Constants ¶
// OAuth 2.0 "grant_type" values. Each is the literal string placed in the
// token request form for the corresponding flow.
const (
	// OAuthGrantTypeDeviceCode is the "grant_type" identifier used in device flow
	OAuthGrantTypeDeviceCode = "device_code"

	// OAuthGrantTypeClientCredentials is the "grant_type" identifier used in credential flows
	OAuthGrantTypeClientCredentials = "client_credentials"

	// OAuthGrantTypeRefreshToken is the "grant_type" identifier used in refresh token flows
	OAuthGrantTypeRefreshToken = "refresh_token"
)
Variables ¶
// Sentinel errors for the device code flow. Each is created once at package
// init and is a distinct value, so callers compare with == or errors.Is rather
// than by message text. logPrefix is a package-level string defined outside
// this excerpt.
var (
	// ErrDeviceGeneric represents an unknown error from the token endpoint when using device flow
	ErrDeviceGeneric = fmt.Errorf("%s Error while retrieving OAuth token: Unknown Error", logPrefix)

	// ErrDeviceAccessDenied represents an access denied error from the token endpoint when using device flow
	ErrDeviceAccessDenied = fmt.Errorf("%s Error while retrieving OAuth token: Access Denied", logPrefix)

	// ErrDeviceAuthorizationPending represents the server waiting on the user to complete the device flow
	// (WaitForUserCompletion keeps polling while CheckForUserCompletion returns this).
	ErrDeviceAuthorizationPending = fmt.Errorf("%s Error while retrieving OAuth token: Authorization Pending", logPrefix)

	// ErrDeviceCodeExpired represents the server timing out and expiring the code during device flow
	ErrDeviceCodeExpired = fmt.Errorf("%s Error while retrieving OAuth token: Code Expired", logPrefix)

	// ErrDeviceSlowDown represents the service telling us we're polling too often during device flow
	ErrDeviceSlowDown = fmt.Errorf("%s Error while retrieving OAuth token: Slow Down", logPrefix)

	// ErrDeviceCodeEmpty represents an empty device code from the device endpoint while using device flow
	ErrDeviceCodeEmpty = fmt.Errorf("%s Error while retrieving device code: Device Code Empty", logPrefix)

	// ErrOAuthTokenEmpty represents an empty OAuth token from the token endpoint when using device flow
	ErrOAuthTokenEmpty = fmt.Errorf("%s Error while retrieving OAuth token: Token Empty", logPrefix)
)
Functions ¶
func GetMSIVMEndpoint ¶
GetMSIVMEndpoint gets the MSI endpoint on Virtual Machines.
Types ¶
type DeviceCode ¶
// DeviceCode is the object returned by the device auth endpoint. It contains
// the information needed to instruct the user to complete the auth flow, plus
// the locally stored values needed later to exchange the code for a Token.
type DeviceCode struct {
	// Fields decoded from the device endpoint's JSON response. ExpiresIn and
	// Interval carry the ",string" tag option, so the endpoint sends them as
	// quoted numbers and encoding/json decodes them into *int64.
	// NOTE(review): DeviceCode appears to be the value later presented to the
	// token endpoint, while UserCode/VerificationURL/Message are what the user
	// is shown — confirm against CheckForUserCompletion before logging any of them.
	DeviceCode      *string `json:"device_code,omitempty"`
	UserCode        *string `json:"user_code,omitempty"`
	VerificationURL *string `json:"verification_url,omitempty"`
	ExpiresIn       *int64  `json:"expires_in,string,omitempty"`
	Interval        *int64  `json:"interval,string,omitempty"`
	Message         *string `json:"message"`

	// Azure specific
	Resource string

	// store the following, stored when initiating, used when exchanging
	// These three fields carry no json tag, so encoding/json would still emit
	// them under their Go field names if a DeviceCode were marshalled.
	OAuthConfig OAuthConfig
	ClientID    string
}
DeviceCode is the object returned by the device auth endpoint. It contains information to instruct the user to complete the auth flow.
func InitiateDeviceAuth ¶
func InitiateDeviceAuth(sender Sender, oauthConfig OAuthConfig, clientID, resource string) (*DeviceCode, error)
InitiateDeviceAuth initiates a device auth flow. It returns a DeviceCode that can be used with CheckForUserCompletion or WaitForUserCompletion.
type OAuthConfig ¶
// OAuthConfig represents the endpoints needed in OAuth operations. The fields
// are url.URL values rather than strings; NewOAuthConfig builds them from an
// Active Directory endpoint and a tenant ID.
type OAuthConfig struct {
	AuthorityEndpoint  url.URL
	AuthorizeEndpoint  url.URL
	TokenEndpoint      url.URL
	DeviceCodeEndpoint url.URL
}
OAuthConfig represents the endpoints needed in OAuth operations
func NewOAuthConfig ¶
func NewOAuthConfig(activeDirectoryEndpoint, tenantID string) (*OAuthConfig, error)
NewOAuthConfig returns an OAuthConfig with tenant-specific URLs.
type OAuthTokenProvider ¶
// OAuthTokenProvider is an interface which should be implemented by an access
// token retriever. *Token satisfies it through its OAuthToken method.
type OAuthTokenProvider interface {
	// OAuthToken returns the current access token string.
	OAuthToken() string
}
OAuthTokenProvider is an interface which should be implemented by an access token retriever
type Refresher ¶
// Refresher is an interface for token refresh functionality.
// *ServicePrincipalToken implements all three methods.
type Refresher interface {
	// Refresh obtains a fresh token.
	Refresh() error
	// RefreshExchange refreshes the token, but for a different resource.
	RefreshExchange(resource string) error
	// EnsureFresh refreshes only when the token will expire within the
	// configured window (SetRefreshWithin) and auto-refresh is enabled.
	EnsureFresh() error
}
Refresher is an interface for token refresh functionality
type SendDecorator ¶
SendDecorator takes and possibly decorates, by wrapping, a Sender. Decorators may affect the http.Request and pass it along or, first, pass the http.Request along and then react to the http.Response result.
type Sender ¶
Sender is the interface that wraps the Do method to send HTTP requests.
The standard http.Client conforms to this interface.
func CreateSender ¶
func CreateSender(decorators ...SendDecorator) Sender
CreateSender creates, decorates, and returns, as a Sender, the default http.Client.
func DecorateSender ¶
func DecorateSender(s Sender, decorators ...SendDecorator) Sender
DecorateSender accepts a Sender and a, possibly empty, set of SendDecorators, which it applies to the Sender. Decorators are applied in the order received, but their effect upon the request depends on whether they are a pre-decorator (change the http.Request and then pass it along) or a post-decorator (pass the http.Request along and react to the results in http.Response).
type SenderFunc ¶
SenderFunc is a method that implements the Sender interface.
type ServicePrincipalCertificateSecret ¶
// ServicePrincipalCertificateSecret implements ServicePrincipalSecret for
// generic RSA cert auth with signed JWTs. Certificate is the client
// certificate; PrivateKey is its private key, used by SignJwt to sign the JWT
// and therefore a credential that must be kept out of logs and dumps.
type ServicePrincipalCertificateSecret struct {
	Certificate *x509.Certificate
	PrivateKey  *rsa.PrivateKey
}
ServicePrincipalCertificateSecret implements ServicePrincipalSecret for generic RSA cert auth with signed JWTs.
func (*ServicePrincipalCertificateSecret) SetAuthenticationValues ¶
func (secret *ServicePrincipalCertificateSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret. It will populate the form submitted during oAuth Token Acquisition using a JWT signed with a certificate.
func (*ServicePrincipalCertificateSecret) SignJwt ¶
func (secret *ServicePrincipalCertificateSecret) SignJwt(spt *ServicePrincipalToken) (string, error)
SignJwt returns the JWT signed with the certificate's private key.
type ServicePrincipalMSISecret ¶
// ServicePrincipalMSISecret implements ServicePrincipalSecret for machines
// running the MSI Extension. It has no fields: no credential is held in
// process (presumably the token is fetched from the MSI endpoint instead —
// confirm against SetAuthenticationValues).
type ServicePrincipalMSISecret struct{}
ServicePrincipalMSISecret implements ServicePrincipalSecret for machines running the MSI Extension.
func (*ServicePrincipalMSISecret) SetAuthenticationValues ¶
func (msiSecret *ServicePrincipalMSISecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
type ServicePrincipalNoSecret ¶
// ServicePrincipalNoSecret represents a secret type that contains no secret,
// meaning it is not valid for fetching a fresh token; its
// SetAuthenticationValues only ever returns an error. Used for manually
// supplied tokens.
type ServicePrincipalNoSecret struct{}
ServicePrincipalNoSecret represents a secret type that contains no secret, meaning it is not valid for fetching a fresh token. This is used for manually supplied tokens.
func (*ServicePrincipalNoSecret) SetAuthenticationValues ¶
func (noSecret *ServicePrincipalNoSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret. For the ServicePrincipalNoSecret type it only returns an error.
type ServicePrincipalSecret ¶
// ServicePrincipalSecret is an interface that allows various secret
// mechanisms to fill the form that is submitted when acquiring an oAuth token.
// Implementations include ServicePrincipalTokenSecret (client_secret),
// ServicePrincipalCertificateSecret (signed JWT), ServicePrincipalMSISecret
// and ServicePrincipalNoSecret (always errors).
type ServicePrincipalSecret interface {
	// SetAuthenticationValues adds this secret's credential fields to the
	// token request form values for spt.
	SetAuthenticationValues(spt *ServicePrincipalToken, values *url.Values) error
}
ServicePrincipalSecret is an interface that allows various secret mechanisms to fill the form that is submitted when acquiring an oAuth token.
type ServicePrincipalToken ¶
// ServicePrincipalToken encapsulates a Token created for a Service Principal.
// Embedding Token promotes its exported fields (AccessToken, RefreshToken,
// ExpiresOn, ...) and its OAuthToken method onto *ServicePrincipalToken. The
// unexported configuration is not shown here; it is set through the
// NewServicePrincipalToken* constructors and the SetSender, SetAutoRefresh and
// SetRefreshWithin methods.
type ServicePrincipalToken struct {
	Token
	// contains filtered or unexported fields
}
ServicePrincipalToken encapsulates a Token created for a Service Principal.
func NewServicePrincipalToken ¶
func NewServicePrincipalToken(oauthConfig OAuthConfig, clientID string, secret string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalToken creates a ServicePrincipalToken from the supplied Service Principal credentials scoped to the named resource.
func NewServicePrincipalTokenFromCertificate ¶
func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID string, certificate *x509.Certificate, privateKey *rsa.PrivateKey, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromCertificate creates a ServicePrincipalToken from the supplied certificate and private key.
func NewServicePrincipalTokenFromMSI ¶
func NewServicePrincipalTokenFromMSI(msiEndpoint, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromMSI creates a ServicePrincipalToken via the MSI VM Extension.
func NewServicePrincipalTokenFromManualToken ¶
func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID string, resource string, token Token, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromManualToken creates a ServicePrincipalToken using the supplied token
func NewServicePrincipalTokenWithSecret ¶
func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, resource string, secret ServicePrincipalSecret, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenWithSecret creates a ServicePrincipalToken using the supplied ServicePrincipalSecret implementation.
func (*ServicePrincipalToken) EnsureFresh ¶
func (spt *ServicePrincipalToken) EnsureFresh() error
EnsureFresh will refresh the token if it will expire within the refresh window (as set by SetRefreshWithin) and the autoRefresh flag (see SetAutoRefresh) is on.
func (*ServicePrincipalToken) InvokeRefreshCallbacks ¶
func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error
InvokeRefreshCallbacks calls any TokenRefreshCallbacks that were added to the SPT during initialization
func (*ServicePrincipalToken) Refresh ¶
func (spt *ServicePrincipalToken) Refresh() error
Refresh obtains a fresh token for the Service Principal.
func (*ServicePrincipalToken) RefreshExchange ¶
func (spt *ServicePrincipalToken) RefreshExchange(resource string) error
RefreshExchange refreshes the token, but for a different resource.
func (*ServicePrincipalToken) SetAutoRefresh ¶
func (spt *ServicePrincipalToken) SetAutoRefresh(autoRefresh bool)
SetAutoRefresh enables or disables automatic refreshing of stale tokens.
func (*ServicePrincipalToken) SetRefreshWithin ¶
func (spt *ServicePrincipalToken) SetRefreshWithin(d time.Duration)
SetRefreshWithin sets the interval within which if the token will expire, EnsureFresh will refresh the token.
func (*ServicePrincipalToken) SetSender ¶
func (spt *ServicePrincipalToken) SetSender(s Sender)
SetSender sets the Sender (for example an http.Client) used when obtaining the Service Principal token. An undecorated http.Client is used by default.
type ServicePrincipalTokenSecret ¶
// ServicePrincipalTokenSecret implements ServicePrincipalSecret for
// client_secret type authorization. ClientSecret is a credential: its
// SetAuthenticationValues copies it into the token request form.
type ServicePrincipalTokenSecret struct {
	ClientSecret string
}
ServicePrincipalTokenSecret implements ServicePrincipalSecret for client_secret type authorization.
func (*ServicePrincipalTokenSecret) SetAuthenticationValues ¶
func (tokenSecret *ServicePrincipalTokenSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret. It will populate the form submitted during oAuth Token Acquisition using the client_secret.
type Token ¶
// Token encapsulates the access token used to authorize Azure requests. The
// JSON tags follow the OAuth token response keys; none is omitempty, so a
// zero Token still marshals every key. The expiry fields are kept as the
// strings the endpoint sent rather than being parsed into time values.
//
// AccessToken and RefreshToken are credentials. SaveToken(path, mode, token)
// writes the whole struct to disk, so the mode argument is the caller's only
// control over who can read them there.
type Token struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    string `json:"expires_in"`
	ExpiresOn    string `json:"expires_on"`
	NotBefore    string `json:"not_before"`
	Resource     string `json:"resource"`
	Type         string `json:"token_type"`
}
Token encapsulates the access token used to authorize Azure requests.
func CheckForUserCompletion ¶
func CheckForUserCompletion(sender Sender, code *DeviceCode) (*Token, error)
CheckForUserCompletion takes a DeviceCode and checks with the Azure AD OAuth endpoint to see whether the device flow has been completed, timed out, or otherwise failed.
func WaitForUserCompletion ¶
func WaitForUserCompletion(sender Sender, code *DeviceCode) (*Token, error)
WaitForUserCompletion calls CheckForUserCompletion repeatedly until a token is granted or an error state occurs. This prevents the user from looping and checking against 'ErrDeviceAuthorizationPending'.
func (*Token) OAuthToken ¶
OAuthToken returns the current access token.
type TokenError ¶
// TokenError is the object returned by the token exchange endpoint when
// something is amiss. Because Error is a *string field, the type cannot also
// have an Error() method and so does not itself satisfy the error interface.
// TraceID and Timestamp identify the failed request on the service side and
// are the values to quote when investigating a failure.
type TokenError struct {
	Error            *string `json:"error,omitempty"`
	ErrorCodes       []int   `json:"error_codes,omitempty"`
	ErrorDescription *string `json:"error_description,omitempty"`
	Timestamp        *string `json:"timestamp,omitempty"`
	TraceID          *string `json:"trace_id,omitempty"`
}
TokenError is the object returned by the token exchange endpoint when something is amiss
type TokenRefreshCallback ¶
TokenRefreshCallback is the type representing callbacks that will be called after a successful token refresh