Documentation
Index
- Constants
- func AccessTokenEndpoint(serviceURL string) string
- func HTTPMiddleware(jwks *JWKS, next http.Handler, annotate AnnotationFunc) http.Handler
- func ImasJWKSEndpoint(serviceURL string) string
- func NewHTTPClient() *http.Client
- func NewTwirpAuthHook(_ *slog.Logger, jwks *JWKS, annotate AnnotationFunc) *twirp.ServerHooks
- func SetAuth(ctx context.Context, auth AuthInfo, err error) context.Context
- func TwirpAuthenticate(ctx context.Context, jwks *JWKS, annotate AnnotationFunc) (context.Context, error)
- type AccessTokenResponse
- type AccessTokenService
- type AccessTokenServiceOption
- type AnnotationFunc
- type AuthInfo
- type Claims
- type ErrNoToken
- type JWKS
- type JWKSOption
- type MockServer
- type MockServerOptions
- type MockService
- type PermissionsClaim
- type Transport
- type Userinfo
Constants
const (
	TokenTypeAccessToken = "access_token"
	TokenTypeIDToken     = "id_token"
)
Known token types.
Variables
This section is empty.
Functions
func AccessTokenEndpoint
func AccessTokenEndpoint(serviceURL string) string
AccessTokenEndpoint is a helper function that returns the v1 token endpoint URL given a URL that points to the access token service.
func HTTPMiddleware
func HTTPMiddleware(jwks *JWKS, next http.Handler, annotate AnnotationFunc) http.Handler
HTTPMiddleware populates the request context with NavigaID authentication information. If there is an XRay segment on the context, it is decorated with the sub claim as the user and an "imid_org" annotation.
It is the responsibility of the individual handlers to act on authentication errors by calling GetAuth() and inspecting the error.
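To make that contract concrete, here is an added, self-contained Go example (not code from the navigaid package): a middleware that records the authentication outcome, error included, on the request context, and a handler that is the one to decide what that error means. The AuthInfo shape, the Validator type, the context key, the GetAuth helper and the constructed validator are this example's own assumptions; the real package validates the token against a JWKS instead.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthInfo stands in for the package's AuthInfo type (assumed shape).
type AuthInfo struct{ Subject string }

// ErrNoToken mirrors the package's error for a request without a bearer token.
type ErrNoToken struct{}

func (ErrNoToken) Error() string { return "no bearer token in request" }

type authKey struct{}

type authResult struct {
	info AuthInfo
	err  error
}

// SetAuth stores the authentication outcome, error included, on the context.
func SetAuth(ctx context.Context, info AuthInfo, err error) context.Context {
	return context.WithValue(ctx, authKey{}, authResult{info: info, err: err})
}

// GetAuth returns what the middleware stored; a handler must inspect the error itself.
func GetAuth(ctx context.Context) (AuthInfo, error) {
	res, ok := ctx.Value(authKey{}).(authResult)
	if !ok {
		return AuthInfo{}, errors.New("request did not pass through the auth middleware")
	}
	return res.info, res.err
}

// Validator verifies a raw bearer token; the package does this against a JWKS.
type Validator func(token string) (AuthInfo, error)

// Middleware extracts the bearer token, validates it and records the result on the context.
// It never rejects a request itself, so public and protected handlers can share it and decide individually.
func Middleware(validate Validator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		info, err := AuthInfo{}, error(nil)
		const prefix = "Bearer "
		if header := r.Header.Get("Authorization"); !strings.HasPrefix(header, prefix) {
			err = ErrNoToken{}
		} else {
			info, err = validate(strings.TrimPrefix(header, prefix))
		}
		next.ServeHTTP(w, r.WithContext(SetAuth(r.Context(), info, err)))
	})
}

// ProtectedHandler is the per-handler enforcement point: it tells "no token" from "bad token" and only then serves.
func ProtectedHandler(w http.ResponseWriter, r *http.Request) {
	info, err := GetAuth(r.Context())
	var noToken ErrNoToken
	switch {
	case errors.As(err, &noToken):
		http.Error(w, "authentication required", http.StatusUnauthorized)
	case err != nil:
		http.Error(w, "invalid token", http.StatusUnauthorized)
	default:
		fmt.Fprintf(w, "hello %s", info.Subject)
	}
}

// constructedValidator accepts exactly one constructed token value for the demo.
func constructedValidator(token string) (AuthInfo, error) {
	if token == "valid-demo-token" {
		return AuthInfo{Subject: "user-123"}, nil
	}
	return AuthInfo{}, errors.New("signature verification failed")
}

// Call sends one request with the given Authorization header through the middleware
// and returns the status and body, so the outcome can be checked without a network.
func Call(authorization string) (int, string) {
	h := Middleware(constructedValidator, http.HandlerFunc(ProtectedHandler))
	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, a := range []string{"", "Bearer bogus", "Bearer valid-demo-token"} {
		code, body := Call(a)
		fmt.Printf("%-26q -> %d %s\n", a, code, body)
	}
}
```

Because the middleware stores the error instead of short-circuiting, a handler that serves public content can simply ignore GetAuth, while a protected handler can return a different status for a missing token than for a forged one.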
func ImasJWKSEndpoint
func ImasJWKSEndpoint(serviceURL string) string
ImasJWKSEndpoint is a helper function that returns the v1 JWKS endpoint URL given a URL that points to the IMAS service.
func NewHTTPClient
func NewHTTPClient() *http.Client
func NewTwirpAuthHook
func NewTwirpAuthHook(_ *slog.Logger, jwks *JWKS, annotate AnnotationFunc) *twirp.ServerHooks
NewTwirpAuthHook creates a twirp server hook that requires a valid NavigaID access token and adds the authentication result to the request context.
func TwirpAuthenticate
func TwirpAuthenticate(ctx context.Context, jwks *JWKS, annotate AnnotationFunc) (context.Context, error)
TwirpAuthenticate verifies that there is a valid access token and adds the authentication result to the request context.
Types
type AccessTokenResponse
type AccessTokenResponse struct {
	AccessToken string `json:"access_token"` //nolint:tagliatelle
	TokenType   string `json:"token_type"`   //nolint:tagliatelle
	ExpiresIn   int    `json:"expires_in"`   //nolint:tagliatelle
}
AccessTokenResponse is the response retrieved from navigaID.
type AccessTokenService
type AccessTokenService struct {
// contains filtered or unexported fields
}
AccessTokenService can validate access tokens and create access tokens from naviga-id tokens.
Example
package main

import (
	"fmt"

	"github.com/dimelords/panurge/navigaid"
)

func main() {
	service := navigaid.New(
		"https://access-token.stage.imid.infomaker.io/v1/token",
	)

	jwks := navigaid.NewJWKS(
		navigaid.ImasJWKSEndpoint("https://imas.stage.imid.infomaker.io"),
	)

	navigaIDToken := "..."

	at, err := service.NewAccessToken(navigaIDToken)
	if err != nil {
		fmt.Println(err)
		// at is nil on error, so dereferencing it below would panic.
		return
	}

	claims, err := jwks.Validate(at.AccessToken)
	if err != nil {
		fmt.Println(err)
		return
	}

	fmt.Printf("%#v\n", claims)
}
Output:
func New
func New(tokenEndpoint string, options ...AccessTokenServiceOption) *AccessTokenService
New creates a new access token service with given options.
func (*AccessTokenService) NewAccessToken
func (ats *AccessTokenService) NewAccessToken(navigaIDToken string) (*AccessTokenResponse, error)
NewAccessToken takes a navigaID token and returns an access token.
type AccessTokenServiceOption
type AccessTokenServiceOption func(ats *AccessTokenService)
func WithAccessTokenClient
func WithAccessTokenClient(client *http.Client) AccessTokenServiceOption
WithAccessTokenClient sets the HTTP client that should be used for access token requests.
type AnnotationFunc
AnnotationFunc is used to add authentication annotations to the context.
type Claims
type Claims struct {
	jwt.RegisteredClaims
	Org         string           `json:"org"`
	Groups      []string         `json:"groups"`
	Userinfo    Userinfo         `json:"userinfo"`
	TokenType   string           `json:"ntt"`
	Permissions PermissionsClaim `json:"permissions"`
}
Claims holds the token holder's organisation and groups, along with user info, the token type and permissions.
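As an added worked example (not the package's validator), the following Go code shows what turning a token into Claims involves for an RS256 JWT: the algorithm is pinned before any key is used, the signature is verified before any claim is read, and then exp and the ntt token type are checked, so an id_token is refused where an access_token is required. The reduced Claims struct, the keys map standing in for the JWKS, the Sign helper and all token values are this example's assumptions and constructions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is a reduced stand-in for the package's Claims: registered "sub" and "exp" plus the "ntt" token type.
type Claims struct {
	Sub       string `json:"sub"`
	Exp       int64  `json:"exp"`
	TokenType string `json:"ntt"`
}

// ValidateAccessToken verifies an RS256 JWT against the published keys (a plain map here, standing in
// for the JWKS) and returns its claims. Order matters: the algorithm is pinned before any key is used,
// the signature is checked before any claim is trusted, and an id_token is refused even if otherwise valid.
func ValidateAccessToken(token string, keys map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token or header")
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired or carries no exp")
	}
	if c.TokenType != "access_token" {
		return nil, fmt.Errorf("token type %q is not an access token", c.TokenType)
	}
	return &c, nil
}

// Sign mints a token for the demo (constructed helper, not package code). alg is a parameter only so the
// demo can show the verifier refusing a token whose header names another algorithm.
func Sign(key *rsa.PrivateKey, kid, alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Demo generates a key, validates one good token and three that must be refused, and returns
// the subject from the good one plus the reason text for each refusal.
func Demo() (string, []string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	keys := map[string]*rsa.PublicKey{"key-1": &key.PublicKey}
	now := time.Now()
	good := Claims{Sub: "user-123", Exp: now.Add(5 * time.Minute).Unix(), TokenType: "access_token"}
	c, err := ValidateAccessToken(Sign(key, "key-1", "RS256", good), keys, now)
	if err != nil {
		return "", nil, err
	}
	expired, idToken := good, good
	expired.Exp = now.Add(-time.Second).Unix()
	idToken.TokenType = "id_token"
	var refusals []string
	for _, tok := range []string{
		Sign(key, "key-1", "RS256", expired),
		Sign(key, "key-1", "RS256", idToken),
		Sign(key, "key-1", "HS256", good), // header names another algorithm: refused before any key is used
	} {
		_, err := ValidateAccessToken(tok, keys, now)
		refusals = append(refusals, fmt.Sprint(err))
	}
	return c.Sub, refusals, nil
}

func main() {
	fmt.Println(Demo())
}
```

The ntt check is the reason the page lists both TokenTypeAccessToken and TokenTypeIDToken: both are signed by the same issuer, so only the claim tells an API which one it has been handed.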
func (Claims) HasPermissionsInOrganisation
HasPermissionsInOrganisation checks if the holder has a set of permissions in the organisation.
func (Claims) HasPermissionsInUnit
HasPermissionsInUnit checks if the holder has a set of permissions in a unit, either directly, or inherited from the organisation.
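The two checks above, as an added illustration rather than the package's implementation: the organisation-wide set is built first and the unit's own grants are layered on top, so a unit check inherits from the organisation while an organisation check does not see unit-only grants. The PermissionsClaim field layout (Org and Units), the variadic permission arguments and the fail-closed treatment of an empty requirement are assumptions of this example, since the page does not show them; the sample claims are constructed.

```go
package main

import "fmt"

// PermissionsClaim is an assumed layout for the package's claim: permissions granted
// organisation-wide, plus per-unit grants keyed by unit name.
type PermissionsClaim struct {
	Org   []string            `json:"org"`
	Units map[string][]string `json:"units"`
}

func toSet(perms []string) map[string]bool {
	set := make(map[string]bool, len(perms))
	for _, p := range perms {
		set[p] = true
	}
	return set
}

// PermissionsInOrganisation returns the organisation-wide permissions only.
func (p PermissionsClaim) PermissionsInOrganisation() map[string]bool {
	return toSet(p.Org)
}

// PermissionsInUnit returns the unit's permissions with the organisation-wide ones
// inherited: the org set is built first and the unit's own grants are layered on top.
func (p PermissionsClaim) PermissionsInUnit(unit string) map[string]bool {
	set := p.PermissionsInOrganisation()
	for _, perm := range p.Units[unit] {
		set[perm] = true
	}
	return set
}

// Claims is reduced to the field this example needs.
type Claims struct {
	Permissions PermissionsClaim `json:"permissions"`
}

// hasAll reports whether every required permission is granted. An empty requirement is
// refused on purpose (this example's choice): a call site that forgets to name a
// permission should fail closed rather than grant access.
func hasAll(granted map[string]bool, required ...string) bool {
	if len(required) == 0 {
		return false
	}
	for _, r := range required {
		if !granted[r] {
			return false
		}
	}
	return true
}

// HasPermissionsInOrganisation checks the organisation-wide set only.
func (c Claims) HasPermissionsInOrganisation(perms ...string) bool {
	return hasAll(c.Permissions.PermissionsInOrganisation(), perms...)
}

// HasPermissionsInUnit checks the unit set, which includes the inherited organisation grants.
func (c Claims) HasPermissionsInUnit(unit string, perms ...string) bool {
	return hasAll(c.Permissions.PermissionsInUnit(unit), perms...)
}

// SampleClaims is a constructed payload: "read" everywhere, "publish" only in the sports unit.
var SampleClaims = Claims{Permissions: PermissionsClaim{
	Org:   []string{"read"},
	Units: map[string][]string{"sports": {"publish"}},
}}

func main() {
	fmt.Println(SampleClaims.HasPermissionsInUnit("sports", "read", "publish")) // true: read inherited, publish direct
	fmt.Println(SampleClaims.HasPermissionsInUnit("culture", "publish"))        // false: publish is not organisation-wide
	fmt.Println(SampleClaims.HasPermissionsInOrganisation("publish"))          // false: a unit grant does not bubble up
}
```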
type ErrNoToken
type ErrNoToken struct{}
ErrNoToken is used to communicate that no bearer token was included in the request.
func (ErrNoToken) Error
func (err ErrNoToken) Error() string
type JWKS
type JWKS struct {
// contains filtered or unexported fields
}
JWKS can validate access tokens using published JWKS.
func NewJWKS
func NewJWKS(jwksEndpoint string, options ...JWKSOption) *JWKS
NewJWKS creates a new access token validator.
type JWKSOption
type JWKSOption func(j *JWKS)
JWKSOption is a function that controls the JWKS configuration.
func WithJwksClient
func WithJwksClient(client *http.Client) JWKSOption
WithJwksClient sets the HTTP client that should be used for requests.
func WithJwksTTL
func WithJwksTTL(ttl time.Duration) JWKSOption
WithJwksTTL can be used to change the default JWKS refresh rate.
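To show what the TTL and the injectable client govern, here is an added, self-contained Go example (not the package's code) of a JWKS cache: keys are fetched over HTTP with the supplied client, parsed from the RSA JWK members, cached, and fetched again only once the TTL has elapsed, against a mock endpoint written in the spirit of the page's MockServer. The Key method, the Fetches counter, the refresh policy for unknown key ids and the mock server are this example's own constructs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// jwk carries the RSA members of a JSON Web Key that a verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS fetches keys from a JWKS endpoint and caches them for ttl; the HTTP client is
// injectable as WithJwksClient allows. Fetches counts round trips so the TTL's effect is visible.
type JWKS struct {
	endpoint  string
	client    *http.Client
	ttl       time.Duration
	mu        sync.Mutex // middleware calls Key from many goroutines at once
	keys      map[string]*rsa.PublicKey
	fetchedAt time.Time
	Fetches   int
}

func NewJWKS(endpoint string, client *http.Client, ttl time.Duration) *JWKS {
	return &JWKS{endpoint: endpoint, client: client, ttl: ttl}
}

// Key returns the public key published under kid, refreshing the cache when it is empty or older
// than ttl. An unknown kid is an error, not a refetch trigger, so a stream of tokens with bogus
// kids cannot turn the verifier into a load generator against the endpoint.
func (j *JWKS) Key(kid string) (*rsa.PublicKey, error) {
	j.mu.Lock()
	defer j.mu.Unlock()
	if j.keys == nil || time.Since(j.fetchedAt) > j.ttl {
		if err := j.refresh(); err != nil {
			return nil, err
		}
	}
	if pub, ok := j.keys[kid]; ok {
		return pub, nil
	}
	return nil, fmt.Errorf("no key with kid %q in JWKS", kid)
}

// refresh downloads the JWKS document and swaps in the parsed keys only if all of them parse.
func (j *JWKS) refresh() error {
	resp, err := j.client.Get(j.endpoint)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var doc struct{ Keys []jwk }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&doc) != nil {
		return fmt.Errorf("JWKS endpoint returned status %d or a malformed document", resp.StatusCode)
	}
	keys := make(map[string]*rsa.PublicKey, len(doc.Keys))
	for _, k := range doc.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return fmt.Errorf("malformed key %q", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	j.keys, j.fetchedAt, j.Fetches = keys, time.Now(), j.Fetches+1
	return nil
}

// NewMockJWKSServer publishes one freshly generated RSA key as a JWKS document, in the
// spirit of the package's MockServer (constructed for this example).
func NewMockJWKSServer() (*httptest.Server, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	doc, _ := json.Marshal(map[string][]jwk{"keys": {{Kty: "RSA", Kid: "key-1",
		N: base64.RawURLEncoding.EncodeToString(key.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}})
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write(doc) }))
	return srv, key, nil
}

func main() {
	srv, key, err := NewMockJWKSServer()
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	jwks := NewJWKS(srv.URL, srv.Client(), time.Hour)
	pub, err := jwks.Key("key-1")
	fmt.Println(pub != nil && pub.N.Cmp(key.N) == 0, err, jwks.Fetches)
}
```

The TTL is a trade-off: a long TTL means fewer round trips but a slower pickup of a rotated key, and a verifier that refetches on every unknown kid hands load control to whoever sends the tokens. A production cache usually combines a TTL like the one here with one rate-limited refetch on an unknown kid.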
type MockServer
type MockServer struct {
	Server       *httptest.Server
	PrivateKey   *rsa.PrivateKey
	PrivateKeyID string
	Client       *http.Client
}
func NewMockServer
func NewMockServer(opts MockServerOptions) (*MockServer, error)
This mock server mocks two endpoints, one for creating new access tokens and another one for providing keys.
type MockServerOptions
type MockService
type MockService struct {
	Mux        *http.ServeMux
	PrivateKey *rsa.PrivateKey
	// contains filtered or unexported fields
}
func NewMockService
func NewMockService(opts MockServerOptions) (MockService, error)
This mock service mocks two endpoints, one for creating new access tokens and another one for providing keys.
func (MockService) ServeHTTP
func (ms MockService) ServeHTTP(rw http.ResponseWriter, r *http.Request)
type PermissionsClaim
PermissionsClaim describes the permissions the holder has in an organisation-wide and per-unit context.
func (PermissionsClaim) PermissionsInOrganisation
func (p PermissionsClaim) PermissionsInOrganisation() map[string]bool
PermissionsInOrganisation returns the permissions the holder has in the organisation.
func (PermissionsClaim) PermissionsInUnit
func (p PermissionsClaim) PermissionsInUnit(unit string) map[string]bool
PermissionsInUnit returns the permissions the holder has in a unit, either directly, or inherited from the organisation.
type Transport
type Transport struct {
	// Base is the base RoundTripper used to make HTTP requests.
	// If nil, http.DefaultTransport is used.
	Base http.RoundTripper
}
Transport is an http.RoundTripper that makes OAuth 2.0 HTTP requests based on the incoming NavigaID context.
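An added illustration, not the package's Transport: a RoundTripper that attaches the bearer token found on the request context, falls back to http.DefaultTransport when Base is nil, clones the request before touching headers (as the RoundTripper contract requires), and fails closed when no token is present or the target is plaintext HTTP. The context key, WithAccessToken, the loopback exemption and the echo server are this example's assumptions; the real Transport derives the token from the NavigaID context.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

type tokenKey struct{}

// WithAccessToken puts the caller's access token on the context; the package derives it
// from the incoming NavigaID context, which this key stands in for.
func WithAccessToken(ctx context.Context, token string) context.Context {
	return context.WithValue(ctx, tokenKey{}, token)
}

// Transport is an http.RoundTripper that adds "Authorization: Bearer <token>" from the
// request context. Base defaults to http.DefaultTransport, as the package documents.
type Transport struct {
	Base http.RoundTripper
}

func (t Transport) RoundTrip(req *http.Request) (*http.Response, error) {
	token, _ := req.Context().Value(tokenKey{}).(string)
	if token == "" { // fail closed: an authenticated call must not go out anonymously
		return nil, errors.New("no access token on request context")
	}
	if host := req.URL.Hostname(); req.URL.Scheme != "https" && host != "127.0.0.1" && host != "localhost" {
		return nil, errors.New("refusing to send a bearer token over plaintext HTTP")
	}
	base := t.Base
	if base == nil {
		base = http.DefaultTransport
	}
	clone := req.Clone(req.Context()) // RoundTrippers must not modify the caller's request
	clone.Header.Set("Authorization", "Bearer "+token)
	return base.RoundTrip(clone)
}

// Fetch performs a GET with the token carried by ctx and returns status and body.
func Fetch(ctx context.Context, client *http.Client, url string) (int, string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return 0, "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// NewEchoServer is a constructed upstream that reports the bearer token it received.
func NewEchoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if auth == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "got "+auth)
	}))
}

// Demo sends one request with a token and one without through the Transport.
func Demo() (status int, body string, withoutTokenErr error, err error) {
	srv := NewEchoServer()
	defer srv.Close()
	client := &http.Client{Transport: Transport{Base: srv.Client().Transport}}
	status, body, err = Fetch(WithAccessToken(context.Background(), "demo-token"), client, srv.URL)
	if err != nil {
		return 0, "", nil, err
	}
	_, _, withoutTokenErr = Fetch(context.Background(), client, srv.URL)
	return status, body, withoutTokenErr, nil
}

func main() {
	fmt.Println(Demo())
}
```

Wrapping the base transport rather than setting the header at each call site keeps the token out of application code and makes the plaintext check a single policy point; the loopback exemption exists only so the httptest server in this example works.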