oidc

package module
v1.0.0-beta.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 10, 2024 License: BSD-3-Clause Imports: 14 Imported by: 3

README

oidc

Go Reference

Module that provides extensions for OIDC usage with x/oauth2, as well as some other extended oauth2 usage.

The root package provides functions around interacting with an OIDC provider. The provider can be discovered from the issuer URL, or manually configured. The provider instance can be used to verify the issued ID tokens, and access tokens if they comply with the JWT Profile.

Some other packages are provided:

  • clitoken Implements the three-legged OIDC flow for local/CLI applications, with a dynamic server on the loopback to handle the callback
  • middleware Provides a HTTP middleware to secure a path against an OIDC issuer
  • tokencache Provides a mechanism for caching and refreshing tokens.

Examples:

  • cmd/oidc-example-rp An example of a webapp that authenticates via OIDC
  • cmd/oidcli A CLI tool that uses the clitoken package to retrieve ID/Access tokens, and return them or information about them.

Documentation

Overview

Package oidc implements an OIDC client library

Index

Constants

View Source 
const (
	CodeChallengeMethodPlain = "plain"
	CodeChallengeMethodS256  = "S256"
)
View Source 
const (
	// ScopeOpenID is the base OpenID Connect scope.
	ScopeOpenID = "openid"
	// ScopeProfile requests access to the user's default profile claims, which
	// are: name, family_name, given_name, middle_name, nickname,
	// preferred_username, profile, picture, website.
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeProfile = "profile"
	// ScopeEmail requests access to the email and email_verified claims.
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeEmail = "email"
	// ScopePhone requests access to the phone_number and phone_number_verified
	// claims. https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopePhone = "phone"
	// ScopeAddress requests access to the address claim.
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeAddress = "address"
	// ScopeOfflineAccess requests offline access, i.e issue a refresh token.
	// https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
	ScopeOfflineAccess = "offline_access"
)
View Source 
const (
	ACRMultiFactor         string = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
	ACRMultiFactorPhysical string = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"

	AMROTP string = "otp"
)
View Source 
const DefaultProviderCacheDuration = 15 * time.Minute

Variables

This section is empty.

Functions

func AddIDToken 

func AddIDToken(tok *oauth2.Token, idToken string) *oauth2.Token

AddIDToken reconstructs the oauth2 token, with the ID token added. This exists because the serialized form of the oauth2 token does not contain the extra/ID token info, so this safely allows a token to be stored and t

func GetIDToken 

func GetIDToken(tok *oauth2.Token) (string, bool)

GetIDToken extracts the ID token from the given oauth2 Token

func NewIDTokenSource deprecated 

func NewIDTokenSource(ts oauth2.TokenSource, provider *Provider) oauth2.TokenSource

NewIDTokenSource wraps a token source, re-writing the ID token as the access token for outgoing requests. This is a backwards compatibility option for services that expect the ID token contents, or where the access token is not a JWT/not otherwise verifiable. It should be the _last_ token source in any chain, the result from this should not be cached. Provider is optional, if provided it will be used to set the token expiry based on the issued token's expiry. If nil, the oauth2 token endpoint expiration will be used, which may or may not correlate with the ID token's expiration.

Deprecated: Services should expect oauth2 access tokens, and use the userinfo endpoint if profile information is required. This will not be removed, but is marked as deprecated to require explcit opt-in for linting etc.

func SetACRValues 

func SetACRValues(acrValues []string) oauth2.AuthCodeOption

func SetNonce 

func SetNonce(nonce string) oauth2.AuthCodeOption

Types

type AccessTokenClaims 

type AccessTokenClaims struct {
	// REQUIRED. https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1
	Issuer string `json:"iss,omitempty"`
	// REQUIRED. https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4
	Expiry UnixTime `json:"exp,omitempty"`
	// REQUIRED. https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3
	Audience StrOrSlice `json:"aud,omitempty"`
	// REQUIRED - as defined in Section 4.1.2 of [RFC7519]. In cases
	// of access tokens obtained through grants where a resource owner is
	// involved, such as the authorization code grant, the value of "sub" SHOULD
	// correspond to the subject identifier of the resource owner. In cases of
	// access tokens obtained through grants where no resource owner is
	// involved, such as the client credentials grant, the value of "sub" SHOULD
	// correspond to an identifier the authorization server uses to indicate the
	// client application. See Section 5 for more details on this scenario.
	// Also, see Section 6 for a discussion about how different choices in
	// assigning "sub" values can impact privacy.
	// https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2
	Subject string `json:"sub,omitempty"`
	// REQUIRED. https://www.rfc-editor.org/rfc/rfc8693#section-4.3
	ClientID string `json:"client_id,omitempty"`
	// REQUIRED. https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6
	IssuedAt UnixTime `json:"iat,omitempty"`
	// REQUIRED. https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7
	JWTID string `json:"jti,omitempty"`
	// https://www.rfc-editor.org/rfc/rfc8693#section-4.2
	Scope string `json:"scope,omitempty"`
	// Time when the End-User authentication occurred. Its value is a JSON
	// number representing the number of seconds from 1970-01-01T0:0:0Z as
	// measured in UTC until the date/time. When a max_age request is made or
	// when auth_time is requested as an Essential Claim, then this Claim is
	// REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim
	// semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time
	// response parameter.)
	//
	// https://openid.net/specs/openid-connect-core-1_0.html
	AuthTime UnixTime `json:"auth_time,omitempty"`
	// OPTIONAL. Authentication Context Class Reference. String specifying an
	// Authentication Context Class Reference value that identifies the
	// Authentication Context Class that the authentication performed satisfied.
	// The value "0" indicates the End-User authentication did not meet the
	// requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a
	// long-lived browser cookie, for instance, is one example where the use of
	// "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used
	// to authorize access to any resource of any monetary value. (This
	// corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An
	// absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as
	// the acr value; registered names MUST NOT be used with a different meaning
	// than that which is registered. Parties using this claim will need to
	// agree upon the meanings of the values used, which may be
	// context-specific. The acr value is a case sensitive string.
	//
	// https://openid.net/specs/openid-connect-core-1_0.html
	ACR string `json:"acr,omitempty"`
	// OPTIONAL. Authentication Methods References. JSON array of strings that
	// are identifiers for authentication methods used in the authentication.
	// For instance, values might indicate that both password and OTP
	// authentication methods were used. The definition of particular values to
	// be used in the amr Claim is beyond the scope of this specification.
	// Parties using this claim will need to agree upon the meanings of the
	// values used, which may be context-specific. The amr value is an array of
	// case sensitive strings.
	//
	// https://openid.net/specs/openid-connect-core-1_0.html
	AMR []string `json:"amr,omitempty"`

	// https://datatracker.ietf.org/doc/html/rfc9068#section-2.2.3.1 |
	// https://www.rfc-editor.org/rfc/rfc7643#section-4.1.2
	//
	// TODO(lstoll) - do we want to support the more complex than a list version
	// of these, i.e https://www.rfc-editor.org/rfc/rfc7643#section-8.2 ?
	Groups []string `json:"groups,omitempty"`
	// https://datatracker.ietf.org/doc/html/rfc9068#section-2.2.3.1 |
	// https://www.rfc-editor.org/rfc/rfc7643#section-4.1.2
	Roles []string `json:"roles,omitempty"`
	// https://datatracker.ietf.org/doc/html/rfc9068#section-2.2.3.1 |
	// https://www.rfc-editor.org/rfc/rfc7643#section-4.1.2
	Entitlements []string `json:"entitlements,omitempty"`
}

AccessTokenClaims represents the set of JWT claims for an OAuth2 JWT Access token.

https://datatracker.ietf.org/doc/html/rfc9068

func AccessTokenClaimsFromJWT 

func AccessTokenClaimsFromJWT(verified *jwt.VerifiedJWT) (*AccessTokenClaims, error)

func (*AccessTokenClaims) String 

func (a *AccessTokenClaims) String() string

func (*AccessTokenClaims) ToJWT 

func (a *AccessTokenClaims) ToJWT(extraClaims map[string]any) (*jwt.RawJWT, error)

type AccessTokenValidationOpts 

type AccessTokenValidationOpts struct {
	Audience       string
	IgnoreAudience bool

	// IgnoreTokenTypeHeader header ignores the type header for Access
	// Tokens, rather than requiring it to be the correct value.
	IgnoreTokenTypeHeader bool

	// ACRValues can contain a list of ACRs the token should satisfy. If none of
	// these values are found in the token ACR, validation will fail.
	ACRValues []string
}

AccessTokenValidationOpts configures the validation of an OAuth2 JWT Access Token

type CodeChallengeMethod 

type CodeChallengeMethod string

CodeChallengeMethod is https://www.rfc-editor.org/rfc/rfc7636#section-4.3

type DiscoverOptions 

type DiscoverOptions struct {
	// OverridePublicHandle allows setting an alternate source for the public
	// keyset for this provider. If set, rather than retrieving the JWKS from
	// the provider this function will be called to get a handle to the keyset
	// to verify against. Results from this will not be subject to the normal
	// cache duration for the provider.
	OverridePublicHandle PublicHandle

	// HTTPClient sets the client used for discovery actions. Defaults to
	// http.DefaultClient
	HTTPClient *http.Client
}

DiscoverOptions are used to customize the discovery process. If fields are set, the corresponding field will be set on the returned provider as well.

type IDClaims 

type IDClaims struct {
	// REQUIRED. Issuer Identifier for the Issuer of the response. The iss value
	// is a case sensitive URL using the https scheme that contains scheme,
	// host, and optionally, port number and path components and no query or
	// fragment components.
	Issuer string `json:"iss,omitempty"`
	// REQUIRED. Subject Identifier. A locally unique and never reassigned
	// identifier within the Issuer for the End-User, which is intended to be
	// consumed by the Client, e.g., 24400320 or
	// AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII
	// characters in length. The sub value is a case sensitive string.
	Subject string `json:"sub,omitempty"`
	// REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain
	// the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY
	// also contain identifiers for other audiences.
	Audience StrOrSlice `json:"aud,omitempty"`
	// REQUIRED. Expiration time on or after which the ID Token MUST NOT be
	// accepted for processing. The processing of this parameter requires that
	// the current date/time MUST be before the expiration date/time listed in
	// the value. Implementers MAY provide for some small leeway, usually no
	// more than a few minutes, to account for clock skew.
	Expiry UnixTime `json:"exp,omitempty"`
	// OPTIONAL. The "nbf" (not before) claim identifies the time before which
	// the JWT MUST NOT be accepted for processing.  The processing of the "nbf"
	// claim requires that the current date/time MUST be after or equal to the
	// not-before date/time listed in the "nbf" claim.  Implementers MAY provide
	// for some small leeway, usually no more than a few minutes, to account for
	// clock skew.  Its value MUST be a number containing a NumericDate value.
	NotBefore UnixTime `json:"nbf,omitempty"`
	// REQUIRED. Time at which the JWT was issued.
	IssuedAt UnixTime `json:"iat,omitempty"`
	// Time when the End-User authentication occurred. Its value is a JSON
	// number representing the number of seconds from 1970-01-01T0:0:0Z as
	// measured in UTC until the date/time. When a max_age request is made or
	// when auth_time is requested as an Essential Claim, then this Claim is
	// REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim
	// semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time
	// response parameter.)
	AuthTime UnixTime `json:"auth_time,omitempty"`
	// String value used to associate a Client session with an ID Token, and to
	// mitigate replay attacks. The value is passed through unmodified from the
	// Authentication Request to the ID Token. If present in the ID Token,
	// Clients MUST verify that the nonce Claim Value is equal to the value of
	// the nonce parameter sent in the Authentication Request. If present in the
	// Authentication Request, Authorization Servers MUST include a nonce Claim
	// in the ID Token with the Claim Value being the nonce value sent in the
	// Authentication Request. Authorization Servers SHOULD perform no other
	// processing on nonce values used. The nonce value is a case sensitive
	// string.
	Nonce string `json:"nonce,omitempty"`
	// OPTIONAL. Authentication Context Class Reference. String specifying an
	// Authentication Context Class Reference value that identifies the
	// Authentication Context Class that the authentication performed satisfied.
	// The value "0" indicates the End-User authentication did not meet the
	// requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a
	// long-lived browser cookie, for instance, is one example where the use of
	// "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used
	// to authorize access to any resource of any monetary value. (This
	// corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An
	// absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as
	// the acr value; registered names MUST NOT be used with a different meaning
	// than that which is registered. Parties using this claim will need to
	// agree upon the meanings of the values used, which may be
	// context-specific. The acr value is a case sensitive string.
	ACR string `json:"acr,omitempty"`
	// OPTIONAL. Authentication Methods References. JSON array of strings that
	// are identifiers for authentication methods used in the authentication.
	// For instance, values might indicate that both password and OTP
	// authentication methods were used. The definition of particular values to
	// be used in the amr Claim is beyond the scope of this specification.
	// Parties using this claim will need to agree upon the meanings of the
	// values used, which may be context-specific. The amr value is an array of
	// case sensitive strings.
	AMR []string `json:"amr,omitempty"`
	// OPTIONAL. Authorized party - the party to which the ID Token was issued.
	// If present, it MUST contain the OAuth 2.0 Client ID of this party. This
	// Claim is only needed when the ID Token has a single audience value and
	// that audience is different than the authorized party. It MAY be included
	// even when the authorized party is the same as the sole audience. The azp
	// value is a case sensitive string containing a StringOrURI value.
	AZP string `json:"azp,omitempty"`
}

IDClaims represents the set of JWT claims for a user ID Token, or userinfo endpoint.

https://openid.net/specs/openid-connect-core-1_0.html#IDClaims

func IDClaimsFromJWT 

func IDClaimsFromJWT(verified *jwt.VerifiedJWT) (*IDClaims, error)

func (*IDClaims) String 

func (i *IDClaims) String() string

func (*IDClaims) ToJWT 

func (i *IDClaims) ToJWT(extraClaims map[string]any) (*jwt.RawJWT, error)

type IDTokenValidationOpts 

type IDTokenValidationOpts struct {
	// Audience claim to expect in the ID token. Often corresponds to the Client
	// ID
	Audience       string
	IgnoreAudience bool

	// ACRValues can contain a list of ACRs the token should satisfy. If none of
	// these values are found in the token ACR, validation will fail.
	ACRValues []string
}

IDTokenValidationOpts configures the validation of an OIDC ID token

type Provider 

type Provider struct {
	// Metadata for the OIDC provider configuration
	Metadata *ProviderMetadata
	// HTTPClient used for keyset fetching. Defaults to http.DefaultClient
	HTTPClient *http.Client
	// CacheDuration sets the time a keyset is cached for, before considering
	// re-fetching it. If not set, DefaultProviderCacheDuration is used.
	CacheDuration time.Duration
	// OverridePublicHandle allows setting an alternate source for the public
	// keyset for this provider. If set, rather than retrieving the JWKS from
	// the provider this function will be called to get a handle to the keyset
	// to verify against. Results from this will not be subject to the normal
	// cache duration for the provider.
	OverrideHandle PublicHandle
	// contains filtered or unexported fields
}

Provider represents an OIDC Provider/issuer. It can provide a set of oauth2 endpoints for the authentication flow, and verify tokens issued by the provider against it. It can be constructed via DiscoverProvider

func DiscoverProvider 

func DiscoverProvider(ctx context.Context, issuer string, opts *DiscoverOptions) (*Provider, error)

DiscoverProvider will discover Provider from the given issuer. The returned provider can be modified as needed.

func (*Provider) Endpoint 

func (p *Provider) Endpoint() oauth2.Endpoint

Endpoint returns the OAuth2 endpoint configuration for this provider.

func (*Provider) FetchKeys 

func (p *Provider) FetchKeys(ctx context.Context) error

FetchKeys retrieve the current signing keyset from the discovered jwks URL, and updates the cache on the provider. This can be used in a background routine to ensure the cache is always up-to-date, and avoid the verification methods potentially having to wait on a fetch. It can also be used to implement revocation.

func (*Provider) PublicHandle 

func (p *Provider) PublicHandle(ctx context.Context) (*keyset.Handle, error)

PublicHandle returns a public handle to the verification keyset for this issuer. If there is a cached version within its life it will be returned, otherwise it will be refreshed from the provider.

func (*Provider) Userinfo 

func (p *Provider) Userinfo(ctx context.Context, tokenSource oauth2.TokenSource) ([]byte, *IDClaims, error)

Userinfo calls the OIDC userinfo endpoint with the given credentials, returning the raw JSON response and parsed standard ID claims from this.

func (*Provider) VerifyAccessToken 

func (p *Provider) VerifyAccessToken(ctx context.Context, tok *oauth2.Token, opts AccessTokenValidationOpts) (*jwt.VerifiedJWT, *AccessTokenClaims, error)

VerifyAccessToken verifies an OAuth2 access token issued by this provider. If successful, the verified token and standard claims associated with it will be returned. Options should either have an audience specified, or have audience validation opted out of.

func (*Provider) VerifyIDToken 

func (p *Provider) VerifyIDToken(ctx context.Context, tok *oauth2.Token, opts IDTokenValidationOpts) (*jwt.VerifiedJWT, *IDClaims, error)

VerifyIDToken verifies an OIDC ID token issued by this provider. If successful, the verified token and standard claims associated with it will be returned. Options should either have an audience specified, or have audience validation opted out of.

func (*Provider) VerifyToken 

func (p *Provider) VerifyToken(ctx context.Context, rawJWT string, opts *jwt.ValidatorOpts) (*jwt.VerifiedJWT, error)

VerifyToken is a low-level function that verifies the raw JWT against the keyset for this provider. In most cases, one of the higher level ID token/access token methods should be used. This will always try and use the cached keyset, only falling back to a refresh if validation with the current keys fails.. It will return the verified JWT contents. This can be used against a JWT issued by this provider for any purpose. The validator opts should be provided to verify the audience/client ID and other required fields. Opts can be used to pass validation opts for the token, the issuer will always be set to the issuer for this provider and cannot be ignored.

type ProviderMetadata 

type ProviderMetadata struct {
	// REQUIRED. URL using the https scheme with no query or fragment component
	// that the OP asserts as its Issuer Identifier. If Issuer discovery is
	// supported (see Section 2), this value MUST be identical to the issuer
	// value returned by WebFinger. This also MUST be identical to the iss Claim
	// value in ID Tokens issued from this Issuer.
	Issuer string `json:"issuer,omitempty"`
	// REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
	// URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED
	// unless only the Implicit Flow is used.
	TokenEndpoint string `json:"token_endpoint,omitempty"`
	// RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL
	// MUST use the https scheme and MAY contain port, path, and query parameter
	// components.
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
	// REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains
	// the signing key(s) the RP uses to validate signatures from the OP. The
	// JWK Set MAY also contain the Server's encryption key(s), which are used
	// by RPs to encrypt requests to the Server. When both signing and
	// encryption keys are made available, a use (Key Use) parameter value is
	// REQUIRED for all keys in the referenced JWK Set to indicate each key's
	// intended usage. Although some algorithms allow the same key to be used
	// for both signatures and encryption, doing so is NOT RECOMMENDED, as it is
	// less secure. The JWK x5c parameter MAY be used to provide X.509
	// representations of keys provided. When used, the bare key values MUST
	// still be present and MUST match those in the certificate.
	JWKSURI string `json:"jwks_uri,omitempty"`
	// RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint
	// [OpenID.Registration].
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
	// RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749]
	// scope values that this server supports. The server MUST support the
	// openid scope value. Servers MAY choose not to advertise some supported
	// scope values even when this parameter is used, although those defined in
	// [OpenID.Core] SHOULD be listed, if supported.
	ScopesSupported []string `json:"scopes_supported,omitempty"`
	// REQUIRED. JSON array containing a list of the OAuth 2.0 response_type
	// values that this OP supports. Dynamic OpenID Providers MUST support the
	// code, id_token, and the token id_token Response Type values.
	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode
	// values that this OP supports, as specified in OAuth 2.0 Multiple Response
	// Type Encoding Practices [OAuth.Responses]. If omitted, the default for
	// Dynamic OpenID Providers is ["query", "fragment"].
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values
	// that this OP supports. Dynamic OpenID Providers MUST support the
	// authorization_code and implicit Grant Type values and MAY support other
	// Grant Types. If omitted, the default value is ["authorization_code",
	// "implicit"].
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the Authentication Context
	// Class References that this OP supports.
	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
	// REQUIRED. JSON array containing a list of the Subject Identifier types
	// that this OP supports. Valid types include pairwise and public.
	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
	// REQUIRED. JSON array containing a list of the JWS signing algorithms (alg
	// values) supported by the OP for the ID Token to encode the Claims in a
	// JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be
	// supported, but MUST NOT be used unless the Response Type used returns no
	// ID Token from the Authorization Endpoint (such as when using the
	// Authorization Code Flow).
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
	// (alg values) supported by the OP for the ID Token to encode the Claims in
	// a JWT [JWT].
	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
	// (enc values) supported by the OP for the ID Token to encode the Claims in
	// a JWT [JWT].
	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWS [JWS] signing
	// algorithms (alg values) [JWA] supported by the UserInfo Endpoint to
	// encode the Claims in a JWT [JWT]. The value none MAY be included.
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWE [JWE] encryption
	// algorithms (alg values) [JWA] supported by the UserInfo Endpoint to
	// encode the Claims in a JWT [JWT].
	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
	// (enc values) [JWA] supported by the UserInfo Endpoint to encode the
	// Claims in a JWT [JWT].
	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg
	// values) supported by the OP for Request Objects, which are described in
	// Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms
	// are used both when the Request Object is passed by value (using the
	// request parameter) and when it is passed by reference (using the
	// request_uri parameter). Servers SHOULD support none and RS256.
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
	// (alg values) supported by the OP for Request Objects. These algorithms
	// are used both when the Request Object is passed by value and when it is
	// passed by reference.
	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWE encryption algorithms
	// (enc values) supported by the OP for Request Objects. These algorithms
	// are used both when the Request Object is passed by value and when it is
	// passed by reference.
	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of Client Authentication methods
	// supported by this Token Endpoint. The options are client_secret_post,
	// client_secret_basic, client_secret_jwt, and private_key_jwt, as described
	// in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other
	// authentication methods MAY be defined by extensions. If omitted, the
	// default is client_secret_basic -- the HTTP Basic Authentication Scheme
	// specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg
	// values) supported by the Token Endpoint for the signature on the JWT
	// [JWT] used to authenticate the Client at the Token Endpoint for the
	// private_key_jwt and client_secret_jwt authentication methods. Servers
	// SHOULD support RS256. The value none MUST NOT be used.
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the display parameter values
	// that the OpenID Provider supports. These values are described in Section
	// 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].
	DisplayValuesSupported []string `json:"display_values_supported,omitempty"`
	// OPTIONAL. JSON array containing a list of the Claim Types that the OpenID
	// Provider supports. These Claim Types are described in Section 5.6 of
	// OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this
	// specification are normal, aggregated, and distributed. If omitted, the
	// implementation supports only normal Claims.
	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`
	// RECOMMENDED. JSON array containing a list of the Claim Names of the
	// Claims that the OpenID Provider MAY be able to supply values for. Note
	// that for privacy or other reasons, this might not be an exhaustive list.
	ClaimsSupported []string `json:"claims_supported,omitempty"`
	// OPTIONAL. URL of a page containing human-readable information that
	// developers might want or need to know when using the OpenID Provider. In
	// particular, if the OpenID Provider does not support Dynamic Client
	// Registration, then information on how to register Clients needs to be
	// provided in this documentation.
	ServiceDocumentation string `json:"service_documentation,omitempty"`
	// OPTIONAL. Languages and scripts supported for values in Claims being
	// returned, represented as a JSON array of BCP47 [RFC5646] language tag
	// values. Not all languages and scripts are necessarily supported for all
	// Claim values.
	ClaimLocalesSupported []string `json:"claims_locales_supported,omitempty"`
	// OPTIONAL. Languages and scripts supported for the user interface,
	// represented as a JSON array of BCP47 [RFC5646] language tag values.
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
	// OPTIONAL. Boolean value specifying whether the OP supports use of the
	// claims parameter, with true indicating support. If omitted, the default
	// value is false.
	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
	// OPTIONAL. Boolean value specifying whether the OP supports use of the
	// request parameter, with true indicating support. If omitted, the default
	// value is false.
	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
	// OPTIONAL. Boolean value specifying whether the OP supports use of the
	// request_uri parameter, with true indicating support. If omitted, the
	// default value is true.
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported,omitempty"`
	// OPTIONAL. Boolean value specifying whether the OP requires any
	// request_uri values used to be pre-registered using the request_uris
	// registration parameter. Pre-registration is REQUIRED when the value is
	// true. If omitted, the default value is false.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
	// OPTIONAL. URL that the OpenID Provider provides to the person registering
	// the Client to read about the OP's requirements on how the Relying Party
	// can use the data provided by the OP. The registration process SHOULD
	// display this URL to the person registering the Client if it is given.
	OPPolicyURI string `json:"op_policy_uri,omitempty"`
	// OPTIONAL. URL that the OpenID Provider provides to the person registering
	// the Client to read about OpenID Provider's terms of service. The
	// registration process SHOULD display this URL to the person registering
	// the Client if it is given.
	OPTOSURI string `json:"op_tos_uri,omitempty"`
	// OPTIONAL. JSON array containing a list of Proof Key for Code Exchange
	// (PKCE) [RFC7636] code challenge methods supported by this authorization
	// server.  Code challenge method values are used in the
	// "code_challenge_method" parameter defined in Section 4.3 of [RFC7636].
	// The valid code challenge method values are those registered in the IANA
	// "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters].  If
	// omitted, the authorization server does not support PKCE.
	//
	// https://www.rfc-editor.org/rfc/rfc8414.html#section-2
	CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
}

ProviderMetadata implements the JSON structure that describes the configuration of an OIDC provider

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

type PublicHandle 

type PublicHandle interface {
	PublicHandle(context.Context) (*keyset.Handle, error)
}

func NewStaticPublicHandle 

func NewStaticPublicHandle(h *keyset.Handle) PublicHandle

NewStaticPublicHandle creates a PublicHandle from a fixed keyset Handle. This handle is used for JWT verification, so must be for a JWT type and contain the public keys only.

type StrOrSlice 

type StrOrSlice []string

StrOrSlice represents a JWT claim that can either be a single string, or a list of strings..

func (StrOrSlice) Contains 

func (a StrOrSlice) Contains(s string) bool

Contains returns true if a passed item is found in the set

func (StrOrSlice) MarshalJSON 

func (a StrOrSlice) MarshalJSON() ([]byte, error)

func (*StrOrSlice) UnmarshalJSON 

func (a *StrOrSlice) UnmarshalJSON(b []byte) error

type TokenWithID 

type TokenWithID struct {
	*oauth2.Token
}

TokenWithID is a wrapper for an oauth2 token, that allows the ID Token to be serialized as well if present. This is used when a token needs to be saved/restored.

func (TokenWithID) MarshalJSON 

func (t TokenWithID) MarshalJSON() ([]byte, error)

func (*TokenWithID) UnmarshalJSON 

func (t *TokenWithID) UnmarshalJSON(b []byte) error

type UnixTime 

type UnixTime int64

UnixTime represents the number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. This is the type IDToken uses to represent dates

func (UnixTime) MarshalJSON 

func (u UnixTime) MarshalJSON() ([]byte, error)

func (UnixTime) Time 

func (u UnixTime) Time() time.Time

Time returns the *time.Time this represents

func (*UnixTime) UnmarshalJSON 

func (u *UnixTime) UnmarshalJSON(b []byte) error

Source Files

View all Source files

Directories

Path Synopsis
cmd
oidc-example-rp
oidccli

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.
JackTT - Gopher 🇻🇳