auth

package
v2.14.11+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 11, 2021 License: Apache-2.0 Imports: 15 Imported by: 66

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type OIDCIssuer

type OIDCIssuer interface {
	// AuthCodeURL returns a URL to OpenID provider's consent page
	// that asks for permissions for the required scopes explicitly.
	//
	// state is a token to protect the user from CSRF attacks. You must
	// always provide a non-zero string and validate that it matches the
	// the state query parameter on your redirect callback.
	// See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
	AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string

	// Exchange converts an authorization code into a token.
	Exchange(ctx context.Context, code string) (OIDCToken, error)
}

OIDCIssuer exposes methods for getting OIDC tokens

type OIDCIssuerVerifier

type OIDCIssuerVerifier interface {
	OIDCIssuer
	TokenVerifier
}

OIDCIssuerVerifier combines OIDCIssuer and TokenVerifier

type OIDCToken

type OIDCToken struct {
	// AccessToken is the token that authorizes and authenticates
	// the requests.
	AccessToken string

	// RefreshToken is a token that's used by the application
	// (as opposed to the user) to refresh the access token
	// if it expires.
	RefreshToken string

	// Expiry is the optional expiration time of the access token.
	//
	// If zero, TokenSource implementations will reuse the same
	// token forever and RefreshToken or equivalent
	// mechanisms for that TokenSource will not be used.
	Expiry time.Time

	// IDToken is the token that contains claims about authenticated user
	//
	// Users should use TokenVerifier.Verify method to verify and extract claim from the token
	IDToken string
}

OIDCToken represents the credentials used to authorize the requests to access protected resources on the OAuth 2.0 provider's backend.

type OpenIDClient

type OpenIDClient struct {
	// contains filtered or unexported fields
}

OpenIDClient implements OIDCIssuerVerifier and TokenExtractorVerifier

func NewOpenIDClient

func NewOpenIDClient(issuer, clientID, clientSecret, redirectURI string, extractor TokenExtractor, insecureSkipVerify bool, rootCertificates *x509.CertPool) (*OpenIDClient, error)

NewOpenIDClient returns an authentication middleware which authenticates against an openID server. If rootCertificates is nil, the host's root CAs will be used.

func (*OpenIDClient) AuthCodeURL

func (o *OpenIDClient) AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string

AuthCodeURL returns a URL to OpenID provider's consent page that asks for permissions for the required scopes explicitly.

State is a token to protect the user from CSRF attacks. You must always provide a non-zero string and validate that it matches the the state query parameter on your redirect callback. See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.

func (*OpenIDClient) Exchange

func (o *OpenIDClient) Exchange(ctx context.Context, code string) (OIDCToken, error)

Exchange converts an authorization code into a token.

func (*OpenIDClient) Extract

func (o *OpenIDClient) Extract(rq *http.Request) (string, error)

Extractor knows how to extract the ID token from the request

func (*OpenIDClient) Verify

func (o *OpenIDClient) Verify(ctx context.Context, token string) (TokenClaims, error)

Verify parses a raw ID Token, verifies it's been signed by the provider, preforms any additional checks depending on the Config, and returns the payload as TokenClaims.

type ServiceAccountAuthClient

type ServiceAccountAuthClient struct {
	// contains filtered or unexported fields
}

ServiceAccountAuthClient implements TokenExtractorVerifier interface

func NewServiceAccountAuthClient

func NewServiceAccountAuthClient(headerBearerTokenExtractor TokenExtractor, jwtTokenAuthenticator serviceaccount.TokenAuthenticator, saTokenProvider provider.PrivilegedServiceAccountTokenProvider) *ServiceAccountAuthClient

NewServiceAccountAuthClient returns a client that knows how to read and verify service account's tokens

func (*ServiceAccountAuthClient) Extract

func (s *ServiceAccountAuthClient) Extract(rq *http.Request) (string, error)

Extractor knows how to extract the ID token from the request

func (*ServiceAccountAuthClient) Verify

Verify parses a raw ID Token, verifies it's been signed by the provider, preforms any additional checks depending on the Config, and returns the payload as TokenClaims.

type TokenClaims

type TokenClaims struct {
	Name    string
	Email   string
	Subject string
	Groups  []string
	Expiry  apiv1.Time
}

TokenClaims holds various claims extracted from the id_token

type TokenExtractor

type TokenExtractor interface {
	// Extract gets a token from the given HTTP request
	Extract(r *http.Request) (string, error)
}

TokenExtractor is an interface that knows how to extract a token

func NewCombinedExtractor

func NewCombinedExtractor(extractors ...TokenExtractor) TokenExtractor

NewCombinedExtractor returns an token extractor which tries a list of token extractors until it finds a token

func NewCookieHeaderBearerTokenExtractor

func NewCookieHeaderBearerTokenExtractor(header string) TokenExtractor

func NewHeaderBearerTokenExtractor

func NewHeaderBearerTokenExtractor(header string) TokenExtractor

NewHeaderBearerTokenExtractor returns a token extractor which extracts the token from the given header

func NewQueryParamBearerTokenExtractor

func NewQueryParamBearerTokenExtractor(header string) TokenExtractor

NewQueryParamBearerTokenExtractor returns a token extractor which extracts the token from the given query parameter

type TokenExtractorPlugins

type TokenExtractorPlugins struct {
	// contains filtered or unexported fields
}

TokenExtractorPlugins implements TokenExtractor by calling registered plugins for a token extraction

func NewTokenExtractorPlugins

func NewTokenExtractorPlugins(plugins []TokenExtractor) *TokenExtractorPlugins

NewTokenExtractorPlugins creates a new instance of TokenExtractorPlugins with the given plugins

func (*TokenExtractorPlugins) Extract

func (p *TokenExtractorPlugins) Extract(r *http.Request) (string, error)

Extract calls all registered plugins to get a token from the given request. This method stops when a token has been found and doesn't try remaining plugins. If all plugins were checked an error is returned.

type TokenExtractorVerifier

type TokenExtractorVerifier interface {
	TokenVerifier
	TokenExtractor
}

TokenExtractorVerifier combines TokenVerifier and TokenExtractor interfaces

type TokenVerifier

type TokenVerifier interface {
	// Verify parses a raw ID Token, verifies it's been signed by the provider, preforms
	// any additional checks depending on the Config, and returns the payload as TokenClaims.
	Verify(ctx context.Context, token string) (TokenClaims, error)
}

TokenVerifier knows how to verify a token

type TokenVerifierPlugins

type TokenVerifierPlugins struct {
	// contains filtered or unexported fields
}

TokenVerifierPlugins implements TokenVerifier interface by calling registered plugins for a token verification

func NewTokenVerifierPlugins

func NewTokenVerifierPlugins(plugins []TokenVerifier) *TokenVerifierPlugins

NewTokenVerifierPlugins creates a new instance of TokenVerifierPlugins with the given plugins

func (*TokenVerifierPlugins) Verify

func (p *TokenVerifierPlugins) Verify(ctx context.Context, token string) (TokenClaims, error)

Verify calls all registered plugins to check the given token. This method stops when a token has been validated and doesn't try remaining plugins. If all plugins were checked an error is returned.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL