Documentation
Index
- Constants
- func GetSignedToken(ac AccessClaims) (string, error)
- func SetAccessClaimsJWT(ctx context.Context, jwt string) context.Context
- func SetAccesses(ctx context.Context, acc *AccessClaims) context.Context
- func UsingTokenMode() func(*PrivateKeyJWTAuthenticator)
- type AccessClaims
- type AppRole
- type BearerTokenAuthenticator
- type ClassRef
- type ClassRefs
- type Client
- type Context
- func (ctx Context) ACRValues() ClassRefs
- func (ctx Context) AID() string
- func (ctx Context) AMRs() MethodRefs
- func (ctx Context) AddAMR(amr MethodRef) Context
- func (ctx Context) LoginHint() string
- func (ctx Context) MID() string
- func (ctx Context) SetACRValue(acr ClassRef) Context
- func (ctx Context) SetACRValues(acrs ClassRefs) Context
- func (ctx Context) SetAID(accountID string) Context
- func (ctx Context) SetAMRs(amrs MethodRefs) Context
- func (ctx Context) SetLoginHint(loginHint string) Context
- func (ctx Context) SetMID(identityID string) Context
- type MethodRef
- type MethodRefs
- type PrivateKeyJWTAuthenticator
Constants
const JWTStaticSignature = "wedontmindaboutsigningfornow"
JWTStaticSignature is the key used to sign JWTs internally. We do not mind it not being secret for now, since the JWT only travels inside our internal and private network. Note that the value is a public constant in the package source: anyone who holds it, or who can reach that network, can mint an access JWT that verifies, so the signature only protects against accidental corruption, not against forgery. It must be replaced by a real secret (or by asymmetric signing) before such a token crosses a trust boundary.
Variables
This section is empty.
Functions
func GetSignedToken
func GetSignedToken(ac AccessClaims) (string, error)
GetSignedToken serializes an AccessClaims structure into a JWT string signed with JWTStaticSignature.
func SetAccessClaimsJWT
func SetAccessClaimsJWT(ctx context.Context, jwt string) context.Context
SetAccessClaimsJWT overrides the access claims JWT value currently stored in the context.
func SetAccesses
func SetAccesses(ctx context.Context, acc *AccessClaims) context.Context
SetAccesses returns ctx with the AccessClaims stored inside it under accessContextKey.
func UsingTokenMode
func UsingTokenMode() func(*PrivateKeyJWTAuthenticator)
UsingTokenMode sets tokenMode to true. In token mode the authenticator performs a real client_credentials flow to obtain a bearer token for the client, instead of only embedding the private_key_jwt parameter in the request body as a token exchange requires. The token is then sent as a Bearer token in the Authorization header, kept in memory together with its expiry time, and renewed when necessary.
Types
type AccessClaims
type AccessClaims struct {
	Issuer     string   `json:"iss"` // Service which issued the token
	Audiences  []string `json:"aud"` // Audiences which should accept the token
	ClientID   string   `json:"cli"` // SSO client ID which generated the token
	ExpiresAt  int64    `json:"exp"` // Expiry time
	IssuedAt   int64    `json:"iat"` // Issuing time
	NotBefore  int64    `json:"nbf"` // Time before which the token must not be used
	Subject    string   `json:"sub"` // Subject (owner) bound to the token
	Scope      string   `json:"sco"` // Scope carried by the token
	ACR        ClassRef `json:"acr"` // Authentication Context Class Reference
	Token      string   `json:"tok"` // Raw access token
	IdentityID string   `json:"mid"` // Misakey ID - identity bound to the token
	AccountID  string   `json:"aid"` // Account bound to the token
	HasCrypto  bool     `json:"cry"`
	JWT        string   `json:"-"`   // Raw JWT, never serialized
}
AccessClaims is the claim set used to format our access JWTs. It implements the jwt-go Claims interface (https://godoc.org/github.com/dgrijalva/jwt-go#Claims).
func GetAccesses
func GetAccesses(ctx context.Context) *AccessClaims
GetAccesses returns the AccessClaims found inside the current context under accessContextKey. It returns a nil pointer if no claims have been found.
func (*AccessClaims) SetRawJWT
func (c *AccessClaims) SetRawJWT(jwt string)
SetRawJWT stores the raw JWT string in the access claims.
func (AccessClaims) Valid
func (c AccessClaims) Valid() error
Valid performs no local validation: all required validation is today done on the Hydra side. Code that verifies an access JWT without going through Hydra must therefore check exp, nbf and the audience itself (see ValidAudience).
func (AccessClaims) ValidAudience
func (c AccessClaims) ValidAudience(expected string) error
ValidAudience checks that expected (the calling client) is part of the token's Audiences.
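Because Valid performs no local check, a service that verifies an access JWT without calling Hydra needs its own time-window and audience checks. The following is an added example, not code from this package: it copies the AccessClaims JSON layout into a local accessClaims type, decodes the aud claim whether it is a string or an array (RFC 7519 allows both, and a plain []string field rejects the string form), and contrasts the documented no-op Valid with a hardened Validate. The claim JSON is constructed for the example; the leeway parameter and the errMissingExp/errExpired/errNotYetValid/errAudience names are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// audiences decodes the JWT "aud" claim whether it is a single string or an
// array (both valid per RFC 7519); a plain []string field rejects the string form.
type audiences []string

func (a *audiences) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audiences{single}
		return nil
	}
	var list []string
	if err := json.Unmarshal(b, &list); err != nil {
		return err
	}
	*a = audiences(list)
	return nil
}

// accessClaims is a local copy of the package's AccessClaims JSON layout
// (example type, not the package's own).
type accessClaims struct {
	Issuer     string    `json:"iss"`
	Audiences  audiences `json:"aud"`
	ClientID   string    `json:"cli"`
	ExpiresAt  int64     `json:"exp"`
	IssuedAt   int64     `json:"iat"`
	NotBefore  int64     `json:"nbf"`
	Subject    string    `json:"sub"`
	Scope      string    `json:"sco"`
	IdentityID string    `json:"mid"`
	AccountID  string    `json:"aid"`
}

var (
	errMissingExp  = errors.New("access claims: missing exp")
	errExpired     = errors.New("access claims: token expired")
	errNotYetValid = errors.New("access claims: token not yet valid")
	errAudience    = errors.New("access claims: audience mismatch")
)

// parseClaims decodes the JSON claim set of an access token payload.
func parseClaims(payload []byte) (accessClaims, error) {
	var c accessClaims
	err := json.Unmarshal(payload, &c)
	return c, err
}

// Valid reproduces the documented behaviour: nothing is checked locally,
// every validation is delegated to Hydra.
func (c accessClaims) Valid() error { return nil }

// ValidAudience reports whether expected is one of the token audiences.
func (c accessClaims) ValidAudience(expected string) error {
	for _, aud := range c.Audiences {
		if aud == expected {
			return nil
		}
	}
	return fmt.Errorf("%w: %q not in %v", errAudience, expected, []string(c.Audiences))
}

// Validate is the check to run when the token does not go through Hydra:
// exp is mandatory, nbf/iat must not be in the future, and the caller must be
// in the audience. leeway absorbs clock skew between issuer and verifier.
func (c accessClaims) Validate(now time.Time, expected string, leeway time.Duration) error {
	t := now.Unix()
	skew := int64(leeway.Seconds())
	switch {
	case c.ExpiresAt == 0:
		return errMissingExp
	case t > c.ExpiresAt+skew:
		return errExpired
	case c.NotBefore != 0 && t+skew < c.NotBefore:
		return errNotYetValid
	case c.IssuedAt != 0 && t+skew < c.IssuedAt:
		return errNotYetValid
	}
	return c.ValidAudience(expected)
}

func main() {
	// Constructed payload: issued two hours before "now", expired one hour ago.
	now := time.Unix(1_700_000_000, 0)
	payload := []byte(`{"iss":"auth","aud":"boxes","sub":"u1","iat":1699992800,"nbf":1699992800,"exp":1699996400}`)
	c, err := parseClaims(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("Valid():   ", c.Valid())                               // nil: the expired token passes
	fmt.Println("Validate():", c.Validate(now, "boxes", 30*time.Second)) // token expired
}
```

The leeway is applied symmetrically (a token may be a few seconds past exp or a few seconds before nbf); keep it to tens of seconds, since every second of leeway is a second an already-expired token stays usable.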
type AppRole
AppRole contains a role owned for a given application.
type BearerTokenAuthenticator
type BearerTokenAuthenticator struct { }
BearerTokenAuthenticator is the default authenticator of the HTTP client.
type ClassRef
type ClassRef string
ClassRef is an official Authentication Context Class Reference (https://openid.net/specs/openid-connect-core-1_0.html#IDToken), an enum stored in the ID and access tokens to record which context class the authentication satisfied. A higher class is more secure.
func (ClassRef) RememberFor
RememberFor returns, for the authentication context class, the number of seconds the authentication may be remembered for.
type Client
type Client struct {
	// contains filtered or unexported fields
}
Client implements some OpenID Connect concepts as a Relying Party (a.k.a. third party).
func NewClient
NewClient is configured with a tokenURL and an encoded JWK: a base64-encoded string of a JSON Web Key (the public and private key pair) following https://tools.ietf.org/html/rfc7517. From this string the constructor instantiates a JWK signer, used to sign client information in JWTs. Since the JWK contains the private key, the encoded string must be handled as a secret.
func (*Client) Assert
Assert creates claims on the fly and signs them with the JWK signer, using the OIDC client information.
type Context
type Context map[string]interface{}
Context is the map format used to forward information to the OpenID server.
func (Context) ACRValues
func (ctx Context) ACRValues() ClassRefs
ACRValues returns acr_values as a ClassRefs value.
func (Context) SetACRValues
func (ctx Context) SetACRValues(acrs ClassRefs) Context
SetACRValues sets acr_values in the Context.
func (Context) SetLoginHint
func (ctx Context) SetLoginHint(loginHint string) Context
SetLoginHint sets login_hint in the Context.
type MethodRef
type MethodRef string
MethodRef is an official Authentication Method Reference (https://tools.ietf.org/html/rfc8176), an enum stored in the ID Token to record the authentication methods that were used to authenticate the user.
const (
	// AMRBrowserCookie is the use of a browser cookie to store an auth session
	AMRBrowserCookie MethodRef = "browser_cookie"

	// IDENTITY AMRS

	// AMREmailedCode is the entering of a code received by email
	AMREmailedCode MethodRef = "identity:emailed_code"
	// AMRPrehashedPassword is the entering of a password
	AMRPrehashedPassword MethodRef = "identity:prehashed_password"

	// TOTP AMRS

	// AMRTOTP is the use of a TOTP
	AMRTOTP MethodRef = "totp:totp"
	// AMRTOTPRecovery is the use of the TOTP recovery protocol
	AMRTOTPRecovery MethodRef = "totp:recovery"

	// WEBAUTHN AMRS

	// AMRWebauthn is the use of the WebAuthn protocol
	AMRWebauthn MethodRef = "webauthn:webauthn"
	// AMRWebauthnRecovery is the use of the WebAuthn recovery protocol
	AMRWebauthnRecovery MethodRef = "webauthn:recovery"
)
type MethodRefs
type MethodRefs []MethodRef
MethodRefs is a list of MethodRef values.
func BuildRemaining
func BuildRemaining(performed MethodRefs, available MethodRefs) MethodRefs
BuildRemaining returns the AMRs from available that can still be performed, by eliminating every AMR whose group (identity, totp, webauthn) has already been performed.
func (MethodRefs) Includes
func (amrs MethodRefs) Includes(methods ...MethodRef) bool
Includes reports whether amrs contains all the methods passed as parameters.
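As an added example of the AMR bookkeeping that BuildRemaining and Includes describe (not the package's own code): the MethodRef constants are copied from this page so the file runs stand-alone; Group, Includes, BuildRemaining and AddAMR are this example's implementations. It assumes that an AMR's group is the prefix before the colon (identity, totp, webauthn, with browser_cookie forming its own group), and the deduplication in AddAMR is this example's choice; the page only gives the signature of Context.AddAMR and does not document either detail.

```go
package main

import (
	"fmt"
	"strings"
)

// MethodRef and the AMR constants are copied from the package documentation.
type MethodRef string

type MethodRefs []MethodRef

const (
	AMRBrowserCookie     MethodRef = "browser_cookie"
	AMREmailedCode       MethodRef = "identity:emailed_code"
	AMRPrehashedPassword MethodRef = "identity:prehashed_password"
	AMRTOTP              MethodRef = "totp:totp"
	AMRTOTPRecovery      MethodRef = "totp:recovery"
	AMRWebauthn          MethodRef = "webauthn:webauthn"
	AMRWebauthnRecovery  MethodRef = "webauthn:recovery"
)

// Group returns the family of an AMR: the part before the colon ("identity",
// "totp", "webauthn"); an AMR without a colon such as browser_cookie is its
// own group. This prefix rule is an assumption of the example; the package
// only says BuildRemaining eliminates groups already performed.
func (m MethodRef) Group() string {
	if i := strings.IndexByte(string(m), ':'); i >= 0 {
		return string(m[:i])
	}
	return string(m)
}

// Includes reports whether amrs contains every one of methods.
func (amrs MethodRefs) Includes(methods ...MethodRef) bool {
	have := make(map[MethodRef]bool, len(amrs))
	for _, a := range amrs {
		have[a] = true
	}
	for _, m := range methods {
		if !have[m] {
			return false
		}
	}
	return true
}

// BuildRemaining keeps the available methods whose group has not been
// performed yet, so a second factor cannot come from the family that was
// already used (an emailed code does not "complete" a password). The order
// of available is preserved so callers get a stable list.
func BuildRemaining(performed, available MethodRefs) MethodRefs {
	done := make(map[string]bool, len(performed))
	for _, p := range performed {
		done[p.Group()] = true
	}
	remaining := MethodRefs{}
	for _, a := range available {
		if !done[a.Group()] {
			remaining = append(remaining, a)
		}
	}
	return remaining
}

// AddAMR records amr once: repeating the same factor must not pad the list
// that ends up in the amr claim (deduplication is this example's choice).
func (amrs MethodRefs) AddAMR(amr MethodRef) MethodRefs {
	if amrs.Includes(amr) {
		return amrs
	}
	return append(amrs, amr)
}

func main() {
	all := MethodRefs{AMRBrowserCookie, AMREmailedCode, AMRPrehashedPassword,
		AMRTOTP, AMRTOTPRecovery, AMRWebauthn, AMRWebauthnRecovery}
	performed := MethodRefs{}.AddAMR(AMREmailedCode).AddAMR(AMREmailedCode)
	fmt.Println("performed:", performed)                      // [identity:emailed_code]
	fmt.Println("remaining:", BuildRemaining(performed, all)) // no identity:* entries
	fmt.Println("has TOTP: ", performed.Includes(AMRTOTP))    // false
}
```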
type PrivateKeyJWTAuthenticator
type PrivateKeyJWTAuthenticator struct {
	// contains filtered or unexported fields
}
PrivateKeyJWTAuthenticator performs client authentication with the private_key_jwt method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication It has two possible modes: the default, which embeds the signed private_key_jwt assertion in the request body, and token mode (see UsingTokenMode).
func NewPrivateKeyJWTAuthenticator
func NewPrivateKeyJWTAuthenticator(oidcCli *Client, options ...func(*PrivateKeyJWTAuthenticator)) *PrivateKeyJWTAuthenticator
NewPrivateKeyJWTAuthenticator returns an authenticator configured with the given OIDC Client and options.
func (*PrivateKeyJWTAuthenticator) Set
func (authenticator *PrivateKeyJWTAuthenticator) Set(ctx context.Context, req *http.Request)
Set adds client authentication to req, using the OIDC private_key_jwt method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
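To make the private_key_jwt exchange that Assert and Set implement concrete, here is an added example (not the package's code, and using only the Go standard library instead of the package's JWK signer): the client side mints the client assertion that is embedded in the request, with iss and sub set to the client_id, aud pinned to the token endpoint and a random jti, and the server side verifies it with the client's registered public key. The client_id, the token endpoint URL and the one-minute lifetime are constructed for the example; in the package the signing key comes from the encoded JWK given to NewClient.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// assertionClaims is the claim set OIDC Core section 9 requires in a private_key_jwt assertion.
type assertionClaims struct {
	Issuer    string `json:"iss"` // the client_id
	Subject   string `json:"sub"` // the client_id again
	Audience  string `json:"aud"` // the token endpoint this assertion is meant for
	JTI       string `json:"jti"` // unique per assertion, so the server can reject replays
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newClientAssertion mints a one-minute RS256 assertion for clientID aimed at
// tokenURL: the value the authenticator embeds as client_assertion.
func newClientAssertion(clientID, tokenURL string, now time.Time, key *rsa.PrivateKey) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	payload, err := json.Marshal(assertionClaims{
		Issuer: clientID, Subject: clientID, Audience: tokenURL, JTI: b64url(jti),
		IssuedAt: now.Unix(), ExpiresAt: now.Add(time.Minute).Unix(),
	})
	if err != nil {
		return "", err
	}
	input := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// verifyAssertion is the token endpoint's side: the algorithm is fixed to RS256
// rather than read from the header, aud is pinned to this endpoint (otherwise an
// assertion made for one server replays against another), and expiry is enforced.
func verifyAssertion(token string, pub *rsa.PublicKey, tokenURL string, now time.Time) (assertionClaims, error) {
	var c assertionClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed compact JWS")
	}
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errP != nil || errS != nil {
		return c, errors.New("malformed base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Audience != tokenURL {
		return c, fmt.Errorf("aud %q is not this token endpoint", c.Audience)
	}
	if now.Unix() > c.ExpiresAt {
		return c, errors.New("assertion expired")
	}
	return c, nil
}

// newTestKey generates a throwaway key; the package takes its key from the
// encoded JWK given to NewClient.
func newTestKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	key := newTestKey()
	const tokenURL = "https://auth.example.test/oauth2/token" // constructed endpoint
	tok, err := newClientAssertion("boxes-service", tokenURL, time.Now(), key)
	if err != nil {
		panic(err)
	}
	_, err = verifyAssertion(tok, &key.PublicKey, "https://other.example.test/token", time.Now())
	fmt.Println("assertion replayed at another endpoint rejected:", err != nil)
}
```

In token mode (UsingTokenMode) the same assertion is posted to the token endpoint with grant_type=client_credentials and client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer (RFC 7523), and the returned bearer token is cached until its expiry; the assertion itself stays short-lived either way, since the server is expected to reject reused jti values.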