stsd

package
Published: Feb 29, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type TokenExchangeD

type TokenExchangeD struct {
	Authn    *meshauth.Authn
	Generate func(context.Context, *meshauth.JWT, string) (string, error)
}

TokenExchangeD is an OAuth2 token exchange server (RFC 8693, which extends the OAuth2 framework of RFC 6749).

This is also called a "Secure Token Service": the source of trust is a "security token", either a K8S JWT with a special audience or a JWT from a different provider.

It currently accepts grant_type 'token-exchange' with a 'jwt' subject token.

It can return access_token and JWT tokens.

func (*TokenExchangeD) ServeHTTP

func (s *TokenExchangeD) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServeHTTP handles STS requests (RFC 8693 token exchange) and returns the exchanged token in the response.

It is intended for localhost use with Envoy and matches the protocol Envoy uses. Envoy sends a JWT loaded from a file; this is ignored, since localhost is trusted in sidecar cases.

It can also be used as a service, with proper Authz prior to

e.g. for GCP: https://cloud.google.com/iam/docs/reference/sts/rest/v1beta/TopLevel/token https://cloud.google.com/iam/docs/reference/credentials/rest

Should be mapped to /v1/token (other paths are possible).

type TokenExchangeRequest

type TokenExchangeRequest struct {
	// REQUIRED. The value "urn:ietf:params:oauth:grant-type:token-exchange"
	// indicates that a token exchange is being performed.
	//
	// Other values: refresh_token, authorization_code, client_credentials
	//
	GrantType string `json:"grantType"`

	// REQUIRED. A security token that represents the identity of the party on
	// behalf of whom the request is being made.
	SubjectToken string `json:"subjectToken"`

	// REQUIRED. An identifier, that indicates the type of the security token in
	// the "subject_token" parameter.
	SubjectTokenType string `json:"subjectTokenType"`

	// OPTIONAL. An identifier, for the type of the requested security token.
	RequestedTokenType string `json:"requestedTokenType"`

	// OPTIONAL in RFC, required by GCP.
	// The logical name of the target service where the client intends
	// to use the requested security token.
	Audience string `json:"audience"`

	// OPTIONAL, required in GCP. A list of space-delimited, case-sensitive strings, that allow
	// the client to specify the desired Scope of the requested security token in the
	// context of the service or Resource where the token will be used.
	Scope string `json:"scope"`

	// OPTIONAL. Indicates the location of the target service or resource where
	// the client intends to use the requested security token.
	Resource string `json:"resource"`

	// OPTIONAL. A security token that represents the identity of the acting party.
	ActorToken string

	// An identifier, that indicates the type of the security token in the
	// "actor_token" parameter.
	ActorTokenType string
}

TokenExchangeRequest stores all STS request attributes defined in https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16#section-2.1
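The exchange flow that TokenExchangeD, ServeHTTP and TokenExchangeRequest describe, as an added example that is not the stsd package's own code: it parses the RFC 8693 form parameters (snake_case on the wire, as in the RFC), rejects any grant other than token-exchange, requires a non-empty JWT subject token and an audience (the GCP-style requirement noted above), and answers in the RFC 6749 JSON shape. The `STS` type, its `Generate` hook and `demoGenerate` are assumptions standing in for the package's meshauth-backed verifier; the subject token value is constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RFC 8693 identifiers used on the wire.
const (
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeJWT           = "urn:ietf:params:oauth:token-type:jwt"
	TokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
)

// ExchangeRequest holds the validated parameters of RFC 8693 section 2.1.
type ExchangeRequest struct {
	GrantType, SubjectToken, SubjectTokenType, Audience string
}

// ExchangeResponse is the success body of RFC 8693 section 2.2.1.
type ExchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in,omitempty"`
}

// STS is a minimal token-exchange handler. Generate is a hypothetical hook
// (an assumption of this example) that verifies the subject token and mints a
// token bound to the audience; the real package delegates this to meshauth.
type STS struct {
	Generate func(ctx context.Context, subjectToken, audience string) (string, error)
}

// ParseExchangeRequest reads the POST form and rejects anything that is not a
// token-exchange grant carrying a JWT subject token and an explicit audience.
// Error text is "<oauth error code>: <description>" so writeError can split it.
func ParseExchangeRequest(req *http.Request) (*ExchangeRequest, error) {
	if req.Method != http.MethodPost {
		return nil, errors.New("invalid_request: POST required")
	}
	if err := req.ParseForm(); err != nil {
		return nil, fmt.Errorf("invalid_request: %w", err)
	}
	f := req.PostForm
	r := &ExchangeRequest{
		GrantType:        f.Get("grant_type"),
		SubjectToken:     f.Get("subject_token"),
		SubjectTokenType: f.Get("subject_token_type"),
		Audience:         f.Get("audience"),
	}
	switch {
	case r.GrantType != GrantTypeTokenExchange:
		return nil, errors.New("unsupported_grant_type: only token-exchange is accepted")
	case r.SubjectTokenType != TokenTypeJWT || r.SubjectToken == "":
		return nil, errors.New("invalid_request: subject_token must be a non-empty jwt")
	case r.Audience == "":
		return nil, errors.New("invalid_request: audience is required")
	}
	return r, nil
}

// ServeHTTP validates the request, mints a token for the audience and replies.
func (s *STS) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r, err := ParseExchangeRequest(req)
	if err != nil {
		writeError(w, http.StatusBadRequest, err)
		return
	}
	tok, err := s.Generate(req.Context(), r.SubjectToken, r.Audience)
	if err != nil { // keep the verifier's reason server-side; the client gets a generic code
		writeError(w, http.StatusBadRequest, errors.New("invalid_grant: subject token rejected"))
		return
	}
	writeJSON(w, http.StatusOK, ExchangeResponse{
		AccessToken: tok, IssuedTokenType: TokenTypeAccessToken, TokenType: "Bearer", ExpiresIn: 3600,
	})
}

func writeError(w http.ResponseWriter, status int, err error) {
	code, desc, _ := strings.Cut(err.Error(), ": ")
	writeJSON(w, status, map[string]string{"error": code, "error_description": desc})
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store") // RFC 6749 section 5.1: token responses are never cached
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// Exchange drives the handler in memory (no listener) and decodes the JSON reply.
func Exchange(s *STS, form url.Values) (int, map[string]any) {
	req := httptest.NewRequest(http.MethodPost, "/v1/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	var body map[string]any
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body
}

// demoGenerate stands in for a real verifier: it trusts one constructed subject token only.
func demoGenerate(_ context.Context, subjectToken, audience string) (string, error) {
	if subjectToken != "constructed-subject-jwt" {
		return "", errors.New("subject token not trusted")
	}
	return "minted-for-" + audience, nil
}

func main() {
	s := &STS{Generate: demoGenerate}
	code, body := Exchange(s, url.Values{
		"grant_type": {GrantTypeTokenExchange}, "subject_token": {"constructed-subject-jwt"},
		"subject_token_type": {TokenTypeJWT}, "audience": {"svc.example"},
	})
	fmt.Println(code, body)
}
```

The deliberate choices are the three rejection paths: a wrong `grant_type` maps to `unsupported_grant_type`, a malformed request to `invalid_request`, and a subject token the verifier will not vouch for to `invalid_grant` without echoing the verifier's reason, so a caller cannot use the STS to probe why a token failed. Envoy's localhost JWT, which the package ignores, is simply the `subject_token` here; in a service deployment the `Generate` hook is where the real verification and the authorization the doc mentions must happen.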
