Documentation
¶
Overview ¶
Package auth provides authentication and authorization utilities.
Package auth provides authentication and authorization utilities.
Package auth provides authentication and authorization utilities.
Package auth provides authentication and authorization utilities.
Index ¶
- Constants
- Variables
- func AnonymousMiddleware(next http.Handler) http.Handler
- func CreateMiddleware(config *types.MiddlewareConfig, runner types.MiddlewareRunner) error
- func EscapeQuotes(s string) string
- func GetAuthenticationMiddleware(ctx context.Context, oidcConfig *TokenValidatorConfig) (func(http.Handler) http.Handler, http.Handler, error)
- func GetClaimsFromContext(ctx context.Context) (jwt.MapClaims, bool)
- func LocalUserMiddleware(username string) func(http.Handler) http.Handler
- func NewAuthInfoHandler(issuer, jwksURL, resourceURL string, scopes []string) http.Handler
- type ClaimsContextKey
- type Middleware
- type MiddlewareParams
- type OIDCDiscoveryDocument
- type RFC9728AuthInfo
- type TokenValidator
- type TokenValidatorConfig
Constants ¶
const (
MiddlewareType = "auth"
)
Middleware type constant
Variables ¶
var ( ErrNoToken = errors.New("no token provided") ErrInvalidToken = errors.New("invalid token") ErrTokenExpired = errors.New("token expired") ErrInvalidIssuer = errors.New("invalid issuer") ErrInvalidAudience = errors.New("invalid audience") ErrMissingJWKSURL = errors.New("missing JWKS URL") ErrFailedToFetchJWKS = errors.New("failed to fetch JWKS") ErrFailedToDiscoverOIDC = errors.New("failed to discover OIDC configuration") ErrMissingIssuerAndJWKSURL = errors.New("either issuer or JWKS URL must be provided") )
Common errors
Functions ¶
func AnonymousMiddleware ¶ added in v0.0.38
AnonymousMiddleware creates an HTTP middleware that sets up anonymous claims. This is useful for testing and local environments where authorization policies need to work without requiring actual authentication.
The middleware sets up basic anonymous claims that can be used by authorization policies, allowing them to function even when authentication is disabled. This is heavily discouraged in production settings but is handy for testing and local development environments.
func CreateMiddleware ¶ added in v0.2.8
func CreateMiddleware(config *types.MiddlewareConfig, runner types.MiddlewareRunner) error
CreateMiddleware factory function for authentication middleware
func EscapeQuotes ¶ added in v0.2.13
EscapeQuotes escapes quotes in a string for use in a quoted-string context.
func GetAuthenticationMiddleware ¶ added in v0.0.38
func GetAuthenticationMiddleware(ctx context.Context, oidcConfig *TokenValidatorConfig, ) (func(http.Handler) http.Handler, http.Handler, error)
GetAuthenticationMiddleware returns the appropriate authentication middleware based on the configuration. If OIDC config is provided, it returns JWT middleware. Otherwise, it returns local user middleware.
func GetClaimsFromContext ¶ added in v0.0.38
GetClaimsFromContext retrieves the claims from the request context. This is a helper function that can be used by authorization policies to access the claims regardless of which middleware was used (JWT, anonymous, or local).
Returns the claims and a boolean indicating whether claims were found.
func LocalUserMiddleware ¶ added in v0.0.38
LocalUserMiddleware creates an HTTP middleware that sets up local user claims. This allows specifying a local username while still bypassing authentication.
This middleware is useful for development and testing scenarios where you want to simulate a specific user without going through the full authentication flow. Like AnonymousMiddleware, this is heavily discouraged in production settings.
Types ¶
type ClaimsContextKey ¶
type ClaimsContextKey struct{}
ClaimsContextKey is the key used to store claims in the request context.
type Middleware ¶ added in v0.2.8
type Middleware struct {
// contains filtered or unexported fields
}
Middleware wraps authentication middleware functionality
func (*Middleware) AuthInfoHandler ¶ added in v0.2.8
func (m *Middleware) AuthInfoHandler() http.Handler
AuthInfoHandler returns the authentication info handler.
func (*Middleware) Close ¶ added in v0.2.8
func (*Middleware) Close() error
Close cleans up any resources used by the middleware.
func (*Middleware) Handler ¶ added in v0.2.8
func (m *Middleware) Handler() types.MiddlewareFunction
Handler returns the middleware function used by the proxy.
type MiddlewareParams ¶ added in v0.2.8
type MiddlewareParams struct {
OIDCConfig *TokenValidatorConfig `json:"oidc_config,omitempty"`
}
MiddlewareParams represents the parameters for authentication middleware
type OIDCDiscoveryDocument ¶ added in v0.0.39
type OIDCDiscoveryDocument struct {
Issuer string `json:"issuer"`
AuthorizationEndpoint string `json:"authorization_endpoint"`
TokenEndpoint string `json:"token_endpoint"`
UserinfoEndpoint string `json:"userinfo_endpoint"`
JWKSURI string `json:"jwks_uri"`
IntrospectionEndpoint string `json:"introspection_endpoint"`
}
OIDCDiscoveryDocument represents the OIDC discovery document structure
type RFC9728AuthInfo ¶ added in v0.2.4
type RFC9728AuthInfo struct {
Resource string `json:"resource"`
AuthorizationServers []string `json:"authorization_servers"`
BearerMethodsSupported []string `json:"bearer_methods_supported"`
JWKSURI string `json:"jwks_uri"`
ScopesSupported []string `json:"scopes_supported"`
}
RFC9728AuthInfo represents the OAuth Protected Resource metadata as defined in RFC 9728
type TokenValidator ¶ added in v0.1.3
type TokenValidator struct {
// contains filtered or unexported fields
}
TokenValidator validates JWT or opaque tokens using OIDC configuration.
func NewTokenValidator ¶ added in v0.1.3
func NewTokenValidator(ctx context.Context, config TokenValidatorConfig) (*TokenValidator, error)
NewTokenValidator creates a new token validator.
func (*TokenValidator) Middleware ¶ added in v0.1.3
func (v *TokenValidator) Middleware(next http.Handler) http.Handler
Middleware creates an HTTP middleware that validates JWT tokens.
func (*TokenValidator) ValidateToken ¶ added in v0.1.3
func (v *TokenValidator) ValidateToken(ctx context.Context, tokenString string) (jwt.MapClaims, error)
ValidateToken validates a token.
type TokenValidatorConfig ¶ added in v0.1.3
type TokenValidatorConfig struct {
// Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)
Issuer string
// Audience is the expected audience for the token
Audience string
// JWKSURL is the URL to fetch the JWKS from
JWKSURL string
// ClientID is the OIDC client ID
ClientID string
// ClientSecret is the optional OIDC client secret for introspection
ClientSecret string
// CACertPath is the path to the CA certificate bundle for HTTPS requests
CACertPath string
// AuthTokenFile is the path to file containing bearer token for authentication
AuthTokenFile string
// AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses
AllowPrivateIP bool
// IntrospectionURL is the optional introspection endpoint for validating tokens
IntrospectionURL string
// ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)
ResourceURL string
// contains filtered or unexported fields
}
TokenValidatorConfig contains configuration for the token validator.
func NewTokenValidatorConfig ¶ added in v0.1.3
func NewTokenValidatorConfig(issuer, audience, jwksURL, clientID string, clientSecret string) *TokenValidatorConfig
NewTokenValidatorConfig creates a new TokenValidatorConfig with the provided parameters
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package discovery provides authentication discovery utilities for detecting authentication requirements from remote servers.
|
Package discovery provides authentication discovery utilities for detecting authentication requirements from remote servers. |
|
Package oauth provides OAuth 2.0 and OIDC authentication functionality.
|
Package oauth provides OAuth 2.0 and OIDC authentication functionality. |