providers

package
Published: Aug 22, 2024 License: MIT Imports: 17 Imported by: 0

Documentation

Index

Constants

// PKCE code_challenge_method values (RFC 7636). ProviderData.CodeChallengeMethod
// holds the one selected for a provider, or "" when no code challenge is sent.
const (
	// CodeChallengeMethodPlain sends the code verifier itself as the challenge.
	// It gives weaker protection than S256 and should only be chosen when the
	// provider does not advertise S256 support.
	CodeChallengeMethodPlain = "plain"
	// CodeChallengeMethodS256 sends the base64url-encoded SHA-256 digest of the
	// code verifier; prefer it whenever the provider supports it.
	CodeChallengeMethodS256  = "S256"
)
const (
	// TokenTypeBearer is the OAuth2 token_type for bearer tokens (RFC 6750),
	// i.e. tokens whose possession alone grants access.
	TokenTypeBearer = "Bearer"
)

Variables

// Sentinel errors shared by all provider implementations; callers compare
// with errors.Is.
var (
	// ErrNotImplemented is returned when a provider did not override a default
	// implementation method that doesn't have sensible defaults.
	ErrNotImplemented = errors.New("not implemented")

	// ErrMissingCode is returned when a Redeem method is called with an empty
	// authorization code.
	ErrMissingCode = errors.New("missing code")

	// ErrMissingIDToken is returned when an oidc.Token does not contain the
	// extra `id_token` field for an IDToken.
	ErrMissingIDToken = errors.New("missing id_token")

	// ErrMissingOIDCVerifier is returned when a provider didn't set `Verifier`
	// but an attempt to call `Verifier.Verify` was about to be made. Treat it
	// as a configuration error: no ID token can be trusted without a verifier.
	ErrMissingOIDCVerifier = errors.New("oidc verifier is not configured")
)

Functions

func NewVerifierFromConfig

func NewVerifierFromConfig(providerConfig options.Provider, p *ProviderData, client wrapper.HttpClient) error

Types

type AliyunProvider

// AliyunProvider is a Provider implementation for Aliyun. It embeds
// *ProviderData for the default behaviour and overrides Redeem and
// RefreshSession.
type AliyunProvider struct {
	*ProviderData
}

func NewAliyunProvider

func NewAliyunProvider(p *ProviderData) *AliyunProvider

func (*AliyunProvider) Redeem

func (p *AliyunProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error

func (*AliyunProvider) RefreshSession

func (p *AliyunProvider) RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)

type OIDCProvider

// OIDCProvider represents an OIDC based Identity Provider. It embeds
// *ProviderData and adds ID-token handling on top of the default flow.
type OIDCProvider struct {
	*ProviderData

	// SkipNonce disables the nonce handling offered by GetLoginURL.
	// NOTE(review): the nonce binds the ID token to the login request; leaving
	// this false is the safer default — confirm in the implementation what is
	// skipped when it is set.
	SkipNonce bool
}

OIDCProvider represents an OIDC based Identity Provider

func NewOIDCProvider

func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider

NewOIDCProvider creates a new OIDCProvider.

func (*OIDCProvider) EnrichSession

func (p *OIDCProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*OIDCProvider) GetLoginURL

func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string

GetLoginURL makes the LoginURL with optional nonce support

func (*OIDCProvider) Redeem

func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error

Redeem exchanges the OAuth2 authentication token for an ID token

func (*OIDCProvider) RefreshSession

func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)

RefreshSession uses the RefreshToken to fetch new Access and ID Tokens

func (*OIDCProvider) ValidateSession

func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession checks that the session's IDToken is still valid

type Provider

// Provider represents an upstream identity provider implementation.
// ProviderData supplies defaults for every method; concrete providers
// embed it and override what they need.
type Provider interface {
	// Data returns the provider's ProviderData.
	Data() *ProviderData
	// GetLoginURL builds the IdP login URL, including any nonce/PKCE
	// parameters. The second argument appears to be the OAuth2 state value
	// (the implementations name it "state").
	GetLoginURL(redirectURI, finalRedirect, nonce string, extraParams url.Values) string
	// Redeem exchanges the authorization code for tokens. codeVerifier is the
	// PKCE verifier, or "" when no code challenge was presented; ErrMissingCode
	// is returned for an empty code.
	Redeem(ctx context.Context, redirectURI, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error
	// Deprecated: Migrate to EnrichSession
	GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
	// EnrichSession is called after Redeem to populate session fields such as
	// User, Email and Groups via provider-specific calls.
	EnrichSession(ctx context.Context, s *sessions.SessionState) error
	// Authorize performs global authorization on an authenticated session; it
	// is not used for fine-grained per-route rules.
	Authorize(ctx context.Context, s *sessions.SessionState) (bool, error)
	// ValidateSession reports whether the session's token is still valid.
	ValidateSession(ctx context.Context, s *sessions.SessionState) bool
	// RefreshSession uses the refresh token to obtain new tokens, reporting
	// whether a refresh happened.
	RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)
}

Provider represents an upstream identity provider implementation

func NewProvider

func NewProvider(providerConfig options.Provider) (Provider, error)

type ProviderData

// ProviderData contains information required to configure all implementations
// of OAuth2 providers. It also implements Provider with default behaviour that
// concrete providers embed and selectively override.
type ProviderData struct {
	// ProviderName identifies the provider (presumably used in logs/config —
	// confirm against callers).
	ProviderName string
	// IdP endpoints: LoginURL is the base of the URL GetLoginURL builds,
	// RedeemURL receives the code exchange, ProfileURL and ValidateURL back
	// EnrichSession and ValidateSession respectively (verify in the
	// implementations).
	LoginURL     *url.URL
	RedeemURL    *url.URL
	ProfileURL   *url.URL
	ValidateURL  *url.URL
	// OAuth2 client credentials. ClientSecret is sensitive: read it through
	// GetClientSecret and keep it out of logs and error messages.
	ClientID     string
	ClientSecret string
	// Scope is the space-separated scope string requested at login.
	Scope        string
	// The picked CodeChallenge Method or empty if none.
	CodeChallengeMethod string
	// Code challenge methods supported by the Provider; the json tag matches
	// the discovery document field it is decoded from.
	SupportedCodeChallengeMethods []string `json:"code_challenge_methods_supported,omitempty"`

	// Common OIDC options for any OIDC-based providers to consume
	// UserClaim, EmailClaim and GroupsClaim name the ID-token claims used to
	// fill the corresponding session fields (assumed from their names — confirm).
	UserClaim                string
	EmailClaim               string
	GroupsClaim              string
	// Verifier checks ID tokens; when it is nil but NeedsVerifier is set,
	// ErrMissingOIDCVerifier is returned rather than trusting the token.
	Verifier                 internaloidc.IDTokenVerifier
	NeedsVerifier            bool
	// SkipClaimsFromProfileURL presumably suppresses the ProfileURL lookup in
	// EnrichSession — confirm.
	SkipClaimsFromProfileURL bool

	// Universal Group authorization data structure
	// any provider can set to consume. Used as a set; an empty map means no
	// group restriction is applied by Authorize (verify in Authorize).
	AllowedGroups map[string]struct{}

	// Timeouts for the redeem and verifier calls; the unit is not stated here
	// (matches the timeout argument of Redeem/RefreshSession — confirm).
	RedeemTimeout   uint32
	VerifierTimeout uint32
	// StoredSession loads persisted sessions (see middleware.StoredSessionLoader).
	StoredSession   *middleware.StoredSessionLoader
	// contains filtered or unexported fields
}

ProviderData contains information required to configure all implementations of OAuth2 providers

func (*ProviderData) Authorize

func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error)

Authorize performs global authorization on an authenticated session. This is not used for fine-grained per route authorization rules.

func (*ProviderData) Data

func (p *ProviderData) Data() *ProviderData

Data returns the ProviderData

func (*ProviderData) EnrichSession

func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState) error

EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.

func (*ProviderData) GetClientSecret

func (p *ProviderData) GetClientSecret() (clientSecret string, err error)

func (*ProviderData) GetEmailAddress

func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error)

GetEmailAddress returns the Account email address. Deprecated: Migrate to EnrichSession.

func (*ProviderData) GetLoginURL

func (p *ProviderData) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string

GetLoginURL builds the login URL with the typical OAuth parameters. codeChallenge and codeChallengeMethod are the PKCE challenge and method to append to the URL params; they will be empty strings if no code challenge should be presented.

func (*ProviderData) LoginURLParams

func (p *ProviderData) LoginURLParams(overrides url.Values) url.Values

LoginURLParams returns the parameter values that should be passed to the IdP login URL. This is the default set of parameters configured for this provider, optionally overridden by the given overrides (typically from the URL of the /oauth2/start request) according to the configured rules for this provider.

func (*ProviderData) Redeem

func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error

Redeem provides a default implementation of the OAuth2 token redemption process. The codeVerifier is set if a code_verifier parameter should be sent for PKCE.

func (*ProviderData) RefreshSession

func (p *ProviderData) RefreshSession(_ context.Context, _ *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)

RefreshSession refreshes the user's session

func (*ProviderData) ValidateSession

func (p *ProviderData) ValidateSession(ctx context.Context, s *sessions.SessionState) bool

ValidateSession validates the AccessToken
