authn

package
v0.0.0-...-2a6dfc0
Published: Aug 3, 2024 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Types

type AuthnConfig

type AuthnConfig struct {
	// Trusted issuers for auth.
	//
	Issuers []*TrustConfig `json:"trust,omitempty"`

	// Top-level audiences. A rule may also carry its own custom audience; if that
	// matches, this list is ignored.
	// If empty, the hostname is used as the default.
	Audiences []string `json:"aud,omitempty"`
}

AuthnConfig specifies the trusted sources for incoming authentication.

The common case is a single global config, but it may also be specified per listener.

Unlike Istio, this also covers SSH and certificate public keys, treating all signed mechanisms the same way.

type OIDCDiscDoc

type OIDCDiscDoc struct {
	// Should match the one in the URL
	Issuer string `json:"issuer,omitempty"`

	// Same as the URI in the Istio config - contains the keys.
	// Example: "https://www.googleapis.com/oauth2/v3/certs"
	JWKSURL string `json:"jwks_uri,omitempty"`

	// Not used
	AuthURL       string `json:"authorization_endpoint,omitempty"`
	DeviceAuthURL string `json:"device_authorization_endpoint,omitempty"`
	TokenURL      string `json:"token_endpoint,omitempty"`
	UserInfoURL   string `json:"userinfo_endpoint,omitempty"`

	Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
}

WIP: discovery document returned when fetching the issuer's well-known location:

wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"

Example: curl -v https://accounts.google.com/.well-known/openid-configuration

type TrustConfig

type TrustConfig struct {

	// Example: https://foobar.auth0.com
	// Example: 1234567-compute@developer.gserviceaccount.com (for tokens signed by a GSA)
	// In GKE, the format is https://container.googleapis.com/v1/projects/$PROJECT/locations/$LOCATION/clusters/$CLUSTER
	// and the discovery doc is relative to it (i.e. standard).
	// The keys are typically at $ISS/jwks, but the OIDC discovery document should be loaded to find them.
	//
	// Must match the Issuer in the JWT token.
	// As 'converged' auth, this is also used to represent SSH or TLS CAs.
	Issuer string `json:"issuer,omitempty"`

	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: `https://www.googleapis.com/oauth2/v1/certs`
	//
	// Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if jwks is set.
	JwksUri string `json:"jwks_uri,omitempty"`

	// JSON Web Key Set of public keys to validate signature of the JWT.
	// See https://auth0.com/docs/jwks.
	//
	// Note: In Istio, only one of jwks_uri and jwks should be used. jwks_uri
	// will be ignored if Jwks is present - but it doesn't seem right.
	//
	// TODO: mutating webhook to populate this field, controller JOB to rotate
	Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"`

	// PEM provides the set of public keys or certificates in-line.
	//
	// Not recommended - use pem_location instead so it can be reloaded, unless the trust config is reloaded itself.
	//
	// Extension to Istio JwtRule - specify the public key as PEM. This may include multiple
	// public keys or certificates. This will be populated by a mutating webhook and updated
	// by a job.
	PEM string `json:"pem,omitempty"`

	// Location of a PEM file providing the public keys or certificates of the trusted source.
	// Directory or URL. If provided, will be reloaded periodically or based on expiration time.
	PEMLocation string `json:"pem_location,omitempty"`

	// Extension to Istio JwtRule - cached subset of the OIDC discovery document
	OIDC *OIDCDiscDoc `json:"oidc,omitempty"`

	// Not stored - the actual keys or verifiers for this issuer.
	Key interface{} `json:"-"`

	// KeysByKid is populated from the Jwks config or the PEM, indexed by key ID (kid).
	KeysByKid map[string]interface{} `json:"-"`
	// contains filtered or unexported fields
}

TrustConfig configures the settings for one trusted identity provider. It is primarily used by servers authenticating clients, but may also be used by clients authenticating servers: it defines which sources are trusted to provide identities.

Extended from the Istio JWTRule, but unified with certificate providers.
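The two steps the OIDCDiscDoc and TrustConfig comments describe (load the issuer's discovery document, then build the kid-indexed key map from its JWKS) as an added, self-contained example; this is not the package's own code. The issuer URL, key values and JSON bodies are constructed samples, and only RSA keys are handled.

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// Constructed sample documents (hypothetical issuer, toy key values).
const SampleDisc = `{"issuer":"https://accounts.example.com","jwks_uri":"https://accounts.example.com/jwks"}`
const SampleJWKS = `{"keys":[{"kty":"RSA","kid":"k1","n":"AQID","e":"AQAB"},{"kty":"EC","kid":"k2"}]}`

// JWKSURLFor parses a discovery document fetched from the issuer's well-known URL and
// returns its jwks_uri. OpenID Discovery requires the document's "issuer" to be identical
// to the issuer it was fetched for, so a mismatching document is rejected, not trusted.
func JWKSURLFor(issuer string, body []byte) (string, error) {
	var doc struct{ Issuer string; JwksUri string `json:"jwks_uri"` }
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", err
	}
	if doc.Issuer != issuer {
		return "", fmt.Errorf("issuer mismatch: document says %q, configured %q", doc.Issuer, issuer)
	}
	if doc.JwksUri == "" {
		return "", fmt.Errorf("discovery document for %q has no jwks_uri", issuer)
	}
	return doc.JwksUri, nil
}

// KeysByKid turns a JWKS body into the kid -> public key map that TrustConfig.KeysByKid
// holds. encoding/json matches "kty"/"kid"/"n"/"e" to the fields case-insensitively.
func KeysByKid(jwks []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } `json:"keys"` }
	if err := json.Unmarshal(jwks, &set); err != nil {
		return nil, err
	}
	out := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid == "" { // only RSA keys with a usable kid are indexed
			continue
		}
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("kid %q: n or e is not base64url", k.Kid)
		}
		out[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return out, nil
}
```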
