View Source
const (
	ErrAuthContext    errors.ErrorCode = "AUTH_CONTEXT_SETUP_FAILED"
	ErrConfigFileRead errors.ErrorCode = "CONFIG_OPTION_FILE_READ_FAILED"
View Source
const (
	ErrSecureCookie errors.ErrorCode = "SECURE_COOKIE_ERROR"
	// #nosec
	ErrInvalidCsrfToken errors.ErrorCode = "CSRF_TOKEN_VALIDATION_FAILED"
View Source
const (
	ErrB64Decoding errors.ErrorCode = "BINARY_DECODING_FAILED"
	// #nosec
	ErrTokenNil errors.ErrorCode = "EMPTY_OAUTH_TOKEN"
View Source
const (
	RedirectURLParameter = "redirect_url"
	FromHTTPKey          = "from_http"
	FromHTTPVal          = "true"

	PrincipalContextKey contextutils.Key = "principal"
View Source
const (
	ErrRefreshingToken errors.ErrorCode = "TOKEN_REFRESH_FAILURE"
	ErrTokenExpired    errors.ErrorCode = "JWT_EXPIRED"
	ErrJwtValidation   errors.ErrorCode = "JWT_VERIFICATION_FAILED"
View Source
const AuthorizationResponseCodeType = "code"
View Source
const BearerScheme = "Bearer"
View Source
const CsrfFormKey = "state"

    OAuth2 Parameters

    View Source
    const DefaultAuthorizationHeader = "authorization"
    View Source
    const (
    	ErrIdpClient errors.ErrorCode = "IDP_REQUEST_FAILED"
    View Source
    const (
    	IdpConnectionTimeout = 10 * time.Second
    View Source
    const MetadataEndpoint = ".well-known/oauth-authorization-server" This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path

      View Source
      const OfflineAccessType = "offline_access"

        IDP specific

        View Source
        const OidcScope = "openid"
        View Source
        const ProfileScope = "profile"
        View Source
        const RefreshToken = "refresh_token"


        View Source
        var AllowedChars = []rune("abcdefghijklmnopqrstuvwxyz1234567890")


        func AuthenticationLoggingInterceptor

        func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

        func GetAndValidateTokenObjectFromContext

        func GetAndValidateTokenObjectFromContext(ctx context.Context, claims config.Claims,
        	provider *oidc.Provider) (*oidc.IDToken, error)

          This function attempts to extract a token from the context, and will then call the validation function, passing up any errors.

          func GetAuthenticationCustomMetadataInterceptor

          func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor

            This function produces a gRPC middleware interceptor intended to be used when running authentication with non-default gRPC headers (metadata). Because the default `authorization` header is reserved for use by Envoy, clients wishing to pass tokens to Admin will need to use a different string, specified in this package's Config object. This interceptor will scan for that arbitrary string, and then rename it to the default string, which the downstream auth/auditing interceptors will detect and validate.

            func GetAuthenticationInterceptor

            func GetAuthenticationInterceptor(authContext interfaces.AuthenticationContext) func(context.Context) (context.Context, error)

              This is the function that chooses to enforce or not enforce authentication. It will attempt to get the token from the incoming context, validate it, and decide whether or not to let the request through.

              func GetCallbackHandler

              func GetCallbackHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc

              func GetLoginHandler

              func GetLoginHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc

              func GetMeEndpointHandler

              func GetMeEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

                TODO: Add this to the Admin service IDL in Flyte IDL so that this can be exposed from gRPC as well. This returns a handler that will retrieve user info, from the OAuth2 authorization server. See the OpenID Connect spec at for more information.

                func GetMetadataEndpointRedirectHandler

                func GetMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc

                  This returns a handler that will redirect (303) to the well-known metadata endpoint for the OAuth2 authorization server See for more information.

                  func GetOauth2Config

                  func GetOauth2Config(options config.OAuthOptions) (oauth2.Config, error)

                    This creates a oauth2 library config object, with values from the Flyte Admin config

                    func GetRefreshedToken

                    func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)

                      Refresh a JWT

                      func HashCsrfState

                      func HashCsrfState(csrf string) string

                      func NewCsrfCookie

                      func NewCsrfCookie() http.Cookie

                      func NewCsrfToken

                      func NewCsrfToken(seed int64) string

                      func NewRedirectCookie

                      func NewRedirectCookie(ctx context.Context, redirectURL string) *http.Cookie

                        This function takes in a string and returns a cookie that's used to keep track of where to send the user after the OAuth2 login flow is complete.

                        func NewSecureCookie

                        func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte) (http.Cookie, error)

                        func ParseAndValidate

                        func ParseAndValidate(ctx context.Context, claims config.Claims, accessToken string,
                        	provider *oidc.Provider) (*oidc.IDToken, error)

                        func ReadSecureCookie

                        func ReadSecureCookie(ctx context.Context, cookie http.Cookie, hashKey, blockKey []byte) (string, error)

                        func RefreshTokensIfExists

                        func RefreshTokensIfExists(ctx context.Context, authContext interfaces.AuthenticationContext, handlerFunc http.HandlerFunc) http.HandlerFunc

                          Look for access token and refresh token, if both are present and the access token is expired, then attempt to refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to the landing page.

                          func VerifyCsrfCookie

                          func VerifyCsrfCookie(ctx context.Context, request *http.Request) error

                          func WithAuditFields

                          func WithAuditFields(ctx context.Context, clientIds []string, tokenIssuedAt time.Time) context.Context

                          func WithUserEmail

                          func WithUserEmail(ctx context.Context, email string) context.Context


                          type Context

                          type Context struct {
                          	// contains filtered or unexported fields

                            Please see the comment on the corresponding AuthenticationContext for more information.

                            func NewAuthenticationContext

                            func NewAuthenticationContext(ctx context.Context, options config.OAuthOptions) (Context, error)

                            func (Context) Claims

                            func (c Context) Claims() config.Claims

                            func (Context) CookieManager

                            func (c Context) CookieManager() interfaces.CookieHandler

                            func (Context) GetBaseURL

                            func (c Context) GetBaseURL() *url.URL

                            func (Context) GetHTTPClient

                            func (c Context) GetHTTPClient() *http.Client

                            func (Context) GetMetadataURL

                            func (c Context) GetMetadataURL() *url.URL

                            func (Context) GetUserInfoURL

                            func (c Context) GetUserInfoURL() *url.URL

                            func (Context) OAuth2Config

                            func (c Context) OAuth2Config() *oauth2.Config

                            func (Context) OidcProvider

                            func (c Context) OidcProvider() *oidc.Provider

                            func (Context) Options

                            func (c Context) Options() config.OAuthOptions

                            type CookieManager

                            type CookieManager struct {
                            	// contains filtered or unexported fields

                            func NewCookieManager

                            func NewCookieManager(ctx context.Context, hashKeyEncoded, blockKeyEncoded string) (CookieManager, error)

                            func (CookieManager) DeleteCookies

                            func (c CookieManager) DeleteCookies(ctx context.Context, writer http.ResponseWriter)

                            func (CookieManager) RetrieveTokenValues

                            func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (accessToken string,
                            	refreshToken string, err error)

                              TODO: Separate refresh token from access token, remove named returns, and use stdlib errors.

                              func (CookieManager) SetTokenCookies

                              func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error

                              type HTTPRequestToMetadataAnnotator

                              type HTTPRequestToMetadataAnnotator func(ctx context.Context, request *http.Request) metadata.MD

                              func GetHTTPMetadataTaggingHandler

                              func GetHTTPMetadataTaggingHandler(authContext interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator

                                Intercepts the incoming HTTP requests and marks it as such so that the downstream code can use it to enforce auth. See the enforceHTTP/Grpc options for more information.

                                func GetHTTPRequestCookieToMetadataHandler

                                func GetHTTPRequestCookieToMetadataHandler(authContext interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator

                                  This is effectively middleware for the grpc gateway, it allows us to modify the translation between HTTP request and gRPC request. There are two potential sources for bearer tokens, it can come from an authorization header (not yet implemented), or encrypted cookies. Note that when deploying behind Envoy, you have the option to look for a configurable, non-standard header name. The token is extracted and turned into a metadata object which is then attached to the request, from which the token is extracted later for verification.

                                  type UserInfoResponse

                                  type UserInfoResponse struct {
                                  	Sub               string `json:"sub"`
                                  	Name              string `json:"name"`
                                  	PreferredUsername string `json:"preferred_username"`
                                  	GivenName         string `json:"given_name"`
                                  	FamilyName        string `json:"family_name"`
                                  	Email             string `json:"email"`
                                  	Picture           string `json:"picture"`

                                    This struct represents what should be returned by an IDP according to the specification at


                                    Keep in mind that not all fields are necessarily populated, and additional fields may be present as well. This is a sample response object returned from Okta for instance

                                      "sub": "abc123",
                                      "name": "John Smith",
                                      "locale": "US",
                                      "preferred_username": "",
                                      "given_name": "John",
                                      "family_name": "Smith",
                                      "zoneinfo": "America/Los_Angeles",
                                      "updated_at": 1568750854


                                    Path Synopsis