Documentation
¶
Overview ¶
Package openid provides identity providers that use OpenID to determine the identity.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewOpenIDConnectIdentityProvider ¶
func NewOpenIDConnectIdentityProvider(params OpenIDConnectParams) idp.IdentityProvider
NewOpenIDConnectIdentityProvider creates a new identity provider using OpenID connect.
func ProviderID ¶ added in v1.7.0
func ProviderID(provider string, id *oidc.IDToken) store.ProviderIdentity
ProviderID creates a ProviderIdentity using the Subject and Issuer from the given ID token.
Types ¶
type GroupsRetriever ¶ added in v1.12.0
type GroupsRetriever interface {
// RetrieveGroups retrieves groups from the OpenID token.
RetrieveGroups(context.Context, *oauth2.Token, func(interface{}) error) ([]string, error)
}
A GroupsRetriever is used to retrieve a list of user groups from the OpenID token returned by the OpenID authentication process.
type IdentityCreator ¶ added in v1.7.0
type IdentityCreator interface {
// Create an identity using the provided token. The identity must
// include a ProviderID which will remain constant for all
// authentications made by the same user, it is recommended that the
// ProviderID function is used for this purpose.
//
// If the identity includes a username then that username will be
// used as the default when creating a new user. If a user already
// exists that are identified by the ProviderID then the username
// will not be updated.
//
// If the Name or Email values are non-zero these values will either
// replace any currently stored values, or be used as defaults when
// registering a new user.
CreateIdentity(context.Context, *oauth2.Token) (store.Identity, error)
}
An IdentityCreator is used to create a candid identity from the OAuth2 token returned by the OAuth2 authentication process.
type OpenIDConnectParams ¶
type OpenIDConnectParams struct {
// Name is the name that will be given to the identity provider.
Name string `yaml:"name"`
// Description is the description that will be used with the
// identity provider. If this is not set then Name will be used.
Description string `yaml:"description"`
// Icon contains the URL or path of an icon.
Icon string `yaml:"icon"`
// Domain is the domain with which all identities created by this
// identity provider will be tagged (not including the @ separator).
Domain string `yaml:"domain"`
// Issuer is the OpenID connect issuer for the identity provider.
// Discovery will be performed for this issuer.
Issuer string `yaml:"issuer"`
// Scopes contains the OAuth scopes to request.
Scopes []string `yaml:"scopes"`
// ClientID is the ID of the client as registered with the issuer.
ClientID string `yaml:"client-id"`
// ClientSecret is a client specific secret agreed with the issuer.
ClientSecret string `yaml:"client-secret"`
// Hidden is set if the IDP should be hidden from interactive
// prompts.
Hidden bool `yaml:"hidden"`
// MatchEmailAddr is a regular expression that is used to determine if
// this identity provider can be used for a particular user email.
MatchEmailAddr string `yaml:"match-email-addr"`
// IdentityCreator is the IdentityCreator that the identity provider
// will use to convert the OAuth2 token into a candid Identity. If
// this is nil the default implementation provided by the
// openIDConnect identity provider will be used.
IdentityCreator IdentityCreator
// GroupsRetriever is the GroupsRetriever that the identity provider
// will use to retrieve a list of groups from the OAuth2 token. If
// this is nil the default implementation provided by the
// openIDConnect identity provider will be used.
GroupsRetriever GroupsRetriever
}
Source Files
Click to show internal directories.
Click to hide internal directories.