Constants ¶
const ( CodeChallengeMethodPlain = "plain" CodeChallengeMethodS256 = "S256" )
Variables ¶
var ( // ErrNotImplemented is returned when a provider did not override a default // implementation method that doesn't have sensible defaults ErrNotImplemented = errors.New("not implemented") // ErrMissingCode is returned when a Redeem method is called with an empty // code ErrMissingCode = errors.New("missing code") // ErrMissingIDToken is returned when an oidc.Token does not contain the // extra `id_token` field for an IDToken. ErrMissingIDToken = errors.New("missing id_token") // ErrMissingOIDCVerifier is returned when a provider didn't set `Verifier` // but an attempt to call `Verifier.Verify` was about to be made. ErrMissingOIDCVerifier = errors.New("oidc verifier is not configured") )
Functions ¶
This section is empty.
Types ¶
type ADFSProvider ¶
type ADFSProvider struct { *OIDCProvider // contains filtered or unexported fields }
ADFSProvider represents an ADFS based Identity Provider
func NewADFSProvider ¶
func NewADFSProvider(p *ProviderData, opts options.ADFSOptions) *ADFSProvider
NewADFSProvider creates a new ADFSProvider
func (*ADFSProvider) EnrichSession ¶
func (p *ADFSProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession calls the OIDC ProfileURL to backfill any fields missing from the claims. If Email is missing, it falls back to the ADFS `upn` claim.
func (*ADFSProvider) GetLoginURL ¶
func (p *ADFSProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string
GetLoginURL overrides the default implementation to double-encode the state parameter; if it is not double-encoded, the query params are lost. More info here: https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-saml2-settings
func (*ADFSProvider) RefreshSession ¶
func (p *ADFSProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
RefreshSession refreshes via the OIDC implementation. If email is missing, it falls back to the ADFS `upn` claim.
type AzureProvider ¶
type AzureProvider struct { *ProviderData Tenant string GraphGroupField string // contains filtered or unexported fields }
AzureProvider represents an Azure based Identity Provider
func NewAzureProvider ¶
func NewAzureProvider(p *ProviderData, opts options.AzureOptions) *AzureProvider
NewAzureProvider creates a new AzureProvider
func (*AzureProvider) EnrichSession ¶
func (p *AzureProvider) EnrichSession(ctx context.Context, session *sessions.SessionState) error
EnrichSession enriches the session state with userID, mail and groups
func (*AzureProvider) GetLoginURL ¶
func (p *AzureProvider) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string
func (*AzureProvider) Redeem ¶
func (p *AzureProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)
Redeem exchanges the OAuth2 authorization code for an ID token
func (*AzureProvider) RefreshSession ¶
func (p *AzureProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
RefreshSession uses the RefreshToken to fetch new Access and ID Tokens
func (*AzureProvider) ValidateSession ¶
func (p *AzureProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type BitbucketProvider ¶
type BitbucketProvider struct { *ProviderData Team string Repository string }
BitbucketProvider represents a Bitbucket-based Identity Provider
func NewBitbucketProvider ¶
func NewBitbucketProvider(p *ProviderData, opts options.BitbucketOptions) *BitbucketProvider
NewBitbucketProvider creates a new BitbucketProvider
func (*BitbucketProvider) GetEmailAddress ¶
func (p *BitbucketProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
GetEmailAddress returns the email of the authenticated user
type DigitalOceanProvider ¶
type DigitalOceanProvider struct {
*ProviderData
}
DigitalOceanProvider represents a DigitalOcean based Identity Provider
func NewDigitalOceanProvider ¶
func NewDigitalOceanProvider(p *ProviderData) *DigitalOceanProvider
NewDigitalOceanProvider creates a new DigitalOceanProvider
func (*DigitalOceanProvider) GetEmailAddress ¶
func (p *DigitalOceanProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
GetEmailAddress returns the Account email address
func (*DigitalOceanProvider) ValidateSession ¶
func (p *DigitalOceanProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type FacebookProvider ¶
type FacebookProvider struct {
*ProviderData
}
FacebookProvider represents a Facebook-based Identity Provider
func NewFacebookProvider ¶
func NewFacebookProvider(p *ProviderData) *FacebookProvider
NewFacebookProvider creates a new FacebookProvider
func (*FacebookProvider) GetEmailAddress ¶
func (p *FacebookProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
GetEmailAddress returns the Account email address
func (*FacebookProvider) ValidateSession ¶
func (p *FacebookProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type GitHubProvider ¶
type GitHubProvider struct { *ProviderData Org string Team string Repo string Token string Users []string }
GitHubProvider represents a GitHub-based Identity Provider
func NewGitHubProvider ¶
func NewGitHubProvider(p *ProviderData, opts options.GitHubOptions) *GitHubProvider
NewGitHubProvider creates a new GitHubProvider
func (*GitHubProvider) EnrichSession ¶
func (p *GitHubProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession updates the User & Email after the initial Redeem
func (*GitHubProvider) ValidateSession ¶
func (p *GitHubProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type GitLabProvider ¶
type GitLabProvider struct { *OIDCProvider // contains filtered or unexported fields }
GitLabProvider represents a GitLab based Identity Provider
func NewGitLabProvider ¶
func NewGitLabProvider(p *ProviderData, opts options.GitLabOptions) (*GitLabProvider, error)
NewGitLabProvider creates a new GitLabProvider
func (*GitLabProvider) EnrichSession ¶
func (p *GitLabProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession enriches the session with the response from the userinfo API endpoint & projects API endpoint for allowed projects.
func (*GitLabProvider) RefreshSession ¶
func (p *GitLabProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
RefreshSession refreshes the session with the OIDCProvider implementation but preserves the custom GitLab projects added in the `EnrichSession` stage.
type GoogleProvider ¶
type GoogleProvider struct { *ProviderData RedeemRefreshURL *url.URL // contains filtered or unexported fields }
GoogleProvider represents a Google-based Identity Provider
func NewGoogleProvider ¶
func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProvider, error)
NewGoogleProvider creates a new GoogleProvider
func (*GoogleProvider) EnrichSession ¶
func (p *GoogleProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error
EnrichSession checks the listed Google Groups configured and adds any that the user is a member of to session.Groups.
func (*GoogleProvider) Redeem ¶
func (p *GoogleProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)
Redeem exchanges the OAuth2 authorization code for an ID token
func (*GoogleProvider) RefreshSession ¶
func (p *GoogleProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
RefreshSession uses the RefreshToken to fetch new Access and ID Tokens
type KeycloakOIDCProvider ¶
type KeycloakOIDCProvider struct {
*OIDCProvider
}
KeycloakOIDCProvider creates a Keycloak provider based on OIDCProvider
func NewKeycloakOIDCProvider ¶
func NewKeycloakOIDCProvider(p *ProviderData, opts options.KeycloakOptions) *KeycloakOIDCProvider
NewKeycloakOIDCProvider makes a KeycloakOIDCProvider using the ProviderData
func (*KeycloakOIDCProvider) CreateSessionFromToken ¶
func (p *KeycloakOIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)
CreateSessionFromToken converts Bearer IDTokens into sessions
func (*KeycloakOIDCProvider) EnrichSession ¶
func (p *KeycloakOIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.
func (*KeycloakOIDCProvider) RefreshSession ¶
func (p *KeycloakOIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
RefreshSession adds role extraction logic to the refresh flow
type KeycloakProvider ¶
type KeycloakProvider struct {
*ProviderData
}
func NewKeycloakProvider ¶
func NewKeycloakProvider(p *ProviderData, opts options.KeycloakOptions) *KeycloakProvider
NewKeycloakProvider creates a KeycloakProvider using the passed ProviderData
func (*KeycloakProvider) EnrichSession ¶
func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession uses the Keycloak userinfo endpoint to populate the session's email and groups.
func (*KeycloakProvider) ValidateSession ¶
func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type LinkedInProvider ¶
type LinkedInProvider struct {
*ProviderData
}
LinkedInProvider represents a LinkedIn-based Identity Provider
func NewLinkedInProvider ¶
func NewLinkedInProvider(p *ProviderData) *LinkedInProvider
NewLinkedInProvider creates a new LinkedInProvider
func (*LinkedInProvider) GetEmailAddress ¶
func (p *LinkedInProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
GetEmailAddress returns the Account email address
func (*LinkedInProvider) ValidateSession ¶
func (p *LinkedInProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type LoginGovProvider ¶
type LoginGovProvider struct { *ProviderData // TODO (@timothy-spencer): Ideally, the nonce would be in the session state, but the session state // is created only upon code redemption, not during the auth, when this must be supplied. Nonce string JWTKey *rsa.PrivateKey PubJWKURL *url.URL }
LoginGovProvider represents an OIDC-based Identity Provider
func NewLoginGovProvider ¶
func NewLoginGovProvider(p *ProviderData, opts options.LoginGovOptions) (*LoginGovProvider, error)
NewLoginGovProvider creates a new LoginGovProvider
func (*LoginGovProvider) GetLoginURL ¶
func (p *LoginGovProvider) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string
GetLoginURL overrides GetLoginURL to add login.gov parameters
func (*LoginGovProvider) Redeem ¶
func (p *LoginGovProvider) Redeem(ctx context.Context, _, code, codeVerifier string) (*sessions.SessionState, error)
Redeem exchanges the OAuth2 authorization code for an ID token
func (*LoginGovProvider) ValidateSession ¶
func (p *LoginGovProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type NextcloudProvider ¶
type NextcloudProvider struct {
*ProviderData
}
NextcloudProvider represents a Nextcloud-based Identity Provider
func NewNextcloudProvider ¶
func NewNextcloudProvider(p *ProviderData) *NextcloudProvider
NewNextcloudProvider creates a new NextcloudProvider
func (*NextcloudProvider) EnrichSession ¶
func (p *NextcloudProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession uses the Nextcloud userinfo endpoint to populate the session's email, user, and groups.
func (*NextcloudProvider) ValidateSession ¶
func (p *NextcloudProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken
type OIDCProvider ¶
type OIDCProvider struct { *ProviderData SkipNonce bool }
OIDCProvider represents an OIDC-based Identity Provider
func NewOIDCProvider ¶
func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider
NewOIDCProvider creates a new OIDCProvider
func (*OIDCProvider) CreateSessionFromToken ¶
func (p *OIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)
CreateSessionFromToken converts Bearer IDTokens into sessions
func (*OIDCProvider) EnrichSession ¶
func (p *OIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error
EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.
func (*OIDCProvider) GetLoginURL ¶
func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string
GetLoginURL makes the LoginURL with optional nonce support
func (*OIDCProvider) Redeem ¶
func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)
Redeem exchanges the OAuth2 authorization code for an ID token
func (*OIDCProvider) RefreshSession ¶
func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error)
RefreshSession uses the RefreshToken to fetch new Access and ID Tokens
func (*OIDCProvider) ValidateSession ¶
func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession checks that the session's IDToken is still valid
type Provider ¶
type Provider interface { Data() *ProviderData GetLoginURL(redirectURI, finalRedirect, nonce string, extraParams url.Values) string Redeem(ctx context.Context, redirectURI, code, codeVerifier string) (*sessions.SessionState, error) // Deprecated: Migrate to EnrichSession GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) EnrichSession(ctx context.Context, s *sessions.SessionState) error Authorize(ctx context.Context, s *sessions.SessionState) (bool, error) ValidateSession(ctx context.Context, s *sessions.SessionState) bool RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error) }
Provider represents an upstream identity provider implementation
type ProviderData ¶
type ProviderData struct { ProviderName string LoginURL *url.URL RedeemURL *url.URL ProfileURL *url.URL ProtectedResource *url.URL ValidateURL *url.URL ValidateURLspecial *url.URL ClientID string ClientSecret string ClientSecretFile string Scope string // The picked CodeChallenge Method or empty if none. CodeChallengeMethod string // Code challenge methods supported by the Provider SupportedCodeChallengeMethods []string `json:"code_challenge_methods_supported,omitempty"` // Common OIDC options for any OIDC-based providers to consume AllowUnverifiedEmail bool UserClaim string EmailClaim string GroupsClaim string Verifier internaloidc.IDTokenVerifier // Universal Group authorization data structure // any provider can set to consume AllowedGroups map[string]struct{} // contains filtered or unexported fields }
ProviderData contains information required to configure all implementations of OAuth2 providers
func (*ProviderData) Authorize ¶
func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error)
Authorize performs global authorization on an authenticated session. This is not used for fine-grained per-route authorization rules.
func (*ProviderData) CreateSessionFromToken ¶
func (p *ProviderData) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error)
CreateSessionFromToken converts Bearer IDTokens into sessions
func (*ProviderData) Data ¶
func (p *ProviderData) Data() *ProviderData
Data returns the ProviderData
func (*ProviderData) EnrichSession ¶
func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState) error
EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.
func (*ProviderData) GetClientSecret ¶
func (p *ProviderData) GetClientSecret() (clientSecret string, err error)
func (*ProviderData) GetEmailAddress ¶
func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error)
GetEmailAddress returns the Account email address. Deprecated: Migrate to EnrichSession.
func (*ProviderData) GetLoginURL ¶
func (p *ProviderData) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string
GetLoginURL builds the login URL with the typical OAuth parameters. codeChallenge and codeChallengeMethod are the PKCE challenge and method to append to the URL params; they will be empty strings if no code challenge should be presented.
func (*ProviderData) GetTokenValidateURL ¶
func (p *ProviderData) GetTokenValidateURL() *url.URL
func (*ProviderData) LoginURLParams ¶
func (p *ProviderData) LoginURLParams(overrides url.Values) url.Values
LoginURLParams returns the parameter values that should be passed to the IdP login URL. This is the default set of parameters configured for this provider, optionally overridden by the given overrides (typically from the URL of the /oauth2/start request) according to the configured rules for this provider.
func (*ProviderData) Redeem ¶
func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error)
Redeem provides a default implementation of the OAuth2 token redemption process. The codeVerifier is set if a code_verifier parameter should be sent for PKCE.
func (*ProviderData) RefreshSession ¶
func (p *ProviderData) RefreshSession(_ context.Context, _ *sessions.SessionState) (bool, error)
RefreshSession refreshes the user's session
func (*ProviderData) ValidateSession ¶
func (p *ProviderData) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the AccessToken