0.0.0-20160908143337-11f62933e071
Repository: https://github.com/ericchiang/oidc.git
# README
OpenID Connect client support for Go
This package implements OpenID Connect client logic for the golang.org/x/oauth2 package.
// Discover the provider's metadata (the endpoints and data needed to request
// and verify ID Tokens) from the issuer URL.
provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")
if err != nil {
	return err
}

// oidc.ScopeOpenID is mandatory for every OpenID Connect request; the other
// scopes are optional profile data.
scopes := []string{oidc.ScopeOpenID, "profile", "email"}

// Configure an OpenID Connect aware OAuth2 client on the discovered endpoint.
oauth2Config := oauth2.Config{
	ClientID:     clientID,
	ClientSecret: clientSecret,
	RedirectURL:  redirectURL,
	Endpoint:     provider.Endpoint(),
	Scopes:       scopes,
}
OAuth2 redirects are unchanged.
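// handleRedirect starts the login by sending the browser to the provider's
// authorization endpoint.
//
// state must be an unguessable value bound to the current session; the
// callback handler compares it with the value the provider sends back and
// rejects responses that this session did not initiate (CSRF protection).
func handleRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
}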
In the callback, the provider can be used to query user information such as email.
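// handleOAuth2Callback completes the authorization code flow and fetches the
// user's claims from the provider's userinfo endpoint.
func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
	// Verify state: compare r.URL.Query().Get("state") with the value stored
	// for this session when the redirect was issued, and stop here if it does
	// not match. Without this check a response started in another session can
	// be completed in this one.
	oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
	if err != nil {
		// err.Error() from the provider is echoed to the browser here; in
		// production log it server-side and return a generic message instead.
		http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
		return
	}
	// UserInfo queries the provider's userinfo endpoint with the access
	// token. The endpoint is optional in OpenID Connect, so a provider
	// without one presumably yields ErrNotSupported (documented below).
	userinfo, err := provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
	if err != nil {
		http.Error(w, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
		return
	}
	// ...
}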
Or the provider can be used to verify and inspect the OpenID Connect ID Token in the token response.
// A verifier built without options checks that an ID Token is signed by the
// provider; audience and expiry checks are opt-in via the VerificationOption
// values documented below.
var verifier = provider.NewVerifier(ctx)
The verifier itself can be constructed with additional checks, such as verifying that a token was issued for a specific client or has not expired.
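// Require the token to have been issued for this client and to be unexpired.
// If the authorization request carried a Nonce, also pass oidc.VerifyNonce
// with a NonceSource so a captured ID Token cannot be presented twice.
verifier := provider.NewVerifier(ctx, oidc.VerifyAudience(clientID), oidc.VerifyExpiry())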
The returned verifier can be used to ensure the ID Token (a JWT) is signed by the provider.
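// handleOAuth2Callback completes the authorization code flow, verifies the
// ID Token returned with the access token, and reads custom claims from it.
func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
	// Verify state: compare r.URL.Query().Get("state") with the value stored
	// for this session when the redirect was issued, and stop here if it does
	// not match. Without this check a response started in another session can
	// be completed in this one.
	oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
	if err != nil {
		// err.Error() from the provider is echoed to the browser here; in
		// production log it server-side and return a generic message instead.
		http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
		return
	}
	// Extract the ID Token from the oauth2 token. It travels as an extra
	// field, so the assertion fails when the provider returned none.
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		http.Error(w, "No ID Token found", http.StatusInternalServerError)
		return
	}
	// Verify that the ID Token is signed by the provider. Audience and expiry
	// are enforced only when verifier was constructed with oidc.VerifyAudience
	// and oidc.VerifyExpiry; they are opt-in options, not defaults.
	idToken, err := verifier.Verify(rawIDToken)
	if err != nil {
		http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
		return
	}
	// Unmarshal ID Token for expected custom claims. Rely on claims.Email
	// for account decisions only when claims.EmailVerified is true.
	var claims struct {
		Email         string `json:"email"`
		EmailVerified bool   `json:"email_verified"`
	}
	if err := idToken.Claims(&claims); err != nil {
		http.Error(w, "Failed to unmarshal ID Token claims: "+err.Error(), http.StatusInternalServerError)
		return
	}
	// ...
}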
# Functions
NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
Nonce returns an auth code option which requires the ID Token created by the OpenID Connect provider to contain the specified nonce.
VerifyAudience ensures that an ID Token was issued for the specific client.
VerifyExpiry ensures that an ID Token has not expired.
VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source.
# Constants
ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting OAuth2 refresh tokens.
ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests.
# Variables
ErrNotSupported indicates that the requested optional OpenID Connect endpoint is not supported by the provider.
ErrTokenExpired indicates that a token parsed by a verifier has expired.
# Structs
IDToken is an OpenID Connect extension that provides a predictable representation of an authorization event.
IDTokenVerifier provides verification for ID Tokens.
Provider contains the subset of the OpenID Connect provider metadata needed to request and verify ID Tokens.
UserInfo represents the OpenID Connect userinfo claims.
# Interfaces
NonceSource represents a source which can verify a nonce is valid and has not been claimed before.
VerificationOption is an option provided to Provider.NewVerifier.