11# go-oidc
22
33[ ![ Go Reference] ( https://pkg.go.dev/badge/github.com/coreos/go-oidc/v3/oidc.svg )] ( https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc )
4- ![ github.com/coreos/go-oidc/v3] ( https://github.com/coreos/go-oidc/workflows/test/badge.svg?branch=v3 )
54
6- ## Updates from v2 to v3
7-
8- There were two breaking changes made to the v3 branch. The import path has changed from:
9-
10- ```
11- github.com/coreos/go-oidc
12- ```
13-
14- to:
15-
16- ```
17- github.com/coreos/go-oidc/v3/oidc
5+ OpenID Connect is a specification on top of OAuth 2.0 that adds a
6+ provider-agnostic API for user attributes. End users perform the regular OAuth 2.0 flow
7+ and the response includes a JWT signed by the identity provider with [ standard
8+ claims] [ oidc-claims ] for a stable identifier, email, display name, and other
9+ attributes.
10+
11+ ``` json
12+ {
13+ "sub" : " 12345abcd" ,
14+ "email" : " janedoe@example.com" ,
15+ "email_verified" : true ,
16+ "name" : " Jane Doe"
17+ }
1818```
1919
20- And the return type of ` NewRemoteKeySet() ` is now ` *RemoteKeySet ` instead of an interface ([ #262 ] ( https://github.com/coreos/go-oidc/pull/262 ) ).
20+ [ oidc-claims ] : https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
21+
22+ This package can be used to identify users (and even [ workload identities] [ github-workload ] )
23+ across a large number of identity providers:
24+
25+ - Consumer
26+ - [ Google] ( https://developers.google.com/identity/openid-connect/openid-connect )
27+ - [ Apple (Sign in with Apple)] ( https://developer.apple.com/sign-in-with-apple/ )
28+ - [ Microsoft] ( https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc )
29+ - [ Facebook Login] ( https://developers.facebook.com/docs/facebook-login/ )
30+ - [ LinkedIn] ( https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2 )
31+ - Enterprise
32+ - [ Microsoft Entra ID] ( https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc )
33+ - [ Okta] ( https://developer.okta.com/docs/concepts/oauth-openid/ )
34+ - [ Auth0] ( https://auth0.com/docs/authenticate/protocols/openid-connect-protocol )
35+ - [ Amazon Cognito] ( https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html )
36+ - [ OneLogin] ( https://developers.onelogin.com/openid-connect )
37+ - Workload
38+ - [ GitHub Actions] ( https://docs.github.com/en/actions/concepts/security/openid-connect )
39+ - [ GitLab CI/CD (ID tokens)] ( https://docs.gitlab.com/ci/cloud_services/ )
40+ - [ Google Cloud Workload Identity Federation] ( https://cloud.google.com/iam/docs/workload-identity-federation )
41+ - [ AWS (IAM OIDC identity providers)] ( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html )
42+ - [ Kubernetes (service account / OIDC tokens)] ( https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens )
43+ - [ HashiCorp HCP Terraform] ( https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens )
44+
45+ [ github-workload ] : https://oblique.security/blog/github-actions-identity/
46+
47+ go-oidc is a mature OpenID Connect client, and is imported by [ over 1000] [ go-oidc-imports ]
48+ open source projects.
49+
50+ [ go-oidc-imports ] : https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc?tab=importedby
2151
2252## OpenID Connect support for Go
2353
24- This package enables OpenID Connect support for the [ golang.org/x/oauth2] ( https://godoc.org/golang.org/x/oauth2 ) package.
54+ This package enables OpenID Connect support for the [ golang.org/x/oauth2] [ go-oauth2-doc ] package.
55+ The client can be initialized through OpenID Connect discovery with the issuer
56+ URL and a few additional scopes on the ` oauth2.Config ` .
57+
58+ [ go-oauth2-doc ] : https://pkg.go.dev/golang.org/x/oauth2
2559
2660``` go
2761provider , err := oidc.NewProvider (ctx, " https://accounts.google.com" )
@@ -41,6 +75,9 @@ oauth2Config := oauth2.Config{
4175 // "openid" is a required scope for OpenID Connect flows.
4276 Scopes : []string {oidc.ScopeOpenID , " profile" , " email" },
4377}
78+
79+ // Create an ID Token verifier.
80+ idTokenVerifier := provider.Verifier (&oidc.Config {ClientID: clientID})
4481```
4582
4683OAuth2 redirects are unchanged.
@@ -51,11 +88,9 @@ func handleRedirect(w http.ResponseWriter, r *http.Request) {
5188}
5289```
5390
54- The on responses , the provider can be used to verify ID Tokens.
91+ Then, on the response , the ID Token verifier can be used to verify ID Tokens.
5592
5693``` go
57- var verifier = provider.Verifier (&oidc.Config {ClientID: clientID})
58-
5994func handleOAuth2Callback (w http .ResponseWriter , r *http .Request ) {
6095 // Verify state and errors.
6196
@@ -71,15 +106,17 @@ func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
71106 }
72107
73108 // Parse and verify ID Token payload.
74- idToken , err := verifier .Verify (ctx, rawIDToken)
109+ idToken , err := idTokenVerifier .Verify (ctx, rawIDToken)
75110 if err != nil {
76111 // handle error
77112 }
78113
79114 // Extract custom claims
80115 var claims struct {
81- Email string ` json:"email"`
82- Verified bool ` json:"email_verified"`
116+ Email string ` json:"email"`
117+ EmailVerified bool ` json:"email_verified"`
118+ Name string ` json:"name"`
119+ Picture string ` json:"picture"`
83120 }
84121 if err := idToken.Claims (&claims); err != nil {
85122 // handle error
0 commit comments