Version: v1.19.1 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jan 27, 2021 License: Apache-2.0 Imports: 15 Imported by: 0


Authentication configuration for receivers

This module allows server types, such as gRPC and HTTP, to be configured to perform authentication for requests and/or RPCs. Each server type is responsible for getting the request/RPC metadata and passing down to the authenticator. Currently, only bearer token authentication is supported, although the module is ready to accept new authenticators.


        attribute: authorization
          issuer_ca_path: /etc/pki/tls/cert.pem
          client_id: my-oidc-client
          username_claim: email




This section is empty.


This section is empty.


func GroupsFromContext

func GroupsFromContext(ctx context.Context) ([]string, bool)

GroupsFromContext returns a list of groups the subject in the context belongs to

func SubjectFromContext

func SubjectFromContext(ctx context.Context) (string, bool)

SubjectFromContext returns a list of groups the subject in the context belongs to


type Authentication

type Authentication struct {
	// The attribute (header name) to look for auth data. Optional, default value: "authentication".
	Attribute string `mapstructure:"attribute"`

	// OIDC configures this receiver to use the given OIDC provider as the backend for the authentication mechanism.
	// Required.
	OIDC *OIDC `mapstructure:"oidc"`

Authentication defines the auth settings for the receiver

func (*Authentication) ToServerOptions

func (a *Authentication) ToServerOptions() ([]grpc.ServerOption, error)

ToServerOptions builds a set of server options ready to be used by the gRPC server

type Authenticator

type Authenticator interface {

	// Authenticate checks whether the given context contains valid auth data. Successfully authenticated calls will always return a nil error and a context with the auth data.
	Authenticate(context.Context, map[string][]string) (context.Context, error)

	// Start will
	Start(context.Context) error

	// UnaryInterceptor is a helper method to provide a gRPC-compatible UnaryInterceptor, typically calling the authenticator's Authenticate method.
	UnaryInterceptor(context.Context, interface{}, *grpc.UnaryServerInfo, grpc.UnaryHandler) (interface{}, error)

	// StreamInterceptor is a helper method to provide a gRPC-compatible StreamInterceptor, typically calling the authenticator's Authenticate method.
	StreamInterceptor(interface{}, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error

Authenticator will authenticate the incoming request/RPC

func NewAuthenticator

func NewAuthenticator(cfg Authentication) (Authenticator, error)

NewAuthenticator creates an authenticator based on the given configuration

type OIDC

type OIDC struct {
	// IssuerURL is the base URL for the OIDC provider.
	// Required.
	IssuerURL string `mapstructure:"issuer_url"`

	// Audience of the token, used during the verification.
	// For example: "" or "".
	// Required.
	Audience string `mapstructure:"audience"`

	// The local path for the issuer CA's TLS server cert.
	// Optional.
	IssuerCAPath string `mapstructure:"issuer_ca_path"`

	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
	// Optional.
	UsernameClaim string `mapstructure:"username_claim"`

	// The claim that holds the subject's group membership information.
	// Optional.
	GroupsClaim string `mapstructure:"groups_claim"`

OIDC defines the OpenID Connect properties for this processor

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL