¶ Standard agreement certification module
Update Time: 2025-06-11 08:01:00
This module contains authentication of OIDC、OAuth 2.0、SAML、CAS standard protocol, obtains tokens, checking tokens, and logout. The method of initiating authentication needs to be used at the front end, get a token, check the token, and other methods need to be used in the backend.
Instructions:
// Initialization using AppId and secret
authenticationClient := NewClient(AppId, Secret)
authenticationClient.BuildAuthorizeUrl; // Texture front end login link
authenticationClient.GetAccessTokenByCode; // Code change Token
authenticationClient.GetUserInfoByAccessToken; // Token change user information
authenticationClient.GetNewAccessTokenByRefreshToken; // Refresh Token
authenticationClient.IntrospectToken; // check Token status
authenticationClient.ValidateToken; // check Token legality
authenticationClient.RevokeToken; // withdraw Token
authenticationClient.GetAccessTokenByClientCredentials; // Machine license Access Token
¶ OIDC
OpenID Connect is abbreviated as OIDC, an extension of OAuth 2.0, which mainly adds a semantic user information field.
¶ initialization
Parameters when initializing AuthenticationClient:
appId<String> Apply ID, required.secret<String> Apply the key, required.host<String> Apply the full address, such as https://sample-app.authing.cn, without the last slash '/'.redirectUri<String> Business callback URL, mustal. Please see Document。protocol<ProtocolEnum> Protocol type, optional valueOIDC、OAUTH、SAML、CAS, default isOIDC。tokenEndPointAuthMethod<AuthMethodEnum> Get the Token endpoint Verification Mode, optional valueCLIENT_SECRET_POST、CLIENT_SECRET_BASIC、NONE, default isCLIENT_SECRET_POST。introspectionEndPointAuthMethod<AuthMethodEnum> Check the way to verify the Token endpoint, optional valueCLIENT_SECRET_POST、CLIENT_SECRET_BASIC、NONE, default isCLIENT_SECRET_POST.revocationEndPointAuthMethod<AuthMethodEnum> Withdraw the Token endpoint Validation, optional value isCLIENT_SECRET_POST、CLIENT_SECRET_BASIC、NONE, default isCLIENT_SECRET_POST。
¶ Example
// Initialization using AppId and secret
AuthenticationClient authentication = new AuthenticationClient(AppId, Secret);
authenticationClient.Host = "https://demo.authing.cn"
authenticationClient.Protocol = constant.OIDC
authenticationClient.TokenEndPointAuthMethod = constant.None
// Business callback address
authentication.setRedirectUri(REDIRECT_URI);
¶ A user login link to generate an OIDC protocol
authenticationClient.BuildAuthorizeUrlByOidc(options)
A user login link to generate an OIDC protocol
¶ parameter
options<model.OidcParams> Parameters that need to be filled in when launching a license login. Please see Using OIDC Authorization Code Mode。options.scope<String> Request permission item, option, OIDC protocol defaultopenid profile email phone address, OAuth 2.0 protocol is defaultuser.options.nonce<String> Random strings, optional, default automatically generated.options.state<String> Random strings, optional, default automatically generated.options.responseMode<String> Response type, optional, optional valuequery、fragment、form_post; default isquery, Is redirected by the browser to send the Code to the callback address.options.responseType<String> Response type, optional, optional valuecode、code id_token token、code id_token、code id_token、code token、id_token token、id_token、none; default iscode, Authorize code mode.options.redirectUri<String> The redirectUri parameter when the callback address, optional, and defaults to SDK initialization.
¶ Example
// Splicing OIDC license link
authenticationClient := NewClient(AppId, Secret)
authenticationClient.Protocol = constant.OIDC
authenticationClient.TokenEndPointAuthMethod = constant.None
req := model.OidcParams{
AppId: AppId,
RedirectUri: "https://xxxxx.com/",
Nonce: "test",
}
resp, err := authenticationClient.BuildAuthorizeUrlByOidc(req)
if err != nil {
fmt.Println(err)
} else {
fmt.Println(resp)
}
¶ Sample data
https://oidcdemo.authing.cn/oidc/auth?client_id=60a6f980dd9a9a7642da768a&nonce=test&redirect_uri=https%3A%2F%2Fmvnrepository.com%2F&response_type=code&scope=openid+profile+email+phone+address&state=stcnehi8rt57
¶ Code change Token
authenticationClient.getAccessTokenByCode(code)
Use the authorization code Code to get the user's Token information.
¶ parameter
code<String> Authorization code Code, the user will send the authorization code code to the callback address after the authentication is successful. Please see OIDC Authorization Code Mode.
¶ Example
resp, err := authenticationClient.GetAccessTokenByCode('Authorization code')
¶ Sample data
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJqdGkiOiJsdzg0NW5zdGcwS3EtMTlodVpQOHYiLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJpYXQiOjE2MTU4ODM1ODYsImV4cCI6MTYxNTg4NzE4Niwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSBwaG9uZSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIn0.VvYKBcWcr8iIi1b37ugWQ9hsvog4_7EqDQyFqwhIuvM0NHlHH3Bhw83EQIKSNfbWV4nv3ihfeNGPLMzslbQr-wwjnWZTLMYl1bcn7IdVtD_kTN3Zz10MwF5td-VQ7UndU28wJ0HE1mo6E8QH93kYGckS5FSZXmCBa0M5H59Jec_a1MHI1MZrr_V9cZ9EfeF97V-PcqU8JVAwDZclCJ3mWY_Mb65RnMR9yEVqUZzJStmaXGMuRIzjkm2pklqt0CtQQJfzECXq_4USpwRXDiYLWILYPUCcO6hGxDjhMEd8IcxdG51TQP-w1UM6LyIRn61uSJvDsz8zg5dStDKyocypiA",
"expires_in": 3600,
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3QzQDEyMy5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInN1YiI6IjVmZjcwMWQ4NDZiOTIwM2UyZjZhYzZmMyIsImJpcnRoZGF0ZSI6bnVsbCwiZmFtaWx5X25hbWUiOm51bGwsImdlbmRlciI6IlUiLCJnaXZlbl9uYW1lIjpudWxsLCJsb2NhbGUiOm51bGwsIm1pZGRsZV9uYW1lIjpudWxsLCJuYW1lIjpudWxsLCJuaWNrbmFtZSI6bnVsbCwicGljdHVyZSI6Imh0dHBzOi8vZmlsZXMuYXV0aGluZy5jby9hdXRoaW5nLWNvbnNvbGUvZGVmYXVsdC11c2VyLWF2YXRhci5wbmciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOm51bGwsInByb2ZpbGUiOm51bGwsInVwZGF0ZWRfYXQiOiIyMDIxLTAzLTE1VDA1OjU0OjU0LjY4NVoiLCJ3ZWJzaXRlIjpudWxsLCJ6b25laW5mbyI6bnVsbCwicGhvbmVfbnVtYmVyIjpudWxsLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOmZhbHNlLCJub25jZSI6IjcwVEU3eW9NVFEiLCJhdF9oYXNoIjoiUFNnOGw5eDRldGxmLXA4UDdjYnVoQSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiaXNzMiI6Imh0dHBzOi8vYmFpZHUuY29tIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIiwiZXhwIjoxNjE1ODg3MTg3LCJpYXQiOjE2MTU4ODM1ODh9.OlX-FP7znIEqx0YpnOQ8kxadMe1toHDj1KPVm0dbEVc",
"scope": "email openid profile phone",
"token_type": "Bearer"
}
Field Explanation:
| Field name | meaning |
|---|---|
| token_type | Token Type, fixed value Bearer |
| scope | Wheelcence, authorized acquisition items |
| id_token | Id token,Authing Issued Id token |
| expires_in | Access token expiration |
| access_token | Access token,Authing Issued Access token |
¶ Token for user information
authenticationClient.getUserInfoByAccessToken('access_token')
Use Access token to get user information.
¶ parameter
access_token<String> Access token, use the contents of Access token with the authorization code code. Please seeUsing OIDC Authorization Code Mode.
¶ Example
resp, err := authenticationClient.GetUserInfoByAccessToken('Access token')
¶ Sample data
{
"address": {
"country": null,
"postal_code": null,
"region": null,
"formatted": null
},
"birthdate": null,
"family_name": null,
"gender": "U",
"given_name": null,
"locale": null,
"middle_name": null,
"name": null,
"nickname": null,
"picture": "https://files.authing.co/authing-console/default-user-avatar.png",
"preferred_username": null,
"profile": null,
"updated_at": "2021-03-03T06:17:14.485Z",
"website": null,
"zoneinfo": null,
"email": "test1@authing.cn",
"email_verified": false,
"sub": "603f184cec4505e2868431fc",
"phone_number": null,
"phone_number_verified": false
}
Field Explanation:
| Field name | translation |
|---|---|
| sub | Subject's abbreviation, unique identifier, generally user ID |
| name | name |
| given_name | given name |
| family_name | family name |
| middle_name | middle name |
| nickname | nickname |
| preferred_username | preferred username |
| profile | Basic information |
| picture | Avatar |
| website | website |
| email_verified | Whether the mailbox is certified |
| gender | gender |
| birthdate | birthdate |
| zoneinfo | Time zone |
| locale | area |
| phone_number | phone number |
| phone_number_verified | Certified mobile phone number |
| address | Address object |
| address.formatted | Address |
| address.street_address | Street address |
| address.locality | city |
| address.region | region |
| address.postal_code | postal code |
| address.country | country |
| updated_at | Information update time |
¶ Refresh Access Token
authenticationClient.getNewAccessTokenByRefreshToken(refreshToken)
Use Refresh token get new Access token。
¶ parameter
refreshToken<String> Refresh token,可以从 authenticationClient.getAccessTokenByCode 方法的返回值中的 refresh_token 获得。详情请见刷新 Access token。
¶ Example
resp, err := authenticationClient.GetNewAccessTokenByRefreshToken('Access token')
¶ Sample data
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJqdGkiOiJZUHB4NUVEWGlQWVJvNUFQWXAzci0iLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJpYXQiOjE2MTQwOTE0OTksImV4cCI6MTYxNDA5NTA5OSwic2NvcGUiOiJvZmZsaW5lX2FjY2VzcyBwcm9maWxlIG9wZW5pZCIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIn0.ZN_SlfVg1oNMz7uAK-5K84dqqqmlZehmAPOLytOR9HnLHImKJ9VO5u1hRsAjGCob0kMUV5wVxQhX3EFks7FtMamiX2Jvn-NYh4V_5T6l3LFf4uoKF6AykAg483nG3EEENuGgQo15bBszsoCGqFnNmUd0T4Cgxx0zbxXPxMdp_dcE14KzmNz1w-Qg3yVeYmSTZFdcLtZA2BYnVEa7LYA2yA3DgawwAcRmrlyEfnvCO3uY2TcsTKEAfQ-QgVIGRWOfyUE5f-_X3TolliO1fXnwZBdxEKMXLGW5E2bPVcePyiV0upYbUnQ079UxBlEiWlgeW_rpkTPXDxHAgiE488gtlg",
"expires_in": 3600,
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJiaXJ0aGRhdGUiOm51bGwsImZhbWlseV9uYW1lIjpudWxsLCJnZW5kZXIiOiJVIiwiZ2l2ZW5fbmFtZSI6bnVsbCwibG9jYWxlIjpudWxsLCJtaWRkbGVfbmFtZSI6bnVsbCwibmFtZSI6bnVsbCwibmlja25hbWUiOm51bGwsInBpY3R1cmUiOiJodHRwczovL2ZpbGVzLmF1dGhpbmcuY28vYXV0aGluZy1jb25zb2xlL2RlZmF1bHQtdXNlci1hdmF0YXIucG5nIiwicHJlZmVycmVkX3VzZXJuYW1lIjpudWxsLCJwcm9maWxlIjpudWxsLCJ1cGRhdGVkX2F0IjoiMjAyMS0wMi0yM1QxNDo0NDoxOC4wODVaIiwid2Vic2l0ZSI6bnVsbCwiem9uZWluZm8iOm51bGwsImF0X2hhc2giOiIxaWRJSUxaWExpZkRscXJMY3ZNeV9BIiwiS0VZIjoiVkFMVUUiLCJhdWQiOiI1ZjE3YTUyOWY2NGZiMDA5Yjc5NGEyZmYiLCJleHAiOjE2MTQwOTUwOTgsImlhdCI6MTYxNDA5MTQ5OSwiaXNzIjoiaHR0cHM6Ly9vaWRjMS5hdXRoaW5nLmNuL29pZGMifQ._H59237sqpsY0OgyY_RM7CvuG6cFo1x03y-DBhd5hik",
"refresh_token": "3T49f4Y48szoMmwBXragjqLwQZC4QhgnsM5Oy2WfmU-",
"scope": "openid offline_access profile",
"token_type": "Bearer"
}
¶ Check Access Token
authenticationClient.introspectToken(token)
Check Access token or Refresh token status.
¶ parameter
token<String> Access token or Refresh token, you can get access_token、refresh_token from the return value of authenticationClient.getAccessTokenByCode.
¶ Example
resp, err := authenticationClient.IntrospectToken('Access token or Refresh token')
¶ Sample data
Token is returned when returning:
{
"active": true,
"sub": "60097f4d5bc08f75da104d18", // subject 的缩写,为用户 ID
"client_id": "60097391b1358c17c5fb0f4e",
"exp": 1612445888,
"iat": 1611236288,
"iss": "https://core.littleimp.cn/oidc",
"jti": "TV4J0gAbe4KR4-8CtYcOa",
"scope": "openid profile email phone offline_access",
"token_type": "Bearer"
}
Token returns when it is not legal:
{
"active": false
}
The test process fails will throw an error.
¶ check Id Token legality
authenticationClient.validateToken(param)
Online Interface Verify Id token or Access token via Authing. A network request will be generated.
¶ parameter
param<ValidateTokenParams>param.dToken<String> Access token or Refresh token, you can get id_token from the return value of authenticationClient.getAccessTokenByCode.param.accessToken<String> Access token, you can get access_token from the return value of authenticationClient.getAccessTokenByCode
¶ Example
req := model.ValidateTokenRequest{
AccessToken: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjQ0bnJHU05YQ3NDLTByd1J5Q0hENjBzdmc0elpLNF9iV2VnQjluOFRhQzQifQ.eyJqdGkiOiJ3NjJmNkVieHYxd19wbEV3YWMwWlIiLCJzdWIiOiI2MGUyNmI2ZjdiMGRkN2MwYWY4M2VjZDkiLCJpYXQiOjE2MjU0OTI3NjUsImV4cCI6MTYyNjcwMjM2NSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgYWRkcmVzcyBwcm9maWxlIGVtYWlsIiwiaXNzIjoiaHR0cHM6Ly8zMmw1aGItZGVtby5hdXRoaW5nLmNuL29pZGMiLCJhdWQiOiI2MGE2Zjk4MGRkOWE5YTc2NDJkYTc2OGEifQ.KOMWqEtbyH3qdBv_bHX3Dof2t_3XBQ7QDg4-x7fIr9W2YtCnwNnqVehOVYjWpcF-pkVyzBlpmKIc6_X9F8GA-oYbdUKJzhxfoAATj1JnRCRs6Wsxpo3U41up1pgXs5B7JS7gVbiw_IucMg4vLYw_QJ_aPgBTkjCkBZVsPf3NRYCd2cVwiZwvoa8GT6jGP9PJ908rJSSSdsqt6JNzydVbJ9a7p4mBhV3WxUAckXePjIE0QDNDe_GxFwFDktkTbLBIJZBL4bSg3pHGQKHiF9wabfjBRfWV8ChRe8i95n7pq-Gw9fw2fKNv7ieC5bK52D1j6R9L5h7wRvTstgiR7p8krQ",
IdToken: "",
}
resp, err := authenticationClient.ValidateToken(req)
¶ Sample data
id_token Returns when verifying:
{
"sub": "5f64afd1ad501364e3b43c1e",
"birthdate": null,
"family_name": null,
"gender": "U",
"given_name": null,
"locale": null,
"middle_name": null,
"name": null,
"nickname": null,
"picture": "https://usercontents.authing.cn/authing-avatar.png",
"preferred_username": "test1",
"profile": null,
"updated_at": "2020-09-27T06:06:29.853Z",
"website": null,
"zoneinfo": null,
"email": "test1@123.com",
"email_verified": false,
"phone_number": null,
"phone_number_verified": false,
"nonce": "CQsguqUdl7",
"at_hash": "10iOtwuTNtyQLzlNYXAHeg",
"aud": "5f17a529f64fb009b794a2ff",
"exp": 1601460494,
"iat": 1601456894,
"iss": "https://oidc1.authing.cn/oidc"
}
Id token returns the illegal time:
{ "code": 400, "message": "id_token Format is incorrect" }
{ "code": 400, "message": "id_token illegal" }
Access token Returns when verifying:
{
"jti": "K5TYewNhvdGBdHiRifMyW",
"sub": "5f64afd1ad501364e3b43c1e", // subject 的缩写,为用户 ID
"iat": 1601456894,
"exp": 1601460494,
"scope": "openid profile email phone",
"iss": "https://oidc1.authing.cn/oidc",
"aud": "5f17a529f64fb009b794a2ff"
}
Access token returns the illegal time:
{ "code": 400, "message": "access_token Format is incorrect" }
{ "code": 400, "message": "access_token illegal" }
¶ Client Credentials Mode acquisition Access Token
authenticationClient.getAccessTokenByClientCredentials(scope, options)
Use Programming Access Accountget permission Access Token。
¶ parameter
scope<String> Permission items, space separated strings, each represents a permission. Please see Machine (M2M) Authorization。options<ClientCredentialInput> Programming Access AK and SK information.options.accessKey<String> Programming Access Account AccessKey.options.secretKey<String> Programming Access Account SecretKey.
¶ Example
input := model.ClientCredentialInput{
AccessKey: "60519949a70e7dda12785693",
SecretKey: "be1a5596b3185d88c097ae310e3184ed",
}
req := model.GetAccessTokenByClientCredentialsRequest{
Scope: "openid",
ClientCredentialInput: &input,
}
resp, err := authenticationClient.GetAccessTokenByClientCredentials(req)
if err != nil {
fmt.Println(err)
} else {
fmt.Println(resp)
}
¶ Sample data
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJqdGkiOiJsdzg0NW5zdGcwS3EtMTlodVpQOHYiLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJpYXQiOjE2MTU4ODM1ODYsImV4cCI6MTYxNTg4NzE4Niwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSBwaG9uZSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIn0.VvYKBcWcr8iIi1b37ugWQ9hsvog4_7EqDQyFqwhIuvM0NHlHH3Bhw83EQIKSNfbWV4nv3ihfeNGPLMzslbQr-wwjnWZTLMYl1bcn7IdVtD_kTN3Zz10MwF5td-VQ7UndU28wJ0HE1mo6E8QH93kYGckS5FSZXmCBa0M5H59Jec_a1MHI1MZrr_V9cZ9EfeF97V-PcqU8JVAwDZclCJ3mWY_Mb65RnMR9yEVqUZzJStmaXGMuRIzjkm2pklqt0CtQQJfzECXq_4USpwRXDiYLWILYPUCcO6hGxDjhMEd8IcxdG51TQP-w1UM6LyIRn61uSJvDsz8zg5dStDKyocypiA",
"expires_in": 3600,
"scope": "email openid profile phone",
"token_type": "Bearer"
}
¶ Withdraw Access Token or Refresh token
authenticationClient.revokeToken(token)
Withdraw Access token or Refresh token. Access token or Refresh token holders can notify Authing no longer need token, I hope Authing will revoke it.
¶ parameter
token<string> Access token or Refresh token, you can get access_token、refresh_token from the value of authenticationClient.GetAccessTokenByCode.
¶ Example
resp, err := authenticationClient.RevokeToken("Access token 或 Refresh token")
if err != nil {
fmt.Println(err)
} else {
fmt.Println(resp)
}
¶ Sample data
Returns True when the withdrawn is successful.
Throw an error when the withdrawal fails.