package module
Version: v0.0.0-...-86b427b Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 7, 2021 License: GPL-3.0 Imports: 6 Imported by: 1



Native Golang implementation of the ai/sso single sign-on mechanism.

This repository also used to include the login service, which has now been split off into its own repository at id/sso-server.




This section is empty.


View Source
var (
	// ErrMissingRequiredField is returned when a ticket does not
	// contain a required field.
	ErrMissingRequiredField = errors.New("missing required field")

	// ErrDeserialization means that the input is not valid base64.
	ErrDeserialization = errors.New("deserialization error")

	// ErrUnsupportedTicketVersion is returned for unsupported
	// ticket versions (either too old or too recent).
	ErrUnsupportedTicketVersion = errors.New("unsupported ticket version")

	// ErrMessageTooShort means that the input is shorter than the
	// fixed signature length + minimum ticket size.
	ErrMessageTooShort = errors.New("encoded message too short")

	// ErrBadSignature is returned when the signature does not
	// match the given public key.
	ErrBadSignature = errors.New("bad signature")

	// ErrBadService is returned when validation fails due to a
	// SSO service mismatch.
	ErrBadService = errors.New("service mismatch")

	// ErrBadDomain is returned when validation fails due to a SSO
	// domain mismatch.
	ErrBadDomain = errors.New("auth domain mismatch")

	// ErrBadNonce is returned when validation fails due to a
	// nonce mismatch.
	ErrBadNonce = errors.New("nonce mismatch")

	// ErrExpired means the ticket has expired.
	ErrExpired = errors.New("ticket expired")

	// ErrUnauthorized is returned when the user lacks the
	// necessary group membership.
	ErrUnauthorized = errors.New("unauthorized")


func InspectTicket

func InspectTicket(encoded string) (string, string, error)

InspectTicket reads a ticket without validating it (beyond syntax), returning user and service. The results are untrusted.


type Signer

type Signer interface {
	Sign(*Ticket) (string, error)

A Signer can sign tickets.

func NewSigner

func NewSigner(privateKey []byte) (Signer, error)

NewSigner creates a new ED25519 signer with the given private key.

type Ticket

type Ticket struct {
	User    string
	Service string
	Domain  string
	Nonce   string
	Groups  []string
	Expires time.Time

A Ticket attests a user's identity within the scope of a specific service, when properly signed.

func NewTicket

func NewTicket(user, service, domain, nonce string, groups []string, validity time.Duration) *Ticket

NewTicket creates a new Ticket, filling in all required values.

type Validator

type Validator interface {
	Validate(string, string, string, []string) (*Ticket, error)

A Validator can verify that a ticket is valid.

func NewValidator

func NewValidator(publicKey []byte, domain string) (Validator, error)

NewValidator creates a new ED25519 validator for a specific domain, with the provided public key.

Source Files


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto