Documentation
Index
- Constants
- Variables
- func IsAllowedByMode(domain, path string, config MatchRules, proxyPrefix string) bool
- type Cookie
- type CookieStoreOptions
- type LegacyOptions
- type LegacyProvider
- type LoginURLParameter
- type MatchRules
- type OIDCOptions
- type Options
- type Provider
- type ProviderType
- type Providers
- type Rule
- type RuleType
- type Service
- type SessionOptions
- type SignatureData
- type URLParameterRule
Constants

```go
const (
	// OIDCEmailClaim is the generic email claim used by the OIDC provider.
	OIDCEmailClaim = "email"
	// OIDCGroupsClaim is the generic groups claim used by the OIDC provider.
	OIDCGroupsClaim = "groups"
)
```

Variables

```go
var CookieSessionStoreType = "cookie"
```

CookieSessionStoreType is used to indicate the CookieSessionStore should be used for storing sessions.

```go
var OIDCAudienceClaims = []string{"aud"}
```

OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.

Functions

func IsAllowedByMode

```go
func IsAllowedByMode(domain, path string, config MatchRules, proxyPrefix string) bool
```

Types

type Cookie

```go
type Cookie struct {
	Name           string        `mapstructure:"cookie_name"`
	Secret         string        `mapstructure:"cookie_secret"`
	Domains        []string      `mapstructure:"cookie_domains"`
	Path           string        `mapstructure:"cookie_path"`
	Expire         time.Duration `mapstructure:"cookie_expire"`
	Refresh        time.Duration `mapstructure:"cookie_refresh"`
	Secure         bool          `mapstructure:"cookie_secure"`
	HTTPOnly       bool          `mapstructure:"cookie_httponly"`
	SameSite       string        `mapstructure:"cookie_samesite"`
	CSRFPerRequest bool          `mapstructure:"cookie_csrf_per_request"`
	CSRFExpire     time.Duration `mapstructure:"cookie_csrf_expire"`
}
```
Cookie contains configuration options relating to Cookie configuration
type CookieStoreOptions

```go
type CookieStoreOptions struct {
	Minimal bool `mapstructure:"session_cookie_minimal"`
}
```
CookieStoreOptions contains configuration options for the CookieSessionStore.
type LegacyOptions

```go
type LegacyOptions struct {
	// Legacy options for single provider
	LegacyProvider LegacyProvider `mapstructure:",squash"`

	Options Options `mapstructure:",squash"`
}
```

func NewLegacyOptions

```go
func NewLegacyOptions() *LegacyOptions
```

func (*LegacyOptions) ToOptions

```go
func (l *LegacyOptions) ToOptions() (*Options, error)
```

type LegacyProvider

```go
type LegacyProvider struct {
	ClientID                           string   `mapstructure:"client_id"`
	ClientSecret                       string   `mapstructure:"client_secret"`
	ProviderType                       string   `mapstructure:"provider"`
	OIDCIssuerURL                      string   `mapstructure:"oidc_issuer_url"`
	InsecureOIDCSkipIssuerVerification bool     `mapstructure:"insecure_oidc_skip_issuer_verification"`
	InsecureOIDCSkipNonce              bool     `mapstructure:"insecure_oidc_skip_nonce"`
	SkipOIDCDiscovery                  bool     `mapstructure:"skip_oidc_discovery"`
	OIDCJwksURL                        string   `mapstructure:"oidc_jwks_url"`
	OIDCEmailClaim                     string   `mapstructure:"oidc_email_claim"`
	OIDCGroupsClaim                    string   `mapstructure:"oidc_groups_claim"`
	OIDCAudienceClaims                 []string `mapstructure:"oidc_audience_claims"`
	OIDCExtraAudiences                 []string `mapstructure:"oidc_extra_audiences"`
	OIDCVerifierRequestTimeout         uint32   `mapstructure:"oidc_verifier_request_timeout"`
	LoginURL                           string   `mapstructure:"login_url"`
	RedeemURL                          string   `mapstructure:"redeem_url"`
	RedeemTimeout                      uint32   `mapstructure:"redeem_timeout"`
	ProfileURL                         string   `mapstructure:"profile_url"`
	SkipClaimsFromProfileURL           bool     `mapstructure:"skip_claims_from_profile_url"`
	ValidateURL                        string   `mapstructure:"validate_url"`
	Scope                              string   `mapstructure:"scope"`
	Prompt                             string   `mapstructure:"prompt"`
	ApprovalPrompt                     string   `mapstructure:"approval_prompt"`
	UserIDClaim                        string   `mapstructure:"user_id_claim"`
	AllowedGroups                      []string `mapstructure:"allowed_groups"`
	AcrValues                          string   `mapstructure:"acr_values"`
	CodeChallengeMethod                string   `mapstructure:"code_challenge_method"`
}
```
type LoginURLParameter

```go
type LoginURLParameter struct {
	// Name specifies the name of the query parameter.
	Name string `json:"name"`

	// Default specifies a default value or values that will be
	// passed to the IdP if not overridden.
	//+optional
	Default []string `json:"default,omitempty"`

	// Allow specifies rules about how the default (if any) may be
	// overridden via the query string to `/oauth2/start`. Only
	// values that match one or more of the allow rules will be
	// forwarded to the IdP.
	//+optional
	Allow []URLParameterRule `json:"allow,omitempty"`
}
```
LoginURLParameter is the configuration for a single query parameter that can be passed through from the `/oauth2/start` endpoint to the IdP login URL. The "default" option specifies the default value or values (if any) that will be passed to the IdP for this parameter, and "allow" is a list of options for ways in which this parameter can be set or overridden via the query string to `/oauth2/start`. If _only_ a default is specified and no "allow" then the parameter is effectively fixed - the default value will always be used and anything passed to the start URL will be ignored. If _only_ "allow" is specified but no default then the parameter will only be passed on to the IdP if the caller provides it, and no value will be sent otherwise.
Examples:
A parameter whose value is fixed:

```yaml
name: organization
default:
  - myorg
```

A parameter that is not passed by default, but may be set to one of a fixed set of values:

```yaml
name: prompt
allow:
  - value: login
  - value: consent
  - value: select_account
```

A parameter that is passed by default but may be overridden by one of a fixed set of values:

```yaml
name: prompt
default: ["login"]
allow:
  - value: consent
  - value: select_account
```

A parameter that may be overridden, but only by values that match a regular expression. For example to restrict `login_hint` to email addresses in your organization's domain:

```yaml
name: login_hint
allow:
  - pattern: '^[^@]*@example\.com$'  # this allows at most one "@" sign, and requires "example.com" domain.
```

Note that the YAML rules around exactly which characters are allowed and/or require escaping in different types of string literals are convoluted. For regular expressions the single quoted form is simplest as backslash is not considered to be an escape character. Alternatively use the "chomped block" format `|-`:

```yaml
- pattern: |-
    ^[^@]*@example\.com$
```
The hyphen is important, a `|` block would have a trailing newline character.
type MatchRules

type OIDCOptions

```go
type OIDCOptions struct {
	// IssuerURL is the OpenID Connect issuer URL
	// eg: https://accounts.google.com
	IssuerURL string `json:"issuerURL,omitempty"`

	// InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
	// default set to 'false'
	InsecureSkipIssuerVerification bool `json:"insecureSkipIssuerVerification,omitempty"`

	// InsecureSkipNonce skips verifying the ID Token's nonce claim that must match
	// the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
	// after the initial OAuth redeem & subsequent token refreshes.
	// default set to 'true'
	// Warning: In a future release, this will change to 'false' by default for enhanced security.
	InsecureSkipNonce bool `json:"insecureSkipNonce,omitempty"`

	// SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
	// default set to 'false'
	SkipDiscovery bool `json:"skipDiscovery,omitempty"`

	// JwksURL is the OpenID Connect JWKS URL
	// eg: https://www.googleapis.com/oauth2/v3/certs
	JwksURL string `json:"jwksURL,omitempty"`

	// EmailClaim indicates which claim contains the user email,
	// default set to 'email'
	EmailClaim string `json:"emailClaim,omitempty"`

	// GroupsClaim indicates which claim contains the user groups
	// default set to 'groups'
	GroupsClaim string `json:"groupsClaim,omitempty"`

	// UserIDClaim indicates which claim contains the user ID
	// default set to 'email'
	UserIDClaim string `json:"userIDClaim,omitempty"`

	// AudienceClaim allows to define any claim that is verified against the client id
	// By default `aud` claim is used for verification.
	AudienceClaims []string `json:"audienceClaims,omitempty"`

	// ExtraAudiences is a list of additional audiences that are allowed
	// to pass verification in addition to the client id.
	ExtraAudiences []string `json:"extraAudiences,omitempty"`

	VerifierRequestTimeout uint32 `json:"verifierTimeout,omitempty"`
}
```
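The AudienceClaims and ExtraAudiences comments above describe a check but do not show it. The following is an added example, not the project's own verifier code: it reads the first configured audience claim that is present in a decoded ID token, accepts the token if at least one listed audience is the client ID or one of the extra audiences, and rejects everything else. The `Claims` type, the `VerifyAudience` helper, the "at least one audience matches" rule and the `client-123` / `api://other` values are assumptions of this example, not identifiers from the page.

```go
package main

import "fmt"

// Claims is a decoded ID token payload (hypothetical type for this example; the
// project's verifier is not shown on this page).
type Claims map[string]interface{}

// audienceValues reads one audience claim in either shape RFC 7519 allows for
// "aud": a single string or an array of strings.
func audienceValues(raw interface{}) ([]string, error) {
	switch v := raw.(type) {
	case string:
		return []string{v}, nil
	case []string:
		return v, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("audience entry %v is not a string", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("unsupported audience claim type %T", raw)
	}
}

// VerifyAudience applies the documented AudienceClaims / ExtraAudiences rule as
// this example interprets it: the first claim named in audienceClaims that is
// present in the token is read, and the token passes if at least one of its
// audiences is the client ID or one of extraAudiences. A token whose audiences
// are all unknown was issued for some other relying party and is rejected, as
// is a token carrying none of the configured claims.
func VerifyAudience(claims Claims, audienceClaims []string, clientID string, extraAudiences []string) error {
	allowed := map[string]bool{clientID: true}
	for _, a := range extraAudiences {
		allowed[a] = true
	}
	for _, name := range audienceClaims {
		raw, present := claims[name]
		if !present {
			continue
		}
		auds, err := audienceValues(raw)
		if err != nil {
			return fmt.Errorf("claim %q: %w", name, err)
		}
		for _, a := range auds {
			if allowed[a] {
				return nil
			}
		}
		return fmt.Errorf("claim %q audiences %v include neither client id %q nor any extra audience", name, auds, clientID)
	}
	return fmt.Errorf("token carries none of the audience claims %v", audienceClaims)
}

func main() {
	const clientID = "client-123" // constructed value
	// Constructed token payloads; only the audience-related claims are shown.
	tokens := []Claims{
		{"aud": "client-123"},
		{"aud": []interface{}{"api://other", "client-123"}},
		{"aud": "api://other"},
		{"client_id": "client-123"},
		{},
	}
	for _, c := range tokens {
		err := VerifyAudience(c, []string{"aud", "client_id"}, clientID, nil)
		fmt.Printf("%v -> %v\n", c, err)
	}
	// Accepting a second relying party's audience explicitly via ExtraAudiences.
	fmt.Println(VerifyAudience(Claims{"aud": "api://other"}, []string{"aud"}, clientID, []string{"api://other"}))
}
```

The point of the check is that a token issued to a different client of the same issuer must not be accepted here; ExtraAudiences widens the accepted set deliberately, and only for audiences the operator lists.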
type Options

```go
type Options struct {
	ProxyPrefix         string   `mapstructure:"proxy_prefix"`
	ReverseProxy        bool     `mapstructure:"reverse_proxy"`
	RawRedirectURL      string   `mapstructure:"redirect_url"`
	RelativeRedirectURL bool     `mapstructure:"relative_redirect_url"`
	WhitelistDomains    []string `mapstructure:"whitelist_domains"`

	Cookie     Cookie         `mapstructure:",squash"`
	Session    SessionOptions `mapstructure:",squash"`
	Service    Service        `mapstructure:",squash"`
	MatchRules MatchRules     `mapstructure:",squash"`

	Providers Providers

	SkipAuthPreflight  bool          `mapstructure:"skip_auth_preflight"`
	EncodeState        bool          `mapstructure:"encode_state"`
	PassAuthorization  bool          `mapstructure:"pass_authorization_header"`
	VerifierInterval   time.Duration `mapstructure:"verifier_interval"`
	UpdateKeysInterval time.Duration `mapstructure:"update_keys_interval"`
	// contains filtered or unexported fields
}
```

Options holds configuration options that can be set by command line flag or config file.

func NewOptions

```go
func NewOptions() *Options
```

NewOptions constructs a new Options with defaulted values.

func (*Options) GetRedirectURL

Options for getting internal values.

func (*Options) SetRedirectURL

Options for setting internal values.
type Provider

```go
type Provider struct {
	// ClientID is the OAuth Client ID that is defined in the provider
	// This value is required for all providers.
	ClientID string `json:"clientID,omitempty"`
	// ClientSecret is the OAuth Client Secret that is defined in the provider
	// This value is required for all providers.
	ClientSecret string `json:"clientSecret,omitempty"`

	// OIDCConfig holds all configurations for OIDC provider
	// or providers utilize OIDC configurations.
	OIDCConfig OIDCOptions `json:"oidcConfig,omitempty"`

	// ID should be a unique identifier for the provider.
	// This value is required for all providers.
	ID string `json:"id,omitempty"`
	// Type is the OAuth provider
	// must be set from the supported providers group,
	// otherwise 'Google' is set as default
	Type ProviderType `json:"provider,omitempty"`
	// Name is the providers display name
	// if set, it will be shown to the users in the login page.
	Name string `json:"name,omitempty"`

	// LoginURL is the authentication endpoint
	LoginURL string `json:"loginURL,omitempty"`
	// LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL
	LoginURLParameters []LoginURLParameter `json:"loginURLParameters,omitempty"`
	// RedeemURL is the token redemption endpoint
	RedeemURL string `json:"redeemURL,omitempty"`
	// ProfileURL is the profile access endpoint
	ProfileURL string `json:"profileURL,omitempty"`
	// SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token
	// default set to 'false'
	SkipClaimsFromProfileURL bool `json:"skipClaimsFromProfileURL,omitempty"`
	// ValidateURL is the access token validation endpoint
	ValidateURL string `json:"validateURL,omitempty"`
	// Scope is the OAuth scope specification
	Scope string `json:"scope,omitempty"`
	// AllowedGroups is a list of restrict logins to members of this group
	AllowedGroups []string `json:"allowedGroups,omitempty"`
	// The code challenge method
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
	// Client redeem request timeout
	RedeemTimeout uint32 `json:"redeemTimeout"`
}
```

Provider holds all configuration for a single provider.
type ProviderType

```go
type ProviderType string
```

ProviderType is used to enumerate the different provider type options. Valid options are: adfs, azure, bitbucket, digitalocean, facebook, github, gitlab, google, keycloak, keycloak-oidc, linkedin, login.gov, nextcloud and oidc.

```go
const (
	// OIDCProvider is the provider type for OIDC
	OIDCProvider   ProviderType = "oidc"
	AliyunProvider ProviderType = "aliyun"
)
```
type Service

```go
type Service struct {
	// Full FQDN name including the service type, e.g. keycloak.static, auth.dns
	ServiceName string `mapstructure:"service_name"`
	ServicePort int64  `mapstructure:"service_port"`
	ServiceHost string `mapstructure:"service_host"`
}
```

Service contains configuration options relating to the upstream service (the identity provider endpoint the proxy calls).

func (*Service) NewService

```go
func (s *Service) NewService() (wrapper.HttpClient, error)
```
type SessionOptions

```go
type SessionOptions struct {
	Type   string             `mapstructure:"session_store_type"`
	Cookie CookieStoreOptions `mapstructure:",squash"`
}
```
SessionOptions contains configuration options for the SessionStore providers.
type SignatureData

SignatureData holds the hmacauth signature hash and key.
type URLParameterRule

```go
type URLParameterRule struct {
	// A Value rule matches just this specific value
	Value *string `json:"value,omitempty"`

	// A Pattern rule gives a regular expression that must be matched by
	// some substring of the value. The expression is _not_ automatically
	// anchored to the start and end of the value, if you _want_ to restrict
	// the whole parameter value you must anchor it yourself with `^` and `$`.
	Pattern *string `json:"pattern,omitempty"`
}
```
URLParameterRule represents a rule by which query parameters passed to the `/oauth2/start` endpoint are checked to determine whether they are valid overrides for the given parameter passed to the IdP's login URL. Either Value or Pattern should be supplied, not both.
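The LoginURLParameter examples and the URLParameterRule doc above describe how defaults, Value rules and Pattern rules combine, and warn that an unanchored pattern only needs to match a substring. The block below is an added example, not the project's own implementation: it mirrors the two documented structs, encodes the four YAML examples as Go values, and applies the rules to values supplied on `/oauth2/start`. The `ForwardedValues` and `Matches` helpers, and the exact fallback rule (surviving values replace the default; if none survive the default is sent), are this example's own choices; the `.other.test` input is a constructed value used to show why anchoring matters.

```go
package main

import (
	"fmt"
	"regexp"
)

// URLParameterRule mirrors the documented struct: exactly one of Value or Pattern is set.
type URLParameterRule struct {
	Value   *string
	Pattern *string
}

// LoginURLParameter mirrors the documented struct.
type LoginURLParameter struct {
	Name    string
	Default []string
	Allow   []URLParameterRule
}

func strp(s string) *string { return &s }

// Matches reports whether candidate satisfies the rule. A Pattern rule is a
// substring match (regexp.MatchString) unless the expression is anchored with
// ^ and $, which is the caveat given in the URLParameterRule documentation.
func (r URLParameterRule) Matches(candidate string) (bool, error) {
	switch {
	case r.Value != nil && r.Pattern != nil:
		return false, fmt.Errorf("rule must set value or pattern, not both")
	case r.Value != nil:
		return candidate == *r.Value, nil
	case r.Pattern != nil:
		return regexp.MatchString(*r.Pattern, candidate)
	default:
		return false, fmt.Errorf("rule must set value or pattern")
	}
}

// ForwardedValues is a hypothetical helper, not the project's API. It applies the
// documented semantics: with no allow rules the default is fixed and anything
// supplied is ignored; otherwise each value supplied on /oauth2/start is kept only
// if it matches at least one rule, and the surviving values replace the default.
// If nothing survives, the default (which may be empty) is sent.
func ForwardedValues(p LoginURLParameter, supplied []string) ([]string, error) {
	if len(p.Allow) == 0 {
		return p.Default, nil
	}
	var kept []string
	for _, v := range supplied {
		for _, rule := range p.Allow {
			ok, err := rule.Matches(v)
			if err != nil {
				return nil, fmt.Errorf("parameter %q: %w", p.Name, err)
			}
			if ok {
				kept = append(kept, v)
				break
			}
		}
	}
	if len(kept) == 0 {
		return p.Default, nil
	}
	return kept, nil
}

// The four configurations from the LoginURLParameter documentation, as Go values.
var (
	FixedOrg        = LoginURLParameter{Name: "organization", Default: []string{"myorg"}}
	PromptAllowOnly = LoginURLParameter{Name: "prompt", Allow: []URLParameterRule{
		{Value: strp("login")}, {Value: strp("consent")}, {Value: strp("select_account")}}}
	PromptDefaultAndAllow = LoginURLParameter{Name: "prompt", Default: []string{"login"},
		Allow: []URLParameterRule{{Value: strp("consent")}, {Value: strp("select_account")}}}
	LoginHintAnchored = LoginURLParameter{Name: "login_hint",
		Allow: []URLParameterRule{{Pattern: strp(`^[^@]*@example\.com$`)}}}
	// Constructed counter-example: the same expression without ^ and $.
	LoginHintUnanchored = LoginURLParameter{Name: "login_hint",
		Allow: []URLParameterRule{{Pattern: strp(`[^@]*@example\.com`)}}}
)

func main() {
	cases := []struct {
		p        LoginURLParameter
		supplied []string
	}{
		{FixedOrg, []string{"otherorg"}},
		{PromptAllowOnly, nil},
		{PromptAllowOnly, []string{"login", "none"}},
		{PromptDefaultAndAllow, []string{"none"}},
		{PromptDefaultAndAllow, []string{"consent"}},
		{LoginHintAnchored, []string{"alice@example.com", "alice@example.com.other.test"}},
		{LoginHintUnanchored, []string{"alice@example.com.other.test"}},
	}
	for _, c := range cases {
		got, err := ForwardedValues(c.p, c.supplied)
		fmt.Printf("%-12s supplied=%v -> forwarded=%v err=%v\n", c.p.Name, c.supplied, got, err)
	}
}
```

The last two cases are the ones worth checking in any deployment: the anchored `login_hint` pattern forwards only `alice@example.com`, while the unanchored variant also forwards `alice@example.com.other.test` because the expression matches a substring of it.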