authlib

module
v0.0.0-...-5ed7b74 Latest
Published: Jun 11, 2024 License: Apache-2.0

README

Authlib

A collection of common authn/authz utilities.

Authz

This package exports an RBAC client library that contains a set of utilities to check users' permissions from Grafana.

Grafana Configuration

Grafana needs to be configured with the accessControlOnCall feature toggle set for the search permissions endpoint to be registered.

[feature_toggles]
enable = accessControlOnCall 

Examples

Here is an example of how to check a user's access to a resource.

package main

import (
	"context"
	"log"

	"github.com/grafana/authlib/authz"
)

func main() {
	// The client calls the Grafana API with a service account token and
	// uses the JWKS endpoint to verify ID tokens.
	client, err := authz.NewEnforcementClient(authz.Config{
		APIURL:  "http://localhost:3000",
		Token:   "<service account token>",
		JWKsURL: "<jwks url>",
	})

	if err != nil {
		log.Fatal("failed to construct authz client: ", err)
	}

	// Check whether the user behind the ID token may perform "users:read"
	// on the user with id 1.
	ok, err := client.HasAccess(context.Background(), "<id token>", "users:read", authz.Resource{
		Kind: "users",
		Attr: "id",
		ID:   "1",
	})

	if err != nil {
		log.Fatal("failed to perform access check: ", err)
	}

	log.Println("has access: ", ok)
}
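
An added example, not part of the authlib README: HasAccess returns both a boolean and an error, and inside an HTTP service a failed check should deny the request rather than exit the process the way log.Fatal does. The AccessCheck adapter type, the probe helper and the X-Grafana-Id header name are assumptions made for this example; in real code the adapter would be a closure around client.HasAccess with a fixed action and resource.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net/http"
	"net/http/httptest"
)

// idTokenHeader is an assumed header name; use the one your deployment forwards.
const idTokenHeader = "X-Grafana-Id"

// AccessCheck is a hypothetical adapter; wrap client.HasAccess in a closure of this type.
type AccessCheck func(ctx context.Context, idToken string) (bool, error)

// RequireAccess runs next only when check returns (true, nil).
func RequireAccess(check AccessCheck, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		idToken := r.Header.Get(idTokenHeader)
		if idToken == "" {
			http.Error(w, "missing id token", http.StatusUnauthorized)
			return
		}
		ok, err := check(r.Context(), idToken)
		if err != nil || !ok {
			// Fail closed: an error counts as a denial. The token is never logged.
			log.Printf("access denied (ok=%v, err=%v)", ok, err)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request and reports the status and whether next ran.
func probe(check AccessCheck, idToken string) (status int, reached bool) {
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { reached = true })
	req := httptest.NewRequest(http.MethodGet, "/users/1", nil)
	req.Header.Set(idTokenHeader, idToken)
	rec := httptest.NewRecorder()
	RequireAccess(check, next).ServeHTTP(rec, req)
	return rec.Code, reached
}

func main() {
	failing := func(context.Context, string) (bool, error) { return true, errors.New("rbac api unreachable") }
	log.Println(probe(failing, "constructed-token"))
}
```

The failing check in main returns true together with an error, and the request is still rejected, because the error is evaluated before the boolean.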

Authn

This package exports a token verifier that can be used to verify signed JWTs. A common use case for this component is to verify Grafana ID tokens.

This package handles retrieval and caching of JWKS. It was designed to be generic over "custom claims" so that we are not restricted to the current structure of ID tokens. This means that the parsed claims will contain standard JWT claims such as aud and exp, plus the specified custom claims.

package main

import (
	"context"
	"log"

	"github.com/grafana/authlib/authn"
)

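// CustomClaims holds any claims beyond the standard JWT ones; it is empty here.
type CustomClaims struct{}

func main() {
	// The key retriever fetches and caches the signing keys from the JWKS URL.
	verifier := authn.NewVerifier[CustomClaims](authn.VerifierConfig{
		AllowedAudiences: []string{},
	}, authn.TokenTypeID, authn.NewKeyRetriever(authn.KeyRetrieverConfig{SigningKeysURL: "<jwks url>"}))

	// Verify checks the token and returns the parsed claims.
	claims, err := verifier.Verify(context.Background(), "<token>")

	if err != nil {
		log.Fatal("failed to verify id token: ", err)
	}

	log.Println("Claims: ", claims)
}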

The verifier is generic over jwt.Claims. The most common use cases are verifying a Grafana-issued ID token or access token. For those we have AccessTokenVerifier and IDTokenVerifier. These two structures are simple wrappers around Verifier with the expected claims.

Directories

Path Synopsis
proto/v1
Package authzv1 is a reverse proxy.
internal
