handlers

package
v0.1.12 (not the latest version of this module)
Published: Oct 16, 2020 License: BSD-3-Clause Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewOAuthBlessingHandler

func NewOAuthBlessingHandler(ctx *context.T, params OAuthBlesserParams, apps RegisteredAppMap) http.Handler

NewOAuthBlessingHandler returns an http.Handler that uses Google OAuth2 Access tokens to obtain the username of the requestor and responds with blessings for that username.

The blessings are namespaced under the ClientID for the access token. In particular, the name of the granted blessing is of the form <idp>:<appID>:<email> where <idp> is the name of the default blessings used by the identity provider and <appID> is the name of the 'app' - either the OAuth ClientID or a registered alias.

Blessings generated by this service carry a third-party revocation caveat if a RevocationManager is specified in the params; otherwise they carry an ExpiryCaveat that expires after the duration specified by the params.

The handler expects the following request parameters:

  • "public_key": Base64 DER encoded PKIX representation of the client's public key
  • "caveats": Base64 VOM encoded list of caveats [OPTIONAL]
  • "token": Google OAuth2 Access token
  • "output_format": The encoding format for the returned blessings. The following formats are supported:
      • "json": JSON-encoding of the wire format of Blessings.
      • "base64vom": Base64URL encoding of VOM-encoded Blessings [DEFAULT]

The response consists of blessings encoded in the requested output format.

WARNINGS:

  • There is no binding between the channel over which the access token was obtained and the channel used to make this request.
  • There is no "proof of possession of private key" required by the server.

Thus, if Mallory (attacker) possesses the access token associated with Alice's account (victim), she may be able to obtain a blessing with Alice's name on it for any public key of her choice.

Types

type BlessingRoot

type BlessingRoot struct {
	P security.Principal
}

BlessingRoot is an http.Handler implementation that renders the server's blessing names and public key in a json string.

func (BlessingRoot) ServeHTTP

func (b BlessingRoot) ServeHTTP(w http.ResponseWriter, r *http.Request)

type OAuthBlesserParams

type OAuthBlesserParams struct {
	// The OAuth provider that must have issued the access tokens accepted by this service.
	OAuthProvider oauth.OAuthProvider
	// The object name of the discharger service. If this is empty then revocation caveats will not be granted.
	DischargerLocation string
	// The revocation manager that generates caveats and manages revocation.
	RevocationManager revocation.RevocationManager
	// The duration for which blessings will be valid. (Used iff RevocationManager is nil).
	BlessingDuration time.Duration
}

OAuthBlesserParams represents all the parameters required for exchanging an OAuth token for blessings.

type RegisteredAppMap

type RegisteredAppMap map[string]struct {
	Extension string
}

Map of client ID -> blessing extension. The blessing given for a token with ClientID 'id' is generated by extending the default blessing of this service's principal with the extension held in this map for 'id'. The string "{email}" in the Extension will be replaced by the email from the request's access token.
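The following Go program is an added illustration, not code from this package: it builds the request parameters documented for NewOAuthBlessingHandler (a base64, DER-encoded PKIX "public_key" plus "token" and "output_format") and applies the <idp>:<appID>:<email> naming rule, including the "{email}" substitution for a registered client ID. The local RegisteredAppMap type, the standard base64 alphabet, and the sample client ID, token, and IdP name are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// RegisteredAppMap mirrors the handlers type: OAuth client ID -> blessing extension.
type RegisteredAppMap map[string]struct{ Extension string }

// BlessingRequestValues builds the documented form parameters. Standard base64 for the
// DER/PKIX "public_key" is an assumption; the page does not name the alphabet.
func BlessingRequestValues(pub *ecdsa.PublicKey, token, format string) (url.Values, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	v := url.Values{}
	v.Set("public_key", base64.StdEncoding.EncodeToString(der))
	v.Set("token", token)
	v.Set("output_format", format)
	return v, nil
}

// ExpectedBlessingName applies the documented rule <idp>:<appID>:<email>: a registered
// client ID contributes its Extension with "{email}" substituted, an unregistered one
// is used verbatim as the app name.
func ExpectedBlessingName(idp string, apps RegisteredAppMap, clientID, email string) string {
	if app, ok := apps[clientID]; ok {
		return idp + ":" + strings.ReplaceAll(app.Extension, "{email}", email)
	}
	return idp + ":" + clientID + ":" + email
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed client key
	v, err := BlessingRequestValues(&key.PublicKey, "ya29.constructed-token", "json")
	if err != nil {
		panic(err)
	}
	fmt.Println(v.Encode())
	apps := RegisteredAppMap{"1234.apps.googleusercontent.com": {Extension: "myapp:{email}"}}
	fmt.Println(ExpectedBlessingName("dev.v.io", apps, "1234.apps.googleusercontent.com", "alice@example.com"))
}
```

Because the handler requires no proof of possession, any key encoded this way is accepted as the requestor's; a deployment should treat the access token as the only thing binding the request to an account.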
