providers

package
v7.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 13, 2024 License: MIT Imports: 40 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	CodeChallengeMethodPlain = "plain"
	CodeChallengeMethodS256  = "S256"
)

Variables

View Source 
var (
	// ErrNotImplemented is returned when a provider did not override a default
	// implementation method that doesn't have sensible defaults
	ErrNotImplemented = errors.New("not implemented")

	// ErrMissingCode is returned when a Redeem method is called with an empty
	// code
	ErrMissingCode = errors.New("missing code")

	// ErrMissingIDToken is returned when an oidc.Token does not contain the
	// extra `id_token` field for an IDToken.
	ErrMissingIDToken = errors.New("missing id_token")

	// ErrMissingOIDCVerifier is returned when a provider didn't set `Verifier`
	// but an attempt to call `Verifier.Verify` was about to be made.
	ErrMissingOIDCVerifier = errors.New("oidc verifier is not configured")
)

Functions

This section is empty.

Types

type ADFSProvider added in v7.2.0 

type ADFSProvider struct {
	*OIDCProvider
	// contains filtered or unexported fields
}

ADFSProvider represents an ADFS based Identity Provider

func NewADFSProvider added in v7.2.0 

func NewADFSProvider(p *ProviderData, opts options.Provider) *ADFSProvider

NewADFSProvider initiates a new ADFSProvider

func (*ADFSProvider) EnrichSession added in v7.2.0 

func (p *ADFSProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession calls the OIDC ProfileURL to backfill any fields missing from the claims. If Email is missing, falls back to ADFS `upn` claim.

func (*ADFSProvider) GetLoginURL added in v7.2.0 

func (p *ADFSProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string

GetLoginURL Override to double encode the state parameter. If not query params are lost More info here: https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-saml2-settings

func (*ADFSProvider) RefreshSession added in v7.2.1 

func (p *ADFSProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession refreshes via the OIDC implementation. If email is missing, falls back to ADFS `upn` claim.

type AzureProvider 

type AzureProvider struct {
	*ProviderData
	Tenant          string
	GraphGroupField string
	// contains filtered or unexported fields
}

AzureProvider represents an Azure based Identity Provider

func NewAzureProvider 

func NewAzureProvider(p *ProviderData, opts options.AzureOptions) *AzureProvider

NewAzureProvider initiates a new AzureProvider

func (*AzureProvider) EnrichSession added in v7.1.0 

func (p *AzureProvider) EnrichSession(ctx context.Context, session *sessions.SessionState) error

EnrichSession enriches the session state with userID, mail and groups

func (*AzureProvider) GetLoginURL 

func (p *AzureProvider) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

func (*AzureProvider) Redeem 

func (p *AzureProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*AzureProvider) RefreshSession added in v7.2.0 

func (p *AzureProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

func (*AzureProvider) ValidateSession 

func (p *AzureProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type BitbucketProvider 

type BitbucketProvider struct {
	*ProviderData
	Team       string
	Repository string
}

BitbucketProvider represents an Bitbucket based Identity Provider

func NewBitbucketProvider 

func NewBitbucketProvider(p *ProviderData, opts options.BitbucketOptions) *BitbucketProvider

NewBitbucketProvider initiates a new BitbucketProvider

func (*BitbucketProvider) GetEmailAddress 

func (p *BitbucketProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the email of the authenticated user

type DigitalOceanProvider 

type DigitalOceanProvider struct {
	*ProviderData
}

DigitalOceanProvider represents a DigitalOcean based Identity Provider

func NewDigitalOceanProvider 

func NewDigitalOceanProvider(p *ProviderData) *DigitalOceanProvider

NewDigitalOceanProvider initiates a new DigitalOceanProvider

func (*DigitalOceanProvider) GetEmailAddress 

func (p *DigitalOceanProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address

func (*DigitalOceanProvider) ValidateSession 

func (p *DigitalOceanProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type FacebookProvider 

type FacebookProvider struct {
	*ProviderData
}

FacebookProvider represents an Facebook based Identity Provider

func NewFacebookProvider 

func NewFacebookProvider(p *ProviderData) *FacebookProvider

NewFacebookProvider initiates a new FacebookProvider

func (*FacebookProvider) GetEmailAddress 

func (p *FacebookProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address

func (*FacebookProvider) ValidateSession 

func (p *FacebookProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type GitHubProvider 

type GitHubProvider struct {
	*ProviderData
	Org   string
	Team  string
	Repo  string
	Token string
	Users []string
}

GitHubProvider represents an GitHub based Identity Provider

func NewGitHubProvider 

func NewGitHubProvider(p *ProviderData, opts options.GitHubOptions) *GitHubProvider

NewGitHubProvider initiates a new GitHubProvider

func (*GitHubProvider) EnrichSession 

func (p *GitHubProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession updates the User & Email after the initial Redeem

func (*GitHubProvider) ValidateSession 

func (p *GitHubProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type GitLabProvider 

type GitLabProvider struct {
	*OIDCProvider
	// contains filtered or unexported fields
}

GitLabProvider represents a GitLab based Identity Provider

func NewGitLabProvider 

func NewGitLabProvider(p *ProviderData, opts options.Provider) (*GitLabProvider, error)

NewGitLabProvider initiates a new GitLabProvider

func (*GitLabProvider) EnrichSession 

func (p *GitLabProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession enriches the session with the response from the userinfo API endpoint & projects API endpoint for allowed projects.

func (*GitLabProvider) RefreshSession added in v7.2.0 

func (p *GitLabProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession refreshes the session with the OIDCProvider implementation but preserves the custom GitLab projects added in the `EnrichSession` stage.

type GoogleProvider 

type GoogleProvider struct {
	*ProviderData

	RedeemRefreshURL *url.URL
	// contains filtered or unexported fields
}

GoogleProvider represents an Google based Identity Provider

func NewGoogleProvider 

func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProvider, error)

NewGoogleProvider initiates a new GoogleProvider

func (*GoogleProvider) EnrichSession 

func (p *GoogleProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error

EnrichSession checks the listed Google Groups configured and adds any that the user is a member of to session.Groups.

func (*GoogleProvider) Redeem 

func (p *GoogleProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*GoogleProvider) RefreshSession added in v7.2.0 

func (p *GoogleProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

type KeycloakOIDCProvider added in v7.2.0 

type KeycloakOIDCProvider struct {
	*OIDCProvider
}

KeycloakOIDCProvider creates a Keycloak provider based on OIDCProvider

func NewKeycloakOIDCProvider added in v7.2.0 

func NewKeycloakOIDCProvider(p *ProviderData, opts options.Provider) *KeycloakOIDCProvider

NewKeycloakOIDCProvider makes a KeycloakOIDCProvider using the ProviderData

func (*KeycloakOIDCProvider) CreateSessionFromToken added in v7.4.0 

func (p *KeycloakOIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)

CreateSessionFromToken converts Bearer IDTokens into sessions

func (*KeycloakOIDCProvider) EnrichSession added in v7.2.0 

func (p *KeycloakOIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*KeycloakOIDCProvider) RefreshSession added in v7.2.0 

func (p *KeycloakOIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession adds role extraction logic to the refresh flow

type KeycloakProvider 

type KeycloakProvider struct {
	*ProviderData
}

func NewKeycloakProvider 

func NewKeycloakProvider(p *ProviderData, opts options.KeycloakOptions) *KeycloakProvider

NewKeycloakProvider creates a KeyCloakProvider using the passed ProviderData

func (*KeycloakProvider) EnrichSession 

func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession uses the Keycloak userinfo endpoint to populate the session's email and groups.

func (*KeycloakProvider) ValidateSession added in v7.3.0 

func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type LinkedInProvider 

type LinkedInProvider struct {
	*ProviderData
}

LinkedInProvider represents an LinkedIn based Identity Provider

func NewLinkedInProvider 

func NewLinkedInProvider(p *ProviderData) *LinkedInProvider

NewLinkedInProvider initiates a new LinkedInProvider

func (*LinkedInProvider) GetEmailAddress 

func (p *LinkedInProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address

func (*LinkedInProvider) ValidateSession 

func (p *LinkedInProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type LoginGovProvider 

type LoginGovProvider struct {
	*ProviderData

	// TODO (@timothy-spencer): Ideally, the nonce would be in the session state, but the session state
	// is created only upon code redemption, not during the auth, when this must be supplied.
	Nonce     string
	JWTKey    *rsa.PrivateKey
	PubJWKURL *url.URL
}

LoginGovProvider represents an OIDC based Identity Provider

func NewLoginGovProvider 

func NewLoginGovProvider(p *ProviderData, opts options.LoginGovOptions) (*LoginGovProvider, error)

NewLoginGovProvider initiates a new LoginGovProvider

func (*LoginGovProvider) GetLoginURL 

func (p *LoginGovProvider) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

GetLoginURL overrides GetLoginURL to add login.gov parameters

func (*LoginGovProvider) Redeem 

func (p *LoginGovProvider) Redeem(ctx context.Context, _, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*LoginGovProvider) ValidateSession added in v7.3.0 

func (p *LoginGovProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type NextcloudProvider 

type NextcloudProvider struct {
	*ProviderData
}

NextcloudProvider represents an Nextcloud based Identity Provider

func NewNextcloudProvider 

func NewNextcloudProvider(p *ProviderData) *NextcloudProvider

NewNextcloudProvider initiates a new NextcloudProvider

func (*NextcloudProvider) EnrichSession added in v7.4.0 

func (p *NextcloudProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error

EnrichSession uses the Nextcloud userinfo endpoint to populate the session's email, user, and groups.

func (*NextcloudProvider) ValidateSession added in v7.4.0 

func (p *NextcloudProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

type OIDCProvider 

type OIDCProvider struct {
	*ProviderData

	SkipNonce bool
}

OIDCProvider represents an OIDC based Identity Provider

func NewOIDCProvider 

func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider

NewOIDCProvider initiates a new OIDCProvider

func (*OIDCProvider) CreateSessionFromToken 

func (p *OIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)

CreateSessionFromToken converts Bearer IDTokens into sessions

func (*OIDCProvider) EnrichSession 

func (p *OIDCProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*OIDCProvider) GetLoginURL added in v7.1.3 

func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string

GetLoginURL makes the LoginURL with optional nonce support

func (*OIDCProvider) Redeem 

func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem exchanges the OAuth2 authentication token for an ID token

func (*OIDCProvider) RefreshSession added in v7.2.0 

func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

func (*OIDCProvider) ValidateSession 

func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession checks that the session's IDToken is still valid

type Provider 

type Provider interface {
	Data() *ProviderData
	GetLoginURL(redirectURI, finalRedirect, nonce string, extraParams url.Values) string
	Redeem(ctx context.Context, redirectURI, code, codeVerifier string) (*sessions.SessionState, error)
	// Deprecated: Migrate to EnrichSession
	GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
	EnrichSession(ctx context.Context, s *sessions.SessionState) error
	Authorize(ctx context.Context, s *sessions.SessionState) (bool, error)
	ValidateSession(ctx context.Context, s *sessions.SessionState) bool
	RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
	CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)
}

Provider represents an upstream identity provider implementation

func NewProvider added in v7.3.0 

func NewProvider(providerConfig options.Provider) (Provider, error)

type ProviderData 

type ProviderData struct {
	ProviderName      string
	LoginURL          *url.URL
	RedeemURL         *url.URL
	ProfileURL        *url.URL
	ProtectedResource *url.URL
	ValidateURL       *url.URL
	ClientID          string
	ClientSecret      string
	ClientSecretFile  string
	Scope             string
	// The picked CodeChallenge Method or empty if none.
	CodeChallengeMethod string
	// Code challenge methods supported by the Provider
	SupportedCodeChallengeMethods []string `json:"code_challenge_methods_supported,omitempty"`

	// Common OIDC options for any OIDC-based providers to consume
	AllowUnverifiedEmail     bool
	UserClaim                string
	EmailClaim               string
	GroupsClaim              string
	Verifier                 internaloidc.IDTokenVerifier
	SkipClaimsFromProfileURL bool

	// Universal Group authorization data structure
	// any provider can set to consume
	AllowedGroups map[string]struct{}

	BackendLogoutURL string
	// contains filtered or unexported fields
}

ProviderData contains information required to configure all implementations of OAuth2 providers

func (*ProviderData) Authorize 

func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error)

Authorize performs global authorization on an authenticated session. This is not used for fine-grained per route authorization rules.

func (*ProviderData) CreateSessionFromToken 

func (p *ProviderData) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)

CreateSessionFromToken converts Bearer IDTokens into sessions

func (*ProviderData) Data 

func (p *ProviderData) Data() *ProviderData

Data returns the ProviderData

func (*ProviderData) EnrichSession 

func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*ProviderData) GetClientSecret 

func (p *ProviderData) GetClientSecret() (clientSecret string, err error)

func (*ProviderData) GetEmailAddress 

func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address Deprecated: Migrate to EnrichSession

func (*ProviderData) GetLoginURL 

func (p *ProviderData) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

GetLoginURL with typical oauth parameters codeChallenge and codeChallengeMethod are the PKCE challenge and method to append to the URL params. they will be empty strings if no code challenge should be presented

func (*ProviderData) LoginURLParams added in v7.3.0 

func (p *ProviderData) LoginURLParams(overrides url.Values) url.Values

LoginURLParams returns the parameter values that should be passed to the IdP login URL. This is the default set of parameters configured for this provider, optionally overridden by the given overrides (typically from the URL of the /oauth2/start request) according to the configured rules for this provider.

func (*ProviderData) Redeem 

func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)

Redeem provides a default implementation of the OAuth2 token redemption process The codeVerifier is set if a code_verifier parameter should be sent for PKCE

func (*ProviderData) RefreshSession added in v7.2.0 

func (p *ProviderData) RefreshSession(_ context.Context, _ *sessions.SessionState) (bool, error)

RefreshSession refreshes the user's session

func (*ProviderData) ValidateSession 

func (p *ProviderData) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.