Documentation
¶
Index ¶
Constants ¶
View Source
const ( // TenantIDKey defines the key representing the tenant id in the additional // information mapping table of the user information. TenantIDKey = "tenantid" )
Variables ¶
This section is empty.
Functions ¶
func NewIDTokenVerifier ¶
func NewIDTokenVerifier(ctx context.Context, issuer string, externalIssuer string, config *oidc.Config) (*oidc.IDTokenVerifier, error)
NewIDTokenVerifier uses the OpenID Connect discovery mechanism to construct a verifier manually from a issuer URL. The issuer is the URL identifier for the service. For example: "https://accounts.google.com" or "https://login.salesforce.com".
Types ¶
type Authenticator ¶
type Authenticator struct {
IssuerURL string
// contains filtered or unexported fields
}
Authenticator checks a string value against a backing authentication store and returns a Response or an error if the token could not be checked.
func New ¶
func New(opts *Options) (*Authenticator, error)
New to create the Authenticator object by give options.
func (*Authenticator) AuthenticateToken ¶
func (a *Authenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)
AuthenticateToken checks a string value against a backing authentication store and returns a Response or an error if the token could not be checked.
type Options ¶
type Options struct {
// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
// field of all tokens produced by the provider and is used for configuration
// discovery.
//
// The URL is usually the provider's URL without a path, for example
// "https://accounts.google.com" or "https://login.salesforce.com".
//
// The provider must implement configuration discovery.
// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
IssuerURL string
// ExternalIssuerURL is the external URL the provider signs ID token as. This will be used to
// verify "iss" field of the token when the oidc provider need to provide internal or
// external access, it is usually then same as IssuerURL
ExternalIssuerURL string
// ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
// client to ensure the plugin can be used with public providers.
//
// The plugin supports the "authorized party" OpenID Connect claim, which allows
// specialized providers to issue tokens to a client for a different client.
// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
ClientID string
// APIAudiences are the audiences that the API server identitifes as. The
// (API audiences unioned with the ClientIDs) should have a non-empty
// intersection with the request's target audience. This preserves the
// behavior of the OIDC authenticator pre-introduction of API audiences.
APIAudiences authenticator.Audiences
// Path to a PEM encoded root certificate of the provider.
CAFile string
// UsernameClaim is the JWT field to use as the user's username.
UsernameClaim string
// UsernamePrefix, if specified, causes claims mapping to username to be prefix with
// the provided value. A value "oidc:" would result in usernames like "oidc:john".
UsernamePrefix string
// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
// groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
// must be a string or list of strings.
GroupsClaim string
TenantIDClaim string
TenantIDPrefix string
// GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
// value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
GroupsPrefix string
// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
// can be used by the provider to sign tokens.
//
// https://tools.ietf.org/html/rfc7518#section-3.1
//
// This value defaults to RS256, the value recommended by the OpenID Connect
// spec:
//
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
SupportedSigningAlgs []string
// RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the
// required claims key value pairs are present in the ID Token.
RequiredClaims map[string]string
}
Options defines the configuration options needed to initialize OpenID Connect authentication.
type ProviderJSON ¶
type ProviderJSON struct {
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
JWKSURL string `json:"jwks_uri"`
UserInfoURL string `json:"userinfo_endpoint"`
}
ProviderJSON represents the OpenID Connect url configurations.
func GetProviderConfig ¶
func GetProviderConfig(ctx context.Context, issuer string) (*ProviderJSON, error)
GetProviderConfig gets the OpenID Connect configurations by using the discovery mechanism from a issuer URL. The issuer is the URL identifier for the service. For example: "https://accounts.google.com" or "https://login.salesforce.com".
Source Files
Click to show internal directories.
Click to hide internal directories.