Package oidc v1.10.0
Published: Feb 19, 2025 License: Apache-2.0 Imports: 15 Imported by: 3

Documentation

Overview

Package oidc implements logging in through OpenID Connect providers.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	Issuer string `json:"issuer"`
	// Some off-spec providers (e.g. Azure, Oracle IDCS) serve their OIDC discovery document
	// from a URL that differs from the issuer URL, which causes issuer validation to fail.
	// IssuerAlias provides a way to override the issuer URL taken from the
	// .well-known/openid-configuration issuer field.
	IssuerAlias  string `json:"issuerAlias"`
	ClientID     string `json:"clientID"`
	ClientSecret string `json:"clientSecret"`
	RedirectURI  string `json:"redirectURI"`

	// The section to override options discovered automatically from
	// the providers' discovery URL (.well-known/openid-configuration).
	ProviderDiscoveryOverrides ProviderDiscoveryOverrides `json:"providerDiscoveryOverrides"`

	// Causes client_secret to be passed as POST parameters instead of basic
	// auth. This is specifically "NOT RECOMMENDED" by the OAuth2 RFC, but some
	// providers require it.
	//
	// https://tools.ietf.org/html/rfc6749#section-2.3.1
	BasicAuthUnsupported *bool `json:"basicAuthUnsupported"`

	Scopes []string `json:"scopes"` // defaults to "profile" and "email"

	// HostedDomains was an optional list of whitelisted domains when using the OIDC connector with Google.
	// Only users from a whitelisted domain were allowed to log in.
	// Support for this option was removed from the OIDC connector.
	// Consider switching to the Google connector which supports this option.
	//
	// Deprecated: will be removed in future releases.
	HostedDomains []string `json:"hostedDomains"`

	// Certificates for SSL validation
	RootCAs []string `json:"rootCAs"`

	// Override the value of email_verified to true in the returned claims
	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`

	// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
	InsecureEnableGroups bool     `json:"insecureEnableGroups"`
	AllowedGroups        []string `json:"allowedGroups"`

	// AcrValues (Authentication Context Class Reference values) specifies the Authentication Context Class
	// values within the Authentication Request that the Authorization Server is being requested to use for
	// processing requests from this Client, with the values appearing in order of preference.
	AcrValues []string `json:"acrValues"`

	// Disable certificate verification
	InsecureSkipVerify bool `json:"insecureSkipVerify"`

	// GetUserInfo uses the userinfo endpoint to get additional claims for
	// the token. This is especially useful where upstreams return "thin"
	// ID tokens.
	GetUserInfo bool `json:"getUserInfo"`

	UserIDKey string `json:"userIDKey"`

	UserNameKey string `json:"userNameKey"`

	// PromptType will be used for the prompt parameter (when offline_access, by default prompt=consent)
	PromptType *string `json:"promptType"`

	// OverrideClaimMapping will be used to override the options defined in claimMappings.
	// I.e. if both `email` and `preferred_email` claims are available, by default Dex will always use the `email` claim regardless of ClaimMapping.EmailKey.
	// This setting allows you to override the default behavior of Dex and enforce the mappings defined in `claimMapping`.
	OverrideClaimMapping bool `json:"overrideClaimMapping"` // defaults to false

	ClaimMapping struct {
		// Configurable key which contains the preferred username claims
		PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"

		// Configurable key which contains the email claims
		EmailKey string `json:"email"` // defaults to "email"

		// Configurable key which contains the groups claims
		GroupsKey string `json:"groups"` // defaults to "groups"
	} `json:"claimMapping"`

	// ClaimMutations holds all claim mutations options
	ClaimMutations struct {
		NewGroupFromClaims []NewGroupFromClaims `json:"newGroupFromClaims"`
		FilterGroupClaims  FilterGroupClaims    `json:"filterGroupClaims"`
	} `json:"claimModifications"`
}

Config holds configuration options for OpenID Connect logins.

func (*Config) Open

func (c *Config) Open(id string, logger *slog.Logger) (conn connector.Connector, err error)

Open returns a connector which can be used to login users through an upstream OpenID Connect provider.

type FilterGroupClaims added in v1.9.0

type FilterGroupClaims struct {
	GroupsFilter string `json:"groupsFilter"`
}

FilterGroupClaims is a regex filter that keeps only the matching groups. This is useful when the groups list is too large to fit within an HTTP header.

type NewGroupFromClaims added in v1.9.0

type NewGroupFromClaims struct {
	// List of claims to join together
	Claims []string `json:"claims"`

	// String to separate the claims
	Delimiter string `json:"delimiter"`

	// Whether Dex should remove the Delimiter string from claim values.
	// This keeps the resulting claim structure fully under the Dex operator's control.
	ClearDelimiter bool `json:"clearDelimiter"`

	// String to place before the first claim
	Prefix string `json:"prefix"`
}

NewGroupFromClaims creates a new group from a list of claims and appends it to the list of existing groups.
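To make the two claim mutation options above concrete, here is an added Go example (not Dex's own code) that applies a NewGroupFromClaims rule and a FilterGroupClaims regex to a constructed set of token claims and upstream groups. The types are local mirrors of the documented structs; the exact joining rule (Prefix treated as the first delimited segment, missing or non-string claims skipped) is this example's assumption.

```go
package main

import (
	"regexp"
	"strings"
)

// Local mirrors of the documented option structs (json tags omitted).
type NewGroupFromClaims struct {
	Claims         []string
	Delimiter      string
	ClearDelimiter bool
	Prefix         string
}
type FilterGroupClaims struct{ GroupsFilter string }

// ApplyNewGroups appends one group per rule, assuming Prefix is the first delimited segment.
func ApplyNewGroups(groups []string, claims map[string]any, rules []NewGroupFromClaims) []string {
	out := append([]string(nil), groups...)
	for _, r := range rules {
		segs := []string{r.Prefix}
		for _, name := range r.Claims {
			if v, ok := claims[name].(string); ok { // non-string claims are skipped
				if r.ClearDelimiter { // a claim value must not be able to inject extra segments
					v = strings.ReplaceAll(v, r.Delimiter, "")
				}
				segs = append(segs, v)
			}
		}
		if len(segs) > 1 { // no claims found: do not emit a prefix-only group
			out = append(out, strings.Join(segs, r.Delimiter))
		}
	}
	return out
}

// FilterGroups keeps only groups matching GroupsFilter; "" compiles to a match-all regexp.
func FilterGroups(groups []string, f FilterGroupClaims) ([]string, error) {
	re, err := regexp.Compile(f.GroupsFilter)
	if err != nil {
		return nil, err // an operator-supplied regex may be invalid; surface it rather than panic
	}
	kept := []string{}
	for _, g := range groups {
		if re.MatchString(g) {
			kept = append(kept, g)
		}
	}
	return kept, nil
}
```

With the constructed claims `{"tenant": "acme", "role": "dev-ops"}`, a rule joining `tenant` and `role` with delimiter `-`, ClearDelimiter set and prefix `grp` yields the extra group `grp-acme-devops`; a filter of `^(admins|grp-)` then drops any upstream group not matching that pattern.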

type ProviderDiscoveryOverrides added in v1.9.0

type ProviderDiscoveryOverrides struct {
	// TokenURL provides a way for the user to override the token URL taken
	// from the .well-known/openid-configuration token_endpoint
	TokenURL string `json:"tokenURL"`
	// AuthURL provides a way for the user to override the authorization URL taken
	// from the .well-known/openid-configuration authorization_endpoint
	AuthURL string `json:"authURL"`
	// JWKSURL provides a way for the user to override the JWKS URL taken
	// from the .well-known/openid-configuration jwks_uri
	JWKSURL string `json:"jwksURL"`
}

func (*ProviderDiscoveryOverrides) Empty added in v1.9.0

func (o *ProviderDiscoveryOverrides) Empty() bool
