Package auth provides authentication and authorization capability
- Constants
- Variables
- func ContextWithAccount(ctx context.Context, account *Account) context.Context
- func Grant(rule *Rule) error
- func Revoke(rule *Rule) error
- func Verify(acc *Account, res *Resource, opts ...VerifyOption) error
- type Access
- type Account
- type Auth
- type AuthToken
- type GenerateOption
- func WithIssuer(i string) GenerateOption
- func WithMetadata(md map[string]string) GenerateOption
- func WithName(n string) GenerateOption
- func WithProvider(p string) GenerateOption
- func WithScopes(s ...string) GenerateOption
- func WithSecret(s string) GenerateOption
- func WithType(t string) GenerateOption
- type GenerateOptions
- type Option
- func Addrs(addrs ...string) Option
- func Client(c client.Client) Option
- func ClientToken(token *AuthToken) Option
- func Credentials(id, secret string) Option
- func Issuer(i string) Option
- func LoginURL(url string) Option
- func PrivateKey(key string) Option
- func PublicKey(key string) Option
- func Store(s store.Store) Option
- type Options
- type Resource
- type Rule
- type RulesOption
- type RulesOptions
- type TokenOption
- type TokenOptions
- type VerifyOption
- type VerifyOptions
Constants ¶
// Transport names used when carrying a token, plus the two special scope
// values that rules understand.
const (
	// BearerScheme used for Authorization header. Note the trailing space:
	// the value is meant to be prefixed directly to the token.
	BearerScheme = "Bearer "
	// TokenCookieName is the name of the cookie which stores the auth token
	TokenCookieName = "micro-token"
	// ScopePublic is the scope applied to a rule to allow access to the public.
	// It is the empty string, i.e. the zero value of Rule.Scope, so a Rule whose
	// Scope is left unset is a public rule rather than a restrictive one.
	ScopePublic = ""
	// ScopeAccount is the scope applied to a rule to limit to users with any valid account
	ScopeAccount = "*"
)
Variables ¶
// Sentinel errors shared by Auth implementations; intended to be matched
// with errors.Is rather than by string comparison.
var (
	// ErrInvalidToken is when the token provided is not valid
	ErrInvalidToken = errors.New("invalid token provided")
	// ErrForbidden is when a user does not have the necessary scope to access a resource
	ErrForbidden = errors.New("resource forbidden")
)
var (
	// DefaultAuth is the package-level Auth instance, constructed by NewAuth.
	// NOTE(review): presumably this backs the top-level helpers (Grant,
	// Revoke, Verify, Token, Rules) — confirm against their implementations.
	DefaultAuth = NewAuth()
)
Functions ¶
func ContextWithAccount ¶
ContextWithAccount sets the account in the context
Types ¶
type Account ¶
// Account is the identity returned by an auth provider.
type Account struct {
	// ID of the account e.g. UUID. Should not change
	ID string `json:"id"`
	// Type of the account, e.g. service
	Type string `json:"type"`
	// Issuer of the account
	Issuer string `json:"issuer"`
	// Any other associated metadata
	Metadata map[string]string `json:"metadata"`
	// Scopes the account has access to
	Scopes []string `json:"scopes"`
	// Secret for the account, e.g. the password. It carries a json tag, so
	// marshalling an Account (for a log line, a response body, a cache entry)
	// includes the secret; clear or omit it before the account leaves a
	// trust boundary.
	Secret string `json:"secret"`
	// Name of the account. User friendly name that might change e.g. a username or email
	Name string `json:"name"`
}
Account provided by an auth provider
func AccountFromContext ¶
AccountFromContext gets the account from the context, which is set by the auth wrapper at the start of a call. If the account is not set, a nil account will be returned. The error is only returned when there was a problem retrieving an account
type Auth ¶
// Auth provides authentication (who is calling) and authorization
// (what the caller may access).
type Auth interface {
	// Init the auth
	Init(opts ...Option)
	// Options set for auth
	Options() Options
	// Generate a new account
	Generate(id string, opts ...GenerateOption) (*Account, error)
	// Verify an account has access to a resource using the rules
	Verify(acc *Account, res *Resource, opts ...VerifyOption) error
	// Inspect a token and return the account it represents
	Inspect(token string) (*Account, error)
	// Token generated using refresh token or credentials
	Token(opts ...TokenOption) (*AuthToken, error)
	// Grant access to a resource
	Grant(rule *Rule) error
	// Revoke access to a resource
	Revoke(rule *Rule) error
	// Rules returns all the rules used to verify requests
	Rules(...RulesOption) ([]*Rule, error)
	// String returns the name of the implementation
	String() string
}
Auth provides authentication and authorization
type AuthToken ¶
// AuthToken is a token pair; the access token may be short- or long-lived.
type AuthToken struct {
	// The token to be used for accessing resources
	AccessToken string `json:"access_token"`
	// RefreshToken to be used to generate a new token
	RefreshToken string `json:"refresh_token"`
	// Time of token creation
	Created time.Time `json:"created"`
	// Time of token expiry; a token past this instant should not be used
	Expiry time.Time `json:"expiry"`
}
AuthToken can be short- or long-lived
func Token ¶
func Token(opts ...TokenOption) (*AuthToken, error)
Token generated using refresh token or credentials
type GenerateOption ¶
// GenerateOption mutates GenerateOptions; see the With* constructors
// (WithIssuer, WithMetadata, WithName, WithProvider, WithScopes, WithSecret, WithType).
type GenerateOption func(o *GenerateOptions)
func WithMetadata ¶
func WithMetadata(md map[string]string) GenerateOption
WithMetadata for the generated account
func WithProvider ¶
func WithProvider(p string) GenerateOption
WithProvider for the generated account
type GenerateOptions ¶
// GenerateOptions holds the settings applied when generating an account.
type GenerateOptions struct {
	// Metadata associated with the account
	Metadata map[string]string
	// Scopes the account has access to
	Scopes []string
	// Provider of the account, e.g. oauth
	Provider string
	// Type of the account, e.g. user
	Type string
	// Secret used to authenticate the account
	Secret string
	// Issuer of the account, e.g. micro
	Issuer string
	// Name of the account e.g. an email or username
	Name string
}
func NewGenerateOptions ¶
func NewGenerateOptions(opts ...GenerateOption) GenerateOptions
NewGenerateOptions from a slice of options
type Option ¶
// Option mutates Options; see Addrs, Client, ClientToken, Credentials,
// Issuer, LoginURL, PrivateKey, PublicKey and Store.
type Option func(o *Options)
func ClientToken ¶
ClientToken sets the auth token to use when making requests
type Options ¶
// Options configures an Auth implementation.
type Options struct {
	// Issuer of the service's account
	Issuer string
	// ID is the services auth ID
	ID string
	// Secret is used to authenticate the service
	Secret string
	// Token is the services token used to authenticate itself
	Token *AuthToken
	// PublicKey for decoding JWTs.
	// NOTE(review): whether this key is used to verify signatures or only to
	// decode claims is not visible here — confirm against the implementation.
	PublicKey string
	// PrivateKey for encoding JWTs. This is signing material and is expected
	// to stay out of logs and serialized output.
	PrivateKey string
	// LoginURL is the relative url path where a user can login
	LoginURL string
	// Store to back auth
	Store store.Store
	// Client to use for RPC
	Client client.Client
	// Addrs sets the addresses of auth
	Addrs []string
	// Context to store other options
	Context context.Context
}
func NewOptions ¶
type Resource ¶
// Resource identifies what a rule applies to.
type Resource struct {
	// Name of the resource, e.g. go.micro.service.notes
	Name string `json:"name"`
	// Type of resource, e.g. service
	Type string `json:"type"`
	// Endpoint resource e.g NotesService.Create
	Endpoint string `json:"endpoint"`
}
Resource is an entity such as a user or
type Rule ¶
// Rule is used to verify access to a resource.
type Rule struct {
	// ID of the rule, e.g. "public"
	ID string
	// Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
	// applies to any valid account. Because the blank scope is the zero value, a Rule constructed
	// without setting Scope is public; set it explicitly when the rule is meant to be restrictive.
	Scope string
	// Resource the rule applies to
	Resource *Resource
	// Access determines if the rule grants or denies access to the resource
	Access Access
	// Priority the rule should take when verifying a request, the higher the value the sooner the
	// rule will be applied
	Priority int32
}
Rule is used to verify access to a resource
func Rules ¶
func Rules(...RulesOption) ([]*Rule, error)
Rules returns all the rules used to verify requests
type RulesOption ¶
// RulesOption mutates RulesOptions; see RulesContext and RulesNamespace.
type RulesOption func(o *RulesOptions)
func RulesContext ¶
func RulesContext(ctx context.Context) RulesOption
func RulesNamespace ¶
func RulesNamespace(ns string) RulesOption
type RulesOptions ¶
type TokenOption ¶
// TokenOption mutates TokenOptions; see WithCredentials, WithToken and WithTokenIssuer.
type TokenOption func(o *TokenOptions)
func WithCredentials ¶
func WithCredentials(id, secret string) TokenOption
func WithToken ¶
func WithToken(rt string) TokenOption
func WithTokenIssuer ¶
func WithTokenIssuer(iss string) TokenOption
type TokenOptions ¶
// TokenOptions holds the inputs used to obtain an AuthToken, either from
// credentials (ID and Secret) or from a RefreshToken.
type TokenOptions struct {
	// ID for the account
	ID string
	// Secret for the account
	Secret string
	// RefreshToken is used to refresh a token
	RefreshToken string
	// Expiry is the time the token should live for
	Expiry time.Duration
	// Issuer of the account
	Issuer string
}
func NewTokenOptions ¶
func NewTokenOptions(opts ...TokenOption) TokenOptions
NewTokenOptions from a slice of options
type VerifyOption ¶
// VerifyOption mutates VerifyOptions; see VerifyContext and VerifyNamespace.
type VerifyOption func(o *VerifyOptions)
func VerifyContext ¶
func VerifyContext(ctx context.Context) VerifyOption
func VerifyNamespace ¶
func VerifyNamespace(ns string) VerifyOption