auth

package
v0.14.0
Published: Apr 24, 2024 License: Apache-2.0 Imports: 26 Imported by: 0

README

OAuth2 Auth Server

List of Grants

| Grant Name | Suitable for Public Client |
| --- | --- |
| Client Credential | No |
| Password | No |
| Authorization Code | Yes |
| Refresh Token | Yes |
| Switch Tenant | Yes |
| Switch User | Yes |

Public clients are clients that are considered unable to keep a secret (such as JavaScript code executing in the browser). The grants listed as suitable for public clients rely on user authentication in addition to client authentication. You should consider the client authentication of a public client to be untrusted, because the client cannot store secrets reliably.

Client Credential

This grant allows a client to authenticate itself using its client id and client secret. The authorization server returns an access token upon successful authentication. The request can include an optional tenant id parameter to select the tenant for the resulting security context. If no tenant id is provided, the tenancy of the security context is based on the default tenant calculation: if the client has only one assigned tenant, that tenant is used as the default; if the client has multiple assigned tenants, the security context has no tenancy. In that case, the caller must specify the tenant id to select a tenant if tenancy is desired.

Fields

| Field | Value | Note |
| --- | --- | --- |
| Method | POST | |
| Target | /v2/token | |
| grant_type | client_credentials | url values |
| tenant_id | tenant id | optional, url values |
| Content-Type | application/x-www-form-urlencoded | request header |
| Accept | application/json | request header |
| Authorization | Use basic auth with clientId:clientSecret in base64 | request header |

Curl Example

curl --location --request POST 'http://localhost:8900/auth/v2/token?grant_type=client_credentials' \
--header 'Authorization: Basic {base64_encode(clientId:clientSecret)}'

Password

This grant allows a client to authenticate both the client and the user by presenting the client id and client secret together with the username and password. The optional tenant id parameter selects the current tenant for the resulting security context. The tenants this authentication context can switch to are the intersection of the user's assigned tenants and the client's assigned tenants. This grant requires the authorization server to be able to authenticate the user with its password. It is not applicable if the user is authenticated via an SSO protocol (such as SAML).

Fields

| Field | Value | Note |
| --- | --- | --- |
| Method | POST | |
| Target | /v2/token | |
| grant_type | password | url values |
| username | username | url values |
| password | password | url values |
| tenant_id | tenant id | optional, url values |
| Content-Type | application/x-www-form-urlencoded | request header |
| Accept | application/json | request header |
| Authorization | Use basic auth with clientId:clientSecret in base64 | request header |

Curl Example

curl --location --request POST 'http://localhost:8900/auth/v2/token' \
--header 'Authorization: Basic {base64_encode(clientId:clientSecret)}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={username}' \
--data-urlencode 'password={password}' \
--data-urlencode 'tenant_id={tenant-id}'
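The tenant selection rules of the client credentials and password grants above, written out as an added Go example (not code from this package): a single permitted tenant becomes the default, several permitted tenants yield no tenancy unless tenant_id names one, and for the password grant the permitted set is the intersection of the client's and the user's assigned tenants. StringSet is a minimal stand-in for the framework's utils.StringSet, and rejecting a tenant_id outside the permitted set with an error is an assumption, not something the README states.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// StringSet is a minimal stand-in for the framework's utils.StringSet (assumption:
// only membership and iteration are needed here).
type StringSet map[string]struct{}

// NewStringSet builds a set from the given values.
func NewStringSet(values ...string) StringSet {
	s := StringSet{}
	for _, v := range values {
		s[v] = struct{}{}
	}
	return s
}

// Has reports whether v is a member of the set.
func (s StringSet) Has(v string) bool {
	_, ok := s[v]
	return ok
}

// Intersect returns the members common to a and b, sorted for deterministic output.
func Intersect(a, b StringSet) []string {
	var out []string
	for v := range a {
		if b.Has(v) {
			out = append(out, v)
		}
	}
	sort.Strings(out)
	return out
}

// ErrTenantNotAllowed is returned when tenant_id names a tenant outside the permitted set.
// (Assumption: the server rejects such a request rather than silently dropping tenancy.)
var ErrTenantNotAllowed = errors.New("requested tenant_id is not among the permitted tenants")

// ResolveTenant applies the README's default-tenant rules to the set of tenants the
// security context is permitted to use. requested is the optional tenant_id parameter.
// The returned tenant is "" when the security context ends up with no tenancy.
func ResolveTenant(permitted StringSet, requested string) (string, error) {
	if requested != "" {
		if !permitted.Has(requested) {
			return "", ErrTenantNotAllowed
		}
		return requested, nil
	}
	// No tenant_id: exactly one permitted tenant is used as the default; with several
	// (or none) the caller must name one explicitly, so the context carries no tenancy.
	if len(permitted) == 1 {
		for t := range permitted {
			return t, nil
		}
	}
	return "", nil
}

// ResolveClientCredentialsTenant: for the client credentials grant the permitted set is
// simply the client's assigned tenants.
func ResolveClientCredentialsTenant(clientTenants StringSet, requested string) (string, error) {
	return ResolveTenant(clientTenants, requested)
}

// ResolvePasswordGrantTenant: for the password grant the permitted set is the intersection
// of the user's and the client's assigned tenants.
func ResolvePasswordGrantTenant(clientTenants, userTenants StringSet, requested string) (string, error) {
	return ResolveTenant(NewStringSet(Intersect(clientTenants, userTenants)...), requested)
}

func main() {
	// Constructed sample assignments (not real tenant ids).
	client := NewStringSet("tenant-a", "tenant-b")
	user := NewStringSet("tenant-b", "tenant-c")

	t, err := ResolveClientCredentialsTenant(client, "")
	fmt.Printf("client_credentials, no tenant_id: %q, err=%v\n", t, err)
	t, err = ResolvePasswordGrantTenant(client, user, "")
	fmt.Printf("password, no tenant_id: %q, err=%v\n", t, err)
	t, err = ResolvePasswordGrantTenant(client, user, "tenant-c")
	fmt.Printf("password, tenant_id=tenant-c: %q, err=%v\n", t, err)
}
```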

Authorization Code

This grant allows a client to authenticate both the client and the user. Unlike the password grant, it does not require the user to provide their credentials to the client. The authorization request returns an auth code, and the client then calls the token API with that auth code to obtain the access token. In the token request, the tenant id parameter is optional and selects the tenant for the resulting security context. The tenants this authentication context can switch to are the intersection of the user's assigned tenants and the client's assigned tenants.

Authorize Request Fields

See OAuth2 Spec for definition of corresponding fields

| Field | Value | Note |
| --- | --- | --- |
| Method | GET | |
| Target | /v2/authorize | |
| response_type | code | url values |
| client_id | client id | url values |
| redirect_uri | redirect uri | url values |
| state | state | url values |

Example Request Issued from Browser

GET /auth/v2/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state} HTTP/1.1
Host: localhost:8900
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: SESSION=785e280f-4b1e-490d-b447-581ee357ddeb
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

Token Request Fields

The response for this grant can also include a refresh token. See oauth2 spec on how to use the refresh token.

| Field | Value | Note |
| --- | --- | --- |
| Method | POST | |
| Target | /v2/token | |
| grant_type | authorization_code | url values |
| code | the auth code returned by the authorize request | url values |
| client_id | client_id | url values |
| redirect_uri | redirect_uri | url values |
| tenant_id | tenant id | optional, url values |
| Content-Type | application/x-www-form-urlencoded | request header |
| Accept | application/json | request header |
| Authorization | Use basic auth with clientId:clientSecret in base64 | request header |

Curl Example

curl --location --request POST 'http://localhost:8900/auth/v2/token' \
--header 'Authorization: Basic {base64_encode(clientId:clientSecret)}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={code}' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'redirect_uri={redirect_uri}'

Switch User

Use an access token to switch to a different user, resulting in a new access token. The current user must be granted the permission to switch user.

Fields

| Field | Value | Note |
| --- | --- | --- |
| Method | POST | |
| Target | /v2/token | |
| grant_type | urn:cisco:nfv:oauth:grant-type:switch-user | url values |
| access_token | access token value | url values |
| switch_username | target user name | url values |
| switch_user_id | target user id | url values |
| tenant_id | tenant id | url values |
| Content-Type | application/x-www-form-urlencoded | request header |
| Accept | application/json | request header |
| Authorization | Use basic auth with clientId:clientSecret in base64 | request header |

Curl Example

curl --location --request POST 'http://localhost:8900/auth/v2/token' \
--header 'Authorization: Basic {base64_encode(clientId:clientSecret)}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'grant_type=urn:cisco:nfv:oauth:grant-type:switch-user' \
--data-urlencode 'access_token={access_token}' \
--data-urlencode 'switch_user_id={switch_user_id}' \
--data-urlencode 'tenant_id={tenant-id}'

Switch Tenant

Use an access token to switch to a different tenant, resulting in a new access token. The current user must be granted the permission to switch tenant.

Fields

| Field | Value | Note |
| --- | --- | --- |
| Method | POST | |
| Target | /v2/token | |
| grant_type | urn:cisco:nfv:oauth:grant-type:switch-tenant | url values |
| access_token | access token value | url values |
| tenant_id | tenant id | url values |
| Content-Type | application/x-www-form-urlencoded | request header |
| Accept | application/json | request header |
| Authorization | Use basic auth with clientId:clientSecret in base64 | request header |

Note that the tenant external ID is deprecated. Use the tenant ID for the tenant_id field value.

Curl Example

curl --location --request POST 'http://localhost:8900/auth/v2/token' \
--header 'Authorization: Basic {base64_encode(clientId:clientSecret)}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'grant_type=urn:cisco:nfv:oauth:grant-type:switch-tenant' \
--data-urlencode 'access_token={access_token}' \
--data-urlencode 'tenant_id={tenant-id}'

Client Scopes

| Scope | Usage |
| --- | --- |
| read | not used |
| write | not used |
| openid | Client needs this scope to engage OIDC in addition to OAuth2 |
| profile | OIDC scope to get user profile related claims in user info and id token |
| email | OIDC scope to get user email related claims in user info and id token |
| address | OIDC scope to get user address related claims in user info and id token |
| phone | OIDC scope to get user phone related claims in user info and id token |
| token_details | allows the client to get token details from the check_token API |
| tenant_hierarchy | allows the client to use the tenant_hierarchy API |

Client Registration Consideration

Client registration should be implemented by the application; it is not implemented in the framework. It is the service implementation's responsibility to restrict grant types and scopes to clients as appropriate.

For grant types, client registration should require the client to have a client secret before giving it a grant type that is not suitable for public clients. In addition, the switch tenant grant may not be suitable for a client that is supposed to work under only one tenant.

| Grant Name | Suitable for Public Client | Suitable for Self Registered Client |
| --- | --- | --- |
| Client Credential | No | Yes |
| Password | No | Yes |
| Authorization Code | Yes | Yes |
| Refresh Token | Yes | Yes |
| Switch Tenant | Yes | Depends on whether the client is supposed to be per tenant |
| Switch User | Yes | Yes |

For scopes, client registration should consider whether a scope is suitable to be given to a customer created client. The tenant_hierarchy and cross_tenant scopes should not be given to a customer registered client that is supposed to work only within the context of a single tenant.

The token_details scope should not be given to a customer registered client because it is related to the introspection API (the check_token API), and this API is meant to be used by resource owners. In most cases self registered clients are not resource owners.

Client registration should also consider whether a scope should be given to a public client. The token_details and tenant_hierarchy scopes should not be given to any public client because public clients cannot be trusted to keep a client secret.

| Scope | Suitable for Public Client | Suitable for Self Registered Client |
| --- | --- | --- |
| read | Yes | Yes |
| write | Yes | Yes |
| openid | Yes | Yes |
| profile | Yes | Yes |
| email | Yes | Yes |
| address | Yes | Yes |
| phone | Yes | Yes |
| token_details | No | No |
| tenant_hierarchy | No | No (assuming the self registered client is isolated to a tenant) |
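The registration rules from the two tables above, as an added Go example (the framework leaves registration to the application, so this is not the package's own code): a check an application could run before persisting a client. RegistrationRequest and its field names are assumptions; the grant type strings and scope names come from this README.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant type values accepted by this server's /v2/token endpoint (taken from the README).
const (
	GrantClientCredentials = "client_credentials"
	GrantPassword          = "password"
	GrantAuthorizationCode = "authorization_code"
	GrantRefreshToken      = "refresh_token"
	GrantSwitchTenant      = "urn:cisco:nfv:oauth:grant-type:switch-tenant"
	GrantSwitchUser        = "urn:cisco:nfv:oauth:grant-type:switch-user"
)

// RegistrationRequest is a hypothetical shape for a client registration; the framework leaves
// registration to the application, so the field names here are assumptions.
type RegistrationRequest struct {
	ClientID       string
	HasSecret      bool // false means a public client that cannot keep a secret
	SelfRegistered bool // created by a customer rather than the platform operator
	PerTenant      bool // intended to work within a single tenant only
	GrantTypes     []string
	Scopes         []string
}

// Grants the README marks as not suitable for public clients.
var grantsRequiringSecret = map[string]bool{GrantClientCredentials: true, GrantPassword: true}

// Scopes that must not be given to a public client.
var scopesRequiringSecret = map[string]bool{"token_details": true, "tenant_hierarchy": true}

// Scopes reserved for resource owners; self-registered clients normally are not resource owners.
var scopesNotForSelfRegistered = map[string]bool{"token_details": true}

// Scopes that let a client reach beyond its own tenant.
var scopesNotForTenantIsolatedClient = map[string]bool{"tenant_hierarchy": true, "cross_tenant": true}

// ValidateRegistration returns one message per rule the request breaks; an empty result
// means the registration may proceed. Each scope yields at most one message.
func ValidateRegistration(r RegistrationRequest) []string {
	var violations []string
	for _, g := range r.GrantTypes {
		if !r.HasSecret && grantsRequiringSecret[g] {
			violations = append(violations, fmt.Sprintf("grant %q requires a client secret; public clients cannot hold one", g))
		}
		if g == GrantSwitchTenant && r.PerTenant {
			violations = append(violations, "switch tenant grant is not appropriate for a client confined to one tenant")
		}
	}
	for _, s := range r.Scopes {
		switch {
		case !r.HasSecret && scopesRequiringSecret[s]:
			violations = append(violations, fmt.Sprintf("scope %q must not be given to a public client", s))
		case r.SelfRegistered && scopesNotForSelfRegistered[s]:
			violations = append(violations, fmt.Sprintf("scope %q is for introspection by resource owners, not self-registered clients", s))
		case r.SelfRegistered && r.PerTenant && scopesNotForTenantIsolatedClient[s]:
			violations = append(violations, fmt.Sprintf("scope %q lets a tenant-isolated client reach other tenants", s))
		}
	}
	return violations
}

func main() {
	// Constructed sample registrations (hypothetical client ids).
	requests := []RegistrationRequest{
		{ClientID: "browser-spa", HasSecret: false,
			GrantTypes: []string{GrantClientCredentials, GrantAuthorizationCode},
			Scopes:     []string{"openid", "token_details"}},
		{ClientID: "customer-integration", HasSecret: true, SelfRegistered: true, PerTenant: true,
			GrantTypes: []string{GrantPassword, GrantSwitchTenant},
			Scopes:     []string{"openid", "tenant_hierarchy", "token_details"}},
		{ClientID: "platform-service", HasSecret: true,
			GrantTypes: []string{GrantClientCredentials, GrantSwitchTenant, GrantSwitchUser, GrantRefreshToken},
			Scopes:     []string{"openid", "tenant_hierarchy", "token_details"}},
	}
	for _, r := range requests {
		v := ValidateRegistration(r)
		fmt.Printf("%s: %d violation(s)\n  %s\n", r.ClientID, len(v), strings.Join(v, "\n  "))
	}
}
```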

Check Token

This API allows a client to check a given token's validity. In addition, a client with the token_details scope can retrieve the security context details represented by the token by specifying no_details=false.

Fields

| Field | Value | Note |
| --- | --- | --- |
| Method | POST | |
| Target | /v2/check_token | |
| token | token value | url values |
| token_type_hint | access_token or refresh_token | url values |
| no_details | true or false | optional, url values; false returns security context details and requires the token_details scope |
| Content-Type | application/x-www-form-urlencoded | request header |
| Accept | application/json | request header |
| Authorization | Use basic auth with clientId:clientSecret in base64 | request header |

Curl Example

curl --location --request POST 'http://localhost:8900/auth/v2/check_token' \
--header 'Authorization: Basic {base64_encode(clientId:clientSecret)}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token={access_token}' \
--data-urlencode 'token_type_hint=access_token' \
--data-urlencode 'no_details=true'

Documentation

Index

Constants

const (
	ApprovalModelKeyAuthRequest = "AuthRequest"
	ApprovalModelKeyApprovalUrl = "ApprovalUrl"
)
const (
	TokenEnhancerOrderExpiry
	TokenEnhancerOrderBasicClaims
	TokenEnhancerOrderDetailsClaims
	TokenEnhancerOrderResourceIdClaims
	TokenEnhancerOrderTokenDetails
	TokenEnhancerOrderRefreshToken
)

Variables

This section is empty.

Functions

func ConvertToOAuthUserAuthentication

func ConvertToOAuthUserAuthentication(userAuth security.Authentication, options ...ConvertOption) oauth2.UserAuthentication

ConvertToOAuthUserAuthentication takes any type of authentication and converts it into an oauth2.UserAuthentication.

func IsSubSet

func IsSubSet(_ context.Context, superset utils.StringSet, subset utils.StringSet) (ok bool, invalid string)

func LoadAndValidateClientId

func LoadAndValidateClientId(c context.Context, clientId string, clientStore oauth2.OAuth2ClientStore) (oauth2.OAuth2Client, error)

func NewJwtTokenStore

func NewJwtTokenStore(opts ...JTSOptions) *jwtTokenStore

func NewWildcardUrlMatcher

func NewWildcardUrlMatcher(pattern string) (*wildcardUrlMatcher, error)

NewWildcardUrlMatcher constructs a wildcard URL matcher with the given pattern. The pattern should be escaped for URL encoding.

func ResolveRedirectUri

func ResolveRedirectUri(_ context.Context, redirectUri string, client oauth2.OAuth2Client) (string, error)

func RetrieveAuthenticatedClient

func RetrieveAuthenticatedClient(c context.Context) oauth2.OAuth2Client

func RetrieveFullyAuthenticatedClient

func RetrieveFullyAuthenticatedClient(c context.Context) (oauth2.OAuth2Client, error)

func ValidateAllAutoApprovalScopes

func ValidateAllAutoApprovalScopes(c context.Context, client oauth2.OAuth2Client, scopes utils.StringSet) error

func ValidateAllScopes

func ValidateAllScopes(c context.Context, client oauth2.OAuth2Client, scopes utils.StringSet) error

func ValidateApproval

func ValidateApproval(c context.Context, approval map[string]bool, client oauth2.OAuth2Client, scopes utils.StringSet) error

ValidateApproval validates user approval; the approval param is a map with scopes as keys and approval status as values.

func ValidateGrant

func ValidateGrant(_ context.Context, client oauth2.OAuth2Client, grantType string) error

func ValidateResponseTypes

func ValidateResponseTypes(ctx context.Context, request *AuthorizeRequest, supported utils.StringSet) error

func ValidateScope

func ValidateScope(c context.Context, client oauth2.OAuth2Client, scopes ...string) error

Types

type AccessRevoker

type AccessRevoker interface {
	RevokeWithSessionId(ctx context.Context, sessionId string, sessionName string) error
	RevokeWithUsername(ctx context.Context, username string, revokeRefreshToken bool) error
	RevokeWithClientId(ctx context.Context, clientId string, revokeRefreshToken bool) error
	RevokeWithTokenValue(ctx context.Context, tokenValue string, hint RevokerTokenHint) error
}

type AuthHandlerOption

type AuthHandlerOption struct {
	Extensions       []AuthorizeHandler
	ApprovalPageTmpl string
	ApprovalUrl      string
	AuthService      AuthorizationService
	AuthCodeStore    AuthorizationCodeStore
}

type AuthHandlerOptions

type AuthHandlerOptions func(opt *AuthHandlerOption)

type AuthorizationCodeStore

type AuthorizationCodeStore interface {
	GenerateAuthorizationCode(ctx context.Context, r *AuthorizeRequest, user security.Authentication) (string, error)
	ConsumeAuthorizationCode(ctx context.Context, authCode string, onetime bool) (oauth2.Authentication, error)
}

type AuthorizationRegistry

type AuthorizationRegistry interface {
	// Register
	RegisterRefreshToken(ctx context.Context, token oauth2.RefreshToken, oauth oauth2.Authentication) error
	RegisterAccessToken(ctx context.Context, token oauth2.AccessToken, oauth oauth2.Authentication) error

	// Read
	ReadStoredAuthorization(ctx context.Context, token oauth2.RefreshToken) (oauth2.Authentication, error)
	FindSessionId(ctx context.Context, token oauth2.Token) (string, error)

	// Revoke
	RevokeRefreshToken(ctx context.Context, token oauth2.RefreshToken) error
	RevokeAccessToken(ctx context.Context, token oauth2.AccessToken) error
	RevokeAllAccessTokens(ctx context.Context, token oauth2.RefreshToken) error
	RevokeUserAccess(ctx context.Context, username string, revokeRefreshToken bool) error
	RevokeClientAccess(ctx context.Context, clientId string, revokeRefreshToken bool) error
	RevokeSessionAccess(ctx context.Context, sessionId string, revokeRefreshToken bool) error
}

AuthorizationRegistry is responsible for keeping track of refresh tokens and the relationships between tokens, clients, users and sessions.

type AuthorizationService

type AuthorizationService interface {
	CreateAuthentication(ctx context.Context, request oauth2.OAuth2Request, userAuth security.Authentication) (oauth2.Authentication, error)
	SwitchAuthentication(ctx context.Context, request oauth2.OAuth2Request, userAuth security.Authentication, src oauth2.Authentication) (oauth2.Authentication, error)
	CreateAccessToken(ctx context.Context, oauth oauth2.Authentication) (oauth2.AccessToken, error)
	RefreshAccessToken(ctx context.Context, oauth oauth2.Authentication, refreshToken oauth2.RefreshToken) (oauth2.AccessToken, error)
}

type AuthorizeHandler

type AuthorizeHandler interface {
	// HandleApproved makes various ResponseHandlerFunc of authorization based on
	// 	- response_type
	// 	- scope
	// 	- other parameters
	// if the implementation decide to not to handle the AuthorizeRequest, returns nil, nil.
	// e.g. OIDC impl don't handle non OIDC request and don't handle "code" response type because it's identical from default oauth2 impl
	HandleApproved(ctx context.Context, r *AuthorizeRequest, user security.Authentication) (ResponseHandlerFunc, error)

	// HandleApprovalPage create ResponseHandlerFunc for user approval page
	HandleApprovalPage(ctx context.Context, r *AuthorizeRequest, user security.Authentication) (ResponseHandlerFunc, error)
}

type AuthorizeRequest

type AuthorizeRequest struct {
	Parameters    map[string]string
	ClientId      string
	ResponseTypes utils.StringSet
	Scopes        utils.StringSet
	RedirectUri   string
	State         string
	Extensions    map[string]interface{}
	Approved      bool
	// contains filtered or unexported fields
}

func NewAuthorizeRequest

func NewAuthorizeRequest(opts ...func(req *AuthorizeRequest)) *AuthorizeRequest

func ParseAuthorizeRequest

func ParseAuthorizeRequest(req *http.Request) (*AuthorizeRequest, error)

func ParseAuthorizeRequestWithKVs

func ParseAuthorizeRequestWithKVs(ctx context.Context, values map[string]interface{}) (*AuthorizeRequest, error)

func (*AuthorizeRequest) Context

func (r *AuthorizeRequest) Context() utils.MutableContext

func (*AuthorizeRequest) OAuth2Request

func (r *AuthorizeRequest) OAuth2Request() oauth2.OAuth2Request

func (*AuthorizeRequest) String

func (r *AuthorizeRequest) String() string

func (*AuthorizeRequest) WithContext

func (r *AuthorizeRequest) WithContext(ctx context.Context) *AuthorizeRequest

type AuthorizeRequestProcessChain

type AuthorizeRequestProcessChain interface {
	Next(ctx context.Context, request *AuthorizeRequest) (processed *AuthorizeRequest, err error)
}

AuthorizeRequestProcessChain invokes the next processor in the processing chain.

type AuthorizeRequestProcessor

type AuthorizeRequestProcessor interface {
	Process(ctx context.Context, request *AuthorizeRequest) (processed *AuthorizeRequest, err error)
}

AuthorizeRequestProcessor validates and processes an incoming request. AuthorizeRequestProcessor is the entry point interface for other components to use.

func NewAuthorizeRequestProcessor

func NewAuthorizeRequestProcessor(delegates ...ChainedAuthorizeRequestProcessor) AuthorizeRequestProcessor

type BasicClaimsTokenEnhancer

type BasicClaimsTokenEnhancer struct {
	// contains filtered or unexported fields
}

BasicClaimsTokenEnhancer implements order.Ordered and TokenEnhancer.

func (*BasicClaimsTokenEnhancer) Enhance

func (*BasicClaimsTokenEnhancer) Order

func (te *BasicClaimsTokenEnhancer) Order() int

type ChainedAuthorizeRequestProcessor

type ChainedAuthorizeRequestProcessor interface {
	Process(ctx context.Context, request *AuthorizeRequest, chain AuthorizeRequestProcessChain) (validated *AuthorizeRequest, err error)
}

ChainedAuthorizeRequestProcessor validates and processes an incoming request and manually invokes the next processor in the chain.

type ClientDetails

type ClientDetails struct {
	ClientId             string
	Secret               string
	GrantTypes           utils.StringSet
	RedirectUris         utils.StringSet
	Scopes               utils.StringSet
	AutoApproveScopes    utils.StringSet
	AccessTokenValidity  time.Duration
	RefreshTokenValidity time.Duration
	UseSessionTimeout    bool
	AssignedTenantIds    utils.StringSet
	ResourceIds          utils.StringSet
}

type CompositeTokenEnhancer

type CompositeTokenEnhancer struct {
	// contains filtered or unexported fields
}

func NewCompositeTokenEnhancer

func NewCompositeTokenEnhancer(delegates ...TokenEnhancer) *CompositeTokenEnhancer

func (*CompositeTokenEnhancer) Add

func (e *CompositeTokenEnhancer) Add(enhancers ...TokenEnhancer)

func (*CompositeTokenEnhancer) Enhance

func (*CompositeTokenEnhancer) Remove

func (e *CompositeTokenEnhancer) Remove(enhancer TokenEnhancer)

type CompositeTokenGranter

type CompositeTokenGranter struct {
	// contains filtered or unexported fields
}

CompositeTokenGranter implements TokenGranter

func NewCompositeTokenGranter

func NewCompositeTokenGranter(delegates ...TokenGranter) *CompositeTokenGranter

func (*CompositeTokenGranter) Add

func (*CompositeTokenGranter) Delegates

func (g *CompositeTokenGranter) Delegates() []TokenGranter

func (*CompositeTokenGranter) Grant

type ConvertOption

type ConvertOption func(option *ConvertOptions)

func ConvertWithSkipTypeCheck

func ConvertWithSkipTypeCheck(skipTypeCheck bool) ConvertOption

type ConvertOptions

type ConvertOptions struct {
	SkipTypeCheck bool
	// contains filtered or unexported fields
}

func (*ConvertOptions) AppendUserAuthOptions

func (c *ConvertOptions) AppendUserAuthOptions(option OverrideAuthOptions)

type DASOption

type DASOption struct {
	DetailsFactory     *common.ContextDetailsFactory
	ClientStore        oauth2.OAuth2ClientStore
	AccountStore       security.AccountStore
	TenantStore        security.TenantStore
	ProviderStore      security.ProviderStore
	Issuer             security.Issuer
	TokenStore         TokenStore
	TokenEnhancers     []TokenEnhancer
	PostTokenEnhancers []TokenEnhancer
}

type DASOptions

type DASOptions func(*DASOption)

type DefaultAuthorizationService

type DefaultAuthorizationService struct {
	// contains filtered or unexported fields
}

DefaultAuthorizationService implements AuthorizationService

func NewDefaultAuthorizationService

func NewDefaultAuthorizationService(opts ...DASOptions) *DefaultAuthorizationService

func (*DefaultAuthorizationService) CreateAccessToken

func (*DefaultAuthorizationService) CreateAuthentication

func (s *DefaultAuthorizationService) CreateAuthentication(ctx context.Context,
	request oauth2.OAuth2Request, user security.Authentication) (oauth oauth2.Authentication, err error)

func (*DefaultAuthorizationService) RefreshAccessToken

func (*DefaultAuthorizationService) SwitchAuthentication

type DefaultAuthorizeHandler

type DefaultAuthorizeHandler struct {
	// contains filtered or unexported fields
}

DefaultAuthorizeHandler implements AuthorizeHandler. It implements the standard OAuth2 responses and keeps a list of extensions for additional protocols such as OpenID Connect.

func NewAuthorizeHandler

func NewAuthorizeHandler(opts ...AuthHandlerOptions) *DefaultAuthorizeHandler

func (*DefaultAuthorizeHandler) Extend

func (*DefaultAuthorizeHandler) HandleApprovalPage

func (*DefaultAuthorizeHandler) HandleApproved

func (*DefaultAuthorizeHandler) MakeAuthCodeResponse

func (*DefaultAuthorizeHandler) MakeImplicitResponse

type DefaultOAuth2Client

type DefaultOAuth2Client struct {
	ClientDetails
}

DefaultOAuth2Client implements security.Account & OAuth2Client

func NewClient

func NewClient() *DefaultOAuth2Client

deja vu

func NewClientWithDetails

func NewClientWithDetails(clientDetails ClientDetails) *DefaultOAuth2Client

func (*DefaultOAuth2Client) AccessTokenValidity

func (c *DefaultOAuth2Client) AccessTokenValidity() time.Duration

func (*DefaultOAuth2Client) AssignedTenantIds

func (c *DefaultOAuth2Client) AssignedTenantIds() utils.StringSet

func (*DefaultOAuth2Client) AutoApproveScopes

func (c *DefaultOAuth2Client) AutoApproveScopes() utils.StringSet

func (*DefaultOAuth2Client) CacheableCopy

func (c *DefaultOAuth2Client) CacheableCopy() security.Account

func (*DefaultOAuth2Client) ClientId

func (c *DefaultOAuth2Client) ClientId() string

* OAuth2Client *

func (*DefaultOAuth2Client) Credentials

func (c *DefaultOAuth2Client) Credentials() interface{}

func (*DefaultOAuth2Client) Disabled

func (c *DefaultOAuth2Client) Disabled() bool

func (*DefaultOAuth2Client) GrantTypes

func (c *DefaultOAuth2Client) GrantTypes() utils.StringSet

func (*DefaultOAuth2Client) ID

func (c *DefaultOAuth2Client) ID() interface{}

func (*DefaultOAuth2Client) Locked

func (c *DefaultOAuth2Client) Locked() bool

func (*DefaultOAuth2Client) MaxTokensPerUser

func (c *DefaultOAuth2Client) MaxTokensPerUser() int

func (*DefaultOAuth2Client) Permissions

func (c *DefaultOAuth2Client) Permissions() []string

func (*DefaultOAuth2Client) RedirectUris

func (c *DefaultOAuth2Client) RedirectUris() utils.StringSet

func (*DefaultOAuth2Client) RefreshTokenValidity

func (c *DefaultOAuth2Client) RefreshTokenValidity() time.Duration

func (*DefaultOAuth2Client) ResourceIDs

func (c *DefaultOAuth2Client) ResourceIDs() utils.StringSet

func (*DefaultOAuth2Client) Scopes

func (c *DefaultOAuth2Client) Scopes() utils.StringSet

func (*DefaultOAuth2Client) Secret

func (c *DefaultOAuth2Client) Secret() string

func (*DefaultOAuth2Client) SecretRequired

func (c *DefaultOAuth2Client) SecretRequired() bool

func (*DefaultOAuth2Client) Type

func (*DefaultOAuth2Client) UseMFA

func (c *DefaultOAuth2Client) UseMFA() bool

func (*DefaultOAuth2Client) UseSessionTimeout

func (c *DefaultOAuth2Client) UseSessionTimeout() bool

func (*DefaultOAuth2Client) Username

func (c *DefaultOAuth2Client) Username() string

type DetailsTokenEnhancer

type DetailsTokenEnhancer struct{}

DetailsTokenEnhancer implements order.Ordered and TokenEnhancer. It populates the token's additional metadata other than claims and issue/expiry time.

func (*DetailsTokenEnhancer) Enhance

func (*DetailsTokenEnhancer) Order

func (e *DetailsTokenEnhancer) Order() int

type ExpiryTokenEnhancer

type ExpiryTokenEnhancer struct{}

ExpiryTokenEnhancer implements order.Ordered and TokenEnhancer

func (*ExpiryTokenEnhancer) Enhance

func (*ExpiryTokenEnhancer) Order

func (e *ExpiryTokenEnhancer) Order() int

type JTSOption

type JTSOption struct {
	Reader       oauth2.TokenStoreReader
	DetailsStore security.ContextDetailsStore
	Encoder      jwt.JwtEncoder
	Decoder      jwt.JwtDecoder
	AuthRegistry AuthorizationRegistry
}

type JTSOptions

type JTSOptions func(opt *JTSOption)

type LegacyTokenEnhancer

type LegacyTokenEnhancer struct{}

LegacyTokenEnhancer implements order.Ordered and TokenEnhancer. It adds legacy claims and response fields that were supported by the Java version of IDM but are deprecated in the Go version.

func (*LegacyTokenEnhancer) Enhance

func (*LegacyTokenEnhancer) Order

func (te *LegacyTokenEnhancer) Order() int

type OAuth2ClientAccountStore

type OAuth2ClientAccountStore struct {
	oauth2.OAuth2ClientStore
}

OAuth2ClientAccountStore wraps a delegate and implements both security.AccountStore and oauth2.OAuth2ClientStore.

func WrapOAuth2ClientStore

func WrapOAuth2ClientStore(clientStore oauth2.OAuth2ClientStore) *OAuth2ClientAccountStore

func (*OAuth2ClientAccountStore) LoadAccountById

func (s *OAuth2ClientAccountStore) LoadAccountById(ctx context.Context, id interface{}) (security.Account, error)

security.AccountStore

func (*OAuth2ClientAccountStore) LoadAccountByUsername

func (s *OAuth2ClientAccountStore) LoadAccountByUsername(ctx context.Context, username string) (security.Account, error)

security.AccountStore

func (*OAuth2ClientAccountStore) LoadLockingRules

security.AccountStore

func (*OAuth2ClientAccountStore) LoadPwdAgingRules

security.AccountStore

func (*OAuth2ClientAccountStore) Save

security.AccountStore

type OAuth2ErrorHandler

type OAuth2ErrorHandler struct{}

OAuth2ErrorHandler implements security.ErrorHandler. It is responsible for handling all oauth2 errors.

func NewOAuth2ErrorHandler

func NewOAuth2ErrorHandler() *OAuth2ErrorHandler

func (*OAuth2ErrorHandler) HandleError

func (h *OAuth2ErrorHandler) HandleError(c context.Context, r *http.Request, rw http.ResponseWriter, err error)

HandleError implements security.ErrorHandler

type OverrideAuthOptions

type OverrideAuthOptions func(userAuth security.Authentication) oauth2.UserAuthOptions

OverrideAuthOptions allows the oauth2.UserAuthOptions to be overridden during the conversion when creating and returning a new user authentication.

type RedisAuthorizationCodeStore

type RedisAuthorizationCodeStore struct {
	// contains filtered or unexported fields
}

RedisAuthorizationCodeStore stores authorization codes in Redis.

func NewRedisAuthorizationCodeStore

func NewRedisAuthorizationCodeStore(ctx context.Context, cf redis.ClientFactory, dbIndex int) *RedisAuthorizationCodeStore

func (*RedisAuthorizationCodeStore) ConsumeAuthorizationCode

func (s *RedisAuthorizationCodeStore) ConsumeAuthorizationCode(ctx context.Context, authCode string, onetime bool) (oauth2.Authentication, error)

func (*RedisAuthorizationCodeStore) GenerateAuthorizationCode

func (s *RedisAuthorizationCodeStore) GenerateAuthorizationCode(ctx context.Context, r *AuthorizeRequest, user security.Authentication) (string, error)

type RefreshTokenEnhancer

type RefreshTokenEnhancer struct {
	// contains filtered or unexported fields
}

RefreshTokenEnhancer implements order.Ordered and TokenEnhancer. It is responsible for creating the refresh token and associating it with the given access token.

func (*RefreshTokenEnhancer) Enhance

func (*RefreshTokenEnhancer) Order

func (te *RefreshTokenEnhancer) Order() int

type ResourceIdTokenEnhancer

type ResourceIdTokenEnhancer struct {
}

ResourceIdTokenEnhancer implements order.Ordered and TokenEnhancer. The spring-security-oauth2 based Java implementation expects the "aud" claim to be the resource ID.

func (*ResourceIdTokenEnhancer) Enhance

func (*ResourceIdTokenEnhancer) Order

func (te *ResourceIdTokenEnhancer) Order() int

type ResponseHandlerFunc

type ResponseHandlerFunc func(ctx *gin.Context)

type RevokerTokenHint

type RevokerTokenHint string
const (
	RevokerHintAccessToken  RevokerTokenHint = "access_token"
	RevokerHintRefreshToken RevokerTokenHint = "refresh_token"
)

type StandardAuthorizeRequestProcessor

type StandardAuthorizeRequestProcessor struct {
	// contains filtered or unexported fields
}

StandardAuthorizeRequestProcessor implements ChainedAuthorizeRequestProcessor and order.Ordered. It validates the auth request against the standard OAuth2 specs.

func NewStandardAuthorizeRequestProcessor

func NewStandardAuthorizeRequestProcessor(opts ...StdARPOptions) *StandardAuthorizeRequestProcessor

func (*StandardAuthorizeRequestProcessor) Process

type StdARPOption

type StdARPOption struct {
	ClientStore  oauth2.OAuth2ClientStore
	AccountStore security.AccountStore
}

type StdARPOptions

type StdARPOptions func(*StdARPOption)

type TokenEnhancer

type TokenEnhancer interface {
	Enhance(ctx context.Context, token oauth2.AccessToken, oauth oauth2.Authentication) (oauth2.AccessToken, error)
}

TokenEnhancer modifies the given oauth2.AccessToken or returns a new token based on the given context and authentication. Most TokenEnhancers are responsible for adding or modifying claims of the given access token, but they are not limited to that; e.g. a TokenEnhancer could be responsible for installing the refresh token. Usually, if the given token is not mutable, the returned token is a different instance.

type TokenGranter

type TokenGranter interface {
	// Grant create oauth2.AccessToken based on given TokenRequest
	// returns
	// 	- (nil, nil) if the TokenGranter doesn't support given request
	// 	- (non-nil, nil) if the TokenGranter support given request and created a token without error
	// 	- (nil, non-nil) if the TokenGranter support given request but rejected the request
	Grant(ctx context.Context, request *TokenRequest) (oauth2.AccessToken, error)
}

type TokenRequest

type TokenRequest struct {
	Parameters map[string]string
	ClientId   string
	Scopes     utils.StringSet
	GrantType  string
	Extensions map[string]interface{}
	// contains filtered or unexported fields
}

func NewTokenRequest

func NewTokenRequest() *TokenRequest

func ParseTokenRequest

func ParseTokenRequest(req *http.Request) (*TokenRequest, error)

func (*TokenRequest) Context

func (r *TokenRequest) Context() utils.MutableContext

func (*TokenRequest) OAuth2Request

func (r *TokenRequest) OAuth2Request(client oauth2.OAuth2Client) oauth2.OAuth2Request

func (*TokenRequest) String

func (r *TokenRequest) String() string

func (*TokenRequest) WithContext

func (r *TokenRequest) WithContext(ctx context.Context) *TokenRequest

type TokenStore

type TokenStore interface {
	oauth2.TokenStoreReader

	// ReusableAccessToken finds access token that currently associated with given oauth2.Authentication
	// and can be reused
	ReusableAccessToken(ctx context.Context, oauth oauth2.Authentication) (oauth2.AccessToken, error)

	// SaveAccessToken associate given oauth2.Authentication with the to-be-saved oauth2.AccessToken.
	// It returns the saved oauth2.AccessToken or error.
	// The saved oauth2.AccessToken may be different from given oauth2.AccessToken (e.g. JWT encoded token)
	SaveAccessToken(ctx context.Context, token oauth2.AccessToken, oauth oauth2.Authentication) (oauth2.AccessToken, error)

	// SaveRefreshToken associate given oauth2.Authentication with the to-be-saved oauth2.RefreshToken.
	// It returns the saved oauth2.RefreshToken or error.
	// The saved oauth2.RefreshToken may be different from given oauth2.RefreshToken (e.g. JWT encoded token)
	SaveRefreshToken(ctx context.Context, token oauth2.RefreshToken, oauth oauth2.Authentication) (oauth2.RefreshToken, error)

	// RemoveAccessToken remove oauth2.AccessToken using given token value.
	// Token can be oauth2.AccessToken or oauth2.RefreshToken
	RemoveAccessToken(ctx context.Context, token oauth2.Token) error

	// RemoveRefreshToken remove given oauth2.RefreshToken
	RemoveRefreshToken(ctx context.Context, token oauth2.RefreshToken) error
}
