Documentation ¶
Index ¶
- type CommonClaims
- type IDTokenSource
- type OAuthHandlers
- type OIDCHandlers
- type OIDCWebFlowFlags
- type OIDCWebFlowServer
- func (s *OIDCWebFlowServer) Address() string
- func (s *OIDCWebFlowServer) AuthStartURL() string
- func (s *OIDCWebFlowServer) HealthCheck(w http.ResponseWriter, r *http.Request)
- func (s *OIDCWebFlowServer) NotFoundHandler(w http.ResponseWriter, r *http.Request)
- func (s *OIDCWebFlowServer) Run() (*IDTokenSource, error)
- type Proxy
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CommonClaims ¶
type CommonClaims struct {
	AtHash        string `json:"at_hash"`
	Aud           string `json:"aud"`
	AzP           string `json:"azp"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int    `json:"exp"`
	FamilyName    string `json:"family_name"`
	GivenName     string `json:"given_name"`
	Locale        string `json:"locale"`
	HD            string `json:"hd"`
	IAT           int    `json:"iat"`
	ISS           string `json:"iss"`
	Name          string `json:"name"`
	Nonce         string `json:"nonce"`
	Picture       string `json:"picture"`
	Sub           string `json:"sub"`
}
CommonClaims holds the common ID token claims, at least those provided by Google's OIDC implementation.
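An added example, not the package's code, showing what the nonce, email_verified and hd fields above are checked against once the oidc.IDTokenVerifier has accepted the token (it validates signature, issuer, audience and expiry; the checks below are the ones it leaves to the application). decodeClaims and checkClaims are assumed names, and the struct is a subset of CommonClaims with the same tags.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Subset of the page's CommonClaims, same field names and JSON tags.
type CommonClaims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	HD            string `json:"hd"`
	Nonce         string `json:"nonce"`
	Sub           string `json:"sub"`
}

// decodeClaims (assumed name) reads the payload segment of a compact JWT. It
// does NOT verify the signature: use it only on a token the verifier accepted.
func decodeClaims(rawIDToken string) (*CommonClaims, error) {
	parts := strings.Split(rawIDToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed id token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c CommonClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// checkClaims (assumed name) applies the application-level checks: the nonce
// must be the one minted at login (binds the token to this browser session),
// the e-mail must be verified and, when hd is given, the account must belong
// to that Google Workspace domain.
func checkClaims(c *CommonClaims, nonce, hd string) error {
	switch {
	case nonce == "" || c.Nonce != nonce:
		return errors.New("nonce does not match the login request")
	case !c.EmailVerified:
		return fmt.Errorf("email %q is not verified", c.Email)
	case hd != "" && c.HD != hd:
		return fmt.Errorf("hd %q is not the allowed domain", c.HD)
	}
	return nil
}
```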
type IDTokenSource ¶
type IDTokenSource struct {
	Source   oauth2.TokenSource
	Verifier *oidc.IDTokenVerifier
}
IDTokenSource is a wrapper around a TokenSource that returns the OpenID token as the access token.
func (*IDTokenSource) AccessTokenSource ¶
func (s *IDTokenSource) AccessTokenSource() oauth2.TokenSource
AccessTokenSource returns a token source for the underlying access token obtained as part of the OIDC flow. This can be used with the UserProfile service to get the profile information of the user. https://developers.google.com/identity/openid-connect/openid-connect#obtaininguserprofileinformation
type OAuthHandlers ¶
type OAuthHandlers struct {
// contains filtered or unexported fields
}
OAuthHandlers provides helpers for server side web apps. see: https://developers.google.com/identity/protocols/oauth2/web-server
See also the flow diagram
https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow https://developers.google.com/identity/protocols/oauth2#webserver
Since it runs on the server, it can use the client secret without the risk of that secret being compromised: the secret is never distributed to clients, as it would be in a desktop or JavaScript application.
OAuthHandlers provides two methods that can be invoked from your web server to deal with the OAuth web flow.
First, the appropriate handler in your web server should call RedirectToAuthURL. This returns a 302 redirect to the OAuth server and sets an appropriate state cookie. The value of the state is returned to the caller so that it can be used as a cookie to link data across server invocations. The OAuth2 redirect URI is set to the redirect URI specified in the config.
Second, your server should have a handler for the redirect URI specified in oauth2.Config. That handler should invoke HandleAuthCode, which takes the auth code returned by the server and exchanges it for an access token. The access token is returned as an oauth2.TokenSource which the caller can then use in subsequent calls. In addition it returns the value of the state cookie, which lets the server know which client issued the call and should be associated with the token source.
func NewOAuthHandlers ¶
func NewOAuthHandlers(config oauth2.Config) (*OAuthHandlers, error)
func (*OAuthHandlers) HandleAuthCode ¶
func (s *OAuthHandlers) HandleAuthCode(w http.ResponseWriter, r *http.Request) (string, oauth2.TokenSource, error)
HandleAuthCode handles the Auth Code returned by the Authorization server. It exchanges the auth code for an access token (and refresh token if access type is offline) and creates a TokenSource.
This should be invoked in step 5 of the auth flow as described in https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow and takes care of steps 6 and 7.
It returns the TokenSource along with the state value. The caller can use the TokenSource to make calls to authorized APIs.
func (*OAuthHandlers) RedirectToAuthURL ¶
func (s *OAuthHandlers) RedirectToAuthURL(w http.ResponseWriter, r *http.Request) (string, error)
RedirectToAuthURL kicks off the OAuthWebFlow by redirecting to the AuthCode URL. It returns the value of the state variable. This gets set in a cookie and is also passed through by the OAuth server on redirect. The server can use this to track state across the flow.
type OIDCHandlers ¶
type OIDCHandlers struct {
// contains filtered or unexported fields
}
OIDCHandlers provides helpers for server side web apps that want to use OIDC for login. It is based on the code in https://github.com/coreos/go-oidc/blob/v3/example/idtoken/app.go.
The OIDC flow is very similar to the OAuth flow; see: https://developers.google.com/identity/openid-connect/openid-connect#authenticationuriparameters
These handlers are intended to run on the server, so they can use the client secret without the risk of that secret being compromised: the secret is never distributed to clients, as it would be in a desktop or JavaScript application.
OIDCHandlers provides two methods that can be invoked from your web server to deal with the OAuth web flow.
First, the appropriate handler in your web server should initiate the login flow by mapping the login URL, e.g. "/login", to RedirectToAuthURL.
This handler returns a 302 redirect to the OAuth server and sets an appropriate state cookie. The value of the state is returned to the caller so that it can be used as a cookie to link data across server invocations. The OAuth2 redirect URI is set to the redirect URI specified in the config.
Second, your server should have a handler for the redirect URI specified in oauth2.Config. That handler should invoke HandleAuthCode, which takes the auth code returned by the server and exchanges it for an access token. This is then used to obtain an ID token. A token source is returned which uses the JWT as the access token; it can be used to authenticate to services that accept the JWT.
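The state handling that both the OAuthHandlers and the OIDCHandlers flows above rely on, as an added example that is not the package's code: a login handler that mints the state, keeps it in a cookie and redirects (what RedirectToAuthURL does), and the callback-side check that HandleAuthCode must pass before it exchanges the code. The cookie name, query parameters and function names are assumptions; authURL, clientID and redirectURI stand in for oauth2.Config fields.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"net/url"
)

const stateCookie = "oauth_state" // assumed name; the package's own is not on the page

// newState mints a random, URL-safe state value: the CSRF token of the flow.
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// redirectToAuth mirrors RedirectToAuthURL: mint a state, keep it in an HttpOnly
// cookie and send the browser to the authorization endpoint with the same state.
func redirectToAuth(w http.ResponseWriter, r *http.Request, authURL, clientID, redirectURI string) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	// Lax, not Strict: the callback is a top-level navigation from the IdP.
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: state, Path: "/",
		HttpOnly: true, Secure: r.TLS != nil, SameSite: http.SameSiteLaxMode, MaxAge: 300})
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "scope": {"openid email"}, "state": {state}}
	http.Redirect(w, r, authURL+"?"+q.Encode(), http.StatusFound)
	return state, nil
}

// checkState is what HandleAuthCode must do first on the callback: the state echoed
// by the server has to equal the cookie's, or the code may be from a flow an attacker started.
func checkState(r *http.Request) (string, bool) {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return "", false
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return "", false
	}
	return c.Value, true
}
```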
func NewOIDCHandlers ¶
func NewOIDCHandlers(config oauth2.Config, verifier *oidc.IDTokenVerifier) (*OIDCHandlers, error)
func (*OIDCHandlers) Config ¶
func (s *OIDCHandlers) Config() oauth2.Config
func (*OIDCHandlers) HandleAuthCode ¶
func (s *OIDCHandlers) HandleAuthCode(w http.ResponseWriter, r *http.Request) (string, *IDTokenSource, error)
HandleAuthCode handles the Auth Code returned by the Authorization server. It exchanges the auth code for an access token (and refresh token if access type is offline) and creates a TokenSource.
This should be invoked in step 5 of the auth flow as described in https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow and takes care of steps 6 and 7.
It returns the TokenSource along with the state value. The caller can use the TokenSource to make calls to authorized APIs.
func (*OIDCHandlers) RedirectToAuthURL ¶
func (s *OIDCHandlers) RedirectToAuthURL(w http.ResponseWriter, r *http.Request) (string, error)
RedirectToAuthURL kicks off the OIDCWebFlow by redirecting to the AuthCode URL. It returns the value of the state variable. This gets set in a cookie and is also passed through by the OAuth server on redirect. The server can use this to track state across the flow.
type OIDCWebFlowFlags ¶
OIDCWebFlowFlags creates the OIDCWebFlowServer from command line flags.
func (*OIDCWebFlowFlags) AddFlags ¶
func (f *OIDCWebFlowFlags) AddFlags(cmd *cobra.Command)
func (*OIDCWebFlowFlags) Flow ¶
func (f *OIDCWebFlowFlags) Flow() (*OIDCWebFlowServer, error)
type OIDCWebFlowServer ¶
type OIDCWebFlowServer struct {
// contains filtered or unexported fields
}
OIDCWebFlowServer creates a server to be used to go through the web flow to get a token source for use in a CLI.
It is based on the code in https://github.com/coreos/go-oidc/blob/v3/example/idtoken/app.go.
N.B: https://github.com/coreos/go-oidc/issues/354 is discussing creating a reusable server.
Your OAuth2 credential should have http://127.0.0.1/auth/callback as an allowed redirect URL. The port doesn't matter.
Refer to oidc_webflow_int_test.go for an example of how to use this. TODO(jeremy): Add caching of the refresh token.
func NewOIDCWebFlowServer ¶
func NewOIDCWebFlowServer(config oauth2.Config, verifier *oidc.IDTokenVerifier, log logr.Logger) (*OIDCWebFlowServer, error)
func (*OIDCWebFlowServer) Address ¶
func (s *OIDCWebFlowServer) Address() string
func (*OIDCWebFlowServer) AuthStartURL ¶
func (s *OIDCWebFlowServer) AuthStartURL() string
AuthStartURL returns the URL to kick off the OAuth login flow.
func (*OIDCWebFlowServer) HealthCheck ¶
func (s *OIDCWebFlowServer) HealthCheck(w http.ResponseWriter, r *http.Request)
func (*OIDCWebFlowServer) NotFoundHandler ¶
func (s *OIDCWebFlowServer) NotFoundHandler(w http.ResponseWriter, r *http.Request)
func (*OIDCWebFlowServer) Run ¶
func (s *OIDCWebFlowServer) Run() (*IDTokenSource, error)
Run runs the flow to create a TokenSource. The server is shut down after the flow is complete. Since the flow should return a refresh token, it shouldn't be necessary to keep it running.
type Proxy ¶
type Proxy struct {
// contains filtered or unexported fields
}
Proxy is an OIDC proxy. It mimics IAP (Google Cloud's Identity-Aware Proxy) when running a server locally. It programmatically obtains an OIDC token from Google and then sets the appropriate header before forwarding the request to the target.
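An added example of the pattern Proxy implements, not the package's code: a local reverse proxy that stamps an ID token onto every forwarded request. The header name is an assumption (the page does not name it; X-Goog-IAP-JWT-Assertion is the header IAP itself uses to hand the identity token to a backend), and tokenFunc, withIDToken and newIAPProxy are assumed names; tokenFunc stands in for IDTokenSource.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Assumption: the page does not name the header Proxy sets. IAP itself hands
// the identity token to the backend in X-Goog-IAP-JWT-Assertion, so use that.
const idTokenHeader = "X-Goog-IAP-JWT-Assertion"

// tokenFunc stands in for IDTokenSource.Token(): it yields the current JWT.
type tokenFunc func() (string, error)

// withIDToken (assumed name) returns a copy of r carrying the ID token. Set
// overwrites any value the local caller sent, so a client cannot impersonate
// another user by supplying the header itself.
func withIDToken(r *http.Request, token string) *http.Request {
	out := r.Clone(r.Context())
	out.Header.Set(idTokenHeader, token)
	return out
}

// newIAPProxy (assumed name) builds the local reverse proxy: obtain a token,
// stamp it on the request, forward to target. A token failure is answered with
// 502 rather than forwarding an unauthenticated request.
func newIAPProxy(target *url.URL, token tokenFunc) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(req *http.Request) {
		director(req)
		req.Host = target.Host // present the backend's host, not the proxy's
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		t, err := token()
		if err != nil {
			http.Error(w, "could not obtain id token", http.StatusBadGateway)
			return
		}
		rp.ServeHTTP(w, withIDToken(r, t))
	})
}

func main() {
	target, _ := url.Parse("http://127.0.0.1:8080") // placeholder: the local server under test
	src := func() (string, error) { return "<token from IDTokenSource>", nil } // placeholder
	log.Fatal(http.ListenAndServe("127.0.0.1:9090", newIAPProxy(target, src)))
}
```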
func NewProxy ¶
func NewProxy(h *OIDCHandlers, port int) (*Proxy, error)
NewProxy creates a new server running on localhost.
func (*Proxy) StartAndBlock ¶
func (p *Proxy) StartAndBlock()
StartAndBlock starts the server and blocks.