Documentation
¶
Index ¶
- type ActiveDirectorySessionData
- type CustomSessionData
- type LDAPSessionData
- type OIDCSessionData
- type PinnipedSession
- func (s *PinnipedSession) Clone() fosite.Session
- func (s *PinnipedSession) GetExpiresAt(key fosite.TokenType) time.Time
- func (s *PinnipedSession) GetSubject() string
- func (s *PinnipedSession) GetUsername() string
- func (s *PinnipedSession) IDTokenClaims() *jwt.IDTokenClaims
- func (s *PinnipedSession) IDTokenHeaders() *jwt.Headers
- func (s *PinnipedSession) SetExpiresAt(key fosite.TokenType, exp time.Time)
- func (s *PinnipedSession) SetSubject(subject string)
- type ProviderType
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ActiveDirectorySessionData ¶
type ActiveDirectorySessionData struct {
UserDN string `json:"userDN"`
ExtraRefreshAttributes map[string]string `json:"extraRefreshAttributes,omitempty"`
}
ActiveDirectorySessionData is the additional data needed by Pinniped when the upstream IDP is an Active Directory provider.
func (*ActiveDirectorySessionData) Clone ¶ added in v0.29.0
func (s *ActiveDirectorySessionData) Clone() *ActiveDirectorySessionData
type CustomSessionData ¶
type CustomSessionData struct {
// Username will contain the downstream username determined during initial authorization. We store this
// so that we can validate that it does not change upon refresh. This should normally never be empty, since
// all users must have a username.
Username string `json:"username"`
// UpstreamUsername is the username from the upstream identity provider during the user's initial login before
// identity transformations were applied. We store this so that we can still reapply identity transformations
// during refresh flows even when an upstream OIDC provider does not return the username again during the upstream
// refresh, and so we can validate that same untransformed username was found during an LDAP refresh.
UpstreamUsername string `json:"upstreamUsername"`
// UpstreamGroups is the groups list from the upstream identity provider during the user's initial login before
// identity transformations were applied. We store this so that we can still reapply identity transformations
// during refresh flows even when an OIDC provider does not return the groups again during the upstream
// refresh, and when the LDAP search was configured to skip group refreshes.
UpstreamGroups []string `json:"upstreamGroups"`
// The Kubernetes resource UID of the identity provider CRD for the upstream IDP used to start this session.
// This should be validated again upon downstream refresh to make sure that we are not refreshing against
// a different identity provider CRD which just happens to have the same name.
// This implies that when a user deletes an identity provider CRD, then the sessions that were started
// using that identity provider will not be able to perform any more downstream refreshes.
ProviderUID types.UID `json:"providerUID"`
// The Kubernetes resource name of the identity provider CRD for the upstream IDP used to start this session.
// Used during a downstream refresh to decide which upstream to refresh.
// Also used by the session storage garbage collector to decide which upstream to use for token revocation.
ProviderName string `json:"providerName"`
// The type of the identity provider for the upstream IDP used to start this session.
// Used during a downstream refresh to decide which upstream to refresh.
// Also used to decide which of the pointer types below should be used.
ProviderType ProviderType `json:"providerType"`
// Warnings that were encountered at some point during login that should be emitted to the client.
// These will be RFC 2616-formatted errors with error code 299.
Warnings []string `json:"warnings"`
// Only used when ProviderType == "oidc".
OIDC *OIDCSessionData `json:"oidc,omitempty"`
// Only used when ProviderType == "ldap".
LDAP *LDAPSessionData `json:"ldap,omitempty"`
// Only used when ProviderType == "activedirectory".
ActiveDirectory *ActiveDirectorySessionData `json:"activedirectory,omitempty"`
}
CustomSessionData is the custom session data needed by Pinniped. It should be treated as a union type, where the value of ProviderType decides which other fields to use.
type LDAPSessionData ¶
type LDAPSessionData struct {
UserDN string `json:"userDN"`
ExtraRefreshAttributes map[string]string `json:"extraRefreshAttributes,omitempty"`
}
LDAPSessionData is the additional data needed by Pinniped when the upstream IDP is an LDAP provider.
func (*LDAPSessionData) Clone ¶ added in v0.29.0
func (s *LDAPSessionData) Clone() *LDAPSessionData
type OIDCSessionData ¶
type OIDCSessionData struct {
// UpstreamRefreshToken will contain the refresh token from the upstream OIDC provider, if the upstream provider
// returned a refresh token during initial authorization. Otherwise, this field should be empty
// and the UpstreamAccessToken should be non-empty. We may not get a refresh token from the upstream provider,
// but we should always get an access token. However, when we do get a refresh token there is no need to
// also store the access token, since storing unnecessary tokens makes it possible for them to be leaked and
// creates more upstream revocation HTTP requests when it comes time to revoke the stored tokens.
UpstreamRefreshToken string `json:"upstreamRefreshToken"`
// UpstreamAccessToken will contain the access token returned by the upstream OIDC provider during initial
// authorization, but only when the provider did not also return a refresh token. When UpstreamRefreshToken is
// non-empty, then this field should be empty, indicating that we should use the upstream refresh token during
// downstream refresh.
UpstreamAccessToken string `json:"upstreamAccessToken"`
// UpstreamSubject is the "sub" claim from the upstream identity provider from the user's initial login. We store this
// so that we can validate that it does not change upon refresh.
UpstreamSubject string `json:"upstreamSubject"`
// UpstreamIssuer is the "iss" claim from the upstream identity provider from the user's initial login. We store this
// so that we can validate that it does not change upon refresh.
UpstreamIssuer string `json:"upstreamIssuer"`
}
OIDCSessionData is the additional data needed by Pinniped when the upstream IDP is an OIDC provider.
func (*OIDCSessionData) Clone ¶ added in v0.29.0
func (s *OIDCSessionData) Clone() *OIDCSessionData
type PinnipedSession ¶
type PinnipedSession struct {
// Delegate most things to the standard fosite OpenID JWT session.
Fosite *openid.DefaultSession `json:"fosite,omitempty"`
// Custom Pinniped extensions to the session data.
Custom *CustomSessionData `json:"custom,omitempty"`
}
PinnipedSession is a session container which includes the fosite standard stuff plus custom Pinniped stuff.
func NewPinnipedSession ¶
func NewPinnipedSession() *PinnipedSession
NewPinnipedSession returns a new empty session.
func (*PinnipedSession) Clone ¶
func (s *PinnipedSession) Clone() fosite.Session
func (*PinnipedSession) GetExpiresAt ¶
func (s *PinnipedSession) GetExpiresAt(key fosite.TokenType) time.Time
func (*PinnipedSession) GetSubject ¶
func (s *PinnipedSession) GetSubject() string
func (*PinnipedSession) GetUsername ¶
func (s *PinnipedSession) GetUsername() string
func (*PinnipedSession) IDTokenClaims ¶
func (s *PinnipedSession) IDTokenClaims() *jwt.IDTokenClaims
func (*PinnipedSession) IDTokenHeaders ¶
func (s *PinnipedSession) IDTokenHeaders() *jwt.Headers
func (*PinnipedSession) SetExpiresAt ¶
func (s *PinnipedSession) SetExpiresAt(key fosite.TokenType, exp time.Time)
func (*PinnipedSession) SetSubject ¶
func (s *PinnipedSession) SetSubject(subject string)
type ProviderType ¶
type ProviderType string
const ( ProviderTypeOIDC ProviderType = "oidc" ProviderTypeLDAP ProviderType = "ldap" ProviderTypeActiveDirectory ProviderType = "activedirectory" )
Source Files
Click to show internal directories.
Click to hide internal directories.