Documentation ¶
Index ¶
- Constants
- Variables
- func GetMSIVMEndpoint() (string, error)
- func SaveToken(path string, mode os.FileMode, token Token) error
- type DeviceCode
- type OAuthConfig
- type OAuthTokenProvider
- type Refresher
- type RefresherWithContext
- type SendDecorator
- type Sender
- type SenderFunc
- type ServicePrincipalAuthorizationCodeSecret
- type ServicePrincipalCertificateSecret
- func (secret ServicePrincipalCertificateSecret) MarshalJSON() ([]byte, error)
- func (secret *ServicePrincipalCertificateSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
- func (secret *ServicePrincipalCertificateSecret) SignJwt(spt *ServicePrincipalToken) (string, error)
- type ServicePrincipalMSISecret
- type ServicePrincipalNoSecret
- type ServicePrincipalSecret
- type ServicePrincipalToken
- func NewServicePrincipalToken(oauthConfig OAuthConfig, clientID string, secret string, resource string, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromAuthorizationCode(oauthConfig OAuthConfig, clientID string, clientSecret string, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID string, certificate *x509.Certificate, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromMSI(msiEndpoint, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, resource string, userAssignedID string, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID string, resource string, token Token, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromManualTokenSecret(oauthConfig OAuthConfig, clientID string, resource string, token Token, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenFromUsernamePassword(oauthConfig OAuthConfig, clientID string, username string, password string, ...) (*ServicePrincipalToken, error)
- func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, resource string, ...) (*ServicePrincipalToken, error)
- func (spt *ServicePrincipalToken) EnsureFresh() error
- func (spt *ServicePrincipalToken) EnsureFreshWithContext(ctx context.Context) error
- func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error
- func (spt ServicePrincipalToken) MarshalJSON() ([]byte, error)
- func (spt ServicePrincipalToken) MarshalTokenJSON() ([]byte, error)
- func (spt *ServicePrincipalToken) OAuthToken() string
- func (spt *ServicePrincipalToken) Refresh() error
- func (spt *ServicePrincipalToken) RefreshExchange(resource string) error
- func (spt *ServicePrincipalToken) RefreshExchangeWithContext(ctx context.Context, resource string) error
- func (spt *ServicePrincipalToken) RefreshWithContext(ctx context.Context) error
- func (spt *ServicePrincipalToken) SetAutoRefresh(autoRefresh bool)
- func (spt *ServicePrincipalToken) SetRefreshCallbacks(callbacks []TokenRefreshCallback)
- func (spt *ServicePrincipalToken) SetRefreshWithin(d time.Duration)
- func (spt *ServicePrincipalToken) SetSender(s Sender)
- func (spt *ServicePrincipalToken) Token() Token
- func (spt *ServicePrincipalToken) UnmarshalJSON(data []byte) error
- type ServicePrincipalTokenSecret
- type ServicePrincipalUsernamePasswordSecret
- type Token
- type TokenError
- type TokenRefreshCallback
- type TokenRefreshError
Constants ¶
const ( // OAuthGrantTypeDeviceCode is the "grant_type" identifier used in device flow OAuthGrantTypeDeviceCode = "device_code" // OAuthGrantTypeClientCredentials is the "grant_type" identifier used in credential flows OAuthGrantTypeClientCredentials = "client_credentials" // OAuthGrantTypeUserPass is the "grant_type" identifier used in username and password auth flows OAuthGrantTypeUserPass = "password" // OAuthGrantTypeRefreshToken is the "grant_type" identifier used in refresh token flows OAuthGrantTypeRefreshToken = "refresh_token" // OAuthGrantTypeAuthorizationCode is the "grant_type" identifier used in authorization code flows OAuthGrantTypeAuthorizationCode = "authorization_code" )
Variables ¶
var ( // ErrDeviceGeneric represents an unknown error from the token endpoint when using device flow ErrDeviceGeneric = fmt.Errorf("%s Error while retrieving OAuth token: Unknown Error", logPrefix) // ErrDeviceAccessDenied represents an access denied error from the token endpoint when using device flow ErrDeviceAccessDenied = fmt.Errorf("%s Error while retrieving OAuth token: Access Denied", logPrefix) // ErrDeviceAuthorizationPending represents the server waiting on the user to complete the device flow ErrDeviceAuthorizationPending = fmt.Errorf("%s Error while retrieving OAuth token: Authorization Pending", logPrefix) // ErrDeviceCodeExpired represents the server timing out and expiring the code during device flow ErrDeviceCodeExpired = fmt.Errorf("%s Error while retrieving OAuth token: Code Expired", logPrefix) // ErrDeviceSlowDown represents the service telling us we're polling too often during device flow ErrDeviceSlowDown = fmt.Errorf("%s Error while retrieving OAuth token: Slow Down", logPrefix) // ErrDeviceCodeEmpty represents an empty device code from the device endpoint while using device flow ErrDeviceCodeEmpty = fmt.Errorf("%s Error while retrieving device code: Device Code Empty", logPrefix) // ErrOAuthTokenEmpty represents an empty OAuth token from the token endpoint when using device flow ErrOAuthTokenEmpty = fmt.Errorf("%s Error while retrieving OAuth token: Token Empty", logPrefix) )
Functions ¶
func GetMSIVMEndpoint ¶
GetMSIVMEndpoint gets the MSI endpoint on Virtual Machines.
Types ¶
type DeviceCode ¶
type DeviceCode struct { DeviceCode *string `json:"device_code,omitempty"` UserCode *string `json:"user_code,omitempty"` VerificationURL *string `json:"verification_url,omitempty"` ExpiresIn *int64 `json:"expires_in,string,omitempty"` Interval *int64 `json:"interval,string,omitempty"` Message *string `json:"message"` // Azure specific Resource string // store the following, stored when initiating, used when exchanging OAuthConfig OAuthConfig ClientID string }
DeviceCode is the object returned by the device auth endpoint It contains information to instruct the user to complete the auth flow
func InitiateDeviceAuth ¶
func InitiateDeviceAuth(sender Sender, oauthConfig OAuthConfig, clientID, resource string) (*DeviceCode, error)
InitiateDeviceAuth initiates a device auth flow. It returns a DeviceCode that can be used with CheckForUserCompletion or WaitForUserCompletion.
type OAuthConfig ¶
type OAuthConfig struct { AuthorityEndpoint url.URL `json:"authorityEndpoint"` AuthorizeEndpoint url.URL `json:"authorizeEndpoint"` TokenEndpoint url.URL `json:"tokenEndpoint"` DeviceCodeEndpoint url.URL `json:"deviceCodeEndpoint"` }
OAuthConfig represents the endpoints needed in OAuth operations
func NewOAuthConfig ¶
func NewOAuthConfig(activeDirectoryEndpoint, tenantID string) (*OAuthConfig, error)
NewOAuthConfig returns an OAuthConfig with tenant specific urls
func (OAuthConfig) IsZero ¶
func (oac OAuthConfig) IsZero() bool
IsZero returns true if the OAuthConfig object is zero-initialized.
type OAuthTokenProvider ¶
type OAuthTokenProvider interface {
OAuthToken() string
}
OAuthTokenProvider is an interface which should be implemented by an access token retriever
type Refresher ¶
type Refresher interface { Refresh() error RefreshExchange(resource string) error EnsureFresh() error }
Refresher is an interface for token refresh functionality
type RefresherWithContext ¶
type RefresherWithContext interface { RefreshWithContext(ctx context.Context) error RefreshExchangeWithContext(ctx context.Context, resource string) error EnsureFreshWithContext(ctx context.Context) error }
RefresherWithContext is an interface for token refresh functionality
type SendDecorator ¶
SendDecorator takes and possibily decorates, by wrapping, a Sender. Decorators may affect the http.Request and pass it along or, first, pass the http.Request along then react to the http.Response result.
type Sender ¶
Sender is the interface that wraps the Do method to send HTTP requests.
The standard http.Client conforms to this interface.
func CreateSender ¶
func CreateSender(decorators ...SendDecorator) Sender
CreateSender creates, decorates, and returns, as a Sender, the default http.Client.
func DecorateSender ¶
func DecorateSender(s Sender, decorators ...SendDecorator) Sender
DecorateSender accepts a Sender and a, possibly empty, set of SendDecorators, which is applies to the Sender. Decorators are applied in the order received, but their affect upon the request depends on whether they are a pre-decorator (change the http.Request and then pass it along) or a post-decorator (pass the http.Request along and react to the results in http.Response).
type SenderFunc ¶
SenderFunc is a method that implements the Sender interface.
type ServicePrincipalAuthorizationCodeSecret ¶
type ServicePrincipalAuthorizationCodeSecret struct { ClientSecret string `json:"value"` AuthorizationCode string `json:"authCode"` RedirectURI string `json:"redirect"` }
ServicePrincipalAuthorizationCodeSecret implements ServicePrincipalSecret for authorization code auth.
func (ServicePrincipalAuthorizationCodeSecret) MarshalJSON ¶
func (secret ServicePrincipalAuthorizationCodeSecret) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*ServicePrincipalAuthorizationCodeSecret) SetAuthenticationValues ¶
func (secret *ServicePrincipalAuthorizationCodeSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
type ServicePrincipalCertificateSecret ¶
type ServicePrincipalCertificateSecret struct { Certificate *x509.Certificate PrivateKey *rsa.PrivateKey }
ServicePrincipalCertificateSecret implements ServicePrincipalSecret for generic RSA cert auth with signed JWTs.
func (ServicePrincipalCertificateSecret) MarshalJSON ¶
func (secret ServicePrincipalCertificateSecret) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*ServicePrincipalCertificateSecret) SetAuthenticationValues ¶
func (secret *ServicePrincipalCertificateSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret. It will populate the form submitted during oAuth Token Acquisition using a JWT signed with a certificate.
func (*ServicePrincipalCertificateSecret) SignJwt ¶
func (secret *ServicePrincipalCertificateSecret) SignJwt(spt *ServicePrincipalToken) (string, error)
SignJwt returns the JWT signed with the certificate's private key.
type ServicePrincipalMSISecret ¶
type ServicePrincipalMSISecret struct { }
ServicePrincipalMSISecret implements ServicePrincipalSecret for machines running the MSI Extension.
func (ServicePrincipalMSISecret) MarshalJSON ¶
func (msiSecret ServicePrincipalMSISecret) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*ServicePrincipalMSISecret) SetAuthenticationValues ¶
func (msiSecret *ServicePrincipalMSISecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
type ServicePrincipalNoSecret ¶
type ServicePrincipalNoSecret struct { }
ServicePrincipalNoSecret represents a secret type that contains no secret meaning it is not valid for fetching a fresh token. This is used by Manual
func (ServicePrincipalNoSecret) MarshalJSON ¶
func (noSecret ServicePrincipalNoSecret) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*ServicePrincipalNoSecret) SetAuthenticationValues ¶
func (noSecret *ServicePrincipalNoSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret It only returns an error for the ServicePrincipalNoSecret type
type ServicePrincipalSecret ¶
type ServicePrincipalSecret interface {
SetAuthenticationValues(spt *ServicePrincipalToken, values *url.Values) error
}
ServicePrincipalSecret is an interface that allows various secret mechanism to fill the form that is submitted when acquiring an oAuth token.
type ServicePrincipalToken ¶
type ServicePrincipalToken struct { // MaxMSIRefreshAttempts is the maximum number of attempts to refresh an MSI token. MaxMSIRefreshAttempts int // contains filtered or unexported fields }
ServicePrincipalToken encapsulates a Token created for a Service Principal.
func NewServicePrincipalToken ¶
func NewServicePrincipalToken(oauthConfig OAuthConfig, clientID string, secret string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalToken creates a ServicePrincipalToken from the supplied Service Principal credentials scoped to the named resource.
func NewServicePrincipalTokenFromAuthorizationCode ¶
func NewServicePrincipalTokenFromAuthorizationCode(oauthConfig OAuthConfig, clientID string, clientSecret string, authorizationCode string, redirectURI string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromAuthorizationCode creates a ServicePrincipalToken from the
func NewServicePrincipalTokenFromCertificate ¶
func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID string, certificate *x509.Certificate, privateKey *rsa.PrivateKey, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromCertificate creates a ServicePrincipalToken from the supplied pkcs12 bytes.
func NewServicePrincipalTokenFromMSI ¶
func NewServicePrincipalTokenFromMSI(msiEndpoint, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromMSI creates a ServicePrincipalToken via the MSI VM Extension. It will use the system assigned identity when creating the token.
func NewServicePrincipalTokenFromMSIWithUserAssignedID ¶
func NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, resource string, userAssignedID string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromMSIWithUserAssignedID creates a ServicePrincipalToken via the MSI VM Extension. It will use the specified user assigned identity when creating the token.
func NewServicePrincipalTokenFromManualToken ¶
func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID string, resource string, token Token, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromManualToken creates a ServicePrincipalToken using the supplied token
func NewServicePrincipalTokenFromManualTokenSecret ¶
func NewServicePrincipalTokenFromManualTokenSecret(oauthConfig OAuthConfig, clientID string, resource string, token Token, secret ServicePrincipalSecret, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromManualTokenSecret creates a ServicePrincipalToken using the supplied token and secret
func NewServicePrincipalTokenFromUsernamePassword ¶
func NewServicePrincipalTokenFromUsernamePassword(oauthConfig OAuthConfig, clientID string, username string, password string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenFromUsernamePassword creates a ServicePrincipalToken from the username and password.
func NewServicePrincipalTokenWithSecret ¶
func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, resource string, secret ServicePrincipalSecret, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error)
NewServicePrincipalTokenWithSecret create a ServicePrincipalToken using the supplied ServicePrincipalSecret implementation.
func (*ServicePrincipalToken) EnsureFresh ¶
func (spt *ServicePrincipalToken) EnsureFresh() error
EnsureFresh will refresh the token if it will expire within the refresh window (as set by RefreshWithin) and autoRefresh flag is on. This method is safe for concurrent use.
func (*ServicePrincipalToken) EnsureFreshWithContext ¶
func (spt *ServicePrincipalToken) EnsureFreshWithContext(ctx context.Context) error
EnsureFreshWithContext will refresh the token if it will expire within the refresh window (as set by RefreshWithin) and autoRefresh flag is on. This method is safe for concurrent use.
func (*ServicePrincipalToken) InvokeRefreshCallbacks ¶
func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error
InvokeRefreshCallbacks calls any TokenRefreshCallbacks that were added to the SPT during initialization
func (ServicePrincipalToken) MarshalJSON ¶
func (spt ServicePrincipalToken) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (ServicePrincipalToken) MarshalTokenJSON ¶
func (spt ServicePrincipalToken) MarshalTokenJSON() ([]byte, error)
MarshalTokenJSON returns the marshalled inner token.
func (*ServicePrincipalToken) OAuthToken ¶
func (spt *ServicePrincipalToken) OAuthToken() string
OAuthToken implements the OAuthTokenProvider interface. It returns the current access token.
func (*ServicePrincipalToken) Refresh ¶
func (spt *ServicePrincipalToken) Refresh() error
Refresh obtains a fresh token for the Service Principal. This method is not safe for concurrent use and should be syncrhonized.
func (*ServicePrincipalToken) RefreshExchange ¶
func (spt *ServicePrincipalToken) RefreshExchange(resource string) error
RefreshExchange refreshes the token, but for a different resource. This method is not safe for concurrent use and should be syncrhonized.
func (*ServicePrincipalToken) RefreshExchangeWithContext ¶
func (spt *ServicePrincipalToken) RefreshExchangeWithContext(ctx context.Context, resource string) error
RefreshExchangeWithContext refreshes the token, but for a different resource. This method is not safe for concurrent use and should be syncrhonized.
func (*ServicePrincipalToken) RefreshWithContext ¶
func (spt *ServicePrincipalToken) RefreshWithContext(ctx context.Context) error
RefreshWithContext obtains a fresh token for the Service Principal. This method is not safe for concurrent use and should be syncrhonized.
func (*ServicePrincipalToken) SetAutoRefresh ¶
func (spt *ServicePrincipalToken) SetAutoRefresh(autoRefresh bool)
SetAutoRefresh enables or disables automatic refreshing of stale tokens.
func (*ServicePrincipalToken) SetRefreshCallbacks ¶
func (spt *ServicePrincipalToken) SetRefreshCallbacks(callbacks []TokenRefreshCallback)
SetRefreshCallbacks replaces any existing refresh callbacks with the specified callbacks.
func (*ServicePrincipalToken) SetRefreshWithin ¶
func (spt *ServicePrincipalToken) SetRefreshWithin(d time.Duration)
SetRefreshWithin sets the interval within which if the token will expire, EnsureFresh will refresh the token.
func (*ServicePrincipalToken) SetSender ¶
func (spt *ServicePrincipalToken) SetSender(s Sender)
SetSender sets the http.Client used when obtaining the Service Principal token. An undecorated http.Client is used by default.
func (*ServicePrincipalToken) Token ¶
func (spt *ServicePrincipalToken) Token() Token
Token returns a copy of the current token.
func (*ServicePrincipalToken) UnmarshalJSON ¶
func (spt *ServicePrincipalToken) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type ServicePrincipalTokenSecret ¶
type ServicePrincipalTokenSecret struct {
ClientSecret string `json:"value"`
}
ServicePrincipalTokenSecret implements ServicePrincipalSecret for client_secret type authorization.
func (ServicePrincipalTokenSecret) MarshalJSON ¶
func (tokenSecret ServicePrincipalTokenSecret) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*ServicePrincipalTokenSecret) SetAuthenticationValues ¶
func (tokenSecret *ServicePrincipalTokenSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret. It will populate the form submitted during oAuth Token Acquisition using the client_secret.
type ServicePrincipalUsernamePasswordSecret ¶
type ServicePrincipalUsernamePasswordSecret struct { Username string `json:"username"` Password string `json:"password"` }
ServicePrincipalUsernamePasswordSecret implements ServicePrincipalSecret for username and password auth.
func (ServicePrincipalUsernamePasswordSecret) MarshalJSON ¶
func (secret ServicePrincipalUsernamePasswordSecret) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*ServicePrincipalUsernamePasswordSecret) SetAuthenticationValues ¶
func (secret *ServicePrincipalUsernamePasswordSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error
SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
type Token ¶
type Token struct { AccessToken string `json:"access_token"` RefreshToken string `json:"refresh_token"` ExpiresIn string `json:"expires_in"` ExpiresOn string `json:"expires_on"` NotBefore string `json:"not_before"` Resource string `json:"resource"` Type string `json:"token_type"` }
Token encapsulates the access token used to authorize Azure requests.
func CheckForUserCompletion ¶
func CheckForUserCompletion(sender Sender, code *DeviceCode) (*Token, error)
CheckForUserCompletion takes a DeviceCode and checks with the Azure AD OAuth endpoint to see if the device flow has: been completed, timed out, or otherwise failed
func WaitForUserCompletion ¶
func WaitForUserCompletion(sender Sender, code *DeviceCode) (*Token, error)
WaitForUserCompletion calls CheckForUserCompletion repeatedly until a token is granted or an error state occurs. This prevents the user from looping and checking against 'ErrDeviceAuthorizationPending'.
func (*Token) OAuthToken ¶
OAuthToken return the current access token
type TokenError ¶
type TokenError struct { Error *string `json:"error,omitempty"` ErrorCodes []int `json:"error_codes,omitempty"` ErrorDescription *string `json:"error_description,omitempty"` Timestamp *string `json:"timestamp,omitempty"` TraceID *string `json:"trace_id,omitempty"` }
TokenError is the object returned by the token exchange endpoint when something is amiss
type TokenRefreshCallback ¶
TokenRefreshCallback is the type representing callbacks that will be called after a successful token refresh
type TokenRefreshError ¶
TokenRefreshError is an interface used by errors returned during token refresh.