eb10752e48
FEATURES (and FIXES): - support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009) - handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) - handle response mode - added some information to the discovery endpoint: - revocation_endpoint (added with token revocation) - revocation_endpoint_auth_methods_supported (added with token revocation) - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation) - token_endpoint_auth_signing_alg_values_supported (was missing) - introspection_endpoint_auth_signing_alg_values_supported (was missing) - request_object_signing_alg_values_supported (added with request object) - request_parameter_supported (added with request object) - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171) - improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`) - improved MarshalJSON and added MarshalJSONWithStatus - removed deprecated PEM decryption from `BytesToPrivateKey` [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19) - NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52) BREAKING CHANGE: - move functions from `utils` package into separate packages - added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32) - added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391) - remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14) |
||
|---|---|---|
| .codecov | ||
| .github | ||
| example | ||
| pkg | ||
| .gitignore | ||
| .releaserc.js | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| doc.go | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| README.md | ||
| SECURITY.md | ||
OpenID Connect SDK (client and server) for Go
What Is It
This project is a easy to use client (RP) and server (OP) implementation for the OIDC (Open ID Connect) standard written for Go.
The RP is certified for the basic and config profile.
Whenever possible we tried to reuse / extend existing packages like OAuth2 for Go.
How To Use It
Check the /example folder where example code for different scenarios is located.
# start oidc op server
# oidc discovery http://localhost:9998/.well-known/openid-configuration
CAOS_OIDC_DEV=1 go run github.com/caos/oidc/example/server/default
# start oidc web client
CLIENT_ID=web CLIENT_SECRET=web ISSUER=http://localhost:9998/ SCOPES=openid PORT=5556 go run github.com/caos/oidc/example/client/app
- browser http://localhost:5556/login will redirect to op server
- input id to login
- redirect to client app display user info
Features
| Code Flow | Implicit Flow | Hybrid Flow | Discovery | PKCE | Token Exchange | mTLS | JWT Profile | Refresh Token | |
|---|---|---|---|---|---|---|---|---|---|
| Relaying Party | yes | no1 | no | yes | yes | partial | not yet | yes | yes |
| Origin Party | yes | yes | not yet | yes | yes | not yet | not yet | yes | yes |
Resources
For your convenience you can find the relevant standards linked below.
- OpenID Connect Core 1.0 incorporating errata set 1
- Proof Key for Code Exchange by OAuth Public Clients
- OAuth 2.0 Token Exchange
- OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
Supported Go Versions
| Version | Supported |
|---|---|
| <1.13 | ❌ |
| 1.14 | ✅ |
| 1.15 | ✅ |
| 1.16 | ✅ |
| 1.17 | ✅ |
Why another library
As of 2020 there are not a lot of OIDC library's in Go which can handle server and client implementations. CAOS is strongly committed to the general field of IAM (Identity and Access Management) and as such, we need solid frameworks to implement services.
Goals
Other Go OpenID Connect libraries
https://github.com/coreos/go-oidc
The go-oidc does only support RP and is not feasible to use as OP that's why we could not rely on go-oidc
We did not choose fosite because it implements OAuth 2.0 on its own and does not rely on the golang provided package. Nonetheless this is a great project.
License
The full functionality of this library is and stays open source and free to use for everyone. Visit our website and get in touch.
See the exact licensing terms here
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.