oauth2

package


Constants

// JWT claim names that ExtractUserName looks at when deriving a user name
// from an access token.
const (
	// ClaimNameUserName is the Pulsar-namespaced claim ("https://pulsar.apache.org/username").
	ClaimNameUserName = "https://pulsar.apache.org/username"
	// ClaimNameName is the standard OIDC "name" claim.
	ClaimNameName     = "name"
	// ClaimNameSubject is the standard JWT "sub" (subject) claim.
	ClaimNameSubject  = "sub"
)
// Scheme prefixes recognised in key-file references. NOTE(review): presumably
// these select whether KeyFile (see KeyFileProvider / ClientCredentialsFlowOptions)
// names a path on disk or carries the credentials inline — confirm against the
// provider implementation.
const (
	// FILE prefixes a key-file reference that points at the local filesystem.
	FILE = "file://"
	// DATA prefixes a key-file reference whose content is supplied inline.
	DATA = "data://"
)

Variables

This section is empty.

Functions

func ExtractUserName

func ExtractUserName(token oauth2.Token) (string, error)

ExtractUserName extracts the username claim from an authorization grant that conforms to draft-ietf-oauth-access-token-jwt.

Types

type AuthorizationCodeExchangeRequest

// AuthorizationCodeExchangeRequest is used to request the exchange of an
// authorization code for a token at TokenEndpoint.
type AuthorizationCodeExchangeRequest struct {
	// TokenEndpoint is the URL the exchange request is sent to.
	TokenEndpoint string
	// ClientID identifies the OAuth 2.0 client.
	ClientID      string
	// CodeVerifier is the PKCE code verifier. NOTE(review): presumably it must
	// match the code challenge sent in the preceding authorization request — confirm.
	CodeVerifier  string
	// Code is the authorization code being exchanged; it is single-use and short-lived.
	Code          string
	// RedirectURI is the redirect URI used in the authorization request.
	RedirectURI   string
}

AuthorizationCodeExchangeRequest is used to request the exchange of an authorization code for a token

type AuthorizationGrant

// AuthorizationGrant is a credential representing the resource owner's
// authorization to access its protected resources, and is used by the client
// to obtain an access token.
//
// Every field carries a json tag, so a serialized grant contains whatever
// secrets its fields hold: ClientCredentials embeds a KeyFile (which has a
// ClientSecret) and Token holds access/refresh tokens. Treat the serialized
// form as sensitive.
type AuthorizationGrant struct {
	// Type describes the type of authorization grant represented by this structure
	Type AuthorizationGrantType `json:"type"`

	// Audience is the intended audience of the access tokens
	Audience string `json:"audience,omitempty"`

	// ClientID is an OAuth2 client identifier used by some flows
	ClientID string `json:"client_id,omitempty"`

	// ClientCredentials is credentials data for the client credentials grant type.
	// It includes KeyFile.ClientSecret, so it is serialized along with the grant.
	ClientCredentials *KeyFile `json:"client_credentials,omitempty"`

	// TokenEndpoint is the token endpoint used to obtain or refresh the access token
	TokenEndpoint string `json:"token_endpoint"`

	// Token contains an access token in the client credentials grant type,
	// and a refresh token in the device authorization grant type
	Token *oauth2.Token `json:"token,omitempty"`

	// Scopes contains the scopes associated with the grant, or the scopes
	// to request in the client credentials grant type
	Scopes []string `json:"scopes,omitempty"`
}

AuthorizationGrant is a credential representing the resource owner's authorization to access its protected resources, and is used by the client to obtain an access token

type AuthorizationGrantRefresher

// AuthorizationGrantRefresher refreshes an OAuth 2.0 authorization grant.
// Implementations on this page: ClientCredentialsGrantRefresher and
// DeviceAuthorizationGrantRefresher.
type AuthorizationGrantRefresher interface {
	// Refresh refreshes an authorization grant to contain a fresh access token.
	// It returns a new grant; the error is non-nil when no fresh token could be obtained.
	Refresh(grant *AuthorizationGrant) (*AuthorizationGrant, error)
}

AuthorizationGrantRefresher refreshes an OAuth 2.0 authorization grant.

type AuthorizationGrantType

// AuthorizationGrantType names the OAuth 2.0 grant an AuthorizationGrant was
// obtained through; it is serialized as the grant's "type" field.
type AuthorizationGrantType string
const (
	// GrantTypeClientCredentials represents a client credentials grant
	GrantTypeClientCredentials AuthorizationGrantType = "client_credentials"

	// GrantTypeDeviceCode represents a device code grant
	GrantTypeDeviceCode AuthorizationGrantType = "device_code"
)

type AuthorizationTokenResponse

// AuthorizationTokenResponse is the HTTP response when asking for a new token.
// Not every field is populated; which ones are depends on the kind of request
// that was sent.
type AuthorizationTokenResponse struct {
	// AccessToken is the bearer token issued by the token endpoint.
	AccessToken  string `json:"access_token"`
	// ExpiresIn is the access token lifetime as reported by the server
	// (the OAuth 2.0 expires_in value, in seconds).
	ExpiresIn    int    `json:"expires_in"`
	// IDToken is the OIDC ID token, when the server issues one.
	IDToken      string `json:"id_token"`
	// RefreshToken is a long-lived credential, when the server issues one.
	RefreshToken string `json:"refresh_token"`
	// TokenType is the token type reported by the server (for example "Bearer").
	TokenType    string `json:"token_type"`
}

AuthorizationTokenResponse is the HTTP response when asking for a new token. Note that not all fields will be populated; which ones are depends on the kind of request that was sent.

type ClientCredentialsExchangeRequest

// ClientCredentialsExchangeRequest is used to request the exchange of client
// credentials for a token at TokenEndpoint.
type ClientCredentialsExchangeRequest struct {
	// TokenEndpoint is the URL the exchange request is sent to.
	TokenEndpoint string
	// ClientID identifies the OAuth 2.0 client.
	ClientID      string
	// ClientSecret authenticates the client; keep values out of logs and error text.
	ClientSecret  string
	// Audience is the intended audience of the requested token.
	Audience      string
	// Scopes are the scopes to request.
	Scopes        []string
}

ClientCredentialsExchangeRequest is used to request the exchange of client credentials for a token

type ClientCredentialsExchanger

// ClientCredentialsExchanger abstracts exchanging client credentials for tokens.
// TokenRetriever satisfies it.
type ClientCredentialsExchanger interface {
	// ExchangeClientCredentials sends req to its TokenEndpoint and returns the resulting tokens.
	ExchangeClientCredentials(req ClientCredentialsExchangeRequest) (*TokenResult, error)
}

ClientCredentialsExchanger abstracts exchanging client credentials for tokens

type ClientCredentialsFlow

// ClientCredentialsFlow takes care of the mechanics needed for getting an
// access token using the OAuth 2.0 "Client Credentials Flow". Construct it
// with NewDefaultClientCredentialsFlow; it implements Flow via Authorize.
type ClientCredentialsFlow struct {
	// contains filtered or unexported fields
}

ClientCredentialsFlow takes care of the mechanics needed for getting an access token using the OAuth 2.0 "Client Credentials Flow"

func NewDefaultClientCredentialsFlow

func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*ClientCredentialsFlow, error)

NewDefaultClientCredentialsFlow provides an easy way to build up a default client credentials flow with all the correct configuration.

func (*ClientCredentialsFlow) Authorize

func (c *ClientCredentialsFlow) Authorize(audience string) (*AuthorizationGrant, error)

type ClientCredentialsFlowOptions

// ClientCredentialsFlowOptions configures NewDefaultClientCredentialsFlow.
type ClientCredentialsFlowOptions struct {
	// KeyFile references the client credentials (a KeyFile). NOTE(review):
	// presumably a FILE- or DATA-prefixed reference as for KeyFileProvider — confirm.
	KeyFile          string
	// AdditionalScopes are requested on top of the flow's default scopes.
	AdditionalScopes []string
}

type ClientCredentialsGrantRefresher

// ClientCredentialsGrantRefresher implements AuthorizationGrantRefresher for
// grants of type GrantTypeClientCredentials. Construct it with
// NewDefaultClientCredentialsGrantRefresher.
type ClientCredentialsGrantRefresher struct {
	// contains filtered or unexported fields
}

func NewDefaultClientCredentialsGrantRefresher

func NewDefaultClientCredentialsGrantRefresher(clock clock.Clock) (*ClientCredentialsGrantRefresher, error)

func (*ClientCredentialsGrantRefresher) Refresh

type ClientCredentialsProvider

// ClientCredentialsProvider abstracts getting client credentials.
// KeyFileProvider satisfies it.
type ClientCredentialsProvider interface {
	// GetClientCredentials loads and returns the client's KeyFile.
	GetClientCredentials() (*KeyFile, error)
}

ClientCredentialsProvider abstracts getting client credentials

type ConfigBackedCachingProvider

// ConfigBackedCachingProvider wraps a configProvider in order to conform to
// the cachingProvider interface. CacheTokens writes the id and refresh token
// into the configProvider, so the refresh token lives wherever that config is
// stored; GetTokens reads them back.
type ConfigBackedCachingProvider struct {
	// contains filtered or unexported fields
}

ConfigBackedCachingProvider wraps a configProvider in order to conform to the cachingProvider interface

func NewConfigBackedCachingProvider

func NewConfigBackedCachingProvider(clientID, audience string, config configProvider) *ConfigBackedCachingProvider

NewConfigBackedCachingProvider builds and returns a ConfigBackedCachingProvider that uses a configProvider to cache tokens.

func (*ConfigBackedCachingProvider) CacheTokens

func (c *ConfigBackedCachingProvider) CacheTokens(toCache *TokenResult) error

CacheTokens caches the id and refresh token from TokenResult in the configProvider

func (*ConfigBackedCachingProvider) GetTokens

func (c *ConfigBackedCachingProvider) GetTokens() (*TokenResult, error)

GetTokens gets the tokens from the cache and returns them as a TokenResult

type DeviceAuthorizationGrantRefresher

// DeviceAuthorizationGrantRefresher implements AuthorizationGrantRefresher for
// grants of type GrantTypeDeviceCode. Construct it with
// NewDefaultDeviceAuthorizationGrantRefresher.
type DeviceAuthorizationGrantRefresher struct {
	// contains filtered or unexported fields
}

func NewDefaultDeviceAuthorizationGrantRefresher

func NewDefaultDeviceAuthorizationGrantRefresher(clock clock.Clock) (*DeviceAuthorizationGrantRefresher, error)

NewDefaultDeviceAuthorizationGrantRefresher constructs a grant refresher based on the result of the device authorization flow.

func (*DeviceAuthorizationGrantRefresher) Refresh

type DeviceCodeCallback

// DeviceCodeCallback is invoked by DeviceCodeFlow with the device code result
// (user code and verification URI) so the caller can present it to the user.
// Returning an error aborts the flow.
type DeviceCodeCallback func(code *DeviceCodeResult) error

type DeviceCodeExchangeRequest

// DeviceCodeExchangeRequest is used to request the exchange of a device code
// for a token at TokenEndpoint.
type DeviceCodeExchangeRequest struct {
	// TokenEndpoint is the URL polled for the token.
	TokenEndpoint string
	// ClientID identifies the OAuth 2.0 client.
	ClientID      string
	// DeviceCode is the code returned in DeviceCodeResult.DeviceCode.
	DeviceCode    string
	// PollInterval is how often the token endpoint is polled. NOTE(review):
	// presumably derived from DeviceCodeResult.Interval — confirm.
	PollInterval  time.Duration
}

DeviceCodeExchangeRequest is used to request the exchange of a device code for a token

type DeviceCodeFlow

// DeviceCodeFlow takes care of the mechanics needed for getting an access
// token using the OAuth 2.0 "Device Code Flow". Construct it with
// NewDefaultDeviceCodeFlow; it implements Flow via Authorize.
type DeviceCodeFlow struct {
	// contains filtered or unexported fields
}

DeviceCodeFlow takes care of the mechanics needed for getting an access token using the OAuth 2.0 "Device Code Flow"

func NewDefaultDeviceCodeFlow

func NewDefaultDeviceCodeFlow(options DeviceCodeFlowOptions,
	callback DeviceCodeCallback) (*DeviceCodeFlow, error)

NewDefaultDeviceCodeFlow provides an easy way to build up a default device code flow with all the correct configuration. If refresh tokens should be allowed, set AllowRefresh to true in options.

func (*DeviceCodeFlow) Authorize

func (p *DeviceCodeFlow) Authorize(audience string) (*AuthorizationGrant, error)

type DeviceCodeFlowOptions

// DeviceCodeFlowOptions configures NewDefaultDeviceCodeFlow.
type DeviceCodeFlowOptions struct {
	// IssuerEndpoint is the issuer URL whose well-known endpoints are discovered.
	IssuerEndpoint   string
	// ClientID identifies the OAuth 2.0 client.
	ClientID         string
	// AdditionalScopes are requested on top of the flow's default scopes.
	AdditionalScopes []string
	// AllowRefresh controls whether refresh tokens are requested.
	AllowRefresh     bool
}

type DeviceCodeProvider

// DeviceCodeProvider abstracts getting a device code.
// LocalDeviceCodeProvider satisfies it.
type DeviceCodeProvider interface {
	// GetCode requests a device code for audience, adding additionalScopes to the request.
	GetCode(audience string, additionalScopes ...string) (*DeviceCodeResult, error)
}

DeviceCodeProvider abstracts getting a device code.

type DeviceCodeRequest

// DeviceCodeRequest carries the parameters of a device authorization request.
type DeviceCodeRequest struct {
	// ClientID identifies the OAuth 2.0 client.
	ClientID string
	// Scopes are the scopes to request.
	Scopes   []string
	// Audience is the intended audience of the resulting tokens.
	Audience string
}

type DeviceCodeResult

// DeviceCodeResult holds the device code obtained from the device code URL
// (the device authorization response).
type DeviceCodeResult struct {
	// DeviceCode is the secret the client polls the token endpoint with;
	// it is not meant to be shown to the user.
	DeviceCode              string `json:"device_code"`
	// UserCode is the short code the end user enters at VerificationURI.
	UserCode                string `json:"user_code"`
	// VerificationURI is the page where the end user enters UserCode.
	VerificationURI         string `json:"verification_uri"`
	// VerificationURIComplete is VerificationURI with the user code already included.
	VerificationURIComplete string `json:"verification_uri_complete"`
	// ExpiresIn is the lifetime of DeviceCode and UserCode (expires_in, in seconds).
	ExpiresIn               int    `json:"expires_in"`
	// Interval is the minimum polling interval the server asks for (in seconds).
	Interval                int    `json:"interval"`
}

DeviceCodeResult holds the device code obtained from the device code URL.

type DeviceTokenExchanger

// DeviceTokenExchanger abstracts exchanging device codes and refresh tokens
// for tokens. TokenRetriever satisfies it.
type DeviceTokenExchanger interface {
	// ExchangeDeviceCode polls req.TokenEndpoint until tokens are issued or ctx is done.
	ExchangeDeviceCode(ctx context.Context, req DeviceCodeExchangeRequest) (*TokenResult, error)
	// ExchangeRefreshToken trades req.RefreshToken for a refreshed set of tokens.
	ExchangeRefreshToken(req RefreshTokenExchangeRequest) (*TokenResult, error)
}

DeviceTokenExchanger abstracts exchanging device codes and refresh tokens for tokens.

type Flow

// Flow abstracts an OAuth 2.0 authentication and authorization flow.
// ClientCredentialsFlow and DeviceCodeFlow satisfy it.
type Flow interface {
	// Authorize obtains an authorization grant based on an OAuth 2.0 authorization flow.
	// The method returns a grant which may contain an initial access token.
	Authorize(audience string) (*AuthorizationGrant, error)
}

Flow abstracts an OAuth 2.0 authentication and authorization flow

type HTTPAuthTransport

// HTTPAuthTransport abstracts how an HTTP exchange request is sent and
// received. *http.Client satisfies it; callers supplying one should give it
// a Timeout, since token-endpoint requests otherwise have no deadline.
type HTTPAuthTransport interface {
	// Do sends request and returns the response, as http.Client.Do does.
	Do(request *http.Request) (*http.Response, error)
}

HTTPAuthTransport abstracts how an HTTP exchange request is sent and received

type Issuer

// Issuer holds information about the issuer of tokens.
type Issuer struct {
	// IssuerEndpoint is the issuer URL.
	IssuerEndpoint string
	// ClientID identifies the OAuth 2.0 client at this issuer.
	ClientID       string
	// Audience is the intended audience of tokens from this issuer.
	Audience       string
}

Issuer holds information about the issuer of tokens

type KeyFile

// KeyFile is the on-disk/inline representation of a client's credentials.
// It contains a ClientSecret, so instances (and anything that serializes
// them, such as AuthorizationGrant.ClientCredentials) are sensitive.
type KeyFile struct {
	// Type is the credential type label.
	Type         string `json:"type"`
	// ClientID identifies the OAuth 2.0 client.
	ClientID     string `json:"client_id"`
	// ClientSecret authenticates the client; keep it out of logs and error text.
	ClientSecret string `json:"client_secret"`
	// ClientEmail is the contact/identity email associated with the client.
	ClientEmail  string `json:"client_email"`
	// IssuerURL is the issuer the credentials belong to.
	IssuerURL    string `json:"issuer_url"`
	// Scope is the scope string associated with the credentials.
	Scope        string `json:"scope"`
}

type KeyFileProvider

// KeyFileProvider implements ClientCredentialsProvider by loading a KeyFile
// from the reference in KeyFile. Construct it with
// NewClientCredentialsProviderFromKeyFile.
type KeyFileProvider struct {
	// KeyFile references the credentials. NOTE(review): presumably a FILE- or
	// DATA-prefixed reference (see those constants) — confirm.
	KeyFile string
}

func NewClientCredentialsProviderFromKeyFile

func NewClientCredentialsProviderFromKeyFile(keyFile string) *KeyFileProvider

func (*KeyFileProvider) GetClientCredentials

func (k *KeyFileProvider) GetClientCredentials() (*KeyFile, error)

type LocalDeviceCodeProvider

// LocalDeviceCodeProvider holds the information needed to easily get a device
// code locally; it implements DeviceCodeProvider via GetCode. Construct it
// with NewLocalDeviceCodeProvider.
type LocalDeviceCodeProvider struct {
	// contains filtered or unexported fields
}

LocalDeviceCodeProvider holds the information needed to easily get a device code locally.

func NewLocalDeviceCodeProvider

func NewLocalDeviceCodeProvider(
	options LocalDeviceCodeProviderOptions,
	oidcWellKnownEndpoints OIDCWellKnownEndpoints,
	authTransport HTTPAuthTransport) *LocalDeviceCodeProvider

NewLocalDeviceCodeProvider allows for the easy setup of LocalDeviceCodeProvider

func (*LocalDeviceCodeProvider) GetCode

func (cp *LocalDeviceCodeProvider) GetCode(audience string, additionalScopes ...string) (*DeviceCodeResult, error)

GetCode obtains a new device code. Additional scopes beyond openid and email can be requested by passing them as <additionalScopes>.

type LocalDeviceCodeProviderOptions

// LocalDeviceCodeProviderOptions configures NewLocalDeviceCodeProvider.
type LocalDeviceCodeProviderOptions struct {
	// ClientID identifies the OAuth 2.0 client making the device authorization request.
	ClientID string
}

type OIDCWellKnownEndpoints

// OIDCWellKnownEndpoints holds the well-known OIDC endpoints, as discovered by
// GetOIDCWellKnownEndpointsFromIssuerURL. These URLs are trusted as discovered;
// callers should make sure the issuer URL they discover from is one they trust.
type OIDCWellKnownEndpoints struct {
	// AuthorizationEndpoint is the issuer's authorization endpoint.
	AuthorizationEndpoint       string `json:"authorization_endpoint"`
	// TokenEndpoint is the issuer's token endpoint.
	TokenEndpoint               string `json:"token_endpoint"`
	// DeviceAuthorizationEndpoint is the issuer's device authorization endpoint.
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
}

OIDCWellKnownEndpoints holds the well known OIDC endpoints

func GetOIDCWellKnownEndpointsFromIssuerURL

func GetOIDCWellKnownEndpointsFromIssuerURL(issuerURL string) (*OIDCWellKnownEndpoints, error)

GetOIDCWellKnownEndpointsFromIssuerURL gets the well-known endpoints for the passed-in issuer URL.

type RefreshTokenExchangeRequest

// RefreshTokenExchangeRequest is used to request the exchange of a refresh
// token for a refreshed token at TokenEndpoint.
type RefreshTokenExchangeRequest struct {
	// TokenEndpoint is the URL the exchange request is sent to.
	TokenEndpoint string
	// ClientID identifies the OAuth 2.0 client.
	ClientID      string
	// RefreshToken is the long-lived credential being exchanged.
	RefreshToken  string
}

RefreshTokenExchangeRequest is used to request the exchange of a refresh token for a refreshed token

type TokenError

// TokenError is the error returned when the token endpoint rejects a request.
// It implements error via Error(). NOTE(review): presumably populated from a
// TokenErrorResponse — confirm.
type TokenError struct {
	// ErrorCode is the OAuth 2.0 error code reported by the server.
	ErrorCode        string
	// ErrorDescription is the human-readable description, when the server sent one.
	ErrorDescription string
}

func (*TokenError) Error

func (e *TokenError) Error() string

type TokenErrorResponse

// TokenErrorResponse is used to parse error responses from the token endpoint.
type TokenErrorResponse struct {
	// Error is the OAuth 2.0 error code ("error" field).
	Error            string `json:"error"`
	// ErrorDescription is the optional human-readable description.
	ErrorDescription string `json:"error_description"`
}

TokenErrorResponse is used to parse error responses from the token endpoint

type TokenResult

// TokenResult holds token information returned by the exchange methods.
// Its fields are bearer credentials; treat the serialized form as sensitive.
type TokenResult struct {
	// AccessToken is the bearer token presented to the resource server.
	AccessToken  string `json:"access_token"`
	// IDToken is the OIDC ID token, when one was issued.
	IDToken      string `json:"id_token"`
	// RefreshToken is the long-lived credential, when one was issued.
	RefreshToken string `json:"refresh_token"`
	// ExpiresIn is the access token lifetime as reported by the server (in seconds).
	ExpiresIn    int    `json:"expires_in"`
}

TokenResult holds token information

type TokenRetriever

// TokenRetriever performs token-endpoint exchanges over an HTTPAuthTransport;
// its methods satisfy ClientCredentialsExchanger and DeviceTokenExchanger.
// Construct it with NewTokenRetriever.
type TokenRetriever struct {
	// contains filtered or unexported fields
}

TokenRetriever implements AuthTokenExchanger in order to facilitate getting Tokens

func NewTokenRetriever

func NewTokenRetriever(authTransport HTTPAuthTransport) *TokenRetriever

NewTokenRetriever allows the internals of a new TokenRetriever to be easily set up.

func (*TokenRetriever) ExchangeClientCredentials

func (ce *TokenRetriever) ExchangeClientCredentials(req ClientCredentialsExchangeRequest) (*TokenResult, error)

ExchangeClientCredentials uses the ClientCredentialsExchangeRequest to exchange client credentials for tokens

func (*TokenRetriever) ExchangeCode

ExchangeCode uses the AuthorizationCodeExchangeRequest to exchange an authorization code for tokens.

func (*TokenRetriever) ExchangeDeviceCode

func (ce *TokenRetriever) ExchangeDeviceCode(ctx context.Context, req DeviceCodeExchangeRequest) (*TokenResult, error)

ExchangeDeviceCode uses the DeviceCodeExchangeRequest to exchange a device code for tokens

func (*TokenRetriever) ExchangeRefreshToken

func (ce *TokenRetriever) ExchangeRefreshToken(req RefreshTokenExchangeRequest) (*TokenResult, error)

ExchangeRefreshToken uses the RefreshTokenExchangeRequest to exchange a refresh token for refreshed tokens
