oauth

package
v0.0.0-...-1fb332c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 24, 2026 License: Apache-2.0 Imports: 43 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	AuthorizationCodeGrantType = "authorization_code"
	RefreshTokenGrantType      = "refresh_token"
	ClientCredentialsGrantType = "client_credentials"
	// nolint:gosec
	TokenExchangeGrantType = "urn:ietf:params:oauth:grant-type:token-exchange"

	AnonymousRequestGrantType = "urn:authgear:params:oauth:grant-type:anonymous-request"
	BiometricRequestGrantType = "urn:authgear:params:oauth:grant-type:biometric-request"
	App2AppRequestGrantType   = "urn:authgear:params:oauth:grant-type:app2app-request"
	// nolint:gosec
	IDTokenGrantType        = "urn:authgear:params:oauth:grant-type:id-token"
	SettingsActionGrantType = "urn:authgear:params:oauth:grant-type:settings-action"
)
View Source 
const (
	// The scope openid must be present.
	// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
	ScopeOpenID = "openid"
	// Scope "profile" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeProfile = "profile"
	// Scope "email" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeEmail = "email"
	// Scope "address" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopeAddress = "address"
	// Scope "phone" is defined in
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
	ScopePhone = "phone"
)
View Source 
const DeviceSSOScope = "device_sso"
View Source 
const FullAccessScope = "https://authgear.com/scopes/full-access"
View Source 
const FullUserInfoScope = "https://authgear.com/scopes/full-userinfo"
View Source 
const OfflineAccess = "offline_access"
View Source 
const PreAuthenticatedURLScope = "https://authgear.com/scopes/pre-authenticated-url"
View Source 
const (
	PreAuthenticatedURLTokenLifetime = duration.Short
)

Variables

View Source 
var AllowedScopes = []string{

	OfflineAccess,
	DeviceSSOScope,

	ScopeOpenID,
	ScopeProfile,
	ScopeEmail,
	ScopeAddress,
	ScopePhone,

	FullAccessScope,
	FullUserInfoScope,
	PreAuthenticatedURLScope,
}
View Source 
var ClientLikeNotFound = &ClientLike{
	IsFirstParty:        false,
	PIIAllowedInIDToken: false,
}
View Source 
var DependencySet = wire.NewSet(
	wire.Struct(new(MetadataProvider), "*"),
	wire.Struct(new(Resolver), "*"),
	wire.Struct(new(SessionManager), "*"),
	wire.Struct(new(OfflineGrantService), "*"),
	wire.Struct(new(PromptResolver), "*"),

	wire.Struct(new(AccessTokenEncoding), "*"),
	wire.Bind(new(AccessTokenDecoder), new(*AccessTokenEncoding)),
	wire.Struct(new(AuthorizationService), "*"),
	wire.Bind(new(OfflineGrantSessionManager), new(*SessionManager)),

	wire.Struct(new(AppSessionTokenService), "*"),
	wire.Bind(new(AppSessionTokenServiceOfflineGrantService), new(*OfflineGrantService)),

	wire.Struct(new(AccessGrantService), "*"),

	wire.Bind(new(PreAuthenticatedURLTokenAccessGrantService), new(*AccessGrantService)),
	wire.Bind(new(PreAuthenticatedURLTokenOfflineGrantService), new(*OfflineGrantService)),
)
View Source 
var ErrAuthorizationNotFound = errors.New("oauth authorization not found")
View Source 
var ErrAuthorizationScopesNotGranted = errors.New("oauth authorization scopes not granted")
View Source 
var ErrGrantNotFound = errors.New("oauth grant not found")
View Source 
var ErrInvalidDPoPKeyBinding = protocol.NewError(dpop.InvalidDPoPProof, "Invalid DPoP key binding")
View Source 
var ErrUnmatchedClient = errors.New("unmatched client ID")
View Source 
var ErrUnmatchedSession = errors.New("unmatched session ID")

Functions

func ContainsAllScopes 

func ContainsAllScopes(scopes []string, shouldContainsScopes []string) bool

func DecodeRefreshToken 

func DecodeRefreshToken(encodedToken string) (token string, grantID string, err error)

func DecodeSID 

func DecodeSID(sid string) (typ session.Type, sessionID string, ok bool)

func EncodeRefreshToken 

func EncodeRefreshToken(token string, grantID string) string

func EncodeSID 

func EncodeSID(s SessionLike) string

func EncodeSIDByRawValues 

func EncodeSIDByRawValues(sessionType session.Type, sessionID string) string

func FormPost 

func FormPost(w http.ResponseWriter, r *http.Request, redirectURI *url.URL, response map[string]string)

func GenerateToken 

func GenerateToken() string

func GetAllowedGrantTypes 

func GetAllowedGrantTypes(c *config.OAuthClientConfig) []string

func HTTP200HTMLRedirect 

func HTTP200HTMLRedirect(rw http.ResponseWriter, r *http.Request, redirectURI string)

func HTTP303HTMLRedirect 

func HTTP303HTMLRedirect(rw http.ResponseWriter, r *http.Request, redirectURI string)

func HashToken 

func HashToken(token string) string

func IsScopeAllowed 

func IsScopeAllowed(scope string, allowedScopes []string) bool

func RequireScope 

func RequireScope(scopes ...string) func(http.Handler) http.Handler

RequireScope allow request to pass if session contains one of the required scopes. If there is no required scopes, only validity of session is checked.

func ScopeAllowsClaim 

func ScopeAllowsClaim(scope string, claimName string) bool

func SessionScopes 

func SessionScopes(s session.ResolvedSession) []string

func ValidateScopes 

func ValidateScopes(scopes []string, allowedScopes []string) error

func ValidateScopesByClientConfig 

func ValidateScopesByClientConfig(client *config.OAuthClientConfig, scopes []string) error

func WriteResponse 

func WriteResponse(w http.ResponseWriter, r *http.Request, options WriteResponseOptions)

Types

type AccessGrant 

type AccessGrant struct {
	AppID           string           `json:"app_id"`
	AuthorizationID string           `json:"authz_id"`
	SessionID       string           `json:"session_id"`
	SessionKind     GrantSessionKind `json:"session_kind"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	Scopes    []string  `json:"scopes"`
	TokenHash string    `json:"token_hash"`
	// Only exist when session_kind is offline_grant
	// It does not change even the refresh token rotated
	InitialRefreshTokenHash string `json:"refresh_token_hash"`
}

type AccessGrantService 

type AccessGrantService struct {
	AppID config.AppID

	AccessGrants      AccessGrantStore
	AccessTokenIssuer AccessTokenEncoding
	Clock             clock.Clock
}

func (*AccessGrantService) PrepareUserAccessGrant 

func (s *AccessGrantService) PrepareUserAccessGrant(
	ctx context.Context,
	options PrepareUserAccessGrantOptions,
) (PrepareUserAccessTokenResult, error)

type AccessGrantStore 

type AccessGrantStore interface {
	GetAccessGrant(ctx context.Context, tokenHash string) (*AccessGrant, error)
	CreateAccessGrant(ctx context.Context, g *AccessGrant) error
	DeleteAccessGrant(ctx context.Context, g *AccessGrant) error
}

type AccessTokenDecoder 

type AccessTokenDecoder interface {
	DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)
}

type AccessTokenEncoding 

type AccessTokenEncoding struct {
	Secrets       *config.OAuthKeyMaterials
	Clock         clock.Clock
	IDTokenIssuer IDTokenIssuer
	BaseURL       BaseURLProvider
	Events        EventService
	Identities    AccessTokenEncodingIdentityService
}

func (*AccessTokenEncoding) DecodeAccessToken 

func (e *AccessTokenEncoding) DecodeAccessToken(encodedToken string) (tok string, isHash bool, err error)

func (*AccessTokenEncoding) EncodeClientAccessToken 

func (e *AccessTokenEncoding) EncodeClientAccessToken(ctx context.Context, options EncodeClientAccessTokenOptions) (string, error)

func (*AccessTokenEncoding) MakeUserAccessTokenFromPreparationResult 

func (e *AccessTokenEncoding) MakeUserAccessTokenFromPreparationResult(
	ctx context.Context,
	options MakeUserAccessTokenFromPreparationOptions,
) (*IssueAccessGrantResult, error)

func (*AccessTokenEncoding) PrepareUserAccessToken 

func (e *AccessTokenEncoding) PrepareUserAccessToken(ctx context.Context, options EncodeUserAccessTokenOptions) (PrepareUserAccessTokenResult, error)

type AccessTokenEncodingIdentityService 

type AccessTokenEncodingIdentityService interface {
	ListIdentitiesThatHaveStandardAttributes(ctx context.Context, userID string) ([]*identity.Info, error)
}

type AddOfflineGrantRefreshTokenOptions 

type AddOfflineGrantRefreshTokenOptions struct {
	OfflineGrantID                 string
	AccessInfo                     access.Info
	OfflineGrantExpireAt           time.Time
	ShortLivedRefreshTokenExpireAt *time.Time
	TokenHash                      string
	ClientID                       string
	Scopes                         []string
	AuthorizationID                string
	DPoPJKT                        string
}

type AppSession 

type AppSession struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt               time.Time `json:"created_at"`
	ExpireAt                time.Time `json:"expire_at"`
	TokenHash               string    `json:"token_hash"`
	InitialRefreshTokenHash string    `json:"refresh_token_hash"`
}

type AppSessionStore 

type AppSessionStore interface {
	GetAppSession(ctx context.Context, tokenHash string) (*AppSession, error)
	CreateAppSession(ctx context.Context, s *AppSession) error
	DeleteAppSession(ctx context.Context, s *AppSession) error
}

type AppSessionToken 

type AppSessionToken struct {
	AppID          string `json:"app_id"`
	OfflineGrantID string `json:"offline_grant_id"`

	CreatedAt               time.Time `json:"created_at"`
	ExpireAt                time.Time `json:"expire_at"`
	TokenHash               string    `json:"token_hash"`
	InitialRefreshTokenHash string    `json:"refresh_token_hash"`
}

type AppSessionTokenInput 

type AppSessionTokenInput struct {
	AppSessionToken string
	RedirectURI     string
}

type AppSessionTokenService 

type AppSessionTokenService struct {
	AppSessions         AppSessionStore
	AppSessionTokens    AppSessionTokenStore
	OfflineGrantService AppSessionTokenServiceOfflineGrantService
	Cookies             AppSessionTokenServiceCookieManager
	Clock               clock.Clock
}

func (*AppSessionTokenService) Exchange 

func (s *AppSessionTokenService) Exchange(ctx context.Context, appSessionToken string) (string, error)

func (*AppSessionTokenService) Handle 

func (s *AppSessionTokenService) Handle(ctx context.Context, input AppSessionTokenInput) (httputil.Result, error)

type AppSessionTokenServiceCookieManager 

type AppSessionTokenServiceCookieManager interface {
	ValueCookie(def *httputil.CookieDef, value string) *http.Cookie
}

type AppSessionTokenServiceOfflineGrantService 

type AppSessionTokenServiceOfflineGrantService interface {
	GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)
}

type AppSessionTokenStore 

type AppSessionTokenStore interface {
	GetAppSessionToken(ctx context.Context, tokenHash string) (*AppSessionToken, error)
	CreateAppSessionToken(ctx context.Context, t *AppSessionToken) error
	DeleteAppSessionToken(ctx context.Context, t *AppSessionToken) error
}

type Authorization 

type Authorization struct {
	ID        string
	AppID     string
	ClientID  string
	UserID    string
	CreatedAt time.Time
	UpdatedAt time.Time
	Scopes    []string
}

func ApplyAuthorizationFilters 

func ApplyAuthorizationFilters(authzs []*Authorization, filters ...AuthorizationFilter) (out []*Authorization)

func (Authorization) IsAuthorized 

func (z Authorization) IsAuthorized(scopes []string) bool

func (Authorization) ToAPIModel 

func (z Authorization) ToAPIModel() *model.Authorization

func (Authorization) WithScopesAdded 

func (z Authorization) WithScopesAdded(scopes []string) *Authorization

type AuthorizationFilter 

type AuthorizationFilter interface {
	Keep(authz *Authorization) bool
}

type AuthorizationFilterFunc 

type AuthorizationFilterFunc func(a *Authorization) bool

func (AuthorizationFilterFunc) Keep 

func (f AuthorizationFilterFunc) Keep(a *Authorization) bool

type AuthorizationService 

type AuthorizationService struct {
	AppID               config.AppID
	Store               AuthorizationStore
	Clock               clock.Clock
	OAuthSessionManager OfflineGrantSessionManager
	OfflineGrantService *OfflineGrantService
	OfflineGrantStore   OfflineGrantStore
}

func (*AuthorizationService) Check 

func (s *AuthorizationService) Check(
	ctx context.Context,
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) CheckAndGrant 

func (s *AuthorizationService) CheckAndGrant(
	ctx context.Context,
	clientID string,
	userID string,
	scopes []string,
) (*Authorization, error)

func (*AuthorizationService) Delete 

func (s *AuthorizationService) Delete(ctx context.Context, a *Authorization) error

func (*AuthorizationService) GetByID 

func (s *AuthorizationService) GetByID(ctx context.Context, id string) (*Authorization, error)

func (*AuthorizationService) ListByUser 

func (s *AuthorizationService) ListByUser(ctx context.Context, userID string, filters ...AuthorizationFilter) ([]*Authorization, error)

type AuthorizationStore 

type AuthorizationStore interface {
	Get(ctx context.Context, userID, clientID string) (*Authorization, error)
	GetByID(ctx context.Context, id string) (*Authorization, error)
	ListByUserID(ctx context.Context, userID string) ([]*Authorization, error)
	Create(ctx context.Context, a *Authorization) error
	Delete(ctx context.Context, a *Authorization) error
	ResetAll(ctx context.Context, userID string) error
	UpdateScopes(ctx context.Context, a *Authorization) error
}

type BaseURLProvider 

type BaseURLProvider interface {
	Origin() *url.URL
}

type ClientLike 

type ClientLike struct {
	IsFirstParty        bool
	PIIAllowedInIDToken bool
	Scopes              []string
}

func ClientClientLike 

func ClientClientLike(client *config.OAuthClientConfig, scopes []string) *ClientLike

func SessionClientLike 

func SessionClientLike(s session.ResolvedSession, clientResolver OAuthClientResolver) *ClientLike

type CodeGrant 

type CodeGrant struct {
	AppID              string               `json:"app_id"`
	AuthorizationID    string               `json:"authz_id"`
	AuthenticationInfo authenticationinfo.T `json:"authentication_info"`
	IDTokenHintSID     string               `json:"id_token_hint_sid"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	CodeHash  string    `json:"code_hash"`
	DPoPJKT   string    `json:"dpop_jkt"`

	RedirectURI          string                        `json:"redirect_uri"`
	AuthorizationRequest protocol.AuthorizationRequest `json:"authorization_request"`

	// IdentitySpecs is for supporting include_identity_attributes_in_id_token.
	IdentitySpecs []*identity.Spec `json:"identity_specs,omitzero"`
}

func (*CodeGrant) MatchDPoPJKT 

func (g *CodeGrant) MatchDPoPJKT(
	ctx context.Context,
	client *config.OAuthClientConfig,
	errorLogger func(err error),
) error

type CodeGrantStore 

type CodeGrantStore interface {
	GetCodeGrant(ctx context.Context, codeHash string) (*CodeGrant, error)
	CreateCodeGrant(ctx context.Context, g *CodeGrant) error
	DeleteCodeGrant(ctx context.Context, g *CodeGrant) error
}

type CreateNewRefreshTokenOptions 

type CreateNewRefreshTokenOptions struct {
	OfflineGrant                   *OfflineGrant
	ClientID                       string
	Scopes                         []string
	AuthorizationID                string
	DPoPJKT                        string
	ShortLivedRefreshTokenExpireAt *time.Time
}

type CreateNewRefreshTokenResult 

type CreateNewRefreshTokenResult struct {
	Token     string
	TokenHash string
}

type EncodeClientAccessTokenOptions 

type EncodeClientAccessTokenOptions struct {
	OriginalToken string
	ClientConfig  *config.OAuthClientConfig
	ResourceURI   string
	Scope         string
	CreatedAt     time.Time
	ExpireAt      time.Time
}

type EncodeUserAccessTokenOptions 

type EncodeUserAccessTokenOptions struct {
	OriginalToken      string
	ClientConfig       *config.OAuthClientConfig
	ClientLike         *ClientLike
	AccessGrant        *AccessGrant
	AuthenticationInfo authenticationinfo.T
}

type EndpointsProvider 

type EndpointsProvider interface {
	AuthorizeEndpointURL() *url.URL
	ConsentEndpointURL() *url.URL
	TokenEndpointURL() *url.URL
	RevokeEndpointURL() *url.URL
}

type EventService 

type EventService interface {
	DispatchEventOnCommit(ctx context.Context, payload event.Payload) error
	PrepareBlockingEventWithTx(ctx context.Context, payload event.BlockingPayload) (e *event.Event, err error)
	DispatchEventWithoutTx(ctx context.Context, e *event.Event) (err error)
}

type GrantSessionKind 

type GrantSessionKind string
const (
	GrantSessionKindOffline GrantSessionKind = "offline_grant"
	GrantSessionKindSession GrantSessionKind = "idp_session"
)

func GrantSessionKindFromSessionType 

func GrantSessionKindFromSessionType(typ session.Type) GrantSessionKind

func (GrantSessionKind) SessionType 

func (k GrantSessionKind) SessionType() session.Type

type IDTokenIssuer 

type IDTokenIssuer interface {
	Iss() string
	PopulateUserClaimsInIDToken(ctx context.Context, token jwt.Token, userID string, clientLike *ClientLike) error
}

type IssueAccessGrantResult 

type IssueAccessGrantResult struct {
	Token     string
	TokenType string
	ExpiresIn int
}

func (*IssueAccessGrantResult) WriteTo 

func (r *IssueAccessGrantResult) WriteTo(resp protocol.TokenResponse)

type KeepThirdPartyAuthorizationFilter 

type KeepThirdPartyAuthorizationFilter struct {
	ThirdPartyClientIDSet setutil.Set[string]
}

func NewKeepThirdPartyAuthorizationFilter 

func NewKeepThirdPartyAuthorizationFilter(oauthConfig *config.OAuthConfig) *KeepThirdPartyAuthorizationFilter

func (*KeepThirdPartyAuthorizationFilter) Keep 

func (f *KeepThirdPartyAuthorizationFilter) Keep(authz *Authorization) bool

type LoginHint 

type LoginHint struct {
	Type    LoginHintType
	Enforce bool

	// Specific to LoginHintTypeAnonymous
	PromotionCode string
	JWT           string

	// Specific to LoginHintTypeAppSessionToken
	AppSessionToken string

	// Specific to LoginHintTypeLoginID
	LoginIDEmail    string
	LoginIDUsername string
	LoginIDPhone    string
}

func ParseLoginHint 

func ParseLoginHint(s string) (*LoginHint, error)

func (*LoginHint) String 

func (h *LoginHint) String() string

type LoginHintType 

type LoginHintType string
const (
	LoginHintTypeAnonymous LoginHintType = "anonymous"
	// nolint: gosec
	LoginHintTypeAppSessionToken LoginHintType = "app_session_token"
	LoginHintTypeLoginID         LoginHintType = "login_id"
)

type MakeUserAccessTokenFromPreparationOptions 

type MakeUserAccessTokenFromPreparationOptions struct {
	PreparationResult PrepareUserAccessTokenResult
}

type MetadataProvider 

type MetadataProvider struct {
	Endpoints EndpointsProvider
}

func (*MetadataProvider) PopulateMetadata 

func (p *MetadataProvider) PopulateMetadata(meta map[string]interface{})

type OAuthClientResolver 

type OAuthClientResolver interface {
	ResolveClient(clientID string) *config.OAuthClientConfig
}

type OfflineGrant 

type OfflineGrant struct {
	AppID           string `json:"app_id"`
	ID              string `json:"id"`
	InitialClientID string `json:"client_id"`
	// IDPSessionID refers to the IDP session.
	IDPSessionID string `json:"idp_session_id,omitempty"`
	// IdentityID refers to the identity.
	// It is only set for biometric authentication.
	IdentityID string `json:"identity_id,omitempty"`

	CreatedAt       time.Time `json:"created_at"`
	AuthenticatedAt time.Time `json:"authenticated_at"`

	Attrs      session.Attrs `json:"attrs"`
	AccessInfo access.Info   `json:"access_info"`

	DeviceInfo map[string]interface{} `json:"device_info,omitempty"`

	SSOEnabled bool `json:"sso_enabled,omitempty"`

	App2AppDeviceKeyJWKJSON string `json:"app2app_device_key_jwk_json"`
	DeviceSecretHash        string `json:"device_secret_hash"`
	DeviceSecretDPoPJKT     string `json:"device_secret_dpop_jkt"`

	RefreshTokens []OfflineGrantRefreshToken `json:"refresh_tokens,omitempty"`

	ParticipatedSAMLServiceProviderIDs []string `json:"participated_saml_service_provider_ids,omitempty"`

	// Readonly fields for backward compatibility.
	// Write these fields in OfflineGrantRefreshToken
	Deprecated_AuthorizationID string   `json:"authz_id"`
	Deprecated_Scopes          []string `json:"scopes"`
	Deprecated_TokenHash       string   `json:"token_hash"`

	// ExpireAtForResolvedSession is a transient field that tells when the session will exire at, computed now.
	// Note that ExpireAtForResolvedSession will keep changing if idle timeout is enabled.
	// This is NOT supposed to be stored, hence it is json-ignored.
	// This field is always the expiry of the OfflineGrant, but not the expiry of any of the children refresh tokens
	// Expiry of children refresh tokens could be shorter due to different last access time
	ExpireAtForResolvedSession time.Time `json:"-"`
}

func (*OfflineGrant) EqualSession 

func (g *OfflineGrant) EqualSession(ss session.SessionBase) bool

func (*OfflineGrant) GetAccessInfo 

func (g *OfflineGrant) GetAccessInfo() *access.Info

func (*OfflineGrant) GetAllRemovableInitialTokenHashesExcludeClientIDs 

func (g *OfflineGrant) GetAllRemovableInitialTokenHashesExcludeClientIDs(
	clientIDs []string) (tokenHashes []string, shouldRemoveOfflinegrant bool)

func (*OfflineGrant) GetAuthenticatedAt 

func (g *OfflineGrant) GetAuthenticatedAt() time.Time

func (*OfflineGrant) GetAuthenticationInfo 

func (g *OfflineGrant) GetAuthenticationInfo() authenticationinfo.T

func (*OfflineGrant) GetCreatedAt 

func (g *OfflineGrant) GetCreatedAt() time.Time

func (*OfflineGrant) GetDeviceInfo 

func (g *OfflineGrant) GetDeviceInfo() (map[string]interface{}, bool)

func (*OfflineGrant) GetOIDCAMR 

func (g *OfflineGrant) GetOIDCAMR() ([]string, bool)

func (*OfflineGrant) GetParticipatedSAMLServiceProviderIDsSet 

func (s *OfflineGrant) GetParticipatedSAMLServiceProviderIDsSet() setutil.Set[string]

func (*OfflineGrant) GetRemovableInitialTokenHashesByAuthorizationID 

func (g *OfflineGrant) GetRemovableInitialTokenHashesByAuthorizationID(
	authorizationID string) (tokenHashes []string, shouldRemoveOfflinegrant bool)

func (*OfflineGrant) GetScopes 

func (g *OfflineGrant) GetScopes(clientID string) []string

func (*OfflineGrant) GetUserID 

func (g *OfflineGrant) GetUserID() string

func (*OfflineGrant) HasAllScopes 

func (g *OfflineGrant) HasAllScopes(clientID string, requiredScopes []string) bool

func (*OfflineGrant) HasClientID 

func (g *OfflineGrant) HasClientID(clientID string) bool

func (*OfflineGrant) HasValidTokens 

func (g *OfflineGrant) HasValidTokens() bool

func (*OfflineGrant) IsOnlyUsedInClientIDs 

func (g *OfflineGrant) IsOnlyUsedInClientIDs(clientIDs []string) bool

func (*OfflineGrant) IsSameSSOGroup 

func (g *OfflineGrant) IsSameSSOGroup(ss session.SessionBase) bool

IsSameSSOGroup returns true when the session argument - is the same offline grant - is idp session in the same sso group (current offline grant needs to be sso enabled) - is offline grant in the same sso group (current offline grant needs to be sso enabled)

func (*OfflineGrant) ListableSession 

func (g *OfflineGrant) ListableSession()

func (*OfflineGrant) MatchCurrentHash 

func (g *OfflineGrant) MatchCurrentHash(refreshTokenHash string) bool

func (*OfflineGrant) MatchDeviceSecretDPoPJKT 

func (g *OfflineGrant) MatchDeviceSecretDPoPJKT(
	ctx context.Context,
	client *config.OAuthClientConfig,
	errorLogger func(err error),
) error

func (*OfflineGrant) SSOGroupIDPSessionID 

func (g *OfflineGrant) SSOGroupIDPSessionID() string

func (*OfflineGrant) SessionID 

func (g *OfflineGrant) SessionID() string

func (*OfflineGrant) SessionType 

func (g *OfflineGrant) SessionType() session.Type

func (*OfflineGrant) ToAPIModel 

func (g *OfflineGrant) ToAPIModel() *model.Session

func (*OfflineGrant) ToSession 

func (g *OfflineGrant) ToSession(refreshTokenHash string) (*OfflineGrantSession, bool)

type OfflineGrantRefreshToken 

type OfflineGrantRefreshToken struct {
	// InitialTokenHash is effectively the ID of this OfflineGrantRefreshToken
	InitialTokenHash string    `json:"token_hash"`
	ClientID         string    `json:"client_id"`
	CreatedAt        time.Time `json:"created_at"`
	Scopes           []string  `json:"scopes"`
	AuthorizationID  string    `json:"authz_id"`
	DPoPJKT          string    `json:"dpop_jkt"`
	// AccessInfo was added on 2025-07-15
	// Refresh token created before the day has nil AccessInfo
	AccessInfo *access.Info `json:"access_info"`
	// ExpireAt was added on 2025-07-28
	// Refresh token created before the day has nil ExpireAt.
	// Only short-lived pre-authenticated URL refresh token created after the day has non-nil ExpireAt.
	ExpireAt *time.Time `json:"expire_at"`

	// Set after the refresh token rotated at least once
	RotatedTokenHash *string    `json:"rotated_token_hash,omitzero"`
	RotatedAt        *time.Time `json:"rotated_at,omitzero"`
}

func (*OfflineGrantRefreshToken) MatchCurrentHash 

func (t *OfflineGrantRefreshToken) MatchCurrentHash(anotherHash string) bool

func (*OfflineGrantRefreshToken) MatchInitialHash 

func (t *OfflineGrantRefreshToken) MatchInitialHash(anotherHash string) bool

type OfflineGrantService 

type OfflineGrantService struct {
	RemoteIP        httputil.RemoteIP
	UserAgentString httputil.UserAgentString

	OAuthConfig    *config.OAuthConfig
	Clock          clock.Clock
	IDPSessions    ServiceIDPSessionProvider
	ClientResolver OAuthClientResolver
	AccessEvents   OfflineGrantServiceAccessEventProvider
	MeterService   OfflineGrantServiceMeterService

	OfflineGrants OfflineGrantStore
}

func (*OfflineGrantService) AccessOfflineGrant 

func (s *OfflineGrantService) AccessOfflineGrant(ctx context.Context, grantID string, initialRefreshTokenHash string, accessEvent *access.Event, expireAt time.Time) (*OfflineGrant, error)

AccessOfflineGrant accesses oauth offline grant with 3 targeted side effects 1. set grant.AccessInfo.LastAccess to new accessEvent 2. call RecordAccess 3. call TrackActiveUser

func (*OfflineGrantService) AddSAMLServiceProviderParticipant 

func (s *OfflineGrantService) AddSAMLServiceProviderParticipant(
	ctx context.Context,
	grant *OfflineGrant,
	serviceProviderID string,
) (*OfflineGrant, error)

func (*OfflineGrantService) CheckSessionExpired 

func (s *OfflineGrantService) CheckSessionExpired(session *OfflineGrant) (bool, time.Time, error)

func (*OfflineGrantService) ComputeOfflineGrantExpiry 

func (s *OfflineGrantService) ComputeOfflineGrantExpiry(session *OfflineGrant) (expiry time.Time, err error)

func (*OfflineGrantService) CreateNewRefreshToken 

func (s *OfflineGrantService) CreateNewRefreshToken(
	ctx context.Context,
	options CreateNewRefreshTokenOptions,
) (*CreateNewRefreshTokenResult, *OfflineGrant, error)

func (*OfflineGrantService) GetOfflineGrant 

func (s *OfflineGrantService) GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)

func (*OfflineGrantService) RotateRefreshToken 

func (s *OfflineGrantService) RotateRefreshToken(
	ctx context.Context,
	options RotateRefreshTokenOptions,
) (*RotateRefreshTokenResult, *OfflineGrant, error)

type OfflineGrantServiceAccessEventProvider 

type OfflineGrantServiceAccessEventProvider interface {
	RecordAccess(ctx context.Context, sessionID string, expiry time.Time, event *access.Event) error
}

type OfflineGrantServiceMeterService 

type OfflineGrantServiceMeterService interface {
	TrackActiveUser(ctx context.Context, userID string) error
}

type OfflineGrantSession 

type OfflineGrantSession struct {
	OfflineGrant     *OfflineGrant
	CreatedAt        time.Time
	InitialTokenHash string
	ClientID         string
	Scopes           []string
	AuthorizationID  string
	DPoPJKT          string
}

func (*OfflineGrantSession) CreateNewAuthenticationInfoByThisSession 

func (o *OfflineGrantSession) CreateNewAuthenticationInfoByThisSession() authenticationinfo.T

func (*OfflineGrantSession) GetAccessInfo 

func (o *OfflineGrantSession) GetAccessInfo() *access.Info

func (*OfflineGrantSession) GetAuthenticationInfo 

func (o *OfflineGrantSession) GetAuthenticationInfo() authenticationinfo.T

func (*OfflineGrantSession) GetCreatedAt 

func (o *OfflineGrantSession) GetCreatedAt() time.Time

func (*OfflineGrantSession) GetExpireAt 

func (o *OfflineGrantSession) GetExpireAt() time.Time

func (*OfflineGrantSession) MatchDPoPJKT 

func (g *OfflineGrantSession) MatchDPoPJKT(
	ctx context.Context,
	client *config.OAuthClientConfig,
	errorLogger func(err error),
) error

func (*OfflineGrantSession) SSOGroupIDPSessionID 

func (o *OfflineGrantSession) SSOGroupIDPSessionID() string

func (*OfflineGrantSession) Session 

func (o *OfflineGrantSession) Session()

func (*OfflineGrantSession) SessionID 

func (o *OfflineGrantSession) SessionID() string

func (*OfflineGrantSession) SessionType 

func (o *OfflineGrantSession) SessionType() session.Type

type OfflineGrantSessionManager 

type OfflineGrantSessionManager interface {
	List(ctx context.Context, userID string) ([]session.ListableSession, error)
	Delete(ctx context.Context, session session.ListableSession) error
}

type OfflineGrantStore 

type OfflineGrantStore interface {
	GetOfflineGrantWithoutExpireAt(ctx context.Context, id string) (*OfflineGrant, error)
	CreateOfflineGrant(ctx context.Context, offlineGrant *OfflineGrant) error
	DeleteOfflineGrant(ctx context.Context, g *OfflineGrant) error

	UpdateOfflineGrantWithMutator(ctx context.Context, grantID string, expireAt time.Time, mutator func(*OfflineGrant) *OfflineGrant) (*OfflineGrant, error)
	UpdateOfflineGrantDeviceInfo(ctx context.Context, id string, deviceInfo map[string]interface{}, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantAuthenticatedAt(ctx context.Context, id string, authenticatedAt time.Time, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantApp2AppDeviceKey(ctx context.Context, id string, newKey string, expireAt time.Time) (*OfflineGrant, error)
	UpdateOfflineGrantDeviceSecretHash(
		ctx context.Context,
		grantID string,
		newDeviceSecretHash string,
		dpopJKT string,
		expireAt time.Time) (*OfflineGrant, error)
	RemoveOfflineGrantRefreshTokens(ctx context.Context, grantID string, tokenHashes []string, expireAt time.Time) (*OfflineGrant, error)
	AddOfflineGrantRefreshToken(
		ctx context.Context,
		options AddOfflineGrantRefreshTokenOptions,
	) (*OfflineGrant, error)
	AddOfflineGrantSAMLServiceProviderParticipant(
		ctx context.Context,
		grantID string,
		newServiceProviderID string,
		expireAt time.Time,
	) (*OfflineGrant, error)
	RotateOfflineGrantRefreshToken(
		ctx context.Context,
		opts RotateOfflineGrantRefreshTokenOptions,
		expireAt time.Time,
	) (*OfflineGrant, error)

	ListOfflineGrants(ctx context.Context, userID string) ([]*OfflineGrant, error)
	ListClientOfflineGrants(ctx context.Context, clientID string, userID string) ([]*OfflineGrant, error)

	CleanUpForDeletingUserID(ctx context.Context, userID string) error
}

type PreAuthenticatedURLToken 

type PreAuthenticatedURLToken struct {
	AppID           string   `json:"app_id"`
	AuthorizationID string   `json:"authorization_id"`
	ClientID        string   `json:"client_id"`
	OfflineGrantID  string   `json:"offline_grant_id"`
	Scopes          []string `json:"scopes"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	TokenHash string    `json:"token_hash"`
}

type PreAuthenticatedURLTokenAccessGrantService 

type PreAuthenticatedURLTokenAccessGrantService interface {
	PrepareUserAccessGrant(
		ctx context.Context,
		options PrepareUserAccessGrantOptions,
	) (PrepareUserAccessTokenResult, error)
}

type PreAuthenticatedURLTokenOfflineGrantService 

type PreAuthenticatedURLTokenOfflineGrantService interface {
	GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)
	CreateNewRefreshToken(
		ctx context.Context,
		options CreateNewRefreshTokenOptions,
	) (*CreateNewRefreshTokenResult, *OfflineGrant, error)
}

type PreAuthenticatedURLTokenStore 

type PreAuthenticatedURLTokenStore interface {
	CreatePreAuthenticatedURLToken(ctx context.Context, t *PreAuthenticatedURLToken) error
	ConsumePreAuthenticatedURLToken(ctx context.Context, tokenHash string) (*PreAuthenticatedURLToken, error)
}

type PrepareUserAccessGrantOptions 

type PrepareUserAccessGrantOptions struct {
	ClientConfig            *config.OAuthClientConfig
	Scopes                  []string
	AuthorizationID         string
	AuthenticationInfo      authenticationinfo.T
	SessionLike             SessionLike
	InitialRefreshTokenHash string
}

type PrepareUserAccessTokenResult 

type PrepareUserAccessTokenResult interface {
	// contains filtered or unexported methods
}

type PromptResolver 

type PromptResolver struct {
	Clock clock.Clock
}

func (*PromptResolver) ResolvePrompt 

func (r *PromptResolver) ResolvePrompt(req protocol.AuthorizationRequest, sidSession session.ListableSession) (prompt []string)

type Resolver 

type Resolver struct {
	RemoteIP            httputil.RemoteIP
	UserAgentString     httputil.UserAgentString
	OAuthConfig         *config.OAuthConfig
	Authorizations      AuthorizationStore
	AccessGrants        AccessGrantStore
	AppSessions         AppSessionStore
	AccessTokenDecoder  AccessTokenDecoder
	Sessions            ResolverSessionProvider
	Cookies             ResolverCookieManager
	Clock               clock.Clock
	OfflineGrantService ResolverOfflineGrantService
}

func (*Resolver) Resolve 

func (re *Resolver) Resolve(ctx context.Context, rw http.ResponseWriter, r *http.Request) (session.ResolvedSession, error)

type ResolverCookieManager 

type ResolverCookieManager interface {
	GetCookie(r *http.Request, def *httputil.CookieDef) (*http.Cookie, error)
}

type ResolverOfflineGrantService 

type ResolverOfflineGrantService interface {
	AccessOfflineGrant(ctx context.Context, grantID string, refreshTokenHash string, accessEvent *access.Event, expireAt time.Time) (*OfflineGrant, error)
	GetOfflineGrant(ctx context.Context, id string) (*OfflineGrant, error)
}

type ResolverSessionProvider 

type ResolverSessionProvider interface {
	AccessWithID(ctx context.Context, id string, accessEvent access.Event) (*idpsession.IDPSession, error)
}

type RotateOfflineGrantRefreshTokenOptions 

type RotateOfflineGrantRefreshTokenOptions struct {
	OfflineGrantID          string
	InitialRefreshTokenHash string
	NewRefreshTokenHash     string
}

type RotateRefreshTokenOptions 

type RotateRefreshTokenOptions struct {
	OfflineGrant            *OfflineGrant
	InitialRefreshTokenHash string
}

type RotateRefreshTokenResult 

type RotateRefreshTokenResult struct {
	GrantID   string
	Token     string
	TokenHash string
}

func (*RotateRefreshTokenResult) WriteTo 

func (r *RotateRefreshTokenResult) WriteTo(resp protocol.TokenResponse)

type ServiceIDPSessionProvider 

type ServiceIDPSessionProvider interface {
	Get(ctx context.Context, id string) (*idpsession.IDPSession, error)
	CheckSessionExpired(session *idpsession.IDPSession) (expired bool)
}

type SessionLike 

type SessionLike interface {
	SessionID() string
	SessionType() session.Type
}

type SessionManager 

type SessionManager struct {
	Store   OfflineGrantStore
	Config  *config.OAuthConfig
	Service OfflineGrantService
}

func (*SessionManager) CleanUpForDeletingUserID 

func (m *SessionManager) CleanUpForDeletingUserID(ctx context.Context, userID string) error

func (*SessionManager) ClearCookie 

func (m *SessionManager) ClearCookie() []*http.Cookie

func (*SessionManager) Delete 

func (m *SessionManager) Delete(ctx context.Context, session session.ListableSession) error

func (*SessionManager) Get 

func (m *SessionManager) Get(ctx context.Context, id string) (session.ListableSession, error)

func (*SessionManager) List 

func (m *SessionManager) List(ctx context.Context, userID string) ([]session.ListableSession, error)

func (*SessionManager) TerminateAllExcept 

func (m *SessionManager) TerminateAllExcept(ctx context.Context, userID string, currentSession session.ResolvedSession) ([]session.ListableSession, error)

type SettingsActionGrant 

type SettingsActionGrant struct {
	AppID  string `json:"app_id"`
	UserID string `json:"user_id,omitempty"`

	CreatedAt time.Time `json:"created_at"`
	ExpireAt  time.Time `json:"expire_at"`
	CodeHash  string    `json:"code_hash"`

	RedirectURI          string                        `json:"redirect_uri"`
	AuthorizationRequest protocol.AuthorizationRequest `json:"authorization_request"`
}

type SettingsActionGrantStore 

type SettingsActionGrantStore interface {
	GetSettingsActionGrant(ctx context.Context, codeHash string) (*SettingsActionGrant, error)
	CreateSettingsActionGrant(ctx context.Context, g *SettingsActionGrant) error
	DeleteSettingsActionGrant(ctx context.Context, g *SettingsActionGrant) error
}

type WriteResponseOptions 

type WriteResponseOptions struct {
	RedirectURI  *url.URL
	ResponseMode string
	UseHTTP200   bool
	Response     map[string]string
}

Source Files

View all Source files

Directories

Path Synopsis
handler
protocol

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.