Documentation ¶
Index ¶
- Constants
- Variables
- func NewVerifierFromConfig(providerConfig options.Provider, p *ProviderData, client wrapper.HttpClient) error
- type AliyunProvider
- type OIDCProvider
- func (p *OIDCProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error
- func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string
- func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, ...) error
- func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, ...) (bool, error)
- func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
- type Provider
- type ProviderData
- func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error)
- func (p *ProviderData) Data() *ProviderData
- func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState) error
- func (p *ProviderData) GetClientSecret() (clientSecret string, err error)
- func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error)
- func (p *ProviderData) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string
- func (p *ProviderData) LoginURLParams(overrides url.Values) url.Values
- func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, ...) error
- func (p *ProviderData) RefreshSession(_ context.Context, _ *sessions.SessionState, client wrapper.HttpClient, ...) (bool, error)
- func (p *ProviderData) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
Constants ¶
const (
	CodeChallengeMethodPlain = "plain"
	CodeChallengeMethodS256  = "S256"
)
const (
TokenTypeBearer = "Bearer"
)
Variables ¶
var (
	// ErrNotImplemented is returned when a provider did not override a default
	// implementation method that doesn't have sensible defaults
	ErrNotImplemented = errors.New("not implemented")

	// ErrMissingCode is returned when a Redeem method is called with an empty
	// code
	ErrMissingCode = errors.New("missing code")

	// ErrMissingIDToken is returned when an oidc.Token does not contain the
	// extra `id_token` field for an IDToken.
	ErrMissingIDToken = errors.New("missing id_token")

	// ErrMissingOIDCVerifier is returned when a provider didn't set `Verifier`
	// but an attempt to call `Verifier.Verify` was about to be made.
	ErrMissingOIDCVerifier = errors.New("oidc verifier is not configured")
)
Functions ¶
func NewVerifierFromConfig ¶
func NewVerifierFromConfig(providerConfig options.Provider, p *ProviderData, client wrapper.HttpClient) error
Types ¶
type AliyunProvider ¶
type AliyunProvider struct {
*ProviderData
}
func NewAliyunProvider ¶
func NewAliyunProvider(p *ProviderData) *AliyunProvider
func (*AliyunProvider) Redeem ¶
func (p *AliyunProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error
func (*AliyunProvider) RefreshSession ¶
func (p *AliyunProvider) RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)
type OIDCProvider ¶
type OIDCProvider struct {
	*ProviderData
	SkipNonce bool
}
OIDCProvider represents an OIDC-based Identity Provider.
func NewOIDCProvider ¶
func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider
NewOIDCProvider creates a new OIDCProvider.
func (*OIDCProvider) EnrichSession ¶
func (p *OIDCProvider) EnrichSession(_ context.Context, s *sessions.SessionState) error
EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.
func (*OIDCProvider) GetLoginURL ¶
func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string
GetLoginURL builds the LoginURL, with optional nonce support.
func (*OIDCProvider) Redeem ¶
func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error
Redeem exchanges the OAuth2 authorization code for an ID token.
func (*OIDCProvider) RefreshSession ¶
func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)
RefreshSession uses the RefreshToken to fetch new Access and ID Tokens.
func (*OIDCProvider) ValidateSession ¶
func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession checks that the session's IDToken is still valid.
type Provider ¶
type Provider interface {
	Data() *ProviderData
	GetLoginURL(redirectURI, finalRedirect, nonce string, extraParams url.Values) string
	Redeem(ctx context.Context, redirectURI, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error
	// Deprecated: Migrate to EnrichSession
	GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
	EnrichSession(ctx context.Context, s *sessions.SessionState) error
	Authorize(ctx context.Context, s *sessions.SessionState) (bool, error)
	ValidateSession(ctx context.Context, s *sessions.SessionState) bool
	RefreshSession(ctx context.Context, s *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)
}
Provider represents an upstream identity provider implementation.
type ProviderData ¶
type ProviderData struct {
	ProviderName string
	LoginURL     *url.URL
	RedeemURL    *url.URL
	ProfileURL   *url.URL
	ValidateURL  *url.URL
	ClientID     string
	ClientSecret string
	Scope        string

	// The picked CodeChallenge Method or empty if none.
	CodeChallengeMethod string
	// Code challenge methods supported by the Provider
	SupportedCodeChallengeMethods []string `json:"code_challenge_methods_supported,omitempty"`

	// Common OIDC options for any OIDC-based providers to consume
	UserClaim                string
	EmailClaim               string
	GroupsClaim              string
	Verifier                 internaloidc.IDTokenVerifier
	NeedsVerifier            bool
	SkipClaimsFromProfileURL bool

	// Universal Group authorization data structure
	// any provider can set to consume
	AllowedGroups map[string]struct{}

	RedeemTimeout   uint32
	VerifierTimeout uint32

	StoredSession *middleware.StoredSessionLoader
	// contains filtered or unexported fields
}
ProviderData contains the information required to configure all implementations of OAuth2 providers.
func (*ProviderData) Authorize ¶
func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error)
Authorize performs global authorization on an authenticated session. This is not used for fine-grained per route authorization rules.
func (*ProviderData) Data ¶
func (p *ProviderData) Data() *ProviderData
Data returns the ProviderData.
func (*ProviderData) EnrichSession ¶
func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState) error
EnrichSession is called after Redeem to allow providers to enrich session fields such as User, Email, Groups with provider specific API calls.
func (*ProviderData) GetClientSecret ¶
func (p *ProviderData) GetClientSecret() (clientSecret string, err error)
func (*ProviderData) GetEmailAddress ¶
func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error)
GetEmailAddress returns the Account email address.

Deprecated: Migrate to EnrichSession.
func (*ProviderData) GetLoginURL ¶
func (p *ProviderData) GetLoginURL(redirectURI, state, _ string, extraParams url.Values) string
GetLoginURL builds the login URL with the typical OAuth parameters. codeChallenge and codeChallengeMethod are the PKCE challenge and method to append to the URL params; they will be empty strings if no code challenge should be presented.
func (*ProviderData) LoginURLParams ¶
func (p *ProviderData) LoginURLParams(overrides url.Values) url.Values
LoginURLParams returns the parameter values that should be passed to the IdP login URL. This is the default set of parameters configured for this provider, optionally overridden by the given overrides (typically from the URL of the /oauth2/start request) according to the configured rules for this provider.
func (*ProviderData) Redeem ¶
func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code, codeVerifier string, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) error
Redeem provides a default implementation of the OAuth2 token redemption process. The codeVerifier is set if a code_verifier parameter should be sent for PKCE.
func (*ProviderData) RefreshSession ¶
func (p *ProviderData) RefreshSession(_ context.Context, _ *sessions.SessionState, client wrapper.HttpClient, callback func(args ...interface{}), timeout uint32) (bool, error)
RefreshSession refreshes the user's session.
func (*ProviderData) ValidateSession ¶
func (p *ProviderData) ValidateSession(ctx context.Context, s *sessions.SessionState) bool
ValidateSession validates the session's AccessToken.