README

Authentication configuration for receivers

This module allows server types, such as gRPC and HTTP, to be configured to perform authentication for requests and/or RPCs. Each server type is responsible for getting the request/RPC metadata and passing down to the authenticator. Currently, only bearer token authentication is supported, although the module is ready to accept new authenticators.

Examples:

receivers:
  somereceiver:
    grpc:
      authentication:
        attribute: authorization
        oidc:
          issuer_url: https://auth.example.com/
          issuer_ca_path: /etc/pki/tls/cert.pem
          client_id: my-oidc-client
          username_claim: email

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GroupsFromContext

func GroupsFromContext(ctx context.Context) ([]string, bool)

    GroupsFromContext returns a list of groups the subject in the context belongs to

    func SubjectFromContext

    func SubjectFromContext(ctx context.Context) (string, bool)

      SubjectFromContext returns a list of groups the subject in the context belongs to

      Types

      type Authentication

      type Authentication struct {
      	// The attribute (header name) to look for auth data. Optional, default value: "authentication".
      	Attribute string `mapstructure:"attribute"`
      
      	// OIDC configures this receiver to use the given OIDC provider as the backend for the authentication mechanism.
      	// Required.
      	OIDC *OIDC `mapstructure:"oidc"`
      }

        Authentication defines the auth settings for the receiver

        func (*Authentication) ToServerOptions

        func (a *Authentication) ToServerOptions() ([]grpc.ServerOption, error)

          ToServerOptions builds a set of server options ready to be used by the gRPC server

          type Authenticator

          type Authenticator interface {
          	io.Closer
          
          	// Authenticate checks whether the given context contains valid auth data. Successfully authenticated calls will always return a nil error and a context with the auth data.
          	Authenticate(context.Context, map[string][]string) (context.Context, error)
          
          	// Start will
          	Start(context.Context) error
          
          	// UnaryInterceptor is a helper method to provide a gRPC-compatible UnaryInterceptor, typically calling the authenticator's Authenticate method.
          	UnaryInterceptor(context.Context, interface{}, *grpc.UnaryServerInfo, grpc.UnaryHandler) (interface{}, error)
          
          	// StreamInterceptor is a helper method to provide a gRPC-compatible StreamInterceptor, typically calling the authenticator's Authenticate method.
          	StreamInterceptor(interface{}, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error
          }

            Authenticator will authenticate the incoming request/RPC

            func NewAuthenticator

            func NewAuthenticator(cfg Authentication) (Authenticator, error)

              NewAuthenticator creates an authenticator based on the given configuration

              type OIDC

              type OIDC struct {
              	// IssuerURL is the base URL for the OIDC provider.
              	// Required.
              	IssuerURL string `mapstructure:"issuer_url"`
              
              	// Audience of the token, used during the verification.
              	// For example: "https://accounts.google.com" or "https://login.salesforce.com".
              	// Required.
              	Audience string `mapstructure:"audience"`
              
              	// The local path for the issuer CA's TLS server cert.
              	// Optional.
              	IssuerCAPath string `mapstructure:"issuer_ca_path"`
              
              	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
              	// Optional.
              	UsernameClaim string `mapstructure:"username_claim"`
              
              	// The claim that holds the subject's group membership information.
              	// Optional.
              	GroupsClaim string `mapstructure:"groups_claim"`
              }

                OIDC defines the OpenID Connect properties for this processor