oidc

Documentation

Index

• type AuthError
  • func (e AuthError) Error() string
  • func (e AuthError) Unwrap() error
• type AuthenticationResult
• type Opts
• type Verifier
  • func NewVerifier(issuer string, clientID string, audience string, ...) (*Verifier, error)
  • func (o *Verifier) Auth(ctx context.Context, w http.ResponseWriter, r *http.Request) (*AuthenticationResult, error)
  • func (o *Verifier) Callback(w http.ResponseWriter, r *http.Request)
  • func (o *Verifier) ExpireConfig()
  • func (*Verifier) IsRequest(r *http.Request) bool
  • func (o *Verifier) Login(w http.ResponseWriter, r *http.Request)
  • func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request)
  • func (o *Verifier) WriteHeaders(w http.ResponseWriter) error

Types

type AuthError

type AuthError struct {
	Err error
}

AuthError represents an authentication error. If an error of this type is returned, the caller should call WriteHeaders on the response so that the client has the necessary information to log in using the device flow.

func (AuthError) Error

func (e AuthError) Error() string

Error implements the error interface for AuthError.

func (AuthError) Unwrap

func (e AuthError) Unwrap() error

Unwrap implements the xerrors.Wrapper interface for AuthError.

type AuthenticationResult

type AuthenticationResult struct {
	IdentityType           string
	Subject                string
	Email                  string
	Name                   string
	IdentityProviderGroups []string
}

AuthenticationResult represents an authenticated OIDC client.

type Opts

type Opts struct {
	GroupsClaim string
}

Opts contains optional configurable fields for the Verifier.

type Verifier

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier holds all information needed to verify an access token offline.

func NewVerifier

func NewVerifier(issuer string, clientID string, audience string, clusterCert func() *shared.CertInfo, identityCache *identity.Cache, httpClientFunc func() (*http.Client, error), options *Opts) (*Verifier, error)

NewVerifier returns a Verifier.

func (*Verifier) Auth

func (o *Verifier) Auth(ctx context.Context, w http.ResponseWriter, r *http.Request) (*AuthenticationResult, error)

Auth extracts OIDC tokens from the request, verifies them, and returns the subject.

func (*Verifier) Callback

func (o *Verifier) Callback(w http.ResponseWriter, r *http.Request)

Callback is a http.HandlerFunc which implements the code exchange required on the /oidc/callback endpoint.

func (*Verifier) ExpireConfig

func (o *Verifier) ExpireConfig()

ExpireConfig sets the expiry time of the current configuration to zero. This forces the verifier to reconfigure the relying party the next time a user authenticates.

func (*Verifier) IsRequest

func (*Verifier) IsRequest(r *http.Request) bool

IsRequest checks if the request is using OIDC authentication. We check for the presence of the Authorization header or one of the ID or refresh tokens and the session cookie.

func (*Verifier) Login

func (o *Verifier) Login(w http.ResponseWriter, r *http.Request)

Login is a http.Handler than initiates the login flow for the UI.

func (*Verifier) Logout

func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request)

Logout deletes the ID and refresh token cookies and redirects the user to the login page.

func (*Verifier) WriteHeaders

func (o *Verifier) WriteHeaders(w http.ResponseWriter) error

WriteHeaders writes the OIDC configuration as HTTP headers so the client can initatiate the device code flow.