceAuthorizeEndpointHandlers) Append ¶
func (a *RFC8628DeviceAuthorizeEndpointHandlers) Append(h RFC8628DeviceAuthorizeEndpointHandler)
Append adds an RFC8628DeviceAuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type RFC8628DeviceAuthorizeEndpointHandlersProvider ¶
type RFC8628DeviceAuthorizeEndpointHandlersProvider interface { // GetRFC8628DeviceAuthorizeEndpointHandlers returns the handlers. GetRFC8628DeviceAuthorizeEndpointHandlers(ctx context.Context) (handlers RFC8628DeviceAuthorizeEndpointHandlers) }
RFC8628DeviceAuthorizeEndpointHandlersProvider returns the provider for setting up the Device authorization handlers.
type RFC8628UserAuthorizeEndpointHandler ¶
type RFC8628UserAuthorizeEndpointHandler interface { // HandleRFC8628UserAuthorizeEndpointRequest validates the request with the given user code. // // The following spec is a good example of what PopulateRFC8628UserAuthorizeEndpointResponse should do. // * HandleRFC8628UserAuthorizeEndpointRequest(ctx context.Context, request DeviceAuthorizeRequester) error // PopulateRFC8628UserAuthorizeEndpointResponse populates the response object as an outcome of user authorization during // the device authorization grant flow. // PopulateRFC8628UserAuthorizeEndpointResponse(ctx context.Context, requester DeviceAuthorizeRequester, responder DeviceUserAuthorizeResponder) error }
type RFC8628UserAuthorizeEndpointHandlers ¶
type RFC8628UserAuthorizeEndpointHandlers []RFC8628UserAuthorizeEndpointHandler
RFC8628UserAuthorizeEndpointHandlers is a list of RFC8628UserAuthorizeEndpointHandler
func (*RFC8628UserAuthorizeEndpointHandlers) Append ¶
func (a *RFC8628UserAuthorizeEndpointHandlers) Append(h RFC8628UserAuthorizeEndpointHandler)
Append adds an RFC8628UserAuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type RFC8628UserAuthorizeEndpointHandlersProvider ¶
type RFC8628UserAuthorizeEndpointHandlersProvider interface { // GetRFC8628UserAuthorizeEndpointHandlers returns the handlers. GetRFC8628UserAuthorizeEndpointHandlers(ctx context.Context) (handlers RFC8628UserAuthorizeEndpointHandlers) }
RFC8628UserAuthorizeEndpointHandlersProvider returns the provider for setting up the Device grant user interaction handlers.
type RFC8628UserAuthorizeResponse ¶
type RFC8628UserAuthorizeResponse struct { Header http.Header `json:"-"` Parameters url.Values `json:"-"` Status string `json:"status"` Extra map[string]any `json:"-"` }
RFC8628UserAuthorizeResponse is an implementation of DeviceUserAuthorizeResponder
func NewRFC8628UserAuthorizeResponse ¶
func NewRFC8628UserAuthorizeResponse() *RFC8628UserAuthorizeResponse
func (*RFC8628UserAuthorizeResponse) AddHeader ¶
func (d *RFC8628UserAuthorizeResponse) AddHeader(key, value string)
func (*RFC8628UserAuthorizeResponse) AddParameter ¶
func (d *RFC8628UserAuthorizeResponse) AddParameter(key, value string)
func (*RFC8628UserAuthorizeResponse) FromJson ¶
func (d *RFC8628UserAuthorizeResponse) FromJson(r io.Reader) error
func (*RFC8628UserAuthorizeResponse) GetExtra ¶
func (d *RFC8628UserAuthorizeResponse) GetExtra(key string) any
func (*RFC8628UserAuthorizeResponse) GetHeader ¶
func (d *RFC8628UserAuthorizeResponse) GetHeader() http.Header
func (*RFC8628UserAuthorizeResponse) GetParameters ¶
func (d *RFC8628UserAuthorizeResponse) GetParameters() url.Values
func (*RFC8628UserAuthorizeResponse) GetStatus ¶
func (d *RFC8628UserAuthorizeResponse) GetStatus() string
func (*RFC8628UserAuthorizeResponse) SetExtra ¶
func (d *RFC8628UserAuthorizeResponse) SetExtra(key string, value any)
func (*RFC8628UserAuthorizeResponse) SetStatus ¶
func (d *RFC8628UserAuthorizeResponse) SetStatus(status string)
func (*RFC8628UserAuthorizeResponse) ToJson ¶
func (d *RFC8628UserAuthorizeResponse) ToJson(rw io.Writer) error
func (*RFC8628UserAuthorizeResponse) ToMap ¶
func (d *RFC8628UserAuthorizeResponse) ToMap() map[string]any
ToMap converts the response to a map.
type RFC8693ConfigProvider ¶
type RFC8693ConfigProvider interface { GetRFC8693TokenTypes(ctx context.Context) (types map[string]RFC8693TokenType) GetDefaultRFC8693RequestedTokenType(ctx context.Context) (tokenType string) }
RFC8693ConfigProvider is the configuration provider for RFC8693 Token Exchange.
type RFC8693TokenType ¶
type RFC9207ResponseModeParameterHandler ¶ added in v0.1.3
type RFC9207ResponseModeParameterHandler struct { Config interface { AuthorizationServerIssuerIdentificationProvider } }
RFC9207ResponseModeParameterHandler adds the RFC9207
func (*RFC9207ResponseModeParameterHandler) ResponseModes ¶ added in v0.1.3
func (h *RFC9207ResponseModeParameterHandler) ResponseModes() ResponseModeTypes
func (*RFC9207ResponseModeParameterHandler) WriteParameters ¶ added in v0.1.3
func (h *RFC9207ResponseModeParameterHandler) WriteParameters(ctx context.Context, requester AuthorizeRequester, parameters url.Values)
type RFC9628DeviceAuthorizeConfigProvider ¶
type RFC9628DeviceAuthorizeConfigProvider interface { // GetRFC8628CodeLifespan returns the device and user code lifespan. GetRFC8628CodeLifespan(ctx context.Context) (lifespan time.Duration) GetRFC8628UserVerificationURL(ctx context.Context) (url string) GetRFC8628TokenPollingInterval(ctx context.Context) (interval time.Duration) }
RFC9628DeviceAuthorizeConfigProvider returns the provider for configuring the device authorization response.
type RedirectSecureCheckerProvider ¶
type RedirectSecureCheckerProvider interface { // GetRedirectSecureChecker returns the redirect URL security validator. GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) bool }
RedirectSecureCheckerProvider returns the provider for configuring the redirect URL security validator.
type RefreshFlowScopeClient ¶
type RefreshFlowScopeClient interface { GetRefreshFlowIgnoreOriginalGrantedScopes(ctx context.Context) (ignoreOriginalGrantedScopes bool) Client }
RefreshFlowScopeClient is a client which can be customized to ignore scopes that were not originally granted.
type RefreshTokenAccessRequester ¶
type RefreshTokenAccessRequester interface { // SanitizeRestoreRefreshTokenOriginalRequester returns a sanitized copy of this Requester and mutates the relevant // values from the provided Requester which is the original refresh token session Requester. SanitizeRestoreRefreshTokenOriginalRequester(requester Requester) (sanitized Requester) AccessRequester }
RefreshTokenAccessRequester is an extended AccessRequester implementation that allows preserving the original Requester.
type RefreshTokenLifespanProvider ¶
type RefreshTokenLifespanProvider interface { // GetRefreshTokenLifespan returns the refresh token lifespan. GetRefreshTokenLifespan(ctx context.Context) time.Duration }
RefreshTokenLifespanProvider returns the provider for configuring the refresh token lifespan.
type RefreshTokenScopesProvider ¶
type RefreshTokenScopesProvider interface { // GetRefreshTokenScopes returns the refresh token scopes. GetRefreshTokenScopes(ctx context.Context) []string }
RefreshTokenScopesProvider returns the provider for configuring the refresh token scopes.
type Request ¶
type Request struct { ID string `json:"id" gorethink:"id"` RequestedAt time.Time `json:"requestedAt" gorethink:"requestedAt"` Client Client `json:"-" gorethink:"client"` RequestedScope Arguments `json:"scopes" gorethink:"scopes"` GrantedScope Arguments `json:"grantedScopes" gorethink:"grantedScopes"` Form url.Values `json:"form" gorethink:"form"` Session Session `json:"session" gorethink:"session"` RequestedAudience Arguments `json:"requestedAudience"` GrantedAudience Arguments `json:"grantedAudience"` Lang language.Tag `json:"-"` }
Request is an implementation of Requester
func NewRequest ¶
func NewRequest() *Request
func (*Request) AppendRequestedAudience ¶
func (*Request) AppendRequestedScope ¶
func (*Request) GetGrantedAudience ¶
func (*Request) GetGrantedScopes ¶
func (*Request) GetRequestForm ¶
func (*Request) GetRequestedAt ¶
func (*Request) GetRequestedAudience ¶
func (*Request) GetRequestedScopes ¶
func (*Request) GetSession ¶
func (*Request) GrantAudience ¶
func (*Request) GrantScope ¶
func (*Request) SetRequestedAudience ¶
func (*Request) SetRequestedScopes ¶
func (*Request) SetSession ¶
type RequestedAudienceImplicitClient ¶
type RequestedAudienceImplicitClient interface { // GetRequestedAudienceImplicit is indicative of if a client will implicitly request all audiences it is allowed to // request in the absence of requested audience during an Authorization Endpoint Flow or Client Credentials Flow. GetRequestedAudienceImplicit() (implicit bool) Client }
RequestedAudienceImplicitClient is a client which can potentially implicitly grant permitted audiences given the absence of a request parameter.
type Requester ¶
type Requester interface { // SetID sets the unique identifier. SetID(id string) // GetID returns a unique identifier. GetID() (id string) // GetRequestedAt returns the time the request was created. GetRequestedAt() (requestedAt time.Time) // GetClient returns the request's client. GetClient() (client Client) // GetRequestedScopes returns the request's scopes. GetRequestedScopes() (scopes Arguments) // GetRequestedAudience returns the requested audiences for this request. GetRequestedAudience() (audience Arguments) // SetRequestedScopes sets the request's scopes. SetRequestedScopes(scopes Arguments) // SetRequestedAudience sets the requested audience. SetRequestedAudience(audience Arguments) // AppendRequestedScope appends a scope to the request. AppendRequestedScope(scope string) // GetGrantedScopes returns all granted scopes. GetGrantedScopes() (grantedScopes Arguments) // GetGrantedAudience returns all granted audiences. GetGrantedAudience() (grantedAudience Arguments) // GrantScope marks a request's scope as granted. GrantScope(scope string) // GrantAudience marks a request's audience as granted. GrantAudience(audience string) // GetSession returns a pointer to the request's session or nil if none is set. GetSession() (session Session) // SetSession sets the request's session pointer. SetSession(session Session) // GetRequestForm returns the request's form input. GetRequestForm() (form url.Values) // Merge merges the argument into the method receiver. Merge(requester Requester) // Sanitize returns a sanitized clone of the request which can be used for storage. Sanitize(allowedParameters []string) (sanitized Requester) }
Requester is an abstract interface for handling requests in Fosite.
type ResponseModeClient ¶
type ResponseModeClient interface { // GetResponseModes returns the response modes that client is allowed to send GetResponseModes() (modes []ResponseModeType) Client }
ResponseModeClient represents a client capable of handling response_mode
type ResponseModeHandler ¶
type ResponseModeHandler interface { // ResponseModes returns a set of supported response modes handled // by the interface implementation. // // In an authorize request with any of the provide response modes // methods `WriteAuthorizeResponse` and `WriteAuthorizeError` will be // invoked to write the successful or error authorization responses respectively. ResponseModes() ResponseModeTypes // WriteAuthorizeResponse writes successful responses // // The following headers are expected to be set by implementations of this interface: // header.Set(consts.HeaderCacheControl, consts.CacheControlNoStore) // header.Set(consts.HeaderPragma, consts.PragmaNoCache) WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder) // WriteAuthorizeError writes error responses // // The following headers are expected to be set by implementations of this interface: // header.Set(consts.HeaderCacheControl, consts.CacheControlNoStore) // header.Set(consts.HeaderPragma, consts.PragmaNoCache) WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error) }
ResponseModeHandler provides a contract for handling response modes.
type ResponseModeHandlerConfigurator ¶
type ResponseModeHandlerConfigurator interface { ResponseModeParameterHandlerProvider FormPostHTMLTemplateProvider FormPostResponseProvider JWTSecuredAuthorizeResponseModeIssuerProvider JWTSecuredAuthorizeResponseModeStrategyProvider JWTSecuredAuthorizeResponseModeLifespanProvider MessageCatalogProvider SendDebugMessagesToClientsProvider UseLegacyErrorFormatProvider }
type ResponseModeHandlerProvider ¶
type ResponseModeHandlerProvider interface { // GetResponseModeHandlers returns the response mode handlers in order of execution. GetResponseModeHandlers(ctx context.Context) (handlers ResponseModeHandlers) }
ResponseModeHandlerProvider returns the provider for configuring the response mode handlers.
type ResponseModeHandlers ¶ added in v0.1.3
type ResponseModeHandlers []ResponseModeHandler
ResponseModeHandlers is a list of ResponseModeHandler.
func (*ResponseModeHandlers) Append ¶ added in v0.1.3
func (a *ResponseModeHandlers) Append(h ResponseModeHandler)
Append adds an ResponseModeHandler to this list. Ignores duplicates based on reflect.TypeOf.
type ResponseModeParameterHandler ¶ added in v0.1.3
type ResponseModeParameterHandler interface { // ResponseModes returns a set of supported response modes handled // by the interface implementation. // // In an authorize request with any of the provide response modes // methods `WriteAuthorizeResponse` and `WriteAuthorizeError` will be // invoked to write the successful or error authorization responses respectively. ResponseModes() ResponseModeTypes // WriteParameters is handed the parameters just before handing of to the response writer. WriteParameters(ctx context.Context, requester AuthorizeRequester, parameters url.Values) }
type ResponseModeParameterHandlerProvider ¶ added in v0.1.3
type ResponseModeParameterHandlerProvider interface { // GetResponseModeParameterHandlers returns the ResponseModeParameterHandler's to process. GetResponseModeParameterHandlers(ctx context.Context) (handlers ResponseModeParameterHandlers) }
ResponseModeParameterHandlerProvider returns the providers for configuring additional parameters in the response mode phase of an Authorization Request which may not be possible to determine until the final response mode is known.
type ResponseModeParameterHandlers ¶ added in v0.1.3
type ResponseModeParameterHandlers []ResponseModeParameterHandler
ResponseModeParameterHandlers is a list of ResponseModeParameterHandler.
func (*ResponseModeParameterHandlers) Append ¶ added in v0.1.3
func (a *ResponseModeParameterHandlers) Append(h ResponseModeParameterHandler)
Append adds an ResponseModeParameterHandler to this list. Ignores duplicates based on reflect.TypeOf.
type ResponseModeType ¶
type ResponseModeType string
type ResponseModeTypes ¶
type ResponseModeTypes []ResponseModeType
func (ResponseModeTypes) Has ¶
func (rs ResponseModeTypes) Has(item ResponseModeType) bool
type RevocationEndpointClientAuthHandler ¶ added in v0.1.12
type RevocationEndpointClientAuthHandler struct{}
func (*RevocationEndpointClientAuthHandler) AllowAuthMethodAny ¶ added in v0.1.12
func (h *RevocationEndpointClientAuthHandler) AllowAuthMethodAny() bool
func (*RevocationEndpointClientAuthHandler) GetAuthEncryptionAlg ¶ added in v0.2.0
func (h *RevocationEndpointClientAuthHandler) GetAuthEncryptionAlg(client AuthenticationMethodClient) string
func (*RevocationEndpointClientAuthHandler) GetAuthEncryptionEnc ¶ added in v0.2.0
func (h *RevocationEndpointClientAuthHandler) GetAuthEncryptionEnc(client AuthenticationMethodClient) string
func (*RevocationEndpointClientAuthHandler) GetAuthEncryptionKeyID ¶ added in v0.2.0
func (h *RevocationEndpointClientAuthHandler) GetAuthEncryptionKeyID(client AuthenticationMethodClient) string
func (*RevocationEndpointClientAuthHandler) GetAuthMethod ¶ added in v0.1.12
func (h *RevocationEndpointClientAuthHandler) GetAuthMethod(client AuthenticationMethodClient) string
func (*RevocationEndpointClientAuthHandler) GetAuthSigningAlg ¶ added in v0.1.12
func (h *RevocationEndpointClientAuthHandler) GetAuthSigningAlg(client AuthenticationMethodClient) string
func (*RevocationEndpointClientAuthHandler) GetAuthSigningKeyID ¶ added in v0.2.0
func (h *RevocationEndpointClientAuthHandler) GetAuthSigningKeyID(client AuthenticationMethodClient) string
func (*RevocationEndpointClientAuthHandler) Name ¶ added in v0.1.12
func (h *RevocationEndpointClientAuthHandler) Name() string
type RevocationHandler ¶
type RevocationHandler interface { // RevokeToken handles access and refresh token revocation. RevokeToken(ctx context.Context, token string, tokenType TokenType, client Client) error }
RevocationHandler is the interface that allows token revocation for an OAuth2.0 provider.
RevokeToken is invoked after a new token revocation request is parsed. If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
type RevocationHandlers ¶
type RevocationHandlers []RevocationHandler
RevocationHandlers is a list of RevocationHandler
func (*RevocationHandlers) Append ¶
func (t *RevocationHandlers) Append(h RevocationHandler)
Append adds an RevocationHandler to this list. Ignores duplicates based on reflect.TypeOf.
type RevocationHandlersProvider ¶
type RevocationHandlersProvider interface { // GetRevocationHandlers returns the revocation handlers. GetRevocationHandlers(ctx context.Context) (handlers RevocationHandlers) }
RevocationHandlersProvider returns the provider for configuring the revocation handlers.
type RevokeFlowRevokeRefreshTokensExplicitClient ¶
type RevokeFlowRevokeRefreshTokensExplicitClient interface { // GetRevokeRefreshTokensExplicit returns true if this client will only revoke refresh tokens explicitly. GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool) Client }
RevokeFlowRevokeRefreshTokensExplicitClient is a client which can be customized to only revoke Refresh Tokens explicitly.
type RevokeRefreshTokensExplicitlyProvider ¶
type RevokeRefreshTokensExplicitlyProvider interface { // GetRevokeRefreshTokensExplicit returns true if a refresh token should only be revoked explicitly. GetRevokeRefreshTokensExplicit(ctx context.Context) (explicit bool) // GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient returns true if a // RevokeFlowRevokeRefreshTokensExplicitClient returning false should be enforced. GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx context.Context) (explicit bool) }
RevokeRefreshTokensExplicitlyProvider returns the provider for configuring the Refresh Token Explicit Revocation policy.
type RotatedClientSecretsClient ¶
type RotatedClientSecretsClient interface { GetRotatedClientSecrets() (secrets []ClientSecret) Client }
RotatedClientSecretsClient extends Client interface by a method providing a slice of rotated secrets.
type RotatedGlobalSecretsProvider ¶
type RotatedGlobalSecretsProvider interface { // GetRotatedGlobalSecrets returns the rotated global secrets. GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte, err error) }
RotatedGlobalSecretsProvider returns the provider for configuring the rotated global secrets.
type SanitationAllowedProvider ¶
type SanitationAllowedProvider interface { // GetSanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values // are safe for storage in a database (cleartext). GetSanitationWhiteList(ctx context.Context) (whitelist []string) }
SanitationAllowedProvider returns the provider for configuring the sanitation white list.
type ScopeStrategy ¶
ScopeStrategy is a strategy for matching scopes.
type ScopeStrategyProvider ¶
type ScopeStrategyProvider interface { // GetScopeStrategy returns the scope strategy. GetScopeStrategy(ctx context.Context) ScopeStrategy }
ScopeStrategyProvider returns the provider for configuring the scope strategy.
type SendDebugMessagesToClientsProvider ¶
type SendDebugMessagesToClientsProvider interface { // GetSendDebugMessagesToClients returns the send debug messages to clients. GetSendDebugMessagesToClients(ctx context.Context) (send bool) }
SendDebugMessagesToClientsProvider returns the provider for configuring the send debug messages to clients.
type Session ¶
type Session interface { // SetExpiresAt sets the expiration time of a token. // // session.SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(time.Hour)) SetExpiresAt(key TokenType, exp time.Time) // GetExpiresAt returns the expiration time of a token if set, or time.IsZero() if not. // // session.GetExpiresTimeX(oauth2.AccessToken) GetExpiresAt(key TokenType) time.Time // GetUsername returns the username, if set. This is optional and only used during token introspection. GetUsername() string // GetSubject returns the subject, if set. This is optional and only used during token introspection. GetSubject() string // Clone clones the session. Clone() Session }
Session is an interface that is used to store session data between OAuth2 requests. It can be used to look up when a session expires or what the subject's name was.
type Storage ¶
type Storage interface { ClientManager }
Storage defines the minimal storage interface.
type TokenEndpointClientAuthHandler ¶ added in v0.1.12
type TokenEndpointClientAuthHandler struct{}
func (*TokenEndpointClientAuthHandler) AllowAuthMethodAny ¶ added in v0.1.12
func (h *TokenEndpointClientAuthHandler) AllowAuthMethodAny() bool
func (*TokenEndpointClientAuthHandler) GetAuthEncryptionAlg ¶ added in v0.2.0
func (h *TokenEndpointClientAuthHandler) GetAuthEncryptionAlg(client AuthenticationMethodClient) string
func (*TokenEndpointClientAuthHandler) GetAuthEncryptionEnc ¶ added in v0.2.0
func (h *TokenEndpointClientAuthHandler) GetAuthEncryptionEnc(client AuthenticationMethodClient) string
func (*TokenEndpointClientAuthHandler) GetAuthEncryptionKeyID ¶ added in v0.2.0
func (h *TokenEndpointClientAuthHandler) GetAuthEncryptionKeyID(client AuthenticationMethodClient) string
func (*TokenEndpointClientAuthHandler) GetAuthMethod ¶ added in v0.1.12
func (h *TokenEndpointClientAuthHandler) GetAuthMethod(client AuthenticationMethodClient) string
func (*TokenEndpointClientAuthHandler) GetAuthSigningAlg ¶ added in v0.1.12
func (h *TokenEndpointClientAuthHandler) GetAuthSigningAlg(client AuthenticationMethodClient) string
func (*TokenEndpointClientAuthHandler) GetAuthSigningKeyID ¶ added in v0.2.0
func (h *TokenEndpointClientAuthHandler) GetAuthSigningKeyID(client AuthenticationMethodClient) string
func (*TokenEndpointClientAuthHandler) Name ¶ added in v0.1.12
func (h *TokenEndpointClientAuthHandler) Name() string
type TokenEndpointHandler ¶
type TokenEndpointHandler interface { // PopulateTokenEndpointResponse is responsible for setting return values and should only be executed if // the handler's HandleTokenEndpointRequest did not return ErrUnknownRequest. PopulateTokenEndpointResponse(ctx context.Context, requester AccessRequester, responder AccessResponder) error // HandleTokenEndpointRequest handles an authorize request. If the handler is not responsible for handling // the request, this method should return ErrUnknownRequest and otherwise handle the request. HandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) error // CanSkipClientAuth indicates if client authentication can be skipped. By default it MUST be false, unless you are // implementing extension grant type, which allows unauthenticated client. CanSkipClientAuth must be called // before HandleTokenEndpointRequest to decide, if AccessRequester will contain authenticated client. CanSkipClientAuth(ctx context.Context, requester AccessRequester) bool // CanHandleTokenEndpointRequest indicates, if TokenEndpointHandler can handle this request or not. If true, // HandleTokenEndpointRequest can be called. CanHandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) bool }
type TokenEndpointHandlers ¶
type TokenEndpointHandlers []TokenEndpointHandler
TokenEndpointHandlers is a list of TokenEndpointHandler
func (*TokenEndpointHandlers) Append ¶
func (t *TokenEndpointHandlers) Append(h TokenEndpointHandler)
Append adds an TokenEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
type TokenEndpointHandlersProvider ¶
type TokenEndpointHandlersProvider interface { // GetTokenEndpointHandlers returns the token endpoint handlers. GetTokenEndpointHandlers(ctx context.Context) (handlers TokenEndpointHandlers) }
TokenEndpointHandlersProvider returns the provider for configuring the token endpoint handlers.
type TokenEntropyProvider ¶
type TokenEntropyProvider interface { // GetTokenEntropy returns the token entropy. GetTokenEntropy(ctx context.Context) (entropy int) }
TokenEntropyProvider returns the provider for configuring the token entropy.
type TokenIntrospectionHandlers ¶
type TokenIntrospectionHandlers []TokenIntrospector
TokenIntrospectionHandlers is a list of TokenValidator
func (*TokenIntrospectionHandlers) Append ¶
func (t *TokenIntrospectionHandlers) Append(h TokenIntrospector)
Append adds an AccessTokenValidator to this list. Ignores duplicates based on reflect.TypeOf.
type TokenIntrospectionHandlersProvider ¶
type TokenIntrospectionHandlersProvider interface { // GetTokenIntrospectionHandlers returns the token introspection handlers. GetTokenIntrospectionHandlers(ctx context.Context) (handlers TokenIntrospectionHandlers) }
TokenIntrospectionHandlersProvider returns the provider for configuring the token introspection handlers.
type TokenIntrospector ¶
type UseLegacyErrorFormatProvider
type UseLegacyErrorFormatProvider interface { // GetUseLegacyErrorFormat returns whether to use the legacy error format. // // Deprecated: Do not use this flag anymore. GetUseLegacyErrorFormat(ctx context.Context) (use bool) }
UseLegacyErrorFormatProvider returns the provider for configuring whether to use the legacy error format.
Deprecated: Do not use this flag anymore.
type UserInfoClient ¶ added in v0.1.15
type UserInfoClient interface { // GetUserinfoSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the User // Info specifications. If unspecified the other available parameters will be utilized to select an appropriate // key. GetUserinfoSignedResponseKeyID() (kid string) // GetUserinfoSignedResponseAlg is equivalent to the 'userinfo_signed_response_alg' client metadata value which // determines the JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the // response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo // Response to return the Claims as a UTF-8 [RFC3629] encoded JSON object using the application/json content-type. GetUserinfoSignedResponseAlg() (alg string) // GetUserinfoEncryptedResponseKeyID returns the specific key identifier used to satisfy JWE requirements of the // User Info specifications. If unspecified the other available parameters will be utilized to select an appropriate // key. GetUserinfoEncryptedResponseKeyID() (kid string) // GetUserinfoEncryptedResponseAlg is equivalent to the 'userinfo_encrypted_response_alg' client metadata value // which determines the JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If // this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in // [JWT]. The default, if omitted, is that no encryption is performed. GetUserinfoEncryptedResponseAlg() (alg string) // GetUserinfoEncryptedResponseEnc is equivalent to the 'userinfo_encrypted_response_enc' client metadata value // which determines the JWE enc algorithm [JWA] REQUIRED for encrypting UserInfo Responses. If // userinfo_encrypted_response_alg is specified, the default userinfo_encrypted_response_enc value is A128CBC-HS256. // When userinfo_encrypted_response_enc is included, userinfo_encrypted_response_alg MUST also be provided. GetUserinfoEncryptedResponseEnc() (enc string) JSONWebKeysClient }
UserInfoClient is a client which can satisfy all JWS and JWE requirements of the User Info responses.
type VerifiableCredentialsNonceLifespanProvider ¶
type VerifiableCredentialsNonceLifespanProvider interface { // GetVerifiableCredentialsNonceLifespan returns the nonce lifespan. GetVerifiableCredentialsNonceLifespan(ctx context.Context) time.Duration }
VerifiableCredentialsNonceLifespanProvider returns the provider for configuring the access token lifespan.
