oidc

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 1, 2026 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package oidc provides an OpenID Connect (OIDC) client and utilities for token validation and management.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidToken    = errors.New("invalid token")
	ErrTokenValidation = errors.New("token validation failed")
	ErrInvalidClaims   = errors.New("invalid claims format")
)

Functions

func DefaultTokenSourceFactories 

func DefaultTokenSourceFactories() map[string]TokenSourceFactory

DefaultTokenSourceFactories returns a copy of the default token source registry.

func DeviceCodeUIConsoleQR 

func DeviceCodeUIConsoleQR(deviceCode *oauth2.DeviceAuthResponse) error

func DeviceCodeUIConsoleText 

func DeviceCodeUIConsoleText(deviceCode *oauth2.DeviceAuthResponse) error

func ExtractClaims 

func ExtractClaims[T jwtvalidator.CustomClaims](claims any) (jwtvalidator.RegisteredClaims, T, error)

func NewHTTPClientFromConfig 

func NewHTTPClientFromConfig(cfg *ClientConfig) (*http.Client, error)

NewHTTPClientFromConfig creates an HTTP client with a token source from a ClientConfig.

func NewMultiValidatorFromConfig 

func NewMultiValidatorFromConfig(configs []ValidatorConfig, opts ...validator.Option) (jwt.TokenValidator, error)

NewMultiValidatorFromConfig creates a MultiValidator from multiple configs.

func NewTokenSourceFromConfig 

func NewTokenSourceFromConfig(cfg ClientConfig) oauth2.TokenSource

NewTokenSourceFromConfig creates a token source from a ClientConfig.

func NewTokenSourceFromConfigWithFactories 

func NewTokenSourceFromConfigWithFactories(cfg ClientConfig, factories map[string]TokenSourceFactory, store TokenStore, clock Clock, ctx context.Context) (oauth2.TokenSource, error)

NewTokenSourceFromConfigWithFactories creates a token source using a custom registry and dependencies.

func NewValidatorDebugger 

func NewValidatorDebugger(v jwt.TokenValidator, opts ...DebuggerOpt) jwt.TokenValidator

NewValidatorDebugger wraps a TokenValidator with debugging output.

func NewValidatorFromConfig 

func NewValidatorFromConfig(cfg *ValidatorConfig) (jwt.TokenValidator, error)

NewValidatorFromConfig creates a TokenValidator from a ValidatorConfig.

func NewValidatorFromConfigWithOptions 

func NewValidatorFromConfigWithOptions(cfg *ValidatorConfig, opts ...ValidatorOpt) (jwt.TokenValidator, error)

NewValidatorFromConfigWithOptions creates a TokenValidator from a ValidatorConfig using custom options.

func NewWaitingTokenSource 

func NewWaitingTokenSource(ctx context.Context, source oauth2.TokenSource, interval, timeout time.Duration) oauth2.TokenSource

NewWaitingTokenSource returns a token source that waits for a token to be available.

func NewWaitingTokenSourceFromConfig 

func NewWaitingTokenSourceFromConfig(ctx context.Context, cfg ClientConfig, interval, timeout time.Duration) (oauth2.TokenSource, error)

NewWaitingTokenSourceFromConfig creates a waiting token source from a ClientConfig.

func ResolveTokenFromFile 

func ResolveTokenFromFile(filePath string) (*oauth2.Token, error)

ResolveTokenFromFile loads an OAuth2 token from a file.

func SaveTokenToFile 

func SaveTokenToFile(token *oauth2.Token, filePath string) error

SaveTokenToFile saves the provided OAuth2 token to a file.

func WithCustomClaims 

func WithCustomClaims[T jwtvalidator.CustomClaims](t T) func(e Endpoint)

WithCustomClaims configures the endpoint to return a specific CustomClaims implementation during validation.

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client represents an OIDC client.

func NewClient 

func NewClient(endpoint Endpoint, opts ...ClientOpt) *Client

NewClient creates a new OIDC client with the provided endpoint and options.

func NewClientFromConfig 

func NewClientFromConfig(config *ClientConfig) (*Client, error)

NewClientFromConfig creates a new OIDC client from the provided configuration.

func (*Client) AuthorizationCodeRedirectFlow 

func (c *Client) AuthorizationCodeRedirectFlow(ctx context.Context, state string, scopes []string, redirectURI string, opts ...RequestOpt) (string, error)

AuthorizationCodeRedirectFlow generates the authorization URL for the Authorization Code Flow TODO: figure out a better name

func (*Client) AuthorizationCodeToken 

func (c *Client) AuthorizationCodeToken(ctx context.Context, code string, redirect_uri string, opts ...RequestOpt) (*oauth2.Token, error)

func (*Client) ClientCredentialsToken 

func (c *Client) ClientCredentialsToken(ctx context.Context, opts ...RequestOpt) (*oauth2.Token, error)

ClientCredentialsToken gets a token using the client_credentials grant It sends the client_id and client_secret to the token endpoint and gets a token in response

func (*Client) DeviceToken 

func (c *Client) DeviceToken(ctx context.Context, scopes ...string) (*oauth2.Token, error)

func (*Client) Endpoint 

func (c *Client) Endpoint() Endpoint

func (*Client) GothProvider 

func (c *Client) GothProvider(callbackURL *url.URL, scopes ...string) (goth.Provider, error)

func (*Client) HTTPClient 

func (c *Client) HTTPClient(ctx context.Context, t *oauth2.Token) (*http.Client, error)

func (*Client) IntrospectToken 

func (c *Client) IntrospectToken(ctx context.Context, token string) (*IntrospectionResponse, error)

IntrospectToken introspects the token It sends the token to the introspection endpoint and gets the response

func (*Client) RefreshToken 

func (c *Client) RefreshToken(ctx context.Context, refreshToken string, opts ...RequestOpt) (*oauth2.Token, error)

func (*Client) RefreshingClientCredentialsToken 

func (c *Client) RefreshingClientCredentialsToken(ctx context.Context, opts ...RequestOpt) (oauth2.TokenSource, error)

func (*Client) TokenSource 

func (c *Client) TokenSource(t *oauth2.Token) (oauth2.TokenSource, error)

func (*Client) ValidateToken 

func (c *Client) ValidateToken(ctx context.Context, token string, audiences []string) (*jwtvalidator.ValidatedClaims, error)

ValidateToken VerifyToke verifies the token and returns the claims It fetches the verification keys from the OIDC server and uses them to verify the token

type ClientConfig 

type ClientConfig struct {
	// Provider     EndpointConfig    `json:"provider"` // e.g. "github", "keycloak"
	EndpointConfig `mapstructure:",squash"`
	ClientID       string            `json:"client-id" mapstructure:"client-id"`
	ClientSecret   util.MaskedString `json:"client-secret" mapstructure:"client-secret,omitempty"`

	Audience string `json:"audience,omitempty" mapstructure:"audience,omitempty"`

	// do these belong somewhere else?
	TokenFile string `json:"token-file,omitempty" mapstructure:"token-file,omitempty"`

	TLSConfig tls.ClientConfig `json:"tls-client-config" mapstructure:"tls-client-config,omitempty"`
}

ClientConfig captures client credentials and token acquisition options for an OIDC provider.

type ClientOpt 

type ClientOpt func(c *Client)

ClientOpt configures an OIDC Client.

func WithClientID 

func WithClientID(clientID string) ClientOpt

WithClientID sets the client identifier used for OIDC flows.

func WithClientIDAndSecret 

func WithClientIDAndSecret(clientID, clientSecret string) ClientOpt

WithClientIDAndSecret sets both the client ID and secret for the client.

func WithClock 

func WithClock(clock Clock) ClientOpt

WithClock sets a custom clock for time-dependent behavior.

func WithDeviceCodeUI 

func WithDeviceCodeUI(ui DeviceCodeUI) ClientOpt

WithDeviceCodeUI injects a custom device code UI handler for interactive flows.

func WithHTTPClient 

func WithHTTPClient(doer HTTPDoer) ClientOpt

WithHTTPClient sets a custom HTTP client for outbound requests.

func WithJWKSProvider 

func WithJWKSProvider(provider *jwks.CachingProvider) ClientOpt

WithJWKSProvider sets a custom JWKS caching provider for token validation.

func WithKeyCacheTTL 

func WithKeyCacheTTL(ttl time.Duration) ClientOpt

WithKeyCacheTTL overrides the cache TTL for JWKS keys used during validation.

func WithKeyFunc 

func WithKeyFunc(keyFunc func(context.Context) (any, error)) ClientOpt

WithKeyFunc sets a custom key function for token validation.

func WithValidatingSignatureAlgorithm 

func WithValidatingSignatureAlgorithm(algorithm jwtvalidator.SignatureAlgorithm) ClientOpt

WithValidatingSignatureAlgorithm sets the signature algorithm used when validating ID tokens.

type Clock 

type Clock interface {
	Now() time.Time
}

Clock abstracts time for deterministic tests.

type Config 

type Config struct {
	ProviderMap ProviderMap `json:"providers" mapstructure:"providers"`
}

Config contains a collection of provider configurations.

type DebuggerOpt 

type DebuggerOpt func(*validatorDebugger)

func WithLogger 

func WithLogger(logger zerolog.Logger) DebuggerOpt

type DeviceCodeUI 

type DeviceCodeUI func(deviceCode *oauth2.DeviceAuthResponse) error

type Endpoint 

type Endpoint interface {
	URL() *url.URL
	DiscoveryEndpoint() (*url.URL, error)
	DiscoveredConfiguration() (*OpenIDConfiguration, error)
	OAuth2Endpoint() (oauth2.Endpoint, error)
}

Endpoint defines the interface for an OpenID Connect provider endpoint.

func NewEndpoint 

func NewEndpoint(baseURL string, opts ...EndpointOption) (Endpoint, error)

func NewEndpointFromConfig 

func NewEndpointFromConfig(config *EndpointConfig) (Endpoint, error)

func NewGitHubActionsEndpoint 

func NewGitHubActionsEndpoint(baseURL string) (Endpoint, error)

NewGitHubActionsEndpoint creates a new GitHub Actions OIDC endpoint

func NewGitHubEndpoint 

func NewGitHubEndpoint(baseURL string) (Endpoint, error)

func NewKeycloakRealmEndpoint 

func NewKeycloakRealmEndpoint(baseURLStr, realm string, opts ...EndpointOption) (Endpoint, error)

type EndpointConfig 

type EndpointConfig struct {
	Type          string `json:"type,omitempty" mapstructure:"type,omitempty"`
	URL           string `json:"url" mapstructure:"url"`
	KeycloakRealm string `json:"keycloak-realm,omitempty" mapstructure:"keycloak-realm,omitempty"`
}

EndpointConfig describes the issuer endpoint and any provider-specific options.

type EndpointOption 

type EndpointOption func(e Endpoint)

EndpointOption is a functional option for configuring an Endpoint.

func WithHTTPDoer 

func WithHTTPDoer(doer HTTPDoer) EndpointOption

WithHTTPDoer configures a custom HTTP client for endpoint discovery.

type FileTokenStore 

type FileTokenStore struct {
	// contains filtered or unexported fields
}

FileTokenStore persists tokens in a file on disk.

func NewFileTokenStore 

func NewFileTokenStore(path string) *FileTokenStore

NewFileTokenStore creates a file-based token store.

func (*FileTokenStore) LoadToken 

func (s *FileTokenStore) LoadToken(_ context.Context) (*oauth2.Token, error)

LoadToken reads a token from disk.

func (*FileTokenStore) SaveToken 

func (s *FileTokenStore) SaveToken(_ context.Context, token *oauth2.Token) error

SaveToken writes a token to disk.

type GitHubActionsEndpoint 

type GitHubActionsEndpoint struct {
	// contains filtered or unexported fields
}

GitHubActionsEndpoint represents the GitHub Actions OIDC endpoint

func (*GitHubActionsEndpoint) DiscoveredConfiguration 

func (e *GitHubActionsEndpoint) DiscoveredConfiguration() (*OpenIDConfiguration, error)

DiscoveredConfiguration returns the OIDC configuration by fetching the discovery endpoint

func (*GitHubActionsEndpoint) DiscoveryEndpoint 

func (e *GitHubActionsEndpoint) DiscoveryEndpoint() (*url.URL, error)

DiscoveryEndpoint returns the OIDC discovery endpoint URL

func (*GitHubActionsEndpoint) OAuth2Endpoint 

func (e *GitHubActionsEndpoint) OAuth2Endpoint() (oauth2.Endpoint, error)

OAuth2Endpoint returns the OAuth2 endpoint configuration

func (*GitHubActionsEndpoint) URL 

func (e *GitHubActionsEndpoint) URL() *url.URL

URL returns the base URL for the GitHub Actions OIDC endpoint

type GitHubEndpoint 

type GitHubEndpoint struct {
	// contains filtered or unexported fields
}

GitHubEndpoint represents the GitHub OAuth endpoint.

func (*GitHubEndpoint) DiscoveredConfiguration 

func (e *GitHubEndpoint) DiscoveredConfiguration() (*OpenIDConfiguration, error)

func (*GitHubEndpoint) DiscoveryEndpoint 

func (e *GitHubEndpoint) DiscoveryEndpoint() (*url.URL, error)

func (*GitHubEndpoint) GothProvider 

func (e *GitHubEndpoint) GothProvider(clientID, clientSecret string, callbackURL *url.URL, scopes ...string) (goth.Provider, error)

func (*GitHubEndpoint) OAuth2Endpoint 

func (e *GitHubEndpoint) OAuth2Endpoint() (oauth2.Endpoint, error)

func (*GitHubEndpoint) URL 

func (e *GitHubEndpoint) URL() *url.URL

type GothEndpoint 

type GothEndpoint interface {
	GothProvider(clientID, clientSecret string, callbackURL *url.URL, scopes ...string) (goth.Provider, error)
}

GothEndpoint defines the interface for endpoints that support Goth provider creation.

type HTTPDoer 

type HTTPDoer interface {
	Do(req *http.Request) (*http.Response, error)
}

HTTPDoer abstracts HTTP calls for testability.

type IntrospectionResponse 

type IntrospectionResponse struct {
	ExpiresAt                           int      `json:"exp"`
	IssuedAt                            int      `json:"iat"`
	AuthTime                            int      `json:"auth_time"`
	ID                                  string   `json:"jti"`
	Issuer                              string   `json:"iss"`
	Audience                            string   `json:"aud"`
	Subject                             string   `json:"sub"`
	Type                                string   `json:"typ"`
	AuthorizedParty                     string   `json:"azp"`
	SessionID                           string   `json:"sid"`
	AuthenticationContextClassReference string   `json:"acr"`
	AllowedOrigins                      []string `json:"allowed-origins"`
	RealmAccess                         struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
	ResourceAccess struct {
		Account struct {
			Roles []string `json:"roles"`
		} `json:"account"`
	} `json:"resource_access"`
	Scope             string   `json:"scope"`
	UserPrincipalName string   `json:"upn"`
	EmailVerified     bool     `json:"email_verified"`
	Name              string   `json:"name"`
	Groups            []string `json:"groups"`
	PreferredUsername string   `json:"preferred_username"`
	GivenName         string   `json:"given_name"`
	FamilyName        string   `json:"family_name"`
	Email             string   `json:"email"`
	ClientId          string   `json:"client_id"`
	Username          string   `json:"username"`
	TokenType         string   `json:"token_type"`
	Active            bool     `json:"active"`
	Website           string   `json:"website"`
	Organisation      []string `json:"org"`
	// contains filtered or unexported fields
}

IntrospectionResponse represents the fields returned by an RFC 7662 token introspection response, including some common provider extensions.

func (*IntrospectionResponse) Validate 

func (c *IntrospectionResponse) Validate(_ context.Context) error

Validate satisfies the validator interface for IntrospectionResponse.

type KeycloakEndpoint 

type KeycloakEndpoint struct {
	// contains filtered or unexported fields
}

KeycloakEndpoint represents a Keycloak OpenID Connect server endpoint.

func NewKeycloakEndpoint 

func NewKeycloakEndpoint(baseURLStr string) (*KeycloakEndpoint, error)

func (*KeycloakEndpoint) RealmEndpoint 

func (e *KeycloakEndpoint) RealmEndpoint(realm string, opts ...EndpointOption) (Endpoint, error)

type OpenIDConfiguration 

type OpenIDConfiguration struct {
	Issuer                                                    string   `json:"issuer"`
	AuthorizationEndpoint                                     string   `json:"authorization_endpoint"`
	TokenEndpoint                                             string   `json:"token_endpoint"`
	UserinfoEndpoint                                          string   `json:"userinfo_endpoint"`
	JWKSURI                                                   string   `json:"jwks_uri"`
	RegistrationEndpoint                                      string   `json:"registration_endpoint"`
	ScopesSupported                                           []string `json:"scopes_supported"`
	ResponseTypesSupported                                    []string `json:"response_types_supported"`
	GrantTypesSupported                                       []string `json:"grant_types_supported"`
	SubjectTypesSupported                                     []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported                          []string `json:"id_token_signing_alg_values_supported"`
	TokenEndpointAuthMethodsSupported                         []string `json:"token_endpoint_auth_methods_supported"`
	ClaimsSupported                                           []string `json:"claims_supported"`
	CodeChallengeMethodsSupported                             []string `json:"code_challenge_methods_supported"`
	IntrospectionEndpoint                                     string   `json:"introspection_endpoint"`
	EndSessionEndpoint                                        string   `json:"end_session_endpoint"`
	FrontchannelLogoutSessionSupported                        bool     `json:"frontchannel_logout_session_supported"`
	FrontchannelLogoutSupported                               bool     `json:"frontchannel_logout_supported"`
	CheckSessionIframe                                        string   `json:"check_session_iframe"`
	AcrValuesSupported                                        []string `json:"acr_values_supported"`
	IDTokenEncryptionAlgValuesSupported                       []string `json:"id_token_encryption_alg_values_supported"`
	IDTokenEncryptionEncValuesSupported                       []string `json:"id_token_encryption_enc_values_supported"`
	UserinfoSigningAlgValuesSupported                         []string `json:"userinfo_signing_alg_values_supported"`
	UserinfoEncryptionAlgValuesSupported                      []string `json:"userinfo_encryption_alg_values_supported"`
	UserinfoEncryptionEncValuesSupported                      []string `json:"userinfo_encryption_enc_values_supported"`
	RequestObjectSigningAlgValuesSupported                    []string `json:"request_object_signing_alg_values_supported"`
	RequestObjectEncryptionAlgValuesSupported                 []string `json:"request_object_encryption_alg_values_supported"`
	RequestObjectEncryptionEncValuesSupported                 []string `json:"request_object_encryption_enc_values_supported"`
	ResponseModesSupported                                    []string `json:"response_modes_supported"`
	TokenEndpointAuthSigningAlgValuesSupported                []string `json:"token_endpoint_auth_signing_alg_values_supported"`
	IntrospectionEndpointAuthMethodsSupported                 []string `json:"introspection_endpoint_auth_methods_supported"`
	IntrospectionEndpointAuthSigningAlgValuesSupported        []string `json:"introspection_endpoint_auth_signing_alg_values_supported"`
	AuthorizationSigningAlgValuesSupported                    []string `json:"authorization_signing_alg_values_supported"`
	AuthorizationEncryptionAlgValuesSupported                 []string `json:"authorization_encryption_alg_values_supported"`
	AuthorizationEncryptionEncValuesSupported                 []string `json:"authorization_encryption_enc_values_supported"`
	ClaimTypesSupported                                       []string `json:"claim_types_supported"`
	ClaimsParameterSupported                                  bool     `json:"claims_parameter_supported"`
	RequestParameterSupported                                 bool     `json:"request_parameter_supported"`
	RequestURIParameterSupported                              bool     `json:"request_uri_parameter_supported"`
	RequireRequestURIRegistration                             bool     `json:"require_request_uri_registration"`
	TLSClientCertificateBoundAccessTokens                     bool     `json:"tls_client_certificate_bound_access_tokens"`
	RevocationEndpoint                                        string   `json:"revocation_endpoint"`
	RevocationEndpointAuthMethodsSupported                    []string `json:"revocation_endpoint_auth_methods_supported"`
	RevocationEndpointAuthSigningAlgValuesSupported           []string `json:"revocation_endpoint_auth_signing_alg_values_supported"`
	BackchannelLogoutSupported                                bool     `json:"backchannel_logout_supported"`
	BackchannelLogoutSessionSupported                         bool     `json:"backchannel_logout_session_supported"`
	DeviceAuthorizationEndpoint                               string   `json:"device_authorization_endpoint"`
	BackchannelTokenDeliveryModesSupported                    []string `json:"backchannel_token_delivery_modes_supported"`
	BackchannelAuthenticationEndpoint                         string   `json:"backchannel_authentication_endpoint"`
	BackchannelAuthenticationRequestSigningAlgValuesSupported []string `json:"backchannel_authentication_request_signing_alg_values_supported"`
	RequirePushedAuthorizationRequests                        bool     `json:"require_pushed_authorization_requests"`
	PushedAuthorizationRequestEndpoint                        string   `json:"pushed_authorization_request_endpoint"`
	MTLSEndpointAliases                                       struct {
		TokenEndpoint                      string `json:"token_endpoint"`
		RevocationEndpoint                 string `json:"revocation_endpoint"`
		IntrospectionEndpoint              string `json:"introspection_endpoint"`
		DeviceAuthorizationEndpoint        string `json:"device_authorization_endpoint"`
		RegistrationEndpoint               string `json:"registration_endpoint"`
		UserinfoEndpoint                   string `json:"userinfo_endpoint"`
		PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"`
		BackchannelAuthenticationEndpoint  string `json:"backchannel_authentication_endpoint"`
	} `json:"mtls_endpoint_aliases"`
	AuthorizationResponseIssParameterSupported bool `json:"authorization_response_iss_parameter_supported"`
}

OpenIDConfiguration represents metadata returned by the OIDC discovery document.

type ProviderConfig 

type ProviderConfig struct {
	ClientID     string `json:"client-id" mapstructure:"client-id"`
	ClientSecret string `json:"client-secret" mapstructure:"client-secret"`
	Callback     string `json:"callback" mapstructure:"callback"`
}

ProviderConfig represents a single web provider configuration for Goth callbacks.

type ProviderMap 

type ProviderMap map[string]ProviderConfig

ProviderMap indexes provider configurations by name.

type RefreshingClientCredentialsTokenSource 

type RefreshingClientCredentialsTokenSource struct {
	// contains filtered or unexported fields
}

func (*RefreshingClientCredentialsTokenSource) Token 

func (ts *RefreshingClientCredentialsTokenSource) Token() (*oauth2.Token, error)

type RequestOpt 

type RequestOpt func(url.Values)

func WithAudience 

func WithAudience(audience string) RequestOpt

type TokenSourceFactory 

type TokenSourceFactory func(cfg ClientConfig) (oauth2.TokenSource, error)

TokenSourceFactory creates a token source from config.

type TokenStore 

type TokenStore interface {
	LoadToken(ctx context.Context) (*oauth2.Token, error)
	SaveToken(ctx context.Context, token *oauth2.Token) error
}

TokenStore abstracts token persistence.

type TokenValidator 

type TokenValidator = jwt.TokenValidator

TokenValidator is an alias for jwt.TokenValidator.

type TrustConfig 

type TrustConfig struct {
	Verifiers []ValidatorConfig `json:"validators" mapstructure:"validators"`
}

TrustConfig describes a set of validators that must all succeed.

type ValidatorConfig 

type ValidatorConfig struct {
	EndpointConfig     `mapstructure:",squash"`
	Audiences          []string       `json:"audiences" mapstructure:"audiences"`
	Issuer             string         `json:"issuer" mapstructure:"issuer"`
	CacheTTL           int            `json:"cache_ttl_seconds" mapsstructure:"cache_ttl_seconds"`
	SignatureAlgorithm string         `json:"signature_algorithm" mapstructure:"signature_algorithm"`
	AllowedClockSkew   int            `json:"allowed_clock_skew_seconds" mapstructure:"allowed_clock_skew_seconds"`
	Debug              bool           `json:"debug" mapstructure:"debug"`
	ClaimPredicate     map[string]any `json:"claim_predicates" mapstructure:"claim_predicates"`
}

ValidatorConfig controls validation behavior for issued tokens.

type ValidatorOpt 

type ValidatorOpt func(*validatorOptions)

ValidatorOpt configures validator creation.

func WithValidatorJWKSProvider 

func WithValidatorJWKSProvider(provider *jwks.CachingProvider) ValidatorOpt

WithValidatorJWKSProvider sets a custom JWKS caching provider.

func WithValidatorKeyFunc 

func WithValidatorKeyFunc(keyFunc func(context.Context) (any, error)) ValidatorOpt

WithValidatorKeyFunc sets a custom key function for validation.

Source Files

View all Source files

Directories

Path Synopsis
Package aws provides functionality to retrieve OIDC tokens from AWS STS GetWebIdentityToken API.
 Package aws provides functionality to retrieve OIDC tokens from AWS STS GetWebIdentityToken API.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.