oidc

package
v0.2.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 21, 2021 License: MPL-2.0 Imports: 49 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// AuthMethodPrefix defines the prefix for AuthMethod public ids.
	AuthMethodPrefix = "amoidc"
	// AccountPrefix defines the prefix for Account public ids.
	AccountPrefix = "acctoidc"
)
View Source
const (
	OperationalStateField                  = "OperationalState"
	DisableDiscoveredConfigValidationField = "DisableDiscoveredConfigValidation"
	VersionField                           = "Version"
	NameField                              = "Name"
	DescriptionField                       = "Description"
	IssuerField                            = "Issuer"
	ClientIdField                          = "ClientId"
	ClientSecretField                      = "ClientSecret"
	CtClientSecretField                    = "CtClientSecret"
	ClientSecretHmacField                  = "ClientSecretHmac"
	MaxAgeField                            = "MaxAge"
	SigningAlgsField                       = "SigningAlgs"
	ApiUrlField                            = "ApiUrl"
	AudClaimsField                         = "AudClaims"
	CertificatesField                      = "Certificates"
	ClaimsScopesField                      = "ClaimsScopes"
	AccountClaimMapsField                  = "AccountClaimMaps"
)
View Source
const (
	SigningAlgVO       voName = "SigningAlgs"
	CertificateVO      voName = "Certificates"
	AudClaimVO         voName = "AudClaims"
	ClaimsScopesVO     voName = "ClaimsScopes"
	AccountClaimMapsVO voName = "AccountClaimMaps"
)
View Source
const (
	// AttemptExpiration defines the TTL for an authentication attempt
	AttemptExpiration = 5 * 60 * time.Second

	// FinalRedirectEndpoint is the endpoint that the oidc callback redirect
	// client to after the callback is complete.
	FinalRedirectEndpoint = "%s/authentication-complete"

	// AuthenticationErrorsEndpoint is the endpoint that will returned as the final redirect
	// from the callback when there are auth errors
	AuthenticationErrorsEndpoint = "%s/authentication-error"

	// CallbackEndpoint is the endpoint for the oidc callback which will be
	// included in the auth URL returned when an authen attempted is kicked off.
	CallbackEndpoint = "%s/v1/auth-methods/oidc:authenticate:callback"
)
View Source
const (
	DefaultClaimsScope = "openid"
)

Variables

This section is empty.

Functions

func Callback

func Callback(
	ctx context.Context,
	oidcRepoFn OidcRepoFactory,
	iamRepoFn IamRepoFactory,
	atRepoFn AuthTokenRepoFactory,
	am *AuthMethod,
	state, code string) (finalRedirect string, e error)

Callback is an oidc domain service function for processing a successful OIDC Authentication Response from an IdP oidc callback. On success, it returns a final redirect URL for the response to the IdP.

Callback can return several errors including errors.Forbidden for requests with non-unique states (which are replays)

For more info on a successful OIDC Authentication Response see: https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse

The service operation includes:

* Decrypt the state which has been encrypted with the OIDC DEK. If decryption fails, and error is returned. Decrypted state payload includes the token_request_id, nonce and final_redirect_url.

* Exchange the callbackCodeParameter for provider tokens and validate the tokens. Call UserInfo endpoint using access token.

* Use oidc.(Repository).upsertAccount to create/update account using ID Tokens claims. The "sub" claim as external ID and setting email and full name for the account.

* Use iam.(Repository).LookupUserWithLogin(...) look up the iam.User matching the Account.

* Use the authtoken.(Repository).CreateAuthToken(...) to create a pending auth token for the authenticated user.

func EncodeCertificates

func EncodeCertificates(certs ...*x509.Certificate) ([]string, error)

EncodeCertificates will encode a number of x509 certificates to PEMs.

func ParseAccountClaimMaps added in v0.2.1

func ParseAccountClaimMaps(m ...string) (map[string]string, error)

func ParseCertificates

func ParseCertificates(pems ...string) ([]*x509.Certificate, error)

ParseCertificates will parse a number of certificates PEMs to x509s.

func StartAuth

func StartAuth(ctx context.Context, oidcRepoFn OidcRepoFactory, authMethodId string, opt ...Option) (authUrl *url.URL, tokenId string, e error)

StartAuth accepts a request to start an OIDC authentication/authorization attempt. It returns two URLs and a tokenId. authUrl is an OIDC authorization request URL. The authUrl includes a "state" parameter which is encrypted and has a payload which includes (among other things) the final redirect (calculated from the clientInfo), a token_request_id, and nonce. The tokenUrl is the URL theclient can use to retrieve the results of the user's OIDC authentication attempt. The tokenId is an encrypted payload for the POST request to the tokenUrl.

If the auth method is in an InactiveState, then an error is returned.

Options supported:

WithRoundTripPayload(string) provides an option for a client roundtrip payload. This payload will be added to the final redirect as a query parameter.

func SupportedAlgorithm

func SupportedAlgorithm(a Alg) bool

SupportedAlgorithm returns true iff the provided algorithm is supported by boundary.

func TestConvertToUrls

func TestConvertToUrls(t *testing.T, urls ...string) []*url.URL

TestConvertToUrls will convert URL string representations to a slice of *url.URL

func TestPendingToken

func TestPendingToken(
	t *testing.T,
	tokenRepo *authtoken.Repository,
	user *iam.User,
	acct *Account,
	tokenRequestId string,
) *authtoken.AuthToken

TestPendingToken will create a pending auth token for the tokenRequestId (aka public id)

func TestSortAuthMethods

func TestSortAuthMethods(t *testing.T, methods []*AuthMethod)

TestSortAuthMethods will sort the provided auth methods by public id and it will sort each auth method's embedded value objects (algs, auds, certs, callbacks)

func TestTokenRequestId

func TestTokenRequestId(
	t *testing.T,
	am *AuthMethod,
	kms *kms.Kms,
	expIn time.Duration,
	tokenPublicId string,
) string

TestTokenRequestId will make a request.Token and encrypt/encode within a request.Wrapper. the returned string can be used as a parameter for functions like: oidc.TokenRequest

func TokenRequest

func TokenRequest(ctx context.Context, kms *kms.Kms, atRepoFn AuthTokenRepoFactory, authMethodId, tokenRequestId string) (*authtoken.AuthToken, error)

TokenRequest is an oidc domain service function for processing a token request from a Boundary client. Token requests are the result of a Boundary client polling the tokenUrl they received via StartAuth. On success, it returns Boundary token.

* Decrypt the tokenRequestId. If encryption fails, it returns an error.

* Use the authtoken.(Repository).IssueAuthToken to issue the request id's token and mark it as issued in the repo. If the token is already issue, an error is returned.

func UnwrapMessage added in v0.2.1

func UnwrapMessage(ctx context.Context, encodedWrappedMsg string) (*request.Wrapper, error)

UnwrapMessage does just that, it unwraps the encoded request.Wrapper proto message

Types

type Account

type Account struct {
	*store.Account
	// contains filtered or unexported fields
}

Account contains an OIDC auth account. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Accounts.

func AllocAccount

func AllocAccount() *Account

AllocAccount makes an empty one in memory

func NewAccount

func NewAccount(authMethodId string, subject string, opt ...Option) (*Account, error)

NewAccount creates a new in memory Account assigned to OIDC AuthMethod. WithIssuer, WithFullName, WithEmail, WithName and WithDescription are the only valid options. All other options are ignored.

Subject equals the locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.

Issuer equals the Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

FullName equals the End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.

Email equals the End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique

See: https://openid.net/specs/openid-connect-core-1_0.html

func TestAccount

func TestAccount(t *testing.T, conn *gorm.DB, am *AuthMethod, subject string, opt ...Option) *Account

TestAccount creates a test oidc auth account.

func (*Account) Clone

func (a *Account) Clone() *Account

Clone an Account.

func (*Account) SetTableName

func (a *Account) SetTableName(n string)

SetTableName sets the table name.

func (*Account) TableName

func (a *Account) TableName() string

TableName returns the table name.

type AccountClaimMap added in v0.2.1

type AccountClaimMap struct {
	*store.AccountClaimMap
	// contains filtered or unexported fields
}

AccountClaimMap defines optional OIDC scope values that are used to request claims, in addition to the default scope of "openid" (see: DefaultClaimsScope).

func AllocAccountClaimMap added in v0.2.1

func AllocAccountClaimMap() AccountClaimMap

AllocClaimsScope makes an empty one in memory

func NewAccountClaimMap added in v0.2.1

func NewAccountClaimMap(authMethodId, fromClaim string, toClaim AccountToClaim) (*AccountClaimMap, error)

func (*AccountClaimMap) Clone added in v0.2.1

func (cs *AccountClaimMap) Clone() *AccountClaimMap

Clone a AccountClaimMap

func (*AccountClaimMap) SetTableName added in v0.2.1

func (s *AccountClaimMap) SetTableName(n string)

SetTableName sets the table name.

func (*AccountClaimMap) TableName added in v0.2.1

func (s *AccountClaimMap) TableName() string

TableName returns the table name.

type AccountToClaim added in v0.2.1

type AccountToClaim string
const (
	ToSubClaim   AccountToClaim = "sub"
	ToEmailClaim AccountToClaim = "email"
	ToNameClaim  AccountToClaim = "name"
)

func ConvertToAccountToClaim added in v0.2.1

func ConvertToAccountToClaim(s string) (AccountToClaim, error)

type Alg

type Alg string

Alg represents asymmetric signing algorithms

const (
	// JOSE asymmetric signing algorithm values as defined by RFC 7518.
	//
	// See: https://tools.ietf.org/html/rfc7518#section-3.1
	RS256 Alg = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 Alg = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 Alg = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 Alg = "ES256" // ECDSA using P-256 and SHA-256
	ES384 Alg = "ES384" // ECDSA using P-384 and SHA-384
	ES512 Alg = "ES512" // ECDSA using P-521 and SHA-512
	PS256 Alg = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 Alg = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 Alg = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
	EdDSA Alg = "EdDSA"
)

type AudClaim

type AudClaim struct {
	*store.AudClaim
	// contains filtered or unexported fields
}

AudClaim defines an audience claim for an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its AudClaims. AudClaims are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

see aud claim in the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func AllocAudClaim

func AllocAudClaim() AudClaim

AllocAudClaim make an empty one in memory.

func NewAudClaim

func NewAudClaim(authMethodId string, audClaim string) (*AudClaim, error)

NewAudClaim creates a new in memory audience claim assigned to an OIDC AuthMethod. It supports no options. If an AuthMethod as assigned AudClaims, then ID tokens issued from the provider must contain one of the assigned audiences to be valid.

For more info on oidc aud claims, see the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func (*AudClaim) Clone

func (c *AudClaim) Clone() *AudClaim

Clone an AudClaim

func (*AudClaim) SetTableName

func (c *AudClaim) SetTableName(n string)

SetTableName sets the table name.

func (*AudClaim) TableName

func (c *AudClaim) TableName() string

TableName returns the table name.

type AuthMethod

type AuthMethod struct {
	*store.AuthMethod
	// contains filtered or unexported fields
}

AuthMethod contains an OIDC auth method configuration. It is owned by a scope. AuthMethods can have Accounts, AudClaims, CallbackUrls, Certificates, SigningAlgs. AuthMethods also have one State at any given time which determines it's behavior for many its operations.

func AllocAuthMethod

func AllocAuthMethod() AuthMethod

AllocAuthMethod makes an empty one in memory

func NewAuthMethod

func NewAuthMethod(scopeId string, clientId string, clientSecret ClientSecret, opt ...Option) (*AuthMethod, error)

NewAuthMethod creates a new in memory AuthMethod assigned to scopeId. WithMaxAge, WithName and WithDescription are the only valid options. All other options are ignored.

State equals the state of the OIDC auth method. State is not a supported parameter when creating new AuthMethod's since it must be Inactive for all new AuthMethods.

Issuer equals a URL that identifies the OIDC provider. Boundary will strip off anything beyond scheme, host and port

ClientId equals an OAuth 2.0 Client Identifier valid at the Authorization Server.

ClientSecret equals the client's secret which will be encrypted when stored in the database and an hmac representation will also be stored when ever the secret changes. The secret is not returned via the API, the hmac is returned so callers can determine if it's been updated.

MaxAge equals the Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.

See: https://openid.net/specs/openid-connect-core-1_0.html

Supports the options of WithMaxAge, WithSigningAlgs, WithAudClaims, WithApiUrl and WithCertificates and all other options are ignored.

func TestAuthMethod

func TestAuthMethod(
	t *testing.T,
	conn *gorm.DB,
	databaseWrapper wrapping.Wrapper,
	scopeId string,
	state AuthMethodState,
	clientId string,
	clientSecret ClientSecret,
	opt ...Option) *AuthMethod

TestAuthMethod creates a test oidc auth method. WithName, WithDescription, WithMaxAge, WithApiUrl, WithIssuer, WithCertificates, WithAudClaims, and WithSigningAlgs options are supported.

func (*AuthMethod) Clone

func (a *AuthMethod) Clone() *AuthMethod

Clone an AuthMethod.

func (*AuthMethod) SetTableName

func (a *AuthMethod) SetTableName(n string)

SetTableName sets the table name.

func (*AuthMethod) TableName

func (a *AuthMethod) TableName() string

TableName returns the table name.

type AuthMethodState

type AuthMethodState string

AuthMethodState defines the possible states for an oidc auth method

const (
	UnknownState       AuthMethodState = "unknown"
	InactiveState      AuthMethodState = "inactive"
	ActivePrivateState AuthMethodState = "active-private"
	ActivePublicState  AuthMethodState = "active-public"
)

type AuthTokenRepoFactory

type AuthTokenRepoFactory func() (*authtoken.Repository, error)

AuthTokenRepoFactory is used by "service functions" to create a new auth token repo

type Certificate

type Certificate struct {
	*store.Certificate
	// contains filtered or unexported fields
}

Certificate defines a certificate to use as part of a trust root when connecting to the auth method's OIDC Provider. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Certificates. Certificates are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

func AllocCertificate

func AllocCertificate() Certificate

AllocCertificate makes an empty one in memory

func NewCertificate

func NewCertificate(authMethodId string, certificatePem string) (*Certificate, error)

NewCertificate creates a new in memory certificate assigned to and OIDC auth method.

func (*Certificate) Clone

func (c *Certificate) Clone() *Certificate

Clone a Certificate

func (*Certificate) SetTableName

func (c *Certificate) SetTableName(n string)

SetTableName sets the table name.

func (*Certificate) TableName

func (c *Certificate) TableName() string

TableName returns the table name.

type ClaimsScope added in v0.2.1

type ClaimsScope struct {
	*store.ClaimsScope
	// contains filtered or unexported fields
}

ClaimsScope defines optional OIDC scope values that are used to request claims, in addition to the default scope of "openid" (see: DefaultClaimsScope).

see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

func AllocClaimsScope added in v0.2.1

func AllocClaimsScope() ClaimsScope

AllocClaimsScope makes an empty one in memory

func NewClaimsScope added in v0.2.1

func NewClaimsScope(authMethodId, claimsScope string) (*ClaimsScope, error)

func (*ClaimsScope) Clone added in v0.2.1

func (cs *ClaimsScope) Clone() *ClaimsScope

Clone a ClaimsScope

func (*ClaimsScope) SetTableName added in v0.2.1

func (s *ClaimsScope) SetTableName(n string)

SetTableName sets the table name.

func (*ClaimsScope) TableName added in v0.2.1

func (s *ClaimsScope) TableName() string

TableName returns the table name.

type ClientSecret

type ClientSecret string

ClientSecret equals an AuthMethod's client secret. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error.

func (ClientSecret) MarshalJSON

func (s ClientSecret) MarshalJSON() ([]byte, error)

MarshalJSON will redact the client_secret.

func (ClientSecret) String

func (s ClientSecret) String() string

String will redact the client_secret.

type HTTPClient

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

type IamRepoFactory

type IamRepoFactory func() (*iam.Repository, error)

IamRepoFactory is used by "service functions" to create a new iam repo

type OidcRepoFactory

type OidcRepoFactory func() (*Repository, error)

OidcRepoFactory is used by "service functions" to create a new oidc repo

type Option

type Option func(*options)

Option - how Options are passed as arguments.

func WithAccountClaimMap added in v0.2.1

func WithAccountClaimMap(acm map[string]AccountToClaim) Option

WithAccountClaimMap provides an option for specifying an Account Claim map.

func WithApiUrl

func WithApiUrl(urls *url.URL) Option

WithApiUrl provides optional api URL to use in the various

func WithAudClaims

func WithAudClaims(aud ...string) Option

WithAudClaims provides optional audience claims

func WithAuthMethod

func WithAuthMethod(am *AuthMethod) Option

WithAuthMethod provides an option for passing an AuthMethod to the operation

func WithCertificates

func WithCertificates(certs ...*x509.Certificate) Option

WithCertificates provides optional certificates.

func WithClaimsScopes added in v0.2.1

func WithClaimsScopes(claimsScope ...string) Option

WithClaimsScopes provides optional claims scopes

func WithDescription

func WithDescription(desc string) Option

WithDescription provides an optional description.

func WithDryRun

func WithDryRun() Option

WithDryRun provides an option to do a "dry run" of a write operation, which will run verification steps and return any errors, but will not persist the data into the repository.

func WithEmail

func WithEmail(email string) Option

WithEmail provides an optional email address for the account.

func WithForce

func WithForce() Option

WithForce provides an option to force the write operation, regardless of whether or not it's pre-verification succeeds.

func WithFullName

func WithFullName(n string) Option

WithFullName provides an optional full name for the account.

func WithIssuer

func WithIssuer(iss *url.URL) Option

WithIssuer provides an option for specifying an issuer.

func WithKeyId

func WithKeyId(id string) Option

WithKeyId provides an option for specifying a key id.

func WithLimit

func WithLimit(l int) Option

WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.

func WithMaxAge

func WithMaxAge(max int) Option

WithMaxAge provides an optional max age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.

see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func WithName

func WithName(name string) Option

WithName provides an optional name.

func WithOperationalState

func WithOperationalState(state AuthMethodState) Option

WithOperationalState provides an option for specifying an issuer.

func WithOrderByCreateTime

func WithOrderByCreateTime(ascending bool) Option

WithOrderByCreateTime provides an option to specify ordering by the CreateTime field.

func WithPublicId

func WithPublicId(publicId string) Option

WithPublicId provides an option for passing a public id to the operation

func WithRoundtripPayload

func WithRoundtripPayload(payload string) Option

WithRoundTripPayload provides an option for passing an payload to be roundtripped during an authentication process.

func WithSigningAlgs

func WithSigningAlgs(alg ...Alg) Option

WithSigningAlgs provides optional signing algorithms

func WithUnauthenticatedUser

func WithUnauthenticatedUser(enabled bool) Option

WithUnauthenticatedUser provides an option for filtering results for an unauthenticated users.

type Repository

type Repository struct {
	// contains filtered or unexported fields
}

Repository is the oidc repository

func NewRepository

func NewRepository(r db.Reader, w db.Writer, kms *kms.Kms, opt ...Option) (*Repository, error)

NewRepository creates a new oidc Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.

func (*Repository) CreateAccount

func (r *Repository) CreateAccount(ctx context.Context, scopeId string, a *Account, opt ...Option) (*Account, error)

CreateAccount inserts an Account, a, into the repository and returns a new Account containing its PublicId. a is not changed. a must contain a valid AuthMethodId. a must not contain a PublicId. The PublicId is generated and assigned by this method. a must not contain an Issuer. The Issuer is retrieved from the auth method. If it does not contain an Issuer an error is returned.

a must contain a valid Subject. a.Subject must be unique for an a.AuthMethod/Issuer pair.

Both a.Name and a.Description are optional. If a.Name is set, it must be unique within a.AuthMethodId.

func (*Repository) CreateAuthMethod

func (r *Repository) CreateAuthMethod(ctx context.Context, am *AuthMethod, opt ...Option) (*AuthMethod, error)

CreateAuthMethod creates am (*AuthMethod) in the repo along with its associated embedded optional value objects of SigningAlgs, AudClaims, and Certificates and returns the newly created AuthMethod (with its PublicId set)

The AuthMethod's public id and version must be empty (zero values).

All options are ignored.

func (*Repository) DeleteAccount

func (r *Repository) DeleteAccount(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)

DeleteAccount deletes the account for the provided id from the repository returning a count of the number of records deleted. All options are ignored.

func (*Repository) DeleteAuthMethod

func (r *Repository) DeleteAuthMethod(ctx context.Context, publicId string, _ ...Option) (int, error)

DeleteAuthMethod will delete the auth method from the repository. It is idempotent so if the auth method was not found, return 0 (no rows affected) and nil. No options are currently supported.

func (*Repository) ListAccounts

func (r *Repository) ListAccounts(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*Account, error)

ListAccounts in an auth method and supports WithLimit option.

func (*Repository) ListAuthMethods

func (r *Repository) ListAuthMethods(ctx context.Context, scopeIds []string, opt ...Option) ([]*AuthMethod, error)

ListAuthMethods returns a slice of AuthMethods for the scopeId. The WithUnauthenticatedUser, WithLimit and WithOrder options are supported and

all other options are ignored.

func (*Repository) LookupAccount

func (r *Repository) LookupAccount(ctx context.Context, withPublicId string, opt ...Option) (*Account, error)

LookupAccount will look up an account in the repository. If the account is not found, it will return nil, nil. All options are ignored.

func (*Repository) LookupAuthMethod

func (r *Repository) LookupAuthMethod(ctx context.Context, publicId string, opt ...Option) (*AuthMethod, error)

LookupAuthMethod will lookup an auth method in the repo, along with its associated Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates. If it's not found, it will return nil, nil. The WithUnauthenticatedUser options is supported and all other options are ignored.

func (*Repository) MakeInactive

func (r *Repository) MakeInactive(ctx context.Context, authMethodId string, version uint32, _ ...Option) (*AuthMethod, error)

MakeInactive will transision an OIDC auth method from either the ActivePrivateState or the ActivePublicState to the InactiveState. No options are supported.

func (*Repository) MakePrivate

func (r *Repository) MakePrivate(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)

MakePrivate will transision an OIDC auth method from either the InactiveState or the ActivePublicState to the ActivePrivateState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and the oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.

func (*Repository) MakePublic

func (r *Repository) MakePublic(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)

MakePublic will transision an OIDC auth method from either the InactiveState or the ActivePrivateState to the ActivePublicState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and the oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.

func (*Repository) UpdateAccount

func (r *Repository) UpdateAccount(ctx context.Context, scopeId string, a *Account, version uint32, fieldMaskPaths []string, opt ...Option) (*Account, int, error)

UpdateAccount updates the repository entry for a.PublicId with the values in a for the fields listed in fieldMaskPaths. It returns a new Account containing the updated values and a count of the number of records updated. a is not changed.

a must contain a valid PublicId. Only a.Name and a.Description can be updated. If a.Name is set to a non-empty string, it must be unique within a.AuthMethodId.

An attribute of a will be set to NULL in the database if the attribute in a is the zero value and it is included in fieldMaskPaths.

func (*Repository) UpdateAuthMethod

func (r *Repository) UpdateAuthMethod(ctx context.Context, am *AuthMethod, version uint32, fieldMaskPaths []string, opt ...Option) (*AuthMethod, int, error)

UpdateAuthMethod will retrieve the auth method from the repository, and update it based on the field masks provided.

The auth method will not be persisted in the repository if the auth method's OperationalStatus is currently ActivePublic or ActivePrivate and the update would have resulted in an incomplete/non-operational auth method.

During update, the auth method will be tested/validated against its provider's published OIDC discovery document. If this validation succeeds, the auth method is persisted in the repository, and the written auth method is returned.

fieldMaskPaths provides field_mask.proto paths for fields that should be updated. Fields will be set to NULL if the field is a zero value and included in fieldMask. Name, Description, Issuer, ClientId, ClientSecret, MaxAge are all updatable fields. The AuthMethod's Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates are also updatable. if no updatable fields are included in the fieldMaskPaths, then an error is returned.

Options supported:

* WithDryRun: when this option is provided, the auth method is retrieved from the repo, updated based on the fieldMask, tested via Repository.ValidateDiscoveryInfo, the results of the update are returned, and and any errors reported. The updates are not peristed to the repository.

* WithForce: when this option is provided, the auth method is persisted in the repository without testing it's validity against its provider's published OIDC discovery document. Even if this option is provided, the auth method will not be persisted in the repository when the update would have resulted in an incomplete/non-operational auth method and it's OperationalStatus is currently ActivePublic or ActivePrivate.

Also, a successful update will invalidate (delete) the Repository's cache of the oidc.Provider for the AuthMethod.

func (*Repository) ValidateDiscoveryInfo

func (r *Repository) ValidateDiscoveryInfo(ctx context.Context, opt ...Option) error

ValidateDiscoveryInfo will test/validate the provided AuthMethod against the info from it's discovery URL.

It will verify that all required fields for a working AuthMethod have values.

If the AuthMethod is complete, ValidateDiscoveryInfo retrieves the auth method's OpenID Configuration document. The values in the AuthMethod (and associated data) are validated with the retrieved document. The issuer and id token signing algorithm in the configuration are validated with the retrieved document. ValidateDiscoveryInfo also verifies the authorization, token, and user_info endpoints by connecting to each and uses any certificates in the configuration as trust anchors to confirm connectivity.

Options supported are: WithPublicId, WithAuthMethod

type SigningAlg

type SigningAlg struct {
	*store.SigningAlg
	// contains filtered or unexported fields
}

SigningAlg defines an signing algorithm supported by an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its SigningAlgs. SigningAlgs are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

func AllocSigningAlg

func AllocSigningAlg() SigningAlg

AllocSigningAlg makes an empty one in memory

func NewSigningAlg

func NewSigningAlg(authMethodId string, alg Alg) (*SigningAlg, error)

NewSigningAlg creates a new in memory signing alg assigned to an OIDC AuthMethod. It supports no options.

func (*SigningAlg) Clone

func (s *SigningAlg) Clone() *SigningAlg

Clone a SigningAlg

func (*SigningAlg) SetTableName

func (s *SigningAlg) SetTableName(n string)

SetTableName sets the table name.

func (*SigningAlg) TableName

func (s *SigningAlg) TableName() string

TableName returns the table name.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL