Documentation ¶
Overview ¶
Contains types needed to start up a standalone OAuth2 Authorization Server or delegate authentication to an external provider. It supports OpenId connect for user authentication.
Index ¶
- Constants
- Variables
- func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (interface{}, error)
- func BlanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, ...) (resp interface{}, err error)
- func ExecutionUserIdentifierInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, ...) (resp interface{}, err error)
- func FirstURL(urls ...*url.URL) *url.URL
- func GRPCGetIdentityFromAccessToken(ctx context.Context, authCtx interfaces.AuthenticationContext) (interfaces.IdentityContext, error)
- func GRPCGetIdentityFromIDToken(ctx context.Context, clientID string, provider *oidc.Provider) (interfaces.IdentityContext, error)
- func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor
- func GetAuthenticationInterceptor(authCtx interfaces.AuthenticationContext) func(context.Context) (context.Context, error)
- func GetCallbackHandler(ctx context.Context, authCtx interfaces.AuthenticationContext, ...) http.HandlerFunc
- func GetCreateSecretsCommand() *cobra.Command
- func GetInitSecretsCommand() *cobra.Command
- func GetLoginHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetOAuth2ClientConfig(ctx context.Context, options config.OpenIDOptions, ...) (cfg oauth2.Config, err error)
- func GetOIdCMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetPublicURL(ctx context.Context, req *http.Request, cfg *config.Config) *url.URL
- func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)
- func HashCsrfState(csrf string) string
- func IdentityContextFromIDTokenToken(ctx context.Context, tokenStr, clientID string, provider *oidc.Provider, ...) (interfaces.IdentityContext, error)
- func IdentityContextFromRequest(ctx context.Context, req *http.Request, ...) (interfaces.IdentityContext, error)
- func NewCsrfCookie() http.Cookie
- func NewCsrfToken(seed int64) string
- func NewRedirectCookie(ctx context.Context, redirectURL string) *http.Cookie
- func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte, domain string, ...) (http.Cookie, error)
- func ParseIDTokenAndValidate(ctx context.Context, clientID, rawIDToken string, provider *oidc.Provider) (*oidc.IDToken, error)
- func QueryUserInfo(ctx context.Context, identityContext interfaces.IdentityContext, ...) (*service.UserInfoResponse, error)
- func QueryUserInfoUsingAccessToken(ctx context.Context, originalRequest *http.Request, ...) (*service.UserInfoResponse, error)
- func ReadSecureCookie(ctx context.Context, cookie http.Cookie, hashKey, blockKey []byte) (string, error)
- func RefreshTokensIfExists(ctx context.Context, authCtx interfaces.AuthenticationContext, ...) http.HandlerFunc
- func RegisterHandlers(ctx context.Context, handler interfaces.HandlerRegisterer, ...)
- func SetContextForIdentity(ctx context.Context, identityContext interfaces.IdentityContext) context.Context
- func URLFromContext(ctx context.Context) *url.URL
- func URLFromRequest(req *http.Request) *url.URL
- func VerifyCsrfCookie(ctx context.Context, request *http.Request) error
- func WithAuditFields(ctx context.Context, subject string, clientIds []string, ...) context.Context
- func WithUserEmail(ctx context.Context, email string) context.Context
- type AuthenticatedClientMeta
- type Context
- func (c Context) AuthMetadataService() service.AuthMetadataServiceServer
- func (c Context) CookieManager() interfaces.CookieHandler
- func (c Context) GetHTTPClient() *http.Client
- func (c Context) GetOAuth2MetadataURL() *url.URL
- func (c Context) GetOIdCMetadataURL() *url.URL
- func (c Context) GetUserInfoURL() *url.URL
- func (c Context) IdentityService() service.IdentityServiceServer
- func (c Context) OAuth2ClientConfig(requestURL *url.URL) *oauth2.Config
- func (c Context) OAuth2Provider() interfaces.OAuth2Provider
- func (c Context) OAuth2ResourceServer() interfaces.OAuth2ResourceServer
- func (c Context) OidcProvider() *oidc.Provider
- func (c Context) Options() *config.Config
- type CookieManager
- func (c CookieManager) DeleteCookies(ctx context.Context, writer http.ResponseWriter)
- func (c CookieManager) RetrieveAuthCodeRequest(ctx context.Context, request *http.Request) (authRequestURL string, err error)
- func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (idToken, accessToken, refreshToken string, err error)
- func (c CookieManager) RetrieveUserInfo(ctx context.Context, request *http.Request) (*service.UserInfoResponse, error)
- func (c CookieManager) SetAuthCodeCookie(ctx context.Context, writer http.ResponseWriter, authRequestURL string) error
- func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error
- func (c CookieManager) SetUserInfoCookie(ctx context.Context, writer http.ResponseWriter, ...) error
- type HTTPRequestToMetadataAnnotator
- type IdentityContext
- func (c IdentityContext) AppID() string
- func (c IdentityContext) Audience() string
- func (c IdentityContext) AuthenticatedAt() time.Time
- func (c IdentityContext) Claims() map[string]interface{}
- func (c IdentityContext) ExecutionIdentity() string
- func (c IdentityContext) IsEmpty() bool
- func (c IdentityContext) Scopes() sets.String
- func (c IdentityContext) UserID() string
- func (c IdentityContext) UserInfo() *service.UserInfoResponse
- func (c IdentityContext) WithContext(ctx context.Context) context.Context
- func (c IdentityContext) WithExecutionUserIdentifier(euid string) IdentityContext
- type PreRedirectHookError
- type PreRedirectHookFunc
- type SecretsSet
- type UserInfoForwardResponseHandler
- type UserInfoProvider
Constants ¶
const ( IdpConnectionTimeout = 10 * time.Second ErrauthCtx errors.ErrorCode = "AUTH_CONTEXT_SETUP_FAILED" ErrConfigFileRead errors.ErrorCode = "CONFIG_OPTION_FILE_READ_FAILED" )
const ( // OAuth2 Parameters CsrfFormKey = "state" AuthorizationResponseCodeType = "code" DefaultAuthorizationHeader = "authorization" BearerScheme = "Bearer" IDTokenScheme = "IDToken" // Add the -bin suffix so that the header value is automatically base64 encoded UserInfoMDKey = "UserInfo-bin" // https://tools.ietf.org/html/rfc8414 // This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path OAuth2MetadataEndpoint = ".well-known/oauth-authorization-server" // https://openid.net/specs/openid-connect-discovery-1_0.html // This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path OIdCMetadataEndpoint = ".well-known/openid-configuration" ContextKeyIdentityContext = contextutils.Key("identity_context") ScopeAll = "all" )
const ( ErrSecureCookie errors.ErrorCode = "SECURE_COOKIE_ERROR" // #nosec ErrInvalidCsrfToken errors.ErrorCode = "CSRF_TOKEN_VALIDATION_FAILED" )
const ( ErrB64Decoding errors.ErrorCode = "BINARY_DECODING_FAILED" // #nosec ErrTokenNil errors.ErrorCode = "EMPTY_OAUTH_TOKEN" // #nosec ErrNoIDToken errors.ErrorCode = "NO_ID_TOKEN_IN_RESPONSE" )
const ( RedirectURLParameter = "redirect_url" FromHTTPKey = "from_http" FromHTTPVal = "true" )
const ( SymmetricKeyLength = 32 CookieHashKeyLength = 64 CookieBlockKeyLength = 32 )
const ( ErrRefreshingToken errors.ErrorCode = "TOKEN_REFRESH_FAILURE" ErrTokenExpired errors.ErrorCode = "JWT_EXPIRED" ErrJwtValidation errors.ErrorCode = "JWT_VERIFICATION_FAILED" )
const (
PodNamespaceEnvVar = "POD_NAMESPACE"
)
Variables ¶
var AllowedChars = []rune("abcdefghijklmnopqrstuvwxyz1234567890")
Functions ¶
func AuthenticationLoggingInterceptor ¶
func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
func BlanketAuthorization ¶ added in v1.1.6
func BlanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) ( resp interface{}, err error)
func ExecutionUserIdentifierInterceptor ¶ added in v1.1.96
func ExecutionUserIdentifierInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) ( resp interface{}, err error)
ExecutionUserIdentifierInterceptor injects identityContext.UserID() to identityContext.executionIdentity
func GRPCGetIdentityFromAccessToken ¶
func GRPCGetIdentityFromAccessToken(ctx context.Context, authCtx interfaces.AuthenticationContext) ( interfaces.IdentityContext, error)
GRPCGetIdentityFromAccessToken attempts to extract a token from the context, and will then call the validation function, passing up any errors.
func GRPCGetIdentityFromIDToken ¶
func GRPCGetIdentityFromIDToken(ctx context.Context, clientID string, provider *oidc.Provider) ( interfaces.IdentityContext, error)
GRPCGetIdentityFromIDToken attempts to extract a token from the context, and will then call the validation function, passing up any errors.
func GetAuthenticationCustomMetadataInterceptor ¶
func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor
GetAuthenticationCustomMetadataInterceptor produces a gRPC middleware interceptor intended to be used when running authentication with non-default gRPC headers (metadata). Because the default `authorization` header is reserved for use by Envoy, clients wishing to pass tokens to Admin will need to use a different string, specified in this package's Config object. This interceptor will scan for that arbitrary string, and then rename it to the default string, which the downstream auth/auditing interceptors will detect and validate.
func GetAuthenticationInterceptor ¶
func GetAuthenticationInterceptor(authCtx interfaces.AuthenticationContext) func(context.Context) (context.Context, error)
GetAuthenticationInterceptor chooses to enforce or not enforce authentication. It will attempt to get the token from the incoming context, validate it, and decide whether or not to let the request through.
func GetCallbackHandler ¶
func GetCallbackHandler(ctx context.Context, authCtx interfaces.AuthenticationContext, pluginRegistry *plugins.Registry) http.HandlerFunc
GetCallbackHandler returns a handler that is called by the OIdC provider with the authorization code to complete the user authentication flow.
func GetCreateSecretsCommand ¶ added in v1.1.65
func GetInitSecretsCommand ¶
GetInitSecretsCommand creates a command to issue secrets to be used for Auth settings. It writes the secrets to the working directory. The expectation is that they are put in a location and made available to the serve command later. To configure where the serve command looks for secrets, update this config:
secrets: secrets-prefix: <my custom path>
func GetLoginHandler ¶
func GetLoginHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
GetLoginHandler builds an http handler that handles authentication calls. Before redirecting to the authentication provider, it saves a cookie that contains the redirect url for after the authentication flow is done.
func GetLogoutEndpointHandler ¶
func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
func GetOAuth2ClientConfig ¶
func GetOAuth2ClientConfig(ctx context.Context, options config.OpenIDOptions, providerEndpoints oauth2.Endpoint, sm core.SecretManager) (cfg oauth2.Config, err error)
This creates a oauth2 library config object, with values from the Flyte Admin config
func GetOIdCMetadataEndpointRedirectHandler ¶
func GetOIdCMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
This returns a handler that will redirect (303) to the well-known metadata endpoint for the OAuth2 authorization server See https://tools.ietf.org/html/rfc8414 for more information.
func GetPublicURL ¶
GetPublicURL attempts to retrieve the public url of the service. If httpPublicUri is set in the config, it takes precedence. If the request is not nil and has a host set, it comes second and lastly it attempts to retrieve the url from context if set (e.g. by gRPC gateway).
func GetRefreshedToken ¶
func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)
Refresh a JWT
func HashCsrfState ¶
func IdentityContextFromIDTokenToken ¶
func IdentityContextFromIDTokenToken(ctx context.Context, tokenStr, clientID string, provider *oidc.Provider, userInfo *service.UserInfoResponse) (interfaces.IdentityContext, error)
func IdentityContextFromRequest ¶
func IdentityContextFromRequest(ctx context.Context, req *http.Request, authCtx interfaces.AuthenticationContext) ( interfaces.IdentityContext, error)
func NewCsrfCookie ¶
func NewCsrfToken ¶
func NewRedirectCookie ¶
This function takes in a string and returns a cookie that's used to keep track of where to send the user after the OAuth2 login flow is complete.
func NewSecureCookie ¶
func ParseIDTokenAndValidate ¶
func QueryUserInfo ¶
func QueryUserInfo(ctx context.Context, identityContext interfaces.IdentityContext, request *http.Request, authCtx interfaces.AuthenticationContext) (*service.UserInfoResponse, error)
func QueryUserInfoUsingAccessToken ¶
func QueryUserInfoUsingAccessToken(ctx context.Context, originalRequest *http.Request, authCtx interfaces.AuthenticationContext, accessToken string) ( *service.UserInfoResponse, error)
Extract User info from access token for HTTP request
func ReadSecureCookie ¶
func RefreshTokensIfExists ¶
func RefreshTokensIfExists(ctx context.Context, authCtx interfaces.AuthenticationContext, authHandler http.HandlerFunc) http.HandlerFunc
Look for access token and refresh token, if both are present and the access token is expired, then attempt to refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to the landing page.
func RegisterHandlers ¶
func RegisterHandlers(ctx context.Context, handler interfaces.HandlerRegisterer, authCtx interfaces.AuthenticationContext, pluginRegistry *plugins.Registry)
func SetContextForIdentity ¶
func SetContextForIdentity(ctx context.Context, identityContext interfaces.IdentityContext) context.Context
func URLFromContext ¶
URLFromContext attempts to retrieve the original url from context. gRPC gateway sets metadata in context that refers to the original host. Or nil if metadata isn't set.
func URLFromRequest ¶
URLFromRequest attempts to reconstruct the url from the request object. Or nil if not possible
func WithAuditFields ¶
Types ¶
type AuthenticatedClientMeta ¶ added in v0.6.114
type Context ¶
type Context struct {
// contains filtered or unexported fields
}
Please see the comment on the corresponding AuthenticationContext for more information.
func NewAuthenticationContext ¶
func NewAuthenticationContext(ctx context.Context, sm core.SecretManager, oauth2Provider interfaces.OAuth2Provider, oauth2ResourceServer interfaces.OAuth2ResourceServer, authMetadataService service.AuthMetadataServiceServer, identityService service.IdentityServiceServer, options *config.Config) (Context, error)
func (Context) AuthMetadataService ¶
func (c Context) AuthMetadataService() service.AuthMetadataServiceServer
func (Context) CookieManager ¶
func (c Context) CookieManager() interfaces.CookieHandler
func (Context) GetHTTPClient ¶
func (Context) GetOAuth2MetadataURL ¶
func (Context) GetOIdCMetadataURL ¶
func (Context) GetUserInfoURL ¶
func (Context) IdentityService ¶
func (c Context) IdentityService() service.IdentityServiceServer
func (Context) OAuth2ClientConfig ¶
func (Context) OAuth2Provider ¶
func (c Context) OAuth2Provider() interfaces.OAuth2Provider
func (Context) OAuth2ResourceServer ¶
func (c Context) OAuth2ResourceServer() interfaces.OAuth2ResourceServer
func (Context) OidcProvider ¶
func (c Context) OidcProvider() *oidc.Provider
type CookieManager ¶
type CookieManager struct {
// contains filtered or unexported fields
}
func NewCookieManager ¶
func NewCookieManager(ctx context.Context, hashKeyEncoded, blockKeyEncoded string, cookieSettings config.CookieSettings) (CookieManager, error)
func (CookieManager) DeleteCookies ¶
func (c CookieManager) DeleteCookies(ctx context.Context, writer http.ResponseWriter)
func (CookieManager) RetrieveAuthCodeRequest ¶
func (CookieManager) RetrieveTokenValues ¶
func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (idToken, accessToken, refreshToken string, err error)
TODO: Separate refresh token from access token, remove named returns, and use stdlib errors. RetrieveTokenValues retrieves id, access and refresh tokens from cookies if they exist. The existence of a refresh token in a cookie is optional and hence failure to find or read that cookie is tolerated. An error is returned in case of failure to retrieve and read either the id or the access tokens.
func (CookieManager) RetrieveUserInfo ¶
func (c CookieManager) RetrieveUserInfo(ctx context.Context, request *http.Request) (*service.UserInfoResponse, error)
func (CookieManager) SetAuthCodeCookie ¶
func (c CookieManager) SetAuthCodeCookie(ctx context.Context, writer http.ResponseWriter, authRequestURL string) error
func (CookieManager) SetTokenCookies ¶
func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error
func (CookieManager) SetUserInfoCookie ¶
func (c CookieManager) SetUserInfoCookie(ctx context.Context, writer http.ResponseWriter, userInfo *service.UserInfoResponse) error
type HTTPRequestToMetadataAnnotator ¶
func GetHTTPMetadataTaggingHandler ¶
func GetHTTPMetadataTaggingHandler() HTTPRequestToMetadataAnnotator
Intercepts the incoming HTTP requests and marks it as such so that the downstream code can use it to enforce auth. See the enforceHTTP/Grpc options for more information.
func GetHTTPRequestCookieToMetadataHandler ¶
func GetHTTPRequestCookieToMetadataHandler(authCtx interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator
This is effectively middleware for the grpc gateway, it allows us to modify the translation between HTTP request and gRPC request. There are two potential sources for bearer tokens, it can come from an authorization header (not yet implemented), or encrypted cookies. Note that when deploying behind Envoy, you have the option to look for a configurable, non-standard header name. The token is extracted and turned into a metadata object which is then attached to the request, from which the token is extracted later for verification.
type IdentityContext ¶
type IdentityContext struct {
// contains filtered or unexported fields
}
IdentityContext is an abstract entity to enclose the authenticated identity of the user/app. Both gRPC and HTTP servers have interceptors to set the IdentityContext on the context.Context. To retrieve the current IdentityContext call auth.IdentityContextFromContext(ctx). To check whether there is an identity set, call auth.IdentityContextFromContext(ctx).IsEmpty()
func IdentityContextFromContext ¶
func IdentityContextFromContext(ctx context.Context) IdentityContext
IdentityContextFromContext retrieves the authenticated identity from context.Context.
func NewIdentityContext ¶
func NewIdentityContext(audience, userID, appID string, authenticatedAt time.Time, scopes sets.String, userInfo *service.UserInfoResponse, claims map[string]interface{}) ( IdentityContext, error)
NewIdentityContext creates a new IdentityContext.
func (IdentityContext) AppID ¶
func (c IdentityContext) AppID() string
func (IdentityContext) Audience ¶
func (c IdentityContext) Audience() string
func (IdentityContext) AuthenticatedAt ¶
func (c IdentityContext) AuthenticatedAt() time.Time
func (IdentityContext) Claims ¶ added in v1.1.25
func (c IdentityContext) Claims() map[string]interface{}
func (IdentityContext) ExecutionIdentity ¶ added in v1.1.96
func (c IdentityContext) ExecutionIdentity() string
func (IdentityContext) IsEmpty ¶
func (c IdentityContext) IsEmpty() bool
func (IdentityContext) Scopes ¶
func (c IdentityContext) Scopes() sets.String
func (IdentityContext) UserID ¶
func (c IdentityContext) UserID() string
func (IdentityContext) UserInfo ¶
func (c IdentityContext) UserInfo() *service.UserInfoResponse
func (IdentityContext) WithContext ¶
func (c IdentityContext) WithContext(ctx context.Context) context.Context
func (IdentityContext) WithExecutionUserIdentifier ¶ added in v1.1.96
func (c IdentityContext) WithExecutionUserIdentifier(euid string) IdentityContext
WithExecutionUserIdentifier creates a copy of the original identity context and attach ExecutionIdentity
type PreRedirectHookError ¶ added in v1.1.121
func (*PreRedirectHookError) Error ¶ added in v1.1.121
func (e *PreRedirectHookError) Error() string
type PreRedirectHookFunc ¶ added in v1.1.121
type PreRedirectHookFunc func(ctx context.Context, authCtx interfaces.AuthenticationContext, request *http.Request, w http.ResponseWriter) *PreRedirectHookError
PreRedirectHookFunc Interface used for running custom code before the redirect happens during a successful auth flow. This might be useful in cases where the auth flow allows the user to login since the IDP has been configured for eg: to allow all users from a particular domain to login but you want to restrict access to only a particular set of user ids. eg : users@domain.com are allowed to login but user user1@domain.com, user2@domain.com should only be allowed PreRedirectHookError is the error interface which allows the user to set correct http status code and Message to be set in case the function returns an error without which the current usage in GetCallbackHandler will set this to InternalServerError
type SecretsSet ¶
type SecretsSet struct { TokenHashKey []byte TokenSigningRSAPrivateKey *rsa.PrivateKey CookieHashKey []byte CookieBlockKey []byte }
func NewSecrets ¶
func NewSecrets() (SecretsSet, error)
type UserInfoForwardResponseHandler ¶ added in v1.1.50
type UserInfoForwardResponseHandler func(ctx context.Context, w http.ResponseWriter, m protoiface.MessageV1) error
func GetUserInfoForwardResponseHandler ¶ added in v1.1.50
func GetUserInfoForwardResponseHandler() UserInfoForwardResponseHandler
type UserInfoProvider ¶
type UserInfoProvider struct { }
func NewUserInfoProvider ¶
func NewUserInfoProvider() UserInfoProvider
func (UserInfoProvider) UserInfo ¶
func (s UserInfoProvider) UserInfo(ctx context.Context, _ *service.UserInfoRequest) (*service.UserInfoResponse, error)
UserInfo returns user_info claims about the currently logged in user. See the OpenID Connect spec at https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse for more information.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
OAuthServer implementation that serve oauth2 authorize and client_credentials flows.
|
OAuthServer implementation that serve oauth2 authorize and client_credentials flows. |