Fork of: https://github.com/zitadel/oidc/ https://zitadel.com

certified client code-flow code-flow-pkce discovery go golang jwt library oauth oauth2 oidc openid-connect openidconnect pkce refresh-token relying-party server standard

Find a file

Livio Amstutz a27ba09872 feat(op): dynamic issuer depending on request / host BREAKING CHANGE: The OpenID Provider package is now able to handle multiple issuers with a single storage implementation. The issuer will be selected from the host of the request and passed into the context, where every function can read it from if necessary. This results in some fundamental changes: - `Configuration` interface: - `Issuer() string` has been changed to `IssuerFromRequest(r http.Request) string` - `Insecure() bool` has been added - OpenIDProvider interface and dependants: - `Issuer` has been removed from Config struct - `NewOpenIDProvider` now takes an additional parameter `issuer` and returns a pointer to the public/default implementation and not an OpenIDProvider interface: `NewOpenIDProvider(ctx context.Context, config Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)` changed to `NewOpenIDProvider(ctx context.Context, issuer string, config Config, storage Storage, opOpts ...Option) (Provider, error)` - therefore the parameter type Option changed to the public type as well: `Option func(o Provider) error` - `AuthCallbackURL(o OpenIDProvider) func(string) string` has been changed to `AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string` - `IDTokenHintVerifier() IDTokenHintVerifier` (Authorizer, OpenIDProvider, SessionEnder interfaces), `AccessTokenVerifier() AccessTokenVerifier` (Introspector, OpenIDProvider, Revoker, UserinfoProvider interfaces) and `JWTProfileVerifier() JWTProfileVerifier` (IntrospectorJWTProfile, JWTAuthorizationGrantExchanger, OpenIDProvider, RevokerJWTProfile interfaces) now take a context.Context parameter `IDTokenHintVerifier(context.Context) IDTokenHintVerifier`, `AccessTokenVerifier(context.Context) AccessTokenVerifier` and `JWTProfileVerifier(context.Context) JWTProfileVerifier` - `OidcDevMode` (CAOS_OIDC_DEV) environment variable check has been removed, use `WithAllowInsecure()` Option - Signing: the signer is not kept in memory anymore, but created on request from the loaded key: - `Signer` interface and func `NewSigner` have been removed - `ReadySigner(s Signer) ProbesFn` has been removed - `CreateDiscoveryConfig(c Configuration, s Signer) oidc.DiscoveryConfiguration` has been changed to `CreateDiscoveryConfig(r http.Request, config Configuration, storage DiscoverStorage) oidc.DiscoveryConfiguration` - `Storage` interface: - `GetSigningKey(context.Context, chan<- jose.SigningKey)` has been changed to `SigningKey(context.Context) (SigningKey, error)` - `KeySet(context.Context) ([]Key, error)` has been added - `GetKeySet(context.Context) (jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)` - `SigAlgorithms(s Signer) []string` has been changed to `SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string` - KeyProvider interface: `GetKeySet(context.Context) (jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)` - `CreateIDToken`: the Signer parameter has been removed		2022-04-22 14:23:29 +02:00
.codecov	docs(example): implement OpenID Provider (#165 )	2022-04-21 17:54:00 +02:00
.github	chore(deps): bump actions/setup-go from 2 to 3 (#170 )	2022-04-12 08:00:56 +02:00
example	feat(op): dynamic issuer depending on request / host	2022-04-22 14:23:29 +02:00
pkg	feat(op): dynamic issuer depending on request / host	2022-04-22 14:23:29 +02:00
.gitignore	Fix: userinfo (#15 )	2020-03-06 17:14:30 +01:00
.releaserc.js	fix: improve JWS and key verification (#128 )	2021-09-14 15:13:44 +02:00
CODE_OF_CONDUCT.md	chore: code of conduct (#112 )	2021-08-03 16:52:16 +02:00
CONTRIBUTING.md	chore: add CONTRIBUTING.md	2021-08-27 15:26:41 +02:00
doc.go	initial commit	2020-01-31 15:22:16 +01:00
go.mod	feat(op): dynamic issuer depending on request / host	2022-04-22 14:23:29 +02:00
go.sum	feat(op): dynamic issuer depending on request / host	2022-04-22 14:23:29 +02:00
LICENSE	initial commit	2020-01-31 15:22:16 +01:00
README.md	docs(example): implement OpenID Provider (#165 )	2022-04-21 17:54:00 +02:00
SECURITY.md	docs(security): typo	2020-02-05 14:49:53 +01:00

README.md

OpenID Connect SDK (client and server) for Go

What Is It

This project is an easy-to-use client (RP) and server (OP) implementation for the OIDC (OpenID Connect) standard written for Go.

The RP is certified for the basic and config profile.

Whenever possible we tried to reuse / extend existing packages like OAuth2 for Go.

Basic Overview

The most important packages of the library:

/pkg
    /client     clients using the OP for retrieving, exchanging and verifying tokens       
        /rp     definition and implementation of an OIDC Relying Party (client)
        /rs     definition and implementation of an OAuth Resource Server (API)
    /op         definition and implementation of an OIDC OpenID Provider (server)
    /oidc       definitions shared by clients and server

/example
    /api        example of an api / resource server implementation using token introspection
    /app        web app / RP demonstrating authorization code flow using various authentication methods (code, PKCE, JWT profile)
    /github     example of the extended OAuth2 library, providing an HTTP client with a reuse token source
    /service    demonstration of JWT Profile Authorization Grant
    /server     example of an OpenID Provider implementation including some very basic login UI

How To Use It

Check the /example folder where example code for different scenarios is located.

# start oidc op server
# oidc discovery http://localhost:9998/.well-known/openid-configuration
go run github.com/caos/oidc/example/server
# start oidc web client
CLIENT_ID=web CLIENT_SECRET=secret ISSUER=http://localhost:9998/ SCOPES="openid profile" PORT=9999 go run github.com/caos/oidc/example/client/app

open http://localhost:9999/login in your browser
you will be redirected to op server and the login UI
login with user test-user and password verysecure
the OP will redirect you to the client app, which displays the user info

Features

	Code Flow	Implicit Flow	Hybrid Flow	Discovery	PKCE	Token Exchange	mTLS	JWT Profile	Refresh Token
Relying Party	yes	no¹	no	yes	yes	partial	not yet	yes	yes
OpenID Provider	yes	yes	not yet	yes	yes	not yet	not yet	yes	yes

Resources

For your convenience you can find the relevant standards linked below.

Supported Go Versions

For security reasons, we only support and recommend the use of one of the latest two Go versions (✅).
Versions that also build are marked with ⚠️.

Version	Supported
<1.15	❌
1.15	⚠️
1.16	⚠️
1.17	✅
1.18	✅

Why another library

As of 2020 there are not a lot of OIDC library's in Go which can handle server and client implementations. CAOS is strongly committed to the general field of IAM (Identity and Access Management) and as such, we need solid frameworks to implement services.

Goals

Certify this library as OP

Other Go OpenID Connect libraries

https://github.com/coreos/go-oidc

The go-oidc does only support RP and is not feasible to use as OP that's why we could not rely on go-oidc

https://github.com/ory/fosite

We did not choose fosite because it implements OAuth 2.0 on its own and does not rely on the golang provided package. Nonetheless this is a great project.

License

The full functionality of this library is and stays open source and free to use for everyone. Visit our website and get in touch.

See the exact licensing terms here

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

https://github.com/caos/oidc/issues/135#issuecomment-950563892 ↩︎