handlers

package
v0.0.0-...-8d3f6a8 Latest

This package is not in the latest version of its module.
Published: Jul 25, 2025 License: MIT Imports: 19 Imported by: 0

Documentation

Constants

const (

	// c.Get(AccessTokenKey) -> string
	AccessTokenKey = "access_token"
	// c.Get(RefreshTokenKey) -> string
	RefreshTokenKey = "refresh_token"
	// c.Get(IDTokenKey) -> string
	IDTokenKey = "id_token"
	// Claims and Subject aren't tokens. They contain information pulled out of the ID token for convenience.
	// c.Get(ClaimsKey) -> map[string]any
	ClaimsKey = "claims"
	// c.Get(SubjectKey) -> string
	SubjectKey = "subject"
	// c.Get("oidc_provider") -> *oidc.Provider
	OIDCProviderKey = "oidc_provider"
	// c.Get("oauth_config") -> *oauth2.Config
	OAuthConfigKey = "oauth_config"
)

Variables

var (
	ErrClaimNotExists = errors.New("claim not found in context")
	ErrKeyNotExists   = errors.New("key not found in context")
	ErrKeyWrongType   = errors.New("key is not of the expected type")
)

Functions

func GetAccessTokenStringFromContext

func GetAccessTokenStringFromContext(c *gin.Context) (string, error)

func GetClaimFromContext

func GetClaimFromContext(c *gin.Context, claim string) (any, error)

func GetClaimsFromContext

func GetClaimsFromContext(c *gin.Context) (map[string]any, error)

func GetIDTokenStringFromContext

func GetIDTokenStringFromContext(c *gin.Context) (string, error)

func GetRefreshTokenStringFromContext

func GetRefreshTokenStringFromContext(c *gin.Context) (string, error)

func GetStringFromContext

func GetStringFromContext(c *gin.Context, key string) (string, error)

func GetSubjectFromContext

func GetSubjectFromContext(c *gin.Context) (string, error)

func OIDCProvider

func OIDCProvider(oh *OauthHandlers) *oidc.Provider

OIDCProvider returns the discovered oidc.Provider for callers that hold an OauthHandlers outside of a request context.

func OIDCProviderFromContext

func OIDCProviderFromContext(c *gin.Context) (*oidc.Provider, error)

OIDCProviderFromContext returns the oidc.Provider stored in the gin context, for callers inside a request context.

func RevokeToken

func RevokeToken(revocationEndpoint, clientid, clientsecret, token, hint string) error

RevokeToken implements RFC 7009 token revocation: it authenticates to the revocation endpoint with HTTP Basic auth (client ID and client secret) and revokes a single token, passing the optional token type hint.
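The RFC 7009 exchange described above, as an added example that is not the package's own code: the client POSTs the token (plus an optional token_type_hint) as a form body with HTTP Basic client credentials, and treats anything other than HTTP 200 as "not revoked". The revocation server here is a constructed in-process stand-in (FakeRevocationServer, handlerTransport and the issuer.example URL are assumptions for the demo, not part of the package) so the round trip runs offline; it also shows the two rejections a real authorization server returns, invalid_client for bad credentials and invalid_request for a missing token.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// RevokeToken performs an RFC 7009 revocation: POST form fields "token" and
// (optionally) "token_type_hint" to the revocation endpoint, authenticated as
// the client with HTTP Basic credentials.
func RevokeToken(client *http.Client, revocationEndpoint, clientID, clientSecret, token, hint string) error {
	form := url.Values{"token": {token}}
	if hint != "" {
		form.Set("token_type_hint", hint) // "access_token" or "refresh_token"
	}
	req, err := http.NewRequest(http.MethodPost, revocationEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	// RFC 7009 section 2.2: 200 means the token is now invalid (or already was).
	// Anything else means revocation did not happen; a logout flow should log
	// that rather than assume the token is dead.
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation endpoint %s returned HTTP %d", revocationEndpoint, resp.StatusCode)
	}
	return nil
}

// FakeRevocationServer is a constructed stand-in for an authorization server's
// revocation endpoint; it records which tokens it accepted.
type FakeRevocationServer struct {
	clientID, clientSecret string
	mu                     sync.Mutex
	revoked                []string
}

func (f *FakeRevocationServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	if !ok || id != f.clientID || subtle.ConstantTimeCompare([]byte(secret), []byte(f.clientSecret)) != 1 {
		w.Header().Set("WWW-Authenticate", `Basic realm="revocation"`)
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("token") == "" {
		http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		return
	}
	f.mu.Lock()
	f.revoked = append(f.revoked, r.PostForm.Get("token"))
	f.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// RevokedTokens returns a copy of the tokens the fake server has accepted.
func (f *FakeRevocationServer) RevokedTokens() []string {
	f.mu.Lock()
	defer f.mu.Unlock()
	return append([]string(nil), f.revoked...)
}

// handlerTransport routes client requests straight to a handler in-process,
// so the round trip runs without opening a socket.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// NewFakeRevocationServer returns the fake endpoint and an http.Client wired to it.
func NewFakeRevocationServer(clientID, clientSecret string) (*FakeRevocationServer, *http.Client) {
	f := &FakeRevocationServer{clientID: clientID, clientSecret: clientSecret}
	return f, &http.Client{Transport: handlerTransport{f}}
}

func main() {
	srv, client := NewFakeRevocationServer("my-client", "my-secret")
	err := RevokeToken(client, "https://issuer.example/revoke", "my-client", "my-secret", "rt-123", "refresh_token")
	fmt.Println("revoked:", srv.RevokedTokens(), "err:", err)
}
```

Against a real provider, pass the revocation_endpoint discovered from the OIDC metadata and a plain http.Client; the in-process transport exists only so the example and its checks run without a network.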

func TokenSource

func TokenSource(oh *OauthHandlers, ctx context.Context, refreshToken string) oauth2.TokenSource

TokenSource returns an oauth2.TokenSource built from the given refresh token, for callers that hold an OauthHandlers outside of a request context.

func TokenSourceFromContext

func TokenSourceFromContext(c *gin.Context) (oauth2.TokenSource, error)

TokenSourceFromContext returns an oauth2.TokenSource built from the refresh token stored in the gin context, for callers inside a request context.

func UserInfoFromContext

func UserInfoFromContext(c *gin.Context) (*oidc.UserInfo, error)

UserInfoFromContext is a helper that calls the OIDC UserInfo endpoint using the token stored in the request context.

Types

type OauthHandlers

type OauthHandlers struct {
	// contains filtered or unexported fields
}

func NewOauthHandlers

func NewOauthHandlers(
	oidcProvider,
	oauthClientID,
	oauthClientSecret,
	oauthRedirectUrl string,
	oauthScopes []string,
	addlOptions ...OauthHandlersOption) (*OauthHandlers, error)

func NewOauthHandlersWithOptions

func NewOauthHandlersWithOptions(opts ...OauthHandlersOption) (*OauthHandlers, error)

NewOauthHandlersWithOptions creates a new OauthHandlers with the provided options. If you use this function, be aware that some options are required for proper functionality.

func (*OauthHandlers) HandleLogin

func (h *OauthHandlers) HandleLogin(c *gin.Context)

HandleLogin initiates the login process. It sets up the OAuth state and a unique PKCE challenge, then sends the user off to authenticate with the auth server. The state will eventually be used by HandleRedirect to direct the user to the page they want to look at, so it has to be set up now. This function takes the URL query parameter ?next= with its value set to the next URL, base64url-encoded. The redirect goes to the authorization code URL discovered from the provider.

func (*OauthHandlers) HandleLogout

func (h *OauthHandlers) HandleLogout(c *gin.Context)

HandleLogout handles the logout process. It removes the id_token from the user's session and sends the user to the configured logout URL. Many OAuth/OIDC servers have an endpoint that instructs the auth server to invalidate tokens; if yours has one, it's good to use that as the logout URL. Some servers have a revocation endpoint instead. If a revocation endpoint is discovered during OIDC discovery, this handler tries to revoke the tokens with it before sending the user on to the configured oauthLogoutUrl.

func (*OauthHandlers) HandleRedirect

func (h *OauthHandlers) HandleRedirect(c *gin.Context)

HandleRedirect is the callback handler the user is redirected to after login. It completes the OAuth process: it extracts the auth code from the front channel and exchanges it for an access token on the back channel. It also decodes the state parameter created in the HandleLogin phase and uses it to determine where to send the user next. Finally, it saves the ID token to the user's session store and sends the user along.

func (*OauthHandlers) MiddlewareRequireLogin

func (h *OauthHandlers) MiddlewareRequireLogin(loginUrl string) gin.HandlerFunc

MiddlewareRequireLogin is a middleware that blocks users who have not yet logged in or whose token is invalid. It looks for an id_token in the user's session; that item is created by the HandleRedirect handler once the user has logged in. If there is no token, or if the token is invalid, the user is redirected to loginUrl. If everything checks out, the request is passed to the next handler. To make things a little easier for the next handler, a couple of values are set on the gin Context: "subject" -> the subject of the ID token, usable as a user identifier; "claims" -> a map containing whatever claims came with the token, which will vary depending on the requested scopes and the behavior of the auth server.

type OauthHandlersOption

type OauthHandlersOption (func(*OauthHandlers) error)

func WithOauth2Config

func WithOauth2Config(oauth2config *oauth2.Config) OauthHandlersOption

WithOauth2Config lets you provide your own oauth2.Config. If you use this option, you will probably also want to use the WithVerifier and WithOidcProvider options.

func WithOauthLogoutUrl

func WithOauthLogoutUrl(logoutUrl string) OauthHandlersOption

WithOauthLogoutUrl sets where users go after they log out. Check whether your OAuth provider has a logout endpoint.

func WithOauthPKCESecret

func WithOauthPKCESecret(pkcesecret string) OauthHandlersOption

WithOauthPKCESecret PKCE (RFC 7636) is a good security practice. The general idea is that in the first OAuth phase we pass a hash (the code challenge) to the auth server, and at token exchange we pass the original data (the code verifier). The auth server can then confirm that both requests came from the same place. Generally, you have to store this data somehow. In this implementation, we stuff it into the state parameter and encrypt it. This option sets the encryption key. If not set, encryption may include
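The login and redirect phases described under HandleLogin, HandleRedirect and WithOauthPKCESecret, as an added example that is not the package's own code: the login side derives an S256 code challenge from a fresh verifier, seals the verifier and the decoded ?next= target into the state parameter with AES-256-GCM, and builds the authorization URL; the redirect side opens the state and gets the verifier back, with any tampering or wrong key rejected by the GCM tag. The key derivation (SHA-256 of the PKCE secret), the local-path-only rule for next, and the issuer.example and app.example URLs are assumptions for the demo, not documented behaviour of the package.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// pkceChallengeS256 is the RFC 7636 S256 method: base64url(sha256(verifier)), no padding.
func pkceChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// loginState travels inside the encrypted state parameter instead of a server-side store.
type loginState struct {
	Verifier string `json:"v"` // PKCE code_verifier
	Next     string `json:"n"` // post-login destination
}

// stateAEAD derives an AES-256-GCM key from the PKCE secret (assumed derivation: SHA-256 of the secret).
func stateAEAD(secret string) cipher.AEAD {
	k := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)  // 12-byte nonce, 16-byte tag
	return gcm
}

// sealState encrypts and authenticates the state; the GCM tag makes it tamper-evident.
func sealState(secret string, st loginState) (string, error) {
	plain, err := json.Marshal(st)
	if err != nil {
		return "", err
	}
	gcm := stateAEAD(secret)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// openState is the redirect-phase inverse: a modified state or a wrong key fails here.
func openState(secret, state string) (st loginState, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(state)
	if err != nil {
		return st, err
	}
	gcm := stateAEAD(secret)
	if len(raw) < gcm.NonceSize() {
		return st, fmt.Errorf("state too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return st, err // "message authentication failed": trust no field of it
	}
	return st, json.Unmarshal(plain, &st)
}

// decodeNext accepts the base64url ?next= value but only a local path, so the
// post-login redirect cannot be pointed at another site (assumed policy).
func decodeNext(param string) (string, error) {
	b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(param, "="))
	if err != nil {
		return "", err
	}
	if next := string(b); strings.HasPrefix(next, "/") && !strings.HasPrefix(next, "//") {
		return next, nil
	}
	return "", fmt.Errorf("next must be a local path")
}

// BuildAuthURL is the login phase: fresh verifier, sealed state, S256 challenge in the query.
func BuildAuthURL(authEndpoint, clientID, redirectURL, secret, nextParam string) (string, error) {
	next, err := decodeNext(nextParam)
	if err != nil {
		return "", err
	}
	v := make([]byte, 32) // 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128)
	if _, err := rand.Read(v); err != nil {
		return "", err
	}
	verifier := base64.RawURLEncoding.EncodeToString(v)
	state, err := sealState(secret, loginState{Verifier: verifier, Next: next})
	if err != nil {
		return "", err
	}
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURL},
		"scope": {"openid"}, "state": {state}, "code_challenge": {pkceChallengeS256(verifier)},
		"code_challenge_method": {"S256"}}
	return authEndpoint + "?" + q.Encode(), nil
}

func main() {
	next := base64.RawURLEncoding.EncodeToString([]byte("/dashboard"))
	fmt.Println(BuildAuthURL("https://issuer.example/authorize", "my-client", "https://app.example/callback", "example-pkce-secret", next))
}
```

Because the verifier never leaves the client except inside the sealed state, an attacker who captures the authorization code on the front channel still cannot complete the exchange, which is the property PKCE exists for; the key set through WithOauthPKCESecret is what keeps the verifier confidential while the state round-trips through the browser.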

func WithOauthRevocationUrl

func WithOauthRevocationUrl(revocationUrl string) OauthHandlersOption

WithOauthRevocationUrl sets the URL used to revoke access tokens. Check whether your OAuth provider has a revocation endpoint.

func WithOauthSessionName

func WithOauthSessionName(sessionName string) OauthHandlersOption

WithOauthSessionName We're using gin-contrib/sessions to store the OIDC ID token and other data in the session. You should create a session using whatever storage medium you wish; use encryption if you can. Use this option to tell us which session the login information should be stored in.

func WithOidcProvider

func WithOidcProvider(oidcProvider *oidc.Provider) OauthHandlersOption

WithOidcProvider lets you provide your own oidc.Provider. If you use this option, you will probably also want to use the WithOauth2Config and WithVerifier options.

func WithTokenDecrypter

func WithTokenDecrypter(decrypter crypt.TokenDecrypter) OauthHandlersOption

WithTokenDecrypter lets you provide your own crypt.TokenDecrypter to decrypt JWE tokens.

func WithVerifier

func WithVerifier(verifier *oidc.IDTokenVerifier) OauthHandlersOption

WithVerifier lets you provide your own oidc.IDTokenVerifier. If you use this option, you will probably also want to use the WithOauth2Config and WithOidcProvider options.
