Documentation ¶
Index ¶
- func Defaults() oauth.Modifier
- func FromFlags(f *Flags) (oauth.Modifier, error)
- func NewGetGroupsVerifier(conf *oauth2.Config) (oauth.Verifier, error)
- func NewGetUserInfoVerifier(conf *oauth2.Config) (oauth.Verifier, error)
- func NewOidJWTVerifier(conf *oauth2.Config) (oauth.Verifier, error)
- func SplitUsername(email, hd string) (string, string)
- type Flags
- type GetGroupsVerifier
- type GetUserInfoVerifier
- type OidJWTVerifier
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewGetUserInfoVerifier ¶
func NewGetUserInfoVerifier(conf *oauth2.Config) (oauth.Verifier, error)
NewGetUserInfoVerifier returns a verifier that fetches the user's userinfo to check that a token is valid.
It performs an HTTP request for every validation attempt. If the request fails, either the token is invalid or there is a problem with the API backend; the failure alone does not tell the caller which.
func NewOidJWTVerifier ¶
func NewOidJWTVerifier(conf *oauth2.Config) (oauth.Verifier, error)
NewOidJWTVerifier returns a verifier that fetches a Google certificate over HTTPS once and uses it to verify the signature of the JWT carried in the extra information attached to a returned token.
This only requires fetching a certificate at startup (and, ideally, refreshing it every now and then so that key rotation does not break verification); after that, plain cryptographic operations verify the signature on every token with no further network round trip.
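The verification flow described above, as an added example that is not part of this package: the key set is populated once in-process (standing in for the certificate fetched at startup), tokens are then checked with local crypto only, and a token naming a key ID that is not cached fails with a distinct error so the caller knows to refresh. The key pair, the token minting helper and the claim set are constructed for the example; the names KeySet, SignRS256 and Verify are assumptions, not this package's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the ID-token fields this example checks after the signature.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// KeySet stands in for the certificate document fetched once at startup: public keys by kid.
type KeySet struct{ keys map[string]*rsa.PublicKey }

func NewKeySet() *KeySet { return &KeySet{keys: map[string]*rsa.PublicKey{}} }

// Add installs (or, on rotation, replaces) the public key published under kid.
func (ks *KeySet) Add(kid string, pub *rsa.PublicKey) { ks.keys[kid] = pub }

// ErrUnknownKey means the token names a kid we have not cached: refresh the set.
var ErrUnknownKey = errors.New("unknown kid: refresh the key cache")

var b64 = base64.RawURLEncoding

// SignRS256 mints a compact JWT the way the issuer would. It exists only so the
// example can produce tokens offline (constructed, not an issuer's code).
func SignRS256(kid string, key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature with the cached key named by kid, then issuer,
// audience and expiry. Nothing here touches the network.
func (ks *KeySet) Verify(token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "RS256" { // the token must not get to pick "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := ks.keys[hdr.Kid]
	if !ok {
		return nil, ErrUnknownKey
	}
	sig, err := b64.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // decode claims only after the signature is known good
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("token issued for another client: %q", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	ks := NewKeySet()
	ks.Add("k1", &key.PublicKey) // the one-time "fetch" of the issuer's key
	now := time.Now()
	tok, _ := SignRS256("k1", key, Claims{Iss: "https://accounts.google.com", Aud: "client-id", Email: "alice@corp.example", Exp: now.Add(time.Hour).Unix()})
	c, err := ks.Verify(tok, "https://accounts.google.com", "client-id", now)
	fmt.Printf("%+v %v\n", c, err)
}
```

The order matters: the alg is pinned and the signature checked before any claim is decoded, so a tampered payload or a token under a different key never reaches the issuer/audience/expiry logic. ErrUnknownKey is the refresh cue the note about "refreshing it every now and then" refers to; treating it as a hard failure without a refresh path would lock users out at the issuer's next key rotation.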
func SplitUsername ¶
func SplitUsername(email, hd string) (string, string)
Types ¶
type Flags ¶
type Flags struct {
	// Use JWT certs or API calls to retrieve user info.
	// Valid values are jwt or api.
	FetchMethod string

	// Tri-state:
	//   disabled: don't retrieve groups.
	//   enabled:  retrieve groups, but don't fail if there is an error.
	//   enforced: retrieve groups, fail if there is an error.
	GroupsPolicy string
}
func DefaultFlags ¶
func DefaultFlags() *Flags
type GetGroupsVerifier ¶
type GetGroupsVerifier struct {
	// Used mostly for testing, overrides the API endpoint if not empty.
	BasePath string
	// contains filtered or unexported fields
}
GetGroupsVerifier retrieves the user membership in groups.
The groups are stored in the identity cookie of the user, and can optionally be used to deny (or allow) access.
The GetGroupsVerifier relies on the cloudidentity API, which is very poorly documented here:
https://pkg.go.dev/google.golang.org/api/cloudidentity/v1beta1#GroupsMembershipsService.SearchTransitiveGroups
... and was announced in this blog post:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
This is the only "documented" API that allows retrieving membership without an admin key or admin privileges, relying solely on the credentials of the user.
The API is recursive/transitive: if the user is a member of group A, and group A is a member of group B, then the user is a member of both A and B. However, this API has one major flaw: if one of the groups is closed, or configured such that the API cannot compute the transitive membership, the API fails entirely and returns an error.
If any user of your org is part of an external/public Google group, the API will most likely fail for that user.
The API allows specifying a query, but the set of fields available for the query appears to be undocumented. We could not find any way to constrain the recursive search to only groups belonging to the domain.
However, the query can be constrained to the "kind of group". Specifically, it recognizes these kinds of groups:
- traditional Google groups (label "groups.discussion_forum")
- security groups (label "groups.security")
- ... a few more not relevant here ...
From the documentation, any traditional Google group can be labeled as a security group. Once labeled, a few more restrictions are enforced, including preventing external or non-security groups from joining.
GetGroupsVerifier will thus only return security groups.
To label a group as a security group, you can tag it via the UI by visiting admin.google.com (groups.google.com does not expose the feature!) or by using `gcloud identity groups update --labels=...`. More details here:
https://support.google.com/a/answer/10607394?hl=en
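The GroupsPolicy tri-state and the transitive-lookup failure mode described above, as an added example that is not this package's code. It wraps a single search call, applies disabled/enabled/enforced semantics, and keeps only groups carrying the security label. The search function, the Membership type and the label key are constructed stand-ins: the real API returns a namespaced label key and a richer membership object, and the names ResolveGroups and fakeSearch are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// GroupsPolicy is the tri-state documented on Flags.GroupsPolicy.
type GroupsPolicy string

const (
	Disabled GroupsPolicy = "disabled" // don't retrieve groups
	Enabled  GroupsPolicy = "enabled"  // retrieve, but ignore lookup errors
	Enforced GroupsPolicy = "enforced" // retrieve, and fail the login on error
)

// SecurityLabel uses the page's short label name. The real API returns a
// namespaced key, so treat this constant as a placeholder (assumption).
const SecurityLabel = "groups.security"

// Membership is a constructed, simplified view of one transitive-group result.
type Membership struct {
	Group  string
	Labels map[string]string
}

// ErrTransitiveUnavailable stands in for the error the API returns when one
// group in the chain (e.g. an external/public group) cannot be expanded.
var ErrTransitiveUnavailable = errors.New("cannot compute transitive membership")

// SearchFn is the lookup being wrapped. In the real package it would call the
// cloudidentity SearchTransitiveGroups endpoint with the user's own token.
type SearchFn func(userEmail string) ([]Membership, error)

// ResolveGroups applies the policy around a single search call and keeps only
// groups carrying the security label, so a stray discussion-forum group never
// reaches an allow/deny decision.
func ResolveGroups(policy GroupsPolicy, search SearchFn, user string) ([]string, error) {
	switch policy {
	case Disabled:
		return nil, nil
	case Enabled, Enforced:
	default:
		return nil, fmt.Errorf("invalid GroupsPolicy %q", policy)
	}
	ms, err := search(user)
	if err != nil {
		if policy == Enforced {
			return nil, fmt.Errorf("group lookup for %s: %w", user, err)
		}
		return nil, nil // enabled: degrade to "no groups known" rather than block the login
	}
	var groups []string
	for _, m := range ms {
		if _, ok := m.Labels[SecurityLabel]; ok {
			groups = append(groups, m.Group)
		}
	}
	return groups, nil
}

// fakeSearch is constructed test data: alice resolves cleanly, bob is in an
// external group and trips the transitive-expansion failure.
func fakeSearch(user string) ([]Membership, error) {
	switch user {
	case "alice@corp.example":
		return []Membership{
			{Group: "eng@corp.example", Labels: map[string]string{SecurityLabel: ""}},
			{Group: "fun-chat@corp.example", Labels: map[string]string{"groups.discussion_forum": ""}},
		}, nil
	default:
		return nil, ErrTransitiveUnavailable
	}
}

func main() {
	for _, p := range []GroupsPolicy{Disabled, Enabled, Enforced} {
		for _, u := range []string{"alice@corp.example", "bob@corp.example"} {
			g, err := ResolveGroups(p, fakeSearch, u)
			fmt.Printf("%-8s %-18s groups=%v err=%v\n", p, u, g, err)
		}
	}
}
```

The practical caveat is visible in the enabled case: a lookup that fails because of the transitive-expansion flaw yields an empty group list with no error, which is indistinguishable from a user who is in no security groups. If group membership is used to allow access that fails closed; if it is used to deny access it fails open, and only enforced makes the failure visible.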
func (*GetGroupsVerifier) Scopes ¶
func (ggv *GetGroupsVerifier) Scopes() []string
type GetUserInfoVerifier ¶
type GetUserInfoVerifier struct {
// contains filtered or unexported fields
}
func (*GetUserInfoVerifier) Scopes ¶
func (gui *GetUserInfoVerifier) Scopes() []string
type OidJWTVerifier ¶
type OidJWTVerifier struct {
// contains filtered or unexported fields
}
func (*OidJWTVerifier) Scopes ¶
func (ojt *OidJWTVerifier) Scopes() []string