auth

package
v0.0.0-...-87586f8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 15, 2024 License: MIT Imports: 39 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrNoCurrentUser = errors.New("not logged in, run `azd auth login` to login")

ErrNoCurrentUser indicates that the current user is not logged in. This is typically determined by inspecting the stored auth information and credentials on the machine. If the auth information or credentials are not found or invalid, the user is considered not to be logged in.

Functions

func EnsureLoggedInCredential

func EnsureLoggedInCredential(
	ctx context.Context,
	credential azcore.TokenCredential,
	cloud *cloud.Cloud,
) (*azcore.AccessToken, error)

EnsureLoggedInCredential uses the credential's GetToken method to ensure an access token can be fetched. On success, the token we fetched is returned.

func GetOidFromAccessToken

func GetOidFromAccessToken(token string) (string, error)

GetOidFromAccessToken extracts a string claim with the name "oid" from an access token. Access Tokens are JWT and the middle component is a base64 encoded string of a JSON object with claims.

func GetTenantIdFromToken

func GetTenantIdFromToken(token string) (string, error)

func LoginScopes

func LoginScopes(cloud *cloud.Cloud) []string

LoginScopes returns the scopes that we request an access token for when checking if a user is signed in.

Types

type AadErrorResponse

type AadErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	Timestamp        string `json:"timestamp"`
	TraceId          string `json:"trace_id"`
	CorrelationId    string `json:"correlation_id"`
	ErrorUri         string `json:"error_uri"`
}

An error response from Azure Active Directory.

See https://www.rfc-editor.org/rfc/rfc6749#section-5.2 for OAuth 2.0 spec See https://learn.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes for AAD error codes

type AuthFailedError

type AuthFailedError struct {
	// The HTTP response motivating the error, if available
	RawResp *http.Response
	// The unmarshaled error response, if available
	Parsed *AadErrorResponse
	// contains filtered or unexported fields
}

AuthFailedError indicates an authentication request has failed. This serves as a wrapper around MSAL related errors.

func (*AuthFailedError) Error

func (e *AuthFailedError) Error() string

func (*AuthFailedError) Unwrap

func (e *AuthFailedError) Unwrap() error

type Cache

type Cache interface {
	Read(key string) ([]byte, error)
	Set(key string, value []byte) error
}

type ClaimsForCurrentUserOptions

type ClaimsForCurrentUserOptions = CredentialForCurrentUserOptions

type CloudShellCredential

type CloudShellCredential struct {
	// contains filtered or unexported fields
}

func NewCloudShellCredential

func NewCloudShellCredential(transporter policy.Transporter) *CloudShellCredential

func (CloudShellCredential) GetToken

type CredentialForCurrentUserOptions

type CredentialForCurrentUserOptions struct {
	// NoPrompt controls whether the credential may prompt for user interaction.
	NoPrompt bool
	// The tenant ID to use when constructing the credential, instead of the default tenant.
	TenantID string
}

type ExternalAuthConfiguration

type ExternalAuthConfiguration struct {
	Endpoint    string
	Key         string
	Transporter policy.Transporter
}

type HttpClient

type HttpClient interface {
	// Do sends an HTTP request and returns an HTTP response.
	Do(*http.Request) (*http.Response, error)

	// CloseIdleConnections closes any idle connections in a "keep-alive" state.
	CloseIdleConnections()
}

HttpClient interface as required by MSAL library.

type LoggedInGuard

type LoggedInGuard struct{}

LoggedInGuard doesn't hold anything. It simply represents a type that can be used to expressed the logged in constraint.

func NewLoggedInGuard

func NewLoggedInGuard(manager *Manager, ctx context.Context) (LoggedInGuard, error)

NewLoggedInGuard checks if the user is logged in. An error is returned if the user is not logged in.

type LoginInteractiveOptions

type LoginInteractiveOptions struct {
	TenantID     string
	RedirectPort int
	WithOpenUrl  WithOpenUrl
}

LoginInteractiveOptions holds the optional inputs for interactive login.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages the authentication system of azd. It allows a user to log in, either as a user principal or service principal. Manager stores information so that the user can stay logged in across invocations of the CLI. When logged in as a user (either interactively or via a device code flow), we provide a durable cache to MSAL which is used to cache information to allow silent logins across process runs. This cache is stored inside the user's home directory, ACL'd such that it can only be read by the current user. In addition, on Windows, this cache is encrypted, using CryptProtectData. The home account id of the signed in user is stored as a property under [cCurrentUserKey]. This behavior matches the AZ CLI.

When logged in as a service principal, the same cache strategy that backed the MSAL cache is used to store the private key or secret and the public components (the client ID and tenant ID) are stored under [cCurrentUserKey].

Logging out removes this cached authentication data.

You can configure azd to ignore its native credential system and instead delegate to AZ CLI (useful for cases where azd does not yet support your preferred method of authentication by setting [cUseLegacyAzCliAuthKey] in config to true.

func NewManager

func NewManager(
	configManager config.FileConfigManager,
	userConfigManager config.UserConfigManager,
	cloud *cloud.Cloud,
	httpClient HttpClient,
	console input.Console,
	externalAuthCfg ExternalAuthConfiguration,
) (*Manager, error)

func (*Manager) ClaimsForCurrentUser

func (m *Manager) ClaimsForCurrentUser(ctx context.Context, options *ClaimsForCurrentUserOptions) (TokenClaims, error)

ClaimsForCurrentUser returns claims for the currently logged in user.

func (*Manager) CredentialForCurrentUser

func (m *Manager) CredentialForCurrentUser(
	ctx context.Context,
	options *CredentialForCurrentUserOptions,
) (azcore.TokenCredential, error)

CredentialForCurrentUser returns a TokenCredential instance for the current user. If `auth.useLegacyAzCliAuth` is set to a truthy value in config, an instance of azidentity.AzureCLICredential is returned instead. To accept the default options, pass nil.

func (*Manager) GetLoggedInServicePrincipalTenantID

func (m *Manager) GetLoggedInServicePrincipalTenantID(ctx context.Context) (*string, error)

GetLoggedInServicePrincipalTenantID returns the stored service principal's tenant ID.

Service principals are fixed to a particular tenant.

This can be used to determine if the tenant is fixed, and if so short circuit performance intensive tenant-switching for service principals.

func (*Manager) LoginInteractive

func (m *Manager) LoginInteractive(
	ctx context.Context,
	scopes []string,
	options *LoginInteractiveOptions) (azcore.TokenCredential, error)

LoginInteractive opens a browser for authenticate the user.

func (*Manager) LoginScopes

func (m *Manager) LoginScopes() []string

func (*Manager) LoginWithAzurePipelinesFederatedTokenProvider

func (m *Manager) LoginWithAzurePipelinesFederatedTokenProvider(
	ctx context.Context, tenantID string, clientID string, serviceConnectionID string,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithBrokerAccount

func (m *Manager) LoginWithBrokerAccount() error

LoginWithBrokerAccount logs in an account provided by the system authentication broker via OneAuth. For example, it will log in the user currently signed in to Windows. This method never prompts for user interaction and returns an error when the broker doesn't provide an account.

func (*Manager) LoginWithDeviceCode

func (m *Manager) LoginWithDeviceCode(
	ctx context.Context, tenantID string, scopes []string, withOpenUrl WithOpenUrl) (azcore.TokenCredential, error)

func (*Manager) LoginWithGitHubFederatedTokenProvider

func (m *Manager) LoginWithGitHubFederatedTokenProvider(
	ctx context.Context, tenantId, clientId string,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithManagedIdentity

func (m *Manager) LoginWithManagedIdentity(ctx context.Context, clientID string) (azcore.TokenCredential, error)

func (*Manager) LoginWithOneAuth

func (m *Manager) LoginWithOneAuth(ctx context.Context, tenantID string, scopes []string) error

LoginWithOneAuth starts OneAuth's interactive login flow.

func (*Manager) LoginWithServicePrincipalCertificate

func (m *Manager) LoginWithServicePrincipalCertificate(
	ctx context.Context, tenantId, clientId string, certData []byte,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithServicePrincipalSecret

func (m *Manager) LoginWithServicePrincipalSecret(
	ctx context.Context, tenantId, clientId, clientSecret string,
) (azcore.TokenCredential, error)

func (*Manager) Logout

func (m *Manager) Logout(ctx context.Context) error

Logout signs out the current user and removes any cached authentication information

func (*Manager) UseExternalAuth

func (m *Manager) UseExternalAuth() bool

type MultiTenantCredentialProvider

type MultiTenantCredentialProvider interface {
	// Gets an authenticated token credential for the given tenant. If tenantId is empty, uses the default home tenant.
	GetTokenCredential(ctx context.Context, tenantId string) (azcore.TokenCredential, error)
}

MultiTenantCredentialProvider provides token credentials for different tenants.

Only use this if you need to perform multi-tenant operations.

func NewMultiTenantCredentialProvider

func NewMultiTenantCredentialProvider(auth *Manager) MultiTenantCredentialProvider

type ReLoginRequiredError

type ReLoginRequiredError struct {
	// contains filtered or unexported fields
}

ReLoginRequiredError indicates that the logged in user needs to perform a log in to reauthenticate. This typically means that while the credentials stored on the machine are valid, the server has rejected the credentials due to expired credentials, or additional challenges being required.

func (*ReLoginRequiredError) Error

func (e *ReLoginRequiredError) Error() string

type RemoteCredential

type RemoteCredential struct {
	// contains filtered or unexported fields
}

RemoteCredential implements azcore.TokenCredential by using the remote credential protocol.

func (*RemoteCredential) GetToken

GetToken implements azcore.TokenCredential.

type TokenClaims

type TokenClaims struct {
	PreferredUsername string `json:"preferred_username,omitempty"`
	UniqueName        string `json:"unique_name,omitempty"`
	GivenName         string `json:"given_name,omitempty"`
	FamilyName        string `json:"family_name,omitempty"`
	MiddleName        string `json:"middle_name,omitempty"`
	Name              string `json:"name,omitempty"`
	Oid               string `json:"oid,omitempty"`
	TenantId          string `json:"tid,omitempty"`
	Subject           string `json:"sub,omitempty"`
	Upn               string `json:"upn,omitempty"`
	Email             string `json:"email,omitempty"`
	AlternativeId     string `json:"alternative_id,omitempty"`
	Issuer            string `json:"iss,omitempty"`
	Audience          string `json:"aud,omitempty"`
	ExpirationTime    int64  `json:"exp,omitempty"`
	IssuedAt          int64  `json:"iat,omitempty"`
	NotBefore         int64  `json:"nbf,omitempty"`
}

TokenClaims contains claims about a user from an access token. https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference.

func GetClaimsFromAccessToken

func GetClaimsFromAccessToken(token string) (TokenClaims, error)

GetClaimsFromAccessToken extracts claims from an access token. Access Tokens are JWT and the middle component is a base64 encoded string of a JSON object with claims.

func (*TokenClaims) DisplayUsername

func (tc *TokenClaims) DisplayUsername() string

Returns a display name for the account.

func (*TokenClaims) LocalAccountId

func (tc *TokenClaims) LocalAccountId() string

Returns an ID associated with the account. This ID is suitable for local use, and not for any server authorization use.

type TokenFromCloudShell

type TokenFromCloudShell struct {
	AccessToken  string      `json:"access_token"`
	RefreshToken string      `json:"refresh_token"`
	ExpiresIn    json.Number `json:"expires_in"    type:"integer"`
	ExpiresOn    json.Number `json:"expires_on"    type:"integer"`
	NotBefore    json.Number `json:"not_before"    type:"integer"`
	Resource     string      `json:"resource"`
	TokenType    string      `json:"token_type"`
}

type WithOpenUrl

type WithOpenUrl func(url string) error

WithOpenUrl defines a custom strategy for browsing to the url.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL