auth

package

v1.0.0 Latest Latest Go to latest Published: Mar 12, 2021 License: MIT Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

dev.azure.com/fmonod/Bot-Builder/_git/msbotbuilder-go

Links

Open Source Insights

Documentation ¶

Overview ¶

Package auth provides authentication properties and functionalities for the connector service.

TokenValidator provides the functionality for authenticating a JWT token in a received request. Others provide the basic structures needed.

Index ¶

Constants
Variables
type Claim
- func NewClaim(tpe, val string) Claim
type ClaimsIdentity
- func NewClaimIdentity(claims map[string]interface{}, isAuth bool) ClaimsIdentity
type CredentialProvider
type DefaultClaim
type DefaultClaimIdentity
- func (ci DefaultClaimIdentity) GetClaimValue(cType string) string
- func (ci DefaultClaimIdentity) IsAuthenticated() bool
type JwtTokenValidator
- func (jv *JwtTokenValidator) AuthenticateRequest(ctx context.Context, activity schema.Activity, authHeader string, ...) (ClaimsIdentity, error)
type SimpleCredentialProvider
type TokenValidator
- func NewJwtTokenValidator() TokenValidator

Constants ¶

View Source

const (
	// ToChannelFromBotLoginURLPrefix : Login URL prefix
	ToChannelFromBotLoginURLPrefix = "https://login.microsoftonline.com/"

	// ToChannelFromBotTokenEndpointPathTOCHANNELFROMBOTTOKENENDPOINTPATH : Login URL token endpoint path
	ToChannelFromBotTokenEndpointPathTOCHANNELFROMBOTTOKENENDPOINTPATH = "/oauth2/v2.0/token"

	// DefaultChannelAuthTenant : Default tenant from which to obtain a token for bot to channel communication
	DefaultChannelAuthTenant = "botframework.com"

	// ToChannelFromBotOauthScope : OAuth scope to request
	ToChannelFromBotOauthScope = "https://api.botframework.com/.default"

	// ToBotFromChannelTokenIssuer : Token issuer
	ToBotFromChannelTokenIssuer = "https://api.botframework.com"

	// BotOpenIDMetadataKey : Application Setting Key for the OpenIdMetadataURL value.
	BotOpenIDMetadataKey = "BotOpenIdMetadata"

	// ChannelService : Application Setting Key for the ChannelService value.
	ChannelService = "ChannelService"

	// OauthURLKey Application Setting Key for the OAuthURL value.
	OauthURLKey = "OAuthApiEndpoint"

	// EmulateOauthCardsKey : Application Settings Key for whether to emulate OAuthCards when using the emulator.
	EmulateOauthCardsKey = "EmulateOAuthCards"

	// AuthorizedParty "azp" Claim.
	//Authorized party - the party to which the ID Token was issued.
	//This claim follows the general format set forth in the OpenID Spec.
	//    http://openid.net/specs/openid-connect-core-10.html#IDToken
	AuthorizedParty = "azp"

	/*AudienceClaim From RFC 7519.
	      https://tools.ietf.org/html/rfc7519#section-4.1.3
	  The "aud" (audience) claim identifies the recipients that the JWT is
	  intended for.  Each principal intended to process the JWT MUST
	  identify itself with a value in the audience claim.If the principal
	  processing the claim does not identify itself with a value in the
	  "aud" claim when this claim is present, then the JWT MUST be
	  rejected.In the general case, the "aud" value is an array of case-
	  sensitive strings, each containing a StringOrURI value.In the
	  special case when the JWT has one audience, the "aud" value MAY be a
	  single case-sensitive string containing a StringOrURI value.The
	  interpretation of audience values is generally application specific.
	  Use of this claim is OPTIONAL.
	*/
	AudienceClaim = "aud"

	/*IssuerClaim  From RFC 7519.
	      https://tools.ietf.org/html/rfc7519#section-4.1.1
	  The "iss" (issuer) claim identifies the principal that issued the
	  JWT.  The processing of this claim is generally application specific.
	  The "iss" value is a case-sensitive string containing a StringOrURI
	  value.  Use of this claim is OPTIONAL.
	*/
	IssuerClaim = "iss"

	/*KeyIDHeader From RFC 7515
	      https://tools.ietf.org/html/rfc7515#section-4.1.4
	  The "kid" (key ID) Header Parameter is a hint indicating which key
	  was used to secure the JWS. This parameter allows originators to
	  explicitly signal a change of key to recipients. The structure of
	  the "kid" value is unspecified. Its value MUST be a case-sensitive
	  string. Use of this Header Parameter is OPTIONAL.
	  When used with a JWK, the "kid" value is used to match a JWK "kid"
	  parameter value.
	*/
	KeyIDHeader = "kid"

	// VersionClaim Token version claim name. As used in Microsoft AAD tokens.
	VersionClaim = "ver"

	// AppIDClaim App ID claim name. As used in Microsoft AAD 1.0 tokens.
	AppIDClaim = "appid"

	// ServiceURLClaim Service URL claim name. As used in Microsoft Bot Framework v3.1 auth.
	ServiceURLClaim = "serviceurl"
)

Variables ¶

View Source

var (
	// ToChannelFromBotLoginURL : Login URL
	//
	//DEPRECATED: DO NOT USE
	ToChannelFromBotLoginURL = []string{
		"https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token",
	}

	// ToBotFromChannelOpenIDMetadataURL : OpenID metadata document for tokens coming from MSA
	ToBotFromChannelOpenIDMetadataURL = []string{
		"https://login.botframework.com/v1/.well-known/openidconfiguration",
	}

	// ToBotFromEnterpriseChannelOpenIDMetadataURLFormat : OpenID metadata document for tokens coming from MSA
	ToBotFromEnterpriseChannelOpenIDMetadataURLFormat = []string{
		"https://{channelService}.enterprisechannel.botframework.com",
		"/v1/.well-known/openidconfiguration",
	}

	// ToBotFromEmulatorOpenIDMetadataURL : OpenID metadata document for tokens coming from MSA
	ToBotFromEmulatorOpenIDMetadataURL = []string{
		"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
	}

	// AllowedSigningAlgorithms : Tokens come from channels to the bot. The code
	//that uses this also supports tokens coming from the emulator.
	AllowedSigningAlgorithms = []string{"RS256", "RS384", "RS512"}
)

Functions ¶

This section is empty.

Types ¶

type Claim ¶

type Claim interface{}

Claim represents a claim in a JWT token.

func NewClaim ¶

func NewClaim(tpe, val string) Claim

NewClaim contructs and returns a new Claim value.

type ClaimsIdentity ¶

type ClaimsIdentity interface {
	GetClaimValue(string) string
	IsAuthenticated() bool
}

ClaimsIdentity is the interface to process claims in a JWT token.

func NewClaimIdentity ¶

func NewClaimIdentity(claims map[string]interface{}, isAuth bool) ClaimsIdentity

NewClaimIdentity creates and returns a new ClaimsIdentity value.

type CredentialProvider ¶

type CredentialProvider interface {
	IsValidAppID(appID string) bool
	GetAppPassword() string
	GetAppID() string
	IsAuthenticationDisabled() bool
}

CredentialProvider represents and provides functionality for a type of Credential.

type DefaultClaim ¶

type DefaultClaim struct {
	Type  string
	Value string
}

DefaultClaim is the default implementation fo Claim.

type DefaultClaimIdentity ¶

type DefaultClaimIdentity struct {
	// contains filtered or unexported fields
}

DefaultClaimIdentity implements ClaimsIdentity to create and process Claim values.

func (DefaultClaimIdentity) GetClaimValue ¶

func (ci DefaultClaimIdentity) GetClaimValue(cType string) string

GetClaimValue returns value for a specified property of a claim.

func (DefaultClaimIdentity) IsAuthenticated ¶

func (ci DefaultClaimIdentity) IsAuthenticated() bool

IsAuthenticated returns if the Claim is authenticated.

type JwtTokenValidator ¶

type JwtTokenValidator struct {
	cache.AuthCache
}

JwtTokenValidator is the default implementation of TokenValidator.

func (*JwtTokenValidator) AuthenticateRequest ¶

func (jv *JwtTokenValidator) AuthenticateRequest(ctx context.Context, activity schema.Activity, authHeader string, credentials CredentialProvider, channelService string) (ClaimsIdentity, error)

AuthenticateRequest autheticates received request from connector service.

The Bearer token is validated for the correct issuer, audience, serviceURL expiry and the signature is verified using the public JWK fetched from BotFramework API.

type SimpleCredentialProvider ¶

type SimpleCredentialProvider struct {
	AppID    string
	Password string
}

SimpleCredentialProvider can be used for authentication to the connector service using AppID and Password.

func (SimpleCredentialProvider) GetAppID ¶

func (sp SimpleCredentialProvider) GetAppID() string

GetAppID returns the AppID of the credential.

func (SimpleCredentialProvider) GetAppPassword ¶

func (sp SimpleCredentialProvider) GetAppPassword() string

GetAppPassword returns the Password of the credential.

func (SimpleCredentialProvider) IsAuthenticationDisabled ¶

func (sp SimpleCredentialProvider) IsAuthenticationDisabled() bool

IsAuthenticationDisabled checks if no authentication is to be performed.

func (SimpleCredentialProvider) IsValidAppID ¶

func (sp SimpleCredentialProvider) IsValidAppID(appID string) bool

IsValidAppID returns if the specified appID is valid.

type TokenValidator ¶

type TokenValidator interface {
	AuthenticateRequest(ctx context.Context, activity schema.Activity, authHeader string, credentials CredentialProvider, channelService string) (ClaimsIdentity, error)
}

TokenValidator provides functionanlity to authenticate a request from the connector service.

func NewJwtTokenValidator ¶

func NewJwtTokenValidator() TokenValidator

NewJwtTokenValidator returns a new TokenValidator value with an empty cache

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL