Documentation
Overview
Package openid contains functionality related to OpenID Connect protocol.
Constants
const GoogleDiscoveryURL = "https://accounts.google.com/.well-known/openid-configuration"
GoogleDiscoveryURL is the URL of the Google OpenID Connect discovery document.
Variables
This section is empty.
Functions
func AudienceMatchesHost
AudienceMatchesHost can be used as an AudienceCheck callback.
It verifies that the token's audience matches the "Host" request header. It is suitable only for environments where the "Host" header can be trusted.
Types
type DiscoveryDoc
type DiscoveryDoc struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	RevocationEndpoint    string `json:"revocation_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}
DiscoveryDoc describes a subset of OpenID Discovery JSON document.
See https://developers.google.com/identity/protocols/OpenIDConnect#discovery.
func FetchDiscoveryDoc
func FetchDiscoveryDoc(ctx context.Context, url string) (*DiscoveryDoc, error)
FetchDiscoveryDoc fetches the discovery document from the given URL.
It is cached in the process cache for 24 hours.
func (*DiscoveryDoc) SigningKeys
func (d *DiscoveryDoc) SigningKeys(ctx context.Context) (*JSONWebKeySet, error)
SigningKeys returns the JSON Web Key set fetched from the location specified in the discovery document.
It fetches the keys on first use and then keeps them cached in the process cache for 6 hours.
May return both fatal and transient errors.
type GoogleIDTokenAuthMethod
type GoogleIDTokenAuthMethod struct {
	// Audience is a list of allowed audiences for tokens that identify Google
	// service accounts ("*.gserviceaccount.com" emails).
	Audience []string

	// AudienceCheck is an optional callback to use to check tokens audience in
	// case enumerating all expected audiences is not viable.
	//
	// Works in conjunction with Audience. Also, just like Audience, this check is
	// used only for tokens that identify service accounts.
	AudienceCheck func(ctx context.Context, r *http.Request, aud string) (valid bool, err error)
	// contains filtered or unexported fields
}
GoogleIDTokenAuthMethod implements auth.Method by checking the `Authorization` header, which is expected to carry an OpenID Connect ID token signed by Google.
The header value should have form "Bearer <base64 JWT>".
There are two variants of tokens signed by Google:
- ID tokens identifying end users. They always have an OAuth2 Client ID as an audience (`aud` field). Their `aud` is placed into User.ClientID, so it is later checked against a whitelist of client IDs by the LUCI auth stack.
- ID tokens identifying service accounts. They can have anything at all as an audience, but usually carry the URL of the service being called. Their `aud` is checked against the Audience list in the struct above.
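To show how the two token variants above and the AudienceMatchesHost callback fit together, here is an added example; it is not code from the package. It assumes a minimal verified-claims struct (Email, Aud), a User type with only the Email and ClientID fields the page mentions, and plain string equality between `aud` and the request's Host (Go's server moves the incoming Host header into r.Host; the page does not spell out the exact matching rule, so equality is this example's assumption). The method name CheckAudience, the "svc.example.test" host and the token values are all constructed for the demo.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Claims is the subset of a verified ID token that the audience check needs.
type Claims struct{ Email, Aud string }

// User carries only the two auth.User fields the page refers to.
type User struct{ Email, ClientID string }

// GoogleIDTokenAuthMethod holds the same two audience settings as the page's type.
type GoogleIDTokenAuthMethod struct {
	Audience      []string
	AudienceCheck func(ctx context.Context, r *http.Request, aud string) (bool, error)
}

// AudienceMatchesHost has the AudienceCheck shape from the page. Comparison is plain
// equality with r.Host (assumption); an empty Host is treated as an error, not a match.
func AudienceMatchesHost(ctx context.Context, r *http.Request, aud string) (bool, error) {
	if r.Host == "" {
		return false, errors.New("request has no Host")
	}
	return aud == r.Host, nil
}

// CheckAudience applies the two-variant rule: service-account tokens ("*.gserviceaccount.com"
// emails) need an aud listed in Audience or accepted by AudienceCheck; end-user tokens keep
// their aud in User.ClientID so the caller can apply its client-ID whitelist.
func (m *GoogleIDTokenAuthMethod) CheckAudience(ctx context.Context, r *http.Request, c Claims) (*User, error) {
	if c.Aud == "" {
		return nil, errors.New("aud missing")
	}
	if !strings.HasSuffix(c.Email, ".gserviceaccount.com") {
		return &User{Email: c.Email, ClientID: c.Aud}, nil
	}
	for _, allowed := range m.Audience {
		if allowed == c.Aud {
			return &User{Email: c.Email}, nil
		}
	}
	if m.AudienceCheck != nil {
		ok, err := m.AudienceCheck(ctx, r, c.Aud)
		if err != nil {
			return nil, err
		}
		if ok {
			return &User{Email: c.Email}, nil
		}
	}
	return nil, fmt.Errorf("service account audience %q is not allowed", c.Aud)
}

// Outcomes records how four constructed tokens fared against one configured method.
type Outcomes struct {
	UserClientID    string // aud of the end-user token, carried through to ClientID
	StaticAccepted  bool   // service-account aud found in the Audience list
	HostAccepted    bool   // service-account aud equal to the request Host, via the callback
	UnknownRejected bool   // service-account aud matching neither
}

// AudienceDemo runs the scenarios; all inputs are constructed for this example.
func AudienceDemo() Outcomes {
	m := &GoogleIDTokenAuthMethod{
		Audience:      []string{"https://svc.example.test/api"},
		AudienceCheck: AudienceMatchesHost,
	}
	ctx := context.Background()
	r := &http.Request{Host: "svc.example.test"} // Host as the server sees it
	sa := "bot@proj.iam.gserviceaccount.com"
	var o Outcomes
	if u, err := m.CheckAudience(ctx, r, Claims{Email: "alice@example.test", Aud: "1234.apps.googleusercontent.com"}); err == nil {
		o.UserClientID = u.ClientID
	}
	_, err := m.CheckAudience(ctx, r, Claims{Email: sa, Aud: "https://svc.example.test/api"})
	o.StaticAccepted = err == nil
	_, err = m.CheckAudience(ctx, r, Claims{Email: sa, Aud: "svc.example.test"})
	o.HostAccepted = err == nil
	_, err = m.CheckAudience(ctx, r, Claims{Email: sa, Aud: "https://other.example.test"})
	o.UnknownRejected = err != nil
	return o
}

func main() { fmt.Printf("%+v\n", AudienceDemo()) }
```

The end-user token is never compared against Audience: its `aud` is passed through as ClientID, so a deployment that only fills Audience still depends on the client-ID whitelist the page mentions for user tokens.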
func (*GoogleIDTokenAuthMethod) Authenticate
func (m *GoogleIDTokenAuthMethod) Authenticate(ctx context.Context, r *http.Request) (*auth.User, auth.Session, error)
Authenticate extracts user information from the incoming request.
It returns:
- (*User, nil) on success.
- (nil, nil) if the method is not applicable.
- (nil, error) if the method is applicable, but credentials are invalid.
type IDToken
type IDToken struct {
	Iss           string `json:"iss"`
	AtHash        string `json:"at_hash"`
	EmailVerified bool   `json:"email_verified"`
	Sub           string `json:"sub"`
	Azp           string `json:"azp"`
	Email         string `json:"email"`
	Profile       string `json:"profile"`
	Picture       string `json:"picture"`
	Name          string `json:"name"`
	Aud           string `json:"aud"`
	Iat           int64  `json:"iat"`
	Exp           int64  `json:"exp"`
	Nonce         string `json:"nonce"`
	Hd            string `json:"hd"`
}
IDToken is a verified deserialized ID token.
See https://developers.google.com/identity/protocols/OpenIDConnect.
func UserFromIDToken
func UserFromIDToken(ctx context.Context, token string, discovery *DiscoveryDoc) (*IDToken, *auth.User, error)
UserFromIDToken validates the ID token and extracts user information from it.
Returns the partially validated token and the auth.User extracted from it.
The caller is still responsible for verifying the token's Audience field.
func VerifyIDToken
func VerifyIDToken(ctx context.Context, token string, keys *JSONWebKeySet, issuer string) (*IDToken, error)
VerifyIDToken deserializes and verifies the ID token.
It checks the signature, expiration time and verifies fields `iss` and `email_verified`.
It checks that `aud` and `sub` are present, but does NOT verify their values any further. It is the caller's responsibility to do so.
This is a fast local operation.
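The checks listed above, carried out end to end in an added example that is not the package's own code. It assumes the key set has already been turned into a map from `kid` to *rsa.PublicKey (the page's JSONWebKeySet is opaque, so that mapping is an assumption), pins the algorithm to RS256 rather than trusting the token's header, and uses a constructed signer, signToken, to play the identity provider. The kid "demo-kid", the audience URLs and the claim values are constructed; the issuer is the Google value the page implies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Subset of the page's IDToken claims that the checks below look at.
type IDToken struct {
	Iss           string `json:"iss"`
	Sub           string `json:"sub"`
	Aud           string `json:"aud"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments use the URL-safe alphabet without padding

func decodeJSON(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken mirrors the checks the page lists: RS256 signature under the key named by
// the header's kid, then exp, iss and email_verified, and presence (only) of aud and sub.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer string, now time.Time) (*IDToken, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeJSON(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header rejected: alg is pinned to RS256, the token does not choose it")
	}
	sig, err := b64.DecodeString(parts[2])
	if keys[hdr.Kid] == nil || err != nil {
		return nil, errors.New("unknown kid or malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is the raw segments
	if rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var tok IDToken
	if err := decodeJSON(parts[1], &tok); err != nil {
		return nil, err
	}
	switch {
	case tok.Exp <= now.Unix():
		return nil, errors.New("token expired")
	case tok.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", tok.Iss)
	case !tok.EmailVerified:
		return nil, errors.New("email_verified is false")
	case tok.Aud == "" || tok.Sub == "":
		return nil, errors.New("aud or sub missing") // their values are the caller's job
	}
	return &tok, nil
}

// signToken stands in for the identity provider; constructed for this demo only.
func signToken(priv *rsa.PrivateKey, kid string, claims IDToken) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Scenarios runs constructed tokens through VerifyIDToken; each flag is true when the check behaved as intended.
func Scenarios() (valid, tampered, expired bool) {
	const issuer, kid = "https://accounts.google.com", "demo-kid" // kid is a constructed value
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{kid: &priv.PublicKey} // what a parsed JWKS would yield
	now := time.Now()
	claims := IDToken{Iss: issuer, Sub: "1234", Aud: "https://svc.example.test", EmailVerified: true, Exp: now.Add(time.Hour).Unix()}
	parts := strings.Split(signToken(priv, kid, claims), ".")
	_, err := VerifyIDToken(strings.Join(parts, "."), keys, issuer, now)
	valid = err == nil
	claims.Aud = "https://other.example.test" // new payload under the ORIGINAL signature
	body, _ := json.Marshal(claims)
	_, err = VerifyIDToken(parts[0]+"."+b64.EncodeToString(body)+"."+parts[2], keys, issuer, now)
	tampered = err != nil
	claims.Exp = now.Add(-time.Minute).Unix() // correctly signed, but already expired
	_, err = VerifyIDToken(signToken(priv, kid, claims), keys, issuer, now)
	expired = err != nil
	return
}
```

Note that a token passing every check here still has an unverified `aud` value, which is exactly the division of labour the page describes: VerifyIDToken establishes who signed it and that it is current, and the audience decision belongs to the caller.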
type JSONWebKeySet
type JSONWebKeySet struct {
// contains filtered or unexported fields
}
JSONWebKeySet implements a subset of the functionality described in RFC 7517.
It currently supports only RSA keys and the RS256 algorithm. It is intended to represent keys fetched from https://www.googleapis.com/oauth2/v3/certs.
It is used to verify ID token signatures.
func NewJSONWebKeySet
func NewJSONWebKeySet(parsed *JSONWebKeySetStruct) (*JSONWebKeySet, error)
NewJSONWebKeySet makes the keyset from raw JSON Web Key set struct.
type JSONWebKeySetStruct
type JSONWebKeySetStruct struct {
Keys []JSONWebKeyStruct `json:"keys"`
}
JSONWebKeySetStruct defines the JSON structure of JSONWebKeySet.
Read it from the wire and pass it to NewJSONWebKeySet to get a usable object.
See https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters. Only RSA public keys are of interest here, hence the use of 'n' and 'e'.
type JSONWebKeyStruct
type JSONWebKeyStruct struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	N   string `json:"n"` // raw URL-safe base64, NOT standard base64
	E   string `json:"e"` // same
}
JSONWebKeyStruct defines the JSON structure of a single key in the key set.
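An added example, not the package's own code, that reads a key-set document of exactly this shape back from JSON and converts its RSA/RS256 entries into rsa.PublicKey values, including the raw-URL-safe versus standard base64 distinction the N and E comments call out. The function name ParseKeySet, the 2048-bit minimum modulus and the rejection of duplicate or empty kids are this example's own choices; the key ids "k1"/"k2" and the document are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Same shape as the page's JSONWebKeyStruct and JSONWebKeySetStruct.
type JSONWebKeyStruct struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	N   string `json:"n"` // raw URL-safe base64, NOT standard base64
	E   string `json:"e"` // same
}

type JSONWebKeySetStruct struct {
	Keys []JSONWebKeyStruct `json:"keys"`
}

// ParseKeySet converts the RSA/RS256 entries of a key set into rsa.PublicKey values keyed
// by kid. Other key types and algorithms are skipped (the page's keyset supports only RSA
// and RS256). The 2048-bit minimum and the duplicate-kid rejection are this example's own
// policy choices; RawURLEncoding rejects '+', '/' and '=' so a standard-base64 n or e fails.
func ParseKeySet(set *JSONWebKeySetStruct) (map[string]*rsa.PublicKey, error) {
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Alg != "RS256" {
			continue
		}
		if _, dup := keys[k.Kid]; dup || k.Kid == "" {
			return nil, fmt.Errorf("missing or duplicate kid %q", k.Kid)
		}
		n, err := base64.RawURLEncoding.DecodeString(k.N)
		if err != nil {
			return nil, fmt.Errorf("key %q: n is not raw URL-safe base64: %w", k.Kid, err)
		}
		e, err := base64.RawURLEncoding.DecodeString(k.E)
		if err != nil {
			return nil, fmt.Errorf("key %q: e is not raw URL-safe base64: %w", k.Kid, err)
		}
		exp := new(big.Int).SetBytes(e)
		if !exp.IsInt64() || exp.Int64() < 3 || exp.Int64() > 1<<31-1 {
			return nil, fmt.Errorf("key %q: unusable public exponent", k.Kid)
		}
		mod := new(big.Int).SetBytes(n)
		if mod.BitLen() < 2048 {
			return nil, fmt.Errorf("key %q: modulus is only %d bits", k.Kid, mod.BitLen())
		}
		keys[k.Kid] = &rsa.PublicKey{N: mod, E: int(exp.Int64())}
	}
	if len(keys) == 0 {
		return nil, errors.New("no usable RS256 keys in set")
	}
	return keys, nil
}

// Demo builds a constructed key-set document around a fresh key, reads it back "from the
// wire", and then shows the failure mode for an n written in standard base64.
func Demo() (roundTrip bool, kept int, paddedRejected bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	good := JSONWebKeyStruct{Kty: "RSA", Alg: "RS256", Use: "sig", Kid: "k1", // kid is constructed
		N: base64.RawURLEncoding.EncodeToString(priv.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	ec := JSONWebKeyStruct{Kty: "EC", Alg: "ES256", Use: "sig", Kid: "k2"} // not RSA: skipped
	doc, _ := json.Marshal(JSONWebKeySetStruct{Keys: []JSONWebKeyStruct{ec, good}})
	var parsed JSONWebKeySetStruct
	if json.Unmarshal(doc, &parsed) != nil {
		return
	}
	keys, err := ParseKeySet(&parsed)
	if err == nil {
		kept = len(keys)
		roundTrip = keys["k1"].Equal(&priv.PublicKey)
	}
	good.N = base64.StdEncoding.EncodeToString(priv.N.Bytes()) // wrong alphabet, with '=' padding
	_, err = ParseKeySet(&JSONWebKeySetStruct{Keys: []JSONWebKeyStruct{good}})
	paddedRejected = err != nil
	return
}
```

Skipping non-RSA entries rather than failing on them matters in practice: a provider may publish keys of several types in one document, and a parser that rejects the whole set on the first unfamiliar entry turns a key rotation into an outage.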