oidc

package

Documentation

Index

Constants

View Source
const (
	// TenantIDKey defines the key representing the tenant id in the additional
	// information mapping table of the user information.
	TenantIDKey = "tenantid"

	// DisplayNameKey defines the key representing the user display name in the additional
	// information mapping table of the user information.
	DisplayNameKey = "displayname"
)

Variables

This section is empty.

Functions

func NewIDTokenVerifier

func NewIDTokenVerifier(ctx context.Context, issuer string, externalIssuer string, config *oidc.Config) (*oidc.IDTokenVerifier, error)

NewIDTokenVerifier uses the OpenID Connect discovery mechanism to construct a verifier manually from a issuer URL. The issuer is the URL identifier for the service. For example: "https://accounts.google.com" or "https://login.salesforce.com".

Types

type Authenticator

type Authenticator struct {
	IssuerURL string
	// contains filtered or unexported fields
}

Authenticator checks a string value against a backing authentication store and returns a Response or an error if the token could not be checked.

func New

func New(opts *Options) (*Authenticator, error)

New to create the Authenticator object by give options.

func (*Authenticator) AuthenticateToken

func (a *Authenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)

AuthenticateToken checks a string value against a backing authentication store and returns a Response or an error if the token could not be checked.

type Options

type Options struct {
	// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
	// field of all tokens produced by the provider and is used for configuration
	// discovery.
	//
	// The URL is usually the provider's URL without a path, for example
	// "https://accounts.google.com" or "https://login.salesforce.com".
	//
	// The provider must implement configuration discovery.
	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	IssuerURL string

	// ExternalIssuerURL is the external URL the provider signs ID token as. This will be used to
	// verify "iss" field of the token when the oidc provider need to provide internal or
	// external access, it is usually then same as IssuerURL
	ExternalIssuerURL string

	// ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
	// client to ensure the plugin can be used with public providers.
	//
	// The plugin supports the "authorized party" OpenID Connect claim, which allows
	// specialized providers to issue tokens to a client for a different client.
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
	ClientID string

	// APIAudiences are the audiences that the API server identitifes as. The
	// (API audiences unioned with the ClientIDs) should have a non-empty
	// intersection with the request's target audience. This preserves the
	// behavior of the OIDC authenticator pre-introduction of API audiences.
	APIAudiences authenticator.Audiences

	// Path to a PEM encoded root certificate of the provider.
	CAFile string

	// UsernameClaim is the JWT field to use as the user's username.
	UsernameClaim string

	// UsernamePrefix, if specified, causes claims mapping to username to be prefix with
	// the provided value. A value "oidc:" would result in usernames like "oidc:john".
	UsernamePrefix string

	// DisplayNameClaim is the JWT field to use as the user's display name.
	DisplayNameClaim string

	// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
	// groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
	// must be a string or list of strings.
	GroupsClaim string

	TenantIDClaim  string
	TenantIDPrefix string

	// GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
	// value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
	GroupsPrefix string

	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
	// can be used by the provider to sign tokens.
	//
	// https://tools.ietf.org/html/rfc7518#section-3.1
	//
	// This value defaults to RS256, the value recommended by the OpenID Connect
	// spec:
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
	SupportedSigningAlgs []string

	// RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the
	// required claims key value pairs are present in the ID Token.
	RequiredClaims map[string]string
}

Options defines the configuration options needed to initialize OpenID Connect authentication.

type ProviderJSON

type ProviderJSON struct {
	Issuer      string `json:"issuer"`
	AuthURL     string `json:"authorization_endpoint"`
	TokenURL    string `json:"token_endpoint"`
	JWKSURL     string `json:"jwks_uri"`
	UserInfoURL string `json:"userinfo_endpoint"`
}

ProviderJSON represents the OpenID Connect url configurations.

func GetProviderConfig

func GetProviderConfig(ctx context.Context, issuer string) (*ProviderJSON, error)

GetProviderConfig gets the OpenID Connect configurations by using the discovery mechanism from a issuer URL. The issuer is the URL identifier for the service. For example: "https://accounts.google.com" or "https://login.salesforce.com".

Source Files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL