Documentation
Types
type TokenExchangeD
type TokenExchangeD struct {
	Authn    *oidc.Authn
	Generate func(context.Context, *meshauth.JWT, string) (string, error)
}
TokenExchangeD is an OAuth2 token exchange server (RFC 8693, extending RFC 6749, which covers OAuth2).
This is also called a "Secure Token Service": the source of trust is a "security token", either a K8S JWT with a special audience or a JWT from a different provider.
It currently accepts grant_type 'token-exchange' with a 'jwt' subject token.
It can return access_token and JWT tokens.
func (*TokenExchangeD) ServeHTTP
func (s *TokenExchangeD) ServeHTTP(w http.ResponseWriter, req *http.Request)
ServeHTTP handles STS requests and sends the exchanged token in the response (RFC 8693, token exchange).
This is intended for localhost use with Envoy; it matches the protocol Envoy uses. Envoy does send a JWT loaded from a file, but this is ignored since localhost is trusted in sidecar cases.
It can also be used as a service, with proper Authz prior to
For example, GCP: https://cloud.google.com/iam/docs/reference/sts/rest/v1beta/TopLevel/token and https://cloud.google.com/iam/docs/reference/credentials/rest
It should be mapped to /v1/token (other paths are possible).
type TokenExchangeRequest
type TokenExchangeRequest struct {
	// REQUIRED. The value "urn:ietf:params:oauth:grant-type:token-exchange"
	// indicates that a token exchange is being performed.
	//
	// Other values: refresh_token, authorization_code, client_credentials
	GrantType string `json:"grantType"`

	// REQUIRED. A security token that represents the identity of the party on
	// behalf of whom the request is being made.
	SubjectToken string `json:"subjectToken"`

	// REQUIRED. An identifier that indicates the type of the security token in
	// the "subject_token" parameter.
	SubjectTokenType string `json:"subjectTokenType"`

	// OPTIONAL. An identifier for the type of the requested security token.
	RequestedTokenType string `json:"requestedTokenType"`

	// OPTIONAL in the RFC, required by GCP.
	// The logical name of the target service where the client intends
	// to use the requested security token.
	Audience string `json:"audience"`

	// OPTIONAL in the RFC, required by GCP. A list of space-delimited, case-sensitive
	// strings that allow the client to specify the desired scope of the requested
	// security token in the context of the service or resource where the token will be used.
	Scope string `json:"scope"`

	// OPTIONAL. Indicates the location of the target service or resource where
	// the client intends to use the requested security token.
	Resource string `json:"resource"`

	// OPTIONAL. A security token that represents the identity of the acting party.
	ActorToken string

	// An identifier that indicates the type of the security token in the
	// "actor_token" parameter.
	ActorTokenType string
}
TokenExchangeRequest stores all STS request attributes defined in https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16#section-2.1
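As an added example (not this package's own code), the following shows how a server such as TokenExchangeD could check an incoming request against the REQUIRED parameters of RFC 8693 section 2.1 and this page's own constraints (token-exchange grant, JWT subject token, mandatory audience) before handing the subject token to Generate. The constant names, the ValidateExchangeRequest and IssuedTokenType functions, and the simplified struct are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// RFC 8693 identifiers used by this example.
const (
	GrantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeJWT       = "urn:ietf:params:oauth:token-type:jwt"
	TokenTypeAccess    = "urn:ietf:params:oauth:token-type:access_token"
)

// TokenExchangeRequest mirrors the fields of the struct documented on this page.
type TokenExchangeRequest struct {
	GrantType, SubjectToken, SubjectTokenType, RequestedTokenType string
	Audience, Scope, Resource, ActorToken, ActorTokenType          string
}

// ValidateExchangeRequest enforces the REQUIRED parameters of RFC 8693 §2.1 plus this
// page's constraints: only the token-exchange grant with a JWT subject token is accepted,
// and audience is mandatory (as in GCP). Rejecting here keeps malformed requests away
// from the Generate callback that mints tokens.
func ValidateExchangeRequest(r *TokenExchangeRequest) error {
	switch {
	case r.GrantType != GrantTokenExchange:
		return fmt.Errorf("unsupported grant_type %q", r.GrantType)
	case r.SubjectToken == "":
		return errors.New("subject_token is required")
	case r.SubjectTokenType != TokenTypeJWT:
		return fmt.Errorf("unsupported subject_token_type %q", r.SubjectTokenType)
	case r.Audience == "":
		return errors.New("audience is required")
	case (r.ActorToken == "") != (r.ActorTokenType == ""): // §2.1: both or neither
		return errors.New("actor_token and actor_token_type must be supplied together")
	case r.RequestedTokenType != "" && r.RequestedTokenType != TokenTypeJWT &&
		r.RequestedTokenType != TokenTypeAccess:
		return fmt.Errorf("unsupported requested_token_type %q", r.RequestedTokenType)
	}
	return nil
}

// IssuedTokenType picks the RFC 8693 §2.2.1 issued_token_type for a valid request:
// a JWT when explicitly requested, otherwise an access_token (the page's default).
func IssuedTokenType(r *TokenExchangeRequest) string {
	if r.RequestedTokenType == TokenTypeJWT {
		return TokenTypeJWT
	}
	return TokenTypeAccess
}
```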