Documentation
Index
- Constants
- func GetRequestTokens(r *http.Request) (string, string, error)
- type Claims
- type TokenAuth
- func (t *TokenAuth) AuthorizeRequestPermissions(claims *Claims, request *http.Request) error
- func (t *TokenAuth) AuthorizeRequestScope(claims *Claims, request *http.Request) error
- func (t *TokenAuth) CheckRequestTokens(r *http.Request) (*Claims, error)
- func (t *TokenAuth) CheckToken(token string, purpose string) (*Claims, error)
- func (t *TokenAuth) SetBlacklistSize(size int)
- func (t *TokenAuth) ValidateCsrfTokenClaims(accessClaims *Claims, csrfClaims *Claims) error
- func (t *TokenAuth) ValidatePermissionsClaim(claims *Claims, requiredPermissions []string) error
- func (t *TokenAuth) ValidateScopeClaim(claims *Claims, requiredScope string) error
Constants
const (
AudRokwire string = "rokwire"
)
Variables
This section is empty.
Functions
func GetRequestTokens
GetRequestTokens retrieves tokens from the request headers and/or cookies.
Mobile Clients/Secure Servers: Access tokens must be provided as a Bearer token in the "Authorization" header.
Web Clients: Access tokens must be provided in the "rokwire-access-token" cookie and CSRF tokens must be provided in the "CSRF" header.
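The token placement rules above can be sketched as follows. This is an added example, not the package's own code: extractTokens is a hypothetical helper, and the precedence of the header over the cookie and the rejection of a cookie token without a CSRF header are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Cookie and header names taken from the documentation above.
const (
	accessCookie = "rokwire-access-token"
	csrfHeader   = "CSRF"
)

// extractTokens is a hypothetical helper, not the package's GetRequestTokens.
// Assumptions: a Bearer header takes precedence over the cookie, and a
// cookie-borne access token without a CSRF header is rejected outright.
func extractTokens(r *http.Request) (access, csrf string, err error) {
	if h := r.Header.Get("Authorization"); h != "" {
		scheme, token, ok := strings.Cut(h, " ")
		token = strings.TrimSpace(token)
		if !ok || !strings.EqualFold(scheme, "Bearer") || token == "" {
			return "", "", errors.New("malformed Authorization header")
		}
		// Mobile client / secure server: no CSRF token accompanies a Bearer token.
		return token, "", nil
	}
	c, cerr := r.Cookie(accessCookie)
	if cerr != nil || c.Value == "" {
		return "", "", errors.New("no access token in header or cookie")
	}
	// Browsers attach cookies automatically, so the CSRF header must be present.
	csrf = r.Header.Get(csrfHeader)
	if csrf == "" {
		return "", "", errors.New("cookie access token without CSRF header")
	}
	return c.Value, csrf, nil
}

func main() {
	// Constructed request imitating a web client; token values are placeholders.
	r, _ := http.NewRequest(http.MethodGet, "https://service.example/api", nil)
	r.AddCookie(&http.Cookie{Name: accessCookie, Value: "access.jwt.sample"})
	r.Header.Set(csrfHeader, "csrf.jwt.sample")
	access, csrf, err := extractTokens(r)
	fmt.Println(access, csrf, err)
}
```

Extraction only locates the tokens; they still have to be verified, for example with CheckToken and ValidateCsrfTokenClaims.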
Types
type Claims
type Claims struct {
	// Required Standard Claims: sub, aud, exp, iat
	jwt.StandardClaims
	OrgID       string `json:"org_id" validate:"required"`
	AppID       string `json:"app_id"`
	Purpose     string `json:"purpose" validate:"required"`
	AuthType    string `json:"auth_type" validate:"required"`
	Permissions string `json:"permissions"`
	Scope       string `json:"scope"`
	Anonymous   bool   `json:"anonymous"`

	//TODO: Once the new user ID scheme has been adopted across all services these claims should be removed
	UID   string `json:"uid,omitempty"`
	Email string `json:"email,omitempty"`
	Phone string `json:"phone,omitempty"`
}
Claims represents the standard claims included in access tokens
type TokenAuth
type TokenAuth struct {
// contains filtered or unexported fields
}
TokenAuth contains configurations and helper functions required to validate tokens
func NewTokenAuth
func NewTokenAuth(acceptRokwireTokens bool, authService *authservice.AuthService, permissionAuth authorization.Authorization, scopeAuth authorization.Authorization) (*TokenAuth, error)
NewTokenAuth creates and configures a new TokenAuth instance. The authorization parameters may be nil if performing manual authorization.
func (*TokenAuth) AuthorizeRequestPermissions (added in v0.1.12)
AuthorizeRequestPermissions will authorize the request if the permissions claim passes the permissionsAuth
Returns nil on success and error on failure.
func (*TokenAuth) AuthorizeRequestScope (added in v0.1.12)
AuthorizeRequestScope will authorize the request if the scope claim passes the scopeAuth
Returns nil on success and error on failure.
func (*TokenAuth) CheckRequestTokens
CheckRequestTokens is a convenience function which retrieves and checks any tokens included in a request and returns the access token claims.
Mobile Clients/Secure Servers: Access tokens must be provided as a Bearer token in the "Authorization" header.
Web Clients: Access tokens must be provided in the "rokwire-access-token" cookie and CSRF tokens must be provided in the "CSRF" header.
func (*TokenAuth) CheckToken
CheckToken validates the provided token and returns the token claims
func (*TokenAuth) SetBlacklistSize (added in v0.1.11)
SetBlacklistSize sets the maximum size of the token blacklist queue.
The default value is 1024.
func (*TokenAuth) ValidateCsrfTokenClaims
ValidateCsrfTokenClaims will validate that the CSRF token claims appropriately match the access token claims
Returns nil on success and error on failure.
func (*TokenAuth) ValidatePermissionsClaim
ValidatePermissionsClaim will validate that the provided token claims contain one or more of the required permissions
Returns nil on success and error on failure.
func (*TokenAuth) ValidateScopeClaim
ValidateScopeClaim will validate that the provided token claims contain the required scope.
If an empty required scope is provided, the claims must contain a valid global scope such as 'all' or '{service}:all'.
Returns nil on success and error on failure.