Documentation ¶
Overview ¶
Package authkit provides high-level helpers and basic objects for authN/authZ.
Index ¶
- Constants
- Variables
- func GetBearerTokenFromContext(ctx context.Context) string
- func GetBearerTokenFromRequest(r *http.Request) string
- func GetJWTClaimsFromContext(ctx context.Context) jwt.Claims
- func JWTAuthMiddleware(errorDomain string, jwtParser JWTParser, opts ...JWTAuthMiddlewareOption) func(next http.Handler) http.Handler
- func NewContextWithBearerToken(ctx context.Context, token string) context.Context
- func NewContextWithJWTClaims(ctx context.Context, jwtClaims jwt.Claims) context.Context
- func NewTokenIntrospector(cfg *Config, tokenProvider idptoken.IntrospectionTokenProvider, ...) (*idptoken.Introspector, error)
- func NewVerifyAccessByRolesInJWT(roles ...Role) func(r *http.Request, claims jwt.Claims) bool
- func NewVerifyAccessByRolesInJWTMaker(namespace string) func(roleNames ...string) func(r *http.Request, claims jwt.Claims) bool
- func SetDefaultLogger(logger log.FieldLogger)
- type CachingJWTParser
- type ClaimsCacheConfig
- type Config
- type GRPCClientConfig
- type GRPCTLSConfig
- type HTTPClientConfig
- type IntrospectionCacheConfig
- type IntrospectionConfig
- type IntrospectionGRPCConfig
- type JWKSConfig
- type JWTAuthMiddlewareOption
- func WithJWTAuthMiddlewareLoggerProvider(loggerProvider func(ctx context.Context) log.FieldLogger) JWTAuthMiddlewareOption
- func WithJWTAuthMiddlewarePrometheusLibInstanceLabel(label string) JWTAuthMiddlewareOption
- func WithJWTAuthMiddlewareTokenIntrospector(tokenIntrospector TokenIntrospector) JWTAuthMiddlewareOption
- func WithJWTAuthMiddlewareVerifyAccess(verifyAccess func(r *http.Request, claims jwt.Claims) bool) JWTAuthMiddlewareOption
- type JWTConfig
- type JWTParser
- type JWTParserOption
- func WithJWTParserClaimsTemplate(claimsTemplate jwt.Claims) JWTParserOption
- func WithJWTParserLoggerProvider(loggerProvider func(ctx context.Context) log.FieldLogger) JWTParserOption
- func WithJWTParserPrometheusLibInstanceLabel(label string) JWTParserOption
- func WithJWTParserScopeFilter(scopeFilter jwt.ScopeFilter) JWTParserOption
- func WithJWTParserTrustedIssuerNotFoundFallback(fallback jwt.TrustedIssNotFoundFallback) JWTParserOption
- type Role
- type TokenIntrospector
- type TokenIntrospectorOption
- func WithTokenIntrospectorLoggerProvider(loggerProvider func(ctx context.Context) log.FieldLogger) TokenIntrospectorOption
- func WithTokenIntrospectorPrometheusLibInstanceLabel(label string) TokenIntrospectorOption
- func WithTokenIntrospectorResultTemplate(resultTemplate idptoken.IntrospectionResult) TokenIntrospectorOption
- func WithTokenIntrospectorTrustedIssuerNotFoundFallback(fallback idptoken.TrustedIssNotFoundFallback) TokenIntrospectorOption
Constants ¶
const HeaderAuthorization = "Authorization"
HeaderAuthorization is the name of the HTTP header whose value is used for authentication and authorization.
Variables ¶
var (
	ErrCodeBearerTokenMissing   = "bearerTokenMissing"
	ErrCodeAuthenticationFailed = "authenticationFailed"
	ErrCodeAuthorizationFailed  = "authorizationFailed"
)
Authentication and authorization error codes. We are using "var" here because some services may want to use different error codes.
var (
	ErrMessageBearerTokenMissing   = "Authorization bearer token is missing."
	ErrMessageAuthenticationFailed = "Authentication is failed."
	ErrMessageAuthorizationFailed  = "Authorization is failed."
)
Authentication error messages. We are using "var" here because some services may want to use different error messages.
Functions ¶
func GetBearerTokenFromContext ¶
GetBearerTokenFromContext extracts the bearer token from the context.
func GetBearerTokenFromRequest ¶
GetBearerTokenFromRequest extracts the JWT bearer token from the request's Authorization header.
func GetJWTClaimsFromContext ¶
GetJWTClaimsFromContext extracts JWT claims from the context.
func JWTAuthMiddleware ¶
func JWTAuthMiddleware(errorDomain string, jwtParser JWTParser, opts ...JWTAuthMiddlewareOption) func(next http.Handler) http.Handler
JWTAuthMiddleware is a middleware that authenticates the incoming request using the access token from its "Authorization" HTTP header. errorDomain is used in error responses; it is usually the name of the service that uses the middleware, and its purpose is to distinguish errors coming from different services, so that it is clear where an error occurred and which service produced it. For example, if the "Authorization" HTTP header is missing, the middleware returns 401 with the following response body:
{"error": {"domain": "MyService", "code": "bearerTokenMissing", "message": "Authorization bearer token is missing."}}
func NewContextWithBearerToken ¶
NewContextWithBearerToken creates a new context with token.
func NewContextWithJWTClaims ¶
NewContextWithJWTClaims creates a new context with JWT claims.
func NewTokenIntrospector ¶
func NewTokenIntrospector(
	cfg *Config,
	tokenProvider idptoken.IntrospectionTokenProvider,
	scopeFilter jwt.ScopeFilter,
	opts ...TokenIntrospectorOption,
) (*idptoken.Introspector, error)
NewTokenIntrospector creates a new TokenIntrospector with the given configuration, token provider and scope filter. If cfg.Introspection.ClaimsCache.Enabled or cfg.Introspection.NegativeCache.Enabled is true, an idptoken.CachingIntrospector is created; otherwise a plain idptoken.Introspector is created. Please note that the tokenProvider must be able to provide an access token that carries the policy required for introspection. scopeFilter is a list of filters that will be applied to the introspected token.
func NewVerifyAccessByRolesInJWT ¶
NewVerifyAccessByRolesInJWT creates a function that verifies access by checking for the given roles in the JWT scope.
func NewVerifyAccessByRolesInJWTMaker ¶
func NewVerifyAccessByRolesInJWTMaker(namespace string) func(roleNames ...string) func(r *http.Request, claims jwt.Claims) bool
NewVerifyAccessByRolesInJWTMaker creates a function that, given role names, builds an access-verification function which checks for those roles within the given namespace in the JWT scope.
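The following is an added, self-contained model of the behaviour documented for JWTAuthMiddleware (including the 401 response body shown above), GetBearerTokenFromRequest and NewVerifyAccessByRolesInJWTMaker. It is written for this page and is not code from the authkit package; it uses only the Go standard library so it runs without the package. Everything not on this page is an assumption and is labelled as such in the code: the shape of Claims and AccessPolicy, the Parse signature of JWTParser, any-of matching of role names, the 403 status for a failed access check, and the staticParser test double with its constructed tokens and the hypothetical "my_service" namespace.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HeaderAuthorization, the error codes and the error messages used below are the documented ones.
const HeaderAuthorization = "Authorization"

// AccessPolicy and Claims are assumed stand-ins for jwt.Claims: the scope is a list of (namespace, role) entries.
type AccessPolicy struct{ Namespace, Role string }

type Claims struct {
	Subject string
	Scope   []AccessPolicy
}
type claimsKey struct{} // context key under which the middleware stores the parsed claims for the next handler

// JWTParser models the documented interface; the Parse signature is an assumption.
type JWTParser interface {
	Parse(ctx context.Context, token string) (*Claims, error)
}

// GetBearerTokenFromRequest returns the token after the "Bearer" scheme, or "" for a missing header or another scheme.
func GetBearerTokenFromRequest(r *http.Request) string {
	scheme, token, ok := strings.Cut(r.Header.Get(HeaderAuthorization), " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return ""
	}
	return strings.TrimSpace(token)
}

// writeError emits the documented {"error": {"domain", "code", "message"}} body (Encode sorts the keys).
func writeError(w http.ResponseWriter, status int, domain, code, msg string) {
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]map[string]string{"error": {"domain": domain, "code": code, "message": msg}})
}

// NewVerifyAccessByRolesInJWTMaker grants access when the scope holds at least one of roleNames in the namespace (any-of assumed).
func NewVerifyAccessByRolesInJWTMaker(namespace string) func(roleNames ...string) func(*http.Request, *Claims) bool {
	return func(roleNames ...string) func(*http.Request, *Claims) bool {
		return func(_ *http.Request, claims *Claims) bool {
			for _, p := range claims.Scope {
				for _, role := range roleNames {
					if p.Namespace == namespace && p.Role == role {
						return true
					}
				}
			}
			return false
		}
	}
}

// JWTAuthMiddleware: missing or unparseable token -> 401, verifyAccess false -> 403 (assumed), else claims go into the context.
func JWTAuthMiddleware(errorDomain string, parser JWTParser, verifyAccess func(*http.Request, *Claims) bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if token := GetBearerTokenFromRequest(r); token == "" {
				writeError(w, http.StatusUnauthorized, errorDomain, "bearerTokenMissing", "Authorization bearer token is missing.")
			} else if claims, err := parser.Parse(r.Context(), token); err != nil {
				writeError(w, http.StatusUnauthorized, errorDomain, "authenticationFailed", "Authentication is failed.")
			} else if verifyAccess != nil && !verifyAccess(r, claims) {
				writeError(w, http.StatusForbidden, errorDomain, "authorizationFailed", "Authorization is failed.")
			} else {
				next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, claims)))
			}
		})
	}
}

// staticParser is a constructed test double: a fixed token -> claims table with no signature verification.
type staticParser map[string]*Claims
func (p staticParser) Parse(_ context.Context, token string) (*Claims, error) {
	if c, ok := p[token]; ok {
		return c, nil
	}
	return nil, fmt.Errorf("token %q is not valid", token)
}

// Serve sends one request with the given Authorization header through the wired middleware and returns status and trimmed body.
func Serve(authHeader string) (int, string) {
	handler := JWTAuthMiddleware("MyService", staticParser{ // constructed tokens; "my_service" is a hypothetical namespace
		"admin-token":  {Subject: "alice", Scope: []AccessPolicy{{"my_service", "admin"}}},
		"viewer-token": {Subject: "bob", Scope: []AccessPolicy{{"my_service", "viewer"}}},
	}, NewVerifyAccessByRolesInJWTMaker("my_service")("admin"))(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Context().Value(claimsKey{}).(*Claims).Subject)
	}))
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	req.Header.Set(HeaderAuthorization, authHeader)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

Calling Serve with no header, with a "Basic" header, with an unknown bearer token, with the viewer's token and with the admin's token yields 401 bearerTokenMissing, 401 bearerTokenMissing, 401 authenticationFailed, 403 authorizationFailed and 200 "hello alice" respectively. The scheme check in GetBearerTokenFromRequest is deliberate: a non-Bearer Authorization value is reported as a missing bearer token rather than being passed to the parser. The JSON keys come out alphabetically sorted, which is equivalent to the body shown in the documentation.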
func SetDefaultLogger ¶ added in v0.7.0
func SetDefaultLogger(logger log.FieldLogger)
SetDefaultLogger sets the default logger for the library.
Types ¶
type CachingJWTParser ¶
CachingJWTParser does the same as JWTParser but stores parsed JWT claims in a cache.
type ClaimsCacheConfig ¶
ClaimsCacheConfig is the configuration of how the claims cache will be used.
type Config ¶
type Config struct {
	HTTPClient    HTTPClientConfig
	GRPCClient    GRPCClientConfig
	JWT           JWTConfig
	JWKS          JWKSConfig
	Introspection IntrospectionConfig
	// contains filtered or unexported fields
}
Config represents a set of configuration parameters for authentication and authorization.
func NewConfigWithKeyPrefix ¶
NewConfigWithKeyPrefix creates a new instance of Config. It allows specifying a key prefix that will be used when parsing configuration parameters.
func (*Config) KeyPrefix ¶
KeyPrefix returns a key prefix with which all configuration parameters should be presented.
func (*Config) Set ¶
func (c *Config) Set(dp config.DataProvider) error
Set sets auth configuration values from config.DataProvider.
func (*Config) SetProviderDefaults ¶
func (c *Config) SetProviderDefaults(dp config.DataProvider)
SetProviderDefaults sets default configuration values for auth in config.DataProvider.
type GRPCClientConfig ¶
type GRPCTLSConfig ¶
GRPCTLSConfig is the configuration of how the gRPC connection will be secured.
type HTTPClientConfig ¶
type IntrospectionCacheConfig ¶
IntrospectionCacheConfig is the configuration of how the claims cache will be used for introspection.
type IntrospectionConfig ¶
type IntrospectionConfig struct {
	Enabled                bool
	Endpoint               string
	AccessTokenScope       []string
	ClaimsCache            IntrospectionCacheConfig
	NegativeCache          IntrospectionCacheConfig
	EndpointDiscoveryCache IntrospectionCacheConfig
	GRPC                   IntrospectionGRPCConfig
}
IntrospectionConfig is the configuration of how token introspection will be used.
type IntrospectionGRPCConfig ¶
type IntrospectionGRPCConfig struct {
	Endpoint       string
	RequestTimeout time.Duration
	TLS            GRPCTLSConfig
}
IntrospectionGRPCConfig is the configuration of how the token will be introspected via gRPC.
type JWKSConfig ¶
JWKSConfig is the configuration of how JWKS will be used.
type JWTAuthMiddlewareOption ¶
type JWTAuthMiddlewareOption func(options *jwtAuthMiddlewareOpts)
JWTAuthMiddlewareOption is an option for JWTAuthMiddleware.
func WithJWTAuthMiddlewareLoggerProvider ¶ added in v0.7.0
func WithJWTAuthMiddlewareLoggerProvider(loggerProvider func(ctx context.Context) log.FieldLogger) JWTAuthMiddlewareOption
WithJWTAuthMiddlewareLoggerProvider is an option to set a logger provider for JWTAuthMiddleware.
func WithJWTAuthMiddlewarePrometheusLibInstanceLabel ¶ added in v0.12.0
func WithJWTAuthMiddlewarePrometheusLibInstanceLabel(label string) JWTAuthMiddlewareOption
WithJWTAuthMiddlewarePrometheusLibInstanceLabel is an option to set a label for Prometheus metrics that are used by JWTAuthMiddleware.
func WithJWTAuthMiddlewareTokenIntrospector ¶
func WithJWTAuthMiddlewareTokenIntrospector(tokenIntrospector TokenIntrospector) JWTAuthMiddlewareOption
WithJWTAuthMiddlewareTokenIntrospector is an option to set a token introspector for JWTAuthMiddleware.
func WithJWTAuthMiddlewareVerifyAccess ¶
func WithJWTAuthMiddlewareVerifyAccess(verifyAccess func(r *http.Request, claims jwt.Claims) bool) JWTAuthMiddlewareOption
WithJWTAuthMiddlewareVerifyAccess is an option to set a function that verifies access for JWTAuthMiddleware.
type JWTConfig ¶
type JWTConfig struct {
	TrustedIssuers    map[string]string
	TrustedIssuerURLs []string
	RequireAudience   bool
	ExpectedAudience  []string
	ClaimsCache       ClaimsCacheConfig
}
JWTConfig is the configuration of how JWTs will be verified.
type JWTParser ¶
JWTParser is an interface for parsing the string representation of a JWT.
func NewJWTParser ¶
func NewJWTParser(cfg *Config, opts ...JWTParserOption) (JWTParser, error)
NewJWTParser creates a new JWTParser with the given configuration. If cfg.JWT.ClaimsCache.Enabled is true, a jwt.CachingParser is created; otherwise a plain jwt.Parser is created.
type JWTParserOption ¶
type JWTParserOption func(options *jwtParserOptions)
JWTParserOption is an option for creating JWTParser.
func WithJWTParserClaimsTemplate ¶ added in v0.10.0
func WithJWTParserClaimsTemplate(claimsTemplate jwt.Claims) JWTParserOption
WithJWTParserClaimsTemplate sets the claims template for JWTParser.
func WithJWTParserLoggerProvider ¶ added in v0.7.0
func WithJWTParserLoggerProvider(loggerProvider func(ctx context.Context) log.FieldLogger) JWTParserOption
WithJWTParserLoggerProvider sets the logger provider for JWTParser.
func WithJWTParserPrometheusLibInstanceLabel ¶
func WithJWTParserPrometheusLibInstanceLabel(label string) JWTParserOption
WithJWTParserPrometheusLibInstanceLabel sets the Prometheus lib instance label for JWTParser.
func WithJWTParserScopeFilter ¶ added in v0.13.0
func WithJWTParserScopeFilter(scopeFilter jwt.ScopeFilter) JWTParserOption
WithJWTParserScopeFilter sets the scope filter for JWTParser. If it's used, then only access policies in scope that match at least one of the filtering policies will be returned. It's useful when the claims cache is used (cfg.JWT.ClaimsCache.Enabled is true), and we want to store only some of the access policies in the cache to reduce memory usage.
func WithJWTParserTrustedIssuerNotFoundFallback ¶
func WithJWTParserTrustedIssuerNotFoundFallback(fallback jwt.TrustedIssNotFoundFallback) JWTParserOption
WithJWTParserTrustedIssuerNotFoundFallback sets the fallback used by JWTParser when a trusted issuer is not found.
type TokenIntrospector ¶
type TokenIntrospector interface {
IntrospectToken(ctx context.Context, token string) (idptoken.IntrospectionResult, error)
}
TokenIntrospector is an interface for introspecting tokens.
type TokenIntrospectorOption ¶
type TokenIntrospectorOption func(options *tokenIntrospectorOptions)
TokenIntrospectorOption is an option for creating TokenIntrospector.
func WithTokenIntrospectorLoggerProvider ¶ added in v0.7.0
func WithTokenIntrospectorLoggerProvider(loggerProvider func(ctx context.Context) log.FieldLogger) TokenIntrospectorOption
WithTokenIntrospectorLoggerProvider sets the logger provider for TokenIntrospector.
func WithTokenIntrospectorPrometheusLibInstanceLabel ¶
func WithTokenIntrospectorPrometheusLibInstanceLabel(label string) TokenIntrospectorOption
WithTokenIntrospectorPrometheusLibInstanceLabel sets the Prometheus lib instance label for TokenIntrospector.
func WithTokenIntrospectorResultTemplate ¶ added in v0.10.0
func WithTokenIntrospectorResultTemplate(resultTemplate idptoken.IntrospectionResult) TokenIntrospectorOption
WithTokenIntrospectorResultTemplate sets the result template for TokenIntrospector.
func WithTokenIntrospectorTrustedIssuerNotFoundFallback ¶
func WithTokenIntrospectorTrustedIssuerNotFoundFallback(
	fallback idptoken.TrustedIssNotFoundFallback,
) TokenIntrospectorOption
WithTokenIntrospectorTrustedIssuerNotFoundFallback sets the fallback used by TokenIntrospector when a trusted issuer is not found.
Directories ¶
Path | Synopsis |
---|---|
examples | |
idptest | Package idptest provides helper primitives and functions required for testing signing and key generation and a simple HTTP server with JWKS, issuer and IDP configuration endpoints. |
idptoken | Package idptoken provides a robust way to request access tokens from IDP. |
internal | |
internal/idputil | Package idputil provides utilities for working with identity providers. |
internal/libinfo | Package libinfo provides helpers for working with the library information. |
internal/metrics | Package metrics provides helpers for working with the library metrics. |
internal/testing | Package testing provides internal testing utilities. |
jwks | Package jwks contains clients for getting public keys from JWKS. |
jwt | Package jwt provides primitives for working with JWT (Parser, Claims, and so on). |