Documentation
Index ¶
- Constants
- Variables
- func CreateApp(db database.Store, accessURL *url.URL, auditor *audit.Auditor, ...) http.HandlerFunc
- func CreateAppSecret(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
- func CreateDynamicClientRegistration(db database.Store, accessURL *url.URL, auditor *audit.Auditor, ...) http.HandlerFunc
- func DeleteApp(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
- func DeleteAppSecret(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
- func DeleteClientConfiguration(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
- func GetApp(accessURL *url.URL) http.HandlerFunc
- func GetAppSecrets(db database.Store) http.HandlerFunc
- func GetAuthorizationServerMetadata(accessURL *url.URL) http.HandlerFunc
- func GetClientConfiguration(db database.Store) http.HandlerFunc
- func GetProtectedResourceMetadata(accessURL *url.URL) http.HandlerFunc
- func ListApps(db database.Store, accessURL *url.URL) http.HandlerFunc
- func ProcessAuthorize(db database.Store) http.HandlerFunc
- func RequireRegistrationAccessToken(db database.Store) func(http.Handler) http.Handler
- func RevokeApp(db database.Store) http.HandlerFunc
- func RevokeToken(db database.Store, logger slog.Logger) http.HandlerFunc
- func ShowAuthorizePage(accessURL *url.URL) http.HandlerFunc
- func Tokens(db database.Store, lifetimes codersdk.SessionLifetime) http.HandlerFunc
- func UpdateApp(db database.Store, accessURL *url.URL, auditor *audit.Auditor, ...) http.HandlerFunc
- func UpdateClientConfiguration(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
- func VerifyPKCE(challenge, verifier string) bool
- type AppSecret
- type HashedAppSecret
Constants ¶
// SecretIdentifier is the prefix added to all generated secrets. It is the
// leading component of the formatted secret string handed to clients
// ("coder_<prefix>_<secret>", see ParseFormattedSecret).
const SecretIdentifier = "coder"
Variables ¶
var (
	// ErrTokenNotBelongsToClient is returned when a token does not belong to
	// the requesting client.
	ErrTokenNotBelongsToClient = xerrors.New("token does not belong to requesting client")
	// ErrInvalidTokenFormat is returned when a token has an invalid format.
	ErrInvalidTokenFormat = xerrors.New("invalid token format")
)
Functions ¶
func CreateApp ¶
func CreateApp(db database.Store, accessURL *url.URL, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
CreateApp returns an http.HandlerFunc that handles POST /oauth2-provider/apps
func CreateAppSecret ¶
func CreateAppSecret(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
CreateAppSecret returns an http.HandlerFunc that handles POST /oauth2-provider/apps/{app}/secrets
func CreateDynamicClientRegistration ¶
func CreateDynamicClientRegistration(db database.Store, accessURL *url.URL, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
CreateDynamicClientRegistration returns an http.HandlerFunc that handles POST /oauth2/register
func DeleteApp ¶
DeleteApp returns an http.HandlerFunc that handles DELETE /oauth2-provider/apps/{app}
func DeleteAppSecret ¶
func DeleteAppSecret(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
DeleteAppSecret returns an http.HandlerFunc that handles DELETE /oauth2-provider/apps/{app}/secrets/{secretID}
func DeleteClientConfiguration ¶
func DeleteClientConfiguration(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
DeleteClientConfiguration returns an http.HandlerFunc that handles DELETE /oauth2/clients/{client_id}
func GetApp ¶
func GetApp(accessURL *url.URL) http.HandlerFunc
GetApp returns an http.HandlerFunc that handles GET /oauth2-provider/apps/{app}
func GetAppSecrets ¶
func GetAppSecrets(db database.Store) http.HandlerFunc
GetAppSecrets returns an http.HandlerFunc that handles GET /oauth2-provider/apps/{app}/secrets
func GetAuthorizationServerMetadata ¶
func GetAuthorizationServerMetadata(accessURL *url.URL) http.HandlerFunc
GetAuthorizationServerMetadata returns an http.HandlerFunc that handles GET /.well-known/oauth-authorization-server
func GetClientConfiguration ¶
func GetClientConfiguration(db database.Store) http.HandlerFunc
GetClientConfiguration returns an http.HandlerFunc that handles GET /oauth2/clients/{client_id}
func GetProtectedResourceMetadata ¶
func GetProtectedResourceMetadata(accessURL *url.URL) http.HandlerFunc
GetProtectedResourceMetadata returns an http.HandlerFunc that handles GET /.well-known/oauth-protected-resource
func ProcessAuthorize ¶
func ProcessAuthorize(db database.Store) http.HandlerFunc
ProcessAuthorize handles POST /oauth2/authorize requests to process the user's authorization decision and generate an authorization code.
func RequireRegistrationAccessToken ¶
RequireRegistrationAccessToken returns middleware that validates the registration access token for RFC 7592 endpoints.
func RevokeToken ¶ added in v2.28.0
RevokeToken implements RFC 7009 OAuth2 Token Revocation. Authentication is unique for this endpoint in that it does not use the standard token authentication middleware. Instead, it expects the token that is being revoked to be valid. TODO: Currently the token validation occurs in the revocation logic itself. This code should be refactored to share token validation logic with other parts of the OAuth2 provider/http middleware.
func ShowAuthorizePage ¶
func ShowAuthorizePage(accessURL *url.URL) http.HandlerFunc
ShowAuthorizePage handles GET /oauth2/authorize requests to display the HTML authorization page.
func Tokens ¶
func Tokens(db database.Store, lifetimes codersdk.SessionLifetime) http.HandlerFunc
Tokens uses Sessions.DefaultDuration for the access token (API key) TTL and Sessions.RefreshDefaultDuration for the refresh token TTL.
func UpdateApp ¶
func UpdateApp(db database.Store, accessURL *url.URL, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
UpdateApp returns an http.HandlerFunc that handles PUT /oauth2-provider/apps/{app}
func UpdateClientConfiguration ¶
func UpdateClientConfiguration(db database.Store, auditor *audit.Auditor, logger slog.Logger) http.HandlerFunc
UpdateClientConfiguration returns an http.HandlerFunc that handles PUT /oauth2/clients/{client_id}
func VerifyPKCE ¶
VerifyPKCE verifies that the code_verifier matches the code_challenge using the S256 method as specified in RFC 7636.
Types ¶
type AppSecret ¶
// AppSecret is a generated secret (client secret, refresh token or
// authorization code; see GenerateSecret) in the form issued to the client:
// the formatted string, the raw secret inside it, and the server-side lookup
// prefix. Only the client should retain Secret; the server works from Prefix
// and a stored hash (see HashedAppSecret).
type AppSecret struct {
	// Formatted contains the secret. This value is owned by the client, not the
	// server. It is formatted to include the prefix (see ParseFormattedSecret
	// for the "coder_<prefix>_<secret>" layout).
	Formatted string
	// Secret is the raw secret value. This value should only be known to the client.
	Secret string
	// Prefix is the ID of this secret owned by the server. When a client uses a
	// secret, this is the matching string to do a lookup on the hashed value. We
	// cannot use the hashed value directly because the server does not store the
	// salt.
	Prefix string
}
func ParseFormattedSecret ¶ added in v2.28.0
ParseFormattedSecret parses a formatted secret of the form "coder_<prefix>_<secret>".
type HashedAppSecret ¶ added in v2.28.0
// HashedAppSecret is the server-side view of an AppSecret: the embedded
// AppSecret plus the hash the server stores to verify a presented secret.
// NOTE(review): the embedded Secret field is the raw value and should not be
// persisted alongside Hashed — confirm against the store code, which is not
// shown here.
type HashedAppSecret struct {
	AppSecret
	// Hashed is the server stored hash(secret,salt,...). Used for verifying a
	// secret.
	Hashed []byte
}
func GenerateSecret ¶
func GenerateSecret() (HashedAppSecret, error)
GenerateSecret generates a secret to be used as a client secret, refresh token, or authorization code.
Source Files
Directories
| Path | Synopsis |
|---|---|
| oauth2providertest | Package oauth2providertest provides comprehensive testing utilities for OAuth2 identity provider functionality. |