oidc

package
Version: v0.0.0-...-afa1830 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 13, 2021 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const JWTStaticSignature = "wedontmindaboutsigningfornow"

JWTStaticSignature is the key used to sign JWT internally, we don't mind having a secret one for now since the jwt goes only inside our internal & private network

Variables

This section is empty.

Functions

func GetSignedToken

func GetSignedToken(ac AccessClaims) (string, error)

GetSignedToken transforms an AccessClaims structure into a JWT

func SetAccessClaimsJWT

func SetAccessClaimsJWT(ctx context.Context, jwt string) context.Context

SetAccessClaimsJWT override current in-context access claims JWT value

func SetAccesses

func SetAccesses(ctx context.Context, acc *AccessClaims) context.Context

SetAccesses returns ctx with AccessClaims set inside it using accessContextKey

func UsingTokenMode

func UsingTokenMode() func(*PrivateKeyJWTAuthenticator)

UsingTokenMode sets tokenMode to true Token mode make the authenticator generating a bearer token for the client performing a concrete client_credentials flow, instead of just embedding private_key_jwt parameter in the body as it is necessary on an exchange token. The token is then used as a Bearer Token (Authorization Header), kept in memory with its expiry time and renewed when necessary.

Types

type AccessClaims

type AccessClaims struct {
	Issuer    string   `json:"iss"` // Service which distributed the token
	Audiences []string `json:"aud"` // Audiences which should answer to the tooken
	ClientID  string   `json:"cli"` // SSO client ID which generated the token

	ExpiresAt int64 `json:"exp"` // Expiry time
	IssuedAt  int64 `json:"iat"` // Issuing time
	NotBefore int64 `json:"nbf"` // Time before use

	Subject string   `json:"sub"` // Subject (owner) bound to the token
	Scope   string   `json:"sco"` // Scope beared by the token
	ACR     ClassRef `json:"acr"` // Authentication Class Reference

	Token      string `json:"tok"` // Raw Access Token
	IdentityID string `json:"mid"` // Misakey ID - Identity bound to the token
	AccountID  string `json:"aid"` // Account bound to the token

	HasCrypto bool `json:"cry"`

	JWT string `json:"-"` // Raw JWT Token
}

AccessClaims declared to format our Access JWTs Implement https://godoc.org/github.com/dgrijalva/jwt-go#Claims interface

func GetAccesses

func GetAccesses(ctx context.Context) *AccessClaims

GetAccesses returns AccessClaims found inside current context using defined accessContextKey It return a nil pointer if no claims have been found

func (*AccessClaims) SetRawJWT

func (c *AccessClaims) SetRawJWT(jwt string)

SetRawJWT in the access claims

func (AccessClaims) Valid

func (c AccessClaims) Valid() error

Valid : all required validation are today done on hydra side

func (AccessClaims) ValidAudience

func (c AccessClaims) ValidAudience(expected string) error

ValidAudience : check if the client is part of the audience

type AppRole

type AppRole struct {
	ApplicationID string
	RoleLabel     string
}

AppRole contains a role owned for a given application.

type BearerTokenAuthenticator

type BearerTokenAuthenticator struct {
}

BearerTokenAuthenticator is the default authenticator of the http client

func (BearerTokenAuthenticator) Set

Set an Authorization to Bearer + {jwt token} if the token is found in context Used to authorize intern calls between services

type ClassRef

type ClassRef string

ClassRef Official Authentication Context Class Reference (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) enum used to store in the ID & Access Tokens the context class the authentication satisfied higher is the more secure

const (
	// ACR0 ...
	ACR0 ClassRef = "0"
	// ACR1 ...
	ACR1 ClassRef = "1"
	// ACR2 ...
	ACR2 ClassRef = "2"
	// ACR3 ...
	ACR3 ClassRef = "3"
	// ACR4 ...
	ACR4 ClassRef = "4"
)

func ComputeACRSum

func ComputeACRSum(amrs MethodRefs) ClassRef

ComputeACRSum ...

func (ClassRef) LessThan

func (acr ClassRef) LessThan(minimum ClassRef) bool

LessThan ...

func (ClassRef) RememberFor

func (acr ClassRef) RememberFor() int

RememberFor return an integer corresponding to seconds, according to the authentication context class

func (ClassRef) String

func (acr ClassRef) String() string

String ...

type ClassRefs

type ClassRefs []ClassRef

ClassRefs ...

func NewClassRefs

func NewClassRefs(acr ClassRef) ClassRefs

NewClassRefs ...

func (ClassRefs) Get

func (acrs ClassRefs) Get() ClassRef

Get the highest acr values

func (*ClassRefs) Set

func (acrs *ClassRefs) Set(acr ClassRef)

Set ... Multiple ACRValues capability is ignored the full slice is replaced

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client implementing some Open ID Connect concepts as a Relying Party (a.k.a. Third Party).

func NewClient

func NewClient(id, tokenURL, encodedJWK string) (*Client, error)

NewClient configured with a tokenURL and an encoded JWK: a base64 encoded string of the JSON Web Key (the public and private keypair) following https://tools.ietf.org/html/rfc7517 based on this string this constructor instantiates a JWK Signer to be able to sign client information in jwt.

func (*Client) Assert

func (cli *Client) Assert(ctx context.Context) string

Assert claims created on the fly using the jwk signer and oidc client information

func (*Client) ID

func (cli *Client) ID() string

ID returns the immutable client id

type Context

type Context map[string]interface{}

Context format used to forward information to Open ID server

func NewContext

func NewContext() Context

NewContext ...

func (Context) ACRValues

func (ctx Context) ACRValues() ClassRefs

ACRValues return acr_values as an ClassRefs type

func (Context) AID

func (ctx Context) AID() string

AID ...

func (Context) AMRs

func (ctx Context) AMRs() MethodRefs

AMRs ...

func (Context) AddAMR

func (ctx Context) AddAMR(amr MethodRef) Context

AddAMR ...

func (Context) LoginHint

func (ctx Context) LoginHint() string

LoginHint ...

func (Context) MID

func (ctx Context) MID() string

MID ...

func (Context) SetACRValue

func (ctx Context) SetACRValue(acr ClassRef) Context

SetACRValue ...

func (Context) SetACRValues

func (ctx Context) SetACRValues(acrs ClassRefs) Context

SetACRValues ...

func (Context) SetAID

func (ctx Context) SetAID(accountID string) Context

SetAID ...

func (Context) SetAMRs

func (ctx Context) SetAMRs(amrs MethodRefs) Context

SetAMRs ...

func (Context) SetLoginHint

func (ctx Context) SetLoginHint(loginHint string) Context

SetLoginHint ...

func (Context) SetMID

func (ctx Context) SetMID(identityID string) Context

SetMID ...

type MethodRef

type MethodRef string

MethodRef ... Official Authentication Method Reference (https://tools.ietf.org/html/rfc8176) enum used to store in the ID Token authentication methods that have been used to authenticate the user

const (
	// AMRBrowserCookie is the use of browser cookie to store an auth session
	AMRBrowserCookie MethodRef = "browser_cookie"

	// IDENTITY AMRS
	// AMREmailedCode is the entering of a code received by email
	AMREmailedCode MethodRef = "identity:emailed_code"
	// AMRPrehashedPassword is the entering of a password
	AMRPrehashedPassword MethodRef = "identity:prehashed_password"

	// TOTP AMRS
	// AMRTOTP is the use of a totp
	AMRTOTP MethodRef = "totp:totp"
	// AMRWebauthn is the use of totp recovery protocol
	AMRTOTPRecovery MethodRef = "totp:recovery"

	// WEBAUTHN AMRS
	// AMRWebauthn is the use of webauthn protocol
	AMRWebauthn MethodRef = "webauthn:webauthn"
	// AMRWebauthn is the use of webauthn recovery protocol
	AMRWebauthnRecovery MethodRef = "webauthn:recovery"
)

type MethodRefs

type MethodRefs []MethodRef

MethodRefs ...

func BuildRemaining

func BuildRemaining(performed MethodRefs, available MethodRefs) MethodRefs

BuildRemaining amrs that can be performed by eliminating amrs groupes already performed

func (*MethodRefs) Add

func (amrs *MethodRefs) Add(method MethodRef)

Add ...

func (MethodRefs) Has

func (amrs MethodRefs) Has(method MethodRef) bool

Has ...

func (MethodRefs) Includes

func (amrs MethodRefs) Includes(methods ...MethodRef) bool

Includes all methods passed as parameters

func (MethodRefs) String

func (amrs MethodRefs) String() string

String ...

type PrivateKeyJWTAuthenticator

type PrivateKeyJWTAuthenticator struct {
	// contains filtered or unexported fields
}

PrivateKeyJWTAuthenticator allows the Client Authentication using private_key_jwt method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication It has 2 possible mode described below.

func NewPrivateKeyJWTAuthenticator

func NewPrivateKeyJWTAuthenticator(oidcCli *Client, options ...func(*PrivateKeyJWTAuthenticator)) *PrivateKeyJWTAuthenticator

NewPrivateKeyJWTAuthenticator returned, configured with the given OIDCClient

func (*PrivateKeyJWTAuthenticator) Set

func (authenticator *PrivateKeyJWTAuthenticator) Set(ctx context.Context, req *http.Request)

Set client authentication considering used method is OIDC private_key_jwt: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL