Overview ¶
Package oauthflow implements OAuth/OIDC support for device and token flows
Package oauthflow contains utilities to obtain OAuth2/OIDC tokens.
Constants ¶
// Hard-coded endpoints of the public-good Sigstore service. Both values are
// still correct, but they are deprecated: the device-code and token endpoints
// should be discovered from the issuer's well-known configuration instead
// (see DeviceFlowTokenGetter.CodeURL), so that a change on the server side
// does not silently break clients.
const (
	// SigstoreDeviceURL is the Device Code endpoint of the public-good Sigstore service.
	//
	// Deprecated: this constant (while correct) should not be used.
	SigstoreDeviceURL = "https://oauth2.sigstore.dev/auth/device/code" /* #nosec */

	// SigstoreTokenURL is the Token endpoint of the public-good Sigstore service.
	//
	// Deprecated: this constant (while correct) should not be used.
	SigstoreTokenURL = "https://oauth2.sigstore.dev/auth/device/token" /* #nosec */
)
// Connector IDs understood by the public `oauth2.sigstore.dev` instance.
// Each value is passed as the connector_id parameter (see ConnectorIDOpt)
// to pre-select the upstream identity provider.
const (
	// PublicInstanceGithubAuthSubURL is the connector id for GitHub.
	PublicInstanceGithubAuthSubURL = "https://github.com/login/oauth"
	// PublicInstanceGoogleAuthSubURL is the connector id for Google.
	PublicInstanceGoogleAuthSubURL = "https://accounts.google.com"
	// PublicInstanceMicrosoftAuthSubURL is the connector id for Microsoft.
	PublicInstanceMicrosoftAuthSubURL = "https://login.microsoftonline.com"
)
// PKCES256 names the "S256" code-challenge method (SHA-256 of the code
// verifier, base64url-encoded), the method the PKCE RFC (RFC 7636) requires
// clients to use whenever they are capable of it.
const PKCES256 = "S256"
Variables ¶
// DefaultIDTokenGetter is the default InteractiveIDTokenGetter: a browser-based
// flow that serves soauth.InteractiveSuccessHTML on the callback page. Copy it
// and override HTMLPage / Output to customize what the user sees.
var DefaultIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage: soauth.InteractiveSuccessHTML,
}
DefaultIDTokenGetter is the default implementation. The HTML page and message printed to the terminal can be customized.
// PublicInstanceGithubIDTokenGetter is DefaultIDTokenGetter with the
// connector_id parameter pre-set so `oauth2.sigstore.dev` selects GitHub as
// the upstream IdP.
var PublicInstanceGithubIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage:           DefaultIDTokenGetter.HTMLPage,
	ExtraAuthURLParams: []oauth2.AuthCodeOption{ConnectorIDOpt(PublicInstanceGithubAuthSubURL)},
}
PublicInstanceGithubIDTokenGetter is an `oauth2.sigstore.dev` flow that selects GitHub as the IdP (via ConnectorIDOpt). The flow is otherwise based on the `DefaultIDTokenGetter` fields.
// PublicInstanceGoogleIDTokenGetter is DefaultIDTokenGetter with the
// connector_id parameter pre-set so `oauth2.sigstore.dev` selects Google as
// the upstream IdP.
var PublicInstanceGoogleIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage:           DefaultIDTokenGetter.HTMLPage,
	ExtraAuthURLParams: []oauth2.AuthCodeOption{ConnectorIDOpt(PublicInstanceGoogleAuthSubURL)},
}
PublicInstanceGoogleIDTokenGetter is an `oauth2.sigstore.dev` flow that selects Google as the IdP (via ConnectorIDOpt with PublicInstanceGoogleAuthSubURL). The flow is otherwise based on the `DefaultIDTokenGetter` fields.
// PublicInstanceMicrosoftIDTokenGetter is DefaultIDTokenGetter with the
// connector_id parameter pre-set so `oauth2.sigstore.dev` selects Microsoft
// as the upstream IdP.
var PublicInstanceMicrosoftIDTokenGetter = &InteractiveIDTokenGetter{
	HTMLPage:           DefaultIDTokenGetter.HTMLPage,
	ExtraAuthURLParams: []oauth2.AuthCodeOption{ConnectorIDOpt(PublicInstanceMicrosoftAuthSubURL)},
}
PublicInstanceMicrosoftIDTokenGetter is an `oauth2.sigstore.dev` flow that selects Microsoft as the IdP (via ConnectorIDOpt). The flow is otherwise based on the `DefaultIDTokenGetter` fields.
Functions ¶
func ConnectorIDOpt ¶
func ConnectorIDOpt(prov string) oauth2.AuthCodeOption
ConnectorIDOpt requests the value of prov as the connector_id parameter (either on the URL or in the form body) of the initial authorization request; this is used by Dex to select the upstream identity-provider connector.
func SubjectFromToken ¶
SubjectFromToken extracts the subject claim from an OIDC Identity Token
func SubjectFromUnverifiedToken ¶
SubjectFromUnverifiedToken extracts the subject claim from the raw bytes of an OIDC identity token without verifying the token's signature or claims. The result must not be relied on for authorization decisions unless the token has been verified elsewhere; prefer SubjectFromToken on a verified *oidc.IDToken.
Types ¶
type DefaultFlowClientCredentials ¶
// DefaultFlowClientCredentials obtains an OIDC ID token with the Client
// Credentials grant (RFC 6749 section 4.4), i.e. a non-interactive,
// machine-to-machine flow. Construct it with NewClientCredentialsFlow.
type DefaultFlowClientCredentials struct {
	// Issuer is the OIDC issuer URL whose well-known configuration is
	// consulted for the endpoint (see CodeURL).
	Issuer string
	// contains filtered or unexported fields
}
DefaultFlowClientCredentials fetches an OIDC Identity token using the Client Credentials Grant flow as specified in RFC 6749, Section 4.4 (not RFC 8628, which defines the Device Authorization Grant used by DeviceFlowTokenGetter).
func NewClientCredentialsFlow ¶
func NewClientCredentialsFlow(issuer string) *DefaultFlowClientCredentials
NewClientCredentialsFlow creates a new DefaultFlowClientCredentials that retrieves an OIDC Identity Token using a Client Credentials Grant
func (*DefaultFlowClientCredentials) CodeURL ¶
func (d *DefaultFlowClientCredentials) CodeURL() (string, error)
CodeURL fetches the client credentials token authorization endpoint URL from the provider's well-known configuration endpoint
func (*DefaultFlowClientCredentials) GetIDToken ¶
func (d *DefaultFlowClientCredentials) GetIDToken(p *oidc.Provider, cfg oauth2.Config) (*OIDCIDToken, error)
GetIDToken gets an OIDC ID Token from the specified provider using the Client Credentials Grant flow
type DeviceFlowTokenGetter ¶
// DeviceFlowTokenGetter obtains an OIDC ID token with the Device Authorization
// grant (RFC 8628): the user completes login on another device while this
// client polls the token endpoint. Construct it with
// NewDeviceFlowTokenGetterForIssuer.
type DeviceFlowTokenGetter struct {
	// MessagePrinter is called with the text to show the user — presumably
	// the verification URL and user code; confirm against GetIDToken.
	MessagePrinter func(string)
	// Sleeper is the wait used between polls of the token endpoint (injected
	// so tests can avoid real delays) — assumption, confirm in GetIDToken.
	Sleeper func(time.Duration)
	// Issuer is the OIDC issuer URL whose well-known configuration is
	// consulted for the device authorization endpoint (see CodeURL).
	Issuer string
	// contains filtered or unexported fields
}
DeviceFlowTokenGetter fetches an OIDC Identity token using the Device Code Grant flow as specified in RFC8628
func NewDeviceFlowTokenGetter ¶
func NewDeviceFlowTokenGetter(issuer, codeURL, _ string) *DeviceFlowTokenGetter
NewDeviceFlowTokenGetter creates a new DeviceFlowTokenGetter that retrieves an OIDC Identity Token using a Device Code Grant. The third parameter is ignored (it is a blank identifier in the signature). Deprecated: NewDeviceFlowTokenGetter is deprecated; use NewDeviceFlowTokenGetterForIssuer() instead.
func NewDeviceFlowTokenGetterForIssuer ¶
func NewDeviceFlowTokenGetterForIssuer(issuer string) *DeviceFlowTokenGetter
NewDeviceFlowTokenGetterForIssuer creates a new DeviceFlowTokenGetter that retrieves an OIDC Identity Token using a Device Code Grant
func (*DeviceFlowTokenGetter) CodeURL ¶
func (d *DeviceFlowTokenGetter) CodeURL() (string, error)
CodeURL fetches the device authorization endpoint URL from the provider's well-known configuration endpoint
func (*DeviceFlowTokenGetter) GetIDToken ¶
func (d *DeviceFlowTokenGetter) GetIDToken(p *oidc.Provider, cfg oauth2.Config) (*OIDCIDToken, error)
GetIDToken gets an OIDC ID Token from the specified provider using the device code grant flow
type InteractiveIDTokenGetter ¶
// InteractiveIDTokenGetter obtains an OIDC ID token through an interactive
// browser session (see GetIDToken). The zero value is usable; DefaultIDTokenGetter
// is the package default.
type InteractiveIDTokenGetter struct {
	// HTMLPage is the HTML served to the browser on the callback after login
	// completes (DefaultIDTokenGetter uses soauth.InteractiveSuccessHTML).
	HTMLPage string
	// ExtraAuthURLParams are additional options appended to the authorization
	// request, e.g. ConnectorIDOpt to pre-select an IdP on a Dex instance.
	ExtraAuthURLParams []oauth2.AuthCodeOption
	// Input is where user input is read from; nil means stdin (see GetInput).
	Input io.Reader
	// Output is where prompts are written; nil means stderr (see GetOutput).
	Output io.Writer
}
InteractiveIDTokenGetter is a type to get ID tokens for oauth flows
func (*InteractiveIDTokenGetter) GetIDToken ¶
func (i *InteractiveIDTokenGetter) GetIDToken(p *oidc.Provider, cfg oauth2.Config) (*OIDCIDToken, error)
GetIDToken gets an OIDC ID Token from the specified provider using an interactive browser session
func (*InteractiveIDTokenGetter) GetInput ¶
func (i *InteractiveIDTokenGetter) GetInput() io.Reader
GetInput returns the input reader for the token getter. If one is not set, it defaults to stdin.
func (*InteractiveIDTokenGetter) GetOutput ¶
func (i *InteractiveIDTokenGetter) GetOutput() io.Writer
GetOutput returns the output writer for the token getter. If one is not set, it defaults to stderr.
type OIDCIDToken ¶
// OIDCIDToken is an OIDC Identity Token as returned by a TokenGetter.
//
// Whether the token was verified depends on the TokenGetter that produced it:
// StaticTokenGetter explicitly performs no verification, so consumers that
// need a trustworthy Subject must verify RawString themselves.
type OIDCIDToken struct {
	// RawString is the raw token value (a base64-encoded JWT).
	RawString string
	// Subject is the subject claim extracted from the raw token.
	Subject string
}
OIDCIDToken represents an OIDC Identity Token
func OIDConnect ¶
func OIDConnect(issuer, id, secret, redirectURL string, tg TokenGetter) (*OIDCIDToken, error)
OIDConnect requests an OIDC Identity Token from the specified issuer using the specified client credentials and TokenGetter. NOTE: If redirectURL is empty, a listener is started on localhost:0 (an ephemeral port) with '/auth/callback' as the default callback path.
type PKCE ¶
PKCE specifies the challenge and value pair required to fulfill RFC7636
func NewPKCE ¶
NewPKCE creates a new PKCE challenge for the specified provider per its supported methods (obtained through OIDC discovery endpoint)
func (*PKCE) AuthURLOpts ¶
func (p *PKCE) AuthURLOpts() []oauth2.AuthCodeOption
AuthURLOpts returns the set of request parameters required during the initial exchange of the OAuth2 flow
func (*PKCE) TokenURLOpts ¶
func (p *PKCE) TokenURLOpts() []oauth2.AuthCodeOption
TokenURLOpts returns the set of request parameters required during the token request exchange flow
type StaticTokenGetter ¶
// StaticTokenGetter is a TokenGetter backed by a JWT the caller already holds.
// It performs no network access and no verification (see GetIDToken).
type StaticTokenGetter struct {
	// RawToken is the serialized JWT. GetIDToken parses it *without
	// verification*, so the caller is responsible for having verified it.
	RawToken string
}
StaticTokenGetter is a token getter that works on a JWT that is already known
func (*StaticTokenGetter) GetIDToken ¶
func (stg *StaticTokenGetter) GetIDToken(_ *oidc.Provider, _ oauth2.Config) (*OIDCIDToken, error)
GetIDToken extracts an OIDCIDToken from the raw token *without verification*: neither the signature nor the claims are checked, so the returned Subject is only as trustworthy as the source of RawToken. The provider and config arguments are ignored.
type TokenGetter ¶
// TokenGetter obtains an OIDC ID token from an IdP. Implementations in this
// package: InteractiveIDTokenGetter (browser), DeviceFlowTokenGetter (device
// code), DefaultFlowClientCredentials (client credentials) and
// StaticTokenGetter (pre-obtained, unverified JWT).
type TokenGetter interface {
	// GetIDToken returns an ID token for the given provider and client config.
	GetIDToken(provider *oidc.Provider, config oauth2.Config) (*OIDCIDToken, error)
}
TokenGetter provides a way to get an OIDC ID Token from an OIDC IdP