

Overview

Package server implements an OpenID Connect server with federated logins.


Constants

// Context keys used by WithRequestID and WithRemoteIP (declared below). Their
// values are presumably attached to log records under these names — confirm
// against the logging middleware.
const (
	RequestKeyRequestID logRequestKey = "request_id"
	RequestKeyRemoteIP  logRequestKey = "client_remote_addr"
)
// LocalConnector is the identifier of the server's built-in passwordDB
// connector, which is maintained internally rather than opened from a
// ConnectorConfig.
const LocalConnector = "local"

LocalConnector is the local passwordDB connector, an internal connector maintained by the server.

Variables

// ConnectorsConfig maps a connector type string to a constructor that returns
// a fresh, zero-valued config struct for that connector. The "mockCallback"
// and "mockPassword" entries are, as their names suggest, mock connectors.
var ConnectorsConfig = map[string]func() ConnectorConfig{
	"keystone":        func() ConnectorConfig { return new(keystone.Config) },
	"mockCallback":    func() ConnectorConfig { return new(mock.CallbackConfig) },
	"mockPassword":    func() ConnectorConfig { return new(mock.PasswordConfig) },
	"ldap":            func() ConnectorConfig { return new(ldap.Config) },
	"gitea":           func() ConnectorConfig { return new(gitea.Config) },
	"github":          func() ConnectorConfig { return new(github.Config) },
	"gitlab":          func() ConnectorConfig { return new(gitlab.Config) },
	"google":          func() ConnectorConfig { return new(google.Config) },
	"oidc":            func() ConnectorConfig { return new(oidc.Config) },
	"oauth":           func() ConnectorConfig { return new(oauth.Config) },
	"saml":            func() ConnectorConfig { return new(saml.Config) },
	"authproxy":       func() ConnectorConfig { return new(authproxy.Config) },
	"linkedin":        func() ConnectorConfig { return new(linkedin.Config) },
	"microsoft":       func() ConnectorConfig { return new(microsoft.Config) },
	"bitbucket-cloud": func() ConnectorConfig { return new(bitbucketcloud.Config) },
	"openshift":       func() ConnectorConfig { return new(openshift.Config) },
	"atlassian-crowd": func() ConnectorConfig { return new(atlassiancrowd.Config) },

	// "samlExperimental" resolves to the same saml.Config as "saml";
	// presumably a legacy alias — confirm before relying on any difference.
	"samlExperimental": func() ConnectorConfig { return new(saml.Config) },
}

ConnectorsConfig provides an easy way to obtain a config struct for a given connector type.

Functions

func NewAPI

func NewAPI(s storage.Storage, logger *slog.Logger, version string, server *Server) api.DexServer

NewAPI returns a server which implements the gRPC API interface.

func WithRemoteIP

func WithRemoteIP(ctx context.Context, ip string) context.Context

func WithRequestID

func WithRequestID(ctx context.Context) context.Context

Types

type Config

type Config struct {
	// Issuer is this server's issuer URL (the "( issuer URL )" that the
	// WebConfig asset paths are expressed relative to).
	Issuer string

	// The backing persistence layer.
	Storage storage.Storage

	// AllowedGrantTypes lists the OAuth 2.0 grant types the server accepts;
	// the default is not documented here.
	AllowedGrantTypes []string

	// Valid values are "code" to enable the code flow and "token" to enable the implicit
	// flow. If no response types are supplied this value defaults to "code".
	SupportedResponseTypes []string

	// Headers is a map of headers to be added to all responses.
	Headers http.Header

	// Header to extract the real client IP from, e.g. when running behind a
	// reverse proxy.
	// NOTE(review): such a header is client-controlled unless it is set by a
	// proxy in front of this server; TrustedRealIPCIDRs is presumably the set
	// of peer addresses for which the header is honored — confirm against the
	// request handling code.
	RealIPHeader       string
	TrustedRealIPCIDRs []netip.Prefix

	// List of allowed origins for CORS requests on discovery, token and keys endpoint.
	// If none are indicated, CORS requests are disabled. Passing in "*" will allow any
	// domain, i.e. no origin restriction at all on those endpoints.
	AllowedOrigins []string

	// List of allowed headers for CORS requests on discovery, token, and keys endpoint.
	AllowedHeaders []string

	// If enabled, the server won't prompt the user to approve authorization requests.
	// Logging in implies approval, so no consent step stands between a successful
	// login and the client receiving the grant.
	SkipApprovalScreen bool

	// If enabled, the connectors selection page will always be shown even if there's only one.
	AlwaysShowLoginScreen bool

	RotateKeysAfter        time.Duration // Defaults to 6 hours.
	IDTokensValidFor       time.Duration // Defaults to 24 hours.
	AuthRequestsValidFor   time.Duration // Defaults to 24 hours.
	DeviceRequestsValidFor time.Duration // Defaults to 5 minutes.

	// Refresh token expiration settings; see NewRefreshTokenPolicy.
	RefreshTokenPolicy *RefreshTokenPolicy

	// If set, the server will use this connector to handle password grants
	// (the OAuth 2.0 resource owner password credentials grant).
	PasswordConnector string

	// GCFrequency is how often expired objects are presumably garbage
	// collected from Storage — confirm.
	GCFrequency time.Duration // Defaults to 5 minutes

	// If specified, the server will use this function for determining time.
	// Presumably falls back to time.Now when nil (useful for tests) — confirm.
	Now func() time.Time

	// Web holds the frontend template and asset configuration.
	Web WebConfig

	// Logger receives the server's structured log output.
	Logger *slog.Logger

	// PrometheusRegistry is the registry the server's metrics are registered with.
	PrometheusRegistry *prometheus.Registry

	// HealthChecker is the gosundheit health checker the server reports into.
	HealthChecker gosundheit.Health
}

Config holds the server's configuration options.

Multiple servers using the same storage are expected to be configured identically.

type Connector

type Connector struct {
	// ResourceVersion is the storage resource version of the connector
	// record this Connector was opened from (see Server.OpenConnector);
	// presumably used to detect stale connector objects — confirm.
	ResourceVersion string
	// Connector is the opened connector implementation.
	Connector connector.Connector
}

Connector is a connector with resource version metadata.

type ConnectorConfig

type ConnectorConfig interface {
	// Open instantiates the connector for the given connector id, logging
	// through logger. It returns an error if the configuration cannot be
	// turned into a working connector.
	Open(id string, logger *slog.Logger) (connector.Connector, error)
}

ConnectorConfig is a configuration that can open a connector.

type Introspection

type Introspection struct {
	// Boolean indicator of whether or not the presented token
	// is currently active.  The specifics of a token's "active" state
	// will vary depending on the implementation of the authorization
	// server and the information it keeps about its tokens, but a "true"
	// value return for the "active" property will generally indicate
	// that a given token has been issued by this authorization server,
	// has not been revoked by the resource owner, and is within its
	// given time window of validity (e.g., after its issuance time and
	// before its expiration time).
	// Per RFC 7662 a resource server must treat anything other than
	// Active == true as a token it must not accept, regardless of the
	// other fields.
	Active bool `json:"active"`

	// JSON string containing a space-separated list of
	// scopes associated with this token.
	Scope string `json:"scope,omitempty"`

	// Client identifier for the OAuth 2.0 client that
	// requested this token.
	ClientID string `json:"client_id"`

	// Subject of the token, as defined in JWT [RFC7519].
	// Usually a machine-readable identifier of the resource owner who
	// authorized this token.
	Subject string `json:"sub"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token will expire.
	Expiry int64 `json:"exp"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token was
	// originally issued.
	IssuedAt int64 `json:"iat"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token is not to be
	// used before.
	NotBefore int64 `json:"nbf"`

	// Human-readable identifier for the resource owner who
	// authorized this token.
	Username string `json:"username,omitempty"`

	// Service-specific string identifier or list of string
	// identifiers representing the intended audience for this token, as
	// defined in JWT. The unexported audience type presumably marshals
	// either form — confirm.
	Audience audience `json:"aud"`

	// String representing the issuer of this token, as
	// defined in JWT.
	Issuer string `json:"iss"`

	// String identifier for the token, as defined in JWT [RFC7519].
	JwtTokenID string `json:"jti,omitempty"`

	// TokenType is the introspected token's type, typically `bearer`.
	TokenType string `json:"token_type"`

	// TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.
	TokenUse string `json:"token_use"`

	// Extra is arbitrary data set from the token claims.
	// NOTE(review): encoding/json never treats a non-pointer struct as
	// empty, so "omitempty" has no effect here and "ext" is always emitted
	// (as "{}" when nothing is set).
	Extra IntrospectionExtra `json:"ext,omitempty"`
}

Introspection contains an access token's session data as specified by [IETF RFC 7662](https://tools.ietf.org/html/rfc7662).

type IntrospectionExtra

// IntrospectionExtra carries the identity claims copied from the token into
// the "ext" member of an Introspection response. Every field is optional and
// omitted from the JSON when unset.
type IntrospectionExtra struct {
	// AuthorizingParty is the "azp" claim: the party the token was issued to.
	AuthorizingParty string `json:"azp,omitempty"`

	Email string `json:"email,omitempty"`
	// EmailVerified is a pointer, presumably so that an explicit false can be
	// distinguished from the claim being absent — confirm.
	EmailVerified *bool `json:"email_verified,omitempty"`

	Groups []string `json:"groups,omitempty"`

	Name              string `json:"name,omitempty"`
	PreferredUsername string `json:"preferred_username,omitempty"`

	// FederatedIDClaims identifies the upstream connector the identity came
	// from; the concrete type is unexported.
	FederatedIDClaims *federatedIDClaims `json:"federated_claims,omitempty"`
}

type RefreshTokenPolicy

// RefreshTokenPolicy decides when a refresh token may be reused and when it
// expires. Construct it with NewRefreshTokenPolicy; the decisions are exposed
// through AllowedToReuse, CompletelyExpired, ExpiredBecauseUnused and
// RotationEnabled.
type RefreshTokenPolicy struct {
	// contains filtered or unexported fields
}

func NewRefreshTokenPolicy

func NewRefreshTokenPolicy(logger *slog.Logger, rotation bool, validIfNotUsedFor, absoluteLifetime, reuseInterval string) (*RefreshTokenPolicy, error)

func (*RefreshTokenPolicy) AllowedToReuse

func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool

func (*RefreshTokenPolicy) CompletelyExpired

func (r *RefreshTokenPolicy) CompletelyExpired(lastUsed time.Time) bool

func (*RefreshTokenPolicy) ExpiredBecauseUnused

func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool

func (*RefreshTokenPolicy) RotationEnabled

func (r *RefreshTokenPolicy) RotationEnabled() bool

type Server

// Server is constructed with NewServer or NewServerWithKey and serves the
// OpenID Connect endpoints through its ServeHTTP method (it satisfies
// http.Handler).
type Server struct {
	// contains filtered or unexported fields
}

Server is the top level object.

func NewServer

func NewServer(ctx context.Context, c Config) (*Server, error)

NewServer constructs a server from the provided config.

func NewServerWithKey

func NewServerWithKey(ctx context.Context, c Config, privateKey *rsa.PrivateKey) (*Server, error)

NewServerWithKey constructs a server from the provided config and a static signing key.

func (*Server) OpenConnector

func (s *Server) OpenConnector(conn storage.Connector) (Connector, error)

OpenConnector updates the server's connector map with the specified connector object.

func (*Server) ServeHTTP

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)

type TokenTypeEnum

// TokenTypeEnum distinguishes the kinds of token the server issues; its
// textual form is given by the String method below.
type TokenTypeEnum int

// AccessToken is 0 and RefreshToken is 1 (iota); keep the order stable, as
// the numeric values are part of the exported API.
const (
	AccessToken TokenTypeEnum = iota
	RefreshToken
)

func (TokenTypeEnum) String

func (t TokenTypeEnum) String() string

type WebConfig

type WebConfig struct {
	// A file path to static web assets.
	//
	// It is expected to contain the following directories:
	//
	//   * static - Static assets served at "( issuer URL )/static".
	//   * templates - HTML templates controlled by dex.
	//   * themes/(theme) - Static assets served at "( issuer URL )/theme".
	Dir string

	// Alternative way to programmatically configure static web assets.
	// If Dir is specified, WebFS is ignored.
	// It's expected to contain the same files and directories as mentioned above.
	//
	// Note: this is experimental. Might get removed without notice!
	WebFS fs.FS

	// Defaults to "( issuer URL )/theme/logo.png".
	LogoURL string

	// Display name shown in the templates. Defaults to "dex".
	Issuer string

	// Name of the theme directory under themes/. Defaults to "light".
	Theme string

	// Map of extra values passed into the templates.
	// NOTE(review): these values are rendered into HTML; whether they are
	// escaped depends on the template engine in use — confirm before passing
	// untrusted input here.
	Extra map[string]string
}

WebConfig holds the server's frontend templates and asset configuration.
