oidc-idp/internal/models/oidc.go


/*
Copyright CAcert Inc.
SPDX-License-Identifier: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package models contains data models
package models
import "errors"
// ErrNoValue is returned by IndividualClaimsRequest.WantedValue when the
// request carries no usable "value" member (absent, or not a string).
var ErrNoValue = errors.New("value not found")
// IndividualClaimsRequest represents an individual claim request: the JSON
// object attached to a single claim name inside the claims parameter. Its
// methods read the optional "essential", "value" and "values" members; any
// other member is carried along untouched.
//
// NOTE(review): the interface{} values are presumably produced by a JSON
// decoder, in which case arrays arrive as []interface{} rather than []string
// and numbers as float64 — check the methods' type assertions against the
// actual decoder used.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
type IndividualClaimsRequest map[string]interface{}
// ClaimElement represents a claim element: the map from claim name to the
// individual claim request for that name.
//
// NOTE(review): the value is a pointer, so if this is populated via
// encoding/json a claim requested as JSON null ("email": null, the default
// form in the spec) becomes a nil pointer; callers must nil-check before
// dereferencing.
type ClaimElement map[string]*IndividualClaimsRequest
// OIDCClaimsRequest is the claims request parameter sent with the
// authorization request. The keys are the top-level members of the claims
// parameter; GetUserInfo and GetIDToken select the two members defined by the
// specification.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
type OIDCClaimsRequest map[string]ClaimElement
// GetUserInfo extracts the userinfo claim element from the request.
//
// It returns a pointer to the "userinfo" member, or nil when the request
// (including a nil map) has no such member.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
//
// The userinfo member requests that the listed individual Claims be returned
// from the UserInfo Endpoint, in addition to any Claims requested via scope
// values. If absent, only the scope-derived Claims are requested from the
// UserInfo Endpoint.
//
// When the userinfo member is used, the request MUST also use a response_type
// value that results in an Access Token being issued to the Client for use at
// the UserInfo Endpoint.
func (r OIDCClaimsRequest) GetUserInfo() *ClaimElement {
	element, present := r["userinfo"]
	if !present {
		return nil
	}
	return &element
}
// GetIDToken extracts the id_token claim element from the request.
//
// It returns a pointer to the "id_token" member, or nil when the request
// (including a nil map) has no such member.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
//
// The id_token member requests that the listed individual Claims be returned
// in the ID Token, in addition to the default ID Token Claims. If absent, the
// default ID Token Claims are requested, as per the ID Token definition in
// Section 2 and the additional per-flow ID Token requirements in Sections
// 3.1.3.6, 3.2.2.10, 3.3.2.11, and 3.3.3.6.
func (r OIDCClaimsRequest) GetIDToken() *ClaimElement {
	element, present := r["id_token"]
	if !present {
		return nil
	}
	return &element
}
// IsEssential checks whether the individual claim is an essential claim.
//
// It returns true only when the request has an "essential" member whose
// value is the boolean true. An absent member, or one holding any other type,
// yields false — the default the specification prescribes.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
//
// The essential member indicates whether the Claim being requested is an
// Essential Claim. For instance, the Claim request:
//
//	"auth_time": {"essential": true}
//
// specifies that it is Essential to return an auth_time Claim Value. A value
// of false marks a Voluntary Claim; the default is false.
//
// By requesting Claims as Essential Claims, the RP indicates to the End-User
// that releasing these Claims will ensure a smooth authorization for the
// specific task requested by the End-User.
//
// Note that even if the Claims are not available because the End-User did not
// authorize their release, or they are not present, the Authorization Server
// MUST NOT generate an error when Claims are not returned, whether they are
// Essential or Voluntary, unless otherwise specified in the description of
// the specific claim.
func (i IndividualClaimsRequest) IsEssential() bool {
	raw, present := i["essential"]
	if !present {
		return false
	}
	// A member of the wrong type is treated exactly like an absent one.
	flag, isBool := raw.(bool)
	return isBool && flag
}
// WantedValue returns the wanted value for an individual claim request.
//
// It returns the string held by the "value" member. When the member is absent,
// or present with a non-string type, it returns ErrNoValue.
//
// NOTE(review): a present-but-malformed value member is therefore
// indistinguishable from an absent one to callers; a caller that treats
// ErrNoValue as "no constraint requested" silently drops such a constraint.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
//
// The value member requests that the Claim be returned with a particular
// value. For instance the Claim request:
//
//	"sub": {"value": "248289761001"}
//
// specifies that the request applies to the End-User with Subject Identifier
// 248289761001. The value of the value member MUST be a valid value for the
// Claim being requested. Definitions of individual Claims can include
// requirements on how and whether the value qualifier is to be used when
// requesting that Claim.
func (i IndividualClaimsRequest) WantedValue() (string, error) {
	raw, present := i["value"]
	if !present {
		return "", ErrNoValue
	}
	wanted, isString := raw.(string)
	if !isString {
		return "", ErrNoValue
	}
	return wanted, nil
}
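// AllowedValues gets the allowed values for an individual claim request that
// specifies a values field.
//
// The "values" member is accepted either as a []string (as built by Go code)
// or as a []interface{} whose elements are all strings, which is the shape a
// JSON decoder produces for a JSON array in a map[string]interface{}. The
// original implementation only accepted []string, so a request decoded from
// JSON always appeared to carry no values restriction.
//
// It returns nil when the member is absent, has neither accepted type, or
// contains a non-string element. A nil result therefore means "no usable
// values restriction"; callers that enforce such a restriction must not treat
// nil as "any value acceptable" without considering the malformed case.
//
// # Specification
//
// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
//
// The values member requests that the Claim be returned with one of a set of
// values, with the values appearing in order of preference. For instance the
// Claim request:
//
//	"acr": {"essential": true,
//	        "values": ["urn:mace:incommon:iap:silver",
//	                   "urn:mace:incommon:iap:bronze"]}
//
// specifies that it is Essential that the acr Claim be returned with either
// the value urn:mace:incommon:iap:silver or urn:mace:incommon:iap:bronze.
// The values in the values member array MUST be valid values for the Claim
// being requested. Definitions of individual Claims can include requirements
// on how and whether the values qualifier is to be used when requesting that
// Claim.
func (i IndividualClaimsRequest) AllowedValues() []string {
	raw, present := i["values"]
	if !present {
		return nil
	}
	switch values := raw.(type) {
	case []string:
		return values
	case []interface{}:
		out := make([]string, 0, len(values))
		for _, item := range values {
			s, isString := item.(string)
			if !isString {
				// One non-string entry makes the list unusable as a set of
				// claim values; fall back to "no usable restriction" rather
				// than enforcing a partial list.
				return nil
			}
			out = append(out, s)
		}
		// Preference order is preserved from the request.
		return out
	}
	return nil
}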
// OpenIDConfiguration contains the parts of the OpenID discovery information
// that are relevant for us. Each field maps to the provider metadata member
// named in its json tag; members not listed here are dropped on decode.
//
// # Specifications
//
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
//
// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OPMetadata
type OpenIDConfiguration struct {
	// Issuer is the "issuer" member of the provider metadata.
	Issuer string `json:"issuer"`
	// AuthorizationEndpoint is the "authorization_endpoint" member.
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	// TokenEndpoint is the "token_endpoint" member.
	TokenEndpoint string `json:"token_endpoint"`
	// UserInfoEndpoint is the "userinfo_endpoint" member.
	UserInfoEndpoint string `json:"userinfo_endpoint"`
	// JwksURI is the "jwks_uri" member.
	JwksURI string `json:"jwks_uri"`
	// RegistrationEndpoint is the "registration_endpoint" member.
	RegistrationEndpoint string `json:"registration_endpoint"`
	// ScopesSupported is the "scopes_supported" member.
	ScopesSupported []string `json:"scopes_supported"`
	// EndSessionEndpoint is the "end_session_endpoint" member defined by the
	// RP-Initiated Logout specification.
	EndSessionEndpoint string `json:"end_session_endpoint"`
	// ClaimTypesSupported is the "claim_types_supported" member.
	ClaimTypesSupported []string `json:"claim_types_supported"`
	// ClaimsSupported is the "claims_supported" member.
	ClaimsSupported []string `json:"claims_supported"`
}