import "code.pfad.fr/gopenidclient/coreos"
Package coreos provides a Provider for OpenID Connect (code.pfad.fr/gopenidclient), backed by the github.com/coreos/go-oidc/v3/oidc package.
Example
package main
import (
"crypto/rand"
"crypto/rsa"
"log"
"net/http"
"time"
"code.pfad.fr/gopenidclient"
"code.pfad.fr/gopenidclient/assertion"
"code.pfad.fr/gopenidclient/coreos"
)
func main() {
	// The key is generated fresh here only for the example: persist it somewhere
	// (it can be serialized with x509.MarshalPKCS1PrivateKey) and keep it private,
	// since the client assertions are signed with it.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}

	// Build the (downgradable) certificate from the key.
	cert := assertion.NewSesquiennial(key, "Example Org")

	// The signed assertion takes the place of a client secret; Validity bounds
	// the lifetime of every assertion that is issued.
	clientAssertion := assertion.RS256{
		GetThumbprint: cert.Thumbprint,
		Validity:      time.Minute,
		CliendID:      "<OAUTH2_CLIENT_ID from identity provider>",
		Key:           key,
	}

	// Configure the provider with the assertion; ClientSecret is not needed.
	var prov gopenidclient.Provider
	prov = &coreos.OIDC{
		Issuer:          "issuer_url",
		ClientID:        clientAssertion.CliendID,
		Scopes:          []string{"openid", "email", "profile"},
		ClientAssertion: clientAssertion,
	}

	// From here on the provider behaves like any other Provider. The plain-http
	// localhost callback is only suitable for local development.
	prov.SetRedirectURL("http://localhost:8080/auth/callback")

	// Exposing the public certificate eases handing it over to the identity provider.
	// NOTE(review): the route ends in ".pem" while the handler is ServeDER —
	// confirm which encoding the identity provider expects before relying on it.
	http.Handle("/auth/certificate.pem", http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		cert.ServeDER(rw, req)
	}))

	// The certificate can be downgraded when ExchangeHandler.HandleCallback returns an error.
}
// OIDC implements a Provider for the OpenID Connect flow of code.pfad.fr/gopenidclient.
// The unexported fields have suitable default values, so no constructor is needed:
// a struct literal with the exported fields set (as in the package example) is enough.
type OIDC struct {
	// Issuer is the URL of the OpenID Connect issuer (the identity provider).
	Issuer string
	// ClientID is the OAuth2 client identifier obtained from the identity provider.
	ClientID string
	// ClientAssertion is more secure than ClientSecret, see the example.
	ClientAssertion gopenidclient.Assertion
	// ClientSecret can be left blank, when ClientAssertion is used.
	ClientSecret string
	// Scopes are the scopes requested during the authorization flow
	// (the example requests "openid", "email" and "profile").
	Scopes []string
	// HTTPClient, when set, replaces http.DefaultClient (presumably for the
	// requests made to the identity provider); http.DefaultClient is used if left nil.
	HTTPClient *http.Client
	// contains filtered or unexported fields
}
OIDC implements a Provider for the OpenID Connect flow of code.pfad.fr/gopenidclient. The unexported fields have suitable default values (hence no New method is needed).
AuthCodeURL returns the authorization URL to redirect the user to.
func (o *OIDC) Exchange(code, verifier string) (token *oauth2.Token, unmarshalUser func(interface{}) error, err error)
Exchange exchanges the code for a token and returns a function that unmarshals the user info.
func (o *OIDC) Refresh(refreshToken string) (token *oauth2.Token, unmarshalUser func(interface{}) error, err error)
SetRedirectURL sets the local callback URL.