authn

package
v0.96.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 10, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package authn provides the middleware handler responsible for authenticating requests and adding the Identity to the request context. @todo rename this package to authn (authentication) to distinguish from authz (authorization)

Index

Constants

View Source 
const Header = "x-oidc-id-token"

Variables

This section is empty.

Functions

func Handler 

func Handler(v Verifier, allowedAudiences []string, header string, next http.Handler) http.Handler

Handler returns a handler that verifies the request is authentic and adds a Identity to the request context.

func NewContext 

func NewContext(ctx context.Context, u Identity) context.Context

NewContext returns a new Context that carries value u. Use FromContext to retrieve the value.

func NewVerifier 

func NewVerifier(ctx context.Context, log *slog.Logger, issuer string) (*oidc.IDTokenVerifier, error)

NewVerifier returns an *oidc.IDTokenVerifier that implements Verifier from an oidc.Provider for issuer which performs jwks .well-known discovery.

Types

type Identity 

type Identity interface {
	// Issuer is the oidc issuer url.
	Issuer() string
	// Subject is the unique id of the user within the context of the issuer.
	Subject() string
	// Email address of the user.
	Email() string
	// Verified is true if the email address has been verified by the identity provider.
	Verified() bool
	// Name is usually set on the initial id token, often omitted by google in refreshed id tokens.
	Name() string
	// Groups is the groups claim.
	Groups() []string
	// GivenName is the given name of the user.
	GivenName() string
	// FamilyName is the family name of the user.
	FamilyName() string
	// Picture is an optional avatar image url for the user.
	Picture() string
}

Identity is the interface that defines an authenticated subject (principal, person or service) in the system. The methods correspond to oidc claims for the cli api client using scopes of, "email profile groups offline_access"

The primary use case is Dex connected to Google using the Google connector with a groups reader service account to fetch group membership.

Behavior to keep in mind with Dex v2.37.0 and the `google` connector:

1. There is only one refresh token stored for each user/client pair. 2. Dex does not return the `name` claim in the id token returned from exchanging a refresh token. Google specifies they may omit the name claim. oauth spec says providers may omit the name in refresh responses.

func FromContext 

func FromContext(ctx context.Context) (Identity, error)

FromContext returns the value previously stored in ctx by NewContext or nil.

type Verifier 

type Verifier interface {
	Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error)
}

Verifier is the interface that wraps the basic Verify method to verify an oidc id token is authentic. Intended for use in request handlers.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.