Constants ¶
const (
	// ClientCertAuthenticatorType names the client-certificate (mTLS) authenticator.
	// Presumably the string ClientCertAuthenticator.AuthenticatorType reports — confirm
	// against that method.
	ClientCertAuthenticatorType = "ClientCertAuthenticator"
)
const (
	// IDTokenAuthenticatorType names the ID-token (JWT/OIDC) authenticator.
	// Presumably the string JwtAuthenticator.AuthenticatorType reports — confirm
	// against that method.
	IDTokenAuthenticatorType = "IDTokenAuthenticator"
)
const (
	// IdentityTemplate is the SPIFFE format template of the identity.
	// The three %s verbs are filled, in order, with the trust domain, the
	// namespace ("ns" segment) and the service account ("sa" segment).
	IdentityTemplate = "spiffe://%s/ns/%s/sa/%s"
)
Types ¶
type ClientCertAuthenticator ¶
// ClientCertAuthenticator extracts identities from client certificates.
// It has no fields, so the zero value is usable directly.
type ClientCertAuthenticator struct{}
ClientCertAuthenticator extracts identities from client certificates.
func (*ClientCertAuthenticator) Authenticate ¶
Authenticate extracts identities from the presented client certificates. This method assumes that the certificate chain has already been properly validated before it is called; in other words, it does not perform certificate chain validation itself.
func (*ClientCertAuthenticator) AuthenticateRequest ¶
func (cca *ClientCertAuthenticator) AuthenticateRequest(req *http.Request) (*security.Caller, error)
AuthenticateRequest performs mTLS authentication for HTTP requests. It requires that the endpoints be served on a listener with a proper TLS configuration.
func (*ClientCertAuthenticator) AuthenticatorType ¶
func (cca *ClientCertAuthenticator) AuthenticatorType() string
type JwtAuthenticator ¶
// JwtAuthenticator validates JWTs via OIDC (per NewJwtAuthenticator, used when
// istiod runs outside a cluster). Construct it with NewJwtAuthenticator; the
// zero value is not documented as usable.
type JwtAuthenticator struct {
	// contains filtered or unexported fields
}
func NewJwtAuthenticator ¶
func NewJwtAuthenticator(jwtRule *v1beta1.JWTRule, trustDomain string) (*JwtAuthenticator, error)
NewJwtAuthenticator is used when running istiod outside of a cluster, to validate the tokens using OIDC. K8S is started with --service-account-issuer, --service-account-signing-key-file and --service-account-api-audiences, which enable OIDC.
func (*JwtAuthenticator) Authenticate ¶
Authenticate is based on the old OIDC authenticator for mesh expansion.
func (*JwtAuthenticator) AuthenticateRequest ¶
func (JwtAuthenticator) AuthenticatorType ¶
func (j JwtAuthenticator) AuthenticatorType() string
type JwtPayload ¶
// JwtPayload is the subset of JWT claims this package decodes from a token
// (see the json tags). It holds parsed claims only; signature and expiry
// verification are presumably performed by the OIDC validation configured in
// NewJwtAuthenticator — confirm, and do not trust these fields before that
// verification has run.
type JwtPayload struct {
	// Aud is the expected audience, defaults to istio-ca - but is based on istiod.yaml configuration.
	// If set to a different value - use the value defined by istiod.yaml. Env variable can
	// still override.
	Aud []string `json:"aud"`

	// Exp is not currently used - we don't use the token for authn, just to determine k8s settings.
	Exp int `json:"exp"`

	// Iss is the issuer - configured by the K8S admin for projected tokens. Will be used to verify all tokens.
	Iss string `json:"iss"`

	// Sub is the subject claim of the token; its expected format is not shown
	// here — confirm against callers.
	Sub string `json:"sub"`
}