Documentation
Constants
const (
	// ImplicitFlow represents the OAuth 2.0 flow in which all tokens are returned from the Authorization Endpoint
	// and neither the Token Endpoint nor an Authorization Code are used.
	ImplicitFlow Flow = iota
	// PKCECodeFlow represents the OAuth 2.0 flow in which an Authorization Code is returned from the
	// Authorization Endpoint and all tokens are returned from the Token Endpoint. This flow represents
	// the PKCE variant as specified in rfc7636. (Proof Key for Code Exchange by OAuth Public Clients)
	PKCECodeFlow
	// DefaultKeycloakDomain is the keycloakDomain which is used when none is specified
	DefaultKeycloakDomain = "https://auth.vseth.ethz.ch"
	// DefaultRealm is the realm that is used when none is specified
	DefaultRealm = "VSETH"
)
Types
type Client
type Client struct {
	Flow           Flow   // default: ImplicitFlow
	Name           string
	Ports          []int  // local ports to run the callback server
	KeycloakDomain string // default: DefaultKeycloakDomain
	Realm          string // default: DefaultRealm
	DisableDialog  bool
	Insecure       bool
}
Client is an authenticator intended for applications whose users can interact with a browser.
func (*Client) Authenticate
Authenticate authenticates the client using either the OIDC implicit flow or the PKCE code flow. This starts a web server and opens a browser. It should only be used for direct user authentication, not for scripts or service accounts.
type Response
type Response struct {
	RefreshToken          string                 `json:"refresh_token,omitempty"`
	RefreshExpirationTime time.Time              `json:"refresh_expiration_time,omitempty"`
	AccessToken           string                 `json:"access_token,omitempty"`
	TokenExpirationTime   time.Time              `json:"expiration_time,omitempty"`
	IDToken               string                 `json:"id_token,omitempty"`
	Claims                map[string]interface{} `json:"claims"`
	Scopes                []string               `json:"scopes"`
}
Response contains all the data that cli-auth was able to gather. Depending on the flow, a refresh token may or may not be set. If set, it can be used to get a new response using the `Refresh` method.
type ServiceAccountClient
type ServiceAccountClient struct {
	Username       string // Username of SA
	Password       string // Password of SA
	KeycloakDomain string // default: DefaultKeycloakDomain
	Realm          string // default: DefaultRealm
	Insecure       bool
}
ServiceAccountClient implements the same authenticator interface as 'Client' but uses the Client Credentials Grant.
func (*ServiceAccountClient) Authenticate
func (sa *ServiceAccountClient) Authenticate(scopes ...string) (*Response, error)
Authenticate authenticates the service account using the Client Credentials Grant. Note: as of this writing, Keycloak does not seem to support requesting certain scopes and will return all roles regardless of the requested scopes.
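Because of the scope caveat above, a service-account token can carry more scopes and roles than the caller asked for. The following is an added example, not code from the cli-auth package, that compares what a response carries against an allowlist. It assumes Response.Claims holds the decoded token claims in Keycloak's default realm_access.roles layout; auditGrant, realmRoles, excess and the sample role names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// realmRoles extracts realm_access.roles from decoded token claims.
// Assumption: the claims map uses Keycloak's default claim layout.
func realmRoles(claims map[string]interface{}) []string {
	access, _ := claims["realm_access"].(map[string]interface{})
	raw, _ := access["roles"].([]interface{})
	var roles []string
	for _, r := range raw {
		if s, ok := r.(string); ok {
			roles = append(roles, s)
		}
	}
	return roles
}

// excess returns the sorted entries of granted that are missing from allowed.
func excess(granted, allowed []string) []string {
	ok := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		ok[a] = true
	}
	var extra []string
	for _, g := range granted {
		if !ok[g] {
			extra = append(extra, g)
		}
	}
	sort.Strings(extra)
	return extra
}

// auditGrant compares what the token carries with what the caller intended
// to hold; a non-empty result means the token is broader than needed.
func auditGrant(claims map[string]interface{}, scopes, wantScopes, wantRoles []string) (extraScopes, extraRoles []string) {
	return excess(scopes, wantScopes), excess(realmRoles(claims), wantRoles)
}

func main() {
	// Constructed sample: claims and scopes as a Response might carry them.
	claims := map[string]interface{}{"realm_access": map[string]interface{}{
		"roles": []interface{}{"printer-user", "realm-admin"}}}
	s, r := auditGrant(claims, []string{"openid", "profile", "email"},
		[]string{"openid"}, []string{"printer-user"})
	fmt.Println("unrequested scopes:", s, "unexpected roles:", r)
}
```

Running the audit right after Authenticate and logging or refusing over-broad tokens keeps a service account's effective privileges visible even when the identity provider ignores the requested scopes.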