Documentation
Overview
Package openid implements the OpenID Connect login protocol (client side).
Tested only with Google's implementation of the protocol.
See https://developers.google.com/identity/protocols/OpenIDConnect.
Index
- Constants
- Variables
- type AuthMethod
- func (m *AuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)
- func (m *AuthMethod) InstallHandlers(r *router.Router, base router.MiddlewareChain)
- func (m *AuthMethod) LoginURL(c context.Context, dest string) (string, error)
- func (m *AuthMethod) LogoutURL(c context.Context, dest string) (string, error)
- func (m *AuthMethod) Warmup(c context.Context) (err error)
- type IDToken
- type JSONWebKeySet
- type JSONWebKeySetStruct
- type JSONWebKeyStruct
- type Settings
Constants
const SettingsKey = "openid_auth"
SettingsKey is the key under which the OpenID settings (described by the Settings struct) are stored in the settings store. See go.chromium.org/luci/server/settings.
Variables
var (
	// ErrNotConfigured is returned by various functions if OpenID settings are
	// not properly configured.
	ErrNotConfigured = errors.New("openid: not configured")
)
Functions
This section is empty.
Types
type AuthMethod
type AuthMethod struct {
	// SessionStore keeps user sessions in some permanent storage. Must be set,
	// otherwise all methods return ErrNotConfigured.
	SessionStore auth.SessionStore

	// Insecure is true to allow http:// URLs and non-https cookies. Useful for
	// local development.
	Insecure bool

	// IncompatibleCookies is a list of cookies to remove when setting or clearing
	// the session cookie. It is useful to get rid of GAE cookies when OpenID
	// cookies are being used. Having both is very confusing.
	IncompatibleCookies []string
}
AuthMethod implements auth.Method and auth.UsersAPI and can be used as one of the authentication methods in auth.Authenticator. It uses OpenID for the login flow, stores the session ID in a cookie, and stores the session itself in the supplied SessionStore.
It requires some routes to be added to the router. Use the exact same instance of AuthMethod in auth.Authenticator and when adding routes via InstallHandlers.
func (*AuthMethod) Authenticate
func (m *AuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)
Authenticate extracts the peer's identity from the incoming request. It is part of the auth.Method interface.
func (*AuthMethod) InstallHandlers
func (m *AuthMethod) InstallHandlers(r *router.Router, base router.MiddlewareChain)
InstallHandlers installs the HTTP handlers used in the OpenID protocol. They must be installed in the server's HTTP router for the OpenID authentication flow to work.
func (*AuthMethod) LoginURL
func (m *AuthMethod) LoginURL(c context.Context, dest string) (string, error)
LoginURL returns a URL that, when visited, prompts the user to sign in, then redirects the user to the URL specified by dest. It is part of the auth.UsersAPI interface.
type IDToken
type IDToken struct {
	Iss           string `json:"iss"`
	AtHash        string `json:"at_hash"`
	EmailVerified bool   `json:"email_verified"`
	Sub           string `json:"sub"`
	Azp           string `json:"azp"`
	Email         string `json:"email"`
	Profile       string `json:"profile"`
	Picture       string `json:"picture"`
	Name          string `json:"name"`
	Aud           string `json:"aud"`
	Iat           int64  `json:"iat"`
	Exp           int64  `json:"exp"`
	Nonce         string `json:"nonce"`
	Hd            string `json:"hd"`
}
IDToken is a verified, deserialized ID token.
See https://developers.google.com/identity/protocols/OpenIDConnect.
func VerifyIDToken
func VerifyIDToken(c context.Context, token string, keys *JSONWebKeySet, issuer, audience string) (*IDToken, error)
VerifyIDToken deserializes the ID token and verifies it against the given key set, issuer and audience.
This is a fast, purely local operation.
type JSONWebKeySet
type JSONWebKeySet struct {
// contains filtered or unexported fields
}
JSONWebKeySet implements a subset of the functionality described in RFC 7517.
It currently supports only RSA keys and the RS256 alg. It is intended to represent keys fetched from https://www.googleapis.com/oauth2/v3/certs.
It is used to verify ID token signatures.
func NewJSONWebKeySet
func NewJSONWebKeySet(parsed *JSONWebKeySetStruct) (*JSONWebKeySet, error)
NewJSONWebKeySet builds the key set from a raw JSON Web Key set struct.
type JSONWebKeySetStruct
type JSONWebKeySetStruct struct {
	Keys []JSONWebKeyStruct `json:"keys"`
}
JSONWebKeySetStruct defines the JSON structure of JSONWebKeySet.
Read it from the wire and pass it to NewJSONWebKeySet to get a usable object.
See https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters. Only RSA public keys are of interest here, so only the 'n' and 'e' parameters are used.
type JSONWebKeyStruct
type JSONWebKeyStruct struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	N   string `json:"n"` // raw URL-safe base64, NOT standard base64
	E   string `json:"e"` // same
}
JSONWebKeyStruct defines the JSON structure of a single key in the key set.
type Settings
type Settings struct {
	// DiscoveryURL is where to grab the discovery document with the provider's config.
	// Use `https://accounts.google.com/.well-known/openid-configuration` for
	// the Google OpenID Connect provider.
	DiscoveryURL string `json:"discovery_url"`

	// ClientID identifies the OAuth2 Web client representing the application. Create
	// one in Cloud Console if using the Google OpenID Connect provider.
	ClientID string `json:"client_id"`

	// ClientSecret is a secret associated with ClientID.
	ClientSecret string `json:"client_secret"`

	// RedirectURI must be `https://<apphost>/auth/openid/callback`. It is stored
	// in the config explicitly to remind the admin that the OAuth2 client in Cloud
	// Console must be configured accordingly.
	RedirectURI string `json:"redirect_uri"`
}
Settings contains the parameters of the OpenID protocol. They are stored in the app settings store under the SettingsKey key.