certauth

package
v1.0.1 Latest

This package is not in the latest version of its module.
Published: Dec 30, 2025 License: Apache-2.0 Imports: 41 Imported by: 0

Documentation

Overview

Package certauth implements the main server logic for the CertAuth OpenID Provider and OID4VP Relying Party.

Index

Constants

const (
	CertificateBackEndpoint = "/certificate-back"
)

Variables

This section is empty.

Functions

func GenerateNonce

func GenerateNonce() string

func VerifyCertificate

func VerifyCertificate(data string, url string) ([]byte, error)

VerifyCertificate verifies a certificate using the EUDSS service.

Types

type Config

type Config struct {
	// If Development is true, we log more and use some default configuration options
	Development bool

	// The profile that we are running with
	Profile string

	// The URL and internal port for the CertAuth server, the one acting as an IdP
	CertAuthURL  string
	CertAuthPort string

	// The URL and internal port for the CertSec server, the one receiving directly the certificate from the user browser
	CertSecURL  string
	CertSecPort string

	// The Qualified Timestamping Authority configuration, to use for timestamping
	TSAConfig *tsaservice.TSAConfig

	// The email configuration, to use for sending emails to the user
	EmailConfig *email.EmailConfig

	// The URL for the management system where onboardings are registered
	ManagementURL string

	// The URL for the Digital Signature Services. We use it now for verification of certificates only.
	EUDSSURL string
}

Configuration for the CertAuth server

type EUDSSVerifyCertificateRequest

type EUDSSVerifyCertificateRequest struct {
	Certificate struct {
		EncodedCertificate string `json:"encodedCertificate"`
	} `json:"certificate"`
	TokenExtractionStrategy string `json:"tokenExtractionStrategy"`
}

type OID4VPAuthRequest

type OID4VPAuthRequest struct {
	jwt.RegisteredClaims
	Scope          string `json:"scope,omitempty"`
	ResponseType   string `json:"response_type,omitempty"`
	ResponseMode   string `json:"response_mode,omitempty"`
	ClientId       string `json:"client_id,omitempty"`
	ClientIdScheme string `json:"client_id_scheme,omitempty"`
	ResponseUri    string `json:"response_uri,omitempty"`
	State          string `json:"state,omitempty"`
	Nonce          string `json:"nonce,omitempty"`
}

func (*OID4VPAuthRequest) String

func (o *OID4VPAuthRequest) String() string

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server represents the CertAuth server. It acts as an OpenID Provider towards the Relying Parties, and as an OID4VP Relying Party towards the Wallet. In this way it insulates the OID4VP protocol from the Relying Parties, which just use standard OIDC to authenticate users and get an ID Token and an Access Token.
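The security-relevant part of the bridge described above is that the state and nonce the server puts into the OID4VP Authentication Request must be fresh, single-use and checked again when the Wallet's Authentication Response comes back. The following added example (not code from the certauth package) sketches that binding with the field names of OID4VPAuthRequest; it assumes a hypothetical AuthRequest stand-in without jwt.RegisteredClaims, a plain map in place of authprocCache, and no request-object signing or LEARCredential verification.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"time"
)

// AuthRequest: the OID4VP fields named on this page (hypothetical stand-in for OID4VPAuthRequest; Exp is the JWT exp claim).
type AuthRequest struct {
	ClientId string `json:"client_id"`
	State    string `json:"state"`
	Nonce    string `json:"nonce"`
	Exp      int64  `json:"exp"`
}

// Pending maps state to the issued request, the job authprocCache does in New (no locking here).
type Pending map[string]AuthRequest

// freshToken returns 32 CSPRNG bytes as unpadded base64url; a CSPRNG failure is fatal.
func freshToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// NewRequest mints fresh state and nonce values and remembers the request until ttl elapses.
func (p Pending) NewRequest(clientID string, now time.Time, ttl time.Duration) AuthRequest {
	req := AuthRequest{ClientId: clientID, State: freshToken(), Nonce: freshToken(), Exp: now.Add(ttl).Unix()}
	p[req.State] = req
	return req
}

// CheckResponse accepts a wallet response only if its state is pending and unexpired and the echoed
// nonce matches; the entry is consumed on the first attempt, so a replayed response fails.
func (p Pending) CheckResponse(state, nonce string, now time.Time) error {
	req, ok := p[state]
	delete(p, state) // single use, whatever the outcome
	if !ok || now.Unix() > req.Exp {
		return errors.New("unknown, already used or expired state")
	}
	if subtle.ConstantTimeCompare([]byte(req.Nonce), []byte(nonce)) != 1 {
		return errors.New("nonce mismatch")
	}
	return nil
}
```

In the real server the nonce is additionally expected inside the presented credential, so that the Wallet's proof is bound to this request rather than copied from an earlier one.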

func New

func New(
	db *database.Database,
	authprocCache *cache.GenericCache[string, *models.AuthProcess],
	ssoCache *cache.GenericCache[string, *models.SSOSession],
	adminPassword string,
	cfg *Config) (*Server, error)

New creates a new CertAuth server

func (*Server) APIDiscovery

func (s *Server) APIDiscovery(c *fiber.Ctx) error

APIDiscovery handles the discovery endpoint, where the Relying Party can retrieve information about the server

func (*Server) APIJWKS

func (s *Server) APIJWKS(c *fiber.Ctx) error

APIJWKS handles the JSON Web Key Set endpoint

func (*Server) APITokenExchange

func (s *Server) APITokenExchange(c *fiber.Ctx) error

APITokenExchange handles OAuth2 token endpoint. This is the last step for the RP in the authentication flow.

func (*Server) APIWalletAuthenticationRequest

func (s *Server) APIWalletAuthenticationRequest(c *fiber.Ctx) error

APIWalletAuthenticationRequest is the endpoint that the Wallet calls to retrieve the OID4VP Authentication Request object

func (*Server) APIWalletAuthenticationResponse

func (s *Server) APIWalletAuthenticationResponse(c *fiber.Ctx) error

APIWalletAuthenticationResponse is the endpoint that the Wallet calls to send the Authentication Response with the LEARCredential

func (*Server) APIWalletLoginPagePoll

func (s *Server) APIWalletLoginPagePoll(c *fiber.Ctx) error

APIWalletLoginPagePoll is the endpoint called periodically by the Wallet Login page to check if the authentication request has been processed or is still pending.

func (*Server) AdminDashboard

func (s *Server) AdminDashboard(c *fiber.Ctx) error

AdminDashboard handles the admin dashboard.

func (*Server) Authorization

func (s *Server) Authorization(c *fiber.Ctx) error

Authorization handles the OAuth2 authorization endpoint. This is the first step of the authorization process. We support two types of authorization: with an eIDAS certificate and with a Verifiable Credential.

func (*Server) CreateRP

func (s *Server) CreateRP(c *fiber.Ctx) error

CreateRP creates a new relying party

func (*Server) DeleteRP

func (s *Server) DeleteRP(c *fiber.Ctx) error

DeleteRP deletes a relying party

func (*Server) ListRP

func (s *Server) ListRP(c *fiber.Ctx) error

ListRP lists all relying parties

func (*Server) Logout

func (s *Server) Logout(c *fiber.Ctx) error

Logout handles logout endpoint

func (*Server) PageLogin

func (s *Server) PageLogin(c *fiber.Ctx) error

func (*Server) PageWalletLogin

func (s *Server) PageWalletLogin(c *fiber.Ctx) error

PageWalletLogin presents the QR code for Wallet authentication. It is called from the main login page of CertAuth.

func (*Server) Start

func (s *Server) Start(ctx context.Context) error

Start starts the server

func (*Server) UpdateRP

func (s *Server) UpdateRP(c *fiber.Ctx) error

UpdateRP updates an existing relying party

func (*Server) UserInfo

func (s *Server) UserInfo(c *fiber.Ctx) error

UserInfo handles OpenID Connect userinfo endpoint
