Documentation
Overview
Package ibmoidc provides code for using OpenID Connect to authenticate users via IBM w3id and IBM blueID.
Index
- Variables
- func ClaimSetFromRequest(r *http.Request) (*jwt.ClaimSet, bool)
- func Decode(payload []byte) (*jwt.ClaimSet, error)
- func MakeCSRFcookie(tok string) *http.Cookie
- func MakeCSRFtoken() (string, error)
- func ReadCSRFcookie(r *http.Request) string
- func RequestWithClaimSet(r *http.Request, cs *jwt.ClaimSet) *http.Request
- func UnmarshalJSON(jsondata []byte) (*jwt.ClaimSet, error)
- type Authenticator
Constants
This section is empty.
Variables
var IBMblueIDEndpoint = oauth2.Endpoint{
AuthURL: "https://idaas.iam.ibm.com/idaas/oidc/endpoint/default/authorize",
TokenURL: "https://idaas.iam.ibm.com/idaas/oidc/endpoint/default/token",
}
IBMblueIDEndpoint is the Endpoint for IBM blueID authentication.
var IBMw3idEndpoint = oauth2.Endpoint{
AuthURL: "https://w3id.sso.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize",
TokenURL: "https://w3id.sso.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/token",
}
IBMw3idEndpoint is the Endpoint for IBM w3ID authentication.
var IBMw3idPublicKey = pemToRSA(`
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
`)
IBMw3idPublicKey is the rsa.PublicKey to use to verify the signature on an id_token value returned from IBMw3idEndpoint.TokenURL.
var IBMw3idTapEndpoint = oauth2.Endpoint{
AuthURL: "https://w3id.tap.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize",
TokenURL: "https://w3id.tap.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/token",
}
IBMw3idTapEndpoint is the TAP pilot Endpoint for IBM w3ID authentication.
var IBMw3idTapPublicKey = pemToRSA(`
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
`)
IBMw3idTapPublicKey is the rsa.PublicKey to use to verify the signature on an id_token value returned from IBMw3idTapEndpoint.TokenURL.
Functions
func ClaimSetFromRequest
func ClaimSetFromRequest(r *http.Request) (*jwt.ClaimSet, bool)
ClaimSetFromRequest obtains the authenticated claimset from the request's context, where it was stored earlier by RequestWithClaimSet. The boolean indicates whether an authenticated claimset was actually found in the request.
func Decode
func Decode(payload []byte) (*jwt.ClaimSet, error)
Decode unpacks an id_token payload, as returned from the token endpoint, from its raw base64-encoded value.
func MakeCSRFcookie
func MakeCSRFcookie(tok string) *http.Cookie
MakeCSRFcookie turns a string generated by MakeCSRFtoken into a CSRF cookie.
func MakeCSRFtoken
func MakeCSRFtoken() (string, error)
MakeCSRFtoken makes a random 32-character string for use as a CSRF token.
func ReadCSRFcookie
func ReadCSRFcookie(r *http.Request) string
ReadCSRFcookie gets the token from the CSRF cookie, if found.
func RequestWithClaimSet
func RequestWithClaimSet(r *http.Request, cs *jwt.ClaimSet) *http.Request
RequestWithClaimSet adds a claimset to the http request, using a private context key.
func UnmarshalJSON
func UnmarshalJSON(jsondata []byte) (*jwt.ClaimSet, error)
UnmarshalJSON turns a JSON payload from a JWS token into a set of claims, and handles remapping IBM-specific private claims to standard ones:
- lastName → family_name
- firstName → given_name
- cn → name
- dn → sub
- emailAddress → email
The original emailAddress claim is left intact, as are the dn and realmName claims. The others are removed after remapping.
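The decode-and-remap steps that Decode and UnmarshalJSON describe, as an added stand-alone example (not the package's own code: it returns a plain map rather than a *jwt.ClaimSet, and the token, claim values and function names are constructed for illustration):

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// IBM private claims renamed to standard OIDC names, per UnmarshalJSON's doc.
var ibmClaimMap = map[string]string{
	"lastName": "family_name", "firstName": "given_name", "cn": "name",
	"dn": "sub", "emailAddress": "email",
}

// Originals that survive remapping; the rest are deleted. realmName is never
// remapped, so it is left untouched without being listed here.
var keepOriginal = map[string]bool{"emailAddress": true, "dn": true}

// decodePayload takes the middle segment of a compact JWS id_token and
// base64url-decodes it (the step Decode performs). It does NOT check the
// signature: verify the token against IBMw3idPublicKey before trusting claims.
func decodePayload(idToken string) ([]byte, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("id_token is not a three-part compact JWS")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// remapClaims parses the payload JSON and applies the claim renaming.
func remapClaims(payload []byte) (map[string]interface{}, error) {
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	for ibm, std := range ibmClaimMap {
		if v, ok := claims[ibm]; ok {
			claims[std] = v
			if !keepOriginal[ibm] {
				delete(claims, ibm)
			}
		}
	}
	return claims, nil
}

// sampleIDToken builds a constructed, unsigned token carrying IBM-style
// claims; the header and signature segments are placeholders.
func sampleIDToken() string {
	payload := `{"firstName":"Ada","lastName":"Lovelace","cn":"Ada Lovelace",` +
		`"dn":"uid=ada,ou=bluepages,o=ibm.com","emailAddress":"ada@example.com","realmName":"W3IDRealm"}`
	return "eyJhbGciOiJSUzI1NiJ9." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}
```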
Types
type Authenticator
Authenticator is an object for processing IBM authentication responses.
func NewIntranetAuthenticator
func NewIntranetAuthenticator() *Authenticator
NewIntranetAuthenticator creates an Authenticator object for processing intranet w3ID authentication server responses.
func (*Authenticator) BeginLogin
func (auth *Authenticator) BeginLogin() http.Handler
BeginLogin redirects the browser to the federated authentication provider in order to begin the login process.
func (*Authenticator) CompleteLogin
func (auth *Authenticator) CompleteLogin(next http.Handler) http.Handler
CompleteLogin accepts the HTTP GET response from the federated authentication provider and completes the login process by fetching identity information from the provider. The verified identity is then added to the request context, so that it can be accessed by the next handler in the chain using ClaimSetFromRequest.