Documentation
Overview
Package oidc contains helpers for implementing OIDC-based auth for Waypoint servers and headless clients.
Index
- func ProviderConfig(am *pb.AuthMethod_OIDC, sc *pb.ServerConfig) (*oidc.Config, error)
- func SelectorData(am *pb.AuthMethod_OIDC, idClaims, userClaims json.RawMessage) (map[string]interface{}, error)
- type CallbackServer
- func NewCallbackServer() (*CallbackServer, error)
- func (s *CallbackServer) Close() error
- func (s *CallbackServer) ErrorCh() <-chan error
- func (s *CallbackServer) Nonce() string
- func (s *CallbackServer) RedirectUri() string
- func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request)
- func (s *CallbackServer) SuccessCh() <-chan *pb.CompleteOIDCAuthRequest
- type ProviderCache
- func NewProviderCache() *ProviderCache
- func (c *ProviderCache) Clear()
- func (c *ProviderCache) Close() error
- func (c *ProviderCache) Delete(ctx context.Context, name string)
- func (c *ProviderCache) Get(ctx context.Context, am *pb.AuthMethod, sc *pb.ServerConfig) (*oidc.Provider, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func ProviderConfig
func ProviderConfig(am *pb.AuthMethod_OIDC, sc *pb.ServerConfig) (*oidc.Config, error)
ProviderConfig returns the OIDC provider configuration for an OIDC auth method. The ServerConfig argument may be nil. If it is not nil, the server's advertise addresses are added as valid redirect URLs.
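The redirect-URL handling described above is the security-relevant part of ProviderConfig: only URLs that are explicitly configured, or derived from the server's own advertise addresses, may receive an authorization code. The following is an added example, not the package's code, that models that allow-list construction with the standard library. The AuthMethodOIDC and ServerConfig structs, their field names, the https scheme used for advertise addresses and the /auth/oidc-callback path are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// AuthMethodOIDC and ServerConfig are constructed stand-ins for the protobuf
// messages ProviderConfig takes (pb.AuthMethod_OIDC, pb.ServerConfig). Only
// the fields this example needs are modelled and the names are assumptions.
type AuthMethodOIDC struct {
	AllowedRedirectURIs []string
}

type ServerConfig struct {
	AdvertiseAddrs []string // host:port values the server advertises to clients
}

// callbackPath is the path assumed for the server-side callback endpoint.
const callbackPath = "/auth/oidc-callback"

// RedirectAllowlist builds the set of valid redirect URLs the way the page
// describes ProviderConfig doing it: the URIs configured on the auth method,
// plus one per server advertise address when a ServerConfig is given. Every
// entry must be absolute so that later matching is unambiguous.
func RedirectAllowlist(am *AuthMethodOIDC, sc *ServerConfig) ([]string, error) {
	seen := make(map[string]bool)
	var allow []string
	add := func(raw string) error {
		u, err := url.Parse(raw)
		if err != nil {
			return fmt.Errorf("redirect URI %q: %w", raw, err)
		}
		if u.Scheme == "" || u.Host == "" {
			return fmt.Errorf("redirect URI %q must be absolute", raw)
		}
		if !seen[raw] {
			seen[raw] = true
			allow = append(allow, raw)
		}
		return nil
	}
	for _, r := range am.AllowedRedirectURIs {
		if err := add(r); err != nil {
			return nil, err
		}
	}
	if sc != nil {
		for _, addr := range sc.AdvertiseAddrs {
			// The https scheme for advertise addresses is an assumption.
			if err := add("https://" + addr + callbackPath); err != nil {
				return nil, err
			}
		}
	}
	return allow, nil
}

// RedirectAllowed accepts a candidate redirect URI only on an exact string
// match against the allow-list. Prefix or host-only matching would let a
// different path, port or query string on the same host receive the code.
func RedirectAllowed(allow []string, candidate string) bool {
	for _, a := range allow {
		if a == candidate {
			return true
		}
	}
	return false
}

func main() {
	am := &AuthMethodOIDC{AllowedRedirectURIs: []string{"https://wp.example.com/auth/oidc-callback"}}
	sc := &ServerConfig{AdvertiseAddrs: []string{"10.0.0.5:9702"}}
	allow, err := RedirectAllowlist(am, sc)
	if err != nil {
		panic(err)
	}
	fmt.Println("allowed redirect URLs:", allow)
	fmt.Println("exact match accepted:", RedirectAllowed(allow, "https://10.0.0.5:9702/auth/oidc-callback"))
	fmt.Println("extra query rejected:", !RedirectAllowed(allow, "https://10.0.0.5:9702/auth/oidc-callback?x=1"))
}
```

Exact matching is deliberate: the allow-list is the only thing standing between the authorization code and an unintended receiver, so any looser comparison (prefix, host-only, case-insensitive path) should be treated as a defect.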
func SelectorData
func SelectorData(
    am *pb.AuthMethod_OIDC,
    idClaims, userClaims json.RawMessage,
) (map[string]interface{}, error)
SelectorData returns the data used by go-bexpr for selector evaluation. This is useful for server-side OIDC implementations, not for clients.
Types
type CallbackServer
type CallbackServer struct {
// contains filtered or unexported fields
}
CallbackServer is started with NewCallbackServer and creates an HTTP server for handling loopback OIDC auth redirects.
func NewCallbackServer
func NewCallbackServer() (*CallbackServer, error)
NewCallbackServer creates and starts a new local HTTP server for OIDC authentication to redirect to. This is used to capture the necessary information to complete the authentication.
func (*CallbackServer) Close
func (s *CallbackServer) Close() error
Close cleans up and shuts down the server. On close, errors may be sent to ErrorCh and should be ignored. Because of that, you should call Close only once you are no longer receiving errors from that channel.
func (*CallbackServer) ErrorCh
func (s *CallbackServer) ErrorCh() <-chan error
ErrorCh returns a channel where any errors are sent. Errors may be sent after Close and should be disregarded.
func (*CallbackServer) Nonce
func (s *CallbackServer) Nonce() string
Nonce returns a generated nonce that can be used for the request.
func (*CallbackServer) RedirectUri
func (s *CallbackServer) RedirectUri() string
RedirectUri returns the redirect URI that should be supplied in the auth request.
func (*CallbackServer) ServeHTTP
func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request)
ServeHTTP implements http.Handler and handles the callback request. It is not usually called directly; instead, obtain the server's address (see RedirectUri) and let the provider redirect to it.
func (*CallbackServer) SuccessCh
func (s *CallbackServer) SuccessCh() <-chan *pb.CompleteOIDCAuthRequest
SuccessCh returns a channel that receives a partially completed request for finishing the OIDC auth with the Waypoint server.
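The CallbackServer API above describes a loopback redirect flow: start a local HTTP server, hand its RedirectUri and Nonce to the auth request, wait on SuccessCh or ErrorCh, then Close once you have stopped receiving errors. The following is an added example of that shape, written with the standard library only; it is not the Waypoint implementation. The state parameter, its constant-time check, the /oidc/callback path and the CallbackResult type are this example's own choices; the nonce is generated and exposed as the page describes, but binding it to the ID token happens outside this server and is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/http"
)

// CallbackResult is the partial result handed back on success (assumed type).
type CallbackResult struct{ Code string }

// LoopbackServer is a constructed loopback callback server with the same
// shape as the page's CallbackServer; it is not the Waypoint implementation.
type LoopbackServer struct {
	ln           net.Listener
	srv          *http.Server
	state, nonce string
	successCh    chan CallbackResult
	errCh        chan error
}

// mustToken returns 128 bits from the CSPRNG as hex; entropy failure is fatal.
func mustToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// NewLoopbackServer binds an ephemeral port on 127.0.0.1 only, generates a
// fresh state and nonce, and starts serving in the background.
func NewLoopbackServer() (*LoopbackServer, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	s := &LoopbackServer{ln: ln, state: mustToken(), nonce: mustToken(),
		successCh: make(chan CallbackResult, 1), errCh: make(chan error, 1)}
	s.srv = &http.Server{Handler: s}
	go func() {
		if err := s.srv.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
			s.sendErr(err)
		}
	}()
	return s, nil
}

func (s *LoopbackServer) RedirectURI() string              { return "http://" + s.ln.Addr().String() + "/oidc/callback" }
func (s *LoopbackServer) Nonce() string                    { return s.nonce }
func (s *LoopbackServer) State() string                    { return s.state }
func (s *LoopbackServer) SuccessCh() <-chan CallbackResult { return s.successCh }
func (s *LoopbackServer) ErrorCh() <-chan error            { return s.errCh }

// sendErr never blocks: after Close nobody may be receiving, so an error that
// cannot be delivered is dropped instead of wedging the server goroutine.
func (s *LoopbackServer) sendErr(err error) {
	select {
	case s.errCh <- err:
	default:
	}
}

// ServeHTTP accepts the provider's redirect. The state must equal the value
// this process generated (constant-time compare) before the code is accepted,
// and the response body never echoes provider-supplied strings.
func (s *LoopbackServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	code, state := q.Get("code"), q.Get("state")
	switch {
	case q.Get("error") != "":
		s.sendErr(fmt.Errorf("provider returned error %q", q.Get("error")))
	case code == "" || subtle.ConstantTimeCompare([]byte(state), []byte(s.state)) != 1:
		s.sendErr(errors.New("callback rejected: missing code or state mismatch"))
	default:
		select {
		case s.successCh <- CallbackResult{Code: code}:
		default: // a second valid callback is ignored; the first one wins
		}
		fmt.Fprintln(w, "Authentication complete. You may close this window.")
		return
	}
	http.Error(w, "authentication failed", http.StatusBadRequest)
}

// Close shuts the server down; call it once you have stopped reading ErrorCh.
func (s *LoopbackServer) Close() error { return s.srv.Close() }

func main() {
	s, err := NewLoopbackServer()
	if err != nil {
		panic(err)
	}
	fmt.Printf("redirect_uri=%s state=%s nonce=%s\n", s.RedirectURI(), s.State(), s.Nonce())
	select { // wait for the browser redirect or an error
	case res := <-s.SuccessCh():
		fmt.Println("authorization code received, length", len(res.Code))
	case err := <-s.ErrorCh():
		fmt.Println("callback failed:", err)
	}
	_ = s.Close()
}
```

Two design points carry over to any loopback callback server: bind to 127.0.0.1 rather than all interfaces, so only a browser on the same host can reach it, and make every channel send non-blocking, so that an error raised during or after Close cannot deadlock a server whose consumer has already gone away.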
type ProviderCache
type ProviderCache struct {
// contains filtered or unexported fields
}
ProviderCache is a cache for OIDC providers. You don't want to recreate a provider per request, since creating one makes HTTP requests itself.
The ProviderCache purges a provider in two scenarios: (1) the provider config has been updated and differs from the cached one, and (2) after a set amount of time (see cacheExpiry for the value), in case the remote provider configuration has changed.
func NewProviderCache
func NewProviderCache() *ProviderCache
NewProviderCache should be used to initialize a provider cache. This will start up background resources to manage the cache.
func (*ProviderCache) Clear
func (c *ProviderCache) Clear()
Clear deletes all the providers in the cache.
func (*ProviderCache) Close
func (c *ProviderCache) Close() error
Close implements io.Closer. It just calls Clear, but we implement io.Closer so that code that looks for this interface for "cleanup" will call it.
func (*ProviderCache) Delete
func (c *ProviderCache) Delete(ctx context.Context, name string)
Delete forcibly removes a single auth method's provider from the cache by name.
func (*ProviderCache) Get
func (c *ProviderCache) Get(
    ctx context.Context,
    am *pb.AuthMethod,
    sc *pb.ServerConfig,
) (*oidc.Provider, error)
Get returns the OIDC provider for the given auth method configuration. This will initialize the provider if it isn't already in the cache or if the configuration changed.
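The two purge rules stated for ProviderCache (config changed, or cacheExpiry elapsed) and the rebuild behaviour of Get are the parts worth seeing in code. The following is an added example, not the package's implementation: it keys entries by auth method name, fingerprints the configuration with SHA-256 so that any change forces a rebuild, and expires entries lazily on Get instead of with the background goroutine the page mentions. The AuthMethod and Provider structs, the 5-minute cacheExpiry value and the fakeBuild constructor are assumptions standing in for pb.AuthMethod, *oidc.Provider and the real provider construction.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// cacheExpiry plays the role of the unexported cacheExpiry the page mentions;
// the value is an assumption.
const cacheExpiry = 5 * time.Minute

// AuthMethod is a constructed stand-in for pb.AuthMethod: the name the cache
// is keyed on plus the OIDC settings whose change must invalidate the entry.
type AuthMethod struct {
	Name     string
	Issuer   string
	ClientID string
}

// Provider stands in for *oidc.Provider. Building a real one fetches the
// issuer's metadata over HTTPS, which is exactly the work the cache avoids.
type Provider struct {
	Issuer  string
	BuiltAt time.Time
}

type cacheEntry struct {
	provider   *Provider
	configHash string
	createdAt  time.Time
}

// ProviderCache is a constructed cache with the two purge rules the page
// describes. Expiry is checked on Get rather than by a background goroutine.
type ProviderCache struct {
	mu      sync.Mutex
	entries map[string]*cacheEntry
	now     func() time.Time // injectable clock, used by tests
	build   func(ctx context.Context, am *AuthMethod) (*Provider, error)
	builds  int
}

func NewProviderCache(build func(context.Context, *AuthMethod) (*Provider, error)) *ProviderCache {
	return &ProviderCache{entries: make(map[string]*cacheEntry), now: time.Now, build: build}
}

// configHash fingerprints every field of the auth method so that any edit to
// the OIDC settings produces a different key.
func configHash(am *AuthMethod) string {
	b, _ := json.Marshal(am)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Get returns the cached provider, rebuilding it when absent, when the config
// hash differs, or when the entry is older than cacheExpiry. The lock is held
// across build, so concurrent callers serialize on provider construction.
func (c *ProviderCache) Get(ctx context.Context, am *AuthMethod) (*Provider, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	h := configHash(am)
	if e, ok := c.entries[am.Name]; ok {
		if e.configHash == h && c.now().Sub(e.createdAt) < cacheExpiry {
			return e.provider, nil
		}
		delete(c.entries, am.Name) // purge: config changed or entry expired
	}
	p, err := c.build(ctx, am)
	if err != nil {
		return nil, err
	}
	c.builds++
	c.entries[am.Name] = &cacheEntry{provider: p, configHash: h, createdAt: c.now()}
	return p, nil
}

// Delete force-removes one auth method's provider by name.
func (c *ProviderCache) Delete(name string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.entries, name)
}

// Clear drops every cached provider; Close implements io.Closer via Clear.
func (c *ProviderCache) Clear() {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries = make(map[string]*cacheEntry)
}
func (c *ProviderCache) Close() error { c.Clear(); return nil }

// Builds reports how many times the builder ran; Len how many entries remain.
func (c *ProviderCache) Builds() int { c.mu.Lock(); defer c.mu.Unlock(); return c.builds }
func (c *ProviderCache) Len() int    { c.mu.Lock(); defer c.mu.Unlock(); return len(c.entries) }

// fakeBuild stands in for real provider construction; it does no network I/O.
func fakeBuild(_ context.Context, am *AuthMethod) (*Provider, error) {
	return &Provider{Issuer: am.Issuer, BuiltAt: time.Now()}, nil
}

func main() {
	c := NewProviderCache(fakeBuild)
	am := &AuthMethod{Name: "oidc", Issuer: "https://issuer.example.com", ClientID: "waypoint"}
	c.Get(context.Background(), am)
	c.Get(context.Background(), am) // cache hit: same name, same config, still fresh
	am.ClientID = "rotated"
	c.Get(context.Background(), am) // config changed: entry purged and rebuilt
	fmt.Println("builds:", c.Builds()) // 2
	_ = c.Close()
}
```

Hashing the whole configuration rather than comparing a version field means an operator who rotates the client secret or changes the issuer gets a fresh provider on the next request, with no stale discovery document or key set surviving the change.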