Documentation

Overview

Package encryptedcookies implements authentication using encrypted cookies.

Index

Constants

This section is empty.

Variables

var ModuleName = module.RegisterName("go.chromium.org/luci/server/encryptedcookies")

ModuleName can be used to refer to this module when declaring dependencies.

Functions

func NewModule

func NewModule(opts *ModuleOptions) module.Module

NewModule returns a server module that configures an authentication method based on encrypted cookies.

func NewModuleFromFlags

func NewModuleFromFlags() module.Module

NewModuleFromFlags is a variant of NewModule that initializes options through command line flags.

Calling this function registers flags in flag.CommandLine. They are usually parsed in server.Main(...).

Types

type AuthMethod

type AuthMethod struct {
	// OpenIDConfig returns OpenID Connect configuration parameters.
	//
	// Required.
	OpenIDConfig func(ctx context.Context) (*OpenIDConfig, error)

	// AEADProvider returns an implementation of the Authenticated Encryption with
	// Associated Data (AEAD) primitive used to encrypt the cookies and other
	// sensitive state.
	AEADProvider func(ctx context.Context) tink.AEAD

	// Sessions keeps user sessions in some permanent storage.
	//
	// Required.
	Sessions session.Store

	// Insecure is true to allow http:// URLs and cookies that are not marked
	// Secure. Useful for local development only.
	Insecure bool

	// IncompatibleCookies is a list of cookies to remove when setting or clearing
	// the session cookie. It is useful to get rid of cookies from previously used
	// authentication methods.
	IncompatibleCookies []string
}

AuthMethod is an auth.Method implementation that uses encrypted cookies.

It uses OpenID Connect to establish sessions, and uses refresh tokens to verify that the OpenID identity provider still knows about the user.
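The cookie mechanics the fields above describe, as an added example that is not code from this page or from LUCI: a session ID is sealed with an AEAD (standard-library AES-GCM stands in for a Tink keyset), the cookie name is bound as associated data so a sealed value cannot be presented under a different cookie name, the cookie is written with Secure unless an insecure flag (the counterpart of Insecure) is set, and the cookies named in an incompatible list (the counterpart of IncompatibleCookies) are expired. The cookie name LUCISID, the fixed demo key and all function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionCookie is the cookie name assumed by this example.
const sessionCookie = "LUCISID"

// cookieAEAD plays the role of the primitive AuthMethod.AEADProvider returns;
// AES-GCM from the standard library stands in for a Tink AEAD keyset.
type cookieAEAD struct{ aead cipher.AEAD }

func newCookieAEAD(key []byte) (*cookieAEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &cookieAEAD{aead: aead}, err
}

// seal encrypts plaintext under a fresh nonce and binds the ciphertext to the
// cookie name through the associated data, so a value sealed for one cookie
// is rejected when presented under another name.
func (c *cookieAEAD) seal(plaintext []byte, cookieName string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, plaintext, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// open reverses seal; any bit flip in value or a different cookieName fails.
func (c *cookieAEAD) open(value, cookieName string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return nil, err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return nil, fmt.Errorf("cookie value too short")
	}
	return c.aead.Open(nil, raw[:ns], raw[ns:], []byte(cookieName))
}

// setSessionCookie writes the encrypted session cookie as Secure (unless
// insecure is set), HttpOnly and SameSite=Lax, and expires every cookie named
// in incompatible, which is what IncompatibleCookies is for.
func setSessionCookie(w http.ResponseWriter, c *cookieAEAD, sessionID string, insecure bool, incompatible []string) error {
	value, err := c.seal([]byte(sessionID), sessionCookie)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{
		Name: sessionCookie, Value: value, Path: "/",
		Secure: !insecure, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	})
	for _, name := range incompatible {
		http.SetCookie(w, &http.Cookie{Name: name, Value: "", Path: "/", MaxAge: -1})
	}
	return nil
}

// readSessionCookie returns the session ID carried by the request, or an error
// if the cookie is missing, tampered with, or sealed for another cookie name.
func readSessionCookie(r *http.Request, c *cookieAEAD) (string, error) {
	ck, err := r.Cookie(sessionCookie)
	if err != nil {
		return "", err
	}
	pt, err := c.open(ck.Value, sessionCookie)
	if err != nil {
		return "", fmt.Errorf("invalid session cookie: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Constructed 32-byte demo key; a deployment loads its key from a Tink keyset.
	c, err := newCookieAEAD([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	rec := httptest.NewRecorder()
	if err := setSessionCookie(rec, c, "session-id-123", false, []string{"old_auth"}); err != nil {
		panic(err)
	}
	req := httptest.NewRequest("GET", "/", nil)
	for _, ck := range rec.Result().Cookies() {
		req.AddCookie(ck)
	}
	fmt.Println(readSessionCookie(req, c))
}
```

The associated data is what makes the binding to the cookie name hold: the same key may protect several cookies or other sensitive state, and without it a ciphertext produced for one purpose could be replayed under another. The nonce is random per seal, so the same session ID never produces the same cookie value twice.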

func (*AuthMethod) Authenticate

func (m *AuthMethod) Authenticate(ctx context.Context, r *http.Request) (*auth.User, auth.Session, error)

Authenticate authenticates the request.

Implements auth.Method.

func (*AuthMethod) InstallHandlers

func (m *AuthMethod) InstallHandlers(r *router.Router, base router.MiddlewareChain)

InstallHandlers installs HTTP handlers used in the login protocol.

Implements auth.HasHandlers.

func (*AuthMethod) LoginURL

func (m *AuthMethod) LoginURL(ctx context.Context, dest string) (string, error)

LoginURL returns a URL that, when visited, prompts the user to sign in, then redirects the user to the URL specified by dest.

Implements auth.UsersAPI.

func (*AuthMethod) LogoutURL

func (m *AuthMethod) LogoutURL(ctx context.Context, dest string) (string, error)

LogoutURL returns a URL that, when visited, signs the user out, then redirects the user to the URL specified by dest.

Implements auth.UsersAPI.

func (*AuthMethod) Warmup

func (m *AuthMethod) Warmup(ctx context.Context) error

Warmup prepares local caches.

Implements auth.Warmable.

type ModuleOptions

type ModuleOptions struct {
	// TinkAEADKey is a "sm://..." reference to a Tink AEAD keyset.
	TinkAEADKey string
	// DiscoveryURL is a URL of the discovery document with the provider's config.
	DiscoveryURL string
	// ClientID identifies the OAuth2 Web client representing the application.
	ClientID string
	// ClientSecret is a "sm://..." reference to the OAuth2 client secret.
	ClientSecret string
	// RedirectURL must be `https://<host>/auth/openid/callback`.
	RedirectURL string
	// SessionStoreKind can be used to pick a concrete implementation of a store.
	SessionStoreKind string
	// SessionStoreNamespace can be used to namespace sessions in the store.
	SessionStoreNamespace string
}

ModuleOptions contains the configuration of the encryptedcookies server module.

func (*ModuleOptions) Register

func (o *ModuleOptions) Register(f *flag.FlagSet)

Register registers the command line flags.
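As an added example, not the module's own code: a struct with the ModuleOptions fields that registers them as flags on a flag.FlagSet and then validates the parsed values, refusing a literal value where the page says an "sm://..." reference is expected and a RedirectURL that is not `https://<host>/auth/openid/callback`. The flag names, the Validate checks and the sample arguments are this example's assumptions.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"net/url"
	"strings"
)

// Options carries the same fields as ModuleOptions on this page. The flag
// names and the checks in Validate are this example's own, not the module's.
type Options struct {
	TinkAEADKey           string
	DiscoveryURL          string
	ClientID              string
	ClientSecret          string
	RedirectURL           string
	SessionStoreKind      string
	SessionStoreNamespace string
}

// Register binds every option to a flag, as ModuleOptions.Register does.
func (o *Options) Register(f *flag.FlagSet) {
	f.StringVar(&o.TinkAEADKey, "encrypted-cookies-tink-aead-key", "", `"sm://..." reference to a Tink AEAD keyset`)
	f.StringVar(&o.DiscoveryURL, "encrypted-cookies-discovery-url", "", "URL of the OpenID Connect discovery document")
	f.StringVar(&o.ClientID, "encrypted-cookies-client-id", "", "OAuth2 Web client ID")
	f.StringVar(&o.ClientSecret, "encrypted-cookies-client-secret", "", `"sm://..." reference to the OAuth2 client secret`)
	f.StringVar(&o.RedirectURL, "encrypted-cookies-redirect-url", "", "must be https://<host>/auth/openid/callback")
	f.StringVar(&o.SessionStoreKind, "encrypted-cookies-session-store-kind", "", "session store implementation")
	f.StringVar(&o.SessionStoreNamespace, "encrypted-cookies-session-store-namespace", "", "namespace for sessions in the store")
}

// Validate rejects a configuration that would put secret material on the
// command line or register an OpenID callback the provider must not trust.
func (o *Options) Validate() error {
	for _, s := range []struct{ name, val string }{
		{"tink-aead-key", o.TinkAEADKey}, {"client-secret", o.ClientSecret},
	} {
		if !strings.HasPrefix(s.val, "sm://") {
			return fmt.Errorf("%s must be an sm:// secret reference, not a literal value", s.name)
		}
	}
	if o.ClientID == "" {
		return errors.New("client-id is required")
	}
	if err := requireHTTPS("discovery-url", o.DiscoveryURL); err != nil {
		return err
	}
	if err := requireHTTPS("redirect-url", o.RedirectURL); err != nil {
		return err
	}
	if u, _ := url.Parse(o.RedirectURL); u.Path != "/auth/openid/callback" {
		return errors.New("redirect-url must be https://<host>/auth/openid/callback")
	}
	return nil
}

// requireHTTPS accepts only absolute https:// URLs with a host.
func requireHTTPS(name, raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%s must be an absolute https:// URL, got %q", name, raw)
	}
	return nil
}

// ParseOptions parses args into Options and validates them.
func ParseOptions(args []string) (*Options, error) {
	fs := flag.NewFlagSet("encryptedcookies", flag.ContinueOnError)
	o := &Options{}
	o.Register(fs)
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	if err := o.Validate(); err != nil {
		return nil, err
	}
	return o, nil
}

func main() {
	// Constructed arguments for a hypothetical deployment at app.example.com.
	_, err := ParseOptions([]string{
		"-encrypted-cookies-tink-aead-key=sm://cookie-key",
		"-encrypted-cookies-discovery-url=https://idp.example.com/.well-known/openid-configuration",
		"-encrypted-cookies-client-id=1234.apps.example",
		"-encrypted-cookies-client-secret=sm://client-secret",
		"-encrypted-cookies-redirect-url=https://app.example.com/auth/openid/callback",
	})
	fmt.Println("valid config accepted:", err == nil)
	_, err = ParseOptions([]string{"-encrypted-cookies-client-secret=literal-secret"})
	fmt.Println("literal secret rejected:", err)
}
```

The redirect check matters because the OAuth2 client is registered with the provider for exactly that callback; a mismatched or http:// RedirectURL either breaks the login flow or sends the authorization code over the wrong channel. The sm:// check keeps the client secret and the AEAD key out of process listings and flag dumps.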

type OpenIDConfig

type OpenIDConfig struct {
	// DiscoveryURL is where to fetch the discovery document with the provider's config.
	DiscoveryURL string

	// ClientID identifies the OAuth2 Web client representing the application.
	//
	// Can be obtained by registering the OAuth2 client with the identity
	// provider.
	ClientID string

	// ClientSecret is the secret associated with ClientID.
	//
	// Can be obtained by registering the OAuth2 client with the identity
	// provider.
	ClientSecret string

	// RedirectURI must be `https://<host>/auth/openid/callback`.
	//
	// The OAuth2 client should be configured to allow this redirect URL.
	RedirectURI string
}

OpenIDConfig is the configuration related to the OpenID Connect provider.

All parameters are required.

Directories

Path        Synopsis
session     Package session defines the API for the session storage.
datastore   Package datastore implements session storage over Cloud Datastore.
fakecookies Package fakecookies implements a cookie-based fake authentication method.