Documentation ¶
Overview ¶
Package oidc contains common OIDC functionality needed by Pinniped.
Index ¶
- Constants
- func FositeErrorForLog(err error) []interface{}
- func FositeOauth2Helper(oauthStore interface{}, issuer string, ...) fosite.OAuth2Provider
- func GrantScopeIfRequested(authorizeRequester fosite.AuthorizeRequester, scopeName string)
- func ScopeWasRequested(authorizeRequester fosite.AuthorizeRequester, scopeName string) bool
- func TokenExchangeFactory(config *compose.Config, storage interface{}, strategy interface{}) interface{}
- type Codec
- type Decoder
- type Encoder
- type KubeStorage
- func (k KubeStorage) ClientAssertionJWTValid(ctx context.Context, jti string) error
- func (k KubeStorage) CreateAccessTokenSession(ctx context.Context, signatureOfAccessToken string, requester fosite.Requester) (err error)
- func (k KubeStorage) CreateAuthorizeCodeSession(ctx context.Context, signatureOfAuthcode string, r fosite.Requester) (err error)
- func (k KubeStorage) CreateOpenIDConnectSession(ctx context.Context, fullAuthcode string, requester fosite.Requester) error
- func (k KubeStorage) CreatePKCERequestSession(ctx context.Context, signatureOfAuthcode string, requester fosite.Requester) error
- func (k KubeStorage) CreateRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string, request fosite.Requester) (err error)
- func (k KubeStorage) DeleteAccessTokenSession(ctx context.Context, signatureOfAccessToken string) (err error)
- func (k KubeStorage) DeleteOpenIDConnectSession(ctx context.Context, fullAuthcode string) error
- func (k KubeStorage) DeletePKCERequestSession(ctx context.Context, signatureOfAuthcode string) error
- func (k KubeStorage) DeleteRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string) (err error)
- func (k KubeStorage) GetAccessTokenSession(ctx context.Context, signatureOfAccessToken string, session fosite.Session) (request fosite.Requester, err error)
- func (k KubeStorage) GetAuthorizeCodeSession(ctx context.Context, signatureOfAuthcode string, s fosite.Session) (request fosite.Requester, err error)
- func (k KubeStorage) GetClient(ctx context.Context, id string) (fosite.Client, error)
- func (k KubeStorage) GetOpenIDConnectSession(ctx context.Context, fullAuthcode string, requester fosite.Requester) (fosite.Requester, error)
- func (k KubeStorage) GetPKCERequestSession(ctx context.Context, signatureOfAuthcode string, session fosite.Session) (fosite.Requester, error)
- func (k KubeStorage) GetRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string, session fosite.Session) (request fosite.Requester, err error)
- func (k KubeStorage) InvalidateAuthorizeCodeSession(ctx context.Context, signatureOfAuthcode string) (err error)
- func (k KubeStorage) RevokeAccessToken(ctx context.Context, requestID string) error
- func (k KubeStorage) RevokeRefreshToken(ctx context.Context, requestID string) error
- func (k KubeStorage) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error
- type NullStorage
- func (NullStorage) CreateAccessTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error)
- func (NullStorage) CreateAuthorizeCodeSession(_ context.Context, _ string, _ fosite.Requester) (err error)
- func (NullStorage) CreateOpenIDConnectSession(_ context.Context, _ string, _ fosite.Requester) error
- func (NullStorage) CreatePKCERequestSession(_ context.Context, _ string, _ fosite.Requester) error
- func (NullStorage) CreateRefreshTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error)
- func (NullStorage) DeleteAccessTokenSession(_ context.Context, _ string) (err error)
- func (NullStorage) DeleteOpenIDConnectSession(_ context.Context, _ string) error
- func (NullStorage) DeletePKCERequestSession(_ context.Context, _ string) error
- func (NullStorage) DeleteRefreshTokenSession(_ context.Context, _ string) (err error)
- func (NullStorage) GetAccessTokenSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error)
- func (NullStorage) GetAuthorizeCodeSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error)
- func (NullStorage) GetOpenIDConnectSession(_ context.Context, _ string, _ fosite.Requester) (fosite.Requester, error)
- func (NullStorage) GetPKCERequestSession(_ context.Context, _ string, _ fosite.Session) (fosite.Requester, error)
- func (NullStorage) GetRefreshTokenSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error)
- func (NullStorage) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error)
- func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error
- func (NullStorage) RevokeRefreshToken(_ context.Context, _ string) error
- type TimeoutsConfiguration
- type TokenExchangeHandler
- func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool
- func (t *TokenExchangeHandler) CanSkipClientAuth(_ fosite.AccessRequester) bool
- func (t *TokenExchangeHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error
- func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, ...) error
- type UpstreamIdentityProvidersLister
- type UpstreamLDAPIdentityProvidersLister
- type UpstreamOIDCIdentityProvidersLister
- type UpstreamStateParamData
Constants ¶
// Paths of the HTTP endpoints served by the Supervisor's OIDC provider.
const (
	// WellKnownEndpointPath is the standard OIDC discovery document path (see the discovery subpackage).
	WellKnownEndpointPath = "/.well-known/openid-configuration"
	// AuthorizationEndpointPath is the OAuth2/OIDC authorization endpoint (see the auth subpackage).
	AuthorizationEndpointPath = "/oauth2/authorize"
	// TokenEndpointPath is the OAuth2/OIDC token endpoint (see the token subpackage).
	TokenEndpointPath = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
	// CallbackEndpointPath is where the browser is redirected back to after logging in with an
	// upstream OIDC IDP; the encrypted upstream state param is validated there (see the callback subpackage).
	CallbackEndpointPath = "/callback"
	// JWKSEndpointPath serves the provider's JSON Web Key Set.
	JWKSEndpointPath = "/jwks.json"
	// PinnipedIDPsPathV1Alpha1 is the Pinniped-specific upstream IDP discovery endpoint
	// (see the idpdiscovery subpackage).
	PinnipedIDPsPathV1Alpha1 = "/v1alpha1/pinniped_identity_providers"
)
const (
	// UpstreamStateParamFormatVersion is a format version number included in the upstream state param,
	// just in case we need to make a breaking change to the format. This gives the opportunity for a
	// future version of Pinniped to have the consumer of this format decide to reject versions that it
	// doesn't understand.
	UpstreamStateParamFormatVersion = "1"

	// UpstreamStateParamEncodingName is the `name` passed to the encoder for encoding the upstream state
	// param value. This name is short because it will be encoded into the upstream state param value and
	// we're trying to keep that small.
	UpstreamStateParamEncodingName = "s"

	// CSRFCookieName is the name of the browser cookie which shall hold our CSRF value.
	// The `__Host-` prefix has a special meaning: browsers only accept a cookie with this prefix when it
	// is set with the Secure attribute, with Path=/ and without a Domain attribute, so the cookie is
	// bound to this exact host and cannot be planted by a sibling subdomain or over plaintext HTTP. See:
	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Cookie_prefixes.
	CSRFCookieName = "__Host-pinniped-csrf"

	// CSRFCookieEncodingName is the `name` passed to the encoder for encoding and decoding the CSRF
	// cookie contents.
	CSRFCookieEncodingName = "csrf"

	// IDTokenIssuerClaim is the name of the issuer claim specified in the OIDC spec.
	IDTokenIssuerClaim = "iss"

	// IDTokenSubjectClaim is the name of the subject claim specified in the OIDC spec.
	IDTokenSubjectClaim = "sub"

	// DownstreamUsernameClaim is a custom claim in the downstream ID token
	// whose value is mapped from a claim in the upstream token.
	// By default the value is the same as the downstream subject claim's.
	DownstreamUsernameClaim = "username"

	// DownstreamGroupsClaim is the claim used to encode the groups in the downstream OIDC ID token.
	DownstreamGroupsClaim = "groups"

	// CSRFCookieLifespan is the length of time that the CSRF cookie is valid. After this time, the
	// Supervisor's authorization endpoint should give the browser a new CSRF cookie. We set it to
	// a week so that it is unlikely to expire during a login.
	CSRFCookieLifespan = time.Hour * 24 * 7
)
Variables ¶
This section is empty.
Functions ¶
func FositeErrorForLog ¶
func FositeErrorForLog(err error) []interface{}
FositeErrorForLog generates a list of information about the provided Fosite error that can be passed to a plog function (e.g., plog.Info()).
Sample usage:
err := someFositeLibraryFunction()
if err != nil {
	plog.Info("some error", FositeErrorForLog(err)...)
	...
}
func FositeOauth2Helper ¶
func FositeOauth2Helper(
	oauthStore interface{},
	issuer string,
	hmacSecretOfLengthAtLeast32Func func() []byte,
	jwksProvider jwks.DynamicJWKSProvider,
	timeoutsConfiguration TimeoutsConfiguration,
) fosite.OAuth2Provider
FositeOauth2Helper builds the fosite.OAuth2Provider used by the Supervisor's OIDC endpoints. oauthStore is the fosite storage implementation (such as KubeStorage or NullStorage from this package). As its name states, hmacSecretOfLengthAtLeast32Func must return an HMAC secret of at least 32 bytes; callers should treat a shorter secret as a configuration error. timeoutsConfiguration supplies the token and session lifespans described under TimeoutsConfiguration.
func GrantScopeIfRequested ¶
func GrantScopeIfRequested(authorizeRequester fosite.AuthorizeRequester, scopeName string)
func ScopeWasRequested ¶
func ScopeWasRequested(authorizeRequester fosite.AuthorizeRequester, scopeName string) bool
func TokenExchangeFactory ¶
func TokenExchangeFactory(config *compose.Config, storage interface{}, strategy interface{}) interface{}
TokenExchangeFactory has the fosite compose-factory signature and returns the token exchange handler (see TokenExchangeHandler) so it can be composed into the provider alongside fosite's built-in grant handlers.
Types ¶
type Codec ¶
Codec combines the encoding and decoding sides (Encoder and Decoder) of the securecookie.Codec interface. It is declared as a local interface so that the securecookie dependency is wrapped rather than exposed directly to the rest of the package.
type KubeStorage ¶
// KubeStorage is a fosite storage implementation whose session records live in Kubernetes Secrets:
// NewKubeStorage takes a corev1client.SecretInterface and a TimeoutsConfiguration, and the
// *StorageLifetime fields of that configuration determine when stored authcode, PKCE, OIDC, access
// token and refresh token sessions may be garbage collected.
type KubeStorage struct {
	// contains filtered or unexported fields
}
func NewKubeStorage ¶
func NewKubeStorage(secrets corev1client.SecretInterface, timeoutsConfiguration TimeoutsConfiguration) *KubeStorage
func (KubeStorage) ClientAssertionJWTValid ¶
func (k KubeStorage) ClientAssertionJWTValid(ctx context.Context, jti string) error
func (KubeStorage) CreateAccessTokenSession ¶
func (KubeStorage) CreateAuthorizeCodeSession ¶
func (KubeStorage) CreateOpenIDConnectSession ¶
func (KubeStorage) CreatePKCERequestSession ¶
func (KubeStorage) CreateRefreshTokenSession ¶
func (KubeStorage) DeleteAccessTokenSession ¶
func (k KubeStorage) DeleteAccessTokenSession(ctx context.Context, signatureOfAccessToken string) (err error)
func (KubeStorage) DeleteOpenIDConnectSession ¶
func (k KubeStorage) DeleteOpenIDConnectSession(ctx context.Context, fullAuthcode string) error
func (KubeStorage) DeletePKCERequestSession ¶
func (k KubeStorage) DeletePKCERequestSession(ctx context.Context, signatureOfAuthcode string) error
func (KubeStorage) DeleteRefreshTokenSession ¶
func (k KubeStorage) DeleteRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string) (err error)
func (KubeStorage) GetAccessTokenSession ¶
func (KubeStorage) GetAuthorizeCodeSession ¶
func (KubeStorage) GetOpenIDConnectSession ¶
func (KubeStorage) GetPKCERequestSession ¶
func (KubeStorage) GetRefreshTokenSession ¶
func (KubeStorage) InvalidateAuthorizeCodeSession ¶
func (k KubeStorage) InvalidateAuthorizeCodeSession(ctx context.Context, signatureOfAuthcode string) (err error)
func (KubeStorage) RevokeAccessToken ¶
func (k KubeStorage) RevokeAccessToken(ctx context.Context, requestID string) error
func (KubeStorage) RevokeRefreshToken ¶
func (k KubeStorage) RevokeRefreshToken(ctx context.Context, requestID string) error
func (KubeStorage) SetClientAssertionJWT ¶
type NullStorage ¶
// NullStorage is a fosite storage that embeds clientregistry.StaticClientManager for client lookups.
// Every session method in its method set takes only ignored ("_") parameters, which suggests it
// persists nothing; confirm in the method bodies before relying on that.
// NOTE(review): a storage that records nothing cannot mark an authcode as already used, so it must only
// back flows that do not depend on replay detection or revocation — verify where it is wired in.
type NullStorage struct {
	clientregistry.StaticClientManager
}
func (NullStorage) CreateAccessTokenSession ¶
func (NullStorage) CreateAuthorizeCodeSession ¶
func (NullStorage) CreateOpenIDConnectSession ¶
func (NullStorage) CreatePKCERequestSession ¶
func (NullStorage) CreateRefreshTokenSession ¶
func (NullStorage) DeleteAccessTokenSession ¶
func (NullStorage) DeleteAccessTokenSession(_ context.Context, _ string) (err error)
func (NullStorage) DeleteOpenIDConnectSession ¶
func (NullStorage) DeleteOpenIDConnectSession(_ context.Context, _ string) error
func (NullStorage) DeletePKCERequestSession ¶
func (NullStorage) DeletePKCERequestSession(_ context.Context, _ string) error
func (NullStorage) DeleteRefreshTokenSession ¶
func (NullStorage) DeleteRefreshTokenSession(_ context.Context, _ string) (err error)
func (NullStorage) GetAccessTokenSession ¶
func (NullStorage) GetAuthorizeCodeSession ¶
func (NullStorage) GetOpenIDConnectSession ¶
func (NullStorage) GetPKCERequestSession ¶
func (NullStorage) GetRefreshTokenSession ¶
func (NullStorage) InvalidateAuthorizeCodeSession ¶
func (NullStorage) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error)
func (NullStorage) RevokeAccessToken ¶
func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error
func (NullStorage) RevokeRefreshToken ¶
func (NullStorage) RevokeRefreshToken(_ context.Context, _ string) error
type TimeoutsConfiguration ¶
// TimeoutsConfiguration holds every lifespan used by the Supervisor's OIDC flows: how long the
// artifacts it issues (state params, authcodes, tokens) are valid, and how long the corresponding
// session records are kept in storage before the garbage collector may remove them. The storage
// lifetimes are deliberately longer than the lifespans they back; each field documents the required
// relationship, and getting it wrong breaks either refresh or authcode-replay detection.
type TimeoutsConfiguration struct {
	// The length of time that our state param that we encrypt and pass to the upstream OIDC IDP should be considered
	// valid. If a state param generated by the authorize endpoint is sent to the callback endpoint after this much
	// time has passed, then the callback endpoint should reject it. This allows us to set a limit on how long
	// the end user has to finish their login with the upstream IDP, including the time that it takes to fumble
	// with a password manager and two-factor authenticator apps, and also accounting for taking a coffee break while
	// the browser is sitting at the upstream IDP's login page.
	UpstreamStateParamLifespan time.Duration

	// How long an authcode issued by the callback endpoint is valid. This determines how much time the end user
	// has to come back to exchange the authcode for tokens at the token endpoint.
	AuthorizeCodeLifespan time.Duration

	// The lifetime of a downstream access token issued by the token endpoint. Access tokens should generally
	// be fairly short-lived.
	AccessTokenLifespan time.Duration

	// The lifetime of a downstream ID token issued by the token endpoint. This should generally be the same
	// as the AccessTokenLifespan, or longer if it would be useful for the user's proof of identity to be valid
	// for longer than their proof of authorization.
	IDTokenLifespan time.Duration

	// The lifetime of a downstream refresh token issued by the token endpoint. This should generally be
	// significantly longer than the access token lifetime, so it can be used to refresh the access token
	// multiple times. Once the refresh token expires, the user's session is over and they will need
	// to start a new authorization request, which will require them to log in again with the upstream IDP
	// in their web browser.
	RefreshTokenLifespan time.Duration

	// AuthorizationCodeSessionStorageLifetime is the length of time after which an authcode is allowed to be garbage
	// collected from storage. Authcodes are kept in storage after they are redeemed to allow the system to mark the
	// authcode as already used, so it can reject any future uses of the same authcode with special case handling which
	// includes revoking the access and refresh tokens associated with the session. Therefore, this should be
	// significantly longer than the AuthorizeCodeLifespan, and there is probably no reason to make it longer than
	// the sum of the AuthorizeCodeLifespan and the RefreshTokenLifespan. If it is shorter than the refresh token
	// lifetime, a replayed authcode can no longer be recognized as "already used" once its record is collected.
	AuthorizationCodeSessionStorageLifetime time.Duration

	// PKCESessionStorageLifetime is the length of time after which PKCE data is allowed to be garbage collected from
	// storage. PKCE sessions are closely related to authorization code sessions. After the authcode is successfully
	// redeemed, the PKCE session is explicitly deleted. After the authcode expires, the PKCE session is no longer needed,
	// but it is not explicitly deleted. Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll
	// avoid making it exactly the same as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it
	// while it is being used.
	PKCESessionStorageLifetime time.Duration

	// OIDCSessionStorageLifetime is the length of time after which the OIDC session data related to an authcode
	// is allowed to be garbage collected from storage. Due to a bug in an underlying library, these are not explicitly
	// deleted. Similar to the PKCE session, they are not needed anymore after the corresponding authcode has expired.
	// Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll avoid making it exactly the same
	// as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it while it is being used.
	OIDCSessionStorageLifetime time.Duration

	// AccessTokenSessionStorageLifetime is the length of time after which an access token's session data is allowed
	// to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid
	// or else the refresh flow will not work properly. So this must be longer than RefreshTokenLifespan.
	AccessTokenSessionStorageLifetime time.Duration

	// RefreshTokenSessionStorageLifetime is the length of time after which a refresh token's session data is allowed
	// to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid.
	// Therefore, this can be just slightly longer than the RefreshTokenLifespan. We'll avoid making it exactly the same
	// as RefreshTokenLifespan to avoid any chance of the garbage collector deleting it while it is being used.
	// If an expired token is still stored when the user tries to refresh it, then they will get a more specific
	// error message telling them that the token is expired, rather than a more generic error that is returned
	// when the token does not exist. If this is desirable, then the RefreshTokenSessionStorageLifetime can be made
	// to be significantly larger than RefreshTokenLifespan, at the cost of slower cleanup.
	RefreshTokenSessionStorageLifetime time.Duration
}
func DefaultOIDCTimeoutsConfiguration ¶
func DefaultOIDCTimeoutsConfiguration() TimeoutsConfiguration
DefaultOIDCTimeoutsConfiguration returns the TimeoutsConfiguration defaults used by the Supervisor server.
type TokenExchangeHandler ¶
// TokenExchangeHandler is a fosite token endpoint handler for a token exchange grant: it implements
// CanHandleTokenEndpointRequest, HandleTokenEndpointRequest and PopulateTokenEndpointResponse and is
// produced by TokenExchangeFactory.
// NOTE(review): it also implements CanSkipClientAuth, whose return value is not visible here. Skipping
// client authentication at the token endpoint is security-sensitive, so confirm what it returns and
// that HandleTokenEndpointRequest independently validates the subject token being exchanged.
type TokenExchangeHandler struct {
	// contains filtered or unexported fields
}
func (*TokenExchangeHandler) CanHandleTokenEndpointRequest ¶
func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool
func (*TokenExchangeHandler) CanSkipClientAuth ¶
func (t *TokenExchangeHandler) CanSkipClientAuth(_ fosite.AccessRequester) bool
func (*TokenExchangeHandler) HandleTokenEndpointRequest ¶
func (t *TokenExchangeHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error
func (*TokenExchangeHandler) PopulateTokenEndpointResponse ¶
func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error
type UpstreamIdentityProvidersLister ¶
// UpstreamIdentityProvidersLister lists every kind of configured upstream identity provider; it is
// the union of the OIDC and LDAP listers.
type UpstreamIdentityProvidersLister interface {
	UpstreamOIDCIdentityProvidersLister
	UpstreamLDAPIdentityProvidersLister
}
type UpstreamLDAPIdentityProvidersLister ¶
// UpstreamLDAPIdentityProvidersLister returns the currently configured upstream LDAP identity providers.
type UpstreamLDAPIdentityProvidersLister interface {
	GetLDAPIdentityProviders() []provider.UpstreamLDAPIdentityProviderI
}
type UpstreamOIDCIdentityProvidersLister ¶
// UpstreamOIDCIdentityProvidersLister returns the currently configured upstream OIDC identity providers.
type UpstreamOIDCIdentityProvidersLister interface {
	GetOIDCIdentityProviders() []provider.UpstreamOIDCIdentityProviderI
}
type UpstreamStateParamData ¶
// UpstreamStateParamData is the payload encoded into the `state` parameter sent to an upstream OIDC
// provider and decoded again at the callback endpoint. The JSON keys are single letters to keep the
// encoded value small. This payload carries the CSRF token and the PKCE code, both of which must stay
// secret and unforgeable; TimeoutsConfiguration documents that the param is encrypted before it is
// passed to the upstream IDP, and the encoding must also be integrity-protected so the callback can
// trust these fields — confirm both are in place in the codec used for UpstreamStateParamEncodingName.
type UpstreamStateParamData struct {
	// AuthParams holds the downstream authorization request parameters to resume after the upstream
	// login — presumably the original query string; verify against the auth and callback handlers.
	AuthParams string `json:"p"`
	// UpstreamName identifies which upstream identity provider the login was started against.
	UpstreamName string `json:"u"`
	// Nonce is the OIDC nonce used for the upstream authorization request — presumably checked against
	// the upstream ID token at the callback; verify.
	Nonce nonce.Nonce `json:"n"`
	// CSRFToken is the CSRF value — presumably compared with the contents of the CSRFCookieName cookie
	// at the callback so that only the browser that started the login can finish it; verify.
	CSRFToken csrftoken.CSRFToken `json:"c"`
	// PKCECode is the PKCE code for the upstream authorization request; it must not be exposed in the
	// clear, hence the encryption noted above.
	PKCECode pkce.Code `json:"k"`
	// FormatVersion is UpstreamStateParamFormatVersion, letting the callback reject versions it does not understand.
	FormatVersion string `json:"v"`
}
UpstreamStateParamData is the format of the state parameter that we use when we communicate to an upstream OIDC provider.
Keep the JSON to a minimal size because the upstream provider could impose size limitations on the state param.
Directories ¶
Package auth provides a handler for the OIDC authorization endpoint.
Package callback provides a handler for the OIDC callback endpoint.
Package clientregistry defines Pinniped's OAuth2/OIDC clients.
Package discovery provides a handler for the OIDC discovery endpoint.
Package downstreamsession provides some shared helpers for creating downstream OIDC sessions.
Package dynamiccodec provides a type that can encode information using a just-in-time signing and (optionally) encryption secret.
Package idpdiscovery provides a handler for the upstream IDP discovery endpoint.
Package discovery provides a handler for the OIDC discovery endpoint.
formposthtml
Package formposthtml defines HTML templates used by the Supervisor.
Package token provides a handler for the OIDC token endpoint.