auth

package module
v0.1.1-0...-768da54 Latest

This package is not in the latest version of its module.
Published: Nov 14, 2023 License: MIT Imports: 8 Imported by: 0

README

Auth

The purpose of the Auth package is to facilitate the authentication and authorization process using the OpenID Connect (OIDC) standard.

Usage

HTTP middleware authentication against an OIDC provider:
zap, err := log.NewLoggerZap(log.ZapConfig{})
if err != nil {
  panic(err)
}

oidc, err := auth.New(zap, clientID, issuer)
if err != nil {
  panic(err)
}

r := chi.NewRouter()
// Enable the authentication middleware for all endpoints.
// The request context will be populated with scopes and roles.
r.Use(oidc.Auth)

// Apply the role middleware to /payment: only tokens carrying the "charge" role reach paymentHandler.
r.With(auth.HasRoleMiddleware("charge")).Get("/payment", paymentHandler)

zap.Fatal(context.Background(), "ending http", log.Error(http.ListenAndServe(":8181", r)))
Validation outside transport layer

You may want to use the decorator pattern outside HTTP and apply it to your service. Remember to pass the request context to service calls; it is populated with the scopes and roles.

Suppose you have a service:

type Payment interface {
  Create(context.Context, charge) error
}

You can decorate with your own type:

var ErrRole = errors.New("invalid role")

// PaymentAuth wraps a Payment and checks the caller's role before delegating.
type PaymentAuth struct {
  createRole string
  Payment
}

func NewPaymentAuth(createRole string, p Payment) *PaymentAuth {
  return &PaymentAuth{
    createRole: createRole,
    Payment:    p,
  }
}

// Create denies the call unless the context carries the required role.
func (p *PaymentAuth) Create(ctx context.Context, c charge) error {
  if !auth.HasRole(ctx, p.createRole) {
    return errors.Wrapf(ErrRole, "missing '%s' role", p.createRole)
  }

  return p.Payment.Create(ctx, c)
}

Later in your service start:

// Other services start earlier, including the Payment implementation held in the payment variable.
paymentAuth := NewPaymentAuth("charge", payment)

// Another service that requires the Payment interface; PaymentAuth implements
// Payment with authorization.
cli := NewCli(paymentAuth)
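The decorator described above, written out as a runnable added example rather than the package's own code. HasRole and WithClaims here are stand-ins for the library's functions, and the "roles" claim layout and the context key are assumptions, since the page does not document them; the example also shows the deny-by-default behaviour when a call arrives with no claims in its context at all.

```go
package main

import (
	"context"
	"errors"
)

// Claims mirrors the page's Claims type; claimsKey is an unexported context key,
// so only code in this package (standing in for OIDC.Auth) can populate it.
type Claims map[string]interface{}
type claimsKey struct{}

// WithClaims stands in for OIDC.Auth storing the validated token's claims.
func WithClaims(ctx context.Context, c Claims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

// HasRole stands in for auth.HasRole and denies by default. The "roles" claim
// is assumed to be a JSON array, which encoding/json decodes as []interface{}.
func HasRole(ctx context.Context, role string) bool {
	c, _ := ctx.Value(claimsKey{}).(Claims)    // nil map when no claims in ctx
	roles, _ := c["roles"].([]interface{})     // nil when claim missing or mistyped
	for _, r := range roles {
		if r == role {
			return true
		}
	}
	return false
}

type charge struct{ Amount int }
type Payment interface{ Create(context.Context, charge) error }
type PaymentFunc func(context.Context, charge) error // constructed stand-in service
func (f PaymentFunc) Create(ctx context.Context, c charge) error { return f(ctx, c) }
var ErrRole = errors.New("invalid role")

// PaymentAuth is the README's decorator: the role check runs before the wrapped service.
type PaymentAuth struct {
	createRole string
	Payment
}

func NewPaymentAuth(createRole string, p Payment) *PaymentAuth {
	return &PaymentAuth{createRole: createRole, Payment: p}
}

func (p *PaymentAuth) Create(ctx context.Context, c charge) error {
	if !HasRole(ctx, p.createRole) {
		return ErrRole // callers check with errors.Is(err, ErrRole)
	}
	return p.Payment.Create(ctx, c)
}
```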

Documentation

Overview

Package auth exists to ease the difficulty of handling authentication and, to some extent, authorization. auth does not implement token creation; third-party software such as Keycloak or Casdoor should be used as the issuer.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetRootClaim

func GetRootClaim(ctx context.Context, claim string) interface{}

GetRootClaim returns the named claim from ctx. ctx should be populated with the token claims before calling GetRootClaim, generally using the OIDC.Auth method.

func HasRole

func HasRole(ctx context.Context, role string) bool

HasRole inspects ctx for the role claim and returns true if it is present. Before using this function, ctx should be populated with the token claims, generally using the OIDC.Auth method.

func HasRoleMiddleware

func HasRoleMiddleware(role string) func(next http.Handler) http.Handler

HasRoleMiddleware wraps HasRole in an http middleware to prevent access to the handlers that follow. OIDC.Auth must run before this middleware; otherwise the claims will not be present in http.Request.Context.

func HasScope

func HasScope(ctx context.Context, scope string) bool

HasScope inspects ctx for the scope claim and returns true if it is present. Before using this function, ctx should be populated with the token claims, generally using the OIDC.Auth method.

func HasScopeMiddleware

func HasScopeMiddleware(scope string) func(next http.Handler) http.Handler

HasScopeMiddleware wraps HasRole in an http middleware to prevent access to the handlers that follow. OIDC.Auth must run before this middleware; otherwise the claims will not be present in http.Request.Context.

Types

type Claims

type Claims map[string]interface{}

Claims of a JWT token.

type OIDC

type OIDC struct {
	// contains filtered or unexported fields
}

OIDC represents our authentication using OpenID Connect together with its required dependencies, such as the logger.

func New

func New(log log.Logger, clientID, issuer string) (*OIDC, error)

New returns a new OIDC that uses the provided clientID and issuer to validate incoming authentication tokens in the OIDC.Auth http middleware method.

func (*OIDC) Auth

func (o *OIDC) Auth(next http.Handler) http.Handler

Auth is a middleware used to validate the authorization token and populate the context with standard claims.
