Documentation ¶
Overview ¶
Package auth provides authentication service.
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // DefaultViews are the default views provided by this package. // You need to register the view for data to actually be collected. DefaultViews = []*view.View{ { Name: "go.chromium.org/goma/server/auth.auth_by_account", Description: "auth request count by account", TagKeys: []tag.Key{ accountKey, authErrKey, }, Measure: authRequests, Aggregation: view.Count(), }, } )
View Source
var ErrExpired = errors.New("expired")
ErrExpired represents expiration of access token.
View Source
var ErrInternal = errors.New("internal error")
ErrInternal represents internal error.
View Source
var ErrNoAuthHeader = errors.New("no Authorization header")
ErrNoAuthHeader represents authentication failure due to lack of Authorization header in an HTTP request.
View Source
var ErrOverQuota = errors.New("over quota")
ErrOverQuota represents the user used up the quota.
Functions ¶
This section is empty.
Types ¶
type Auth ¶
type Auth struct { Client authpb.AuthServiceClient Retry rpc.Retry // contains filtered or unexported fields }
type LocalClient ¶
type LocalClient struct {
*Service
}
type Service ¶
type Service struct { authpb.UnimplementedAuthServiceServer // CheckToken optionally checks access token with token info. // If it is not set, all access will be rejected. // If it returns grpc's codes.PermissionDenied error, // error message will be used as ErrorDescription for user. CheckToken func(context.Context, *oauth2.Token, *TokenInfo) (string, *oauth2.Token, error) // contains filtered or unexported fields }
Service implements goma auth service.
func (*Service) Auth ¶
Auth checks authorization header of incoming request, and replies end user information.
TODO: find answers to following questions.
- can auth server return expired token? (currently yes)
- should auth server refresh expired token? (currently no)
- should grpc status code represent status of request or access token?
- how error description should be handled? currently, it is stored in cache but not used by anybody.
- should auth server create go routine for each token to expire the entry? (currently yes)
- how do we implement quota?
- how do we integrate auth server with chrome-infra-auth?
type TokenInfo ¶
type TokenInfo struct { // Email is email address associated with the access token. Email string // Audience is OAuth2 client_id of the access token. Audience string // ExpiresAt is expirary timestamp of the access token. ExpiresAt time.Time // Err represents error of access token. Err error }
TokenInfo represents access token's info.
Directories ¶
Path | Synopsis |
---|---|
Package account manages service account.
|
Package account manages service account. |
Package acl performs access control with ACL.
|
Package acl performs access control with ACL. |
Package authdb provides access to authentication database.
|
Package authdb provides access to authentication database. |
Package enduser manages end user information with context.
|
Package enduser manages end user information with context. |
Click to show internal directories.
Click to hide internal directories.