Documentation

Index
- Constants
- Variables
- func DeleteAccessToken(ctx context.Context, provider string, token string) error
- func GetUserClaimFromContext[T any](ctx context.Context, claim string) (T, bool)
- func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
- func GetUserSubjectFromContext(ctx context.Context) string
- func NewOAuthConfig(provider string, cli bool) (*oauth2.Config, error)
- func NewProviderHttpClient(provider string) *http.Client
- func RegisterOAuthFlags(v *viper.Viper, flags *pflag.FlagSet) error
- func ValidateProviderToken(_ context.Context, provider string, token string) error
- func WithAuthTokenContext(ctx context.Context, token openid.Token) context.Context
- type Identity
- type IdentityClient
- type IdentityProvider
- type JwkSetJwtValidator
- type JwtValidator
- type KeySetCache
- type KeySetFetcher
- type Resolver
Constants
const (
// Google OAuth2 provider
Google = "google"
// Github OAuth2 provider
Github = "github"
// GitHubApp provider
GitHubApp = "github-app"
)
Variables
var OAuthSuccessHtml []byte
OAuthSuccessHtml is the html page sent to the client upon successful enrollment via CLI
Functions
func DeleteAccessToken
DeleteAccessToken deletes the access token for a given provider
func GetUserClaimFromContext (added in v0.0.35)
GetUserClaimFromContext returns the specified claim from the user subject in the context if found and of the correct type
func GetUserForGitHubId (added in v0.0.39)
func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
GetUserForGitHubId looks up a user in Keycloak by their GitHub ID. This is a temporary implementation until we have a proper interface in front of IDP implementations.
If the user is found, it returns their subject _in Keycloak_, suitable for use in the `sub` claim of a JWT, and in OpenFGA's user field. Note that this function may return a user of "" with no error if no users were found matching the GitHub ID.
func GetUserSubjectFromContext (added in v0.0.24)
GetUserSubjectFromContext returns the user subject from the context, or nil
func NewOAuthConfig
NewOAuthConfig creates a new OAuth2 config for the given provider, tailored to whether the client is a CLI or a web client
func NewProviderHttpClient
NewProviderHttpClient creates a new HTTP client for the given provider
func RegisterOAuthFlags
RegisterOAuthFlags registers client ID and secret file flags for all known providers. This is pretty tied into the internals of the auth module, so it lives here, but it would be nice if we had a consistent registration pattern (database flags are registered in the config module).
func ValidateProviderToken
ValidateProviderToken validates the given token for the given provider
Types
type Identity (added in v0.0.48)
type Identity struct {
// UserID is a stable unique identifier for the user. This may be a large
// integer or a UUID, rather than something human-readable.
//
// For KeyCloak, this is `sub`.
UserID string
// HumanName is a human-readable name. Because humans are fickle, these may
// not be unique or stable over time, though they should be unique at any
// particular time. For example, Alex may change their handle from
// "alexsmith" to "alexawesome" after a life change, and someone else might
// enroll the "alexsmith" handle. If you are storing data, you want UserID,
// not HumanName. If you are presenting data, you probably want HumanName.
//
// For KeyCloak, this is `preferred_username`. For some other providers,
// this might be an email address.
HumanName string
// Provider is the identity provider that vended this identity. Note that
// UserID and HumanName are only unique within the context of a single
// identity provider.
Provider IdentityProvider
}
Identity represents a particular user's identity in a particular trust domain (represented by an IdentityProvider).
type IdentityClient (added in v0.0.48)
type IdentityClient struct {
// contains filtered or unexported fields
}
IdentityClient supports the ability to look up identities in one or more IdentityProviders.
func NewIdentityClient (added in v0.0.48)
func NewIdentityClient(providers ...IdentityProvider) (*IdentityClient, error)
NewIdentityClient creates a new IdentityClient with the supplied providers.
func (*IdentityClient) Register (added in v0.0.48)
func (c *IdentityClient) Register(p IdentityProvider) error
Register registers a new identity provider with the client.
type IdentityProvider (added in v0.0.48)
type IdentityProvider interface {
Resolver
// String returns the name of the identity provider. This should be a short
// one-word string suitable for presentation. As a special case, a _single_
// provider may use the empty string as its name to act as a default / fallback
// provider.
String() string
// URL returns the `iss` URL of the identity provider.
URL() url.URL
}
IdentityProvider provides an abstract interface for looking up identities in a remote identity provider.
type JwkSetJwtValidator
type JwkSetJwtValidator struct {
// contains filtered or unexported fields
}
JwkSetJwtValidator is a JWT validator that uses a JWK set URL to validate the tokens
func (*JwkSetJwtValidator) ParseAndValidate
func (j *JwkSetJwtValidator) ParseAndValidate(tokenString string) (openid.Token, error)
ParseAndValidate validates a token string and returns an OpenID token, or an error if the token is invalid
type JwtValidator
JwtValidator provides the functions to validate a JWT
func NewJwtValidator
func NewJwtValidator(ctx context.Context, jwksUrl string) (JwtValidator, error)
NewJwtValidator creates a new JWT validator that uses a JWK set URL to validate the tokens
type KeySetCache
type KeySetCache struct {
// contains filtered or unexported fields
}
KeySetCache is a KeySetFetcher that fetches the JWK set from a cache
type KeySetFetcher
KeySetFetcher provides the functions to fetch a JWK set
type Resolver (added in v0.0.48)
type Resolver interface {
// Validate validates a token and returns an underlying identity representation
// suitable for use in authz calls. This _probably_ reads data from the token,
// but could fetch from an external provider.
Validate(ctx context.Context, token jwt.Token) (*Identity, error)
// Resolve takes either a human-readable identifier or a stable identifier and
// returns the underlying identity. This may involve looking up or defining
// the identity in the remote identity provider.
//
// For Keycloak + GitHub, this may define a new user in Keycloak based on
// GitHub user data if the user is not already known to Keycloak.
Resolve(ctx context.Context, id string) (*Identity, error)
}
Resolver is an interface for resolving human-readable or stable identifiers from either JWTs or stored strings
Directories

| Path | Synopsis |
|---|---|
| keycloak | Package keycloak provides an implementation of the Keycloak IdentityProvider. |
| keycloak/client | Package client provides primitives to interact with the openapi HTTP API. |
| mock_auth | Package mock_auth is a generated GoMock package. |
| noop | Package noop provides a no-op implementation of the JwtValidator interface |