Documentation
Index
- func HEARTScopesHandler(resourceName string) gin.HandlerFunc
- func OAuthIntrospectionHandler(clientID, clientSecret, endpoint string) gin.HandlerFunc
- func OIDCAuthenticationHandler(config oauth2.Config) gin.HandlerFunc
- func RedirectHandler(config oauth2.Config, successfulAuthRedirectURL, userInfoURL string) gin.HandlerFunc
- type Config
- type Method
Constants
This section is empty.
Variables
This section is empty.
Functions
func HEARTScopesHandler
func HEARTScopesHandler(resourceName string) gin.HandlerFunc
HEARTScopesHandler is middleware that provides authorization checking against the scopes described in the Health Relationship Trust (HEART) Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes (http://openid.bitbucket.org/HEART/openid-heart-fhir-oauth2.html) and the SMART App Authorization Guide (http://docs.smarthealthit.org/authorization/).
The assumption is that gin handlers that run before this one take care of OAuth 2.0 token introspection or OpenID Connect authentication. This handler reads the scopes stored in the gin.Context and checks whether they permit access to the named resource.
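As an added illustration (not the package's own code, and written without the gin dependency), this is the kind of check such a handler performs, applied to SMART/HEART-style scope strings. The resource wildcard and the mapping of HTTP methods to read/write are assumptions about the profiles' scope grammar, and the scopes slice stands in for the value an earlier handler would have stored in the gin.Context.

```go
package main

import "strings"

// Scope is one parsed SMART/HEART FHIR scope such as "user/Patient.read",
// "patient/*.read" or "system/Observation.*".
type Scope struct {
	Context  string // "user", "patient" or "system"
	Resource string // FHIR resource type name, or "*" for any
	Access   string // "read", "write" or "*"
}

// ParseScope accepts only well-formed <context>/<resource>.<access> scopes; anything
// else ("openid", "launch/patient", ...) is not a resource scope and grants no access.
func ParseScope(s string) (Scope, bool) {
	ctx, rest, ok := strings.Cut(s, "/")
	res, access, ok2 := strings.Cut(rest, ".")
	switch {
	case !ok || !ok2 || res == "":
		return Scope{}, false
	case ctx != "user" && ctx != "patient" && ctx != "system":
		return Scope{}, false
	case access != "read" && access != "write" && access != "*":
		return Scope{}, false
	}
	return Scope{ctx, res, access}, true
}

// requiredAccess maps a FHIR interaction's HTTP method to the access level it needs.
func requiredAccess(method string) string {
	if method == "GET" || method == "HEAD" {
		return "read"
	}
	return "write"
}

// Authorized reports whether any of the token's scopes permits the HTTP method on the
// named resource type. It is deny-by-default: no scopes, or only malformed ones, allow
// nothing. (patient/ scopes also confine results to one patient; not modelled here.)
func Authorized(scopes []string, method, resourceName string) bool {
	need := requiredAccess(method)
	for _, raw := range scopes {
		sc, ok := ParseScope(raw)
		if ok && (sc.Resource == "*" || sc.Resource == resourceName) &&
			(sc.Access == "*" || sc.Access == need) {
			return true
		}
	}
	return false
}
```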
func OAuthIntrospectionHandler
func OAuthIntrospectionHandler(clientID, clientSecret, endpoint string) gin.HandlerFunc
OAuthIntrospectionHandler creates a gin.HandlerFunc that can be used to introspect OAuth 2.0 tokens provided in the request.
This middleware will abort any requests that do not have an Authorization header. It will also halt requests if the provided bearer token is inactive or expired.
If a valid token is provided, the gin.Context is augmented by setting the following variables:
- scopes: a []string containing all scopes valid for the provided token.
- subject: an identifier for the user who delegated the authority represented by the token.
- clientID: the identifier for the client issuing the request.
- clientID: the identifier for the OAuth 2.0 client allowed to access the token introspection endpoint.
- clientSecret: the secret for the registered client.
- endpoint: the URL of the token introspection endpoint at the OAuth 2.0 authorization server.
This is for performing token introspection using a "plain" OAuth 2.0 client. For HEART profiled OAuth 2.0 see:
https://github.com/mitre/heart/blob/master/middleware.go
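The exchange this handler performs, written out as an added example rather than the package's own code: an RFC 7662 introspection client that fails closed exactly where the text says the middleware aborts, plus a constructed stand-in authorization server so it runs offline. The client_secret_post credential form, the token value and the returned claims are assumptions; gin is omitted, so the returned struct plays the role of the context variables.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Introspection holds the RFC 7662 response fields the middleware depends on.
type Introspection struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope"` // space-separated, e.g. "user/Patient.read"
	Subject  string `json:"sub"`
	ClientID string `json:"client_id"`
	Exp      int64  `json:"exp"` // unix seconds; 0 if the AS omitted it
}

// Introspect POSTs the token to the endpoint as the registered client (client_secret_post) and fails closed on inactive or expired tokens.
func Introspect(endpoint, clientID, clientSecret, token string, now time.Time) (*Introspection, error) {
	resp, err := http.PostForm(endpoint, url.Values{"token": {token}, "client_id": {clientID}, "client_secret": {clientSecret}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var in Introspection
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&in) != nil {
		return nil, errors.New("introspection request failed")
	}
	if !in.Active || (in.Exp != 0 && !now.Before(time.Unix(in.Exp, 0))) {
		return nil, errors.New("token inactive or expired") // the handler aborts the request here
	}
	return &in, nil // Scope, Subject and ClientID are what the handler stores in the gin.Context
}

// FakeAS is a constructed stand-in authorization server whose introspection endpoint
// recognises exactly one token (a real AS would also authenticate the calling client).
func FakeAS(clientID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res := Introspection{Active: false} // unknown, revoked or expired token
		if r.FormValue("token") == "good-token" {
			res = Introspection{Active: true, Scope: "user/Patient.read user/Observation.*",
				Subject: "practitioner-42", ClientID: clientID, Exp: time.Now().Add(time.Hour).Unix()}
		}
		json.NewEncoder(w).Encode(res)
	}))
}
```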
func OIDCAuthenticationHandler
func OIDCAuthenticationHandler(config oauth2.Config) gin.HandlerFunc
OIDCAuthenticationHandler is a middleware that checks for the presence of a session with a UserInfo value set. If it exists, the handler assumes that the user has logged in at some point. It then checks the session for a token. If the token has not expired, the handler stores the UserInfo in a UserInfo value on the gin.Context.
If there is no UserInfo value present in the session, or if the OpenIDTokenResponse has expired, the user is redirected to the provided redirectURI.
func RedirectHandler
func RedirectHandler(config oauth2.Config, successfulAuthRedirectURL, userInfoURL string) gin.HandlerFunc
RedirectHandler provides a gin.HandlerFunc to process the authentication response from an OpenID Provider.
Types
type Config
type Config struct {
	Method           Method
	ClientID         string
	ClientSecret     string
	AuthorizationURL string
	TokenURL         string
	IntrospectionURL string
	UserInfoURL      string
	JWKPath          string
	OPURL            string
	SessionSecret    string
}
Config represents the configuration information necessary to set up authentication and authorization for the FHIR server.
func HEART
HEART provides a server configuration that will act as a HEART profiled OpenID Connect relying party for authentication, and will perform HEART profiled OAuth 2.0 token introspection to the same server for authorization.
This configuration uses the HEART scopes for authorizing access to FHIR resources when using OAuth 2.0.
- clientID: the registered ID at the OpenID Connect Provider (OP).
- jwkPath: the file location of this client's private key in JWK format; the corresponding public key is expected to have been registered at the OP.
- opURL: the location of the OIDC OP. Discovery is used to locate all of the other necessary endpoints.
- sessionSecret: the secret used to encrypt the session when it is stored in the user's cookie.
func None
func None() Config
None provides a server config where no authorization or authentication is performed.
func OIDC
func OIDC(clientID, clientSecret, authorizationURL, tokenURL, userInfoURL, introspectionURL, sessionSecret string) Config
OIDC provides a server configuration that will act as an OpenID Connect relying party for authentication, and will perform OAuth 2.0 token introspection to the same server for authorization.
This configuration still uses the HEART scopes for authorizing access to FHIR resources when using OAuth 2.0.
- clientID: the registered ID at the OpenID Connect Provider (OP).
- clientSecret: the secret for the client (usually generated by the OP).
- authorizationURL: where to redirect users for authorization.
- tokenURL: where to obtain OAuth 2.0 tokens.
- userInfoURL: the location of the OpenID Connect UserInfo endpoint.
- introspectionURL: the location of the OAuth 2.0 token introspection endpoint.
- sessionSecret: the secret used to encrypt the session when it is stored in the user's cookie.