oidc

package module

v0.1.0 Latest Latest Go to latest Published: Jan 27, 2024 License: MPL-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

git.sr.ht/~mpldr/oidc

Links

Open Source Insights

README ¶

Oh, I don't care

OIDC stands for Open ID Connect, but honestly I just don't give a shit about its internals. What's the use of a well-known address if it's not used most of the time?! Introducing: Oh, I don't care. Taking the pain out of OIDC.

How it works

It's really difficult:

// create a config
cfg := oidc.Configure("https://sso.provi.de/application/o/my-cool-app/.well-known/openid-configuration")
cfg.SetCredentials(clientID, clientSecret)
cfg.SetScopes("openid", "email") // optional: set scopes

Then you redirect the user to the application:

func (a *Authenticator) signIn(w http.ResponseWriter, r *http.Request) {
	url := a.cfg.GetAuthorizationURL()
	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
}

And wait for the callback:

func (a *Authenticator) callback(w http.ResponseWriter, r *http.Request) {
	tok, err := a.cfg.Callback(r.FormValue("code"), r.FormValue("state"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusUnauthorized)
		return
	}

	// set a cookie, initialize a session, do stuff
}

Licence

This project is licensed under the MPL-2.0 licence. See the licence header in each file.

Documentation ¶

Overview ¶

Package oidc is a simple OpenID Connect client library for Go. Its goal is to make OIDC based authentication as easy as it should be. Give it the application URL, provide credentials, done.

Why should this exist? Honestly, it shouldn't. I don't know if I missed the other 200 libraries out there that already solve this issue, or if I am really the first person to think of it.

There are also examples available, even if pkg.go.dev decides not to show them. Just check the sourcecode for simple examples on how to use the various functions.

Index ¶

Constants
Variables
type Configuration
- func Configure(address string, callbackURL string, opts ...option) (*Configuration, error)
type Token

Constants ¶

View Source

const (
	// OptionSkipScopeValidation disables the scope validation. This is
	// intended to only be used if a known non-standard compliant service
	// *has* to be used.
	OptionSkipScopeValidation option = 1 << iota
	// OptionDisableCSRFProtection disables CSRF protection.
	OptionDisableCSRFProtection
	// OptionForceApprovalPrompt forces the user to approve the login.
	OptionForceApprovalPrompt
	// OptionRequestOfflineToken sends a request for an offline token. This
	// is only useful if the token is used without user-interaction to
	// authenticate with another system.
	OptionRequestOfflineToken
	// OptionSkipTokenValidation skips the validation of the returned JWT.
	OptionSkipTokenValidation
)

View Source

const (
	TokenClaimAddressFormattedKey     = openid.AddressFormattedKey
	TokenClaimAddressStreetAddressKey = openid.AddressStreetAddressKey
	TokenClaimAddressLocalityKey      = openid.AddressLocalityKey
	TokenClaimAddressRegionKey        = openid.AddressRegionKey
	TokenClaimAddressPostalCodeKey    = openid.AddressPostalCodeKey
	TokenClaimAddressCountryKey       = openid.AddressCountryKey
	TokenClaimAddressKey              = openid.AddressKey
	TokenClaimBirthdateKey            = openid.BirthdateKey
	TokenClaimEmailKey                = openid.EmailKey
	TokenClaimEmailVerifiedKey        = openid.EmailVerifiedKey
	TokenClaimFamilyNameKey           = openid.FamilyNameKey
	TokenClaimGenderKey               = openid.GenderKey
	TokenClaimGivenNameKey            = openid.GivenNameKey
	TokenClaimLocaleKey               = openid.LocaleKey
	TokenClaimMiddleNameKey           = openid.MiddleNameKey
	TokenClaimNameKey                 = openid.NameKey
	TokenClaimNicknameKey             = openid.NicknameKey
	TokenClaimPhoneNumberKey          = openid.PhoneNumberKey
	TokenClaimPhoneNumberVerifiedKey  = openid.PhoneNumberVerifiedKey
	TokenClaimPictureKey              = openid.PictureKey
	TokenClaimPreferredUsernameKey    = openid.PreferredUsernameKey
	TokenClaimProfileKey              = openid.ProfileKey
	TokenClaimUpdatedAtKey            = openid.UpdatedAtKey
	TokenClaimWebsiteKey              = openid.WebsiteKey
	TokenClaimZoneinfoKey             = openid.ZoneinfoKey
)

Variables ¶

View Source

var (
	// ErrScopeUnsupported is returned if the service does not advertise
	// support for a particular scope.
	ErrScopeUnsupported = errors.New("scope not supported")
	// ErrCSRFValidationFailed is returned if the validation of the CSRF
	// token failed.
	ErrCSRFValidationFailed = errors.New("CSRF validation failed")
)

Functions ¶

This section is empty.

Types ¶

type Configuration ¶

type Configuration struct {
	// contains filtered or unexported fields
}

Configuration wraps an OIDC service

func Configure ¶

func Configure(address string, callbackURL string, opts ...option) (*Configuration, error)

Configure parses the well-known config and returns a Configuration based on it. The .well-known/openid-configuration is automatically appended. In case of a non-standard endpoint, the direct response is also parsed. callbackURL is where the callback-handler is wired up to.

func (*Configuration) Callback ¶

func (cfg *Configuration) Callback(code, state string) (*Token, error)

Callback completes the authentication of a user and returns a token for the user.

func (*Configuration) GetAuthorizationURL ¶

func (cfg *Configuration) GetAuthorizationURL() string

GetAuthorizationURL returns the authorization URL. Redirect your user to the returned URL and be happy.

func (*Configuration) LogoutURL ¶

func (cfg *Configuration) LogoutURL() string

LogoutURL returns the generic logout URL

func (*Configuration) ParseJWT ¶

func (cfg *Configuration) ParseJWT(token string) (*Token, error)

ParseJWT parses and validates a provided token for example from an Authorization header.

func (*Configuration) SetCredentials ¶

func (cfg *Configuration) SetCredentials(clientID, clientSecret string)

SetCredentials sets the clientID and clientSecret for the service.

func (*Configuration) SetScopes ¶

func (cfg *Configuration) SetScopes(scopes ...string) error

SetScopes sets the scopes for the service. They are checked against the scopes advertised by the service, and ErrScopeUnsupported is returned if the service does not advertise support for this scope.

func (*Configuration) UseAppPassword ¶

func (cfg *Configuration) UseAppPassword(username, password string) (*Token, error)

UseAppPassword returns a token using the app password flow. This is less secure and should be generally avoided.

type Token ¶

type Token struct {
	// contains filtered or unexported fields
}

Token returns an OIDC token returned by the service

func (*Token) Address ¶

func (t *Token) Address() *openid.AddressClaim

func (*Token) Audience ¶

func (t *Token) Audience() []string

func (*Token) Birthdate ¶

func (t *Token) Birthdate() time.Time

func (*Token) Email ¶

func (t *Token) Email() string

func (*Token) EmailVerified ¶

func (t *Token) EmailVerified() bool

func (*Token) Expiration ¶

func (t *Token) Expiration() time.Time

func (*Token) FamilyName ¶

func (t *Token) FamilyName() string

func (*Token) Gender ¶

func (t *Token) Gender() string

func (*Token) GetField ¶

func (t *Token) GetField(field string) (any, bool)

GetField returns the specified field and whether or not it is set.

func (*Token) GivenName ¶

func (t *Token) GivenName() string

func (*Token) Locale ¶

func (t *Token) Locale() string

func (*Token) LogoutURL ¶

func (t *Token) LogoutURL() string

LogoutURL returns the logout URL to invalidate the token

func (*Token) MiddleName ¶

func (t *Token) MiddleName() string

func (*Token) Name ¶

func (t *Token) Name() string

func (*Token) Nickname ¶

func (t *Token) Nickname() string

func (*Token) PhoneNumber ¶

func (t *Token) PhoneNumber() string

func (*Token) PhoneNumberVerified ¶

func (t *Token) PhoneNumberVerified() bool

func (*Token) Picture ¶

func (t *Token) Picture() string

func (*Token) PreferredUsername ¶

func (t *Token) PreferredUsername() string

func (*Token) Profile ¶

func (t *Token) Profile() string

func (*Token) String ¶

func (t *Token) String() string

String returns the initially received ID Token

func (*Token) Subject ¶

func (t *Token) Subject() string

func (*Token) Token ¶

func (t *Token) Token() (*oauth2.Token, error)

Token returns the current OAuth2 token associated with the OIDC token. You probably don't want this.

func (*Token) UpdateClaims ¶

func (t *Token) UpdateClaims() error

UpdateClaims forces an update of the information in a token. By default, the results are cached and if a user was to change any field in the identity provider, they have to login again for the token to reflect that.

func (*Token) UpdatedAt ¶

func (t *Token) UpdatedAt() time.Time

func (*Token) Valid ¶

func (t *Token) Valid() bool

Valid returns true if the token is still valid

func (*Token) Website ¶

func (t *Token) Website() string

func (*Token) Zoneinfo ¶

func (t *Token) Zoneinfo() string

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
example

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL