Index ¶
- Constants
- Variables
- func GetEmailFromContext(ctx context.Context) (string, bool)
- func GetPrincipalNameAndTitle(principal *Principal) (name, title string)
- func GetSecretFromContext(ctx context.Context) (string, bool)
- func GetSuperUserFromContext(ctx context.Context) (bool, bool)
- func GetTokenFromContext(ctx context.Context) (string, bool)
- func SetContextWithEmail(ctx context.Context, email string) context.Context
- func SetContextWithPrincipal(ctx context.Context, p *Principal) context.Context
- func SetSuperUserInContext(ctx context.Context, isSuperUser bool) context.Context
- type AuthMethod
- type ClientAssertion
- type Config
- type Flow
- type FlowRepository
- type MailLinkConfig
- type MailOTPConfig
- type OIDCConfig
- type PassKeyConfig
- type Principal
- type RegistrationFinishRequest
- type RegistrationFinishResponse
- type RegistrationStartRequest
- type RegistrationStartResponse
- type Service
- func (s Service) BuildToken(ctx context.Context, principal Principal, metadata map[string]string) ([]byte, error)
- func (s Service) Close() error
- func (s Service) FinishFlow(ctx context.Context, request RegistrationFinishRequest) (*RegistrationFinishResponse, error)
- func (s Service) GetPrincipal(ctx context.Context, assertions ...ClientAssertion) (Principal, error)
- func (s Service) InitFlows(ctx context.Context) error
- func (s Service) JWKs(ctx context.Context) jwk.Set
- func (s Service) SanitizeCallbackURL(url string) string
- func (s Service) SanitizeReturnToURL(url string) string
- func (s Service) StartFlow(ctx context.Context, request RegistrationStartRequest) (*RegistrationStartResponse, error)
- func (s Service) SupportedStrategies() []string
- type ServiceUserService
- type SessionConfig
- type SessionMetadataHeaders
- type SessionService
- type TokenClaimConfig
- type TokenConfig
- type TokenService
- type UserService
Constants ¶
const (
	// MailOTPAuthMethod is the strategy that verifies a one-time password sent by mail.
	MailOTPAuthMethod = AuthMethod(strategy.MailOTPAuthMethod)
	// MailLinkAuthMethod is the strategy that verifies a magic link sent by mail.
	MailLinkAuthMethod = AuthMethod(strategy.MailLinkAuthMethod)
	// PassKeyAuthMethod is the strategy that verifies a WebAuthn passkey.
	// The underlying identifiers are owned by the strategy package.
	PassKeyAuthMethod = AuthMethod(strategy.PasskeyAuthMethod)
)
Variables ¶
var (
	// ErrStrategyNotApplicable: the selected strategy cannot handle the request.
	ErrStrategyNotApplicable = errors.New("strategy not applicable")
	// ErrUnsupportedMethod: the requested authentication method is not one of
	// the configured strategies (see SupportedStrategies).
	ErrUnsupportedMethod = errors.New("unsupported authentication method")
	// ErrInvalidMailOTP: the one-time password submitted for a mail OTP flow did not match.
	ErrInvalidMailOTP = errors.New("invalid mail otp")
	// ErrMissingOIDCCode: the OIDC callback arrived without the "code" query param.
	ErrMissingOIDCCode = errors.New("OIDC code is missing")
	// ErrInvalidOIDCState: the "state" returned by the OIDC provider did not match
	// the one issued for the flow.
	ErrInvalidOIDCState = errors.New("invalid auth state")
	// ErrFlowInvalid: the flow was not found or is past its ExpiresAt.
	ErrFlowInvalid = errors.New("invalid flow or expired")
)
// APIAssertions lists the client assertions accepted on API calls, in the order
// given here. Note that it includes PassthroughHeaderClientAssertion, which the
// ClientAssertion constants document as a non-secure mechanism meant for test
// environments; how callers restrict it in production is not shown here.
var APIAssertions = []ClientAssertion{
	SessionClientAssertion,
	AccessTokenClientAssertion,
	OpaqueTokenClientAssertion,
	JWTGrantClientAssertion,
	ClientCredentialsClientAssertion,
	PassthroughHeaderClientAssertion,
}
var (
	// ErrInvalidID: a user id was supplied that is not valid.
	ErrInvalidID = errors.New("user id is invalid")
)
Functions ¶
func GetEmailFromContext ¶
GetEmailFromContext returns the email stored in the context. Deprecated.
func GetPrincipalNameAndTitle ¶ added in v0.79.0
GetPrincipalNameAndTitle extracts name and title from a principal
func GetSuperUserFromContext ¶ added in v0.76.0
GetSuperUserFromContext returns the superuser flag from context
func SetContextWithEmail ¶
SetContextWithEmail stores the email in the context. Deprecated.
func SetContextWithPrincipal ¶
Types ¶
type AuthMethod ¶
// AuthMethod identifies an authentication strategy; see the MailOTPAuthMethod,
// MailLinkAuthMethod and PassKeyAuthMethod constants.
type AuthMethod string
func (AuthMethod) String ¶
func (m AuthMethod) String() string
type ClientAssertion ¶
// ClientAssertion names the way an API client proves its identity; the
// accepted values are the constants below.
type ClientAssertion string
const (
	// SessionClientAssertion is used to authenticate using session cookie
	SessionClientAssertion ClientAssertion = "session"
	// AccessTokenClientAssertion is used to authenticate using access token generated
	// by the system for the user
	AccessTokenClientAssertion ClientAssertion = "access_token"
	// OpaqueTokenClientAssertion is used to authenticate using opaque token generated
	// for API clients
	OpaqueTokenClientAssertion ClientAssertion = "opaque"
	// JWTGrantClientAssertion is used to authenticate using JWT token generated
	// using public/private key pair that provides access token for the client
	JWTGrantClientAssertion ClientAssertion = "jwt_grant"
	// ClientCredentialsClientAssertion is used to authenticate using client_id and client_secret
	// that provides access token for the client
	ClientCredentialsClientAssertion ClientAssertion = "client_credentials"
	// PassthroughHeaderClientAssertion is used to authenticate using headers passed by the client.
	// This is a non-secure way of authenticating a client, intended for test environments only:
	// the identity is taken on trust from request headers.
	PassthroughHeaderClientAssertion ClientAssertion = "passthrough_header"
)
func (ClientAssertion) String ¶
func (a ClientAssertion) String() string
type Config ¶
// Config holds the settings of the authentication service: where flows may
// redirect, which OIDC providers exist, and per-strategy options.
type Config struct {
	// CallbackURLs is external host used for redirect uri
	// host specified at 0th index will be used as default
	CallbackURLs []string `yaml:"callback_urls" mapstructure:"callback_urls" default:"[http://localhost:7400/v1beta1/auth/callback]"`
	// AuthorizedRedirectURLs is the allow-list of post-login redirect targets;
	// presumably what SanitizeReturnToURL checks against — confirm in the implementation.
	AuthorizedRedirectURLs []string `yaml:"authorized_redirect_urls" mapstructure:"authorized_redirect_urls" `
	// OIDCConfig holds one provider configuration per entry; the map key is
	// presumably the provider name used as Flow.Method — confirm.
	OIDCConfig map[string]OIDCConfig `yaml:"oidc_config" mapstructure:"oidc_config"`
	// Session configures the session cookie (secrets, validity, attributes).
	Session SessionConfig `yaml:"session" mapstructure:"session"`
	// Token configures signing keys and claims of issued access tokens.
	Token TokenConfig `yaml:"token" mapstructure:"token"`
	// MailOTP configures the mail one-time-password strategy.
	MailOTP MailOTPConfig `yaml:"mail_otp" mapstructure:"mail_otp"`
	// MailLink configures the magic-link strategy.
	MailLink MailLinkConfig `yaml:"mail_link" mapstructure:"mail_link"`
	// PassKey configures the WebAuthn relying party.
	PassKey PassKeyConfig `yaml:"passkey" mapstructure:"passkey"`
	// TestUsers configures test-only users; contents are defined in the testusers package.
	TestUsers testusers.Config `yaml:"test_users" mapstructure:"test_users"`
}
type Flow ¶
// Flow is the temporary state kept between StartFlow and FinishFlow for one
// login/registration attempt.
type Flow struct {
	// ID uniquely identifies the flow.
	ID uuid.UUID
	// authentication flow type
	Method string
	// Email is the email of the user
	Email string
	// StartURL is where flow should start from for verification
	StartURL string
	// FinishURL is where flow should end to after successful verification
	FinishURL string
	// Nonce is a one-time-use random string bound to this flow
	Nonce string
	// Metadata carries arbitrary per-flow data; its keys are not defined here.
	Metadata metadata.Metadata
	// CreatedAt will be used to clean-up dead auth flows
	CreatedAt time.Time
	// ExpiresAt is the time when the flow will expire
	ExpiresAt time.Time
}
Flow is a temporary state used to finish login/registration flows
type FlowRepository ¶
type MailLinkConfig ¶ added in v0.7.2
type MailOTPConfig ¶
type OIDCConfig ¶
// OIDCConfig describes one OpenID Connect provider.
type OIDCConfig struct {
	// ClientID is the OAuth client id registered at the provider.
	ClientID string `yaml:"client_id" mapstructure:"client_id"`
	// ClientSecret is the OAuth client secret; treat as sensitive configuration.
	ClientSecret string `yaml:"client_secret" mapstructure:"client_secret"`
	// IssuerUrl is the provider's issuer URL (discovery base).
	IssuerUrl string `yaml:"issuer_url" mapstructure:"issuer_url"`
	// Validity defaults to 15m; presumably bounds how long an OIDC flow may
	// stay open before it is treated as expired — confirm in the implementation.
	Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"15m"`
}
type PassKeyConfig ¶ added in v0.7.14
// PassKeyConfig configures the WebAuthn Relying Party used by the passkey strategy.
type PassKeyConfig struct {
	// RPDisplayName configures the display name for the Relying Party Server. This can be any string.
	RPDisplayName string `yaml:"rpdisplayname" mapstructure:"rpdisplayname"`
	// RPID configures the Relying Party Server ID. This should generally be the origin without a scheme and port.
	RPID string `yaml:"rpid" mapstructure:"rpid"`
	// RPOrigins configures the list of Relying Party Server Origins that are permitted. These should be fully
	// qualified origins. Requests from origins outside this list are expected to be rejected by WebAuthn.
	RPOrigins []string `yaml:"rporigins" mapstructure:"rporigins"`
}
type Principal ¶
// Principal is the authenticated identity resolved from a request: either a
// user or a service user.
type Principal struct {
	// ID is the unique identifier of principal
	ID string
	// Type is the namespace of principal
	// E.g. app/user, app/serviceuser
	Type string
	// User is set for user principals; presumably nil otherwise — confirm.
	User *user.User
	// ServiceUser is set for service-user principals; presumably nil otherwise — confirm.
	ServiceUser *serviceuser.ServiceUser
}
type RegistrationStartRequest ¶
// RegistrationStartRequest is the input of Service.StartFlow.
type RegistrationStartRequest struct {
	// Method selects the authentication strategy (see AuthMethod).
	Method string
	// ReturnToURL is where flow should end to after successful verification
	ReturnToURL string
	// Email is the address the flow is started for.
	Email string
	// callback_url will be used by strategy as last step to finish authentication flow
	// in OIDC this host will receive "state" and "code" query params, in case of magic links
	// this will be the url where user is redirected after clicking on magic link.
	// For most cases it could be host of frontier but in case of proxies, this will be proxy public endpoint.
	// callback_url should be one of the allowed urls configured at instance level
	CallbackUrl string
}
type Service ¶
func NewService ¶
func NewService(logger log.Logger, config Config, flowRepo FlowRepository, mailDialer mailer.Dialer, tokenService TokenService, sessionService SessionService, userService UserService, serviceUserService ServiceUserService, webAuthConfig *webauthn.WebAuthn) *Service
func (Service) BuildToken ¶
func (s Service) BuildToken(ctx context.Context, principal Principal, metadata map[string]string) ([]byte, error)
BuildToken creates an access token for the given principal.
func (Service) FinishFlow ¶
func (s Service) FinishFlow(ctx context.Context, request RegistrationFinishRequest) (*RegistrationFinishResponse, error)
func (Service) GetPrincipal ¶
func (Service) SanitizeCallbackURL ¶ added in v0.7.2
SanitizeCallbackURL allows a callback URL only when its host is on the allow-listed domains from config.
func (Service) SanitizeReturnToURL ¶ added in v0.7.2
SanitizeReturnToURL allows a redirect only to allow-listed domains from config, to avoid unvalidated redirects; see https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
func (Service) StartFlow ¶
func (s Service) StartFlow(ctx context.Context, request RegistrationStartRequest) (*RegistrationStartResponse, error)
func (Service) SupportedStrategies ¶
type ServiceUserService ¶
// ServiceUserService is the lookup interface the authentication service needs
// for service-user principals.
type ServiceUserService interface {
	// Get returns the service user with the given id.
	Get(ctx context.Context, id string) (serviceuser.ServiceUser, error)
	// GetByJWT resolves a service user from a JWT presented by the client
	// (see JWTGrantClientAssertion).
	GetByJWT(ctx context.Context, token string) (serviceuser.ServiceUser, error)
	// GetBySecret resolves a service user from a client id/secret pair
	// (see ClientCredentialsClientAssertion).
	GetBySecret(ctx context.Context, clientID, clientSecret string) (serviceuser.ServiceUser, error)
}
type SessionConfig ¶
// SessionConfig configures the session cookie. The tag defaults for the two
// secret keys are placeholders of the expected length (32 chars) and are not
// meant to be used as-is; deployments should set their own values.
type SessionConfig struct {
	// HashSecretKey is the key used to authenticate the cookie; the default is a placeholder.
	HashSecretKey string `mapstructure:"hash_secret_key" yaml:"hash_secret_key" default:"hash-secret-should-be-32-chars--"`
	// BlockSecretKey is the key used to encrypt the cookie; the default is a placeholder.
	BlockSecretKey string `mapstructure:"block_secret_key" yaml:"block_secret_key" default:"block-secret-should-be-32-chars-"`
	// Domain is the cookie Domain attribute; empty by default.
	Domain string `mapstructure:"domain" yaml:"domain" default:""`
	// SameSite can be set to "default", "lax", "strict" or "none"
	SameSite string `mapstructure:"same_site" yaml:"same_site" default:"lax"`
	// Validity is the duration for which the session is valid
	Validity time.Duration `mapstructure:"validity" yaml:"validity" default:"720h"`
	// Secure presumably maps to the cookie Secure attribute; it defaults to false,
	// so it must be enabled explicitly for HTTPS deployments — confirm in the implementation.
	Secure bool `mapstructure:"secure" yaml:"secure" default:"false"`
	// Headers configuration for session metadata collection
	Headers SessionMetadataHeaders `yaml:"headers" mapstructure:"headers"`
}
type SessionMetadataHeaders ¶ added in v0.75.0
// SessionMetadataHeaders names the request headers from which session metadata
// is read. These values come from request headers, so they are only as
// trustworthy as the proxy that sets them; a client can supply them directly
// when no trusted proxy strips or overrides them.
type SessionMetadataHeaders struct {
	// ClientIP is the header carrying the client address (default x-forwarded-for).
	ClientIP string `yaml:"client_ip" mapstructure:"client_ip" default:"x-forwarded-for"`
	// ClientCountry is the header carrying the client's country.
	ClientCountry string `yaml:"client_country" mapstructure:"client_country" default:"x-frontier-country"`
	// ClientCity is the header carrying the client's city.
	ClientCity string `yaml:"client_city" mapstructure:"client_city" default:"x-frontier-city"`
	// ClientLatitude is the header carrying the client's latitude.
	ClientLatitude string `yaml:"client_latitude" mapstructure:"client_latitude" default:"x-frontier-latitude"`
	// ClientLongitude is the header carrying the client's longitude.
	ClientLongitude string `yaml:"client_longitude" mapstructure:"client_longitude" default:"x-frontier-longitude"`
	// ClientUserAgent is the header carrying the user agent string.
	ClientUserAgent string `yaml:"client_user_agent" mapstructure:"client_user_agent" default:"User-Agent"`
}
type SessionService ¶
type TokenClaimConfig ¶ added in v0.8.0
type TokenConfig ¶
// TokenConfig configures the keys, issuer and claims of issued access tokens.
type TokenConfig struct {
	// Path to rsa key file, it can contain more than one key as a json array
	// jwt will be signed by first key, but will be tried to be decoded by all matching key ids, this helps in key rotation.
	// If not provided, access token will not be generated
	RSAPath string `yaml:"rsa_path" mapstructure:"rsa_path"`
	// RSABase64 is base64 encoded rsa key, it can contain more than one key as a json array
	// (same key-rotation semantics as RSAPath).
	RSABase64 string `yaml:"rsa_base64" mapstructure:"rsa_base64"`
	// Issuer uniquely identifies the service that issued the token
	// a good example could be fully qualified domain name
	Issuer string `yaml:"iss" mapstructure:"iss" default:"frontier"`
	// Validity is the duration for which the token is valid
	Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"1h"`
	// Claims configures which claims are placed in the token; see TokenClaimConfig.
	Claims TokenClaimConfig `yaml:"claims" mapstructure:"claims"`
}
type TokenService ¶ added in v0.31.0