auth

package
v0.0.0-...-ddafa38 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 12, 2024 License: MIT Imports: 39 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var ErrNoCurrentUser = errors.New("not logged in, run `azd auth login` to login")

ErrNoCurrentUser indicates that the current user is not logged in. This is typically determined by inspecting the stored auth information and credentials on the machine. If the auth information or credentials are not found or invalid, the user is considered not to be logged in.

Functions

func EnsureLoggedInCredential 

func EnsureLoggedInCredential(
	ctx context.Context,
	credential azcore.TokenCredential,
	cloud *cloud.Cloud,
) (*azcore.AccessToken, error)

EnsureLoggedInCredential uses the credential's GetToken method to ensure an access token can be fetched. On success, the token we fetched is returned.

func GetOidFromAccessToken 

func GetOidFromAccessToken(token string) (string, error)

GetOidFromAccessToken extracts a string claim with the name "oid" from an access token. Access Tokens are JWT and the middle component is a base64 encoded string of a JSON object with claims.

func GetTenantIdFromToken 

func GetTenantIdFromToken(token string) (string, error)

func LoginScopes 

func LoginScopes(cloud *cloud.Cloud) []string

LoginScopes returns the scopes that we request an access token for when checking if a user is signed in.

Types

type AadErrorResponse 

type AadErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	Timestamp        string `json:"timestamp"`
	TraceId          string `json:"trace_id"`
	CorrelationId    string `json:"correlation_id"`
	ErrorUri         string `json:"error_uri"`
}

An error response from Azure Active Directory.

See https://www.rfc-editor.org/rfc/rfc6749#section-5.2 for OAuth 2.0 spec See https://learn.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes for AAD error codes

type AuthFailedError 

type AuthFailedError struct {
	// The HTTP response motivating the error, if available
	RawResp *http.Response
	// The unmarshaled error response, if available
	Parsed *AadErrorResponse
	// contains filtered or unexported fields
}

AuthFailedError indicates an authentication request has failed. This serves as a wrapper around MSAL related errors.

func (*AuthFailedError) Error 

func (e *AuthFailedError) Error() string

func (*AuthFailedError) Unwrap 

func (e *AuthFailedError) Unwrap() error

type Cache 

type Cache interface {
	Read(key string) ([]byte, error)
	Set(key string, value []byte) error
}

type ClaimsForCurrentUserOptions 

type ClaimsForCurrentUserOptions = CredentialForCurrentUserOptions

type CloudShellCredential 

type CloudShellCredential struct {
	// contains filtered or unexported fields
}

func NewCloudShellCredential 

func NewCloudShellCredential(transporter policy.Transporter) *CloudShellCredential

func (CloudShellCredential) GetToken 

func (t CloudShellCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error)

type CredentialForCurrentUserOptions 

type CredentialForCurrentUserOptions struct {
	// NoPrompt controls whether the credential may prompt for user interaction.
	NoPrompt bool
	// The tenant ID to use when constructing the credential, instead of the default tenant.
	TenantID string
}

type ExternalAuthConfiguration 

type ExternalAuthConfiguration struct {
	Endpoint    string
	Key         string
	Transporter policy.Transporter
}

type HttpClient 

type HttpClient interface {
	// Do sends an HTTP request and returns an HTTP response.
	Do(*http.Request) (*http.Response, error)

	// CloseIdleConnections closes any idle connections in a "keep-alive" state.
	CloseIdleConnections()
}

HttpClient interface as required by MSAL library.

type LoggedInGuard 

type LoggedInGuard struct{}

LoggedInGuard doesn't hold anything. It simply represents a type that can be used to expressed the logged in constraint.

func NewLoggedInGuard 

func NewLoggedInGuard(manager *Manager, ctx context.Context) (LoggedInGuard, error)

NewLoggedInGuard checks if the user is logged in. An error is returned if the user is not logged in.

type LoginInteractiveOptions 

type LoginInteractiveOptions struct {
	TenantID     string
	RedirectPort int
	WithOpenUrl  WithOpenUrl
}

LoginInteractiveOptions holds the optional inputs for interactive login.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages the authentication system of azd. It allows a user to log in, either as a user principal or service principal. Manager stores information so that the user can stay logged in across invocations of the CLI. When logged in as a user (either interactively or via a device code flow), we provide a durable cache to MSAL which is used to cache information to allow silent logins across process runs. This cache is stored inside the user's home directory, ACL'd such that it can only be read by the current user. In addition, on Windows, this cache is encrypted, using CryptProtectData. The home account id of the signed in user is stored as a property under [cCurrentUserKey]. This behavior matches the AZ CLI.

When logged in as a service principal, the same cache strategy that backed the MSAL cache is used to store the private key or secret and the public components (the client ID and tenant ID) are stored under [cCurrentUserKey].

Logging out removes this cached authentication data.

You can configure azd to ignore its native credential system and instead delegate to AZ CLI (useful for cases where azd does not yet support your preferred method of authentication by setting [cUseLegacyAzCliAuthKey] in config to true.

func NewManager 

func NewManager(
	configManager config.FileConfigManager,
	userConfigManager config.UserConfigManager,
	cloud *cloud.Cloud,
	httpClient HttpClient,
	console input.Console,
	externalAuthCfg ExternalAuthConfiguration,
) (*Manager, error)

func (*Manager) ClaimsForCurrentUser 

func (m *Manager) ClaimsForCurrentUser(ctx context.Context, options *ClaimsForCurrentUserOptions) (TokenClaims, error)

ClaimsForCurrentUser returns claims for the currently logged in user.

func (*Manager) CredentialForCurrentUser 

func (m *Manager) CredentialForCurrentUser(
	ctx context.Context,
	options *CredentialForCurrentUserOptions,
) (azcore.TokenCredential, error)

CredentialForCurrentUser returns a TokenCredential instance for the current user. If `auth.useLegacyAzCliAuth` is set to a truthy value in config, an instance of azidentity.AzureCLICredential is returned instead. To accept the default options, pass nil.

func (*Manager) GetLoggedInServicePrincipalTenantID 

func (m *Manager) GetLoggedInServicePrincipalTenantID(ctx context.Context) (*string, error)

GetLoggedInServicePrincipalTenantID returns the stored service principal's tenant ID.

Service principals are fixed to a particular tenant.

This can be used to determine if the tenant is fixed, and if so short circuit performance intensive tenant-switching for service principals.

func (*Manager) LoginInteractive 

func (m *Manager) LoginInteractive(
	ctx context.Context,
	scopes []string,
	options *LoginInteractiveOptions) (azcore.TokenCredential, error)

LoginInteractive opens a browser for authenticate the user.

func (*Manager) LoginScopes 

func (m *Manager) LoginScopes() []string

func (*Manager) LoginWithAzurePipelinesFederatedTokenProvider 

func (m *Manager) LoginWithAzurePipelinesFederatedTokenProvider(
	ctx context.Context, tenantID string, clientID string, serviceConnectionID string,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithBrokerAccount 

func (m *Manager) LoginWithBrokerAccount() error

LoginWithBrokerAccount logs in an account provided by the system authentication broker via OneAuth. For example, it will log in the user currently signed in to Windows. This method never prompts for user interaction and returns an error when the broker doesn't provide an account.

func (*Manager) LoginWithDeviceCode 

func (m *Manager) LoginWithDeviceCode(
	ctx context.Context, tenantID string, scopes []string, withOpenUrl WithOpenUrl) (azcore.TokenCredential, error)

func (*Manager) LoginWithGitHubFederatedTokenProvider 

func (m *Manager) LoginWithGitHubFederatedTokenProvider(
	ctx context.Context, tenantId, clientId string,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithManagedIdentity 

func (m *Manager) LoginWithManagedIdentity(ctx context.Context, clientID string) (azcore.TokenCredential, error)

func (*Manager) LoginWithOneAuth 

func (m *Manager) LoginWithOneAuth(ctx context.Context, tenantID string, scopes []string) error

LoginWithOneAuth starts OneAuth's interactive login flow.

func (*Manager) LoginWithServicePrincipalCertificate 

func (m *Manager) LoginWithServicePrincipalCertificate(
	ctx context.Context, tenantId, clientId string, certData []byte,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithServicePrincipalSecret 

func (m *Manager) LoginWithServicePrincipalSecret(
	ctx context.Context, tenantId, clientId, clientSecret string,
) (azcore.TokenCredential, error)

func (*Manager) Logout 

func (m *Manager) Logout(ctx context.Context) error

Logout signs out the current user and removes any cached authentication information

func (*Manager) UseExternalAuth 

func (m *Manager) UseExternalAuth() bool

type MultiTenantCredentialProvider 

type MultiTenantCredentialProvider interface {
	// Gets an authenticated token credential for the given tenant. If tenantId is empty, uses the default home tenant.
	GetTokenCredential(ctx context.Context, tenantId string) (azcore.TokenCredential, error)
}

MultiTenantCredentialProvider provides token credentials for different tenants.

Only use this if you need to perform multi-tenant operations.

func NewMultiTenantCredentialProvider 

func NewMultiTenantCredentialProvider(auth *Manager) MultiTenantCredentialProvider

type ReLoginRequiredError 

type ReLoginRequiredError struct {
	// contains filtered or unexported fields
}

ReLoginRequiredError indicates that the logged in user needs to perform a log in to reauthenticate. This typically means that while the credentials stored on the machine are valid, the server has rejected the credentials due to expired credentials, or additional challenges being required.

func (*ReLoginRequiredError) Error 

func (e *ReLoginRequiredError) Error() string

type RemoteCredential 

type RemoteCredential struct {
	// contains filtered or unexported fields
}

RemoteCredential implements azcore.TokenCredential by using the remote credential protocol.

func (*RemoteCredential) GetToken 

func (rc *RemoteCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error)

GetToken implements azcore.TokenCredential.

type TokenClaims 

type TokenClaims struct {
	PreferredUsername string `json:"preferred_username,omitempty"`
	UniqueName        string `json:"unique_name,omitempty"`
	GivenName         string `json:"given_name,omitempty"`
	FamilyName        string `json:"family_name,omitempty"`
	MiddleName        string `json:"middle_name,omitempty"`
	Name              string `json:"name,omitempty"`
	Oid               string `json:"oid,omitempty"`
	TenantId          string `json:"tid,omitempty"`
	Subject           string `json:"sub,omitempty"`
	Upn               string `json:"upn,omitempty"`
	Email             string `json:"email,omitempty"`
	AlternativeId     string `json:"alternative_id,omitempty"`
	Issuer            string `json:"iss,omitempty"`
	Audience          string `json:"aud,omitempty"`
	ExpirationTime    int64  `json:"exp,omitempty"`
	IssuedAt          int64  `json:"iat,omitempty"`
	NotBefore         int64  `json:"nbf,omitempty"`
}

TokenClaims contains claims about a user from an access token. https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference.

func GetClaimsFromAccessToken 

func GetClaimsFromAccessToken(token string) (TokenClaims, error)

GetClaimsFromAccessToken extracts claims from an access token. Access Tokens are JWT and the middle component is a base64 encoded string of a JSON object with claims.

func (*TokenClaims) DisplayUsername 

func (tc *TokenClaims) DisplayUsername() string

Returns a display name for the account.

func (*TokenClaims) LocalAccountId 

func (tc *TokenClaims) LocalAccountId() string

Returns an ID associated with the account. This ID is suitable for local use, and not for any server authorization use.

type TokenFromCloudShell 

type TokenFromCloudShell struct {
	AccessToken  string      `json:"access_token"`
	RefreshToken string      `json:"refresh_token"`
	ExpiresIn    json.Number `json:"expires_in"    type:"integer"`
	ExpiresOn    json.Number `json:"expires_on"    type:"integer"`
	NotBefore    json.Number `json:"not_before"    type:"integer"`
	Resource     string      `json:"resource"`
	TokenType    string      `json:"token_type"`
}

type WithOpenUrl 

type WithOpenUrl func(url string) error

WithOpenUrl defines a custom strategy for browsing to the url.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.