coreos package

import "code.pfad.fr/gopenidclient/coreos"

package coreos provides a Provider for OpenID Connect (code.pfad.fr/gopenidclient), backed by the github.com/coreos/go-oidc/v3/oidc package.

// persist the privateKey somewhere (can be serialized using x509.MarshalPKCS1PrivateKey for instance)
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
	log.Fatal(err)
}

// create the (downgradable) certificate
certificate := assertion.NewSesquiennial(privateKey, "Example Org")
rs256 := assertion.RS256{
	GetThumbprint: certificate.Thumbprint,
	Validity:      time.Minute,
	CliendID:      "<OAUTH2_CLIENT_ID from identity provider>",
	Key:           privateKey,
}

// setup the provider using the assertion (instead of the client secret)
var provider gopenidclient.Provider = (&coreos.OIDC{
	Issuer:          "issuer_url",
	ClientID:        rs256.CliendID,
	Scopes:          []string{"openid", "email", "profile"},
	ClientAssertion: rs256,
	// ClientSecret can be omitted
})

// the provider can be used like any other provider
provider.SetRedirectURL("http://localhost:8080/auth/callback")

// the public certificate can be exposed to ease the transmission to the identity provider
http.HandleFunc("/auth/certificate.pem", func(w http.ResponseWriter, r *http.Request) {
	certificate.ServeDER(w, r)
})

// the certificate can be downgraded on ExchangeHandler.HandleCallback error

Index ¶

• type OIDC
  • func (o *OIDC) AuthCodeURL(state string) (string, string, error)
  • func (o *OIDC) EndSessionURL() (*url.URL, error)
  • func (o *OIDC) Exchange(code, verifier string) (token *oauth2.Token, unmarshalUser func(interface{}) error, err error)
  • func (o *OIDC) Refresh(refreshToken string) (token *oauth2.Token, unmarshalUser func(interface{}) error, err error)
  • func (o *OIDC) SetRedirectURL(url string)

Examples ¶

• Package

type OIDC ¶

type OIDC struct {
	Issuer   string
	ClientID string
	// ClientAssertion is more secure than ClientSecret, see the example.
	ClientAssertion gopenidclient.Assertion
	// ClientSecret can be left blank, when ClientAssertion is used.
	ClientSecret string
	Scopes       []string
	HTTPClient   *http.Client // will use http.DefaultClient if let nil
	// contains filtered or unexported fields
}

OIDC implements a Provider for the OpenID Connect flow of code.pfad.fr/gopenidclient. The unexported fields have a suitable default values (hence no New method needed).

func (*OIDC) AuthCodeURL ¶

func (o *OIDC) AuthCodeURL(state string) (string, string, error)

AuthCodeURL returns the Auth-URL to redirect the user to

func (*OIDC) EndSessionURL ¶

func (o *OIDC) EndSessionURL() (*url.URL, error)

func (*OIDC) Exchange ¶

func (o *OIDC) Exchange(code, verifier string) (token *oauth2.Token, unmarshalUser func(interface{}) error, err error)

Exchange exchanges the code and provides a way to unmarshal the user info

func (*OIDC) Refresh ¶

func (o *OIDC) Refresh(refreshToken string) (token *oauth2.Token, unmarshalUser func(interface{}) error, err error)

func (*OIDC) SetRedirectURL ¶

func (o *OIDC) SetRedirectURL(url string)

SetRedirectURL sets the local callback URL.

Source Files ¶

oidc.go