Documentation
Overview
Package serviceaccount authenticates requests using Google Cloud service accounts, on both the client and server side.
Variables
var ErrComputeEngineNotSupported = errors.New("serviceaccount: Can't sign tokens with Compute Engine credentials")
ErrComputeEngineNotSupported indicates the discovered credentials belong to a Compute Engine instance, which is not supported.
var ErrUserCredentialsNotSupported = errors.New("serviceaccount: Can't sign tokens with user credentials")
ErrUserCredentialsNotSupported indicates the discovered credentials belong to a user account, which is not supported.
Functions
func NewSourceFromDefault
NewSourceFromDefault returns a new token source from the Google application default credentials. The targetAudience must be set to the OAuth client ID for the identity-aware proxy, or any other string identifying the desired destination service. The credentials must come from a service account key, since user accounts and the Compute Engine metadata service do not expose the private signing key. The returned source is cached using oauth2.ReuseTokenSource.
func TokenFromRequest
TokenFromRequest returns the bearer token in r, if any is set. See https://tools.ietf.org/html/rfc6750
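A sketch of RFC 6750 bearer-token extraction of the kind TokenFromRequest describes. This is an added example, not the package's own code: bearerFromRequest, isB64Token and withAuth are hypothetical names, the request and token values are constructed, and rejecting duplicate Authorization headers and malformed tokens is an assumption that may be stricter than the package's behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// bearerFromRequest (hypothetical, not the package's TokenFromRequest) returns
// the RFC 6750 bearer token in r, or "" if none is set or it is malformed.
func bearerFromRequest(r *http.Request) string {
	values := r.Header.Values("Authorization")
	if len(values) != 1 { // absent, or ambiguous duplicate headers
		return ""
	}
	scheme, token, found := strings.Cut(values[0], " ")
	if !found || !strings.EqualFold(scheme, "Bearer") { // scheme is case-insensitive
		return ""
	}
	token = strings.TrimLeft(token, " ") // grammar allows 1*SP after the scheme
	if !isB64Token(token) {
		return ""
	}
	return token
}

// isB64Token checks RFC 6750 section 2.1: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
func isB64Token(s string) bool {
	body := strings.TrimRight(s, "=")
	for _, c := range body {
		alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
		if !alnum && !strings.ContainsRune("-._~+/", c) {
			return false
		}
	}
	return body != ""
}

// withAuth builds a constructed request carrying the given Authorization values.
func withAuth(values ...string) *http.Request {
	r, _ := http.NewRequest("GET", "https://service.example/", nil)
	for _, v := range values {
		r.Header.Add("Authorization", v)
	}
	return r
}

func main() {
	fmt.Printf("%q %q\n", bearerFromRequest(withAuth("bearer aaa.bbb.ccc")), bearerFromRequest(withAuth("Basic dXNlcjpwYXNz")))
}
```

Extraction only locates the token; it still has to pass signature and audience verification, as ValidateToken does, before the caller trusts any identity in it.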
Types
type Authenticator
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator verifies JWTs for Google Service Accounts.
func NewAuthenticator
func NewAuthenticator(audience string) *Authenticator
NewAuthenticator returns an Authenticator that requires audience to be set in the token.
func (*Authenticator) ValidateToken
func (a *Authenticator) ValidateToken(jwt string) (string, error)
ValidateToken returns the identity that issued this token (sub), or an error if it is not valid.