{"id":13676643,"url":"https://github.com/hashicorp/cap","last_synced_at":"2025-05-13T23:06:10.036Z","repository":{"id":40557103,"uuid":"314332327","full_name":"hashicorp/cap","owner":"hashicorp","description":"A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP","archived":false,"fork":false,"pushed_at":"2025-04-16T23:37:38.000Z","size":688,"stargazers_count":457,"open_issues_count":3,"forks_count":18,"subscribers_count":17,"default_branch":"main","last_synced_at":"2025-04-17T12:19:01.012Z","etag":null,"topics":["golang","ldap","ldap-authentication","oidc","oidc-client","oidc-testing"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hashicorp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-19T18:12:50.000Z","updated_at":"2025-04-16T23:37:40.000Z","dependencies_parsed_at":"2023-02-04T10:32:17.434Z","dependency_job_id":"73ffdbe4-fccb-41e6-a82a-3558636e3e0e","html_url":"https://github.com/hashicorp/cap","commit_stats":{"total_commits":179,"total_committers":21,"mean_commits":8.523809523809524,"dds":0.553072625698324,"last_synced_commit":"b85f9a71c328388b9bd1d506efa3479f8d22c5b7"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fcap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fcap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/hashicorp%2Fcap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fcap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hashicorp","download_url":"https://codeload.github.com/hashicorp/cap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254040781,"owners_count":22004613,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","ldap","ldap-authentication","oidc","oidc-client","oidc-testing"],"created_at":"2024-08-02T13:00:30.850Z","updated_at":"2025-05-13T23:06:05.021Z","avatar_url":"https://github.com/hashicorp.png","language":"Go","readme":"# cap\n\n`cap` (collection of authentication packages) provides a collection of related\npackages which enable support for OIDC, JWT Verification and Distributed Claims.\n\n**Please note**: We take security and our users' trust very seriously. If you \nbelieve you have found a security issue, please [responsibly\ndisclose](https://www.hashicorp.com/security#vulnerability-reporting) by\ncontacting us at  security@hashicorp.com.\n\n## Contributing\n\nThank you for your interest in contributing! Please refer to\n[CONTRIBUTING.md](https://github.com/hashicorp/cap/blob/main/CONTRIBUTING.md)\nfor guidance. \n\n\u003chr\u003e\n\n### [`oidc package`](./oidc) \n[![Go Reference](https://pkg.go.dev/badge/github.com/hashicorp/cap/oidc.svg)](https://pkg.go.dev/github.com/hashicorp/cap/oidc)\n \n A package for writing clients that integrate with OIDC Providers. 
Primary types provided by the\n package are: \n 1. Request\n 2. Token\n 3. Config\n 4. Provider \n\nThe package also provides callbacks (in the form of http.HandlerFunc) for\nhandling OIDC provider responses to authorization code flow (with optional PKCE)\nand implicit flow authentication attempts.\n\u003chr\u003e\n\nExample of a provider using an authorization code flow:\n```go\n// Create a new provider config. The first argument is the issuer URL; the\n// provider's discovery document is fetched from it, so use https outside of tests.\npc, err := oidc.NewConfig(\n    \"https://your-issuer.com/\",\n    \"your_client_id\",\n    \"your_client_secret\",\n    []oidc.Alg{oidc.RS256},\n    []string{\"https://your_redirect_url\"},\n)\nif err != nil {\n    // handle error\n}\n\n// Create a provider\np, err := oidc.NewProvider(pc)\nif err != nil {\n    // handle error\n}\ndefer p.Done()\n\n// Create a Request for a user's authorization code flow authentication attempt,\n// with a 2 min timeout for completion. NewRequest generates the state and nonce\n// for this attempt; persist the Request keyed by its state so the callback below\n// can find it.\noidcRequest, err := oidc.NewRequest(2*time.Minute, \"https://your_redirect_url\")\nif err != nil {\n    // handle error\n}\n\n// Create an auth URL\nauthURL, err := p.AuthURL(ctx, oidcRequest)\nif err != nil {\n    // handle error\n}\nfmt.Println(\"open url to kick-off authentication: \", authURL)\n```\n\nCreate an http.Handler for OIDC authentication response redirects.\n```go\n// NewHandler returns the handler for the redirect URL registered above. rw looks\n// up the oidc.Request that was created for a given state value, so an unknown,\n// expired or already-consumed state fails before any code is exchanged.\nfunc NewHandler(ctx context.Context, p *oidc.Provider, rw callback.RequestReader) (http.HandlerFunc, error) {\n    if p == nil {\n        return nil, errors.New(\"missing provider\")\n    }\n    if rw == nil {\n        return nil, errors.New(\"missing request reader\")\n    }\n    return func(w http.ResponseWriter, req *http.Request) {\n        state := req.FormValue(\"state\")\n        oidcRequest, err := rw.Read(ctx, state)\n        if err != nil {\n            http.Error(w, \"unknown or expired state\", http.StatusBadRequest)\n            return\n        }\n        // Exchange(...) checks that the returned state matches the request and\n        // verifies the ID token (signature, issuer, audience, nonce, expiry)\n        // before returning.
\n        token, err := p.Exchange(ctx, oidcRequest, state, req.FormValue(\"code\"))\n        if err != nil {\n            http.Error(w, \"token exchange failed\", http.StatusUnauthorized)\n            return\n        }\n        var claims map[string]interface{}\n        if err := token.IDToken().Claims(\u0026claims); err != nil {\n            http.Error(w, \"invalid id token claims\", http.StatusInternalServerError)\n            return\n        }\n        sub, ok := claims[\"sub\"].(string)\n        if !ok || sub == \"\" {\n            http.Error(w, \"id token has no subject\", http.StatusInternalServerError)\n            return\n        }\n\n        // Get the user's claims via the provider's UserInfo endpoint. Passing the\n        // ID token's subject lets UserInfo(...) reject a response whose sub differs,\n        // so UserInfo claims cannot be attributed to the wrong user.\n        var infoClaims map[string]interface{}\n        if err := p.UserInfo(ctx, token.StaticTokenSource(), sub, \u0026infoClaims); err != nil {\n            http.Error(w, \"userinfo request failed\", http.StatusBadGateway)\n            return\n        }\n        resp := struct {\n            IDTokenClaims  map[string]interface{}\n            UserInfoClaims map[string]interface{}\n        }{claims, infoClaims}\n        w.Header().Set(\"Content-Type\", \"application/json\")\n        if err := json.NewEncoder(w).Encode(resp); err != nil {\n            // handle error\n        }\n    }, nil\n}\n```\n\n### [`jwt package`](./jwt) \n[![Go Reference](https://pkg.go.dev/badge/github.com/hashicorp/cap/jwt.svg)](https://pkg.go.dev/github.com/hashicorp/cap/jwt)\n\nPackage jwt provides signature verification and claims set validation for JSON Web Tokens (JWT)\nof the JSON Web Signature (JWS) form.\n\nJWT claims set validation provided by the package includes the option to validate\nall registered claim names defined in [rfc7519#section-4.1](https://tools.ietf.org/html/rfc7519#section-4.1).\n\nJOSE header validation provided by the package includes the option to validate the \"alg\"\n(Algorithm) Header Parameter defined in [rfc7515#section-4.1](https://tools.ietf.org/html/rfc7515#section-4.1).\n\nJWT signature verification is supported by providing keys from the following sources:\n\n- JSON Web Key Set (JWKS) URL\n- OIDC Discovery mechanism\n- Local public keys\n\nJWT signature verification supports the following asymmetric algorithms defined in\n[rfc7518.html#section-3.1](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1):\n \n| Identifier | Signing Algorithm                              |\n| 
---------- | :--------------------------------------------- |\n| RS256      | RSASSA-PKCS1-v1_5 using SHA-256                |\n| RS384      | RSASSA-PKCS1-v1_5 using SHA-384                |\n| RS512      | RSASSA-PKCS1-v1_5 using SHA-512                |\n| ES256      | ECDSA using P-256 and SHA-256                  |\n| ES384      | ECDSA using P-384 and SHA-384                  |\n| ES512      | ECDSA using P-521 and SHA-512                  |\n| PS256      | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |\n| PS384      | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 |\n| PS512      | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 |\n| EdDSA      | Ed25519 using SHA-512                          |\n\n\u003chr\u003e\n\nExample usage of JWT signature verification and claims set validation using keys from a JWKS URL:\n\n```go\nctx := context.Background()\n\nkeySet, err := jwt.NewJSONWebKeySet(ctx, \"your_jwks_url\", \"your_jwks_ca_pem\")\nif err != nil {\n\tlog.Fatal(err)\n}\n\nvalidator, err := jwt.NewValidator(keySet)\nif err != nil {\n\tlog.Fatal(err)\n}\n\nexpected := jwt.Expected{\n\tIssuer:            \"your_expected_issuer\",\n\tSubject:           \"your_expected_subject\",\n\tID:                \"your_expected_jwt_id\",\n\tAudiences:         []string{\"your_expected_audiences\"},\n\tSigningAlgorithms: []jwt.Alg{jwt.RS256},\n}\n\ntoken := \"header.payload.signature\"\nclaims, err := validator.Validate(ctx, token, expected)\nif err != nil {\n\tlog.Fatal(err)\n}\n```\n\nFor additional documentation and usage examples, see [jwt/README.md](./jwt).\n\n\n\u003chr\u003e\n\n### [`ldap package`](./ldap) \n[![Go\nReference](https://pkg.go.dev/badge/github.com/hashicorp/cap/ldap.svg)](https://pkg.go.dev/github.com/hashicorp/cap/ldap)\n\nldap is a package for writing clients that authenticate using Active Directory\nor LDAP.\n\nPrimary types provided by the package:\n\n* `ldap.Client`\n* `ldap.ClientConfig`\n\n\u003chr\u003e\n\n### Example usage\n\nAn abbreviated 
example of authenticating a user:\n\n```go\nclient, err := ldap.NewClient(ctx, \u0026clientConfig)\nif err != nil { \n  // handle error appropriately\n}\n\n// authenticate and get the user's groups as well.\nresult, err := client.Authenticate(ctx, username, passwd, ldap.WithGroups())\nif err != nil { \n  // handle error appropriately\n}\n\nif result.Success {\n  // user successfully authenticated...\n  if len(result.Groups) \u003e 0 {\n    // we found some groups associated with the authenticated user...\n  }\n}\n```\n\n### [`saml package`](./saml)\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/hashicorp/cap/saml.svg)](https://pkg.go.dev/github.com/hashicorp/cap/saml)\n\nA package for writing clients that integrate with SAML Providers.\n\nThe SAML library orients mainly on the implementation profile for\n[federation interoperability](https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html)\n(also known as interoperable SAML), a set of software conformance requirements\nintended to facilitate interoperability within the context of full mesh identity\nfederations. It supports the Web Browser SSO profile with HTTP-Post and\nHTTP-Redirect as supported service bindings. 
The default SAML settings follow\nthe requirements of the interoperable SAML\n[deployment profile](https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_service_provider_requirements).\n\n#### Example usage\n\n```go\n    // Create a new saml config providing the necessary provider information:\n    cfg, err := saml.NewConfig(\u003centityID\u003e, \u003cacs\u003e, \u003cmetadata\u003e, options...)\n    // handle error\n\n    // Use the config to create the service provider:\n    sp, err := saml.NewServiceProvider(cfg)\n    // handle error\n\n    // With the service provider you can create saml authentication requests:\n\n    // Generate a saml auth request with the HTTP-Post binding\n    template, err := sp.AuthRequestPost(\"relay state\", options...)\n    // handle error\n\n    // Generate a saml auth request with the HTTP-Redirect binding\n    redirectURL, err := sp.AuthRequestRedirect(\"relay state\", options...)\n    // handle error\n\n    // Parsing a SAML response posted to the ACS (r is the incoming *http.Request).\n    // The second argument is the ID of the AuthnRequest this response must answer:\n    // keep it from the request you generated so the response's InResponseTo can\n    // be checked against it.\n    r.ParseForm()\n    samlResp := r.PostForm.Get(\"SAMLResponse\")\n\n    response, err := sp.ParseResponse(samlResp, \"Response ID\", options...)\n    // handle error\n```\n\nYou can find the full demo code in the [`saml/demo`](./saml/demo/main.go)\npackage.\n","funding_links":[],"categories":["Middlewares \u0026 framework add-ons","Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fcap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhashicorp%2Fcap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fcap/lists"}
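The `oidc` section of the README above hinges on bookkeeping that the snippets leave to the caller: each `oidc.Request` carries a fresh state, nonce and (with PKCE) code verifier, and the callback must look the request up by the echoed state before calling `Exchange`. The following is an added example, not code from hashicorp/cap, written against the Go standard library only so it runs without the module. `RequestStore`, `pending`, `Begin`, `Callback` and `Challenge` are this example's own names, and the authorization endpoint, client ID and redirect URL are placeholders. It shows the properties that store has to guarantee: unguessable values, a deadline, and one-time consumption so a replayed callback fails.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"sync"
	"time"
)

// pending is what a callback.RequestReader in the README hands back for a state
// value: the secrets minted when the login began. (Example type, not cap's.)
type pending struct {
	Nonce    string // bound into the ID token by the provider; checked at exchange
	Verifier string // PKCE code_verifier, sent only on the back-channel exchange
	Expires  time.Time
}

// RequestStore keeps in-flight requests keyed by state. A real deployment would
// back this with a store shared across instances; the map is enough to show the
// one-time, time-bounded semantics.
type RequestStore struct {
	mu sync.Mutex
	m  map[string]pending
}

func NewRequestStore() *RequestStore { return &RequestStore{m: map[string]pending{}} }

// randomToken returns 256 bits of randomness as unpadded base64url; state, nonce
// and the PKCE verifier all need to be unguessable.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Challenge derives the S256 code_challenge from a verifier (RFC 7636, section 4.2).
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Begin mints state, nonce and PKCE verifier for one login attempt, records them
// with a deadline, and returns the state plus the URL to send the browser to.
func (s *RequestStore) Begin(authzEndpoint, clientID, redirectURL string, ttl time.Duration, now time.Time) (string, string) {
	state, nonce, verifier := randomToken(), randomToken(), randomToken()
	s.mu.Lock()
	s.m[state] = pending{Nonce: nonce, Verifier: verifier, Expires: now.Add(ttl)}
	s.mu.Unlock()

	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("scope", "openid")
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", Challenge(verifier))
	q.Set("code_challenge_method", "S256")
	return state, authzEndpoint + "?" + q.Encode()
}

// Callback is what the redirect handler runs with the echoed state before it
// exchanges the code. The request is consumed, so a replayed callback fails,
// and an expired or never-issued state fails the same way.
func (s *RequestStore) Callback(state string, now time.Time) (pending, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.m[state]
	if !ok {
		return pending{}, errors.New("oidc: unknown or already used state")
	}
	delete(s.m, state)
	if now.After(p.Expires) {
		return pending{}, errors.New("oidc: request expired")
	}
	return p, nil
}
```

The verifier never leaves the server: only its SHA-256 challenge goes into the front-channel URL, and the verifier itself is presented on the back-channel code exchange, which is what stops an intercepted code from being redeemed by someone else. Deleting the entry before checking expiry means a late callback cannot be retried either.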
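The `jwt` section of the README above lists what a verifier has to pin down: the permitted `alg` values, the key, and the registered claims in `jwt.Expected`. The following is an added example, not code from hashicorp/cap; it uses only the Go standard library with Ed25519 (the EdDSA row of the table) so it runs without the module, and `Expected`, `Claims`, `Audience`, `Sign` and `Verify` are this example's own names. It shows the order of checks that matters: algorithm allowlist first, signature second, claims last, and why `aud` needs to accept both the string and array forms. `Expected.Now` is injected rather than read from the clock so the behaviour is deterministic.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url (RFC 7515, section 2)

// Expected plays the role jwt.Expected plays in the README; the type is this example's own.
type Expected struct {
	Issuer            string
	Audiences         []string
	SigningAlgorithms []string // allowlist: the token never gets to choose its own alg
	Now               int64    // unix time at which the token is evaluated
}

// Audience accepts both forms RFC 7519 allows: "aud":"x" and "aud":["x","y"].
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
}

// Sign builds a compact JWS over c; alg "none" yields the unsigned token an attacker might present.
func Sign(priv ed25519.PrivateKey, alg string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": alg})
	pb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	if alg == "none" {
		return input + "."
	}
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify checks the header against the allowlist, then the signature, and only then the claims.
func Verify(token string, pub ed25519.PublicKey, exp Expected) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed compact serialization")
	}
	var h struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, errors.New("jwt: malformed header")
	}
	// Refuse anything outside the caller's allowlist before touching the signature:
	// this is what defeats "alg":"none" and RSA/HMAC key-confusion tokens.
	if !contains(exp.SigningAlgorithms, h.Alg) || h.Alg != "EdDSA" {
		return nil, fmt.Errorf("jwt: alg %q not permitted", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("jwt: signature verification failed")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("jwt: malformed payload")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || contains(exp.Audiences, a)
	}
	switch {
	case c.Iss != exp.Issuer:
		return nil, fmt.Errorf("jwt: unexpected issuer %q", c.Iss)
	case !audOK:
		return nil, errors.New("jwt: audience mismatch")
	case c.Exp == 0 || exp.Now >= c.Exp:
		return nil, errors.New("jwt: token expired or missing exp")
	}
	return &c, nil
}

func contains(set []string, s string) bool {
	for _, v := range set {
		if v == s {
			return true
		}
	}
	return false
}
```

In production the key would come from a JWKS URL or discovery, as the README describes for `jwt.NewJSONWebKeySet`, and `exp` would be compared against the clock with some leeway; the example hard-codes both so the checks themselves are what stand out. Note that the payload is only parsed after the signature has verified, so malformed or hostile claims never reach the JSON decoder unless they were signed by the expected key.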