Constants ¶
// Scope values a client may request (OpenID Connect Core 1.0, section 5.4).
const (
	// ScopeOpenID marks a request as an OpenID Connect request. A request whose
	// scope parameter lacks this value may still be a valid OAuth 2.0 request,
	// but it is not an OpenID Connect request.
	ScopeOpenID = "openid"

	// ScopeEmail requests the email and email_verified claims.
	ScopeEmail = "email"

	// ScopeProfile requests the End-User's default profile claims: name,
	// family_name, given_name, middle_name, nickname, preferred_username,
	// profile, picture, website, gender, birthdate, zoneinfo, locale and
	// updated_at.
	ScopeProfile = "profile"

	// ScopePhone requests the phone_number and phone_number_verified claims.
	ScopePhone = "phone"

	// ScopeAddress requests the address claim.
	ScopeAddress = "address"
)

// response_type values understood by the authorization endpoint.
const (
	// ResponseCode selects the authorization code flow: the client receives a
	// short-lived code and exchanges it at the token endpoint.
	ResponseCode = "code"

	// ResponseIDToken and ResponseToken select implicit-style responses, in
	// which the ID token or access token is delivered to the user agent
	// directly (per OAuth 2.0 / OpenID Connect, in the redirect URL fragment)
	// with no token endpoint round trip. Prefer ResponseCode where possible.
	ResponseIDToken = "id_token"
	ResponseToken   = "token"
)
// Grant handling methods a Client may declare in Client.GrantMethod.
const (
	// GrantHandlerAuto approves every authorization grant request without
	// asking the user. Intended for first-party, trusted clients only.
	GrantHandlerAuto GrantHandlerType = "auto"

	// GrantHandlerPrompt asks the user to approve each new grant request.
	GrantHandlerPrompt GrantHandlerType = "prompt"

	// GrantHandlerDeny rejects every grant request; it blocks a client
	// without removing its registration.
	GrantHandlerDeny GrantHandlerType = "deny"
)

// Identity mapping methods an IdentityProviderOptions may declare.
const (
	// MappingMethodAuto is the default: on a successful login a user is created
	// and mapped to the identity automatically. It fails if a user with that
	// username is already mapped to a different identity, so an existing
	// account cannot be silently claimed by a new identity.
	MappingMethodAuto MappingMethod = "auto"

	// MappingMethodLookup looks up an existing identity, identity mapping and
	// user but never provisions them; an operator must create users ahead of
	// time.
	MappingMethodLookup MappingMethod = "lookup"

	// MappingMethodMixed would allow one user entity to be mapped to identities
	// from multiple identity providers. It is not supported yet.
	MappingMethodMixed MappingMethod = "mixed"
)

// DefaultIssuer is the fallback issuer identifier (presumably applied when
// Options.Issuer is unset — confirm in NewOptions).
const DefaultIssuer string = "kubesphere"
Variables ¶
// OAuth 2.0 / OpenID Connect error responses returned by the authorization and
// token endpoints. Each value carries only the error code; the New* helpers in
// this package presumably attach a Description.
var (
	// ErrorInvalidClient is returned when client authentication failed
	// (unknown client, no client authentication included, or an unsupported
	// authentication method). The authorization server MAY answer with HTTP
	// 401 (Unauthorized) to indicate which HTTP authentication schemes are
	// supported; if the client authenticated via the "Authorization" request
	// header it MUST answer 401 and include a "WWW-Authenticate" response
	// header matching the scheme the client used.
	ErrorInvalidClient = Error{Type: "invalid_client"}

	// ErrorInvalidRequest is returned when the request is missing a required
	// parameter, includes an unsupported parameter value (other than grant
	// type), repeats a parameter, includes multiple credentials, uses more
	// than one mechanism for authenticating the client, or is otherwise
	// malformed.
	ErrorInvalidRequest = Error{Type: "invalid_request"}

	// ErrorInvalidGrant is returned when the provided authorization grant
	// (e.g. authorization code, resource owner credentials) or refresh token
	// is invalid, expired, revoked, does not match the redirection URI used in
	// the authorization request, or was issued to another client. Keep it a
	// single generic code so a caller cannot probe which of these applies.
	ErrorInvalidGrant = Error{Type: "invalid_grant"}

	// ErrorUnsupportedGrantType is returned when the authorization grant type
	// is not supported by the authorization server.
	ErrorUnsupportedGrantType = Error{Type: "unsupported_grant_type"}

	// ErrorUnsupportedResponseType is returned by the authorization endpoint
	// when the requested response_type is not one of ValidResponseTypes.
	ErrorUnsupportedResponseType = Error{Type: "unsupported_response_type"}

	// ErrorUnauthorizedClient is returned when the authenticated client is not
	// authorized to use this authorization grant type.
	ErrorUnauthorizedClient = Error{Type: "unauthorized_client"}

	// ErrorInvalidScope is returned when the requested scope is invalid,
	// unknown, malformed, or exceeds the scope granted by the resource owner.
	ErrorInvalidScope = Error{Type: "invalid_scope"}

	// ErrorLoginRequired is returned when the Authorization Server requires
	// End-User authentication. It MAY be returned when the prompt parameter of
	// the Authentication Request is "none" but the request cannot be completed
	// without displaying a user interface for End-User authentication.
	ErrorLoginRequired = Error{Type: "login_required"}

	// ErrorServerError is returned when the authorization server encountered
	// an unexpected condition that prevented it from fulfilling the request.
	// (This code exists because an HTTP 500 status cannot be conveyed to the
	// client via an HTTP redirect.) Never place internal error text in its
	// Description.
	ErrorServerError = Error{Type: "server_error"}
)
The error types above follow RFC 6749 §5.2 (token endpoint) and §4.1.2.1 (authorization endpoint, e.g. unsupported_response_type); login_required is defined by OpenID Connect Core 1.0 §3.1.2.6. See https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
// Sentinel lookup errors returned by this package's configuration helpers.
// Compare with errors.Is, not by message text.
var (
	// ErrorClientNotFound reports that no OAuth client with the requested
	// client_id is registered.
	ErrorClientNotFound = errors.New("the OAuth client was not found")

	// ErrorProviderNotFound reports that no identity provider with the
	// requested name is registered (see Options.IdentityProviderOptions).
	ErrorProviderNotFound = errors.New("the identity provider was not found")

	// ErrorRedirectURLNotAllowed reports that a requested redirect_uri is not
	// among the client's registered RedirectURIs.
	ErrorRedirectURLNotAllowed = errors.New("redirect URL is not allowed")
)
// AllowAllRedirectURI is the sentinel RedirectURIs entry that accepts whatever
// redirect_uri the authorization request carries, as long as one is present.
//
// SECURITY: a client registered with "*" gets no redirect URI validation at
// all, so anyone who can lure a user onto a crafted authorization link can
// have the authorization code (or, with an implicit response_type, the token
// itself) delivered to a URL of their choosing. Reserve it for local
// development and never for a production client.
var AllowAllRedirectURI = "*"
// ValidResponseTypes lists every response_type the authorization endpoint
// accepts (presumably what IsValidResponseTypes checks against).
//
// ResponseIDToken and ResponseToken are implicit-flow responses; the OAuth 2.0
// Security Best Current Practice recommends against issuing access tokens
// that way. A deployment that only needs the code flow may want to narrow this
// list to ResponseCode.
var ValidResponseTypes = []string{
	ResponseCode,
	ResponseIDToken,
	ResponseToken,
}
// ValidScopes lists the scope values this server accepts (presumably what
// IsValidScopes checks against). ScopePhone and ScopeAddress are declared in
// this package but intentionally-or-not absent here — TODO confirm whether
// requests for them should be rejected.
var ValidScopes = []string{
	ScopeOpenID,
	ScopeEmail,
	ScopeProfile,
}
Functions ¶
func IsValidResponseTypes ¶
func IsValidScopes ¶
Types ¶
type Client ¶
// Client is the registration record for one OAuth client.
type Client struct {
	// Name is the client identifier: it is used as the client_id parameter when
	// making requests to <master>/oauth/authorize and <master>/oauth/token.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Secret is the unique secret associated with a client. The json tag "-"
	// keeps it out of JSON output, but the yaml tag still writes it, so treat
	// any YAML dump of the configuration as sensitive.
	Secret string `json:"-" yaml:"secret,omitempty"`
	// RespondWithChallenges indicates whether the client wants
	// authentication-needed responses made in the form of challenges instead
	// of redirects.
	RespondWithChallenges bool `json:"respondWithChallenges,omitempty" yaml:"respondWithChallenges,omitempty"`
	// RedirectURIs is the list of redirection URIs the client may use.
	// NOTE(review): this package declares AllowAllRedirectURI ("*"); if that
	// entry is honoured here it disables redirect_uri validation for the
	// client and lets an attacker-chosen URI receive the authorization code.
	// Confirm how the redirect check treats it before using it outside local
	// development.
	RedirectURIs []string `json:"redirectURIs,omitempty" yaml:"redirectURIs,omitempty"`
	// GrantMethod determines how to handle grants for this client. If no method
	// is provided, the cluster default grant handling method is used. Valid
	// grant handling methods are:
	//   - auto: always approves grant requests, useful for trusted clients
	//   - prompt: prompts the end user for approval of grant requests, useful
	//     for third-party clients
	//   - deny: always denies grant requests, useful for blocked clients
	GrantMethod GrantHandlerType `json:"grantMethod,omitempty" yaml:"grantMethod,omitempty"`
	// ScopeRestrictions describes which scopes this client can request. Each
	// requested scope is checked against each restriction: if any restriction
	// matches, the scope is allowed; if none matches, the scope is denied.
	ScopeRestrictions []string `json:"scopeRestrictions,omitempty" yaml:"scopeRestrictions,omitempty"`
	// AccessTokenMaxAge overrides the default access token max age
	// (Options.AccessTokenMaxAge) for tokens granted to this client.
	AccessTokenMaxAge *time.Duration `json:"accessTokenMaxAge,omitempty" yaml:"accessTokenMaxAge,omitempty"`
	// AccessTokenInactivityTimeout overrides the default token inactivity
	// timeout (Options.AccessTokenInactivityTimeout) for tokens granted to
	// this client.
	AccessTokenInactivityTimeout *time.Duration `json:"accessTokenInactivityTimeout,omitempty" yaml:"accessTokenInactivityTimeout,omitempty"`
}
type Error ¶
// Error is the body of an OAuth 2.0 error response (RFC 6749, section 5.2).
type Error struct {
	// Type is REQUIRED: a single ASCII [USASCII] error code. Values for the
	// "error" parameter MUST NOT include characters outside the set
	// %x20-21 / %x23-5B / %x5D-7E.
	Type string `json:"error"`
	// Description is OPTIONAL: human-readable ASCII [USASCII] text providing
	// additional information, used to assist the client developer in
	// understanding the error that occurred. Values for the
	// "error_description" parameter MUST NOT include characters outside the
	// set %x20-21 / %x23-5B / %x5D-7E — note this excludes '"' (%x22) and '\'
	// (%x5C), so do not copy raw request input into it unfiltered.
	Description string `json:"error_description,omitempty"`
}
Error wraps an OAuth 2.0 error response; for details see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2. The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters in the response:
func NewInvalidClient ¶
func NewInvalidGrant ¶
func NewInvalidRequest ¶
func NewInvalidScope ¶
func NewServerError ¶
type GrantHandlerType ¶
// GrantHandlerType names how authorization grant requests for a client are
// handled; see GrantHandlerAuto, GrantHandlerPrompt and GrantHandlerDeny.
type GrantHandlerType string
type IdentityProviderOptions ¶
// IdentityProviderOptions is the registration record for one identity
// provider (see Options.IdentityProviders).
type IdentityProviderOptions struct {
	// Name is the provider name; Options.IdentityProviderOptions looks
	// providers up by it.
	Name string `json:"name" yaml:"name"`
	// MappingMethod defines how new identities are mapped to users when they
	// log in. Allowed values are:
	//   - auto: the default. A user is created and mapped automatically on a
	//     successful login; fails if a user with that username is already
	//     mapped to another identity.
	//   - lookup: looks up an existing identity, identity mapping and user but
	//     never provisions them; users must be provisioned manually.
	//   - mixed: one user entity may be mapped to identities from multiple
	//     identity providers (declared as not supported yet).
	MappingMethod MappingMethod `json:"mappingMethod" yaml:"mappingMethod"`
	// DisableLoginConfirmation skips the account-information confirmation step
	// after a successful login. The username from the IdP must match
	// [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
	// NOTE(review): presumably the IdP-asserted username is then used as-is,
	// so only enable this for providers whose usernames are unique and stable;
	// combined with MappingMethodAuto they become account names directly.
	DisableLoginConfirmation bool `json:"disableLoginConfirmation" yaml:"disableLoginConfirmation"`
	// Type is the kind of identity provider, e.g. OpenIDIdentityProvider,
	// LDAPIdentityProvider or GitHubIdentityProvider. (The IdentityProviderType
	// type exists in this package but is not used for this field.)
	Type string `json:"type" yaml:"type"`
	// Provider holds the provider-specific options, decoded dynamically by
	// Type. NOTE(review): these typically carry client secrets or bind
	// credentials and the field is serialized to both JSON and YAML — confirm
	// nothing marshals Options back out to untrusted readers.
	Provider options.DynamicOptions `json:"provider" yaml:"provider"`
}
type IdentityProviderType ¶
// IdentityProviderType names the kind of identity provider. NOTE(review):
// nothing visible here uses it — IdentityProviderOptions.Type is a plain
// string — so confirm it is still referenced elsewhere before relying on it.
type IdentityProviderType string
type MappingMethod ¶
// MappingMethod names how identities from an identity provider are mapped to
// users; see MappingMethodAuto, MappingMethodLookup and MappingMethodMixed.
type MappingMethod string
type Options ¶
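// Options is the top-level OAuth / OpenID Connect server configuration.
type Options struct {
	// Issuer is the Issuer Identifier: a case-sensitive URL using the https
	// scheme that contains scheme, host, and optionally port number and path
	// components, and no query or fragment components.
	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
	// SignKey is the path of the RSA private key file used to sign ID tokens.
	SignKey string `json:"signKey,omitempty" yaml:"signKey,omitempty"`
	// SignKeyData is the raw RSA private key as a base64-encoded PEM file.
	//
	// The json tag must be exactly "-": encoding/json skips a field only when
	// its whole tag is "-", whereas "-,omitempty" names the field "-" and
	// emits it. The previous tag therefore serialized the private key under
	// the JSON key "-" whenever Options was marshalled. The key remains
	// loadable from YAML configuration, matching how Client.Secret is tagged.
	SignKeyData string `json:"-" yaml:"signKeyData,omitempty"`
	// IdentityProviders registers the identity providers users may log in with.
	IdentityProviders []IdentityProviderOptions `json:"identityProviders,omitempty" yaml:"identityProviders,omitempty"`
	// Clients registers additional OAuth clients.
	Clients []Client `json:"clients,omitempty" yaml:"clients,omitempty"`
	// AccessTokenMaxAge controls the lifetime of access tokens. The default
	// lifetime is 24 hours. 0 means no expiration, which makes a leaked token
	// valid indefinitely; avoid it outside development.
	AccessTokenMaxAge time.Duration `json:"accessTokenMaxAge" yaml:"accessTokenMaxAge"`
	// AccessTokenInactivityTimeout is the server-wide inactivity timeout for
	// tokens: the maximum time allowed between consecutive uses of a token.
	// A token that is not used within this window becomes invalid and the
	// user must acquire a new one. Clients may override it per client via
	// Client.AccessTokenInactivityTimeout. Valid values are:
	//   - 0: tokens never time out
	//   - X: tokens time out after X with no activity; the current minimum
	//     allowed value for X is 5 minutes
	AccessTokenInactivityTimeout time.Duration `json:"accessTokenInactivityTimeout" yaml:"accessTokenInactivityTimeout"`
}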
func NewOptions ¶
func NewOptions() *Options
func (*Options) IdentityProviderOptions ¶
func (o *Options) IdentityProviderOptions(name string) (*IdentityProviderOptions, error)
type Token ¶
// Token is a token endpoint response (RFC 6749 section 5.1, plus the OpenID
// Connect id_token member). AccessToken, RefreshToken and IDToken are bearer
// credentials: never log or persist a Token in plaintext.
type Token struct {
	// AccessToken is the token that authorizes and authenticates requests.
	AccessToken string `json:"access_token"`
	// TokenType is the type of token. (The original comment refers to a Type
	// method that returns either this or the default "Bearer"; that method is
	// not shown here — confirm it exists.)
	TokenType string `json:"token_type,omitempty"`
	// RefreshToken is a token used by the application (as opposed to the user)
	// to obtain a new access token when the current one expires.
	RefreshToken string `json:"refresh_token,omitempty"`
	// IDToken is the ID Token associated with the authenticated session.
	IDToken string `json:"id_token,omitempty"`
	// ExpiresIn is the optional number of seconds until AccessToken expires.
	ExpiresIn int `json:"expires_in,omitempty"`
}