provider

package
Version: v0.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 26, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type DynamicTLSCertProvider

type DynamicTLSCertProvider interface {
	SetIssuerHostToTLSCertMap(issuerToJWKSMap map[string]*tls.Certificate)
	SetDefaultTLSCert(certificate *tls.Certificate)
	GetTLSCert(lowercaseIssuerHostName string) *tls.Certificate
	GetDefaultTLSCert() *tls.Certificate
}

func NewDynamicTLSCertProvider

func NewDynamicTLSCertProvider() DynamicTLSCertProvider

type DynamicUpstreamIDPProvider added in v0.3.0

type DynamicUpstreamIDPProvider interface {
	SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI)
	GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI
	SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI)
	GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI
	SetActiveDirectoryIdentityProviders(adIDPs []UpstreamLDAPIdentityProviderI)
	GetActiveDirectoryIdentityProviders() []UpstreamLDAPIdentityProviderI
}

func NewDynamicUpstreamIDPProvider added in v0.3.0

func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider

type FederationDomainIssuer added in v0.3.0

type FederationDomainIssuer struct {
	// contains filtered or unexported fields
}

FederationDomainIssuer represents all of the settings and state for a downstream OIDC provider as defined by a FederationDomain.

func NewFederationDomainIssuer added in v0.3.0

func NewFederationDomainIssuer(issuer string) (*FederationDomainIssuer, error)

func (*FederationDomainIssuer) Issuer added in v0.3.0

func (p *FederationDomainIssuer) Issuer() string

func (*FederationDomainIssuer) IssuerHost added in v0.3.0

func (p *FederationDomainIssuer) IssuerHost() string

func (*FederationDomainIssuer) IssuerPath added in v0.3.0

func (p *FederationDomainIssuer) IssuerPath() string

type RetryableRevocationError added in v0.13.0

type RetryableRevocationError struct {
	// contains filtered or unexported fields
}

func NewRetryableRevocationError added in v0.13.0

func NewRetryableRevocationError(wrapped error) RetryableRevocationError

func (RetryableRevocationError) Error added in v0.13.0

func (e RetryableRevocationError) Error() string

func (RetryableRevocationError) Unwrap added in v0.13.0

func (e RetryableRevocationError) Unwrap() error

type RevocableTokenType added in v0.13.0

type RevocableTokenType string
const (
	RefreshTokenType RevocableTokenType = "refresh_token"
	AccessTokenType  RevocableTokenType = "access_token"
)

These strings correspond to the token types defined by https://datatracker.ietf.org/doc/html/rfc7009#section-2.1

type StoredRefreshAttributes added in v0.13.0

type StoredRefreshAttributes struct {
	Username             string
	Subject              string
	DN                   string
	Groups               []string
	AdditionalAttributes map[string]string
}

type UpstreamLDAPIdentityProviderI added in v0.9.0

type UpstreamLDAPIdentityProviderI interface {
	// GetName returns a name for this upstream provider.
	GetName() string

	// GetURL returns a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234".
	// This URL is not used for connecting to the provider, but rather is used for creating a globally unique user
	// identifier by being combined with the user's UID, since user UIDs are only unique within one provider.
	GetURL() *url.URL

	// GetResourceUID returns the Kubernetes resource ID
	GetResourceUID() types.UID

	// UserAuthenticator adds an interface method for performing user authentication against the upstream LDAP provider.
	authenticators.UserAuthenticator

	// PerformRefresh performs a refresh against the upstream LDAP identity provider
	PerformRefresh(ctx context.Context, storedRefreshAttributes StoredRefreshAttributes) (groups []string, err error)
}

type UpstreamOIDCIdentityProviderI added in v0.3.0

type UpstreamOIDCIdentityProviderI interface {
	// GetName returns a name for this upstream provider, which will be used as a component of the path for the
	// callback endpoint hosted by the Supervisor.
	GetName() string

	// GetClientID returns the OAuth client ID registered with the upstream provider to be used in the authorization code flow.
	GetClientID() string

	// GetResourceUID returns the Kubernetes resource ID
	GetResourceUID() types.UID

	// GetAuthorizationURL returns the Authorization Endpoint fetched from discovery.
	GetAuthorizationURL() *url.URL

	// HasUserInfoURL returns whether there is a non-empty value for userinfo_endpoint fetched from discovery.
	HasUserInfoURL() bool

	// GetScopes returns the scopes to request in authorization (authcode or password grant) flow.
	GetScopes() []string

	// GetUsernameClaim returns the ID Token username claim name. May return empty string, in which case we
	// will use some reasonable defaults.
	GetUsernameClaim() string

	// GetGroupsClaim returns the ID Token groups claim name. May return empty string, in which case we won't
	// try to read groups from the upstream provider.
	GetGroupsClaim() string

	// AllowsPasswordGrant returns true if a client should be allowed to use the resource owner password credentials grant
	// flow with this upstream provider. When false, it should not be allowed.
	AllowsPasswordGrant() bool

	// GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
	GetAdditionalAuthcodeParams() map[string]string

	// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
	// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
	PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)

	// ExchangeAuthcodeAndValidateTokens performs upstream OIDC authorization code exchange and token validation.
	// Returns the validated raw tokens as well as the parsed claims of the ID token.
	ExchangeAuthcodeAndValidateTokens(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
		redirectURI string,
	) (*oidctypes.Token, error)

	// PerformRefresh will call the provider's token endpoint to perform a refresh grant. The provider may or may not
	// return a new ID or refresh token in the response. If it returns an ID token, then use ValidateToken to
	// validate the ID token.
	PerformRefresh(ctx context.Context, refreshToken string) (*oauth2.Token, error)

	// RevokeToken will attempt to revoke the given token, if the provider has a revocation endpoint.
	// It may return an error wrapped by a RetryableRevocationError, which is an error indicating that it may
	// be worth trying to revoke the same token again later. Any other error returned should be assumed to
	// represent an error such that it is not worth retrying revocation later, even though revocation failed.
	RevokeToken(ctx context.Context, token string, tokenType RevocableTokenType) error

	// ValidateTokenAndMergeWithUserInfo will validate the ID token. It will also merge the claims from the userinfo endpoint response
	// into the ID token's claims, if the provider offers the userinfo endpoint. It returns the validated/updated
	// tokens, or an error.
	ValidateTokenAndMergeWithUserInfo(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce, requireIDToken bool, requireUserInfo bool) (*oidctypes.Token, error)
}

Directories

Path Synopsis
Package csp defines helpers related to HTML Content Security Policies.
Package csp defines helpers related to HTML Content Security Policies.
Package formposthtml defines HTML templates used by the Supervisor.
Package formposthtml defines HTML templates used by the Supervisor.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL