openid

package
v0.1.0-cvefix.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 18, 2022 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source
const (
	JwksURL     = "jwks_url"
	ConfigURL   = "config_url"
	ClaimName   = "claim_name"
	ClaimPrefix = "claim_prefix"
	ClientID    = "client_id"
	Scopes      = "scopes"

	EnvIdentityOpenIDClientID    = "MINIO_IDENTITY_OPENID_CLIENT_ID"
	EnvIdentityOpenIDJWKSURL     = "MINIO_IDENTITY_OPENID_JWKS_URL"
	EnvIdentityOpenIDURL         = "MINIO_IDENTITY_OPENID_CONFIG_URL"
	EnvIdentityOpenIDClaimName   = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
	EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
	EnvIdentityOpenIDScopes      = "MINIO_IDENTITY_OPENID_SCOPES"
)

OpenID keys and envs.

View Source
const (
	EnvIamJwksURL = "MINIO_IAM_JWKS_URL"
)

Legacy envs

Variables

View Source
var (
	SigningMethodES3256 *jwt.SigningMethodECDSA
	SigningMethodES3384 *jwt.SigningMethodECDSA
	SigningMethodES3512 *jwt.SigningMethodECDSA
)

Specific instances for EC256 and company

View Source
var (
	SigningMethodRS3256 *jwt.SigningMethodRSA
	SigningMethodRS3384 *jwt.SigningMethodRSA
	SigningMethodRS3512 *jwt.SigningMethodRSA
)

Specific instances for RS256 and company

View Source
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   ConfigURL,
			Value: "",
		},
		config.KV{
			Key:   ClientID,
			Value: "",
		},
		config.KV{
			Key:   ClaimName,
			Value: iampolicy.PolicyName,
		},
		config.KV{
			Key:   ClaimPrefix,
			Value: "",
		},
		config.KV{
			Key:   Scopes,
			Value: "",
		},
		config.KV{
			Key:   JwksURL,
			Value: "",
		},
	}
)

DefaultKVS - default config for OpenID config

View Source
var (
	ErrTokenExpired = errors.New("token expired")
)

ErrTokenExpired - error token expired

View Source
var (
	Help = config.HelpKVS{
		config.HelpKV{
			Key:         ConfigURL,
			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"`,
			Type:        "url",
		},
		config.HelpKV{
			Key:         ClientID,
			Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"`,
			Type:        "string",
			Optional:    true,
		},
		config.HelpKV{
			Key:         ClaimName,
			Description: `JWT canned policy claim name, defaults to "policy"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimPrefix,
			Description: `JWT claim namespace prefix e.g. "customer1/"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         Scopes,
			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
			Optional:    true,
			Type:        "csv",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,
			Type:        "sentence",
		},
	}
)

Help template for OpenID identity feature.

Functions

func Enabled

func Enabled(kvs config.KVS) bool

Enabled returns if jwks is enabled.

func GetDefaultExpiration

func GetDefaultExpiration(dsecs string) (time.Duration, error)

GetDefaultExpiration - returns the expiration seconds expected.

func SetIdentityOpenID

func SetIdentityOpenID(s config.Config, cfg Config)

SetIdentityOpenID - One time migration code needed, for migrating from older config to new for OpenIDConfig.

Types

type Config

type Config struct {
	JWKS struct {
		URL *xnet.URL `json:"url"`
	} `json:"jwks"`
	URL          *xnet.URL `json:"url,omitempty"`
	ClaimPrefix  string    `json:"claimPrefix,omitempty"`
	ClaimName    string    `json:"claimName,omitempty"`
	DiscoveryDoc DiscoveryDoc
	ClientID     string
	// contains filtered or unexported fields
}

Config - OpenID Config RSA authentication target arguments

func LookupConfig

func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (c Config, err error)

LookupConfig lookup jwks from config, override with any ENVs.

func (*Config) PopulatePublicKey

func (r *Config) PopulatePublicKey() error

PopulatePublicKey - populates a new publickey from the JWKS URL.

func (*Config) UnmarshalJSON

func (r *Config) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data.

type DiscoveryDoc

type DiscoveryDoc struct {
	Issuer                           string   `json:"issuer,omitempty"`
	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
	JwksURI                          string   `json:"jwks_uri,omitempty"`
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}

DiscoveryDoc - parses the output from openid-configuration for example https://accounts.google.com/.well-known/openid-configuration

type ID

type ID string

ID - holds identification name authentication validator target.

type JWKS

type JWKS struct {
	Keys []*JWKS `json:"keys,omitempty"`

	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`

	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	D   string `json:"d,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
	K   string `json:"k,omitempty"`
}

JWKS - https://tools.ietf.org/html/rfc7517

func (*JWKS) DecodePublicKey

func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error)

DecodePublicKey - decodes JSON Web Key (JWK) as public key

type JWT

type JWT struct {
	Config
}

JWT - rs client grants provider details.

func NewJWT

func NewJWT(c Config) *JWT

NewJWT - initialize new jwt authenticator.

func (*JWT) ID

func (p *JWT) ID() ID

ID returns the provider name and authentication type.

func (*JWT) Validate

func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error)

Validate - validates the access token.

type Validator

type Validator interface {
	// Validate is a custom validator function for this provider,
	// each validation is authenticationType or provider specific.
	Validate(token string, duration string) (map[string]interface{}, error)

	// ID returns provider name of this provider.
	ID() ID
}

Validator interface describes basic implementation requirements of various authentication providers.

type Validators

type Validators struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Validators - holds list of providers indexed by provider id.

func NewValidators

func NewValidators() *Validators

NewValidators - creates Validators.

func (*Validators) Add

func (list *Validators) Add(provider Validator) error

Add - adds unique provider to provider list.

func (*Validators) Get

func (list *Validators) Get(id ID) (p Validator, err error)

Get - returns the provider for the given providerID, if not found returns an error.

func (*Validators) List

func (list *Validators) List() []ID

List - returns available provider IDs.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL