oauthflow

package
Version: v1.4.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 21, 2022 License: Apache-2.0 Imports: 20 Imported by: 9

Documentation

Overview

Package oauthflow implements OAuth/OIDC support for device and token flows

Package oauthflow contains utilities to obtain OAuth2/OIDC tokens.

Index

Constants

View Source
const (
	// SigstoreDeviceURL specifies the Device Code endpoint for the public good Sigstore service
	/* #nosec */
	// Deprecated: this constant (while correct) should not be used
	SigstoreDeviceURL = "https://oauth2.sigstore.dev/auth/device/code"
	// SigstoreTokenURL specifies the Token endpoint for the public good Sigstore service
	/* #nosec */
	// Deprecated: this constant (while correct) should not be used
	SigstoreTokenURL = "https://oauth2.sigstore.dev/auth/device/token"
)
View Source
const (
	// PublicInstanceGithubAuthSubURL Default connector ids used by `oauth2.sigstore.dev` for Github
	PublicInstanceGithubAuthSubURL = "https://github.com/login/oauth"
	// PublicInstanceGoogleAuthSubURL Default connector ids used by `oauth2.sigstore.dev` for Google
	PublicInstanceGoogleAuthSubURL = "https://accounts.google.com"
	// PublicInstanceMicrosoftAuthSubURL Default connector ids used by `oauth2.sigstore.dev` for Microsoft
	PublicInstanceMicrosoftAuthSubURL = "https://login.microsoftonline.com"
)
View Source
const (
	// PKCES256 is the SHA256 option required by the PKCE RFC
	PKCES256 = "S256"
)

Variables

View Source
var DefaultIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage: soauth.InteractiveSuccessHTML,
}

DefaultIDTokenGetter is the default implementation. The HTML page and message printed to the terminal can be customized.

View Source
var PublicInstanceGithubIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage:           DefaultIDTokenGetter.HTMLPage,
	ExtraAuthURLParams: []oauth2.AuthCodeOption{ConnectorIDOpt(PublicInstanceGithubAuthSubURL)},
}

PublicInstanceGithubIDTokenGetter is a `oauth2.sigstore.dev` flow selecting github as an Idp Flow is based on `DefaultIDTokenGetter` fields

View Source
var PublicInstanceGoogleIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage:           DefaultIDTokenGetter.HTMLPage,
	ExtraAuthURLParams: []oauth2.AuthCodeOption{ConnectorIDOpt(PublicInstanceGoogleAuthSubURL)},
}

PublicInstanceGoogleIDTokenGetter is a `oauth2.sigstore.dev` flow selecting github as an Idp Flow is based on `DefaultIDTokenGetter` fields

View Source
var PublicInstanceMicrosoftIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage:           DefaultIDTokenGetter.HTMLPage,
	ExtraAuthURLParams: []oauth2.AuthCodeOption{ConnectorIDOpt(PublicInstanceMicrosoftAuthSubURL)},
}

PublicInstanceMicrosoftIDTokenGetter is a `oauth2.sigstore.dev` flow selecting microsoft as an Idp Flow is based on `DefaultIDTokenGetter` fields

Functions

func ConnectorIDOpt added in v1.1.0

func ConnectorIDOpt(prov string) oauth2.AuthCodeOption

ConnectorIDOpt requests the value of prov as a the connector_id (either on URL or in form body) on the initial request; this is used by Dex

func SubjectFromToken

func SubjectFromToken(tok *oidc.IDToken) (string, error)

SubjectFromToken extracts the subject claim from an OIDC Identity Token

Types

type DeviceFlowTokenGetter

type DeviceFlowTokenGetter struct {
	MessagePrinter func(string)
	Sleeper        func(time.Duration)
	Issuer         string
	// contains filtered or unexported fields
}

DeviceFlowTokenGetter fetches an OIDC Identity token using the Device Code Grant flow as specified in RFC8628

func NewDeviceFlowTokenGetter

func NewDeviceFlowTokenGetter(issuer, codeURL, _ string) *DeviceFlowTokenGetter

NewDeviceFlowTokenGetter creates a new DeviceFlowTokenGetter that retrieves an OIDC Identity Token using a Device Code Grant Deprecated: NewDeviceFlowTokenGetter is deprecated; use NewDeviceFlowTokenGetterForIssuer() instead

func NewDeviceFlowTokenGetterForIssuer added in v1.4.0

func NewDeviceFlowTokenGetterForIssuer(issuer string) *DeviceFlowTokenGetter

NewDeviceFlowTokenGetterForIssuer creates a new DeviceFlowTokenGetter that retrieves an OIDC Identity Token using a Device Code Grant

func (*DeviceFlowTokenGetter) CodeURL

func (d *DeviceFlowTokenGetter) CodeURL() (string, error)

CodeURL fetches the device authorization endpoint URL from the provider's well-known configuration endpoint

func (*DeviceFlowTokenGetter) GetIDToken

func (d *DeviceFlowTokenGetter) GetIDToken(p *oidc.Provider, cfg oauth2.Config) (*OIDCIDToken, error)

GetIDToken gets an OIDC ID Token from the specified provider using the device code grant flow

type InteractiveIDTokenGetter

type InteractiveIDTokenGetter struct {
	HTMLPage           string
	ExtraAuthURLParams []oauth2.AuthCodeOption
	Input              io.Reader
	Output             io.Writer
}

InteractiveIDTokenGetter is a type to get ID tokens for oauth flows

func (*InteractiveIDTokenGetter) GetIDToken

GetIDToken gets an OIDC ID Token from the specified provider using an interactive browser session

func (*InteractiveIDTokenGetter) GetInput added in v1.3.0

func (i *InteractiveIDTokenGetter) GetInput() io.Reader

GetInput returns the input reader for the token getter. If one is not set, it defaults to stdin.

func (*InteractiveIDTokenGetter) GetOutput added in v1.3.0

func (i *InteractiveIDTokenGetter) GetOutput() io.Writer

GetOutput returns the output writer for the token getter. If one is not set, it defaults to stderr.

type OIDCIDToken

type OIDCIDToken struct {
	RawString string // RawString provides the raw token (a base64-encoded JWT) value
	Subject   string // Subject is the extracted subject from the raw token
}

OIDCIDToken represents an OIDC Identity Token

func OIDConnect

func OIDConnect(issuer, id, secret, redirectURL string, tg TokenGetter) (*OIDCIDToken, error)

OIDConnect requests an OIDC Identity Token from the specified issuer using the specified client credentials and TokenGetter NOTE: If the redirectURL is empty a listener on localhost:0 is configured with '/auth/callback' as default path.

type PKCE

type PKCE struct {
	Challenge string
	Method    string
	Value     string
}

PKCE specifies the challenge and value pair required to fulfill RFC7636

func NewPKCE

func NewPKCE(provider *oidc.Provider) (*PKCE, error)

NewPKCE creates a new PKCE challenge for the specified provider per its supported methods (obtained through OIDC discovery endpoint)

func (*PKCE) AuthURLOpts

func (p *PKCE) AuthURLOpts() []oauth2.AuthCodeOption

AuthURLOpts returns the set of request parameters required during the initial exchange of the OAuth2 flow

func (*PKCE) TokenURLOpts

func (p *PKCE) TokenURLOpts() []oauth2.AuthCodeOption

TokenURLOpts returns the set of request parameters required during the token request exchange flow

type StaticTokenGetter

type StaticTokenGetter struct {
	RawToken string
}

StaticTokenGetter is a token getter that works on a JWT that is already known

func (*StaticTokenGetter) GetIDToken

func (stg *StaticTokenGetter) GetIDToken(_ *oidc.Provider, _ oauth2.Config) (*OIDCIDToken, error)

GetIDToken extracts an OIDCIDToken from the raw token *without verification*

type TokenGetter

type TokenGetter interface {
	GetIDToken(provider *oidc.Provider, config oauth2.Config) (*OIDCIDToken, error)
}

TokenGetter provides a way to get an OIDC ID Token from an OIDC IdP

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL