auth

package
v0.2.2 Latest
Published: Sep 16, 2020 License: MIT Imports: 10 Imported by: 4

Documentation

Overview

Package auth provides the authentication properties and functionality a bot needs when talking to the connector service.

TokenValidator authenticates the JWT bearer token carried by an incoming request from the connector service. The remaining types supply the supporting structures: claims and claims identities, and credential providers that hold the bot's app ID and password.

Index

Constants

const (
	// ToChannelFromBotLoginURLPrefix : Login URL prefix
	ToChannelFromBotLoginURLPrefix = "https://login.microsoftonline.com/"

	// ToChannelFromBotTokenEndpointPathTOCHANNELFROMBOTTOKENENDPOINTPATH : Login URL token endpoint path
	ToChannelFromBotTokenEndpointPathTOCHANNELFROMBOTTOKENENDPOINTPATH = "/oauth2/v2.0/token"

	// DefaultChannelAuthTenant : Default tenant from which to obtain a token for bot to channel communication
	DefaultChannelAuthTenant = "botframework.com"

	// ToChannelFromBotOauthScope : OAuth scope to request
	ToChannelFromBotOauthScope = "https://api.botframework.com/.default"

	// ToBotFromChannelTokenIssuer : Token issuer
	ToBotFromChannelTokenIssuer = "https://api.botframework.com"

	// BotOpenIDMetadataKey : Application Setting Key for the OpenIdMetadataURL value.
	BotOpenIDMetadataKey = "BotOpenIdMetadata"

	// ChannelService : Application Setting Key for the ChannelService value.
	ChannelService = "ChannelService"

	// OauthURLKey Application Setting Key for the OAuthURL value.
	OauthURLKey = "OAuthApiEndpoint"

	// EmulateOauthCardsKey : Application Settings Key for whether to emulate OAuthCards when using the emulator.
	EmulateOauthCardsKey = "EmulateOAuthCards"

	// AuthorizedParty "azp" Claim.
	//Authorized party - the party to which the ID Token was issued.
	//This claim follows the general format set forth in the OpenID Spec.
	//    http://openid.net/specs/openid-connect-core-10.html#IDToken
	AuthorizedParty = "azp"

	/*AudienceClaim From RFC 7519.
	      https://tools.ietf.org/html/rfc7519#section-4.1.3
	  The "aud" (audience) claim identifies the recipients that the JWT is
	  intended for.  Each principal intended to process the JWT MUST
	  identify itself with a value in the audience claim.  If the principal
	  processing the claim does not identify itself with a value in the
	  "aud" claim when this claim is present, then the JWT MUST be
	  rejected.  In the general case, the "aud" value is an array of case-
	  sensitive strings, each containing a StringOrURI value.  In the
	  special case when the JWT has one audience, the "aud" value MAY be a
	  single case-sensitive string containing a StringOrURI value.  The
	  interpretation of audience values is generally application specific.
	  Use of this claim is OPTIONAL.
	*/
	AudienceClaim = "aud"

	/*IssuerClaim  From RFC 7519.
	      https://tools.ietf.org/html/rfc7519#section-4.1.1
	  The "iss" (issuer) claim identifies the principal that issued the
	  JWT.  The processing of this claim is generally application specific.
	  The "iss" value is a case-sensitive string containing a StringOrURI
	  value.  Use of this claim is OPTIONAL.
	*/
	IssuerClaim = "iss"

	/*KeyIDHeader From RFC 7515
	      https://tools.ietf.org/html/rfc7515#section-4.1.4
	  The "kid" (key ID) Header Parameter is a hint indicating which key
	  was used to secure the JWS. This parameter allows originators to
	  explicitly signal a change of key to recipients. The structure of
	  the "kid" value is unspecified. Its value MUST be a case-sensitive
	  string. Use of this Header Parameter is OPTIONAL.
	  When used with a JWK, the "kid" value is used to match a JWK "kid"
	  parameter value.
	*/
	KeyIDHeader = "kid"

	// VersionClaim Token version claim name. As used in Microsoft AAD tokens.
	VersionClaim = "ver"

	// AppIDClaim App ID claim name. As used in Microsoft AAD 1.0 tokens.
	AppIDClaim = "appid"

	// ServiceURLClaim Service URL claim name. As used in Microsoft Bot Framework v3.1 auth.
	ServiceURLClaim = "serviceurl"
)

Variables

var (
	// ToChannelFromBotLoginURL : Login URL
	//
	//DEPRECATED: DO NOT USE
	ToChannelFromBotLoginURL = []string{
		"https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token",
	}

	// ToBotFromChannelOpenIDMetadataURL : OpenID metadata document for tokens coming from MSA
	ToBotFromChannelOpenIDMetadataURL = []string{
		"https://login.botframework.com/v1/.well-known/openidconfiguration",
	}

	// ToBotFromEnterpriseChannelOpenIDMetadataURLFormat : OpenID metadata document for tokens coming from an enterprise channel; {channelService} is replaced by the ChannelService setting
	ToBotFromEnterpriseChannelOpenIDMetadataURLFormat = []string{
		"https://{channelService}.enterprisechannel.botframework.com",
		"/v1/.well-known/openidconfiguration",
	}

	// ToBotFromEmulatorOpenIDMetadataURL : OpenID metadata document for tokens coming from the Bot Framework Emulator
	ToBotFromEmulatorOpenIDMetadataURL = []string{
		"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
	}

	// AllowedSigningAlgorithms : Tokens come from channels to the bot. The code
	//that uses this also supports tokens coming from the emulator.
	AllowedSigningAlgorithms = []string{"RS256", "RS384", "RS512"}
)
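The ToChannelFromBot constants and the deprecated ToChannelFromBotLoginURL above describe the client_credentials exchange a bot performs to obtain a token for the connector service. The example below is added here and is not code from this package: it runs that exchange against a constructed httptest stand-in for login.microsoftonline.com so it works offline. fetchChannelToken, tokenEndpoint, newFakeTokenServer and the returned token string are this example's own names and values, and tokenResponse decodes only a subset of the fields the real endpoint returns.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constants from the auth package, repeated so the example runs stand-alone.
const (
	ToChannelFromBotLoginURLPrefix                                     = "https://login.microsoftonline.com/"
	ToChannelFromBotTokenEndpointPathTOCHANNELFROMBOTTOKENENDPOINTPATH = "/oauth2/v2.0/token"
	DefaultChannelAuthTenant                                           = "botframework.com"
	ToChannelFromBotOauthScope                                         = "https://api.botframework.com/.default"
)

// tokenResponse is the subset of the token endpoint's JSON reply used here.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int64  `json:"expires_in"`
	Error       string `json:"error"`
}

// tokenEndpoint assembles the per-tenant v2.0 token URL from the package constants.
func tokenEndpoint(loginPrefix, tenant string) string {
	return strings.TrimSuffix(loginPrefix, "/") + "/" + tenant + ToChannelFromBotTokenEndpointPathTOCHANNELFROMBOTTOKENENDPOINTPATH
}

// fetchChannelToken runs the client_credentials grant a bot performs before calling the
// connector: app ID and password in the form body, scope fixed to the Bot Framework API's .default scope.
func fetchChannelToken(ctx context.Context, client *http.Client, endpoint, appID, appPassword string) (tokenResponse, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {appID},
		"client_secret": {appPassword},
		"scope":         {ToChannelFromBotOauthScope},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return tokenResponse{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return tokenResponse{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what the upstream can make us buffer
	if err != nil {
		return tokenResponse{}, err
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return tokenResponse{}, fmt.Errorf("decoding token response: %w", err)
	}
	if resp.StatusCode != http.StatusOK || tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return tokenResponse{}, fmt.Errorf("token request failed: status %d, error %q", resp.StatusCode, tr.Error)
	}
	return tr, nil
}

// newFakeTokenServer is a constructed stand-in for login.microsoftonline.com: same request shape, made-up token.
func newFakeTokenServer(appID, appPassword string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reply := func(status int, tr tokenResponse) {
			w.WriteHeader(status)
			json.NewEncoder(w).Encode(tr)
		}
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			reply(http.StatusBadRequest, tokenResponse{Error: "invalid_request"})
			return
		}
		if r.PostForm.Get("grant_type") != "client_credentials" || r.PostForm.Get("scope") != ToChannelFromBotOauthScope {
			reply(http.StatusBadRequest, tokenResponse{Error: "invalid_scope"})
			return
		}
		if r.PostForm.Get("client_id") != appID || r.PostForm.Get("client_secret") != appPassword {
			reply(http.StatusUnauthorized, tokenResponse{Error: "invalid_client"})
			return
		}
		reply(http.StatusOK, tokenResponse{AccessToken: "constructed.access.token", TokenType: "Bearer", ExpiresIn: 3599})
	}))
}

func main() {
	srv := newFakeTokenServer("app-id", "app-password")
	defer srv.Close()
	fmt.Println("live endpoint would be:", tokenEndpoint(ToChannelFromBotLoginURLPrefix, DefaultChannelAuthTenant))
	endpoint := tokenEndpoint(srv.URL, DefaultChannelAuthTenant)
	tr, err := fetchChannelToken(context.Background(), srv.Client(), endpoint, "app-id", "app-password")
	fmt.Println("good credentials:", tr.AccessToken, err)
	_, err = fetchChannelToken(context.Background(), srv.Client(), endpoint, "app-id", "wrong-password")
	fmt.Println("bad credentials:", err)
}
```

tokenEndpoint(ToChannelFromBotLoginURLPrefix, DefaultChannelAuthTenant) yields exactly the URL listed in the deprecated ToChannelFromBotLoginURL variable, which is why composing it from prefix, tenant and path is the supported route: the tenant can then be swapped without touching a hard-coded string. The client treats a 200 without a bearer access_token as a failure, not just a non-200 status.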

Functions

This section is empty.

Types

type Claim

type Claim interface{}

Claim represents a claim in a JWT token.

func NewClaim

func NewClaim(tpe, val string) Claim

NewClaim constructs and returns a new Claim value with the given type and value.

type ClaimsIdentity

type ClaimsIdentity interface {
	GetClaimValue(string) string
	IsAuthenticated() bool
}

ClaimsIdentity is the interface to process claims in a JWT token.

func NewClaimIdentity

func NewClaimIdentity(claims map[string]interface{}, isAuth bool) ClaimsIdentity

NewClaimIdentity creates and returns a new ClaimsIdentity value.

type CredentialProvider

type CredentialProvider interface {
	IsValidAppID(appID string) bool
	GetAppPassword() string
	GetAppID() string
	IsAuthenticationDisabled() bool
}

CredentialProvider supplies the bot's credentials (app ID and password) together with the two checks the validator needs: whether a given app ID is acceptable and whether authentication is disabled altogether.

type DefaultClaim

type DefaultClaim struct {
	Type  string
	Value string
}

DefaultClaim is the default implementation of Claim.

type DefaultClaimIdentity

type DefaultClaimIdentity struct {
	// contains filtered or unexported fields
}

DefaultClaimIdentity implements ClaimsIdentity to create and process Claim values.

func (DefaultClaimIdentity) GetClaimValue

func (ci DefaultClaimIdentity) GetClaimValue(cType string) string

GetClaimValue returns the value of the claim whose type is cType.

func (DefaultClaimIdentity) IsAuthenticated

func (ci DefaultClaimIdentity) IsAuthenticated() bool

IsAuthenticated reports whether the identity was authenticated.

type JwtTokenValidator

type JwtTokenValidator struct {
	cache.AuthCache
}

JwtTokenValidator is the default implementation of TokenValidator.

func (*JwtTokenValidator) AuthenticateRequest

func (jv *JwtTokenValidator) AuthenticateRequest(ctx context.Context, activity schema.Activity, authHeader string, credentials CredentialProvider, channelService string) (ClaimsIdentity, error)

AuthenticateRequest authenticates a request received from the connector service.

The bearer token in authHeader is checked for the expected issuer, an audience matching the bot's app ID, a serviceurl claim matching the activity's service URL, and an unexpired expiry; its signature is verified against the public JWK published by the Bot Framework OpenID metadata endpoint, fetched through the embedded AuthCache. Tokens signed with an algorithm outside AllowedSigningAlgorithms are rejected.
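What those checks look like in code, as an added example rather than the package's own implementation: a minimal RS256/RS384/RS512 JWT verifier over Go's standard library, in the order a validator should use them (alg allow-list, kid lookup, signature, and only then claims). The channel side is simulated with a locally generated RSA key, and the JWK set is a constructed in-memory map standing in for the keys AuthenticateRequest fetches and caches. signToken, verifyToken, botClaims and the service URL are names chosen for this example; claims are compared exactly, and the real service's comparison rules (for instance serviceurl case) are not asserted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 for crypto.SHA256.New
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const ToBotFromChannelTokenIssuer = "https://api.botframework.com" // mirrored from the auth package

// The package's AllowedSigningAlgorithms keyed to the digest each one uses;
// anything else ("none", HS256, ...) has no entry and is rejected outright.
var allowedSigningAlgorithms = map[string]crypto.Hash{
	"RS256": crypto.SHA256, "RS384": crypto.SHA384, "RS512": crypto.SHA512,
}

type botClaims struct {
	Iss        string `json:"iss"`
	Aud        string `json:"aud"`
	ServiceURL string `json:"serviceurl"`
	Exp        int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signToken plays the channel: it issues a JWT under the channel's RSA key.
func signToken(key *rsa.PrivateKey, kid, alg string, c botClaims) (string, error) {
	hash, ok := allowedSigningAlgorithms[alg]
	if !ok {
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	h := hash.New()
	h.Write([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, hash, h.Sum(nil))
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyToken plays the bot. Order matters: alg allow-list and signature first, claims only once the payload is authentic.
func verifyToken(token string, jwks map[string]*rsa.PublicKey, appID, serviceURL string, now time.Time) (botClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return botClaims{}, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return botClaims{}, fmt.Errorf("bad header")
	}
	hash, ok := allowedSigningAlgorithms[hdr.Alg]
	if !ok {
		return botClaims{}, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	pub, ok := jwks[hdr.Kid] // kid selects the key from the (cached) JWK set
	if !ok {
		return botClaims{}, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	h := hash.New()
	h.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, hash, h.Sum(nil), sig) != nil {
		return botClaims{}, fmt.Errorf("signature verification failed")
	}
	var c botClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return botClaims{}, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != ToBotFromChannelTokenIssuer:
		return botClaims{}, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != appID:
		return botClaims{}, fmt.Errorf("aud is not this bot's app ID")
	case c.ServiceURL != serviceURL:
		return botClaims{}, fmt.Errorf("serviceurl claim does not match the activity's service URL")
	case !now.Before(time.Unix(c.Exp, 0)):
		return botClaims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := map[string]*rsa.PublicKey{"kid-1": &key.PublicKey} // constructed stand-in for the fetched JWK set
	tok, _ := signToken(key, "kid-1", "RS256", botClaims{Iss: ToBotFromChannelTokenIssuer, Aud: "app-id", ServiceURL: "https://smba.example.invalid/", Exp: time.Now().Add(5 * time.Minute).Unix()})
	_, err := verifyToken(tok, jwks, "other-app", "https://smba.example.invalid/", time.Now())
	fmt.Println("token issued for another app:", err) // rejected on the aud check
}
```

The alg check runs before any key is touched, so a header carrying alg "none" or an HMAC algorithm never reaches the signature step, and the payload is decoded only after the signature over it has verified. An audience mismatch is what stops a token legitimately issued to some other bot from being replayed against this one; the serviceurl check is what stops a token minted for one channel endpoint from being replayed with a different ServiceUrl in the activity.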

type SimpleCredentialProvider

type SimpleCredentialProvider struct {
	AppID    string
	Password string
}

SimpleCredentialProvider can be used for authentication to the connector service using AppID and Password.

func (SimpleCredentialProvider) GetAppID

func (sp SimpleCredentialProvider) GetAppID() string

GetAppID returns the AppID of the credential.

func (SimpleCredentialProvider) GetAppPassword

func (sp SimpleCredentialProvider) GetAppPassword() string

GetAppPassword returns the Password of the credential.

func (SimpleCredentialProvider) IsAuthenticationDisabled

func (sp SimpleCredentialProvider) IsAuthenticationDisabled() bool

IsAuthenticationDisabled reports whether request authentication is to be skipped entirely.

func (SimpleCredentialProvider) IsValidAppID

func (sp SimpleCredentialProvider) IsValidAppID(appID string) bool

IsValidAppID reports whether appID matches the provider's AppID.

type TokenValidator

type TokenValidator interface {
	AuthenticateRequest(ctx context.Context, activity schema.Activity, authHeader string, credentials CredentialProvider, channelService string) (ClaimsIdentity, error)
}

TokenValidator provides the functionality to authenticate a request from the connector service.

func NewJwtTokenValidator

func NewJwtTokenValidator() TokenValidator

NewJwtTokenValidator returns a new TokenValidator value with an empty key cache.
