func ClientContext(ctxcontext.Context, client *http.Client)context.Context

func InsecureIssuerURLContext(ctxcontext.Context, issuerURLstring)context.Context

func Nonce(noncestring)oauth2.AuthCodeOption

type Config struct {// Expected audience of the token. For a majority of the cases this is expected to be// the ID of the client that initialized the login flow. It may occasionally differ if// the provider supports the authorizing party (azp) claim.//// If not provided, users must explicitly set SkipClientIDCheck.ClientIDstring// If specified, only this set of algorithms may be used to sign the JWT.//// If the IDTokenVerifier is created from a provider with (*Provider).Verifier, this// defaults to the set of algorithms the provider supports. Otherwise this values// defaults to RS256.SupportedSigningAlgs []string// If true, no ClientID check performed. Must be true if ClientID field is empty.SkipClientIDCheckbool// If true, token expiry is not checked.SkipExpiryCheckbool// SkipIssuerCheck is intended for specialized cases where the the caller wishes to// defer issuer validation. When enabled, callers MUST independently verify the Token's// Issuer is a known good value.//// Mismatched issuers often indicate client mis-configuration. If mismatches are// unexpected, evaluate if the provided issuer URL is incorrect instead of enabling// this option.SkipIssuerCheckbool// Time function to check Token expiry. Defaults to time.NowNow func()time.Time// InsecureSkipSignatureCheck causes this package to skip JWT signature validation.// It's intended for special cases where providers (such as Azure), use the "none"// algorithm.//// This option can only be enabled safely when the ID Token is received directly// from the provider after the token exchange.//// This option MUST NOT be used when receiving an ID Token from sources other// than the token endpoint.InsecureSkipSignatureCheckbool}

type IDToken struct {// The URL of the server which issued this token. OpenID Connect// requires this value always be identical to the URL used for// initial discovery.//// Note: Because of a known issue with Google Accounts' implementation// this value may differ when using Google.//// See:https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfoIssuerstring// The client ID, or set of client IDs, that this token is issued for. For// common uses, this is the client that initialized the auth flow.//// This package ensures the audience contains an expected value.Audience []string// A unique string which identifies the end user.Subjectstring// Expiry of the token. Ths package will not process tokens that have// expired unless that validation is explicitly turned off.Expirytime.Time// When the token was issued by the provider.IssuedAttime.Time// Initial nonce provided during the authentication redirect.//// This package does NOT provided verification on the value of this field// and it's the user's responsibility to ensure it contains a valid value.Noncestring// at_hash claim, if set in the ID token. Callers can verify an access token// that corresponds to the ID token using the VerifyAccessToken method.AccessTokenHashstring// contains filtered or unexported fields}

func (*IDToken)Claims¶

func (i *IDToken) Claims(v interface{})error

Claims unmarshals the raw JSON payload of the ID Token into a provided struct.

idToken, err := idTokenVerifier.Verify(rawIDToken)if err != nil {// handle error}var claims struct {Email         string `json:"email"`EmailVerified bool   `json:"email_verified"`}if err := idToken.Claims(&claims); err != nil {// handle error}

func (*IDToken)VerifyAccessToken¶

func (i *IDToken) VerifyAccessToken(accessTokenstring)error

VerifyAccessToken verifies that the hash of the access token that corresponds to the iD tokenmatches the hash in the id token. It returns an error if the hashes don't match.It is the caller's responsibility to ensure that the optional access token hash is present for the ID tokenbefore calling this method. Seehttps://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

type IDTokenVerifier struct {// contains filtered or unexported fields}

funcNewVerifier¶

func NewVerifier(issuerURLstring, keySetKeySet, config *Config) *IDTokenVerifier

NewVerifier returns a verifier manually constructed from a key set and issuer URL.

It's easier to use provider discovery to construct an IDTokenVerifier than creatingone directly. This method is intended to be used with provider that don't supportmetadata discovery, or avoiding round trips when the key set URL is already known.

This constructor can be used to create a verifier directly using the issuer URL andJSON Web Key Set URL without using discovery:

keySet := oidc.NewRemoteKeySet(ctx, "https://www.googleapis.com/oauth2/v3/certs")verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)

Or a static key set (e.g. for testing):

keySet := &oidc.StaticKeySet{PublicKeys: []crypto.PublicKey{pub1, pub2}}verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)

func (*IDTokenVerifier)Verify¶

func (v *IDTokenVerifier) Verify(ctxcontext.Context, rawIDTokenstring) (*IDToken,error)

Verify parses a raw ID Token, verifies it's been signed by the provider, performsany additional checks depending on the Config, and returns the payload.

Verify does NOT do nonce validation, which is the callers responsibility.

See:https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))if err != nil {    // handle error}// Extract the ID Token from oauth2 token.rawIDToken, ok := oauth2Token.Extra("id_token").(string)if !ok {    // handle error}token, err := verifier.Verify(ctx, rawIDToken)

type KeySet interface {// VerifySignature parses the JSON web token, verifies the signature, and returns// the raw payload. Header and claim fields are validated by other parts of the// package. For example, the KeySet does not need to check values such as signature// algorithm, issuer, and audience since the IDTokenVerifier validates these values// independently.//// If VerifySignature makes HTTP requests to verify the token, it's expected to// use any HTTP client associated with the context through ClientContext.VerifySignature(ctxcontext.Context, jwtstring) (payload []byte, errerror)}

type Provider struct {// contains filtered or unexported fields}

funcNewProvider¶

func NewProvider(ctxcontext.Context, issuerstring) (*Provider,error)

NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.The issuer is the URL identifier for the service. For example: "https://accounts.google.com"or "https://login.salesforce.com".

OpenID Connect providers that don't implement discovery or host the discoverydocument at a non-spec complaint path (such as requiring a URL parameter),should useProviderConfig instead.

See:https://openid.net/specs/openid-connect-discovery-1_0.html

func (*Provider)Claims¶

func (p *Provider) Claims(v interface{})error

Claims unmarshals raw fields returned by the server during discovery.

var claims struct {    ScopesSupported []string `json:"scopes_supported"`    ClaimsSupported []string `json:"claims_supported"`}if err := provider.Claims(&claims); err != nil {    // handle unmarshaling error}

For a list of fields defined by the OpenID Connect spec see:https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

func (*Provider)Endpoint¶

func (p *Provider) Endpoint()oauth2.Endpoint

Endpoint returns the OAuth2 auth and token endpoints for the given provider.

func (*Provider)UserInfo¶

func (p *Provider) UserInfo(ctxcontext.Context, tokenSourceoauth2.TokenSource) (*UserInfo,error)

UserInfo uses the token source to query the provider's user info endpoint.

func (*Provider)UserInfoEndpoint¶added inv3.6.0

func (p *Provider) UserInfoEndpoint()string

UserInfoEndpoint returns the OpenID Connect userinfo endpoint for the givenprovider.

func (*Provider)Verifier¶

func (p *Provider) Verifier(config *Config) *IDTokenVerifier

Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.

The returned verifier uses a background context for all requests to the upstreamJWKs endpoint. To control that context, use VerifierContext instead.

func (*Provider)VerifierContext¶added inv3.6.0

func (p *Provider) VerifierContext(ctxcontext.Context, config *Config) *IDTokenVerifier

VerifierContext returns an IDTokenVerifier that uses the provider's key set toverify JWTs. As opposed to Verifier, the context is used to configure requeststo the upstream JWKs endpoint. The provided context's cancellation is ignored.

type ProviderConfig struct {// IssuerURL is the identity of the provider, and the string it uses to sign// ID tokens with. For example "https://accounts.google.com". This value MUST// match ID tokens exactly.IssuerURLstring `json:"issuer"`// AuthURL is the endpoint used by the provider to support the OAuth 2.0// authorization endpoint.AuthURLstring `json:"authorization_endpoint"`// TokenURL is the endpoint used by the provider to support the OAuth 2.0// token endpoint.TokenURLstring `json:"token_endpoint"`// DeviceAuthURL is the endpoint used by the provider to support the OAuth 2.0// device authorization endpoint.DeviceAuthURLstring `json:"device_authorization_endpoint"`// UserInfoURL is the endpoint used by the provider to support the OpenID// Connect UserInfo flow.////https://openid.net/specs/openid-connect-core-1_0.html#UserInfoUserInfoURLstring `json:"userinfo_endpoint"`// JWKSURL is the endpoint used by the provider to advertise public keys to// verify issued ID tokens. This endpoint is polled as new keys are made// available.JWKSURLstring `json:"jwks_uri"`// Algorithms, if provided, indicate a list of JWT algorithms allowed to sign// ID tokens. If not provided, this defaults to the algorithms advertised by// the JWK endpoint, then the set of algorithms supported by this package.Algorithms []string `json:"id_token_signing_alg_values_supported"`}

func (*ProviderConfig)NewProvider¶added inv3.2.0

func (p *ProviderConfig) NewProvider(ctxcontext.Context) *Provider

NewProvider initializes a provider from a set of endpoints, rather thanthrough discovery.

The provided context is only used forhttp.Client configuration throughClientContext, not cancelation.

type RemoteKeySet struct {// contains filtered or unexported fields}

funcNewRemoteKeySet¶

func NewRemoteKeySet(ctxcontext.Context, jwksURLstring) *RemoteKeySet

NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTPGETs to fetch JSON web token sets hosted at a remote URL. This is automaticallyused by NewProvider using the URLs returned by OpenID Connect discovery, but isexposed for providers that don't support discovery or to prevent round trips to thediscovery URL.

The returned KeySet is a long lived verifier that caches keys based on anykeys change. Reuse a common remote key set instead of creating new ones as needed.

func (*RemoteKeySet)VerifySignature¶

func (r *RemoteKeySet) VerifySignature(ctxcontext.Context, jwtstring) ([]byte,error)

VerifySignature validates a payload against a signature from the jwks_uri.

Users MUST NOT call this method directly and should use an IDTokenVerifierinstead. This method skips critical validations such as 'alg' values and isonly exported to implement the KeySet interface.

type StaticKeySet struct {// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey and// *ecdsa.PublicKey.PublicKeys []crypto.PublicKey}

func (*StaticKeySet)VerifySignature¶added inv3.2.0

func (s *StaticKeySet) VerifySignature(ctxcontext.Context, jwtstring) ([]byte,error)

VerifySignature compares the signature against a static set of public keys.

type TokenExpiredError struct {// Expiry is the time when the token expired.Expirytime.Time}

func (*TokenExpiredError)Error¶added inv3.3.0

func (e *TokenExpiredError) Error()string

type UserInfo struct {Subjectstring `json:"sub"`Profilestring `json:"profile"`Emailstring `json:"email"`EmailVerifiedbool   `json:"email_verified"`// contains filtered or unexported fields}

func (*UserInfo)Claims¶

func (u *UserInfo) Claims(v interface{})error

Claims unmarshals the raw JSON object claims into the provided object.