Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type OIDCIssuer ¶
// OIDCIssuer exposes methods for getting OIDC tokens.
type OIDCIssuer interface {
	// AuthCodeURL returns a URL to OpenID provider's consent page
	// that asks for permissions for the required scopes explicitly.
	//
	// state is a token to protect the user from CSRF attacks. You must
	// always provide a non-zero string and validate that it matches the
	// state query parameter on your redirect callback.
	// See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
	//
	// offlineAsScope is not described by the original comment; it presumably
	// controls how offline (refresh) access is requested from the provider —
	// confirm against the implementation.
	AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string
	// Exchange converts an authorization code into a token.
	//
	// The IDToken inside the returned OIDCToken has not been verified yet;
	// pass it through TokenVerifier.Verify before trusting any of its claims.
	Exchange(ctx context.Context, code string) (OIDCToken, error)
}
type OIDCIssuerVerifier ¶
// OIDCIssuerVerifier combines OIDCIssuer and TokenVerifier: an implementation
// can both obtain tokens from the provider and verify them.
type OIDCIssuerVerifier interface {
	OIDCIssuer
	TokenVerifier
}
type OIDCToken ¶
// OIDCToken represents the credentials used to authorize the requests to
// access protected resources on the OAuth 2.0 provider's backend.
type OIDCToken struct {
	// AccessToken is the token that authorizes and authenticates
	// the requests.
	AccessToken string
	// RefreshToken is a token that's used by the application
	// (as opposed to the user) to refresh the access token
	// if it expires.
	RefreshToken string
	// Expiry is the optional expiration time of the access token.
	//
	// If zero, TokenSource implementations will reuse the same
	// token forever and RefreshToken or equivalent
	// mechanisms for that TokenSource will not be used.
	Expiry time.Time
	// IDToken is the token that contains claims about the authenticated user.
	//
	// Use TokenVerifier.Verify to verify the token and extract its claims;
	// the claims must not be read or trusted without that verification.
	IDToken string
}
type OpenIDClient ¶
// OpenIDClient implements OIDCIssuerVerifier and TokenExtractorVerifier.
type OpenIDClient struct {
	// contains filtered or unexported fields
}
func NewOpenIDClient ¶
func NewOpenIDClient(issuer, clientID, clientSecret, redirectURI string, extractor TokenExtractor, insecureSkipVerify bool, rootCertificates *x509.CertPool) (*OpenIDClient, error)
NewOpenIDClient returns an authentication middleware which authenticates against an OpenID server. If rootCertificates is nil, the host's root CAs will be used. insecureSkipVerify is not described here; its name suggests it disables TLS certificate verification of the connection to the issuer — confirm this in the implementation before enabling it.
func (*OpenIDClient) AuthCodeURL ¶
func (o *OpenIDClient) AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string
AuthCodeURL returns a URL to OpenID provider's consent page that asks for permissions for the required scopes explicitly.
State is a token to protect the user from CSRF attacks. You must always provide a non-zero string and validate that it matches the state query parameter on your redirect callback. See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
func (*OpenIDClient) Extract ¶
func (o *OpenIDClient) Extract(rq *http.Request) (string, error)
Extract extracts the ID token from the request.
func (*OpenIDClient) Verify ¶
func (o *OpenIDClient) Verify(ctx context.Context, token string) (TokenClaims, error)
Verify parses a raw ID Token, verifies that it has been signed by the provider, performs any additional checks depending on the Config, and returns the payload as TokenClaims.
type ServiceAccountAuthClient ¶
// ServiceAccountAuthClient implements the TokenExtractorVerifier interface.
type ServiceAccountAuthClient struct {
	// contains filtered or unexported fields
}
func NewServiceAccountAuthClient ¶
func NewServiceAccountAuthClient(headerBearerTokenExtractor TokenExtractor, jwtTokenAuthenticator serviceaccount.TokenAuthenticator, saTokenProvider provider.PrivilegedServiceAccountTokenProvider) *ServiceAccountAuthClient
NewServiceAccountAuthClient returns a client that knows how to read and verify service account's tokens
func (*ServiceAccountAuthClient) Extract ¶
func (s *ServiceAccountAuthClient) Extract(rq *http.Request) (string, error)
Extract extracts the ID token from the request.
func (*ServiceAccountAuthClient) Verify ¶
func (s *ServiceAccountAuthClient) Verify(ctx context.Context, token string) (TokenClaims, error)
Verify parses a raw ID Token, verifies that it has been signed by the provider, performs any additional checks depending on the Config, and returns the payload as TokenClaims.
type TokenClaims ¶
// TokenClaims holds various claims extracted from the id_token.
type TokenClaims struct {
	// Name is the name claim of the user.
	Name string
	// Email is the email claim of the user.
	Email string
	// Subject is the subject claim of the user.
	Subject string
	// Groups holds the group claims the user belongs to.
	Groups []string
	// Expiry is the expiration time claim of the token.
	// NOTE(review): whether Verify rejects expired tokens is not visible
	// here — confirm before relying on callers to check Expiry themselves.
	Expiry apiv1.Time
}
type TokenExtractor ¶
// TokenExtractor is an interface that knows how to extract a token
// from an HTTP request.
type TokenExtractor interface {
	// Extract gets a token from the given HTTP request.
	// It returns an error when no token could be extracted.
	Extract(r *http.Request) (string, error)
}
func NewCombinedExtractor ¶
func NewCombinedExtractor(extractors ...TokenExtractor) TokenExtractor
NewCombinedExtractor returns a token extractor which tries the given token extractors one after another until one of them finds a token.
func NewCookieHeaderBearerTokenExtractor ¶
func NewCookieHeaderBearerTokenExtractor(header string) TokenExtractor
func NewHeaderBearerTokenExtractor ¶
func NewHeaderBearerTokenExtractor(header string) TokenExtractor
NewHeaderBearerTokenExtractor returns a token extractor which extracts the token from the given header
func NewQueryParamBearerTokenExtractor ¶
func NewQueryParamBearerTokenExtractor(header string) TokenExtractor
NewQueryParamBearerTokenExtractor returns a token extractor which extracts the token from the given query parameter (the header argument names that query parameter). Tokens carried in the query string can end up in access logs and Referer headers, so prefer a header or cookie extractor where the client allows it.
type TokenExtractorPlugins ¶
// TokenExtractorPlugins implements TokenExtractor by calling registered
// plugins for a token extraction.
type TokenExtractorPlugins struct {
	// contains filtered or unexported fields
}
func NewTokenExtractorPlugins ¶
func NewTokenExtractorPlugins(plugins []TokenExtractor) *TokenExtractorPlugins
NewTokenExtractorPlugins creates a new instance of TokenExtractorPlugins with the given plugins
func (*TokenExtractorPlugins) Extract ¶
func (p *TokenExtractorPlugins) Extract(r *http.Request) (string, error)
Extract calls the registered plugins in turn to get a token from the given request. It stops at the first plugin that returns a token and does not try the remaining ones. If no plugin returns a token, an error is returned.
type TokenExtractorVerifier ¶
// TokenExtractorVerifier combines the TokenVerifier and TokenExtractor
// interfaces: an implementation can both pull a token out of a request
// and verify it.
type TokenExtractorVerifier interface {
	TokenVerifier
	TokenExtractor
}
type TokenVerifier ¶
// TokenVerifier knows how to verify a token.
type TokenVerifier interface {
	// Verify parses a raw ID Token, verifies it's been signed by the provider, performs
	// any additional checks depending on the Config, and returns the payload as TokenClaims.
	// When Verify returns an error the returned TokenClaims must not be used.
	Verify(ctx context.Context, token string) (TokenClaims, error)
}
type TokenVerifierPlugins ¶
// TokenVerifierPlugins implements the TokenVerifier interface by calling
// registered plugins for a token verification.
type TokenVerifierPlugins struct {
	// contains filtered or unexported fields
}
func NewTokenVerifierPlugins ¶
func NewTokenVerifierPlugins(plugins []TokenVerifier) *TokenVerifierPlugins
NewTokenVerifierPlugins creates a new instance of TokenVerifierPlugins with the given plugins
func (*TokenVerifierPlugins) Verify ¶
func (p *TokenVerifierPlugins) Verify(ctx context.Context, token string) (TokenClaims, error)
Verify calls the registered plugins in turn to check the given token. It stops at the first plugin that validates the token and does not try the remaining ones, so a token is accepted as soon as any single registered verifier accepts it. If no plugin validates the token, an error is returned.