const (
ResponseModeDefault = ResponseModeType("")
ResponseModeFormPost = ResponseModeType("form_post")
ResponseModeQuery = ResponseModeType("query")
ResponseModeFragment = ResponseModeType("fragment")
)
const (
RequestContextKey = ContextKey("request")
AccessRequestContextKey = ContextKey("accessRequest")
AccessResponseContextKey = ContextKey("accessResponse")
AuthorizeRequestContextKey = ContextKey("authorizeRequest")
AuthorizeResponseContextKey = ContextKey("authorizeResponse")
)
const (
AccessToken TokenType = "access_token"
RefreshToken TokenType = "refresh_token"
AuthorizeCode TokenType = "authorize_code"
IDToken TokenType = "id_token"
BearerAccessToken string = "bearer"
)
const DefaultBCryptWorkFactor = 12
const MinParameterEntropy = 8
var (
// ErrInvalidatedAuthorizeCode is an error indicating that an authorization code has been
// used previously.
ErrInvalidatedAuthorizeCode = errors.New("Authorization code has ben invalidated")
// ErrSerializationFailure is an error indicating that the transactional capable storage could not guarantee
// consistency of Update & Delete operations on the same rows between multiple sessions.
ErrSerializationFailure = errors.New("The request could not be completed due to concurrent access")
ErrUnknownRequest = &RFC6749Error{
ErrorField: errUnknownErrorName,
DescriptionField: "The handler is not responsible for this request.",
CodeField: http.StatusBadRequest,
}
ErrRequestForbidden = &RFC6749Error{
ErrorField: errRequestForbidden,
DescriptionField: "The request is not allowed.",
HintField: "You are not allowed to perform this action.",
CodeField: http.StatusForbidden,
}
ErrInvalidRequest = &RFC6749Error{
ErrorField: errInvalidRequestName,
DescriptionField: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
HintField: "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
CodeField: http.StatusBadRequest,
}
= &RFC6749Error{
ErrorField: errUnauthorizedClientName,
DescriptionField: "The client is not authorized to request a token using this method.",
HintField: "Make sure that client id and secret are correctly specified and that the client exists.",
CodeField: http.StatusBadRequest,
}
ErrAccessDenied = &RFC6749Error{
ErrorField: errAccessDeniedName,
DescriptionField: "The resource owner or authorization server denied the request.",
HintField: "Make sure that the request you are making is valid. Maybe the credential or request parameters you are using are limited in scope or otherwise restricted.",
CodeField: http.StatusForbidden,
}
ErrUnsupportedResponseType = &RFC6749Error{
ErrorField: errUnsupportedResponseTypeName,
DescriptionField: "The authorization server does not support obtaining a token using this method.",
CodeField: http.StatusBadRequest,
}
ErrUnsupportedResponseMode = &RFC6749Error{
ErrorField: errUnsupportedResponseModeName,
DescriptionField: "The authorization server does not support obtaining a response using this response mode.",
CodeField: http.StatusBadRequest,
}
ErrInvalidScope = &RFC6749Error{
ErrorField: errInvalidScopeName,
DescriptionField: "The requested scope is invalid, unknown, or malformed.",
CodeField: http.StatusBadRequest,
}
ErrServerError = &RFC6749Error{
ErrorField: errServerErrorName,
DescriptionField: "The authorization server encountered an unexpected condition that prevented it from fulfilling the request.",
CodeField: http.StatusInternalServerError,
}
= &RFC6749Error{
ErrorField: errTemporarilyUnavailableName,
DescriptionField: "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.",
CodeField: http.StatusServiceUnavailable,
}
ErrUnsupportedGrantType = &RFC6749Error{
ErrorField: errUnsupportedGrantTypeName,
DescriptionField: "The authorization grant type is not supported by the authorization server.",
CodeField: http.StatusBadRequest,
}
ErrInvalidGrant = &RFC6749Error{
ErrorField: errInvalidGrantName,
DescriptionField: "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
CodeField: http.StatusBadRequest,
}
ErrInvalidClient = &RFC6749Error{
ErrorField: errInvalidClientName,
DescriptionField: "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).",
CodeField: http.StatusUnauthorized,
}
ErrInvalidState = &RFC6749Error{
ErrorField: errInvalidStateName,
DescriptionField: "The state is missing or does not have enough characters and is therefore considered too weak.",
CodeField: http.StatusBadRequest,
}
ErrMisconfiguration = &RFC6749Error{
ErrorField: errMisconfigurationName,
DescriptionField: "The request failed because of an internal error that is probably caused by misconfiguration.",
CodeField: http.StatusInternalServerError,
}
ErrInsufficientEntropy = &RFC6749Error{
ErrorField: errInsufficientEntropyName,
DescriptionField: "The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy.",
CodeField: http.StatusBadRequest,
}
ErrNotFound = &RFC6749Error{
ErrorField: errNotFoundName,
DescriptionField: "Could not find the requested resource(s).",
CodeField: http.StatusNotFound,
}
= &RFC6749Error{
ErrorField: errRequestUnauthorizedName,
DescriptionField: "The request could not be authorized.",
HintField: "Check that you provided valid credentials in the right format.",
CodeField: http.StatusUnauthorized,
}
ErrTokenSignatureMismatch = &RFC6749Error{
ErrorField: errTokenSignatureMismatchName,
DescriptionField: "Token signature mismatch.",
HintField: "Check that you provided a valid token in the right format.",
CodeField: http.StatusBadRequest,
}
ErrInvalidTokenFormat = &RFC6749Error{
ErrorField: errInvalidTokenFormatName,
DescriptionField: "Invalid token format.",
HintField: "Check that you provided a valid token in the right format.",
CodeField: http.StatusBadRequest,
}
ErrTokenExpired = &RFC6749Error{
ErrorField: errTokenExpiredName,
DescriptionField: "Token expired.",
HintField: "The token expired.",
CodeField: http.StatusUnauthorized,
}
ErrScopeNotGranted = &RFC6749Error{
ErrorField: errScopeNotGrantedName,
DescriptionField: "The token was not granted the requested scope.",
HintField: "The resource owner did not grant the requested scope.",
CodeField: http.StatusForbidden,
}
ErrTokenClaim = &RFC6749Error{
ErrorField: errTokenClaimName,
DescriptionField: "The token failed validation due to a claim mismatch.",
HintField: "One or more token claims failed validation.",
CodeField: http.StatusUnauthorized,
}
ErrInactiveToken = &RFC6749Error{
ErrorField: errTokenInactiveName,
DescriptionField: "Token is inactive because it is malformed, expired or otherwise invalid.",
HintField: "Token validation failed.",
CodeField: http.StatusUnauthorized,
}
ErrLoginRequired = &RFC6749Error{
ErrorField: errLoginRequired,
DescriptionField: "The Authorization Server requires End-User authentication.",
CodeField: http.StatusBadRequest,
}
ErrInteractionRequired = &RFC6749Error{
DescriptionField: "The Authorization Server requires End-User interaction of some form to proceed.",
ErrorField: errInteractionRequired,
CodeField: http.StatusBadRequest,
}
ErrConsentRequired = &RFC6749Error{
DescriptionField: "The Authorization Server requires End-User consent.",
ErrorField: errConsentRequired,
CodeField: http.StatusBadRequest,
}
ErrRequestNotSupported = &RFC6749Error{
DescriptionField: "The OP does not support use of the request parameter.",
ErrorField: errRequestNotSupportedName,
CodeField: http.StatusBadRequest,
}
ErrRequestURINotSupported = &RFC6749Error{
DescriptionField: "The OP does not support use of the request_uri parameter.",
ErrorField: errRequestURINotSupportedName,
CodeField: http.StatusBadRequest,
}
ErrRegistrationNotSupported = &RFC6749Error{
DescriptionField: "The OP does not support use of the registration parameter.",
ErrorField: errRegistrationNotSupportedName,
CodeField: http.StatusBadRequest,
}
ErrInvalidRequestURI = &RFC6749Error{
DescriptionField: "The request_uri in the Authorization Request returns an error or contains invalid data.",
ErrorField: errInvalidRequestURI,
CodeField: http.StatusBadRequest,
}
ErrInvalidRequestObject = &RFC6749Error{
DescriptionField: "The request parameter contains an invalid Request Object.",
ErrorField: errInvalidRequestObject,
CodeField: http.StatusBadRequest,
}
ErrJTIKnown = &RFC6749Error{
DescriptionField: "The jti was already used.",
ErrorField: errJTIKnownName,
CodeField: http.StatusBadRequest,
}
)
var FormPostDefaultTemplate = template.Must(template.New("form_post").Parse(`<html> <head> <title>Submit This Form</title> </head> <body onload="javascript:document.forms[0].submit()"> <form method="post" action="{{ .RedirURL }}"> {{ range $key,$value := .Parameters }} {{ range $parameter:= $value}} <input type="hidden" name="{{$key}}" value="{{$parameter}}"/> {{end}} {{ end }} </form> </body> </html>`))
func AccessTokenFromRequest(req *http.Request) string
func AddLocalizerToErr(catalog i18n.MessageCatalog, err error, requester Requester) error
AddLocalizerToErr augments the error object with the localizer based on the language set in the requester object. This is primarily required for response writers like introspection that do not take in the requester in the Write* function that produces the translated message. See - WriteIntrospectionError, for example.
func AddLocalizerToErrWithLang(catalog i18n.MessageCatalog, lang language.Tag, err error) error
AddLocalizerToErrWithLang augments the error object with the localizer based on the language passed in. This is primarily required for response writers like introspection that do not take in the requester in the Write* function that produces the translated message. See - WriteIntrospectionError, for example.
func DefaultAudienceMatchingStrategy(haystack []string, needle []string) error
func EscapeJSONString(str string) string
EscapeJSONString does a poor man's JSON encoding. Useful when we do not want to use full JSON encoding because we just had an error doing the JSON encoding. The characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F). See: https://tools.ietf.org/html/std90#section-7
func ExactAudienceMatchingStrategy(haystack []string, needle []string) error
ExactAudienceMatchingStrategy does not assume that audiences are URIs, but compares strings as-is and does matching with exact string comparison. It requires that all strings in "needle" are present in "haystack". Use this strategy when your audience values are not URIs (e.g., you use client IDs for audience and they are UUIDs or random strings).
func ExactScopeStrategy(haystack []string, needle string) bool
func GetAudiences(form url.Values) []string
GetAudiences allows audiences to be provided as repeated "audience" form parameter, or as a space-delimited "audience" form parameter if it is not repeated. RFC 8693 in section 2.1 specifies that multiple audience values should be multiple query parameters, while RFC 6749 says that that request parameter must not be included more than once (and thus why we use space-delimited value). This function tries to satisfy both. If "audience" form parameter is repeated, we do not split the value by space.
func GetPostFormHTMLTemplate(f Fosite) *template.Template
func HierarchicScopeStrategy(haystack []string, needle string) bool
func IsLocalhost(redirectURI *url.URL) bool
func IsRedirectURISecure(redirectURI *url.URL) bool
func IsRedirectURISecureStrict(redirectURI *url.URL) bool
IsRedirectURISecureStrict is stricter than IsRedirectURISecure and it does not allow custom-scheme URLs because they can be hijacked for native apps. Use claimed HTTPS redirects instead. See discussion in https://github.com/ory/fosite/pull/489.
func IsValidRedirectURI(redirectURI *url.URL) bool
IsValidRedirectURI validates a redirect_uri as specified in:
* https://tools.ietf.org/html/rfc6749#section-3.1.2
func MatchRedirectURIWithClientRedirectURIs(rawurl string, client Client) (*url.URL, error)
MatchRedirectURIWithClientRedirectURIs if the given uri is a registered redirect uri. Does not perform uri validation.
Considered specifications
https://tools.ietf.org/html/rfc6749#section-3.1.2.3 If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.
When a redirection URI is included in an authorization request, the authorization server MUST compare and match the value received against at least one of the registered redirection URIs (or URI components) as defined in [RFC3986] Section 6, if any redirection URIs were registered. If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1.
* https://tools.ietf.org/html/rfc6819#section-4.4.1.7
func NewContext() context.Context
func RemoveEmpty(args []string) (ret []string)
func StringInSlice(needle string, haystack []string) bool
StringInSlice returns true if needle exists in haystack
func URLSetFragment(source *url.URL, fragment url.Values)
Deprecated: Do not use.
func WildcardScopeStrategy(matchers []string, needle string) bool
func WriteAuthorizeFormPostResponse(redirectURL string, parameters url.Values, template *template.Template, rw io.Writer)
type AccessRequest struct {
GrantTypes Arguments `json:"grantTypes" gorethink:"grantTypes"`
HandledGrantType Arguments `json:"handledGrantType" gorethink:"handledGrantType"`
Request
}
func NewAccessRequest(session Session) *AccessRequest
func (a *AccessRequest) GetGrantTypes() Arguments
AccessRequester is a token endpoint's request context.
type AccessRequester interface {
// GetGrantType returns the requests grant type.
GetGrantTypes() (grantTypes Arguments)
Requester
}
AccessResponder is a token endpoint's response.
type AccessResponder interface {
// SetExtra sets a key value pair for the access response.
SetExtra(key string, value interface{})
// GetExtra returns a key's value.
GetExtra(key string) interface{}
SetExpiresIn(time.Duration)
SetScopes(scopes Arguments)
// SetAccessToken sets the responses mandatory access token.
SetAccessToken(token string)
// SetTokenType set's the responses mandatory token type
SetTokenType(tokenType string)
// SetAccessToken returns the responses access token.
GetAccessToken() (token string)
// GetTokenType returns the responses token type.
GetTokenType() (token string)
// ToMap converts the response to a map.
ToMap() map[string]interface{}
}
type AccessResponse struct {
Extra map[string]interface{}
AccessToken string
TokenType string
}
func NewAccessResponse() *AccessResponse
func (a *AccessResponse) GetAccessToken() string
func (a *AccessResponse) GetExtra(key string) interface{}
func (a *AccessResponse) GetTokenType() string
func (a *AccessResponse) SetAccessToken(token string)
func (a *AccessResponse) SetExpiresIn(expiresIn time.Duration)
func (a *AccessResponse) SetExtra(key string, value interface{})
func (a *AccessResponse) SetScopes(scopes Arguments)
func (a *AccessResponse) SetTokenType(name string)
func (a *AccessResponse) ToMap() map[string]interface{}
type Arguments []string
func (r Arguments) Exact(name string) bool
Deprecated: Use ExactOne, Matches or MatchesExact
func (r Arguments) ExactOne(name string) bool
ExactOne checks, by string case, that a single argument equals the provided string.
func (r Arguments) Has(items ...string) bool
Has checks, in a case-insensitive manner, that all of the items provided exists in arguments.
func (r Arguments) HasOneOf(items ...string) bool
HasOneOf checks, in a case-insensitive manner, that one of the items provided exists in arguments.
func (r Arguments) Matches(items ...string) bool
Matches performs an case-insensitive, out-of-order check that the items provided exist and equal all of the args in arguments. Note:
func (r Arguments) MatchesExact(items ...string) bool
MatchesExact checks, by order and string case, that the items provided equal those in arguments.
type AudienceMatchingStrategy func(haystack []string, needle []string) error
type AuthorizeEndpointHandler interface {
// HandleAuthorizeRequest handles an authorize endpoint request. To extend the handler's capabilities, the http request
// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
// the authorize request, he must return nil and NOT modify session nor responder neither requester.
//
// The following spec is a good example of what HandleAuthorizeRequest should do.
// * https://tools.ietf.org/html/rfc6749#section-3.1.1
// response_type REQUIRED.
// The value MUST be one of "code" for requesting an
// authorization code as described by Section 4.1.1, "token" for
// requesting an access token (implicit grant) as described by
// Section 4.2.1, or a registered extension value as described by Section 8.4.
HandleAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder AuthorizeResponder) error
}
AuthorizeEndpointHandlers is a list of AuthorizeEndpointHandler
type AuthorizeEndpointHandlers []AuthorizeEndpointHandler
func (a *AuthorizeEndpointHandlers) Append(h AuthorizeEndpointHandler)
Append adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
AuthorizeRequest is an implementation of AuthorizeRequester
type AuthorizeRequest struct {
ResponseTypes Arguments `json:"responseTypes" gorethink:"responseTypes"`
RedirectURI *url.URL `json:"redirectUri" gorethink:"redirectUri"`
State string `json:"state" gorethink:"state"`
HandledResponseTypes Arguments `json:"handledResponseTypes" gorethink:"handledResponseTypes"`
ResponseMode ResponseModeType `json:"ResponseModes" gorethink:"ResponseModes"`
DefaultResponseMode ResponseModeType `json:"DefaultResponseMode" gorethink:"DefaultResponseMode"`
Request
}
func NewAuthorizeRequest() *AuthorizeRequest
func (d *AuthorizeRequest) DidHandleAllResponseTypes() bool
func (d *AuthorizeRequest) GetDefaultResponseMode() ResponseModeType
func (d *AuthorizeRequest) GetRedirectURI() *url.URL
func (d *AuthorizeRequest) GetResponseMode() ResponseModeType
func (d *AuthorizeRequest) GetResponseTypes() Arguments
func (d *AuthorizeRequest) GetState() string
func (d *AuthorizeRequest) IsRedirectURIValid() bool
func (d *AuthorizeRequest) SetDefaultResponseMode(defaultResponseMode ResponseModeType)
func (d *AuthorizeRequest) SetResponseTypeHandled(name string)
AuthorizeRequester is an authorize endpoint's request context.
type AuthorizeRequester interface {
// GetResponseTypes returns the requested response types
GetResponseTypes() (responseTypes Arguments)
// SetResponseTypeHandled marks a response_type (e.g. token or code) as handled indicating that the response type
// is supported.
SetResponseTypeHandled(responseType string)
// DidHandleAllResponseTypes returns if all requested response types have been handled correctly
DidHandleAllResponseTypes() (didHandle bool)
// GetRedirectURI returns the requested redirect URI
GetRedirectURI() (redirectURL *url.URL)
// IsRedirectURIValid returns false if the redirect is not rfc-conform (i.e. missing client, not on white list,
// or malformed)
IsRedirectURIValid() (isValid bool)
// GetState returns the request's state.
GetState() (state string)
// GetResponseMode returns response_mode of the authorization request
GetResponseMode() ResponseModeType
// SetDefaultResponseMode sets default response mode for a response type in a flow
SetDefaultResponseMode(responseMode ResponseModeType)
// GetDefaultResponseMode gets default response mode for a response type in a flow
GetDefaultResponseMode() ResponseModeType
Requester
}
AuthorizeResponder is an authorization endpoint's response.
type AuthorizeResponder interface {
// GetCode returns the response's authorize code if set.
GetCode() string
// GetHeader returns the response's header
GetHeader() (header http.Header)
// AddHeader adds an header key value pair to the response
AddHeader(key, value string)
// GetParameters returns the response's parameters
GetParameters() (query url.Values)
// AddParameter adds key value pair to the response
AddParameter(key, value string)
}
AuthorizeResponse is an implementation of AuthorizeResponder
type AuthorizeResponse struct {
Header http.Header
Parameters url.Values
// contains filtered or unexported fields
}
func NewAuthorizeResponse() *AuthorizeResponse
func (a *AuthorizeResponse) AddHeader(key, value string)
func (a *AuthorizeResponse) AddParameter(key, value string)
func (a *AuthorizeResponse) GetCode() string
func (a *AuthorizeResponse) GetHeader() http.Header
func (a *AuthorizeResponse) GetParameters() url.Values
BCrypt implements the Hasher interface by using BCrypt.
type BCrypt struct {
WorkFactor int
}
func (b *BCrypt) Compare(ctx context.Context, hash, data []byte) error
func (b *BCrypt) Hash(ctx context.Context, data []byte) ([]byte, error)
Client represents a client or an app.
type Client interface {
// GetID returns the client ID.
GetID() string
// GetHashedSecret returns the hashed secret as it is stored in the store.
GetHashedSecret() []byte
// GetRedirectURIs returns the client's allowed redirect URIs.
GetRedirectURIs() []string
// GetGrantTypes returns the client's allowed grant types.
GetGrantTypes() Arguments
// GetResponseTypes returns the client's allowed response types.
// All allowed combinations of response types have to be listed, each combination having
// response types of the combination separated by a space.
GetResponseTypes() Arguments
// GetScopes returns the scopes this client is allowed to request.
GetScopes() Arguments
// IsPublic returns true, if this client is marked as public.
IsPublic() bool
// GetAudience returns the allowed audience(s) for this client.
GetAudience() Arguments
}
ClientAuthenticationStrategy provides a method signature for authenticating a client request
type ClientAuthenticationStrategy func(context.Context, *http.Request, url.Values) (Client, error)
ClientManager defines the (persistent) manager interface for clients.
type ClientManager interface {
// GetClient loads the client by its ID or returns an error
// if the client does not exist or another error occurred.
GetClient(ctx context.Context, id string) (Client, error)
// ClientAssertionJWTValid returns an error if the JTI is
// known or the DB check failed and nil if the JTI is not known.
ClientAssertionJWTValid(ctx context.Context, jti string) error
// SetClientAssertionJWT marks a JTI as known for the given
// expiry time. Before inserting the new JTI, it will clean
// up any existing JTIs that have expired as those tokens can
// not be replayed due to the expiry.
SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error
}
ClientWithSecretRotation extends Client interface by a method providing a slice of rotated secrets.
type ClientWithSecretRotation interface {
Client
// GetRotatedHashes returns a slice of hashed secrets used for secrets rotation.
GetRotatedHashes() [][]byte
}
type ContextKey string
DefaultClient is a simple default implementation of the Client interface.
type DefaultClient struct {
ID string `json:"id"`
Secret []byte `json:"client_secret,omitempty"`
RotatedSecrets [][]byte `json:"rotated_secrets,omitempty"`
RedirectURIs []string `json:"redirect_uris"`
GrantTypes []string `json:"grant_types"`
ResponseTypes []string `json:"response_types"`
Scopes []string `json:"scopes"`
Audience []string `json:"audience"`
Public bool `json:"public"`
}
func (c *DefaultClient) GetAudience() Arguments
func (c *DefaultClient) GetGrantTypes() Arguments
func (c *DefaultClient) GetHashedSecret() []byte
func (c *DefaultClient) GetID() string
func (c *DefaultClient) GetRedirectURIs() []string
func (c *DefaultClient) GetResponseTypes() Arguments
func (c *DefaultClient) GetRotatedHashes() [][]byte
func (c *DefaultClient) GetScopes() Arguments
func (c *DefaultClient) IsPublic() bool
type DefaultJWKSFetcherStrategy struct {
sync.Mutex
// contains filtered or unexported fields
}
func (s *DefaultJWKSFetcherStrategy) Resolve(location string, forceRefresh bool) (*jose.JSONWebKeySet, error)
type DefaultOpenIDConnectClient struct {
*DefaultClient
JSONWebKeysURI string `json:"jwks_uri"`
JSONWebKeys *jose.JSONWebKeySet `json:"jwks"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"`
RequestURIs []string `json:"request_uris"`
RequestObjectSigningAlgorithm string `json:"request_object_signing_alg"`
TokenEndpointAuthSigningAlgorithm string `json:"token_endpoint_auth_signing_alg"`
}
func (c *DefaultOpenIDConnectClient) GetJSONWebKeys() *jose.JSONWebKeySet
func (c *DefaultOpenIDConnectClient) GetJSONWebKeysURI() string
func (c *DefaultOpenIDConnectClient) GetRequestObjectSigningAlgorithm() string
func (c *DefaultOpenIDConnectClient) GetRequestURIs() []string
func (c *DefaultOpenIDConnectClient) GetTokenEndpointAuthMethod() string
func (c *DefaultOpenIDConnectClient) GetTokenEndpointAuthSigningAlgorithm() string
type DefaultResponseModeClient struct {
*DefaultClient
ResponseModes []ResponseModeType `json:"response_modes"`
}
func (c *DefaultResponseModeClient) GetResponseModes() []ResponseModeType
type DefaultResponseModeHandler struct{}
func (d *DefaultResponseModeHandler) ResponseModes() ResponseModeTypes
func (d *DefaultResponseModeHandler) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error)
func (d *DefaultResponseModeHandler) WriteAuthorizeResponse(rw http.ResponseWriter, ar AuthorizeRequester, resp AuthorizeResponder)
DefaultSession is a default implementation of the session interface.
type DefaultSession struct {
ExpiresAt map[TokenType]time.Time
Username string
Subject string
Extra map[string]interface{}
}
func (s *DefaultSession) Clone() Session
func (s *DefaultSession) GetExpiresAt(key TokenType) time.Time
func (s *DefaultSession) GetExtraClaims() map[string]interface{}
GetExtraClaims implements ExtraClaimsSession for DefaultSession. The returned value can be modified in-place.
func (s *DefaultSession) GetSubject() string
func (s *DefaultSession) GetUsername() string
func (s *DefaultSession) SetExpiresAt(key TokenType, exp time.Time)
func (s *DefaultSession) SetSubject(subject string)
ExtraClaimsSession provides an interface for session to store any extra claims.
type ExtraClaimsSession interface {
// GetExtraClaims returns a map to store extra claims.
// The returned value can be modified in-place.
GetExtraClaims() map[string]interface{}
}
Fosite implements OAuth2Provider.
type Fosite struct {
Store Storage
AuthorizeEndpointHandlers AuthorizeEndpointHandlers
TokenEndpointHandlers TokenEndpointHandlers
TokenIntrospectionHandlers TokenIntrospectionHandlers
RevocationHandlers RevocationHandlers
Hasher Hasher
ScopeStrategy ScopeStrategy
AudienceMatchingStrategy AudienceMatchingStrategy
JWKSFetcherStrategy JWKSFetcherStrategy
HTTPClient *http.Client
UseLegacyErrorFormat bool
// TokenURL is the the URL of the Authorization Server's Token Endpoint.
TokenURL string
// SendDebugMessagesToClients if set to true, includes error debug messages in response payloads. Be aware that sensitive
// data may be exposed, depending on your implementation of Fosite. Such sensitive data might include database error
// codes or other information. Proceed with caution!
SendDebugMessagesToClients bool
// MinParameterEntropy controls the minimum size of state and nonce parameters. Defaults to fosite.MinParameterEntropy.
MinParameterEntropy int
// FormPostHTMLTemplate sets html template for rendering the authorization response when the request has response_mode=form_post. Defaults to fosite.FormPostDefaultTemplate
FormPostHTMLTemplate *template.Template
// ClientAuthenticationStrategy provides an extension point to plug a strategy to authenticate clients
ClientAuthenticationStrategy ClientAuthenticationStrategy
ResponseModeHandlerExtension ResponseModeHandler
// MessageCatalog is the catalog of messages used for i18n
MessageCatalog i18n.MessageCatalog
}
func (f *Fosite) AuthenticateClient(ctx context.Context, r *http.Request, form url.Values) (Client, error)
AuthenticateClient authenticates client requests using the configured strategy `Fosite.ClientAuthenticationStrategy`, if nil it uses `Fosite.DefaultClientAuthenticationStrategy`
func (f *Fosite) DefaultClientAuthenticationStrategy(ctx context.Context, r *http.Request, form url.Values) (Client, error)
DefaultClientAuthenticationStrategy provides the fosite's default client authentication strategy, HTTP Basic Authentication and JWT Bearer
func (f *Fosite) GetMinParameterEntropy() int
GetMinParameterEntropy returns MinParameterEntropy if set. Defaults to fosite.MinParameterEntropy.
func (f *Fosite) IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scopes ...string) (TokenUse, AccessRequester, error)
func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (AccessRequester, error)
Implements
func (f *Fosite) NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)
func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error)
func (f *Fosite) NewAuthorizeResponse(ctx context.Context, ar AuthorizeRequester, session Session) (AuthorizeResponder, error)
func (f *Fosite) NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (IntrospectionResponder, error)
NewIntrospectionRequest initiates token introspection as defined in https://tools.ietf.org/search/rfc7662#section-2.1
The protected resource calls the introspection endpoint using an HTTP POST [RFC7231] request with parameters sent as "application/x-www-form-urlencoded" data as defined in [W3C.REC-html5-20141028]. The protected resource sends a parameter representing the token along with optional parameters representing additional context that is known by the protected resource to aid the authorization server in its response.
* token REQUIRED. The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, this is the "refresh_token" value returned from the token endpoint as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types are outside the scope of this specification.
* token_type_hint OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. Values for this field are defined in the "OAuth Token Type Hints" registry defined in OAuth Token Revocation [RFC7009].
The introspection endpoint MAY accept other OPTIONAL parameters to provide further context to the query. For instance, an authorization server may desire to know the IP address of the client accessing the protected resource to determine if the correct client is likely to be presenting the token. The definition of this or any other parameters are outside the scope of this specification, to be defined by service documentation or extensions to this specification. If the authorization server is unable to determine the state of the token without additional information, it SHOULD return an introspection response indicating the token is not active as described in Section 2.2.
To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750]. The methods of managing and validating these authentication credentials are out of scope of this specification.
For example, the following shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer token. The protected resource is using a separate OAuth 2.0 bearer token to authorize this call.
The following is a non-normative example request:
POST /introspect HTTP/1.1 Host: server.example.com Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Bearer 23410913-abewfq.123483 token=2YotnFZFEjr1zCsicMWpAA
In this example, the protected resource uses a client identifier and client secret to authenticate itself to the introspection endpoint. The protected resource also sends a token type hint indicating that it is inquiring about an access token.
The following is a non-normative example request:
POST /introspect HTTP/1.1 Host: server.example.com Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=mF_9.B5f-4.1JqM&token_type_hint=access_token
func (f *Fosite) NewRevocationRequest(ctx context.Context, r *http.Request) error
NewRevocationRequest handles incoming token revocation requests and validates various parameters as specified in: https://tools.ietf.org/html/rfc7009#section-2.1
The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below.
In the next step, the authorization server invalidates the token. The invalidation takes place immediately, and the token cannot be used again after the revocation.
* https://tools.ietf.org/html/rfc7009#section-2.2 An invalid token type hint value is ignored by the authorization server and does not influence the revocation response.
func (f *Fosite) ParseResponseMode(r *http.Request, request *AuthorizeRequest) error
func (f *Fosite) ResponseModeHandler() ResponseModeHandler
func (f *Fosite) WriteAccessError(rw http.ResponseWriter, req AccessRequester, err error)
func (f *Fosite) WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error)
func (f *Fosite) WriteAuthorizeResponse(rw http.ResponseWriter, ar AuthorizeRequester, resp AuthorizeResponder)
func (f *Fosite) WriteIntrospectionError(rw http.ResponseWriter, err error)
WriteIntrospectionError responds with token metadata discovered by token introspection as defined in https://tools.ietf.org/search/rfc7662#section-2.2
If the protected resource uses OAuth 2.0 client credentials to authenticate to the introspection endpoint and its credentials are invalid, the authorization server responds with an HTTP 401 (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].
If the protected resource uses an OAuth 2.0 bearer token to authorize its call to the introspection endpoint and the token used for authorization does not contain sufficient privileges or is otherwise invalid for this request, the authorization server responds with an HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token Usage [RFC6750].
Note that a properly formed and authorized query for an inactive or otherwise invalid token (or a token the protected resource is not allowed to know about) is not considered an error response by this specification. In these cases, the authorization server MUST instead respond with an introspection response with the "active" field set to "false" as described in Section 2.2.
func (f *Fosite) WriteIntrospectionResponse(rw http.ResponseWriter, r IntrospectionResponder)
WriteIntrospectionResponse responds with an error if token introspection failed as defined in https://tools.ietf.org/search/rfc7662#section-2.3
The server responds with a JSON object [RFC7159] in "application/ json" format with the following top-level members.
* active REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). See Section 4 for information on implementation of such checks.
* scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].
* client_id OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.
* username OPTIONAL. Human-readable identifier for the resource owner who authorized this token.
* token_type OPTIONAL. Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].
* exp OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire, as defined in JWT [RFC7519].
* iat OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued, as defined in JWT [RFC7519].
* nbf OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before, as defined in JWT [RFC7519].
* sub OPTIONAL. Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token.
* aud OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
* iss OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].
* jti OPTIONAL. String identifier for the token, as defined in JWT [RFC7519].
Specific implementations MAY extend this structure with their own service-specific response names as top-level members of this JSON object. Response names intended to be used across domains MUST be registered in the "OAuth Token Introspection Response" registry defined in Section 3.1.
The authorization server MAY respond differently to different protected resources making the same request. For instance, an authorization server MAY limit which scopes from a given token are returned for each protected resource to prevent a protected resource from learning more about the larger network than is necessary for its operation.
The response MAY be cached by the protected resource to improve performance and reduce load on the introspection endpoint, but at the cost of liveness of the information used by the protected resource to make authorization decisions. See Section 4 for more information regarding the trade off when the response is cached.
For example, the following response contains a set of information about an active token:
The following is a non-normative example response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true,
"client_id": "l238j323ds-23ij4",
"username": "jdoe",
"scope": "read write dolphin",
"sub": "Z5O3upPC88QrAjx00dis",
"aud": "https://protected.example.net/resource",
"iss": "https://server.example.com/",
"exp": 1419356238,
"iat": 1419350238,
"extension_field": "twenty-seven"
}
If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the "active" field set to "false". Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.
The following is a non-normative example response for a token that has been revoked or is otherwise invalid:
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": false
}
func (f *Fosite) WriteRevocationResponse(rw http.ResponseWriter, err error)
WriteRevocationResponse writes a token revocation response as specified in: https://tools.ietf.org/html/rfc7009#section-2.2
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.
G11NContext is the globalization context
type G11NContext interface {
// GetLang returns the current language in the context
GetLang() language.Tag
}
Hasher defines how a oauth2-compatible hasher should look like.
type Hasher interface {
// Compare compares data with a hash and returns an error
// if the two do not match.
Compare(ctx context.Context, hash, data []byte) error
// Hash creates a hash from data or returns an error.
Hash(ctx context.Context, data []byte) ([]byte, error)
}
IntrospectionResponder is the response object that will be returned when token introspection was successful, for example when the client is allowed to perform token introspection. Refer to https://tools.ietf.org/search/rfc7662#section-2.2 for more details.
type IntrospectionResponder interface {
// IsActive returns true if the introspected token is active and false otherwise.
IsActive() bool
// AccessRequester returns nil when IsActive() is false and the original access request object otherwise.
GetAccessRequester() AccessRequester
// GetTokenUse optionally returns the type of the token that was introspected. This could be "access_token", "refresh_token",
// or if the type can not be determined an empty string.
GetTokenUse() TokenUse
//GetAccessTokenType optionally returns the type of the access token that was introspected. This could be "bearer", "mac",
// or empty string if the type of the token is refresh token.
GetAccessTokenType() string
}
type IntrospectionResponse struct {
Active bool `json:"active"`
AccessRequester AccessRequester `json:"extra"`
TokenUse TokenUse `json:"token_use,omitempty"`
AccessTokenType string `json:"token_type,omitempty"`
Lang language.Tag `json:"-"`
}
func (r *IntrospectionResponse) GetAccessRequester() AccessRequester
func (r *IntrospectionResponse) GetAccessTokenType() string
func (r *IntrospectionResponse) GetTokenUse() TokenUse
func (r *IntrospectionResponse) IsActive() bool
JWKSFetcherStrategy is a strategy which pulls (optionally caches) JSON Web Key Sets from a location, typically a client's jwks_uri.
type JWKSFetcherStrategy interface {
// Resolve returns the JSON Web Key Set, or an error if something went wrong. The forceRefresh, if true, forces
// the strategy to fetch the keys from the remote. If forceRefresh is false, the strategy may use a caching strategy
// to fetch the key.
Resolve(location string, forceRefresh bool) (*jose.JSONWebKeySet, error)
}
func NewDefaultJWKSFetcherStrategy() JWKSFetcherStrategy
OAuth2Provider is an interface that enables you to write OAuth2 handlers with only a few lines of code. Check fosite.Fosite for an implementation of this interface.
type OAuth2Provider interface {
// NewAuthorizeRequest returns an AuthorizeRequest.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.1
// Extension response types MAY contain a space-delimited (%x20) list of
// values, where the order of values does not matter (e.g., response
// type "a b" is the same as "b a"). The meaning of such composite
// response types is defined by their respective specifications.
// * https://tools.ietf.org/html/rfc6749#section-3.1.2
// The redirection endpoint URI MUST be an absolute URI as defined by
// [RFC3986] Section 4.3. The endpoint URI MAY include an
// "application/x-www-form-urlencoded" formatted (per Appendix B) query
// component ([RFC3986] Section 3.4), which MUST be retained when adding
// additional query parameters. The endpoint URI MUST NOT include a
// fragment component.
// * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
NewAuthorizeRequest(ctx context.Context, req *http.Request) (AuthorizeRequester, error)
// NewAuthorizeResponse iterates through all response type handlers and returns their result or
// ErrUnsupportedResponseType if none of the handler's were able to handle it.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.1.1
// Extension response types MAY contain a space-delimited (%x20) list of
// values, where the order of values does not matter (e.g., response
// type "a b" is the same as "b a"). The meaning of such composite
// response types is defined by their respective specifications.
// If an authorization request is missing the "response_type" parameter,
// or if the response type is not understood, the authorization server
// MUST return an error response as described in Section 4.1.2.1.
NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (AuthorizeResponder, error)
// WriteAuthorizeError returns the error codes to the redirection endpoint or shows the error to the user, if no valid
// redirect uri was given. Implements rfc6749#section-4.1.2.1
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.1.2
// The redirection endpoint URI MUST be an absolute URI as defined by
// [RFC3986] Section 4.3. The endpoint URI MAY include an
// "application/x-www-form-urlencoded" formatted (per Appendix B) query
// component ([RFC3986] Section 3.4), which MUST be retained when adding
// additional query parameters. The endpoint URI MUST NOT include a
// fragment component.
// * https://tools.ietf.org/html/rfc6749#section-4.1.2.1 (everything)
// * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
WriteAuthorizeError(rw http.ResponseWriter, requester AuthorizeRequester, err error)
// WriteAuthorizeResponse persists the AuthorizeSession in the store and redirects the user agent to the provided
// redirect url or returns an error if storage failed.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#rfc6749#section-4.1.2.1
// After completing its interaction with the resource owner, the
// authorization server directs the resource owner's user-agent back to
// the client. The authorization server redirects the user-agent to the
// client's redirection endpoint previously established with the
// authorization server during the client registration process or when
// making the authorization request.
// * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
WriteAuthorizeResponse(rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
// NewAccessRequest creates a new access request object and validates
// various parameters.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.2 (everything)
// * https://tools.ietf.org/html/rfc6749#section-3.2.1 (everything)
//
// Furthermore the registered handlers should implement their specs accordingly.
NewAccessRequest(ctx context.Context, req *http.Request, session Session) (AccessRequester, error)
// NewAccessResponse creates a new access response and validates that access_token and token_type are set.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc6749#section-5.1
NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)
// WriteAccessError writes an access request error response.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-5.2 (everything)
WriteAccessError(rw http.ResponseWriter, requester AccessRequester, err error)
// WriteAccessResponse writes the access response.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc6749#section-5.1
WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
// NewRevocationRequest handles incoming token revocation requests and validates various parameters.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc7009#section-2.1
NewRevocationRequest(ctx context.Context, r *http.Request) error
// WriteRevocationResponse writes the revoke response.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc7009#section-2.2
WriteRevocationResponse(rw http.ResponseWriter, err error)
// IntrospectToken returns token metadata, if the token is valid. Tokens generated by the authorization endpoint,
// such as the authorization code, can not be introspected.
IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scope ...string) (TokenUse, AccessRequester, error)
// NewIntrospectionRequest initiates token introspection as defined in
// https://tools.ietf.org/search/rfc7662#section-2.1
NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (IntrospectionResponder, error)
// WriteIntrospectionError responds with an error if token introspection failed as defined in
// https://tools.ietf.org/search/rfc7662#section-2.3
WriteIntrospectionError(rw http.ResponseWriter, err error)
// WriteIntrospectionResponse responds with token metadata discovered by token introspection as defined in
// https://tools.ietf.org/search/rfc7662#section-2.2
WriteIntrospectionResponse(rw http.ResponseWriter, r IntrospectionResponder)
}
OpenIDConnectClient represents a client capable of performing OpenID Connect requests.
type OpenIDConnectClient interface {
// GetRequestURIs is an array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY
// cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request.
// OPs can require that request_uri values used be pre-registered with the require_request_uri_registration
// discovery parameter.
GetRequestURIs() []string
// GetJSONWebKeys returns the JSON Web Key Set containing the public keys used by the client to authenticate.
GetJSONWebKeys() *jose.JSONWebKeySet
// GetJSONWebKeys returns the URL for lookup of JSON Web Key Set containing the
// public keys used by the client to authenticate.
GetJSONWebKeysURI() string
// JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP.
// All Request Objects from this Client MUST be rejected, if not signed with this algorithm.
GetRequestObjectSigningAlgorithm() string
// Requested Client Authentication method for the Token Endpoint. The options are client_secret_post,
// client_secret_basic, client_secret_jwt, private_key_jwt, and none.
GetTokenEndpointAuthMethod() string
// JWS [JWS] alg algorithm [JWA] that MUST be used for signing the JWT [JWT] used to authenticate the
// Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
GetTokenEndpointAuthSigningAlgorithm() string
}
type RFC6749Error struct {
ErrorField string
DescriptionField string
HintField string
CodeField int
DebugField string
// contains filtered or unexported fields
}
func ErrorToRFC6749Error(err error) *RFC6749Error
func (e *RFC6749Error) Cause() error
func (e *RFC6749Error) Debug() string
func (e RFC6749Error) Error() string
func (e *RFC6749Error) GetDescription() string
GetDescription returns a more description description, combined with hint and debug (when available).
func (e RFC6749Error) Is(err error) bool
func (e RFC6749Error) MarshalJSON() ([]byte, error)
func (e *RFC6749Error) Reason() string
func (e *RFC6749Error) RequestID() string
func (e *RFC6749Error) Sanitize() *RFC6749Error
Sanitize strips the debug field
Deprecated: Use WithExposeDebug instead.
func (e *RFC6749Error) StackTrace() (trace errors.StackTrace)
StackTrace returns the error's stack trace.
func (e *RFC6749Error) Status() string
func (e *RFC6749Error) StatusCode() int
func (e *RFC6749Error) ToValues() url.Values
func (e *RFC6749Error) UnmarshalJSON(b []byte) error
func (e RFC6749Error) Unwrap() error
func (e *RFC6749Error) WithDebug(debug string) *RFC6749Error
func (e *RFC6749Error) WithDebugf(debug string, args ...interface{}) *RFC6749Error
func (e *RFC6749Error) WithDescription(description string) *RFC6749Error
func (e *RFC6749Error) WithExposeDebug(exposeDebug bool) *RFC6749Error
WithExposeDebug if set to true exposes debug messages
func (e *RFC6749Error) WithHint(hint string) *RFC6749Error
func (e *RFC6749Error) WithHintIDOrDefaultf(ID string, def string, args ...interface{}) *RFC6749Error
WithHintIDOrDefaultf accepts the ID of the hint message
func (e *RFC6749Error) WithHintTranslationID(ID string) *RFC6749Error
WithHintTranslationID accepts the ID of the hint message and should be paired with WithHint and WithHintf to add a default message and vaargs.
func (e *RFC6749Error) WithHintf(hint string, args ...interface{}) *RFC6749Error
func (e RFC6749Error) WithLegacyFormat(useLegacyFormat bool) *RFC6749Error
func (e *RFC6749Error) WithLocalizer(catalog i18n.MessageCatalog, lang language.Tag) *RFC6749Error
func (e *RFC6749Error) WithTrace(err error) *RFC6749Error
func (e RFC6749Error) WithWrap(cause error) *RFC6749Error
func (e *RFC6749Error) Wrap(err error)
RFC6749ErrorJson is a helper struct for JSON encoding/decoding of RFC6749Error.
type RFC6749ErrorJson struct {
Name string `json:"error"`
Description string `json:"error_description"`
Hint string `json:"error_hint,omitempty"`
Code int `json:"status_code,omitempty"`
Debug string `json:"error_debug,omitempty"`
}
Request is an implementation of Requester
type Request struct {
ID string `json:"id" gorethink:"id"`
RequestedAt time.Time `json:"requestedAt" gorethink:"requestedAt"`
Client Client `json:"client" gorethink:"client"`
RequestedScope Arguments `json:"scopes" gorethink:"scopes"`
GrantedScope Arguments `json:"grantedScopes" gorethink:"grantedScopes"`
Form url.Values `json:"form" gorethink:"form"`
Session Session `json:"session" gorethink:"session"`
RequestedAudience Arguments `json:"requestedAudience"`
GrantedAudience Arguments `json:"grantedAudience"`
Lang language.Tag `json:"-"`
}
func NewRequest() *Request
func (a *Request) AppendRequestedAudience(audience string)
func (a *Request) AppendRequestedScope(scope string)
func (a *Request) GetClient() Client
func (a *Request) GetGrantedAudience() Arguments
func (a *Request) GetGrantedScopes() Arguments
func (a *Request) GetID() string
func (a *Request) GetLang() language.Tag
func (a *Request) GetRequestForm() url.Values
func (a *Request) GetRequestedAt() time.Time
func (a *Request) GetRequestedAudience() (audience Arguments)
func (a *Request) GetRequestedScopes() Arguments
func (a *Request) GetSession() Session
func (a *Request) GrantAudience(audience string)
func (a *Request) GrantScope(scope string)
func (a *Request) Merge(request Requester)
func (a *Request) Sanitize(allowedParameters []string) Requester
func (a *Request) SetID(id string)
func (a *Request) SetRequestedAudience(s Arguments)
func (a *Request) SetRequestedScopes(s Arguments)
func (a *Request) SetSession(session Session)
Requester is an abstract interface for handling requests in Fosite.
type Requester interface {
// SetID sets the unique identifier.
SetID(id string)
// GetID returns a unique identifier.
GetID() string
// GetRequestedAt returns the time the request was created.
GetRequestedAt() (requestedAt time.Time)
// GetClient returns the request's client.
GetClient() (client Client)
// GetRequestedScopes returns the request's scopes.
GetRequestedScopes() (scopes Arguments)
// GetRequestedAudience returns the requested audiences for this request.
GetRequestedAudience() (audience Arguments)
// SetRequestedScopes sets the request's scopes.
SetRequestedScopes(scopes Arguments)
// SetRequestedAudience sets the requested audience.
SetRequestedAudience(audience Arguments)
// AppendRequestedScope appends a scope to the request.
AppendRequestedScope(scope string)
// GetGrantScopes returns all granted scopes.
GetGrantedScopes() (grantedScopes Arguments)
// GetGrantedAudience returns all granted audiences.
GetGrantedAudience() (grantedAudience Arguments)
// GrantScope marks a request's scope as granted.
GrantScope(scope string)
// GrantAudience marks a request's audience as granted.
GrantAudience(audience string)
// GetSession returns a pointer to the request's session or nil if none is set.
GetSession() (session Session)
// SetSession sets the request's session pointer.
SetSession(session Session)
// GetRequestForm returns the request's form input.
GetRequestForm() url.Values
// Merge merges the argument into the method receiver.
Merge(requester Requester)
// Sanitize returns a sanitized clone of the request which can be used for storage.
Sanitize(allowedParameters []string) Requester
}
ResponseModeClient represents a client capable of handling response_mode
type ResponseModeClient interface {
// GetResponseMode returns the response modes that client is allowed to send
GetResponseModes() []ResponseModeType
}
ResponseModeHandler provides a contract for handling custom response modes
type ResponseModeHandler interface {
// ResponseModes returns a set of supported response modes handled
// by the interface implementation.
//
// In an authorize request with any of the provide response modes
// methods `WriteAuthorizeResponse` and `WriteAuthorizeError` will be
// invoked to write the successful or error authorization responses respectively.
ResponseModes() ResponseModeTypes
// WriteAuthorizeResponse writes successful responses
//
// Following headers are expected to be set by default:
// header.Set("Cache-Control", "no-store")
// header.Set("Pragma", "no-cache")
WriteAuthorizeResponse(rw http.ResponseWriter, ar AuthorizeRequester, resp AuthorizeResponder)
// WriteAuthorizeError writes error responses
//
// Following headers are expected to be set by default:
// header.Set("Cache-Control", "no-store")
// header.Set("Pragma", "no-cache")
WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error)
}
type ResponseModeType string
type ResponseModeTypes []ResponseModeType
func (rs ResponseModeTypes) Has(item ResponseModeType) bool
RevocationHandler is the interface that allows token revocation for an OAuth2.0 provider. https://tools.ietf.org/html/rfc7009
RevokeToken is invoked after a new token revocation request is parsed.
https://tools.ietf.org/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
type RevocationHandler interface {
// RevokeToken handles access and refresh token revocation.
RevokeToken(ctx context.Context, token string, tokenType TokenType, client Client) error
}
RevocationHandlers is a list of RevocationHandler
type RevocationHandlers []RevocationHandler
func (t *RevocationHandlers) Append(h RevocationHandler)
Append adds an RevocationHandler to this list. Ignores duplicates based on reflect.TypeOf.
ScopeStrategy is a strategy for matching scopes.
type ScopeStrategy func(haystack []string, needle string) bool
Session is an interface that is used to store session data between OAuth2 requests. It can be used to look up when a session expires or what the subject's name was.
type Session interface {
// SetExpiresAt sets the expiration time of a token.
//
// session.SetExpiresAt(fosite.AccessToken, time.Now().UTC().Add(time.Hour))
SetExpiresAt(key TokenType, exp time.Time)
// GetExpiresAt returns the expiration time of a token if set, or time.IsZero() if not.
//
// session.GetExpiresAt(fosite.AccessToken)
GetExpiresAt(key TokenType) time.Time
// GetUsername returns the username, if set. This is optional and only used during token introspection.
GetUsername() string
// GetSubject returns the subject, if set. This is optional and only used during token introspection.
GetSubject() string
// Clone clones the session.
Clone() Session
}
Storage defines fosite's minimal storage interface.
type Storage interface {
ClientManager
}
type TokenEndpointHandler interface {
// PopulateTokenEndpointResponse is responsible for setting return values and should only be executed if
// the handler's HandleTokenEndpointRequest did not return ErrUnknownRequest.
PopulateTokenEndpointResponse(ctx context.Context, requester AccessRequester, responder AccessResponder) error
// HandleTokenEndpointRequest handles an authorize request. If the handler is not responsible for handling
// the request, this method should return ErrUnknownRequest and otherwise handle the request.
HandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) error
// CanSkipClientAuth indicates if client authentication can be skipped. By default it MUST be false, unless you are
// implementing extension grant type, which allows unauthenticated client. CanSkipClientAuth must be called
// before HandleTokenEndpointRequest to decide, if AccessRequester will contain authenticated client.
CanSkipClientAuth(requester AccessRequester) bool
// CanHandleRequest indicates, if TokenEndpointHandler can handle this request or not. If true,
// HandleTokenEndpointRequest can be called.
CanHandleTokenEndpointRequest(requester AccessRequester) bool
}
TokenEndpointHandlers is a list of TokenEndpointHandler
type TokenEndpointHandlers []TokenEndpointHandler
func (t *TokenEndpointHandlers) Append(h TokenEndpointHandler)
Append adds an TokenEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
TokenIntrospectionHandlers is a list of TokenValidator
type TokenIntrospectionHandlers []TokenIntrospector
func (t *TokenIntrospectionHandlers) Append(h TokenIntrospector)
Append adds an AccessTokenValidator to this list. Ignores duplicates based on reflect.TypeOf.
type TokenIntrospector interface {
IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, accessRequest AccessRequester, scopes []string) (TokenUse, error)
}
type TokenType string
type TokenUse = TokenType