providers

package
v7.0.0-...-1c7ecba Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 11, 2023 License: MIT Imports: 37 Imported by: 0

Documentation

Index

Constants

View Source
const (
	CodeChallengeMethodPlain = "plain"
	CodeChallengeMethodS256  = "S256"
)

Variables

View Source
var (
	// ErrNotImplemented is returned when a provider did not override a default
	// implementation method that doesn't have sensible defaults
	ErrNotImplemented = errors.New("not implemented")

	// ErrMissingCode is returned when a Redeem method is called with an empty
	// code
	ErrMissingCode = errors.New("missing code")

	// ErrMissingIDToken is returned when an oidc.Token does not contain the
	// extra `id_token` field for an IDToken.
	ErrMissingIDToken = errors.New("missing id_token")

	// ErrMissingOIDCVerifier is returned when a provider didn't set `Verifier`
	// but an attempt to call `Verifier.Verify` was about to be made.
	ErrMissingOIDCVerifier = errors.New("oidc verifier is not configured")
)

Functions

This section is empty.

Types

type ADFSProvider

type ADFSProvider struct {
	*OIDCProvider
	// contains filtered or unexported fields
}

ADFSProvider represents an ADFS based Identity Provider

func NewADFSProvider

func NewADFSProvider(p *ProviderData, opts options.ADFSOptions) *ADFSProvider

NewADFSProvider initiates a new ADFSProvider

func (*ADFSProvider) EnrichSession

func (p *ADFSProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession calls the OIDC ProfileURL to backfill any fields missing from the claims. If Email is missing, falls back to ADFS `upn` claim.

func (*ADFSProvider) GetLoginURL

func (p *ADFSProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string

GetLoginURL Override to double encode the state parameter. If not query params are lost More info here: https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-saml2-settings

func (*ADFSProvider) RefreshSession

func (p *ADFSProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession refreshes via the OIDC implementation. If email is missing, falls back to ADFS `upn` claim.

type AzureProvider

type AzureProvider struct {
	*ProviderData
	Tenant          string
	GraphGroupField string
	// contains filtered or unexported fields
}

AzureProvider represents an Azure based Identity Provider

func NewAzureProvider

func NewAzureProvider(p *ProviderData, opts options.AzureOptions) *AzureProvider

NewAzureProvider initiates a new AzureProvider

func (*AzureProvider) EnrichSession

func (p *AzureProvider) EnrichSession(ctx context.Context, session *sessions.SessionState) error

EnrichSession enriches the session state with userID, mail and groups

func (*AzureProvider) GetLoginURL

func (p *AzureProvider) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

func (*AzureProvider) Redeem

func (p *AzureProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*AzureProvider) RefreshSession

func (p *AzureProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

func (*AzureProvider) ValidateSession

func (p *AzureProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type BitbucketProvider

type BitbucketProvider struct {
	*ProviderData
	Team       string
	Repository string
}

BitbucketProvider represents an Bitbucket based Identity Provider

func NewBitbucketProvider

func NewBitbucketProvider(p *ProviderData, opts options.BitbucketOptions) *BitbucketProvider

NewBitbucketProvider initiates a new BitbucketProvider

func (*BitbucketProvider) GetEmailAddress

func (p *BitbucketProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the email of the authenticated user

type DigitalOceanProvider

type DigitalOceanProvider struct {
	*ProviderData
}

DigitalOceanProvider represents a DigitalOcean based Identity Provider

func NewDigitalOceanProvider

func NewDigitalOceanProvider(p *ProviderData) *DigitalOceanProvider

NewDigitalOceanProvider initiates a new DigitalOceanProvider

func (*DigitalOceanProvider) GetEmailAddress

func (p *DigitalOceanProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address

func (*DigitalOceanProvider) ValidateSession

func (p *DigitalOceanProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type FacebookProvider

type FacebookProvider struct {
	*ProviderData
}

FacebookProvider represents an Facebook based Identity Provider

func NewFacebookProvider

func NewFacebookProvider(p *ProviderData) *FacebookProvider

NewFacebookProvider initiates a new FacebookProvider

func (*FacebookProvider) GetEmailAddress

func (p *FacebookProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address

func (*FacebookProvider) ValidateSession

func (p *FacebookProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type GitHubProvider

type GitHubProvider struct {
	*ProviderData
	Org   string
	Team  string
	Repo  string
	Token string
	Users []string
}

GitHubProvider represents an GitHub based Identity Provider

func NewGitHubProvider

func NewGitHubProvider(p *ProviderData, opts options.GitHubOptions) *GitHubProvider

NewGitHubProvider initiates a new GitHubProvider

func (*GitHubProvider) EnrichSession

func (p *GitHubProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession updates the User & Email after the initial Redeem

func (*GitHubProvider) ValidateSession

func (p *GitHubProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type GitLabProvider

type GitLabProvider struct {
	*OIDCProvider
	// contains filtered or unexported fields
}

GitLabProvider represents a GitLab based Identity Provider

func NewGitLabProvider

func NewGitLabProvider(p *ProviderData, opts options.GitLabOptions) (*GitLabProvider, error)

NewGitLabProvider initiates a new GitLabProvider

func (*GitLabProvider) EnrichSession

func (p *GitLabProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession enriches the session with the response from the userinfo API endpoint & projects API endpoint for allowed projects.

func (*GitLabProvider) RefreshSession

func (p *GitLabProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession refreshes the session with the OIDCProvider implementation but preserves the custom GitLab projects added in the `EnrichSession` stage.

type GoogleProvider

type GoogleProvider struct {
	*ProviderData

	RedeemRefreshURL *url.URL
	// contains filtered or unexported fields
}

GoogleProvider represents an Google based Identity Provider

func NewGoogleProvider

func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProvider, error)

NewGoogleProvider initiates a new GoogleProvider

func (*GoogleProvider) EnrichSession

func (p *GoogleProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error

EnrichSession checks the listed Google Groups configured and adds any that the user is a member of to session.Groups.

func (*GoogleProvider) Redeem

func (p *GoogleProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*GoogleProvider) RefreshSession

func (p *GoogleProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

type KeycloakOIDCProvider

type KeycloakOIDCProvider struct {
	*OIDCProvider
}

KeycloakOIDCProvider creates a Keycloak provider based on OIDCProvider

func NewKeycloakOIDCProvider

func NewKeycloakOIDCProvider(p *ProviderData, opts options.KeycloakOptions) *KeycloakOIDCProvider

NewKeycloakOIDCProvider makes a KeycloakOIDCProvider using the ProviderData

func (*KeycloakOIDCProvider) CreateSessionFromToken

func (p *KeycloakOIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)

CreateSessionFromToken converts Bearer IDTokens into sessions

func (*KeycloakOIDCProvider) EnrichSession

func (p *KeycloakOIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*KeycloakOIDCProvider) RefreshSession

func (p *KeycloakOIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession adds role extraction logic to the refresh flow

type KeycloakProvider

type KeycloakProvider struct {
	*ProviderData
}

func NewKeycloakProvider

func NewKeycloakProvider(p *ProviderData, opts options.KeycloakOptions) *KeycloakProvider

NewKeycloakProvider creates a KeyCloakProvider using the passed ProviderData

func (*KeycloakProvider) EnrichSession

func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession uses the Keycloak userinfo endpoint to populate the session's email and groups.

func (*KeycloakProvider) ValidateSession

func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type LinkedInProvider

type LinkedInProvider struct {
	*ProviderData
}

LinkedInProvider represents an LinkedIn based Identity Provider

func NewLinkedInProvider

func NewLinkedInProvider(p *ProviderData) *LinkedInProvider

NewLinkedInProvider initiates a new LinkedInProvider

func (*LinkedInProvider) GetEmailAddress

func (p *LinkedInProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address

func (*LinkedInProvider) ValidateSession

func (p *LinkedInProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type LoginGovProvider

type LoginGovProvider struct {
	*ProviderData

	// TODO (@timothy-spencer): Ideally, the nonce would be in the session state, but the session state
	// is created only upon code redemption, not during the auth, when this must be supplied.
	Nonce     string
	JWTKey    *rsa.PrivateKey
	PubJWKURL *url.URL
}

LoginGovProvider represents an OIDC based Identity Provider

func NewLoginGovProvider

func NewLoginGovProvider(p *ProviderData, opts options.LoginGovOptions) (*LoginGovProvider, error)

NewLoginGovProvider initiates a new LoginGovProvider

func (*LoginGovProvider) GetLoginURL

func (p *LoginGovProvider) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

GetLoginURL overrides GetLoginURL to add login.gov parameters

func (*LoginGovProvider) Redeem

func (p *LoginGovProvider) Redeem(ctx context.Context, _, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*LoginGovProvider) ValidateSession

func (p *LoginGovProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type NextcloudProvider

type NextcloudProvider struct {
	*ProviderData
}

NextcloudProvider represents an Nextcloud based Identity Provider

func NewNextcloudProvider

func NewNextcloudProvider(p *ProviderData) *NextcloudProvider

NewNextcloudProvider initiates a new NextcloudProvider

func (*NextcloudProvider) EnrichSession

func (p *NextcloudProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession uses the Nextcloud userinfo endpoint to populate the session's email, user, and groups.

func (*NextcloudProvider) ValidateSession

func (p *NextcloudProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type OIDCProvider

type OIDCProvider struct {
	*ProviderData

	SkipNonce bool
}

OIDCProvider represents an OIDC based Identity Provider

func NewOIDCProvider

func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider

NewOIDCProvider initiates a new OIDCProvider

func (*OIDCProvider) CreateSessionFromToken

func (p *OIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)

CreateSessionFromToken converts Bearer IDTokens into sessions

func (*OIDCProvider) EnrichSession

func (p *OIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*OIDCProvider) GetLoginURL

func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string

GetLoginURL makes the LoginURL with optional nonce support

func (*OIDCProvider) Redeem

func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*OIDCProvider) RefreshSession

func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

func (*OIDCProvider) ValidateSession

func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession checks that the session's IDToken is still valid

type Provider

type Provider interface {
	Data() *ProviderData
	GetLoginURL(redirectURI, finalRedirect, nonce string, extraParams url.Values) string
	Redeem(ctx context.Context, redirectURI, code, codeVerifier string) (*sessions.SessionState, error)
	// Deprecated: Migrate to EnrichSession
	GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
	EnrichSession(ctx context.Context, s *sessions.SessionState) error
	Authorize(ctx context.Context, s *sessions.SessionState) (bool, error)
	ValidateSession(ctx context.Context, s *sessions.SessionState) bool
	RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
	CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)
}

Provider represents an upstream identity provider implementation

func NewProvider

func NewProvider(providerConfig options.Provider) (Provider, error)

type ProviderData

type ProviderData struct {
	ProviderName       string
	LoginURL           *url.URL
	RedeemURL          *url.URL
	ProfileURL         *url.URL
	ProtectedResource  *url.URL
	ValidateURL        *url.URL
	ValidateURLspecial *url.URL
	ClientID           string
	ClientSecret       string
	ClientSecretFile   string
	Scope              string
	// The picked CodeChallenge Method or empty if none.
	CodeChallengeMethod string
	// Code challenge methods supported by the Provider
	SupportedCodeChallengeMethods []string `json:"code_challenge_methods_supported,omitempty"`

	// Common OIDC options for any OIDC-based providers to consume
	AllowUnverifiedEmail bool
	UserClaim            string
	EmailClaim           string
	GroupsClaim          string
	Verifier             internaloidc.IDTokenVerifier

	// Universal Group authorization data structure
	// any provider can set to consume
	AllowedGroups map[string]struct{}
	// contains filtered or unexported fields
}

ProviderData contains information required to configure all implementations of OAuth2 providers

func (*ProviderData) Authorize

func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error)

Authorize performs global authorization on an authenticated session. This is not used for fine-grained per route authorization rules.

func (*ProviderData) CreateSessionFromToken

func (p *ProviderData) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)

CreateSessionFromToken converts Bearer IDTokens into sessions

func (*ProviderData) Data

func (p *ProviderData) Data() *ProviderData

Data returns the ProviderData

func (*ProviderData) EnrichSession

func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*ProviderData) GetClientSecret

func (p *ProviderData) GetClientSecret() (clientSecret string, err error)

func (*ProviderData) GetEmailAddress

func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address Deprecated: Migrate to EnrichSession

func (*ProviderData) GetLoginURL

func (p *ProviderData) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

GetLoginURL with typical oauth parameters codeChallenge and codeChallengeMethod are the PKCE challenge and method to append to the URL params. they will be empty strings if no code challenge should be presented

func (*ProviderData) GetTokenValidateURL

func (p *ProviderData) GetTokenValidateURL() *url.URL

func (*ProviderData) LoginURLParams

func (p *ProviderData) LoginURLParams(overrides url.Values) url.Values

LoginURLParams returns the parameter values that should be passed to the IdP login URL. This is the default set of parameters configured for this provider, optionally overridden by the given overrides (typically from the URL of the /oauth2/start request) according to the configured rules for this provider.

func (*ProviderData) Redeem

func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem provides a default implementation of the OAuth2 token redemption process The codeVerifier is set if a code_verifier parameter should be sent for PKCE

func (*ProviderData) RefreshSession

func (p *ProviderData) RefreshSession(_ context.Context, _ *sessions.SessionState) (bool, error)

RefreshSession refreshes the user's session

func (*ProviderData) ValidateSession

func (p *ProviderData) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL