configauth

package
v0.13.0

This package is not in the latest version of its module.
Published: Oct 19, 2020 License: Apache-2.0 Imports: 15 Imported by: 19

README

Authentication configuration for receivers

This module allows server types, such as gRPC and HTTP, to be configured to authenticate incoming requests and/or RPCs. Each server type is responsible for extracting the request/RPC metadata and passing it down to the authenticator. Currently, only bearer token authentication is supported, although the module is ready to accept new authenticators.

Examples:

receivers:
  somereceiver:
    grpc:
      authentication:
        attribute: authorization
        oidc:
          issuer_url: https://auth.example.com/
          issuer_ca_path: /etc/pki/tls/cert.pem
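          # The OIDC type documented on this page maps this setting as `audience` (required); it has no `client_id` key.
          audience: my-oidc-client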
          username_claim: email

Documentation

Functions

func GroupsFromContext added in v0.12.0

func GroupsFromContext(ctx context.Context) ([]string, bool)

GroupsFromContext returns a list of groups the subject in the context belongs to

func SubjectFromContext added in v0.12.0

func SubjectFromContext(ctx context.Context) (string, bool)

SubjectFromContext returns the subject stored in the context, along with a boolean reporting whether one was found

Types

type Authentication

type Authentication struct {
	// The attribute (header name) to look for auth data. Optional, default value: "authentication".
	Attribute string `mapstructure:"attribute"`

	// OIDC configures this receiver to use the given OIDC provider as the backend for the authentication mechanism.
	// Required.
	OIDC *OIDC `mapstructure:"oidc"`
}

Authentication defines the auth settings for the receiver

func (*Authentication) ToServerOptions added in v0.12.0

func (a *Authentication) ToServerOptions() ([]grpc.ServerOption, error)

ToServerOptions builds a set of server options ready to be used by the gRPC server

type Authenticator added in v0.12.0

type Authenticator interface {
	io.Closer

	// Authenticate checks whether the given context contains valid auth data. Successfully authenticated calls will always return a nil error and a context with the auth data.
	Authenticate(context.Context, map[string][]string) (context.Context, error)

	// Start will
	Start(context.Context) error

	// UnaryInterceptor is a helper method to provide a gRPC-compatible UnaryInterceptor, typically calling the authenticator's Authenticate method.
	UnaryInterceptor(context.Context, interface{}, *grpc.UnaryServerInfo, grpc.UnaryHandler) (interface{}, error)

	// StreamInterceptor is a helper method to provide a gRPC-compatible StreamInterceptor, typically calling the authenticator's Authenticate method.
	StreamInterceptor(interface{}, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error
}

Authenticator will authenticate the incoming request/RPC
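
The flow implied by the Authenticate and SubjectFromContext signatures, as a stand-alone sketch added here (not the package's own code): read the configured attribute from the request metadata, fail closed on anything other than one well-formed bearer value, and carry the verified subject in the context. The function names, error values, demoVerify and the sample token are hypothetical; verify stands in for OIDC token verification.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

type subjectKey struct{} // unexported key type: other packages cannot overwrite the value

var errNoAuth = errors.New("no auth data, or more than one value")
var errMalformed = errors.New("malformed bearer token")

// authenticate mirrors the Authenticate(ctx, map[string][]string) shape. It fails closed
// unless the attribute holds exactly one "Bearer <token>" value that verify accepts.
func authenticate(ctx context.Context, attribute string, md map[string][]string, verify func(context.Context, string) (string, error)) (context.Context, error) {
	values := md[attribute]
	if len(values) != 1 { // absent or duplicated header
		return ctx, errNoAuth
	}
	parts := strings.SplitN(values[0], " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || strings.TrimSpace(parts[1]) == "" {
		return ctx, errMalformed
	}
	subject, err := verify(ctx, strings.TrimSpace(parts[1]))
	if err != nil {
		return ctx, fmt.Errorf("token verification failed: %w", err)
	}
	return context.WithValue(ctx, subjectKey{}, subject), nil
}

// subjectFrom reads the subject back, in the style of SubjectFromContext.
func subjectFrom(ctx context.Context) (string, bool) {
	s, ok := ctx.Value(subjectKey{}).(string)
	return s, ok
}

// demoVerify is a constructed verifier that accepts a single hard-coded sample token.
func demoVerify(_ context.Context, token string) (string, error) {
	if token == "good-token" {
		return "jdoe@example.com", nil
	}
	return "", errors.New("invalid token")
}

func main() {
	ctx, err := authenticate(context.Background(), "authorization", map[string][]string{"authorization": {"Bearer good-token"}}, demoVerify)
	fmt.Println(ctx.Value(subjectKey{}), err)
}
```

The metadata lookup is an exact map match, so the configured attribute must equal the key the server type passes down (gRPC metadata keys are lowercase).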

func NewAuthenticator added in v0.12.0

func NewAuthenticator(cfg Authentication) (Authenticator, error)

NewAuthenticator creates an authenticator based on the given configuration

type OIDC

type OIDC struct {
	// IssuerURL is the base URL for the OIDC provider.
	// Required.
	IssuerURL string `mapstructure:"issuer_url"`

	// Audience of the token, used during the verification.
	// For example: "https://accounts.google.com" or "https://login.salesforce.com".
	// Required.
	Audience string `mapstructure:"audience"`

	// The local path for the issuer CA's TLS server cert.
	// Optional.
	IssuerCAPath string `mapstructure:"issuer_ca_path"`

	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
	// Optional.
	UsernameClaim string `mapstructure:"username_claim"`

	// The claim that holds the subject's group membership information.
	// Optional.
	GroupsClaim string `mapstructure:"groups_claim"`
}

OIDC defines the OpenID Connect properties for this processor
