Documentation
Index
- Constants
- func GetAssumableRolesFromSAML(resp *saml.Response) (saml.AssumableRoles, error)
- func GetFactorId(f *OktaUserAuthnFactor) (id string, err error)
- func GetNode(n *html.Node, name string) (val string, node *html.Node)
- func GetOktaDomain(region string) (string, error)
- func GetRole(roleList saml.AssumableRoles, profileARN string) (saml.AssumableRole, error)
- func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, error)
- func NewConfigFromEnv() (config, error)
- func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error)
- func ParseSAML(body []byte, resp *SAMLAssertion) (err error)
- func Prompt(prompt string, sensitive bool) (string, error)
- func PromptWithOutput(prompt string, sensitive bool, output *os.File) (string, error)
- func SourceProfile(p string, from Profiles) string
- type DuoClient
- func (d *DuoClient) ChallengeU2f(verificationHost string) (err error)
- func (d *DuoClient) DoAuth(tx string, inputSid string, inputCertsURL string) (sid string, err error)
- func (d *DuoClient) DoCallback(auth string) (err error)
- func (d *DuoClient) DoPrompt(sid string) (txid string, err error)
- func (d *DuoClient) DoRedirect(url string, sid string) (string, error)
- func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp, err error)
- func (d *DuoClient) DoU2FPromptFinish(sid string, sessionID string, resp *u2fhost.AuthenticateResponse) (txid string, err error)
- type FacetResponse
- type MFAConfig
- type OktaClient
- func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error)
- func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration time.Duration, region string) (sts.Credentials, string, error)
- func (o *OktaClient) AuthenticateUser() error
- func (o *OktaClient) Get(method string, path string, data []byte, recv interface{}, format string) (err error)
- type OktaCreds
- type OktaProvider
- type OktaStateToken
- type OktaUser
- type OktaUserAuthn
- type OktaUserAuthnEmbedded
- type OktaUserAuthnFactor
- type OktaUserAuthnFactorEmbedded
- type OktaUserAuthnFactorEmbeddedChallenge
- type OktaUserAuthnFactorEmbeddedVerification
- type OktaUserAuthnFactorEmbeddedVerificationLinks
- type OktaUserAuthnFactorEmbeddedVerificationLinksComplete
- type OktaUserAuthnFactorProfile
- type Profiles
- type PromptResp
- type Provider
- type ProviderOptions
- type ResponseData
- type SAMLAssertion
- type SessionCacheInterface
- type StatusResp
Constants
const (
    OktaServerUs      = "okta.com"
    OktaServerEmea    = "okta-emea.com"
    OktaServerPreview = "oktapreview.com"
    OktaServerDefault = OktaServerUs
    // deprecated; use OktaServerUs
    OktaServer = OktaServerUs
    Timeout    = time.Duration(60 * time.Second)
)
Variables
This section is empty.
Functions
func GetAssumableRolesFromSAML (added in v1.0.0)
func GetAssumableRolesFromSAML(resp *saml.Response) (saml.AssumableRoles, error)
func GetFactorId
func GetFactorId(f *OktaUserAuthnFactor) (id string, err error)
func GetOktaDomain (added in v1.0.0)
func GetOktaDomain(region string) (string, error)
func GetRole (added in v1.0.0)
func GetRole(roleList saml.AssumableRoles, profileARN string) (saml.AssumableRole, error)
func GetRoleFromSAML
func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, error)
func NewConfigFromEnv
func NewConfigFromEnv() (config, error)
func OpenKeyring
func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error)
func ParseSAML
func ParseSAML(body []byte, resp *SAMLAssertion) (err error)
func PromptWithOutput (added in v1.0.0)
func PromptWithOutput(prompt string, sensitive bool, output *os.File) (string, error)
func SourceProfile (added in v1.0.0)
func SourceProfile(p string, from Profiles) string
Types
type DuoClient
type DuoClient struct {
    Host       string
    Signature  string
    Callback   string
    Device     string
    StateToken string
}
func NewDuoClient
func (*DuoClient) ChallengeU2f
func (d *DuoClient) ChallengeU2f(verificationHost string) (err error)
ChallengeU2f performs multiple calls against an obscure Duo API.
Normally an iframe in the browser performs those calls; here the idea is to emulate what that Duo iframe does so the CLI can be used without any browser.
The function performs three successive calls to retrieve the challenge data, waits for the user to complete the verification (Duo Push or Yubikey), and then calls the callback URL.
TODO: Use a Context to gracefully shut down the flow and have a proper timeout.
func (*DuoClient) DoAuth
func (d *DuoClient) DoAuth(tx string, inputSid string, inputCertsURL string) (sid string, err error)
DoAuth sends a POST request to the Duo /frame/web/v1/auth endpoint. The request does not follow the redirect; instead the Location is read from the HTTP response header, and the Duo Session ID (sid) required for the rest of the exchange is taken from that Location. In some Duo integrations, an empty POST to /frame/web/v1/auth returns StatusOK with a form of hidden inputs. In that case the POST is repeated with the data from the hidden inputs, which triggers the usual redirect/Location flow and allows authentication to succeed.
The function returns the sid.
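The two response shapes described above (a redirect whose Location carries the sid, or a 200 with a hidden-input form that has to be POSTed back) are the part of this flow that is easy to get wrong: a client that follows redirects by default never sees the Location header, and a client that trusts an empty sid can proceed without a session. The following Go program is an added example, not aws-okta's own DoAuth; the names newNoRedirectClient, sidFromLocation, hiddenInputs, postAuth, fetchSID and newFakeAuthServer are mine, the server is a constructed httptest stand-in rather than Duo, the values CONSTRUCTED-TX and CONSTRUCTED-SID-123 are made up, and the hidden-input matcher is a narrow regular expression that assumes type/name/value attribute order (a real client would walk the parsed HTML tree).

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// newNoRedirectClient stops at the first response instead of following a 3xx,
// so the Location header (and the sid inside it) stays visible to the caller.
func newNoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// sidFromLocation pulls the sid query parameter out of a Location header value.
// A redirect without a sid is treated as an error, never as an empty session.
func sidFromLocation(location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	if sid := u.Query().Get("sid"); sid != "" {
		return sid, nil
	}
	return "", errors.New("Location header carries no sid")
}

// hiddenInputRe is deliberately narrow (assumes type/name/value attribute order);
// it is enough for the constructed form below, not a general HTML parser.
var hiddenInputRe = regexp.MustCompile(`<input[^>]*type="hidden"[^>]*name="([^"]*)"[^>]*value="([^"]*)"`)

// hiddenInputs collects the name/value pairs of hidden inputs in an HTML body.
func hiddenInputs(body string) url.Values {
	v := url.Values{}
	for _, m := range hiddenInputRe.FindAllStringSubmatch(body, -1) {
		v.Set(m[1], m[2])
	}
	return v
}

// postAuth does one POST and returns either the sid from a redirect or the
// hidden-input form (retry) that has to be POSTed back; exactly one is set.
func postAuth(client *http.Client, authURL string, form url.Values) (sid string, retry url.Values, err error) {
	resp, err := client.PostForm(authURL, form)
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusFound, http.StatusSeeOther:
		sid, err = sidFromLocation(resp.Header.Get("Location"))
		return sid, nil, err
	case http.StatusOK:
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer
		if err != nil {
			return "", nil, err
		}
		if retry = hiddenInputs(string(body)); len(retry) == 0 {
			return "", nil, errors.New("200 response without hidden inputs")
		}
		return "", retry, nil
	default:
		return "", nil, fmt.Errorf("unexpected status %d from auth endpoint", resp.StatusCode)
	}
}

// fetchSID is the flow from the DoAuth doc: POST once; if a form came back
// instead of a redirect, POST once more with the form's values. It never loops
// further, so a server that keeps answering with forms cannot hang the client.
func fetchSID(client *http.Client, authURL string, form url.Values) (string, error) {
	sid, retry, err := postAuth(client, authURL, form)
	if err != nil || sid != "" {
		return sid, err
	}
	sid, _, err = postAuth(client, authURL, retry)
	if err == nil && sid == "" {
		err = errors.New("second POST still did not redirect with a sid")
	}
	return sid, err
}

// newFakeAuthServer is a constructed stand-in for the auth endpoint showing both
// behaviours: an empty POST gets a 200 hidden-input form, and a POST carrying
// the form's tx value gets the 302 whose Location holds the (made-up) sid.
func newFakeAuthServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		if r.FormValue("tx") == "" {
			w.Header().Set("Content-Type", "text/html")
			fmt.Fprint(w, `<form method="post"><input type="hidden" name="tx" value="CONSTRUCTED-TX"><input type="hidden" name="parent" value="http://example.invalid/"></form>`)
			return
		}
		http.Redirect(w, r, "/frame/prompt?sid=CONSTRUCTED-SID-123", http.StatusFound)
	}))
}
```

To run it stand-alone, start newFakeAuthServer(), then call fetchSID(newNoRedirectClient(), srv.URL+"/frame/web/v1/auth", url.Values{}); the first POST yields the form and the second yields CONSTRUCTED-SID-123. The two choices worth keeping in a real client are the CheckRedirect hook (without it the Go default client silently follows the 302 and the sid is lost) and the single-retry limit plus fail-closed sid check, which keep a misbehaving or unexpected response from turning into an unbounded loop or an empty-session continuation.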
func (*DuoClient) DoCallback
func (d *DuoClient) DoCallback(auth string) (err error)
DoCallback sends a POST request to the Okta callback URL defined in the DuoClient.
The callback request requires the stateToken from Okta and a sig_response built from the preceding requests.
func (*DuoClient) DoPrompt
func (d *DuoClient) DoPrompt(sid string) (txid string, err error)
DoPrompt sends a POST request to the Duo /frame/prompt endpoint.
The function returns the Duo transaction ID, which is different from the Okta transaction ID.
func (*DuoClient) DoRedirect
func (d *DuoClient) DoRedirect(url string, sid string) (string, error)
func (*DuoClient) DoStatus
func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp, err error)
DoStatus sends a POST request against the Duo /frame/status endpoint.
The function returns the auth string required for the Okta callback if the request succeeded.
func (*DuoClient) DoU2FPromptFinish (added in v1.0.0)
func (d *DuoClient) DoU2FPromptFinish(sid string, sessionID string, resp *u2fhost.AuthenticateResponse) (txid string, err error)
DoU2FPromptFinish sends a POST request to the Duo /frame/prompt endpoint carrying the U2F authenticate response (resp) for the given session.
The function returns the Duo transaction ID, which is different from the Okta transaction ID.
type FacetResponse (added in v1.0.0)
type OktaClient
type OktaClient struct {
    // Organization will be deprecated in the future
    Organization    string
    Username        string
    Password        string
    UserAuth        *OktaUserAuthn
    DuoClient       *DuoClient
    AccessKeyId     string
    SecretAccessKey string
    SessionToken    string
    Expiration      time.Time
    OktaAwsSAMLUrl  string
    CookieJar       http.CookieJar
    BaseURL         *url.URL
    Domain          string
    MFAConfig       MFAConfig
}
func NewOktaClient
func (*OktaClient) AuthenticateProfile
func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error)
func (*OktaClient) AuthenticateProfileWithRegion (added in v1.0.0)
func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration time.Duration, region string) (sts.Credentials, string, error)
func (*OktaClient) AuthenticateUser
func (o *OktaClient) AuthenticateUser() error
type OktaCreds
type OktaProvider
type OktaProvider struct {
    Keyring         keyring.Keyring
    ProfileARN      string
    SessionDuration time.Duration
    OktaAwsSAMLUrl  string
    // OktaSessionCookieKey represents the name of the session cookie
    // to be stored in the keyring.
    OktaSessionCookieKey string
    OktaAccountName      string
    MFAConfig            MFAConfig
    AwsRegion            string
}
func (*OktaProvider) GetSAMLLoginURL (added in v1.0.0)
func (p *OktaProvider) GetSAMLLoginURL() (*url.URL, error)
func (*OktaProvider) Retrieve
func (p *OktaProvider) Retrieve() (sts.Credentials, string, error)
type OktaStateToken
type OktaUserAuthn
type OktaUserAuthnEmbedded
type OktaUserAuthnEmbedded struct {
    Factors []OktaUserAuthnFactor `json:"factors"`
    Factor  OktaUserAuthnFactor   `json:"factor"`
}
type OktaUserAuthnFactor
type OktaUserAuthnFactor struct {
    Id         string                      `json:"id"`
    FactorType string                      `json:"factorType"`
    Provider   string                      `json:"provider"`
    Embedded   OktaUserAuthnFactorEmbedded `json:"_embedded"`
    Profile    OktaUserAuthnFactorProfile  `json:"profile"`
}
type OktaUserAuthnFactorEmbedded
type OktaUserAuthnFactorEmbedded struct {
    Verification OktaUserAuthnFactorEmbeddedVerification `json:"verification"`
    Challenge    OktaUserAuthnFactorEmbeddedChallenge    `json:"challenge"`
}
type OktaUserAuthnFactorEmbeddedChallenge (added in v1.0.0)
type OktaUserAuthnFactorEmbeddedVerification
type OktaUserAuthnFactorEmbeddedVerification struct {
    Host         string                                       `json:"host"`
    Signature    string                                       `json:"signature"`
    FactorResult string                                       `json:"factorResult"`
    Links        OktaUserAuthnFactorEmbeddedVerificationLinks `json:"_links"`
}
type OktaUserAuthnFactorEmbeddedVerificationLinks
type OktaUserAuthnFactorEmbeddedVerificationLinks struct {
    Complete OktaUserAuthnFactorEmbeddedVerificationLinksComplete `json:"complete"`
}
type OktaUserAuthnFactorEmbeddedVerificationLinksComplete
type OktaUserAuthnFactorEmbeddedVerificationLinksComplete struct {
    Href string `json:"href"`
}
type OktaUserAuthnFactorProfile (added in v1.0.0)
type PromptResp
type Provider
type Provider struct {
    credentials.Expiry
    ProviderOptions
    // contains filtered or unexported fields
}
func NewProvider
func (*Provider) GetExpiration (added in v1.0.0)
func (*Provider) GetRoleARN (added in v1.0.0)
GetRoleARN uses p to establish temporary credentials, then calls lib.GetRoleARN with them to get the role's ARN. It is unused internally and is kept for backwards compatibility.
func (*Provider) GetRoleARNWithRegion (added in v1.0.0)
func (p *Provider) GetRoleARNWithRegion(creds credentials.Value) (string, error)
GetRoleARNWithRegion uses temporary credentials to call AWS's get-caller-identity and returns the assumed role's ARN.
func (*Provider) GetSAMLLoginURL (added in v1.0.0)
type ProviderOptions
type ProviderOptions struct {
    SessionDuration    time.Duration
    AssumeRoleDuration time.Duration
    ExpiryWindow       time.Duration
    Profiles           Profiles
    MFAConfig          MFAConfig
    AssumeRoleArn      string
    // if true, use store_singlekritem SessionCache (new)
    // if false, use store_kritempersession SessionCache (old)
    SessionCacheSingleItem bool
}
func (ProviderOptions) ApplyDefaults
func (o ProviderOptions) ApplyDefaults() ProviderOptions
func (ProviderOptions) Validate
func (o ProviderOptions) Validate() error
type ResponseData (added in v1.0.0)
type ResponseData struct {
    ClientData    string `json:"clientData"`
    KeyHandle     string `json:"keyHandle"`
    SessionID     string `json:"sessionId"`
    SignatureData string `json:"signatureData"`
}
It is the same as u2fhost.AuthenticateResponse, but carries the SessionID that Duo/Okta need.
type SAMLAssertion
type SessionCacheInterface (added in v1.0.0)
type SessionCacheInterface interface {
    Get(sessioncache.Key) (*sessioncache.Session, error)
    Put(sessioncache.Key, *sessioncache.Session) error
}
type StatusResp
type StatusResp struct {
    Response struct {
        U2FSignRequest []struct {
            Version   string `json:"version"`
            Challenge string `json:"challenge"`
            AppID     string `json:"appId"`
            KeyHandle string `json:"keyHandle"`
            SessionID string `json:"sessionId"`
        } `json:"u2f_sign_request"`
        Status     string `json:"status"`
        StatusCode string `json:"status_code"`
        Reason     string `json:"reason"`
        Parent     string `json:"parent"`
        Cookie     string `json:"cookie"`
        Result     string `json:"result"`
        ResultURL  string `json:"result_url"`
    } `json:"response"`
    Stat string `json:"stat"`
}
Source Files
Directories
Path | Synopsis |
---|---|
 | Client for making requests to Okta APIs |
 | manages auth sessions for Okta applications |
 | sessioncache caches sessions (sts.Credentials). sessioncache splits Stores (the way cache items are stored) from Keys (the way cache items are looked up/replaced) |