auth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 5, 2020 License: MIT Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrRequestObjectAndReference = fmt.Errorf(`%w: only one of "request" or "request_uri" may be specified'`, oidc.ErrInvalidRequest)
	ErrRequestExpired            = fmt.Errorf(`%w: request had expired`, oidc.ErrInvalidRequest)
	ErrRequestUriUnregistered    = fmt.Errorf(`%w: "request_uri" was not pre-registered`, oidc.ErrInvalidRequestUri)
)
View Source 
var (
	ErrClientIdMismatch = fmt.Errorf(`%w: "client_id" mismatch`, oidc.ErrInvalidRequest)
)
View Source 
var (
	ErrRequestNotFound = fmt.Errorf("%w: request not found or have expired", oidc.ErrInvalidRequest)
)
View Source 
var (
	InteractionSignal = errors.New("interaction required")
)

Functions

This section is empty.

Types

type BrowserStateUserSessionResolver 

type BrowserStateUserSessionResolver struct{}

BrowserStateUserSessionResolver resolves user subject by adding all valid user sessions represented by the browser state into the collector. A valid session must not be expired and must not exceed request max age. This implementation assumes browser state has been set on the context.

func (BrowserStateUserSessionResolver) Resolve 

func (r BrowserStateUserSessionResolver) Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error

type ConsentRecordResolver 

type ConsentRecordResolver struct {
	ConsentStorage user.ConsentStorage
}

ConsentRecordResolver is an implementation of UserConsentResolver that go through the granted scopes of all non-expired user consent record, and add any requested scope to the collector. To use this resolver, Request.Interaction must have resolved a single user session, which indicates the subject for consent records.

func (*ConsentRecordResolver) Resolve 

func (r *ConsentRecordResolver) Resolve(ctx context.Context, ar *Request, collector GrantedScopeCollector) error

type GrantedScopeCollector 

type GrantedScopeCollector interface {
	// AddScope adds a scope to collector
	AddScope(scope oidc.Scope)
	// ContainsScope returns true if the collector has the scope
	ContainsScope(scope oidc.Scope) bool
	// ClearAllScopes removes all scopes from collector
	ClearAllScopes()
	// NumberOfGrantedScopes returns the total number of collected scopes
	NumberOfGrantedScopes() int
	// ForEachGrantedScope iterates all collected granted scopes and invoke the callback.
	// Iteration order is not stable. Any error is immediately returned.
	ForEachGrantedScope(callback func(scope oidc.Scope) error) error
}

GrantedScopeCollector holds candidate of previously granted scopes by the user.

type IdTokenHintUserSessionResolver 

type IdTokenHintUserSessionResolver struct {
	ServerJwks         *gojosev2.JSONWebKeySet
	ClientJwksStrategy client.KeySetStrategy
	PairwiseSalt       []byte
	Logger             *zerolog.Logger
}

IdTokenHintUserSessionResolver is an implementation of UserSessionResolver that selects the hinted subject session from current candidates and eliminates non-hinted candidate sessions. For any session to be eliminated, the subject field of the id_token_hint must match the subject field of the candidate user session, according to subject_type rules (i.e. may need to perform pseudonymous subject calculation on the candidate subject in order to match).

func (*IdTokenHintUserSessionResolver) Resolve 

func (r *IdTokenHintUserSessionResolver) Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error

type InteractionStateCollector 

type InteractionStateCollector struct {
	// contains filtered or unexported fields
}

InteractionStateCollector maintains the state before and during the user interaction process. Its result will directly determined if the request can be forwarded to process, or redirected to user interaction, or just denied.

func NewInteractionStateCollector 

func NewInteractionStateCollector() *InteractionStateCollector

Create a new interaction state collector with fields initialized to non-nil

func (*InteractionStateCollector) AddScope 

func (c *InteractionStateCollector) AddScope(scope oidc.Scope)

func (*InteractionStateCollector) AddSession 

func (c *InteractionStateCollector) AddSession(session *user.Session)

func (*InteractionStateCollector) ClearAllScopes 

func (c *InteractionStateCollector) ClearAllScopes()

func (*InteractionStateCollector) ClearAllSessions 

func (c *InteractionStateCollector) ClearAllSessions()

func (*InteractionStateCollector) ContainsScope 

func (c *InteractionStateCollector) ContainsScope(scope oidc.Scope) bool

func (*InteractionStateCollector) ForEachGrantedScope 

func (c *InteractionStateCollector) ForEachGrantedScope(callback func(scope oidc.Scope) error) error

func (*InteractionStateCollector) ForEachSession 

func (c *InteractionStateCollector) ForEachSession(callback func(session *user.Session) error) error

func (*InteractionStateCollector) GetFirst 

func (c *InteractionStateCollector) GetFirst() *user.Session

func (*InteractionStateCollector) HasGrantedScope 

func (c *InteractionStateCollector) HasGrantedScope(scope oidc.Scope) bool

func (*InteractionStateCollector) HasMarkedConsentStage 

func (c *InteractionStateCollector) HasMarkedConsentStage() bool

func (*InteractionStateCollector) HasMarkedSubjectStage 

func (c *InteractionStateCollector) HasMarkedSubjectStage() bool

func (*InteractionStateCollector) MarkConsentStage 

func (c *InteractionStateCollector) MarkConsentStage()

func (*InteractionStateCollector) MarkSubjectStage 

func (c *InteractionStateCollector) MarkSubjectStage()

func (*InteractionStateCollector) MarshalJSON 

func (c *InteractionStateCollector) MarshalJSON() ([]byte, error)

func (*InteractionStateCollector) NumberOfGrantedScopes 

func (c *InteractionStateCollector) NumberOfGrantedScopes() int

func (*InteractionStateCollector) NumberOfSessions 

func (c *InteractionStateCollector) NumberOfSessions() int

func (*InteractionStateCollector) RemoveSession 

func (c *InteractionStateCollector) RemoveSession(subject string)

func (*InteractionStateCollector) UnmarshalJSON 

func (c *InteractionStateCollector) UnmarshalJSON(raw []byte) error

type Params 

type Params struct {
	ClientId            string          `json:"client_id"`
	ResponseType        string          `json:"response_type"`
	RedirectUri         string          `json:"redirect_uri"`
	Scope               string          `json:"scope"`
	State               string          `json:"state"`
	ResponseMode        string          `json:"response_mode"`
	Nonce               string          `json:"nonce"`
	Display             string          `json:"display"`
	Prompt              string          `json:"prompt"`
	MaxAge              string          `json:"max_age"`
	UiLocales           string          `json:"ui_locales"`
	IdTokenHint         string          `json:"id_token_hint"`
	LoginHint           string          `json:"login_hint"`
	AcrValues           string          `json:"acr_values"`
	Claims              json.RawMessage `json:"claims"`
	ClaimsLocales       string          `json:"claims_locales"`
	CodeChallenge       string          `json:"code_challenge"`
	CodeChallengeMethod string          `json:"code_challenge_method"`

	// AudienceHint is a custom parameter that requests may include a space delimited
	// case-sensitive string to indicate the intended audiences for access token and/or id token.
	AudienceHint string `json:"aud_hint"`
}

Params represents the parameters in the raw http request.

func (*Params) FillRequest 

func (p *Params) FillRequest(req *Request) (err error)

ToRequest converts the parameters to proper types in the request. The provided request prototype must have client already set.

func (*Params) Merge 

func (p *Params) Merge(q *Params) error

Merge combines values from both p and q, values from p will have precedence.

type Parser 

type Parser struct {
	ServerJwks            *gojosev2.JSONWebKeySet
	ClientLookup          client.Lookup
	ClientJwksStrategy    client.KeySetStrategy
	RequestStorage        RequestStorage
	RequestObjectStrategy RequestObjectStrategy
	Provider              *pkg.Provider
}

func (*Parser) ParseFirstAuthorize 

func (s *Parser) ParseFirstAuthorize(ctx context.Context, r *http.Request) (req *Request, err error)

func (*Parser) ParseInteraction 

func (s *Parser) ParseInteraction(ctx context.Context, r *http.Request) (req *Request, err error)

func (*Parser) ParseResumeAuthorize 

func (s *Parser) ParseResumeAuthorize(ctx context.Context, r *http.Request) (req *Request, err error)

type PromptLogicConsentResolver 

type PromptLogicConsentResolver struct {
	DownstreamResolvers []UserConsentResolver
}

PromptLogicConsentResolver wraps one or more downstream UserConsentResolver with OpenID Connect prompt parameter logic.

func (*PromptLogicConsentResolver) Resolve 

func (r *PromptLogicConsentResolver) Resolve(ctx context.Context, ar *Request, collector GrantedScopeCollector) error

type PromptLogicUserSessionResolver 

type PromptLogicUserSessionResolver struct {
	DownstreamResolvers []UserSessionResolver
}

PromptLogicUserSessionResolver wraps one or more downstream UserSessionResolver with OpenID Connect prompt parameter logic.

func (*PromptLogicUserSessionResolver) Resolve 

func (r *PromptLogicUserSessionResolver) Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error

type RedisRequestStorage 

type RedisRequestStorage struct {
	RedisClient  redis.UniversalClient
	ClientLookup client.Lookup
	Logger       *zerolog.Logger
}

func (*RedisRequestStorage) Delete 

func (s *RedisRequestStorage) Delete(ctx context.Context, id string) error

func (*RedisRequestStorage) Get 

func (s *RedisRequestStorage) Get(ctx context.Context, id string) (*Request, error)

func (*RedisRequestStorage) Save 

func (s *RedisRequestStorage) Save(ctx context.Context, request *Request) error

type Request 

type Request struct {
	Id                  string
	Expiry              time.Time
	Client              *client.Client
	ResponseType        oidc.ResponseType
	RedirectUri         oidc.RedirectUri
	Scopes              oidc.ScopeSet
	State               string
	Nonce               string
	ResponseMode        oidc.ResponseMode
	Display             oidc.Display
	Prompts             oidc.PromptSet
	MaxAge              oidc.MaxAge
	UiLocales           []string
	IdTokenHint         string
	LoginHint           string
	AcrValues           []string
	Claims              *oidc.Claims
	ClaimsLocales       []string
	AudienceHint        []string
	CodeChallenge       string
	CodeChallengeMethod oidc.CodeChallengeMethod
	Interaction         *InteractionStateCollector
}

Request is the model of a parsed OpenID Connect authentication request.

func (*Request) AllScopesGranted 

func (r *Request) AllScopesGranted() bool

HasNotGrantedScopes returns true if there's one or more scope that was not granted.

func (*Request) Expired 

func (r *Request) Expired() bool

Expired returns true if the request has expired.

func (*Request) HasPrompt 

func (r *Request) HasPrompt(p oidc.Prompt) bool

HasPrompt returns true if the prompt p is requested.

func (*Request) MarshalJSON 

func (r *Request) MarshalJSON() ([]byte, error)

func (*Request) RequestedScope 

func (r *Request) RequestedScope(scope oidc.Scope) bool

RequestedScope returns true if the scope is requested.

func (*Request) Validate 

func (r *Request) Validate(rules ...Rule) error

Validate validates the request against a set of rules and return the first violation.

type RequestObjectStrategy 

type RequestObjectStrategy interface {
	Resolve(ctx context.Context, ref string) (raw string, err error)
}

RequestObjectStrategy abstracts how is a raw request object resolved from a reference uri.

func FetchRequestObjectStrategy 

func FetchRequestObjectStrategy() RequestObjectStrategy

FetchRequestObjectStrategy is a RequestObjectStrategy implementation that directly fetches request object from the remote reference URI. The process respects the context and can be cancelled. If the reference URI has a fragment component, the fragment is treated as an expected SHA-256 hash which is used to further validate the fetched payload.

type RequestStorage 

type RequestStorage interface {
	// Save the request.
	Save(ctx context.Context, request *Request) error
	// Get the request by its id.
	Get(ctx context.Context, id string) (*Request, error)
	// Delete request by its id from the store.
	Delete(ctx context.Context, id string) error
}

RequestStorage persists the request.

func MemoryRequestStorage 

func MemoryRequestStorage() RequestStorage

MemoryRequestStorage returns an in-memory implementation of RequestStorage. It is not thread-safe and is not intended for production usage.

type Response 

type Response struct {
	Code         string
	IdToken      string
	SessionState string
	State        string
}

Response is the response to OpenID Connect authentication request. Because we made a conscious decision to now allow access tokens be returned on the authorization endpoint. This model does not contain any access token fields.

type Rule 

type Rule func(ar *Request) error

Rule enforces a certain aspect of the request.

type RuleSet 

type RuleSet struct{}

func (RuleSet) Basic 

func (_ RuleSet) Basic(provider *pkg.Provider) Rule

func (RuleSet) Interaction 

func (_ RuleSet) Interaction() Rule

type UserConsentResolver 

type UserConsentResolver interface {
	// Resolve collects or eliminate user granted scopes candidates from various sources. Implementation should not return
	// errors when it is unable to resolve candidates. The error return value is reserved for hard failures only.
	Resolve(ctx context.Context, ar *Request, collector GrantedScopeCollector) error
}

UserConsentResolver defines a unified interface to resolve (or eliminate) user granted scopes from various sources. Its ultimate goal is to collect as many valid granted scopes so we can avoid prompting user.

type UserSessionCollector 

type UserSessionCollector interface {
	// AddSession adds a new user.Session to the collector. If a previous session
	// by the same subject exists, overwrites it.
	AddSession(session *user.Session)
	// RemoveSession removes all sessions by the subject.
	RemoveSession(subject string)
	// ClearAllSessions resets the collector.
	ClearAllSessions()
	// ForEachSession iterates all collected sessions and invokes the callback. The iteration order
	// is not guaranteed to be stable. Any error is immediately returned.
	ForEachSession(callback func(session *user.Session) error) error
	// NumberOfSessions return the total number of collected sessions.
	NumberOfSessions() int
	// GetFirst returns the first session in the collection. It is usually used in conjunction with
	// NumberOfSessions to retrieve the only session in the collection.
	GetFirst() *user.Session
}

UserSessionCollector holds candidate user.Session during the process of SessionResolver. The candidates may be added, removed at the discretion of each SessionResolver.

type UserSessionResolver 

type UserSessionResolver interface {
	// Resolve collects or eliminate user session candidates from various sources. Implementation should not return
	// errors when it is unable to resolve candidates. The error return value is reserved for hard failures only.
	Resolve(ctx context.Context, ar *Request, collector UserSessionCollector) error
}

UserSessionResolver defines a unified interface to resolve (or eliminate) user sessions from various sources. Its ultimate goal is to find a single user session that can be used as the subject for the request.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.