README
¶
Login
Login package provides tokenSource that is able to cache, reuse and obtain OIDC token.
Usage:
package main
import (
"context"
"log"
"os"
"github.com/bwplotka/oidc/login"
"github.com/bwplotka/oidc/login/diskcache"
)
func main() {
oidcConfig := login.OIDCConfig{
ClientID: "client1",
ClientSecret: "secret1",
Provider: "https://issuer-oidc.org",
// Make sure you ask for offline_access if you want to use refresh tokens!
Scopes: []string{"openid", "email", "profile", "offline_access"},
}
sourceConfig := login.Config{
BindAddress: "http://127.0.0.1:8883",
NonceCheck: true,
DisableLogin: false,
}
cache := disk.NewCache(".super_cache", oidcConfig) // see also other caches e.g k8s.NewCache.
source, err := login.NewOIDCTokenSource(context.Background(), log.New(os.Stdout, "", 0), sourceConfig, cache)
if err != nil {
// handle err...
}
token, err := source.OIDCToken(context.Background())
if err != nil {
// handle err...
}
// Use your token!
token.AccessToken
token.IDToken,
token.RefreshToken
}
OIDCToken method will make sure you retrieve valid token. If token is in cache but expired it will try to refresh it using
refresh token (if present). If cache is empty, or refresh token is wrong it will perform full OIDC login to obtain token.
NOTE: For login purposes and since it implements code OIDC flow, it requires browser to be available - it will not work on headless systems.
If you wish to fail on expired/not valid refresh token - set login.Config.DisableLogin to true.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrCallbackResponse = func(w http.ResponseWriter, _ *http.Request, _ error) { w.WriteHeader(http.StatusOK) w.Write([]byte("OIDC authentication flow is completed. You can close browser tab.")) }
ErrCallbackResponse is package wide function variable that returns HTTP response on failed OIDC `code` flow. Note that, by default we don't want user to see anything wrong on browser side. All errors are propagated to command. If it is required otherwise, override this function.
var OKCallbackResponse = func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte("OIDC authentication flow is completed. You can close browser tab.")) }
OKCallbackResponse is package wide function variable that returns HTTP response on successful OIDC `code` flow.
Functions ¶
func NewOIDCTokenSource ¶
func NewOIDCTokenSource(ctx context.Context, logger *log.Logger, cfg Config, cache Cache, callbackSrv *CallbackServer) (src oidc.TokenSource, clearIDToken func() error, err error)
NewOIDCTokenSource constructs OIDCTokenSource. Note that OIDC configuration can be passed only from cache. This is due the fact that configuration can be stored in cache as well. If the loginServer is nil, login is disabled. We are making OIDC Connect request in constructor (with context ctx) to make sure oidc works.
Types ¶
type Cache ¶
type Cache interface {
SaveToken(token *oidc.Token) error
Token() (*oidc.Token, error)
Config() OIDCConfig
}
Cache is a Open ID Connect Token caching structure for token and configuration. (These are usually stored in the same place.)
type CallbackServer ¶
type CallbackServer struct {
// contains filtered or unexported fields
}
CallbackServer carries a callback handler for OIDC auth code flow. NOTE: This is not thread-safe in terms of multiple logins in the same time.
func NewReuseServer ¶
func NewReuseServer(pattern string, listenAddress string, mux *http.ServeMux) *CallbackServer
NewReuseServer creates HTTP server with OIDC callback registered on given HTTP mux. Server constructed in such way is not responsible for serving the callback. This is responsibility of the caller.
func NewServer ¶
func NewServer(bindAddress string) (srv *CallbackServer, closeSrv func(), err error)
NewServer creates HTTP server with OIDC callback on the bindAddress an argument. BindAddress is the ultimately a redirectURL that all clients MUST register first on the OIDC server. It can (and is recommended) to point to localhost. Bind Address must include port. You can specify 0 if your OIDC provider support wildcard on port (almost all server does NOT).
func (*CallbackServer) Callback ¶
func (s *CallbackServer) Callback() <-chan *callbackResponse
func (*CallbackServer) ExpectCallback ¶
func (s *CallbackServer) ExpectCallback(callbackReq *callbackRequest)
func (*CallbackServer) RedirectURL ¶
func (s *CallbackServer) RedirectURL() string
type Config ¶
type Config struct {
NonceCheck bool `json:"include_nonce"`
}
Config is a login configuration. It does not contain oidc configuration.
func ConfigFromYaml ¶
ConfigFromYaml parses config from yaml file.
type MockCache ¶
MockCache is an autogenerated mock type for the Cache type
func (*MockCache) Config ¶
func (_m *MockCache) Config() OIDCConfig
Config provides a mock function with given fields:
type OIDCConfig ¶
type OIDCConfig struct {
// Canonical URL for Provider that will be the target issuer that this server authenticate End Users against.
Provider string `json:"provider"`
ClientID string `json:"client_id"`
ClientSecret string `json:"secret"`
Scopes []string `json:"scopes"`
}
func OIDCConfigFromYaml ¶
func OIDCConfigFromYaml(yamlContent []byte) (OIDCConfig, error)
OIDCConfigFromYaml parses config from yaml file.
type OIDCTokenSource ¶
type OIDCTokenSource struct {
// contains filtered or unexported fields
}
OIDCTokenSource implements `oidc.TokenSource` interface to perform oidc-browser-dance. It caches fetched tokens in provided TokenCache e.g on disk or in k8s config.
func (*OIDCTokenSource) OIDCToken ¶
OIDCToken is used to obtain new OIDC Token (which includes e.g access token, refresh token and id token). It does that by using a Refresh Token to obtain new Tokens. If the cached one is still valid it returns it immediately.
func (*OIDCTokenSource) Verifier ¶
func (s *OIDCTokenSource) Verifier() oidc.Verifier
Verifier returns verifier for tokens.
Source Files
Directories