Documentation ¶
Overview ¶
Package authkit provides high-level helpers and basic objects for authN/authZ.
Index ¶
- Constants
- Variables
- func GetBearerTokenFromContext(ctx context.Context) string
- func GetBearerTokenFromRequest(r *http.Request) string
- func GetJWTClaimsFromContext(ctx context.Context) *jwt.Claims
- func JWTAuthMiddleware(errorDomain string, jwtParser JWTParser, opts ...JWTAuthMiddlewareOption) func(next http.Handler) http.Handler
- func NewContextWithBearerToken(ctx context.Context, token string) context.Context
- func NewContextWithJWTClaims(ctx context.Context, jwtClaims *jwt.Claims) context.Context
- func NewTokenIntrospector(cfg *Config, tokenProvider idptoken.IntrospectionTokenProvider, ...) (*idptoken.Introspector, error)
- func NewVerifyAccessByRolesInJWT(roles ...Role) func(r *http.Request, claims *jwt.Claims) bool
- func NewVerifyAccessByRolesInJWTMaker(namespace string) func(roleNames ...string) func(r *http.Request, claims *jwt.Claims) bool
- type CachingJWTParser
- type ClaimsCacheConfig
- type Config
- type GRPCClientConfig
- type GRPCTLSConfig
- type HTTPClientConfig
- type IntrospectionCacheConfig
- type IntrospectionConfig
- type IntrospectionGRPCConfig
- type JWKSConfig
- type JWTAuthMiddlewareOption
- type JWTConfig
- type JWTParser
- type JWTParserOption
- type Role
- type TokenIntrospector
- type TokenIntrospectorOption
Constants ¶
const HeaderAuthorization = "Authorization"
HeaderAuthorization is the name of the HTTP header that carries the data used for authentication and authorization.
Variables ¶
var (
	ErrCodeBearerTokenMissing   = "bearerTokenMissing"
	ErrCodeAuthenticationFailed = "authenticationFailed"
	ErrCodeAuthorizationFailed  = "authorizationFailed"
)
Authentication and authorization error codes. We are using "var" here because some services may want to use different error codes.
var (
	ErrMessageBearerTokenMissing   = "Authorization bearer token is missing."
	ErrMessageAuthenticationFailed = "Authentication is failed."
	ErrMessageAuthorizationFailed  = "Authorization is failed."
)
Authentication and authorization error messages. We are using "var" here because some services may want to use different error messages.
Functions ¶
func GetBearerTokenFromContext ¶
GetBearerTokenFromContext extracts the bearer token from the context.
func GetBearerTokenFromRequest ¶
GetBearerTokenFromRequest extracts the bearer token from the "Authorization" header of the request.
func GetJWTClaimsFromContext ¶
GetJWTClaimsFromContext extracts JWT claims from the context.
func JWTAuthMiddleware ¶
func JWTAuthMiddleware(errorDomain string, jwtParser JWTParser, opts ...JWTAuthMiddlewareOption) func(next http.Handler) http.Handler
JWTAuthMiddleware is a middleware that authenticates the incoming request by the access token carried in its "Authorization" HTTP header. errorDomain is used in error responses; it is usually the name of the service that uses the middleware, and its purpose is to distinguish errors produced by different services, so that one can tell where an error occurred and which service caused it. For example, if the "Authorization" HTTP header is missing, the middleware returns 401 with the following response body:
{"error": {"domain": "MyService", "code": "bearerTokenMissing", "message": "Authorization bearer token is missing."}}
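An added example, written for this page rather than taken from the library, of the contract described above: a stand-in middleware that pulls the bearer token from the "Authorization" header, answers with the documented error envelope (domain, code, message) using the package's error codes and messages, and hands verified claims to the next handler through the request context. Everything else is assumed for illustration: the Claims shape, the JWTParser interface, the fake parser and its two tokens, the service name MyService, the 401 for a token that fails to parse and the 403 for a failed verifyAccess (the page documents only the 401 for a missing token). It uses the standard library alone, so it runs without the real package.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims stands in for the library's jwt.Claims (assumed shape, not the real type).
type Claims struct{ Subject, Role string }

// JWTParser mirrors the documented interface: a raw token string in, verified claims out.
type JWTParser interface {
	Parse(ctx context.Context, token string) (*Claims, error)
}

type claimsKey struct{}

// GetJWTClaimsFromContext returns the claims the middleware stored, or nil if it did not run.
func GetJWTClaimsFromContext(ctx context.Context) *Claims {
	c, _ := ctx.Value(claimsKey{}).(*Claims)
	return c
}

// GetBearerTokenFromRequest returns the token after "Bearer " (scheme compared case-insensitively), or "".
func GetBearerTokenFromRequest(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if len(h) > 7 && strings.EqualFold(h[:7], "Bearer ") {
		return strings.TrimSpace(h[7:])
	}
	return ""
}

// writeError emits the documented envelope: {"error": {"domain": ..., "code": ..., "message": ...}}.
func writeError(w http.ResponseWriter, status int, domain, code, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]map[string]string{"error": {"domain": domain, "code": code, "message": msg}})
}

// Failure order: no token -> 401 bearerTokenMissing; unparseable token -> 401 authenticationFailed;
// verifyAccess false -> 403 authorizationFailed. Only the first 401 is documented; the other codes are this example's choice.
func JWTAuthMiddleware(domain string, parser JWTParser, verifyAccess func(*http.Request, *Claims) bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			token := GetBearerTokenFromRequest(r)
			if token == "" {
				writeError(w, http.StatusUnauthorized, domain, "bearerTokenMissing", "Authorization bearer token is missing.")
				return
			}
			claims, err := parser.Parse(r.Context(), token)
			if err != nil {
				writeError(w, http.StatusUnauthorized, domain, "authenticationFailed", "Authentication is failed.")
				return
			}
			if verifyAccess != nil && !verifyAccess(r, claims) {
				writeError(w, http.StatusForbidden, domain, "authorizationFailed", "Authorization is failed.")
				return
			}
			// Verified claims travel to the next handler via the request context.
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, claims)))
		})
	}
}

// fakeParser replaces a JWKS-backed parser; it only knows two constructed tokens.
type fakeParser map[string]*Claims

func (p fakeParser) Parse(_ context.Context, tok string) (*Claims, error) {
	if c, ok := p[tok]; ok {
		return c, nil
	}
	return nil, errors.New("invalid token")
}

// Probe sends one request with the given Authorization header through an admin-only handler.
func Probe(authz string) (status int, body string) {
	parser := fakeParser{
		"admin-token":  {Subject: "alice", Role: "admin"},
		"viewer-token": {Subject: "bob", Role: "viewer"},
	}
	handler := JWTAuthMiddleware("MyService", parser, func(_ *http.Request, c *Claims) bool { return c.Role == "admin" })(
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			_, _ = w.Write([]byte("hello " + GetJWTClaimsFromContext(r.Context()).Subject))
		}))
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, h := range []string{"", "Bearer bogus", "Bearer viewer-token", "Bearer admin-token"} {
		code, body := Probe(h)
		fmt.Printf("%q -> %d %s\n", h, code, strings.TrimSpace(body))
	}
}
```

The order of the checks is the point: a missing header is reported before anything is parsed, a token that does not verify is rejected before verifyAccess runs, and verifyAccess only ever sees claims that already passed verification. Keep errorDomain stable per service so that a client seeing "domain": "MyService" can tell which hop rejected the request.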
func NewContextWithBearerToken ¶
NewContextWithBearerToken creates a new context with token.
func NewContextWithJWTClaims ¶
NewContextWithJWTClaims creates a new context with JWT claims.
func NewTokenIntrospector ¶
func NewTokenIntrospector(
	cfg *Config,
	tokenProvider idptoken.IntrospectionTokenProvider,
	scopeFilter []idptoken.IntrospectionScopeFilterAccessPolicy,
	opts ...TokenIntrospectorOption,
) (*idptoken.Introspector, error)
NewTokenIntrospector creates a new TokenIntrospector with the given configuration, token provider and scope filter. If cfg.Introspection.ClaimsCache.Enabled or cfg.Introspection.NegativeCache.Enabled is true, an idptoken.CachingIntrospector is created; otherwise an idptoken.Introspector. Please note that tokenProvider must be able to provide an access token that carries the policy required for introspection. scopeFilter is a list of filters that will be applied to the scope of the introspected token.
func NewVerifyAccessByRolesInJWT ¶
NewVerifyAccessByRolesInJWT creates a new function which may be used for verifying access by roles in JWT scope.
func NewVerifyAccessByRolesInJWTMaker ¶
func NewVerifyAccessByRolesInJWTMaker(namespace string) func(roleNames ...string) func(r *http.Request, claims *jwt.Claims) bool
NewVerifyAccessByRolesInJWTMaker creates a new function which may be used for verifying access by roles in JWT scope given a namespace.
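An added example (not the library's own code) of what the two role-based verifiers above do, under the assumption that a claim's scope is a list of (resource namespace, role) entries and that a Role is a namespace plus a name: a role matches only when both the namespace and the name match, so an "admin" granted in another namespace does not satisfy a check built for "account-server". The AccessPolicy, Claims and Role shapes, the namespaces and the role names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Stand-in shapes for the scope entries in the library's jwt.Claims and for authkit.Role (assumed, not the real types).
type AccessPolicy struct{ ResourceNamespace, Role string }
type Claims struct{ Scope []AccessPolicy }
type Role struct{ Namespace, Name string }

// NewVerifyAccessByRolesInJWT grants access when any requested role (namespace + name) appears in the
// token scope. Nil claims never pass, and a matching role name in another namespace does not count.
func NewVerifyAccessByRolesInJWT(roles ...Role) func(r *http.Request, claims *Claims) bool {
	return func(_ *http.Request, claims *Claims) bool {
		if claims == nil {
			return false
		}
		for _, p := range claims.Scope {
			for _, want := range roles {
				if p.ResourceNamespace == want.Namespace && p.Role == want.Name {
					return true
				}
			}
		}
		return false
	}
}

// NewVerifyAccessByRolesInJWTMaker fixes the namespace once so that call sites only list role names.
func NewVerifyAccessByRolesInJWTMaker(namespace string) func(roleNames ...string) func(r *http.Request, claims *Claims) bool {
	return func(roleNames ...string) func(r *http.Request, claims *Claims) bool {
		roles := make([]Role, 0, len(roleNames))
		for _, n := range roleNames {
			roles = append(roles, Role{Namespace: namespace, Name: n})
		}
		return NewVerifyAccessByRolesInJWT(roles...)
	}
}

// Decisions runs the verifiers over constructed claims and reports which requests would be let through.
func Decisions() map[string]bool {
	verifyFor := NewVerifyAccessByRolesInJWTMaker("account-server")
	adminOrAuditor := verifyFor("admin", "auditor")
	tenantAdmin := NewVerifyAccessByRolesInJWT(Role{Namespace: "tenant-service", Name: "admin"})

	admin := &Claims{Scope: []AccessPolicy{{ResourceNamespace: "account-server", Role: "admin"}}}
	auditor := &Claims{Scope: []AccessPolicy{{ResourceNamespace: "account-server", Role: "auditor"}}}
	foreignAdmin := &Claims{Scope: []AccessPolicy{{ResourceNamespace: "tenant-service", Role: "admin"}}}

	return map[string]bool{
		"admin in account-server":            adminOrAuditor(nil, admin),
		"auditor in account-server":          adminOrAuditor(nil, auditor),
		"admin in tenant-service (wrong ns)": adminOrAuditor(nil, foreignAdmin),
		"empty scope":                        adminOrAuditor(nil, &Claims{}),
		"nil claims":                         adminOrAuditor(nil, nil),
		"tenant-service admin via Role":      tenantAdmin(nil, foreignAdmin),
	}
}

func main() {
	for k, v := range Decisions() {
		fmt.Printf("%-36s %v\n", k, v)
	}
}
```

The maker form is convenient because a service normally checks roles in its own namespace only; building every verifier from one maker keeps a stray role name from being accepted across namespaces.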
Types ¶
type CachingJWTParser ¶
CachingJWTParser does the same as JWTParser but stores parsed JWT claims in cache.
type ClaimsCacheConfig ¶
ClaimsCacheConfig is a configuration of how claims cache will be used.
type Config ¶
type Config struct {
	HTTPClient    HTTPClientConfig
	GRPCClient    GRPCClientConfig
	JWT           JWTConfig
	JWKS          JWKSConfig
	Introspection IntrospectionConfig
	// contains filtered or unexported fields
}
Config represents a set of configuration parameters for authentication and authorization.
func NewConfigWithKeyPrefix ¶
NewConfigWithKeyPrefix creates a new instance of the Config. Allows specifying key prefix which will be used for parsing configuration parameters.
func (*Config) KeyPrefix ¶
KeyPrefix returns a key prefix with which all configuration parameters should be presented.
func (*Config) Set ¶
func (c *Config) Set(dp config.DataProvider) error
Set sets auth configuration values from config.DataProvider.
func (*Config) SetProviderDefaults ¶
func (c *Config) SetProviderDefaults(dp config.DataProvider)
SetProviderDefaults sets default configuration values for auth in config.DataProvider.
type GRPCClientConfig ¶
type GRPCTLSConfig ¶
GRPCTLSConfig is a configuration of how gRPC connection will be secured.
type HTTPClientConfig ¶
type IntrospectionCacheConfig ¶
IntrospectionCacheConfig is a configuration of how claims cache will be used for introspection.
type IntrospectionConfig ¶
type IntrospectionConfig struct {
	Enabled          bool
	Endpoint         string
	AccessTokenScope []string
	ClaimsCache      IntrospectionCacheConfig
	NegativeCache    IntrospectionCacheConfig
	GRPC             IntrospectionGRPCConfig
}
IntrospectionConfig is a configuration of how token introspection will be used.
type IntrospectionGRPCConfig ¶
type IntrospectionGRPCConfig struct {
	Endpoint       string
	RequestTimeout time.Duration
	TLS            GRPCTLSConfig
}
IntrospectionGRPCConfig is a configuration of how token will be introspected via gRPC.
type JWKSConfig ¶
JWKSConfig is the configuration of how JWKS will be used.
type JWTAuthMiddlewareOption ¶
type JWTAuthMiddlewareOption func(options *jwtAuthMiddlewareOpts)
JWTAuthMiddlewareOption is an option for JWTAuthMiddleware.
func WithJWTAuthMiddlewareTokenIntrospector ¶
func WithJWTAuthMiddlewareTokenIntrospector(tokenIntrospector TokenIntrospector) JWTAuthMiddlewareOption
WithJWTAuthMiddlewareTokenIntrospector is an option to set a token introspector for JWTAuthMiddleware.
func WithJWTAuthMiddlewareVerifyAccess ¶
func WithJWTAuthMiddlewareVerifyAccess(verifyAccess func(r *http.Request, claims *jwt.Claims) bool) JWTAuthMiddlewareOption
WithJWTAuthMiddlewareVerifyAccess is an option to set a function that verifies access for JWTAuthMiddleware.
type JWTConfig ¶
type JWTConfig struct {
	TrustedIssuers    map[string]string
	TrustedIssuerURLs []string
	RequireAudience   bool
	ExpectedAudience  []string
	ClaimsCache       ClaimsCacheConfig
}
JWTConfig is the configuration of how JWT will be verified.
type JWTParser ¶
JWTParser is an interface for parsing string representation of JWT.
func NewJWTParser ¶
func NewJWTParser(cfg *Config, opts ...JWTParserOption) (JWTParser, error)
NewJWTParser creates a new JWTParser with the given configuration. If cfg.JWT.ClaimsCache.Enabled is true, a jwt.CachingParser is created; otherwise a jwt.Parser.
type JWTParserOption ¶
type JWTParserOption func(options *jwtParserOptions)
JWTParserOption is an option for creating JWTParser.
func WithJWTParserLogger ¶
func WithJWTParserLogger(logger log.FieldLogger) JWTParserOption
WithJWTParserLogger sets the logger for JWTParser.
func WithJWTParserPrometheusLibInstanceLabel ¶
func WithJWTParserPrometheusLibInstanceLabel(label string) JWTParserOption
WithJWTParserPrometheusLibInstanceLabel sets the Prometheus lib instance label for JWTParser.
func WithJWTParserTrustedIssuerNotFoundFallback ¶
func WithJWTParserTrustedIssuerNotFoundFallback(fallback jwt.TrustedIssNotFoundFallback) JWTParserOption
WithJWTParserTrustedIssuerNotFoundFallback sets the fallback for JWTParser when trusted issuer is not found.
type TokenIntrospector ¶
type TokenIntrospector interface {
IntrospectToken(ctx context.Context, token string) (idptoken.IntrospectionResult, error)
}
TokenIntrospector is an interface for introspecting tokens.
type TokenIntrospectorOption ¶
type TokenIntrospectorOption func(options *tokenIntrospectorOptions)
TokenIntrospectorOption is an option for creating TokenIntrospector.
func WithTokenIntrospectorLogger ¶
func WithTokenIntrospectorLogger(logger log.FieldLogger) TokenIntrospectorOption
WithTokenIntrospectorLogger sets the logger for TokenIntrospector.
func WithTokenIntrospectorPrometheusLibInstanceLabel ¶
func WithTokenIntrospectorPrometheusLibInstanceLabel(label string) TokenIntrospectorOption
WithTokenIntrospectorPrometheusLibInstanceLabel sets the Prometheus lib instance label for TokenIntrospector.
func WithTokenIntrospectorTrustedIssuerNotFoundFallback ¶
func WithTokenIntrospectorTrustedIssuerNotFoundFallback(
	fallback idptoken.TrustedIssNotFoundFallback,
) TokenIntrospectorOption
WithTokenIntrospectorTrustedIssuerNotFoundFallback sets the fallback for TokenIntrospector when trusted issuer is not found.
Directories ¶
Path | Synopsis
---|---
examples |
idptest | Package idptest provides helper primitives and functions required for testing signing and key generation and a simple HTTP server with JWKS, issuer and IDP configuration endpoints.
idptoken | Package idptoken provides a robust way to request access tokens from IDP.
internal |
internal/idputil | Package idputil provides utilities for working with identity providers.
internal/libinfo | Package libinfo provides helpers for working with the library information.
internal/metrics | Package metrics provides helpers for working with the library metrics.
internal/testing | Package testing provides internal testing utilities.
jwks | Package jwks contains clients for getting public keys from JWKS.
jwt | Package jwt provides primitives for working with JWT (Parser, Claims, and so on).