chore(linting): apply gofumpt & goimports to all .go files (#225)
parent
c4b7ef9160
commit
b5da6ec29b
45 changed files with 539 additions and 479 deletions
|
@ -1,40 +1,40 @@
|
|||
package oidc
|
||||
|
||||
const (
|
||||
//ScopeOpenID defines the scope `openid`
|
||||
//OpenID Connect requests MUST contain the `openid` scope value
|
||||
// ScopeOpenID defines the scope `openid`
|
||||
// OpenID Connect requests MUST contain the `openid` scope value
|
||||
ScopeOpenID = "openid"
|
||||
|
||||
//ScopeProfile defines the scope `profile`
|
||||
//This (optional) scope value requests access to the End-User's default profile Claims,
|
||||
//which are: name, family_name, given_name, middle_name, nickname, preferred_username,
|
||||
//profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
|
||||
// ScopeProfile defines the scope `profile`
|
||||
// This (optional) scope value requests access to the End-User's default profile Claims,
|
||||
// which are: name, family_name, given_name, middle_name, nickname, preferred_username,
|
||||
// profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
|
||||
ScopeProfile = "profile"
|
||||
|
||||
//ScopeEmail defines the scope `email`
|
||||
//This (optional) scope value requests access to the email and email_verified Claims.
|
||||
// ScopeEmail defines the scope `email`
|
||||
// This (optional) scope value requests access to the email and email_verified Claims.
|
||||
ScopeEmail = "email"
|
||||
|
||||
//ScopeAddress defines the scope `address`
|
||||
//This (optional) scope value requests access to the address Claim.
|
||||
// ScopeAddress defines the scope `address`
|
||||
// This (optional) scope value requests access to the address Claim.
|
||||
ScopeAddress = "address"
|
||||
|
||||
//ScopePhone defines the scope `phone`
|
||||
//This (optional) scope value requests access to the phone_number and phone_number_verified Claims.
|
||||
// ScopePhone defines the scope `phone`
|
||||
// This (optional) scope value requests access to the phone_number and phone_number_verified Claims.
|
||||
ScopePhone = "phone"
|
||||
|
||||
//ScopeOfflineAccess defines the scope `offline_access`
|
||||
//This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token
|
||||
//that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).
|
||||
// ScopeOfflineAccess defines the scope `offline_access`
|
||||
// This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token
|
||||
// that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).
|
||||
ScopeOfflineAccess = "offline_access"
|
||||
|
||||
//ResponseTypeCode for the Authorization Code Flow returning a code from the Authorization Server
|
||||
// ResponseTypeCode for the Authorization Code Flow returning a code from the Authorization Server
|
||||
ResponseTypeCode ResponseType = "code"
|
||||
|
||||
//ResponseTypeIDToken for the Implicit Flow returning id and access tokens directly from the Authorization Server
|
||||
// ResponseTypeIDToken for the Implicit Flow returning id and access tokens directly from the Authorization Server
|
||||
ResponseTypeIDToken ResponseType = "id_token token"
|
||||
|
||||
//ResponseTypeIDTokenOnly for the Implicit Flow returning only id token directly from the Authorization Server
|
||||
// ResponseTypeIDTokenOnly for the Implicit Flow returning only id token directly from the Authorization Server
|
||||
ResponseTypeIDTokenOnly ResponseType = "id_token"
|
||||
|
||||
DisplayPage Display = "page"
|
||||
|
@ -45,21 +45,21 @@ const (
|
|||
ResponseModeQuery ResponseMode = "query"
|
||||
ResponseModeFragment ResponseMode = "fragment"
|
||||
|
||||
//PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages.
|
||||
//An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed
|
||||
// PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages.
|
||||
// An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed
|
||||
PromptNone = "none"
|
||||
|
||||
//PromptLogin (`login`) directs the Authorization Server to prompt the End-User for reauthentication.
|
||||
// PromptLogin (`login`) directs the Authorization Server to prompt the End-User for reauthentication.
|
||||
PromptLogin = "login"
|
||||
|
||||
//PromptConsent (`consent`) directs the Authorization Server to prompt the End-User for consent (of sharing information).
|
||||
// PromptConsent (`consent`) directs the Authorization Server to prompt the End-User for consent (of sharing information).
|
||||
PromptConsent = "consent"
|
||||
|
||||
//PromptSelectAccount (`select_account `) directs the Authorization Server to prompt the End-User to select a user account (to enable multi user / session switching)
|
||||
// PromptSelectAccount (`select_account `) directs the Authorization Server to prompt the End-User to select a user account (to enable multi user / session switching)
|
||||
PromptSelectAccount = "select_account"
|
||||
)
|
||||
|
||||
//AuthRequest according to:
|
||||
// AuthRequest according to:
|
||||
//https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||
type AuthRequest struct {
|
||||
Scopes SpaceDelimitedArray `json:"scope" schema:"scope"`
|
||||
|
@ -82,21 +82,21 @@ type AuthRequest struct {
|
|||
CodeChallenge string `json:"code_challenge" schema:"code_challenge"`
|
||||
CodeChallengeMethod CodeChallengeMethod `json:"code_challenge_method" schema:"code_challenge_method"`
|
||||
|
||||
//RequestParam enables OIDC requests to be passed in a single, self-contained parameter (as JWT, called Request Object)
|
||||
// RequestParam enables OIDC requests to be passed in a single, self-contained parameter (as JWT, called Request Object)
|
||||
RequestParam string `schema:"request"`
|
||||
}
|
||||
|
||||
//GetRedirectURI returns the redirect_uri value for the ErrAuthRequest interface
|
||||
// GetRedirectURI returns the redirect_uri value for the ErrAuthRequest interface
|
||||
func (a *AuthRequest) GetRedirectURI() string {
|
||||
return a.RedirectURI
|
||||
}
|
||||
|
||||
//GetResponseType returns the response_type value for the ErrAuthRequest interface
|
||||
// GetResponseType returns the response_type value for the ErrAuthRequest interface
|
||||
func (a *AuthRequest) GetResponseType() ResponseType {
|
||||
return a.ResponseType
|
||||
}
|
||||
|
||||
//GetState returns the optional state value for the ErrAuthRequest interface
|
||||
// GetState returns the optional state value for the ErrAuthRequest interface
|
||||
func (a *AuthRequest) GetState() string {
|
||||
return a.State
|
||||
}
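Review bot: The doc comment on PromptSelectAccount in the earlier hunk of this file still has a stray space inside the backticks, `select_account `, which gofumpt does not touch and which misleads anyone copying the value from the docs; it should read `// PromptSelectAccount (`select_account`) directs the Authorization Server to prompt the End-User to select a user account ...` (the constant's value itself is correct). In the same file the link line under AuthRequest was left as `//https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest`, apparently because `//word:` looks like a directive to the formatter, so the two-line doc paragraph now mixes `// ` and `//`; writing it `// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest` by hand keeps godoc rendering it as one paragraph. Both points are documentation only; no code needs to change.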
|
||||
|
|
|
@ -9,143 +9,143 @@ const (
|
|||
)
|
||||
|
||||
type DiscoveryConfiguration struct {
|
||||
//Issuer is the identifier of the OP and is used in the tokens as `iss` claim.
|
||||
// Issuer is the identifier of the OP and is used in the tokens as `iss` claim.
|
||||
Issuer string `json:"issuer,omitempty"`
|
||||
|
||||
//AuthorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start
|
||||
// AuthorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start
|
||||
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
|
||||
|
||||
//TokenEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow
|
||||
// TokenEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow
|
||||
TokenEndpoint string `json:"token_endpoint,omitempty"`
|
||||
|
||||
//IntrospectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint.
|
||||
// IntrospectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint.
|
||||
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
|
||||
|
||||
//UserinfoEndpoint is the URL where an access_token can be used to retrieve the Userinfo.
|
||||
// UserinfoEndpoint is the URL where an access_token can be used to retrieve the Userinfo.
|
||||
UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
|
||||
|
||||
//RevocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint.
|
||||
// RevocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint.
|
||||
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
|
||||
|
||||
//EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
|
||||
// EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
|
||||
EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
|
||||
|
||||
//CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client.
|
||||
// CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client.
|
||||
CheckSessionIframe string `json:"check_session_iframe,omitempty"`
|
||||
|
||||
//JwksURI is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature.
|
||||
//It may also contain the OP's encryption keys that RPs can use to encrypt request to the OP.
|
||||
// JwksURI is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature.
|
||||
// It may also contain the OP's encryption keys that RPs can use to encrypt request to the OP.
|
||||
JwksURI string `json:"jwks_uri,omitempty"`
|
||||
|
||||
//RegistrationEndpoint is the URL for the Dynamic Client Registration.
|
||||
// RegistrationEndpoint is the URL for the Dynamic Client Registration.
|
||||
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
|
||||
|
||||
//ScopesSupported lists an array of supported scopes. This list must not include every supported scope by the OP.
|
||||
// ScopesSupported lists an array of supported scopes. This list must not include every supported scope by the OP.
|
||||
ScopesSupported []string `json:"scopes_supported,omitempty"`
|
||||
|
||||
//ResponseTypesSupported contains a list of the OAuth 2.0 response_type values that the OP supports (code, id_token, token id_token, ...).
|
||||
// ResponseTypesSupported contains a list of the OAuth 2.0 response_type values that the OP supports (code, id_token, token id_token, ...).
|
||||
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
|
||||
|
||||
//ResponseModesSupported contains a list of the OAuth 2.0 response_mode values that the OP supports. If omitted, the default value is ["query", "fragment"].
|
||||
// ResponseModesSupported contains a list of the OAuth 2.0 response_mode values that the OP supports. If omitted, the default value is ["query", "fragment"].
|
||||
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
|
||||
|
||||
//GrantTypesSupported contains a list of the OAuth 2.0 grant_type values that the OP supports. If omitted, the default value is ["authorization_code", "implicit"].
|
||||
// GrantTypesSupported contains a list of the OAuth 2.0 grant_type values that the OP supports. If omitted, the default value is ["authorization_code", "implicit"].
|
||||
GrantTypesSupported []GrantType `json:"grant_types_supported,omitempty"`
|
||||
|
||||
//ACRValuesSupported contains a list of Authentication Context Class References that the OP supports.
|
||||
// ACRValuesSupported contains a list of Authentication Context Class References that the OP supports.
|
||||
ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
|
||||
|
||||
//SubjectTypesSupported contains a list of Subject Identifier types that the OP supports (pairwise, public).
|
||||
// SubjectTypesSupported contains a list of Subject Identifier types that the OP supports (pairwise, public).
|
||||
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
|
||||
|
||||
//IDTokenSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for the ID Token.
|
||||
// IDTokenSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for the ID Token.
|
||||
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
|
||||
|
||||
//IDTokenEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the ID Token.
|
||||
// IDTokenEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the ID Token.
|
||||
IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`
|
||||
|
||||
//IDTokenEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the ID Token.
|
||||
// IDTokenEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the ID Token.
|
||||
IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`
|
||||
|
||||
//UserinfoSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for UserInfo Endpoint.
|
||||
// UserinfoSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for UserInfo Endpoint.
|
||||
UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`
|
||||
|
||||
//UserinfoEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the UserInfo Endpoint.
|
||||
// UserinfoEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the UserInfo Endpoint.
|
||||
UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`
|
||||
|
||||
//UserinfoEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the UserInfo Endpoint.
|
||||
// UserinfoEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the UserInfo Endpoint.
|
||||
UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`
|
||||
|
||||
//RequestObjectSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for Request Objects.
|
||||
//These algorithms are used both then the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).
|
||||
// RequestObjectSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for Request Objects.
|
||||
// These algorithms are used both then the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).
|
||||
RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
|
||||
|
||||
//RequestObjectEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for Request Objects.
|
||||
//These algorithms are used both when the Request Object is passed by value and by reference.
|
||||
// RequestObjectEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for Request Objects.
|
||||
// These algorithms are used both when the Request Object is passed by value and by reference.
|
||||
RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`
|
||||
|
||||
//RequestObjectEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for Request Objects.
|
||||
//These algorithms are used both when the Request Object is passed by value and by reference.
|
||||
// RequestObjectEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for Request Objects.
|
||||
// These algorithms are used both when the Request Object is passed by value and by reference.
|
||||
RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`
|
||||
|
||||
//TokenEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Token Endpoint. If omitted, the default is client_secret_basic.
|
||||
// TokenEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Token Endpoint. If omitted, the default is client_secret_basic.
|
||||
TokenEndpointAuthMethodsSupported []AuthMethod `json:"token_endpoint_auth_methods_supported,omitempty"`
|
||||
|
||||
//TokenEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Token Endpoint
|
||||
//for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
|
||||
// TokenEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Token Endpoint
|
||||
// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
|
||||
TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
|
||||
|
||||
//RevocationEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Revocation Endpoint. If omitted, the default is client_secret_basic.
|
||||
// RevocationEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Revocation Endpoint. If omitted, the default is client_secret_basic.
|
||||
RevocationEndpointAuthMethodsSupported []AuthMethod `json:"revocation_endpoint_auth_methods_supported,omitempty"`
|
||||
|
||||
//RevocationEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
|
||||
//for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
|
||||
// RevocationEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
|
||||
// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
|
||||
RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
|
||||
|
||||
//IntrospectionEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Introspection Endpoint.
|
||||
// IntrospectionEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Introspection Endpoint.
|
||||
IntrospectionEndpointAuthMethodsSupported []AuthMethod `json:"introspection_endpoint_auth_methods_supported,omitempty"`
|
||||
|
||||
//IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
|
||||
//for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
|
||||
// IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
|
||||
// for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
|
||||
IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
|
||||
|
||||
//DisplayValuesSupported contains a list of display parameter values that the OP supports (page, popup, touch, wap).
|
||||
// DisplayValuesSupported contains a list of display parameter values that the OP supports (page, popup, touch, wap).
|
||||
DisplayValuesSupported []Display `json:"display_values_supported,omitempty"`
|
||||
|
||||
//ClaimTypesSupported contains a list of Claim Types that the OP supports (normal, aggregated, distributed). If omitted, the default is normal Claims.
|
||||
// ClaimTypesSupported contains a list of Claim Types that the OP supports (normal, aggregated, distributed). If omitted, the default is normal Claims.
|
||||
ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`
|
||||
|
||||
//ClaimsSupported contains a list of Claim Names the OP may be able to supply values for. This list might not be exhaustive.
|
||||
// ClaimsSupported contains a list of Claim Names the OP may be able to supply values for. This list might not be exhaustive.
|
||||
ClaimsSupported []string `json:"claims_supported,omitempty"`
|
||||
|
||||
//ClaimsParameterSupported specifies whether the OP supports use of the `claims` parameter. If omitted, the default is false.
|
||||
// ClaimsParameterSupported specifies whether the OP supports use of the `claims` parameter. If omitted, the default is false.
|
||||
ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
|
||||
|
||||
//CodeChallengeMethodsSupported contains a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by the OP.
|
||||
// CodeChallengeMethodsSupported contains a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by the OP.
|
||||
CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
|
||||
|
||||
//ServiceDocumentation is a URL where developers can get information about the OP and its usage.
|
||||
// ServiceDocumentation is a URL where developers can get information about the OP and its usage.
|
||||
ServiceDocumentation string `json:"service_documentation,omitempty"`
|
||||
|
||||
//ClaimsLocalesSupported contains a list of BCP47 language tag values that the OP supports for values of Claims returned.
|
||||
// ClaimsLocalesSupported contains a list of BCP47 language tag values that the OP supports for values of Claims returned.
|
||||
ClaimsLocalesSupported []language.Tag `json:"claims_locales_supported,omitempty"`
|
||||
|
||||
//UILocalesSupported contains a list of BCP47 language tag values that the OP supports for the user interface.
|
||||
// UILocalesSupported contains a list of BCP47 language tag values that the OP supports for the user interface.
|
||||
UILocalesSupported []language.Tag `json:"ui_locales_supported,omitempty"`
|
||||
|
||||
//RequestParameterSupported specifies whether the OP supports use of the `request` parameter. If omitted, the default value is false.
|
||||
// RequestParameterSupported specifies whether the OP supports use of the `request` parameter. If omitted, the default value is false.
|
||||
RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
|
||||
|
||||
//RequestURIParameterSupported specifies whether the OP supports use of the `request_uri` parameter. If omitted, the default value is true. (therefore no omitempty)
|
||||
// RequestURIParameterSupported specifies whether the OP supports use of the `request_uri` parameter. If omitted, the default value is true. (therefore no omitempty)
|
||||
RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`
|
||||
|
||||
//RequireRequestURIRegistration specifies whether the OP requires any `request_uri` to be pre-registered using the request_uris registration parameter. If omitted, the default value is false.
|
||||
// RequireRequestURIRegistration specifies whether the OP requires any `request_uri` to be pre-registered using the request_uris registration parameter. If omitted, the default value is false.
|
||||
RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
|
||||
|
||||
//OPPolicyURI is a URL the OP provides to the person registering the Client to read about the OP's requirements on how the RP can use the data provided by the OP.
|
||||
// OPPolicyURI is a URL the OP provides to the person registering the Client to read about the OP's requirements on how the RP can use the data provided by the OP.
|
||||
OPPolicyURI string `json:"op_policy_uri,omitempty"`
|
||||
|
||||
//OPTermsOfServiceURI is a URL the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service.
|
||||
// OPTermsOfServiceURI is a URL the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service.
|
||||
OPTermsOfServiceURI string `json:"op_tos_uri,omitempty"`
|
||||
}
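Review bot: The comment on IntrospectionEndpointAuthSigningAlgValuesSupported says the algorithms are "supported by the Revocation Endpoint", a copy-paste from the field above it; it should read `// IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Introspection Endpoint`. The ScopesSupported comment, "This list must not include every supported scope by the OP", inverts the intended meaning (an OP may choose not to advertise some scopes); `// ScopesSupported lists the scopes the OP advertises; it need not include every scope the OP actually supports.` says what was meant. Since relying parties feed these discovery values into token validation and client authentication choices, the wording should not leave room for reading an advertised list as exhaustive or mandatory.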
|
||||
|
||||
|
|
|
@ -13,8 +13,8 @@ type clientCredentialsGrant struct {
|
|||
clientSecret string `schema:"client_secret"`
|
||||
}
|
||||
|
||||
//ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant
|
||||
//sending client_id and client_secret as basic auth header
|
||||
// ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant
|
||||
// sending client_id and client_secret as basic auth header
|
||||
func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic {
|
||||
return &clientCredentialsGrantBasic{
|
||||
grantType: "client_credentials",
|
||||
|
@ -22,8 +22,8 @@ func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic
|
|||
}
|
||||
}
|
||||
|
||||
//ClientCredentialsGrantValues creates an oauth2 `Client Credentials` Grant
|
||||
//sending client_id and client_secret as form values
|
||||
// ClientCredentialsGrantValues creates an oauth2 `Client Credentials` Grant
|
||||
// sending client_id and client_secret as form values
|
||||
func ClientCredentialsGrantValues(clientID, clientSecret string, scopes ...string) *clientCredentialsGrant {
|
||||
return &clientCredentialsGrant{
|
||||
clientCredentialsGrantBasic: ClientCredentialsGrantBasic(scopes...),
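Review bot: `clientSecret string` at the top of the first hunk is an unexported field carrying a `schema:"client_secret"` tag; if that tag is consumed by a reflection-based form encoder, as the exported tagged fields elsewhere in this commit suggest, the field is invisible to the encoder and the secret is never written into the form body, so a request built by ClientCredentialsGrantValues would silently go out without client authentication. Either export the field (`ClientSecret string` with the same tag, and likewise for the client id if it is declared the same way) or, if the encoder is known to reach unexported fields, say so in a comment above the struct so the next linting pass does not "fix" it. The struct declaration and the body of ClientCredentialsGrantValues both lie partly outside the hunks.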
|
||||
|
|
|
@ -6,9 +6,9 @@ type JWTProfileGrantRequest struct {
|
|||
GrantType GrantType `schema:"grant_type"`
|
||||
}
|
||||
|
||||
//NewJWTProfileGrantRequest creates an oauth2 `JSON Web Token (JWT) Profile` Grant
|
||||
// NewJWTProfileGrantRequest creates an oauth2 `JSON Web Token (JWT) Profile` Grant
|
||||
//`urn:ietf:params:oauth:grant-type:jwt-bearer`
|
||||
//sending a self-signed jwt as assertion
|
||||
// sending a self-signed jwt as assertion
|
||||
func NewJWTProfileGrantRequest(assertion string, scopes ...string) *JWTProfileGrantRequest {
|
||||
return &JWTProfileGrantRequest{
|
||||
GrantType: GrantTypeBearer,
|
||||
|
|
|
@ -19,16 +19,16 @@ var (
|
|||
ErrKeyNone = errors.New("no possible keys matches")
|
||||
)
|
||||
|
||||
//KeySet represents a set of JSON Web Keys
|
||||
// KeySet represents a set of JSON Web Keys
|
||||
// - remotely fetch via discovery and jwks_uri -> `remoteKeySet`
|
||||
// - held by the OP itself in storage -> `openIDKeySet`
|
||||
// - dynamically aggregated by request for OAuth JWT Profile Assertion -> `jwtProfileKeySet`
|
||||
type KeySet interface {
|
||||
//VerifySignature verifies the signature with the given keyset and returns the raw payload
|
||||
// VerifySignature verifies the signature with the given keyset and returns the raw payload
|
||||
VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error)
|
||||
}
|
||||
|
||||
//GetKeyIDAndAlg returns the `kid` and `alg` claim from the JWS header
|
||||
// GetKeyIDAndAlg returns the `kid` and `alg` claim from the JWS header
|
||||
func GetKeyIDAndAlg(jws *jose.JSONWebSignature) (string, string) {
|
||||
keyID := ""
|
||||
alg := ""
|
||||
|
@ -40,11 +40,11 @@ func GetKeyIDAndAlg(jws *jose.JSONWebSignature) (string, string) {
|
|||
return keyID, alg
|
||||
}
|
||||
|
||||
//FindKey searches the given JSON Web Keys for the requested key ID, usage and key type
|
||||
// FindKey searches the given JSON Web Keys for the requested key ID, usage and key type
|
||||
//
|
||||
//will return the key immediately if matches exact (id, usage, type)
|
||||
// will return the key immediately if matches exact (id, usage, type)
|
||||
//
|
||||
//will return false none or multiple match
|
||||
// will return false none or multiple match
|
||||
//
|
||||
//deprecated: use FindMatchingKey which will return an error (more specific) instead of just a bool
|
||||
//moved implementation already to FindMatchingKey
|
||||
|
@ -53,35 +53,35 @@ func FindKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (jose.JSON
|
|||
return key, err == nil
|
||||
}
|
||||
|
||||
//FindMatchingKey searches the given JSON Web Keys for the requested key ID, usage and alg type
|
||||
// FindMatchingKey searches the given JSON Web Keys for the requested key ID, usage and alg type
|
||||
//
|
||||
//will return the key immediately if matches exact (id, usage, type)
|
||||
// will return the key immediately if matches exact (id, usage, type)
|
||||
//
|
||||
//will return a specific error if none (ErrKeyNone) or multiple (ErrKeyMultiple) match
|
||||
// will return a specific error if none (ErrKeyNone) or multiple (ErrKeyMultiple) match
|
||||
func FindMatchingKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (key jose.JSONWebKey, err error) {
|
||||
var validKeys []jose.JSONWebKey
|
||||
for _, k := range keys {
|
||||
//ignore all keys with wrong use (let empty use of published key pass)
|
||||
// ignore all keys with wrong use (let empty use of published key pass)
|
||||
if k.Use != use && k.Use != "" {
|
||||
continue
|
||||
}
|
||||
//ignore all keys with wrong algorithm type
|
||||
// ignore all keys with wrong algorithm type
|
||||
if !algToKeyType(k.Key, expectedAlg) {
|
||||
continue
|
||||
}
|
||||
//if we get here, use and alg match, so an equal (not empty) keyID is an exact match
|
||||
// if we get here, use and alg match, so an equal (not empty) keyID is an exact match
|
||||
if k.KeyID == keyID && keyID != "" {
|
||||
return k, nil
|
||||
}
|
||||
//keyIDs did not match or at least one was empty (if later, then it could be a match)
|
||||
// keyIDs did not match or at least one was empty (if later, then it could be a match)
|
||||
if k.KeyID == "" || keyID == "" {
|
||||
validKeys = append(validKeys, k)
|
||||
}
|
||||
}
|
||||
//if we get here, no match was possible at all (use / alg) or no exact match due to
|
||||
//the signed JWT and / or the published keys didn't have a kid
|
||||
//if later applies and only one key could be found, we'll return it
|
||||
//otherwise a corresponding error will be thrown
|
||||
// if we get here, no match was possible at all (use / alg) or no exact match due to
|
||||
// the signed JWT and / or the published keys didn't have a kid
|
||||
// if later applies and only one key could be found, we'll return it
|
||||
// otherwise a corresponding error will be thrown
|
||||
if len(validKeys) == 1 {
|
||||
return validKeys[0], nil
|
||||
}
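Review bot: The FindKey doc comment in the earlier hunk still ends with `//deprecated: use FindMatchingKey which will return an error ...`, lowercase and without a space; Go tooling (staticcheck, gopls, pkg.go.dev) only recognizes the form `// Deprecated: use FindMatchingKey instead.` on its own paragraph, and the formatter skipped the line because `//word:` looks like a directive, so callers currently get no deprecation warning. In FindMatchingKey, the fallback at the end of this hunk returns the single remaining candidate whenever either side lacks a `kid`, which also covers a JWS whose `kid` matches no published key while one published key has no `kid`; that is tolerant by design but deserves a line such as `// a JWS kid that matches nothing still reaches this fallback when a published key has no kid` so it is not mistaken for a bug later. The `use` filter likewise lets keys published without `use` verify signatures, so OPs wanting sig/enc separation must set `use` on every published key. FindMatchingKey's error return follows the hunk.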
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
package oidc
|
||||
|
||||
//EndSessionRequest for the RP-Initiated Logout according to:
|
||||
// EndSessionRequest for the RP-Initiated Logout according to:
|
||||
//https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
|
||||
type EndSessionRequest struct {
|
||||
IdTokenHint string `schema:"id_token_hint"`
|
||||
|
|
|
@ -14,7 +14,7 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
//BearerToken defines the token_type `Bearer`, which is returned in a successful token response
|
||||
// BearerToken defines the token_type `Bearer`, which is returned in a successful token response
|
||||
BearerToken = "Bearer"
|
||||
|
||||
PrefixBearer = BearerToken + " "
|
||||
|
@ -91,62 +91,62 @@ type accessTokenClaims struct {
|
|||
signatureAlg jose.SignatureAlgorithm `json:"-"`
|
||||
}
|
||||
|
||||
//GetIssuer implements the Claims interface
|
||||
// GetIssuer implements the Claims interface
|
||||
func (a *accessTokenClaims) GetIssuer() string {
|
||||
return a.Issuer
|
||||
}
|
||||
|
||||
//GetAudience implements the Claims interface
|
||||
// GetAudience implements the Claims interface
|
||||
func (a *accessTokenClaims) GetAudience() []string {
|
||||
return a.Audience
|
||||
}
|
||||
|
||||
//GetExpiration implements the Claims interface
|
||||
// GetExpiration implements the Claims interface
|
||||
func (a *accessTokenClaims) GetExpiration() time.Time {
|
||||
return time.Time(a.Expiration)
|
||||
}
|
||||
|
||||
//GetIssuedAt implements the Claims interface
|
||||
// GetIssuedAt implements the Claims interface
|
||||
func (a *accessTokenClaims) GetIssuedAt() time.Time {
|
||||
return time.Time(a.IssuedAt)
|
||||
}
|
||||
|
||||
//GetNonce implements the Claims interface
|
||||
// GetNonce implements the Claims interface
|
||||
func (a *accessTokenClaims) GetNonce() string {
|
||||
return a.Nonce
|
||||
}
|
||||
|
||||
//GetAuthenticationContextClassReference implements the Claims interface
|
||||
// GetAuthenticationContextClassReference implements the Claims interface
|
||||
func (a *accessTokenClaims) GetAuthenticationContextClassReference() string {
|
||||
return a.AuthenticationContextClassReference
|
||||
}
|
||||
|
||||
//GetAuthTime implements the Claims interface
|
||||
// GetAuthTime implements the Claims interface
|
||||
func (a *accessTokenClaims) GetAuthTime() time.Time {
|
||||
return time.Time(a.AuthTime)
|
||||
}
|
||||
|
||||
//GetAuthorizedParty implements the Claims interface
|
||||
// GetAuthorizedParty implements the Claims interface
|
||||
func (a *accessTokenClaims) GetAuthorizedParty() string {
|
||||
return a.AuthorizedParty
|
||||
}
|
||||
|
||||
//SetSignatureAlgorithm implements the Claims interface
|
||||
// SetSignatureAlgorithm implements the Claims interface
|
||||
func (a *accessTokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm) {
|
||||
a.signatureAlg = algorithm
|
||||
}
|
||||
|
||||
//GetSubject implements the AccessTokenClaims interface
|
||||
// GetSubject implements the AccessTokenClaims interface
|
||||
func (a *accessTokenClaims) GetSubject() string {
|
||||
return a.Subject
|
||||
}
|
||||
|
||||
//GetTokenID implements the AccessTokenClaims interface
|
||||
// GetTokenID implements the AccessTokenClaims interface
|
||||
func (a *accessTokenClaims) GetTokenID() string {
|
||||
return a.JWTID
|
||||
}
|
||||
|
||||
//SetPrivateClaims implements the AccessTokenClaims interface
|
||||
// SetPrivateClaims implements the AccessTokenClaims interface
|
||||
func (a *accessTokenClaims) SetPrivateClaims(claims map[string]interface{}) {
|
||||
a.claims = claims
|
||||
}
|
||||
|
@ -243,97 +243,97 @@ type idTokenClaims struct {
|
|||
signatureAlg jose.SignatureAlgorithm
|
||||
}
|
||||
|
||||
//GetIssuer implements the Claims interface
|
||||
// GetIssuer implements the Claims interface
|
||||
func (t *idTokenClaims) GetIssuer() string {
|
||||
return t.Issuer
|
||||
}
|
||||
|
||||
//GetAudience implements the Claims interface
|
||||
// GetAudience implements the Claims interface
|
||||
func (t *idTokenClaims) GetAudience() []string {
|
||||
return t.Audience
|
||||
}
|
||||
|
||||
//GetExpiration implements the Claims interface
|
||||
// GetExpiration implements the Claims interface
|
||||
func (t *idTokenClaims) GetExpiration() time.Time {
|
||||
return time.Time(t.Expiration)
|
||||
}
|
||||
|
||||
//GetIssuedAt implements the Claims interface
|
||||
// GetIssuedAt implements the Claims interface
|
||||
func (t *idTokenClaims) GetIssuedAt() time.Time {
|
||||
return time.Time(t.IssuedAt)
|
||||
}
|
||||
|
||||
//GetNonce implements the Claims interface
|
||||
// GetNonce implements the Claims interface
|
||||
func (t *idTokenClaims) GetNonce() string {
|
||||
return t.Nonce
|
||||
}
|
||||
|
||||
//GetAuthenticationContextClassReference implements the Claims interface
|
||||
// GetAuthenticationContextClassReference implements the Claims interface
|
||||
func (t *idTokenClaims) GetAuthenticationContextClassReference() string {
|
||||
return t.AuthenticationContextClassReference
|
||||
}
|
||||
|
||||
//GetAuthTime implements the Claims interface
|
||||
// GetAuthTime implements the Claims interface
|
||||
func (t *idTokenClaims) GetAuthTime() time.Time {
|
||||
return time.Time(t.AuthTime)
|
||||
}
|
||||
|
||||
//GetAuthorizedParty implements the Claims interface
|
||||
// GetAuthorizedParty implements the Claims interface
|
||||
func (t *idTokenClaims) GetAuthorizedParty() string {
|
||||
return t.AuthorizedParty
|
||||
}
|
||||
|
||||
//SetSignatureAlgorithm implements the Claims interface
|
||||
// SetSignatureAlgorithm implements the Claims interface
|
||||
func (t *idTokenClaims) SetSignatureAlgorithm(alg jose.SignatureAlgorithm) {
|
||||
t.signatureAlg = alg
|
||||
}
|
||||
|
||||
//GetNotBefore implements the IDTokenClaims interface
|
||||
// GetNotBefore implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetNotBefore() time.Time {
|
||||
return time.Time(t.NotBefore)
|
||||
}
|
||||
|
||||
//GetJWTID implements the IDTokenClaims interface
|
||||
// GetJWTID implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetJWTID() string {
|
||||
return t.JWTID
|
||||
}
|
||||
|
||||
//GetAccessTokenHash implements the IDTokenClaims interface
|
||||
// GetAccessTokenHash implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetAccessTokenHash() string {
|
||||
return t.AccessTokenHash
|
||||
}
|
||||
|
||||
//GetCodeHash implements the IDTokenClaims interface
|
||||
// GetCodeHash implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetCodeHash() string {
|
||||
return t.CodeHash
|
||||
}
|
||||
|
||||
//GetAuthenticationMethodsReferences implements the IDTokenClaims interface
|
||||
// GetAuthenticationMethodsReferences implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetAuthenticationMethodsReferences() []string {
|
||||
return t.AuthenticationMethodsReferences
|
||||
}
|
||||
|
||||
//GetClientID implements the IDTokenClaims interface
|
||||
// GetClientID implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetClientID() string {
|
||||
return t.ClientID
|
||||
}
|
||||
|
||||
//GetSignatureAlgorithm implements the IDTokenClaims interface
|
||||
// GetSignatureAlgorithm implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) GetSignatureAlgorithm() jose.SignatureAlgorithm {
|
||||
return t.signatureAlg
|
||||
}
|
||||
|
||||
//SetAccessTokenHash implements the IDTokenClaims interface
|
||||
// SetAccessTokenHash implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) SetAccessTokenHash(hash string) {
|
||||
t.AccessTokenHash = hash
|
||||
}
|
||||
|
||||
//SetUserinfo implements the IDTokenClaims interface
|
||||
// SetUserinfo implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) SetUserinfo(info UserInfo) {
|
||||
t.UserInfo = info
|
||||
}
|
||||
|
||||
//SetCodeHash implements the IDTokenClaims interface
|
||||
// SetCodeHash implements the IDTokenClaims interface
|
||||
func (t *idTokenClaims) SetCodeHash(hash string) {
|
||||
t.CodeHash = hash
|
||||
}
|
||||
|
|
|
@ -9,33 +9,34 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
//GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
|
||||
// GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
|
||||
GrantTypeCode GrantType = "authorization_code"
|
||||
|
||||
//GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
|
||||
// GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
|
||||
GrantTypeRefreshToken GrantType = "refresh_token"
|
||||
|
||||
//GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow
|
||||
// GrantTypeClientCredentials defines the grant_type `client_credentials` used for the Token Request in the Client Credentials Token Flow
|
||||
GrantTypeClientCredentials GrantType = "client_credentials"
|
||||
|
||||
//GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
|
||||
// GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
|
||||
GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
|
||||
|
||||
//GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant
|
||||
// GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant
|
||||
GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
|
||||
|
||||
//GrantTypeImplicit defines the grant type `implicit` used for implicit flows that skip the generation and exchange of an Authorization Code
|
||||
// GrantTypeImplicit defines the grant type `implicit` used for implicit flows that skip the generation and exchange of an Authorization Code
|
||||
GrantTypeImplicit GrantType = "implicit"
|
||||
|
||||
//ClientAssertionTypeJWTAssertion defines the client_assertion_type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
|
||||
//used for the OAuth JWT Profile Client Authentication
|
||||
// ClientAssertionTypeJWTAssertion defines the client_assertion_type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
|
||||
// used for the OAuth JWT Profile Client Authentication
|
||||
ClientAssertionTypeJWTAssertion = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
|
||||
)
|
||||
|
||||
var AllGrantTypes = []GrantType{
|
||||
GrantTypeCode, GrantTypeRefreshToken, GrantTypeClientCredentials,
|
||||
GrantTypeBearer, GrantTypeTokenExchange, GrantTypeImplicit,
|
||||
ClientAssertionTypeJWTAssertion}
|
||||
ClientAssertionTypeJWTAssertion,
|
||||
}
|
||||
|
||||
type GrantType string
|
||||
|
||||
|
@ -60,12 +61,12 @@ func (a *AccessTokenRequest) GrantType() GrantType {
|
|||
return GrantTypeCode
|
||||
}
|
||||
|
||||
//SetClientID implements op.AuthenticatedTokenRequest
|
||||
// SetClientID implements op.AuthenticatedTokenRequest
|
||||
func (a *AccessTokenRequest) SetClientID(clientID string) {
|
||||
a.ClientID = clientID
|
||||
}
|
||||
|
||||
//SetClientSecret implements op.AuthenticatedTokenRequest
|
||||
// SetClientSecret implements op.AuthenticatedTokenRequest
|
||||
func (a *AccessTokenRequest) SetClientSecret(clientSecret string) {
|
||||
a.ClientSecret = clientSecret
|
||||
}
|
||||
|
@ -85,12 +86,12 @@ func (a *RefreshTokenRequest) GrantType() GrantType {
|
|||
return GrantTypeRefreshToken
|
||||
}
|
||||
|
||||
//SetClientID implements op.AuthenticatedTokenRequest
|
||||
// SetClientID implements op.AuthenticatedTokenRequest
|
||||
func (a *RefreshTokenRequest) SetClientID(clientID string) {
|
||||
a.ClientID = clientID
|
||||
}
|
||||
|
||||
//SetClientSecret implements op.AuthenticatedTokenRequest
|
||||
// SetClientSecret implements op.AuthenticatedTokenRequest
|
||||
func (a *RefreshTokenRequest) SetClientSecret(clientSecret string) {
|
||||
a.ClientSecret = clientSecret
|
||||
}
|
||||
|
@ -148,55 +149,55 @@ func (j *JWTTokenRequest) GetCustomClaim(key string) interface{} {
|
|||
return j.private[key]
|
||||
}
|
||||
|
||||
//GetIssuer implements the Claims interface
|
||||
// GetIssuer implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetIssuer() string {
|
||||
return j.Issuer
|
||||
}
|
||||
|
||||
//GetAudience implements the Claims and TokenRequest interfaces
|
||||
// GetAudience implements the Claims and TokenRequest interfaces
|
||||
func (j *JWTTokenRequest) GetAudience() []string {
|
||||
return j.Audience
|
||||
}
|
||||
|
||||
//GetExpiration implements the Claims interface
|
||||
// GetExpiration implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetExpiration() time.Time {
|
||||
return time.Time(j.ExpiresAt)
|
||||
}
|
||||
|
||||
//GetIssuedAt implements the Claims interface
|
||||
// GetIssuedAt implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetIssuedAt() time.Time {
|
||||
return time.Time(j.IssuedAt)
|
||||
}
|
||||
|
||||
//GetNonce implements the Claims interface
|
||||
// GetNonce implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetNonce() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
//GetAuthenticationContextClassReference implements the Claims interface
|
||||
// GetAuthenticationContextClassReference implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetAuthenticationContextClassReference() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
//GetAuthTime implements the Claims interface
|
||||
// GetAuthTime implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetAuthTime() time.Time {
|
||||
return time.Time{}
|
||||
}
|
||||
|
||||
//GetAuthorizedParty implements the Claims interface
|
||||
// GetAuthorizedParty implements the Claims interface
|
||||
func (j *JWTTokenRequest) GetAuthorizedParty() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
//SetSignatureAlgorithm implements the Claims interface
|
||||
// SetSignatureAlgorithm implements the Claims interface
|
||||
func (j *JWTTokenRequest) SetSignatureAlgorithm(_ jose.SignatureAlgorithm) {}
|
||||
|
||||
//GetSubject implements the TokenRequest interface
|
||||
// GetSubject implements the TokenRequest interface
|
||||
func (j *JWTTokenRequest) GetSubject() string {
|
||||
return j.Subject
|
||||
}
|
||||
|
||||
//GetScopes implements the TokenRequest interface
|
||||
// GetScopes implements the TokenRequest interface
|
||||
func (j *JWTTokenRequest) GetScopes() []string {
|
||||
return j.Scopes
|
||||
}
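Review bot: The reformatted `AllGrantTypes` literal still ends with `ClientAssertionTypeJWTAssertion,`, but that constant is defined a few lines above as a client_assertion_type value (`urn:ietf:params:oauth:client-assertion-type:jwt-bearer`), not a grant_type, and it is an untyped string rather than a `GrantType` like its neighbours. If any caller treats `AllGrantTypes` as the allowlist of supported grant types, a token request carrying that URN as its grant_type would pass that check even though it is not a grant at all; whether such a caller exists is not visible in this hunk. Either drop it from the slice or state the reason it belongs there in a doc comment on the exported var, which currently has none, e.g. `// AllGrantTypes lists the grant_type values this package recognises.` followed by the justification for the client_assertion_type entry.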
|
||||
|
|
|
@ -61,11 +61,11 @@ type Verifier interface {
|
|||
Offset() time.Duration
|
||||
}
|
||||
|
||||
//ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim
|
||||
// ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim
|
||||
type ACRVerifier func(string) error
|
||||
|
||||
//DefaultACRVerifier implements `ACRVerifier` returning an error
|
||||
//if none of the provided values matches the acr claim
|
||||
// DefaultACRVerifier implements `ACRVerifier` returning an error
|
||||
// if none of the provided values matches the acr claim
|
||||
func DefaultACRVerifier(possibleValues []string) ACRVerifier {
|
||||
return func(acr string) error {
|
||||
if !str.Contains(possibleValues, acr) {
|
||||
|
@ -76,7 +76,7 @@ func DefaultACRVerifier(possibleValues []string) ACRVerifier {
|
|||
}
|
||||
|
||||
func DecryptToken(tokenString string) (string, error) {
|
||||
return tokenString, nil //TODO: impl
|
||||
return tokenString, nil // TODO: impl
|
||||
}
|
||||
|
||||
func ParseToken(tokenString string, claims interface{}) ([]byte, error) {
|
||||
|
@ -111,7 +111,7 @@ func CheckAudience(claims Claims, clientID string) error {
|
|||
return fmt.Errorf("%w: Audience must contain client_id %q", ErrAudience, clientID)
|
||||
}
|
||||
|
||||
//TODO: check aud trusted
|
||||
// TODO: check aud trusted
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -202,6 +202,7 @@ func CheckAuthorizationContextClassReference(claims Claims, acr ACRVerifier) err
|
|||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func CheckAuthTime(claims Claims, maxAge time.Duration) error {
|
||||
if maxAge == 0 {
|
||||
return nil
|
||||
|
|