Documentation
Index
- Constants
- func TrustedHost(host string) bool
- type AuthParams
- type AuthenticationScheme
- type AuthorizeType
- type BearerAuthenticationScheme
- type Client
- func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (InstanceDiscoveryResponse, error)
- func (c Client) GetTenantDiscoveryResponse(ctx context.Context, openIDConfigurationEndpoint string) (TenantDiscoveryResponse, error)
- func (c Client) UserRealm(ctx context.Context, authParams AuthParams) (UserRealm, error)
- type ClientCapabilities
- type Endpoints
- type Info
- type InstanceDiscoveryMetadata
- type InstanceDiscoveryResponse
- type OAuthResponseBase
- type TenantDiscoveryResponse
- type UserRealm
- type UserRealmAccountType
Constants
const (
	AAD  = "MSSTS"
	ADFS = "ADFS"
	DSTS = "DSTS"
)
These are all authority types.
const (
	AccessTokenTypeBearer = "Bearer"
)
const DSTSTenant = "7a433bfc-2514-4697-b467-e0933190487f"
DSTSTenant is referenced in multiple files, so it is defined once as a constant in case it ever needs to change.
Variables
This section is empty.
Functions
func TrustedHost
func TrustedHost(host string) bool
TrustedHost reports whether host is a known, trusted AAD login host. A host that is neither trusted nor listed in AuthParams.KnownAuthorityHosts must be confirmed through instance discovery before its endpoints are used.
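An added example (not the library's code) of where a trusted-host check sits in authority handling: an authority URL taken from configuration is parsed, its host is compared exactly against a constructed allow-list standing in for TrustedHost, then against the caller's KnownAuthorityHosts, and anything else must go through instance discovery before its endpoints are used. The allow-list contents and the policy for the ValidateAuthority / InstanceDiscoveryDisabled combination are this example's own assumptions, not the package's.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// trustedHosts is a constructed stand-in for the allow-list consulted by
// TrustedHost; the library's actual list is not reproduced on this page.
var trustedHosts = map[string]struct{}{
	"login.microsoftonline.com": {},
	"login.windows.net":         {},
}

// DiscoveryDecision says whether an authority's endpoints may be used
// directly or must first be confirmed via AAD instance discovery.
type DiscoveryDecision int

const (
	RequireDiscovery DiscoveryDecision = iota
	SkipDiscovery
)

func (d DiscoveryDecision) String() string {
	if d == SkipDiscovery {
		return "skip discovery"
	}
	return "require discovery"
}

// trustedHost mirrors the shape of the package's TrustedHost: a case-insensitive
// exact match against the allow-list, never a suffix or substring match, so
// "login.microsoftonline.com.attacker.example" is not trusted.
func trustedHost(host string) bool {
	_, ok := trustedHosts[strings.ToLower(host)]
	return ok
}

// planAuthority decides how an authority URL may be used. The policy is this
// example's own, built from the fields documented on this page (TrustedHost,
// KnownAuthorityHosts, ValidateAuthority, InstanceDiscoveryDisabled).
func planAuthority(authority string, validate, discoveryDisabled bool, knownHosts []string) (DiscoveryDecision, error) {
	u, err := url.Parse(authority)
	if err != nil {
		return RequireDiscovery, err
	}
	if u.Scheme != "https" {
		return RequireDiscovery, errors.New("authority must use https")
	}
	host := u.Hostname()
	if host == "" {
		return RequireDiscovery, errors.New("authority has no host")
	}
	if trustedHost(host) {
		return SkipDiscovery, nil
	}
	for _, k := range knownHosts {
		if strings.EqualFold(k, host) {
			return SkipDiscovery, nil // declared trusted by the user
		}
	}
	if discoveryDisabled {
		if validate {
			return RequireDiscovery, fmt.Errorf("cannot validate unknown authority host %q with instance discovery disabled", host)
		}
		return SkipDiscovery, nil // caller accepted the risk explicitly
	}
	return RequireDiscovery, nil
}

func main() {
	for _, a := range []string{
		"https://login.microsoftonline.com/contoso.onmicrosoft.com",
		"https://login.microsoftonline.com.attacker.example/common",
	} {
		d, err := planAuthority(a, true, false, nil)
		fmt.Printf("%s -> %v (err=%v)\n", a, d, err)
	}
}
```

Exact, case-insensitive matching is the point: a suffix or substring match would let login.microsoftonline.com.attacker.example pass, and a client that then posts a client secret or a username/password request to that host has handed its credential to the attacker.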
Types
type AuthParams
type AuthParams struct {
	AuthorityInfo Info
	CorrelationID string
	Endpoints     Endpoints
	ClientID      string
	// Redirecturi is used for auth flows that specify a redirect URI (e.g. local server for interactive auth flow).
	Redirecturi   string
	HomeAccountID string
	// Username is the user-name portion for username/password auth flow.
	Username string
	// Password is the password portion for username/password auth flow.
	Password string
	// Scopes is the list of scopes the user consents to.
	Scopes []string
	// AuthorizationType specifies the auth flow being used.
	AuthorizationType AuthorizeType
	// State is a random value used to prevent cross-site request forgery attacks.
	State string
	// CodeChallenge is derived from a code verifier and is sent in the auth request.
	CodeChallenge string
	// CodeChallengeMethod describes the method used to create the CodeChallenge.
	CodeChallengeMethod string
	// Prompt specifies the user prompt type during interactive auth.
	Prompt string
	// IsConfidentialClient specifies if it is a confidential client.
	IsConfidentialClient bool
	// SendX5C specifies if the x5c claim (public key of the certificate) should be sent to STS.
	SendX5C bool
	// UserAssertion is the access token used to acquire a token on behalf of the user.
	UserAssertion string
	// Capabilities the client will include with each token request, for example "CP1".
	// Call [NewClientCapabilities] to construct a value for this field.
	Capabilities ClientCapabilities
	// Claims required for an access token to satisfy a conditional access policy.
	Claims string
	// KnownAuthorityHosts don't require metadata discovery because they're known to the user.
	KnownAuthorityHosts []string
	// LoginHint is a username with which to pre-populate account selection during interactive auth.
	LoginHint string
	// DomainHint is a directive that can be used to accelerate the user to their federated IdP sign-in page.
	DomainHint string
	// AuthnScheme is an optional scheme for formatting access tokens.
	AuthnScheme AuthenticationScheme
}
AuthParams represents the parameters used for authorization for token acquisition.
func NewAuthParams
func NewAuthParams(clientID string, authorityInfo Info) AuthParams
NewAuthParams creates an authorization parameters object.
func (*AuthParams) AppKey
func (a *AuthParams) AppKey() string
func (*AuthParams) AssertionHash added in v0.4.0
func (a *AuthParams) AssertionHash() string
func (*AuthParams) CacheKey
func (a *AuthParams) CacheKey(isAppCache bool) string
func (AuthParams) MergeCapabilitiesAndClaims added in v0.8.0
func (p AuthParams) MergeCapabilitiesAndClaims() (string, error)
MergeCapabilitiesAndClaims combines client capabilities and challenge claims into a value suitable for an authentication request's "claims" parameter.
func (AuthParams) WithTenant added in v0.8.0
func (p AuthParams) WithTenant(ID string) (AuthParams, error)
WithTenant returns a copy of the AuthParams having the specified tenant ID. If the given ID is empty, the copy is identical to the original. This function returns an error in several cases:
- ID isn't specific (for example, it's "common")
- ID is non-empty and the authority doesn't support tenants (for example, it's an ADFS authority)
- the client is configured to authenticate only Microsoft accounts via the "consumers" endpoint
- the resulting authority URL is invalid
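The rules above as a function over a raw authority URL, added here as example code rather than the package's implementation (which operates on AuthParams). It assumes "organizations" and "consumers" are non-specific in the same way "common" is, and that a tenant ID containing URL-structural characters is what makes the resulting authority URL invalid.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Authority types, named as on this page.
const (
	AAD  = "MSSTS"
	ADFS = "ADFS"
)

// withTenant applies the documented WithTenant rules to an authority URL and
// returns the URL with its tenant segment replaced.
func withTenant(authority, authorityType, id string) (string, error) {
	if id == "" {
		return authority, nil // empty ID: result is identical to the input
	}
	switch strings.ToLower(id) {
	case "common", "organizations", "consumers": // treated here as non-specific
		return "", fmt.Errorf("tenant ID must identify one tenant, not %q", id)
	}
	if authorityType != AAD {
		return "", fmt.Errorf("authority type %q does not support tenants", authorityType)
	}
	// Characters that would alter the URL's structure make the result invalid.
	if strings.ContainsAny(id, "/?#\\ ") {
		return "", fmt.Errorf("tenant ID %q would produce an invalid authority URL", id)
	}
	u, err := url.Parse(authority)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", errors.New("authority must be an absolute https URL")
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if segs[0] == "" {
		return "", errors.New("authority URL has no tenant segment")
	}
	if strings.EqualFold(segs[0], "consumers") {
		return "", errors.New("authority is restricted to Microsoft accounts (consumers); the tenant cannot be overridden")
	}
	segs[0] = id
	u.Path = "/" + strings.Join(segs, "/")
	return u.String(), nil
}

func main() {
	for _, id := range []string{"", "contoso.onmicrosoft.com", "common"} {
		got, err := withTenant("https://login.microsoftonline.com/common", AAD, id)
		fmt.Printf("%q -> %q (err=%v)\n", id, got, err)
	}
}
```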
type AuthenticationScheme added in v1.2.0
type AuthenticationScheme interface {
	// Extra parameters that are added to the request to the /token endpoint.
	TokenRequestParams() map[string]string
	// Key ID of the public / private key pair used by the encryption algorithm, if any.
	// Tokens obtained by authentication schemes that use this are bound to the KeyId, i.e.
	// if a different kid is presented, the access token cannot be used.
	KeyID() string
	// Creates the access token that goes into an Authorization HTTP header.
	FormatAccessToken(accessToken string) (string, error)
	// Expected to match the token_type parameter returned by ESTS. Used to disambiguate
	// between ATs of different types (e.g. Bearer and PoP) when loading from cache etc.
	AccessTokenType() string
}
AuthenticationScheme is an extensibility mechanism designed to be used only by Azure Arc for proof of possession access tokens.
type AuthorizeType
type AuthorizeType int
AuthorizeType represents the type of token flow.
const (
	ATUnknown AuthorizeType = iota
	ATUsernamePassword
	ATWindowsIntegrated
	ATAuthCode
	ATInteractive
	ATClientCredentials
	ATDeviceCode
	ATRefreshToken
	AccountByID
	ATOnBehalfOf
)
These are all the types of token flows.
func (AuthorizeType) String
func (i AuthorizeType) String() string
type BearerAuthenticationScheme added in v1.2.0
type BearerAuthenticationScheme struct{}
BearerAuthenticationScheme is the default authentication scheme, realizing AuthenticationScheme for "Bearer" tokens.
func (*BearerAuthenticationScheme) AccessTokenType added in v1.2.0
func (ba *BearerAuthenticationScheme) AccessTokenType() string
func (*BearerAuthenticationScheme) FormatAccessToken added in v1.2.0
func (ba *BearerAuthenticationScheme) FormatAccessToken(accessToken string) (string, error)
func (*BearerAuthenticationScheme) KeyID added in v1.2.0
func (ba *BearerAuthenticationScheme) KeyID() string
func (*BearerAuthenticationScheme) TokenRequestParams added in v1.2.0
func (ba *BearerAuthenticationScheme) TokenRequestParams() map[string]string
type Client
type Client struct {
	// Comm provides the HTTP transport client.
	Comm jsonCaller // *comm.Client
}
Client represents the REST calls to authority backends.
func (Client) AADInstanceDiscovery
func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (InstanceDiscoveryResponse, error)
AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint). This is done by AAD, which allows for aliasing of authority hosts (for example, sts.windows.net is an alias of login.windows.net).
func (Client) GetTenantDiscoveryResponse
func (c Client) GetTenantDiscoveryResponse(ctx context.Context, openIDConfigurationEndpoint string) (TenantDiscoveryResponse, error)
func (Client) UserRealm
func (c Client) UserRealm(ctx context.Context, authParams AuthParams) (UserRealm, error)
type ClientCapabilities added in v0.8.0
type ClientCapabilities struct {
	// contains filtered or unexported fields
}
ClientCapabilities stores capabilities in the formats used by AuthParams.MergeCapabilitiesAndClaims. NewClientCapabilities precomputes these representations because capabilities are static for the lifetime of a client and are included with every authentication request; the computation always has the same result and would otherwise be repeated for every request.
func NewClientCapabilities added in v0.8.0
func NewClientCapabilities(capabilities []string) (ClientCapabilities, error)
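An added example (not the package's code) of the precomputation described above and of the merge that MergeCapabilitiesAndClaims performs. It assumes the capabilities belong under access_token.xms_cc.values in the claims JSON, which this page does not state, and merges a constructed claims challenge into a copy of that object so a conditional-access requirement is never dropped and the precomputed map is never mutated.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ClientCapabilities holds the capabilities already in the JSON shape a claims
// request uses, computed once because they are static for the client's lifetime.
type ClientCapabilities struct {
	asMap map[string]any // nil when the client declares no capabilities
}

// NewClientCapabilities nests the capability list under
// access_token.xms_cc.values. That path is an assumption about the Microsoft
// identity platform claims format; this page does not state it.
func NewClientCapabilities(capabilities []string) (ClientCapabilities, error) {
	if len(capabilities) == 0 {
		return ClientCapabilities{}, nil
	}
	values := make([]any, 0, len(capabilities))
	for _, c := range capabilities {
		if c == "" {
			return ClientCapabilities{}, errors.New("capability must not be empty")
		}
		values = append(values, c)
	}
	return ClientCapabilities{asMap: map[string]any{
		"access_token": map[string]any{
			"xms_cc": map[string]any{"values": values},
		},
	}}, nil
}

// MergeCapabilitiesAndClaims combines a claims challenge (for example the
// claims from a resource's 401 response) with the client's capabilities into a
// single JSON object for the request's "claims" parameter. The challenge is
// merged into a copy of the capabilities, with the challenge winning on any
// conflicting leaf.
func MergeCapabilitiesAndClaims(caps ClientCapabilities, claims string) (string, error) {
	if caps.asMap == nil {
		return claims, nil // nothing to merge; pass the challenge through untouched
	}
	merged := deepCopy(caps.asMap)
	if claims != "" {
		var challenge map[string]any
		if err := json.Unmarshal([]byte(claims), &challenge); err != nil {
			return "", fmt.Errorf("claims is not a JSON object: %w", err)
		}
		deepMerge(merged, challenge)
	}
	b, err := json.Marshal(merged)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// deepMerge copies src into dst, recursing into objects present on both sides
// and letting src overwrite scalar or mismatched values.
func deepMerge(dst, src map[string]any) {
	for k, v := range src {
		if sv, ok := v.(map[string]any); ok {
			if dv, ok := dst[k].(map[string]any); ok {
				deepMerge(dv, sv)
				continue
			}
		}
		dst[k] = v
	}
}

// deepCopy clones nested objects so the cached capability map is never mutated.
func deepCopy(m map[string]any) map[string]any {
	out := make(map[string]any, len(m))
	for k, v := range m {
		if sub, ok := v.(map[string]any); ok {
			out[k] = deepCopy(sub)
		} else {
			out[k] = v
		}
	}
	return out
}

func main() {
	caps, _ := NewClientCapabilities([]string{"CP1"})
	out, err := MergeCapabilitiesAndClaims(caps, `{"access_token":{"nbf":{"essential":true}}}`)
	fmt.Println(out, err)
}
```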
type Endpoints
type Endpoints struct {
	AuthorizationEndpoint string
	TokenEndpoint         string
	// contains filtered or unexported fields
}
Endpoints consists of the endpoints from the tenant discovery response.
type Info
type Info struct {
	Host                      string
	CanonicalAuthorityURI     string
	AuthorityType             string
	ValidateAuthority         bool
	Tenant                    string
	Region                    string
	InstanceDiscoveryDisabled bool
}
Info consists of information about the authority.
type InstanceDiscoveryResponse
type InstanceDiscoveryResponse struct {
	TenantDiscoveryEndpoint string                      `json:"tenant_discovery_endpoint"`
	Metadata                []InstanceDiscoveryMetadata `json:"metadata"`
	AdditionalFields        map[string]interface{}
}
type OAuthResponseBase
type OAuthResponseBase struct {
	Error            string `json:"error"`
	SubError         string `json:"suberror"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	CorrelationID    string `json:"correlation_id"`
	Claims           string `json:"claims"`
}
OAuthResponseBase is the base JSON return message for an OAuth call. This is embedded in other calls to get the base fields from every response.
type TenantDiscoveryResponse
type TenantDiscoveryResponse struct {
	OAuthResponseBase
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	Issuer                string `json:"issuer"`
	AdditionalFields      map[string]interface{}
}
TenantDiscoveryResponse is the tenant endpoints from the OpenID configuration endpoint.
func (*TenantDiscoveryResponse) Validate
func (r *TenantDiscoveryResponse) Validate() error
Validate validates that the response had the correct values required.
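An added example (not the package's code) of parsing and validating a constructed OpenID configuration document with the types above. Validate here follows the documented intent (an OAuth error body or a missing endpoint fails the response); ValidateForHosts is an extra check this example adds, requiring every endpoint to be an https URL on a host the caller already trusts, such as the authority host and the aliases returned by instance discovery. AdditionalFields is omitted because the example does not collect unknown JSON fields.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Response types as declared on this page, minus AdditionalFields.
type OAuthResponseBase struct {
	Error            string `json:"error"`
	SubError         string `json:"suberror"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	CorrelationID    string `json:"correlation_id"`
	Claims           string `json:"claims"`
}

type TenantDiscoveryResponse struct {
	OAuthResponseBase
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	Issuer                string `json:"issuer"`
}

// parseTenantDiscovery decodes an OpenID configuration document.
func parseTenantDiscovery(body []byte) (TenantDiscoveryResponse, error) {
	var r TenantDiscoveryResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return TenantDiscoveryResponse{}, err
	}
	return r, nil
}

// Validate is this example's version of the documented method: an OAuth error
// body or a missing endpoint makes the response unusable.
func (r *TenantDiscoveryResponse) Validate() error {
	if r.Error != "" {
		return fmt.Errorf("tenant discovery failed: %s: %s", r.Error, r.ErrorDescription)
	}
	if r.AuthorizationEndpoint == "" {
		return errors.New("tenant discovery response has no authorization_endpoint")
	}
	if r.TokenEndpoint == "" {
		return errors.New("tenant discovery response has no token_endpoint")
	}
	return nil
}

// ValidateForHosts is an additional check not described on this page: every
// endpoint (and the issuer, when present) must be an https URL on one of the
// hosts the caller already trusts, so a tampered or mis-served document
// cannot steer authorization codes or client credentials to another host.
func (r *TenantDiscoveryResponse) ValidateForHosts(allowedHosts []string) error {
	if err := r.Validate(); err != nil {
		return err
	}
	endpoints := map[string]string{
		"authorization_endpoint": r.AuthorizationEndpoint,
		"token_endpoint":         r.TokenEndpoint,
		"issuer":                 r.Issuer,
	}
	for name, ep := range endpoints {
		if ep == "" {
			continue // only the issuer may be absent after Validate
		}
		u, err := url.Parse(ep)
		if err != nil || u.Scheme != "https" || u.Hostname() == "" {
			return fmt.Errorf("%s %q is not an https URL", name, ep)
		}
		if !hostAllowed(u.Hostname(), allowedHosts) {
			return fmt.Errorf("%s host %q is not among the trusted hosts", name, u.Hostname())
		}
	}
	return nil
}

func hostAllowed(host string, allowed []string) bool {
	for _, a := range allowed {
		if strings.EqualFold(a, host) {
			return true
		}
	}
	return false
}

func main() {
	r, _ := parseTenantDiscovery([]byte(`{"authorization_endpoint":"https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize","token_endpoint":"http://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token"}`))
	fmt.Println(r.ValidateForHosts([]string{"login.microsoftonline.com"}))
}
```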
type UserRealm
type UserRealm struct {
	AccountType       UserRealmAccountType `json:"account_type"`
	DomainName        string               `json:"domain_name"`
	CloudInstanceName string               `json:"cloud_instance_name"`
	CloudAudienceURN  string               `json:"cloud_audience_urn"`
	// required if accountType is Federated
	FederationProtocol    string `json:"federation_protocol"`
	FederationMetadataURL string `json:"federation_metadata_url"`
	AdditionalFields      map[string]interface{}
}
UserRealm is used by the username/password flow to determine the user's account type (managed or federated) before credentials are sent.
type UserRealmAccountType
type UserRealmAccountType string
UserRealmAccountType refers to the type of user realm.
const (
	Unknown   UserRealmAccountType = ""
	Federated UserRealmAccountType = "Federated"
	Managed   UserRealmAccountType = "Managed"
)
These are the different types of user realms.