Authentication configuration for receivers

This module allows server types, such as gRPC and HTTP, to be configured to perform authentication for requests and/or RPCs. Each server type is responsible for getting the request/RPC metadata and passing down to the authenticator. Currently, only bearer token authentication is supported, although the module is ready to accept new authenticators.


        attribute: authorization
          issuer_ca_path: /etc/pki/tls/cert.pem
          client_id: my-oidc-client
          username_claim: email
Expand ▾ Collapse ▴




This section is empty.


This section is empty.


func GroupsFromContext

func GroupsFromContext(ctx context.Context) ([]string, bool)

    GroupsFromContext returns a list of groups the subject in the context belongs to

    func SubjectFromContext

    func SubjectFromContext(ctx context.Context) (string, bool)

      SubjectFromContext returns a list of groups the subject in the context belongs to


      type Authentication

      type Authentication struct {
      	// The attribute (header name) to look for auth data. Optional, default value: "authentication".
      	Attribute string `mapstructure:"attribute"`
      	// OIDC configures this receiver to use the given OIDC provider as the backend for the authentication mechanism.
      	// Required.
      	OIDC *OIDC `mapstructure:"oidc"`

        Authentication defines the auth settings for the receiver

        func (*Authentication) ToServerOptions

        func (a *Authentication) ToServerOptions() ([]grpc.ServerOption, error)

          ToServerOptions builds a set of server options ready to be used by the gRPC server

          type Authenticator

          type Authenticator interface {
          	// Authenticate checks whether the given context contains valid auth data. Successfully authenticated calls will always return a nil error and a context with the auth data.
          	Authenticate(context.Context, map[string][]string) (context.Context, error)
          	// Start will
          	Start(context.Context) error
          	// UnaryInterceptor is a helper method to provide a gRPC-compatible UnaryInterceptor, typically calling the authenticator's Authenticate method.
          	UnaryInterceptor(context.Context, interface{}, *grpc.UnaryServerInfo, grpc.UnaryHandler) (interface{}, error)
          	// StreamInterceptor is a helper method to provide a gRPC-compatible StreamInterceptor, typically calling the authenticator's Authenticate method.
          	StreamInterceptor(interface{}, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error

            Authenticator will authenticate the incoming request/RPC

            func NewAuthenticator

            func NewAuthenticator(cfg Authentication) (Authenticator, error)

              NewAuthenticator creates an authenticator based on the given configuration

              type OIDC

              type OIDC struct {
              	// IssuerURL is the base URL for the OIDC provider.
              	// Required.
              	IssuerURL string `mapstructure:"issuer_url"`
              	// Audience of the token, used during the verification.
              	// For example: "" or "".
              	// Required.
              	Audience string `mapstructure:"audience"`
              	// The local path for the issuer CA's TLS server cert.
              	// Optional.
              	IssuerCAPath string `mapstructure:"issuer_ca_path"`
              	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
              	// Optional.
              	UsernameClaim string `mapstructure:"username_claim"`
              	// The claim that holds the subject's group membership information.
              	// Optional.
              	GroupsClaim string `mapstructure:"groups_claim"`

                OIDC defines the OpenID Connect properties for this processor