oidc

package
v0.0.0-...-afa1830
Published: Apr 13, 2021 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Constants

const JWTStaticSignature = "wedontmindaboutsigningfornow"

JWTStaticSignature is the key used to sign JWTs internally. We don't bother with a secret one for now, since the JWT only travels inside our internal and private network.

Variables

This section is empty.

Functions

func GetSignedToken

func GetSignedToken(ac AccessClaims) (string, error)

GetSignedToken transforms an AccessClaims structure into a JWT

func SetAccessClaimsJWT

func SetAccessClaimsJWT(ctx context.Context, jwt string) context.Context

SetAccessClaimsJWT overrides the current in-context access claims JWT value.

func SetAccesses

func SetAccesses(ctx context.Context, acc *AccessClaims) context.Context

SetAccesses returns ctx with AccessClaims set inside it using accessContextKey

func UsingTokenMode

func UsingTokenMode() func(*PrivateKeyJWTAuthenticator)

UsingTokenMode sets tokenMode to true. Token mode makes the authenticator generate a bearer token for the client by performing a concrete client_credentials flow, instead of just embedding the private_key_jwt parameter in the body as is necessary on a token exchange. The token is then used as a Bearer Token (Authorization header), kept in memory with its expiry time and renewed when necessary.

Types

type AccessClaims

type AccessClaims struct {
	Issuer    string   `json:"iss"` // Service which distributed the token
	Audiences []string `json:"aud"` // Audiences which should answer to the token
	ClientID  string   `json:"cli"` // SSO client ID which generated the token

	ExpiresAt int64 `json:"exp"` // Expiry time
	IssuedAt  int64 `json:"iat"` // Issuing time
	NotBefore int64 `json:"nbf"` // Time before use

	Subject string   `json:"sub"` // Subject (owner) bound to the token
	Scope   string   `json:"sco"` // Scope borne by the token
	ACR     ClassRef `json:"acr"` // Authentication Class Reference

	Token      string `json:"tok"` // Raw Access Token
	IdentityID string `json:"mid"` // Misakey ID - Identity bound to the token
	AccountID  string `json:"aid"` // Account bound to the token

	HasCrypto bool `json:"cry"`

	JWT string `json:"-"` // Raw JWT Token
}

AccessClaims is declared to format our Access JWTs. It implements the https://godoc.org/github.com/dgrijalva/jwt-go#Claims interface.

func GetAccesses

func GetAccesses(ctx context.Context) *AccessClaims

GetAccesses returns the AccessClaims found inside the current context using the defined accessContextKey. It returns a nil pointer if no claims have been found.

func (*AccessClaims) SetRawJWT

func (c *AccessClaims) SetRawJWT(jwt string)

SetRawJWT sets the raw JWT in the access claims.

func (AccessClaims) Valid

func (c AccessClaims) Valid() error

Valid: all required validations are today done on the Hydra side.

func (AccessClaims) ValidAudience

func (c AccessClaims) ValidAudience(expected string) error

ValidAudience checks whether the expected client is part of the audience.

type AppRole

type AppRole struct {
	ApplicationID string
	RoleLabel     string
}

AppRole contains a role owned for a given application.

type BearerTokenAuthenticator

type BearerTokenAuthenticator struct {
}

BearerTokenAuthenticator is the default authenticator of the http client

func (BearerTokenAuthenticator) Set

Set sets the Authorization header to Bearer + {jwt token} if the token is found in the context. Used to authorize internal calls between services.

type ClassRef

type ClassRef string

ClassRef is the official Authentication Context Class Reference (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) enum, used to store in the ID and Access Tokens the context class the authentication satisfied. Higher is more secure.

const (
	// ACR0 ...
	ACR0 ClassRef = "0"
	// ACR1 ...
	ACR1 ClassRef = "1"
	// ACR2 ...
	ACR2 ClassRef = "2"
	// ACR3 ...
	ACR3 ClassRef = "3"
	// ACR4 ...
	ACR4 ClassRef = "4"
)

func ComputeACRSum

func ComputeACRSum(amrs MethodRefs) ClassRef

ComputeACRSum ...

func (ClassRef) LessThan

func (acr ClassRef) LessThan(minimum ClassRef) bool

LessThan ...

func (ClassRef) RememberFor

func (acr ClassRef) RememberFor() int

RememberFor returns an integer number of seconds, according to the authentication context class.

func (ClassRef) String

func (acr ClassRef) String() string

String ...

type ClassRefs

type ClassRefs []ClassRef

ClassRefs ...

func NewClassRefs

func NewClassRefs(acr ClassRef) ClassRefs

NewClassRefs ...

func (ClassRefs) Get

func (acrs ClassRefs) Get() ClassRef

Get returns the highest acr value.

func (*ClassRefs) Set

func (acrs *ClassRefs) Set(acr ClassRef)

Set replaces the full slice; the multiple ACR values capability is ignored.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client implements some OpenID Connect concepts as a Relying Party (a.k.a. Third Party).

func NewClient

func NewClient(id, tokenURL, encodedJWK string) (*Client, error)

NewClient returns a Client configured with a tokenURL and an encoded JWK: a base64-encoded string of the JSON Web Key (the public and private keypair) following https://tools.ietf.org/html/rfc7517. From this string the constructor instantiates a JWK signer able to sign client information in a JWT.

func (*Client) Assert

func (cli *Client) Assert(ctx context.Context) string

Assert signs claims created on the fly using the JWK signer and the OIDC client information.

func (*Client) ID

func (cli *Client) ID() string

ID returns the immutable client id

type Context

type Context map[string]interface{}

Context is the format used to forward information to the OpenID server.

func NewContext

func NewContext() Context

NewContext ...

func (Context) ACRValues

func (ctx Context) ACRValues() ClassRefs

ACRValues returns acr_values as a ClassRefs value.

func (Context) AID

func (ctx Context) AID() string

AID ...

func (Context) AMRs

func (ctx Context) AMRs() MethodRefs

AMRs ...

func (Context) AddAMR

func (ctx Context) AddAMR(amr MethodRef) Context

AddAMR ...

func (Context) LoginHint

func (ctx Context) LoginHint() string

LoginHint ...

func (Context) MID

func (ctx Context) MID() string

MID ...

func (Context) SetACRValue

func (ctx Context) SetACRValue(acr ClassRef) Context

SetACRValue ...

func (Context) SetACRValues

func (ctx Context) SetACRValues(acrs ClassRefs) Context

SetACRValues ...

func (Context) SetAID

func (ctx Context) SetAID(accountID string) Context

SetAID ...

func (Context) SetAMRs

func (ctx Context) SetAMRs(amrs MethodRefs) Context

SetAMRs ...

func (Context) SetLoginHint

func (ctx Context) SetLoginHint(loginHint string) Context

SetLoginHint ...

func (Context) SetMID

func (ctx Context) SetMID(identityID string) Context

SetMID ...

type MethodRef

type MethodRef string

MethodRef is the official Authentication Method Reference (https://tools.ietf.org/html/rfc8176) enum, used to store in the ID Token the authentication methods that have been used to authenticate the user.

const (
	// AMRBrowserCookie is the use of browser cookie to store an auth session
	AMRBrowserCookie MethodRef = "browser_cookie"

	// IDENTITY AMRS
	// AMREmailedCode is the entering of a code received by email
	AMREmailedCode MethodRef = "identity:emailed_code"
	// AMRPrehashedPassword is the entering of a password
	AMRPrehashedPassword MethodRef = "identity:prehashed_password"

	// TOTP AMRS
	// AMRTOTP is the use of a totp
	AMRTOTP MethodRef = "totp:totp"
	// AMRTOTPRecovery is the use of the totp recovery protocol
	AMRTOTPRecovery MethodRef = "totp:recovery"

	// WEBAUTHN AMRS
	// AMRWebauthn is the use of webauthn protocol
	AMRWebauthn MethodRef = "webauthn:webauthn"
	// AMRWebauthnRecovery is the use of the webauthn recovery protocol
	AMRWebauthnRecovery MethodRef = "webauthn:recovery"
)

type MethodRefs

type MethodRefs []MethodRef

MethodRefs ...

func BuildRemaining

func BuildRemaining(performed MethodRefs, available MethodRefs) MethodRefs

BuildRemaining returns the amrs that can still be performed, by eliminating the amr groups already performed.

func (*MethodRefs) Add

func (amrs *MethodRefs) Add(method MethodRef)

Add ...

func (MethodRefs) Has

func (amrs MethodRefs) Has(method MethodRef) bool

Has ...

func (MethodRefs) Includes

func (amrs MethodRefs) Includes(methods ...MethodRef) bool

Includes reports whether all methods passed as parameters are present.

func (MethodRefs) String

func (amrs MethodRefs) String() string

String ...

type PrivateKeyJWTAuthenticator

type PrivateKeyJWTAuthenticator struct {
	// contains filtered or unexported fields
}

PrivateKeyJWTAuthenticator allows Client Authentication using the private_key_jwt method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication. It has 2 possible modes, described below.

func NewPrivateKeyJWTAuthenticator

func NewPrivateKeyJWTAuthenticator(oidcCli *Client, options ...func(*PrivateKeyJWTAuthenticator)) *PrivateKeyJWTAuthenticator

NewPrivateKeyJWTAuthenticator returns an authenticator configured with the given OIDC Client.

func (*PrivateKeyJWTAuthenticator) Set

func (authenticator *PrivateKeyJWTAuthenticator) Set(ctx context.Context, req *http.Request)

Set sets client authentication, considering the method used is OIDC private_key_jwt: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
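The private_key_jwt exchange that Client.Assert and PrivateKeyJWTAuthenticator.Set perform, shown end to end as an added example rather than the package's own code: the client signs an assertion with iss and sub set to its client_id, aud set to the token endpoint, a unique jti and a short exp; the token endpoint verifies the signature against the client's registered public key before trusting any claim, then checks the audience the way ValidAudience does and the expiry. Assumed for this example: EdDSA keys (the package itself takes an RFC 7517 JWK), the names Assertion, Assert and Verify, and a caller-supplied jti.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Assertion holds the claims OIDC Core section 9 requires in a private_key_jwt client assertion:
// iss and sub are both the client_id, aud is the token endpoint, jti is unique, exp bounds its life.
type Assertion struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	JTI       string `json:"jti"`
	ExpiresAt int64  `json:"exp"`
}

var enc = base64.RawURLEncoding // JWS uses unpadded base64url (RFC 7515 section 2)

// Assert signs a 60-second assertion (EdDSA, RFC 8037); the caller supplies a fresh random jti, now is Unix seconds.
func Assert(clientID, tokenURL, jti string, priv ed25519.PrivateKey, now int64) string {
	claims, _ := json.Marshal(Assertion{clientID, clientID, tokenURL, jti, now + 60})
	input := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify is the token-endpoint side: the signature is checked against the client's registered
// public key before any claim is trusted, then iss/sub, aud (as ValidAudience does) and exp.
func Verify(tok, clientID, tokenURL string, pub ed25519.PublicKey, now int64) (*Assertion, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed assertion")
	}
	sig, err1 := enc.DecodeString(p[2])
	raw, err2 := enc.DecodeString(p[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad encoding or signature")
	}
	var a Assertion
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a.Issuer != clientID || a.Subject != clientID || a.Audience != tokenURL || now >= a.ExpiresAt {
		return nil, errors.New("iss/sub/aud mismatch or assertion expired")
	}
	return &a, nil
}
```

In token mode the bearer token obtained in return would be cached with its expiry and a new assertion signed only when it needs renewing; in exchange mode the assertion is instead embedded in the request body.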
