

Constants

// Configuration keys for the OpenID identity feature, followed by the
// environment variables that override them (LookupConfig reads the config
// keys and then applies any ENV overrides). Default values live in
// DefaultKVS and the per-key descriptions in Help.
const (
	JwksURL     = "jwks_url"     // JSON Web Key Set URL; PopulatePublicKey loads public keys from it
	ConfigURL   = "config_url"   // OpenID discovery document URL (".well-known/openid-configuration")
	ClaimName   = "claim_name"   // JWT claim that carries the canned policy name (default: iampolicy.PolicyName)
	ClaimPrefix = "claim_prefix" // namespace prefix applied to the policy claim, e.g. "customer1/"
	ClientID    = "client_id"    // public identifier of the OpenID client application
	Scopes      = "scopes"       // comma-separated OpenID scopes; empty means the scopes advertised by the discovery document

	// Environment-variable counterparts of the keys above; when set, each one
	// overrides the matching config key (mapping inferred from the names,
	// see LookupConfig).
	EnvIdentityOpenIDClientID    = "MINIO_IDENTITY_OPENID_CLIENT_ID"    // overrides ClientID
	EnvIdentityOpenIDJWKSURL     = "MINIO_IDENTITY_OPENID_JWKS_URL"     // overrides JwksURL
	EnvIdentityOpenIDURL         = "MINIO_IDENTITY_OPENID_CONFIG_URL"   // overrides ConfigURL
	EnvIdentityOpenIDClaimName   = "MINIO_IDENTITY_OPENID_CLAIM_NAME"   // overrides ClaimName
	EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX" // overrides ClaimPrefix
	EnvIdentityOpenIDScopes      = "MINIO_IDENTITY_OPENID_SCOPES"       // overrides Scopes
)

    OpenID configuration keys and their environment variables.

    // Legacy environment variable kept for backward compatibility with older
    // deployments. It appears to be superseded by EnvIdentityOpenIDJWKSURL;
    // the migration is presumably handled by SetIdentityOpenID — confirm.
    const (
    	EnvIamJwksURL = "MINIO_IAM_JWKS_URL" // older name for the JWKS URL setting
    )

      Legacy environment variables.

      Variables

      // ECDSA signing-method instances for the ES3256/ES3384/ES3512 names.
      // They are only declared here; their initialization happens elsewhere in
      // the package and is not part of this listing.
      // NOTE(review): the method a verifier accepts should be fixed by its
      // configuration/key type, not taken from the token header — confirm in Validate.
      var (
      	SigningMethodES3256 *jwt.SigningMethodECDSA // presumably the P-256/SHA-256 variant — confirm
      	SigningMethodES3384 *jwt.SigningMethodECDSA // presumably the P-384/SHA-384 variant — confirm
      	SigningMethodES3512 *jwt.SigningMethodECDSA // presumably the P-521/SHA-512 variant — confirm
      )

        Specific signing-method instances for EC256 and related algorithms.

        // RSA (PKCS#1 v1.5) signing-method instances for the RS3256/RS3384/RS3512
        // names. They are only declared here; their initialization happens
        // elsewhere in the package and is not part of this listing.
        var (
        	SigningMethodRS3256 *jwt.SigningMethodRSA // presumably the SHA-256 variant — confirm
        	SigningMethodRS3384 *jwt.SigningMethodRSA // presumably the SHA-384 variant — confirm
        	SigningMethodRS3512 *jwt.SigningMethodRSA // presumably the SHA-512 variant — confirm
        )

          Specific signing-method instances for RS256 and related algorithms.

          // DefaultKVS holds the default value for every OpenID config key. All
          // keys default to empty except ClaimName, which defaults to the canned
          // policy claim name (iampolicy.PolicyName). An empty Scopes value means
          // the scopes advertised by the discovery document are used (see Help).
          var (
          	DefaultKVS = config.KVS{
          		config.KV{
          			Key:   ConfigURL, // discovery document URL; no default
          			Value: "",
          		},
          		config.KV{
          			Key:   ClientID, // no default; marked optional in Help
          			Value: "",
          		},
          		config.KV{
          			Key:   ClaimName, // the only non-empty default: the policy claim name
          			Value: iampolicy.PolicyName,
          		},
          		config.KV{
          			Key:   ClaimPrefix, // no prefix by default
          			Value: "",
          		},
          		config.KV{
          			Key:   Scopes, // empty: use scopes advertised by the discovery document
          			Value: "",
          		},
          		config.KV{
          			Key:   JwksURL, // no default; note that Help carries no entry for this key
          			Value: "",
          		},
          	}
          )

            DefaultKVS - default configuration values for the OpenID identity feature.

            // ErrTokenExpired is the error for a token whose expiry has passed.
            // Callers should compare with errors.Is rather than by string.
            var (
            	ErrTokenExpired = errors.New("token expired")
            )

              ErrTokenExpired - error indicating that the token has expired.

              // Help describes each OpenID config key for help output: its
              // description, value type and whether it is optional. Only ConfigURL
              // is required here; ClientID, ClaimName, ClaimPrefix and Scopes are
              // optional. JwksURL (present in DefaultKVS) has no help entry in this
              // listing.
              var (
              	Help = config.HelpKVS{
              		config.HelpKV{
              			Key:         ConfigURL, // required: not marked Optional
              			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"`,
              			Type:        "url",
              		},
              		config.HelpKV{
              			Key:         ClientID,
              			Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"`,
              			Type:        "string",
              			Optional:    true,
              		},
              		config.HelpKV{
              			Key:         ClaimName,
              			Description: `JWT canned policy claim name, defaults to "policy"`,
              			Optional:    true,
              			Type:        "string",
              		},
              		config.HelpKV{
              			Key:         ClaimPrefix,
              			Description: `JWT claim namespace prefix e.g. "customer1/"`,
              			Optional:    true,
              			Type:        "string",
              		},
              		config.HelpKV{
              			Key:         Scopes,
              			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
              			Optional:    true,
              			Type:        "csv",
              		},
              		config.HelpKV{
              			Key:         config.Comment, // free-form comment shared by all config sections
              			Description: config.DefaultComment,
              			Optional:    true,
              			Type:        "sentence",
              		},
              	}
              )

                Help template for OpenID identity feature.

                Functions

                func Enabled

                func Enabled(kvs config.KVS) bool

                  Enabled reports whether JWKS is enabled in the given config.

                  func GetDefaultExpiration

                  func GetDefaultExpiration(dsecs string) (time.Duration, error)

                    GetDefaultExpiration - returns the expiration duration derived from dsecs, which is expected to be given in seconds.

                    func SetIdentityOpenID

                    func SetIdentityOpenID(s config.Config, cfg Config)

                      SetIdentityOpenID - one-time migration code for converting the older OpenID configuration format to the new one.

                      Types

                      type Config

                      // Config holds the resolved OpenID settings for a JWT authentication
                      // target. LookupConfig builds it from the config keys plus ENV
                      // overrides, and the custom UnmarshalJSON on *Config decodes it from
                      // JSON, so the json tags below are its external representation.
                      type Config struct {
                      	// JWKS carries the JSON Web Key Set location that PopulatePublicKey reads.
                      	JWKS struct {
                      		URL *xnet.URL `json:"url"`
                      	} `json:"jwks"`
                      	URL          *xnet.URL `json:"url,omitempty"`         // presumably the discovery document URL (ConfigURL) — confirm
                      	ClaimPrefix  string    `json:"claimPrefix,omitempty"` // namespace prefix for the policy claim
                      	ClaimName    string    `json:"claimName,omitempty"`   // claim that carries the canned policy name
                      	DiscoveryDoc DiscoveryDoc                             // parsed openid-configuration document
                      	ClientID     string                                   // OpenID client identifier
                      	// contains filtered or unexported fields
                      }

                        Config - OpenID configuration and RSA authentication target arguments.

                        func LookupConfig

                        func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (c Config, err error)

                          LookupConfig looks up the JWKS settings from the config, overriding them with any environment variables that are set.

                          func (*Config) PopulatePublicKey

                          func (r *Config) PopulatePublicKey() error

                            PopulatePublicKey - populates a new public key from the JWKS URL.

                            func (*Config) UnmarshalJSON

                            func (r *Config) UnmarshalJSON(data []byte) error

                              UnmarshalJSON - decodes JSON data.

                              type DiscoveryDoc

                              // DiscoveryDoc holds the OpenID Connect Discovery 1.0 provider metadata
                              // decoded from an openid-configuration document; the json tags are the
                              // standard metadata names. Every field is optional on the wire.
                              // NOTE(review): Issuer is the value a verifier should compare against
                              // the token's "iss" claim, and JwksURI the key-set location — confirm
                              // how Validate/PopulatePublicKey use them.
                              type DiscoveryDoc struct {
                              	Issuer                           string   `json:"issuer,omitempty"`                                // provider's issuer identifier
                              	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`                // authorization endpoint URL
                              	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`                        // token endpoint URL
                              	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`                     // userinfo endpoint URL
                              	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`                   // token revocation endpoint URL
                              	JwksURI                          string   `json:"jwks_uri,omitempty"`                              // location of the provider's JSON Web Key Set
                              	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`              // OAuth 2.0 response_type values supported
                              	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`               // subject identifier types supported
                              	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"` // JWS algorithms the provider uses for ID tokens
                              	ScopesSupported                  []string `json:"scopes_supported,omitempty"`                      // scopes advertised; the default for Scopes when unset
                              	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"` // client authentication methods at the token endpoint
                              	ClaimsSupported                  []string `json:"claims_supported,omitempty"`                      // claim names the provider may supply
                              	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`      // PKCE code challenge methods supported
                              }

                                DiscoveryDoc - holds the parsed contents of an openid-configuration discovery document, for example https://accounts.google.com/.well-known/openid-configuration

                                type ID

                                // ID names an authentication validator target; Validators indexes providers by it.
                                type ID string

                                  ID - holds the identifying name of an authentication validator target.

                                  type JWKS

                                  // JWKS is a JSON Web Key / JSON Web Key Set as defined by RFC 7517
                                  // (https://tools.ietf.org/html/rfc7517). The same struct is used at
                                  // both levels of the document: the top-level object carries only Keys,
                                  // and each element of Keys describes one key with the remaining fields.
                                  // Which parameters are meaningful depends on Kty (RFC 7518).
                                  type JWKS struct {
                                  	Keys []*JWKS `json:"keys,omitempty"` // member keys of a key set; empty for a single key
                                  
                                  	Kty string `json:"kty"`           // key type, e.g. "EC", "RSA" or "oct"; selects which parameters below apply
                                  	Use string `json:"use,omitempty"` // intended public-key use ("sig" or "enc")
                                  	Kid string `json:"kid,omitempty"` // key identifier, typically matched against the token header's kid
                                  	Alg string `json:"alg,omitempty"` // algorithm the key is intended for
                                  
                                  	// EC parameters (kty "EC"): curve name and base64url affine coordinates.
                                  	Crv string `json:"crv,omitempty"`
                                  	X   string `json:"x,omitempty"`
                                  	Y   string `json:"y,omitempty"`
                                  	// D is PRIVATE key material (EC private key or RSA private exponent).
                                  	// A key set fetched from an identity provider must contain public keys
                                  	// only; DecodePublicKey returns a crypto.PublicKey, so this field is
                                  	// presumably ignored there — confirm it is never logged or re-emitted.
                                  	D   string `json:"d,omitempty"`
                                  	// RSA parameters (kty "RSA"): modulus and public exponent, base64url.
                                  	N   string `json:"n,omitempty"`
                                  	E   string `json:"e,omitempty"`
                                  	// K is a symmetric key value (kty "oct") and is likewise private material.
                                  	K   string `json:"k,omitempty"`
                                  }

                                    JWKS - https://tools.ietf.org/html/rfc7517

                                    func (*JWKS) DecodePublicKey

                                    func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error)

                                      DecodePublicKey - decodes a JSON Web Key (JWK) into a public key.

                                      type JWT

                                      // JWT is the OpenID/JWT authentication provider. It embeds Config, so
                                      // the resolved settings (JWKS URL, claim name and prefix, client ID,
                                      // discovery document) and Config's methods such as PopulatePublicKey
                                      // are promoted onto the provider. NewJWT constructs it, and ID and
                                      // Validate make it satisfy the Validator interface.
                                      type JWT struct {
                                      	Config // resolved OpenID configuration (promoted fields and methods)
                                      }

                                        JWT - holds the provider details for RS client grants.

                                        func NewJWT

                                        func NewJWT(c Config) *JWT

                                          NewJWT - initializes a new JWT authenticator.

                                          func (*JWT) ID

                                          func (p *JWT) ID() ID

                                            ID returns the provider name and authentication type.

                                            func (*JWT) Validate

                                            func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error)

                                              Validate - validates the access token.

                                              type Validator

                                              // Validator is the contract every authentication provider implements;
                                              // Validators stores and looks up providers by the value returned from ID.
                                              type Validator interface {
                                              	// Validate is a custom validator function for this provider,
                                              	// each validation is authenticationType or provider specific.
                                              	// It receives the raw token and a duration string (presumably in
                                              	// seconds, as GetDefaultExpiration expects — confirm) and returns
                                              	// the validated token contents on success or an error (for example
                                              	// ErrTokenExpired when the token is no longer valid).
                                              	Validate(token string, duration string) (map[string]interface{}, error)
                                              
                                              	// ID returns provider name of this provider.
                                              	ID() ID
                                              }

                                                Validator interface describes basic implementation requirements of various authentication providers.

                                                type Validators

                                                // Validators holds the registered authentication providers, indexed by
                                                // provider ID (see Add, Get and List). It embeds a sync.RWMutex that
                                                // guards the unexported provider index, so it must be used through a
                                                // pointer (NewValidators returns *Validators) and never copied.
                                                type Validators struct {
                                                	sync.RWMutex // guards the provider index below
                                                	// contains filtered or unexported fields
                                                }

                                                  Validators - holds the list of providers, indexed by provider ID.

                                                  func NewValidators

                                                  func NewValidators() *Validators

                                                    NewValidators - creates Validators.

                                                    func (*Validators) Add

                                                    func (list *Validators) Add(provider Validator) error

                                                      Add - adds a provider to the provider list; the provider ID must be unique.

                                                      func (*Validators) Get

                                                      func (list *Validators) Get(id ID) (p Validator, err error)

                                                        Get - returns the provider for the given ID, or an error if none is found.

                                                        func (*Validators) List

                                                        func (list *Validators) List() []ID

                                                          List - returns available provider IDs.