Documentation ¶
Overview ¶
Package idp contains an HTTP middleware and a client for authentication with the IdentityProvider-App.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Authenticate ¶
func Authenticate(validator Validator, getSystemBaseUriFromCtx, getTenantIdFromCtx func(ctx context.Context) (string, error), allowExternalValidation bool, logError, logInfo func(ctx context.Context, message string)) func(http.Handler) http.Handler
Authenticate authenticates the user using the IdentityProvider-App
If the user is already logged in, the credentials of the user are taken from the HTTP request. Otherwise the request is redirected to the IdentityProvider for authentication and then redirected back to the resource that was originally invoked. If the user is logged in successfully, information about the user (principal) and the authSession can be taken from the context.

The parameter allowExternalValidation determines whether the handler accepts external users. External users are those who have been successfully authenticated by an external identity provider such as Google, but have NOT yet been added to the pool of known users of this particular d.velop cloud tenant. USE THIS FEATURE WITH CAUTION. You don't know much about external users and should restrict their rights to a minimum if you must allow access for external users at all.

If external users are enabled (allowExternalValidation is true), the principal struct representing an external user doesn't provide any information apart from the e-mail address and the reserved group ID '3E093BE5-CCCE-435D-99F8-544656B98681', which marks the user as an external user unknown to the system. This group ID can be used to distinguish external from internal users. If you are unsure, set allowExternalValidation to false, as you usually don't want external users to access your app.
Example:
    package main

    import (
    	"fmt"
    	"net/http"

    	// Placeholder import paths: replace "example.com/your-module" with the module this package lives in.
    	"example.com/your-module/idp"
    	"example.com/your-module/idp/idpclient"
    	"example.com/your-module/tenant"
    )

    // logError, logInfo, resourceHandler and resource4ExternalUsersHandler are supplied by the
    // application and are not shown here.

    func main() {
    	idpClient, err := idpclient.New()
    	if err != nil {
    		// error handling
    	}
    	// Middleware for tenant members only (external users are rejected).
    	authenticate := idp.Authenticate(idpClient, tenant.SystemBaseUriFromCtx, tenant.IdFromCtx, false, logError, logInfo)
    	// Middleware that also admits external users; restrict what they may reach.
    	authenticateExternal := idp.Authenticate(idpClient, tenant.SystemBaseUriFromCtx, tenant.IdFromCtx, true, logError, logInfo)
    	mux := http.NewServeMux()
    	mux.Handle("/hello", authenticate(helloHandler()))
    	mux.Handle("/resource", authenticate(resourceHandler()))
    	mux.Handle("/resource4ExternalUsers", authenticateExternal(resource4ExternalUsersHandler()))
    }

    func helloHandler() http.Handler {
    	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    		// get user from context
    		principal, err := idp.PrincipalFromCtx(r.Context())
    		if err != nil {
    			http.Error(w, "no principal in context", http.StatusUnauthorized)
    			return
    		}
    		// get authSessionId from context
    		authSessionId, err := idp.AuthSessionIdFromCtx(r.Context())
    		if err != nil {
    			http.Error(w, "no authSessionId in context", http.StatusUnauthorized)
    			return
    		}
    		fmt.Fprintf(w, "Hello %v your authsessionId is %v", principal.DisplayName, authSessionId)
    	})
    }
Types ¶
type Validator ¶
    type Validator interface {
    	// Validate checks if the authSessionId is valid for the tenant specified by systemBaseUri and tenantId.
    	//
    	// If the authSessionId is valid, that is, it belongs to a principal and has not expired, a non-nil *scim.Principal is returned.
    	// Otherwise the returned *scim.Principal is nil.
    	//
    	// An error is returned if something unexpected occurred.
    	Validate(ctx context.Context, systemBaseUri string, tenantId string, authSessionId string) (*scim.Principal, error)
    }

Validator is an interface representing the ability to validate an authSessionId.
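The Authenticate documentation above says external users should be told apart by the reserved group ID and given minimal rights. The following is an added example, not code from the SDK: it shows a handler that sits behind an allowExternalValidation=true middleware and refuses external users, with a constructed Principal type standing in for scim.Principal (its GroupIDs field is an assumption) and the principal getter passed in the same way Authenticate takes its context getters (in the real SDK that would be idp.PrincipalFromCtx).

```go
package main

import (
	"context"
	"net/http"
	"strings"
)

// Reserved group ID (documented above) that marks a user as external.
const ExternalUserGroupID = "3E093BE5-CCCE-435D-99F8-544656B98681"

// Principal is a constructed stand-in for scim.Principal; GroupIDs is an assumption
// about how the SDK exposes group membership.
type Principal struct {
	DisplayName string
	GroupIDs    []string
}

// IsExternal reports whether the principal carries the reserved external-user group.
// GUIDs are compared case-insensitively so a differently cased ID is not missed.
func IsExternal(p *Principal) bool {
	for _, g := range p.GroupIDs {
		if strings.EqualFold(g, ExternalUserGroupID) {
			return true
		}
	}
	return false
}

// DenyExternal runs behind Authenticate(..., allowExternalValidation=true, ...) and
// keeps external users away from resources meant only for tenant members. The
// principal getter is passed in, like the context getters Authenticate itself takes
// (in the real SDK this would be idp.PrincipalFromCtx).
func DenyExternal(principalFromCtx func(ctx context.Context) (*Principal, error), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := principalFromCtx(r.Context())
		if err != nil || p == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if IsExternal(p) {
			// Fail closed: an unknown external identity gets no access here.
			http.Error(w, "forbidden for external users", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```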
Directories ¶
Path | Synopsis |
---|---|
idpclient | name 'idpclient' is used although it repeats the name of the outer package 'idp' in order to improve readability functions like e.g. |
scim | Package scim provides types for representing users and groups using the Simple Cloud Identity Management (SCIM) core schema 1.0 |