identifier

package
v0.64.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 19, 2024 License: Apache-2.0 Imports: 42 Imported by: 1

README

LibreGraph Connect Identifier

Web app for browser sign-in, sign-out and account management.

Documentation

Index

Constants

View Source 
const (
	SessionIDClaim           = "sid"
	LogonRefClaim            = "lref"
	ExternalAuthorityIDClaim = "eaid"
	LockedScopesClaim        = "lscp"
)

Additional claims as used by the identifier in its own tokens.

View Source 
const (
	// FlowOIDC is the string value for the oidc flow.
	FlowOIDC = "oidc"
	// FlowOAuth is the string value for the oauth flow.
	FlowOAuth = "oauth"
	// FlowConsent is the string value for the consent flow.
	FlowConsent = "consent"
)
View Source 
const (
	// ModeLogonUsernameEmptyPasswordCookie is the logon mode which requires a
	// username which matches the currently signed in user in the cookie and an
	// empty password.
	ModeLogonUsernameEmptyPasswordCookie = "0"
	// ModeLogonUsernamePassword is the logon mode which requires a username
	// and a password.
	ModeLogonUsernamePassword = "1"
)
View Source 
const (
	// MustBeSignedIn is a authorize mode which tells the authorization code,
	// that it is expected to have a signed in user and everything else should
	// be treated as error.
	MustBeSignedIn = "must"
)
View Source 
const (
	ObsoleteUserClaimsClaim = "claims"
)

History claims previously used by the identifier in its own tokens.

View Source 
const (
	// StateModeEndSession is a state mode which selects end session specific
	// actions when processing state requests.
	StateModeEndSession = "0"
)

Variables

This section is empty.

Functions

func NewRecordContext 

func NewRecordContext(ctx context.Context, record *Record) context.Context

NewRecordContext returns a new Context that carries the Record.

Types

type Config 

type Config struct {
	Config *config.Config

	BaseURI    *url.URL
	ScopesConf string

	LogonCookieName     string
	LogonCookieSameSite http.SameSite

	ConsentCookieSameSite http.SameSite

	StateCookieSameSite http.SameSite

	PathPrefix     string
	StaticFolder   string
	WebAppDisabled bool

	AuthorizationEndpointURI *url.URL
	SignedOutEndpointURI     *url.URL

	DefaultSignInPageText   *string
	DefaultUsernameHintText *string
	UILocales               []string

	Backend backends.Backend
}

Config defines a Server's configuration settings. 

type Consent struct {
	Allow    bool   `json:"allow"`
	RawScope string `json:"scope"`
}

Consent is the data received and sent to allow or cancel consent flows.

func (*Consent) Scopes 

func (c *Consent) Scopes(requestedScopes map[string]bool) (map[string]bool, map[string]bool)

Scopes returns the associated consents approved scopes filtered by the provided requested scopes and the full unfiltered approved scopes table.

type ConsentRequest 

type ConsentRequest struct {
	State          string `json:"state"`
	Allow          bool   `json:"allow"`
	RawScope       string `json:"scope"`
	ClientID       string `json:"client_id"`
	RawRedirectURI string `json:"redirect_uri"`
	Ref            string `json:"ref"`
	Nonce          string `json:"flow_nonce"`
}

A ConsentRequest is the request data as sent to the consent endpoint.

type HelloRequest 

type HelloRequest struct {
	State          string `json:"state"`
	Flow           string `json:"flow"`
	RawScope       string `json:"scope"`
	RawPrompt      string `json:"prompt"`
	ClientID       string `json:"client_id"`
	RawRedirectURI string `json:"redirect_uri"`
	RawIDTokenHint string `json:"id_token_hint"`
	RawMaxAge      string `json:"max_age"`

	Scopes      map[string]bool `json:"-"`
	Prompts     map[string]bool `json:"-"`
	RedirectURI *url.URL        `json:"-"`
	IDTokenHint *jwt.Token      `json:"-"`
	MaxAge      time.Duration   `json:"-"`
}

A HelloRequest is the request data as send to the hello endpoint.

type HelloResponse 

type HelloResponse struct {
	State       string `json:"state"`
	Flow        string `json:"flow"`
	Success     bool   `json:"success"`
	Username    string `json:"username,omitempty"`
	DisplayName string `json:"displayName,omitempty"`

	Next          string           `json:"next,omitempty"`
	ContinueURI   string           `json:"continue_uri,omitempty"`
	Scopes        map[string]bool  `json:"scopes,omitempty"`
	ClientDetails *clients.Details `json:"client,omitempty"`
	Meta          *meta.Meta       `json:"meta,omitempty"`
	Branding      *meta.Branding   `json:"branding,omitempty"`
}

A HelloResponse holds a response as sent by the hello endpoint.

type IdentifiedUser 

type IdentifiedUser struct {
	// contains filtered or unexported fields
}

A IdentifiedUser is a user with meta data.

func (*IdentifiedUser) BackendName 

func (u *IdentifiedUser) BackendName() string

BackendName returns the accociated users underlaying backend name.

func (*IdentifiedUser) Claims 

func (u *IdentifiedUser) Claims() jwt.MapClaims

Claims returns extra claims of the accociated user.

func (*IdentifiedUser) Email 

func (u *IdentifiedUser) Email() string

Email returns the associated users email field.

func (*IdentifiedUser) EmailVerified 

func (u *IdentifiedUser) EmailVerified() bool

EmailVerified returns trye if the associated users email field was verified.

func (*IdentifiedUser) ExternalAuthorityID 

func (u *IdentifiedUser) ExternalAuthorityID() *string

func (*IdentifiedUser) FamilyName 

func (u *IdentifiedUser) FamilyName() string

FamilyName returns the associated users family name field.

func (*IdentifiedUser) GivenName 

func (u *IdentifiedUser) GivenName() string

GivenName returns the associated users given name field.

func (*IdentifiedUser) ID 

func (u *IdentifiedUser) ID() int64

ID returns the associated users numeric user id. If it is 0, it means that this user does not have a numeric ID. Do not use this field to identify a user - always use the subject instead. The numeric ID is kept for compatibility with systems which require user identification to be numeric.

func (*IdentifiedUser) LockedScopes added in v0.53.0 

func (u *IdentifiedUser) LockedScopes() []string

func (*IdentifiedUser) LoggedOn 

func (u *IdentifiedUser) LoggedOn() (bool, time.Time)

LoggedOn returns true if the accociated user has a logonAt time set.

func (*IdentifiedUser) LogonRef 

func (u *IdentifiedUser) LogonRef() *string

UserRef returns the accociated users underlaying logon reference.

func (*IdentifiedUser) Name 

func (u *IdentifiedUser) Name() string

Name returns the associated users name field. This is the display name of the accociated user.

func (*IdentifiedUser) ScopedClaims 

func (u *IdentifiedUser) ScopedClaims(authorizedScopes map[string]bool) jwt.MapClaims

ScopedClaims returns scope bound extra claims of the accociated user.

func (*IdentifiedUser) Scopes added in v0.52.0 

func (u *IdentifiedUser) Scopes() []string

Scopes returns the scopes attached to this user.

func (*IdentifiedUser) SessionRef 

func (u *IdentifiedUser) SessionRef() *string

SessionRef returns the accociated users underlaying session reference.

func (*IdentifiedUser) Subject 

func (u *IdentifiedUser) Subject() string

Subject returns the associated users subject field. The subject is the main authentication identifier of the user.

func (*IdentifiedUser) UniqueID 

func (u *IdentifiedUser) UniqueID() string

UniqueID returns the accociated users unique user id. When empty, then this user does not have a unique ID. This field can be used for unique user mapping to external systems which use the same authentication source as Konnect. The value depends entirely on the identifier backend.

func (*IdentifiedUser) Username 

func (u *IdentifiedUser) Username() string

Username returns the accociated users username. This might be different or the same as the subject, depending on the backend in use. If can also be empty, which means that the accociated user does not have a username.

type Identifier 

type Identifier struct {
	Config *Config
	// contains filtered or unexported fields
}

Identifier defines a identification login area with its endpoints using a Kopano Core server as backend logon provider.

func NewIdentifier 

func NewIdentifier(c *Config) (*Identifier, error)

NewIdentifier returns a new Identifier.

func (*Identifier) AddRoutes 

func (i *Identifier) AddRoutes(ctx context.Context, router *mux.Router)

AddRoutes adds the endpoint routes of the accociated Identifier to the provided router with the provided context.

func (*Identifier) EndSession 

func (i *Identifier) EndSession(ctx context.Context, user *IdentifiedUser, rw http.ResponseWriter, postRedirectURI *url.URL, state string) (*url.URL, error)

EndSession begins the process to end the session either directly or indirectly based on the provided user. It optionally returns an uri which shall be used as redirection target or an error.

func (*Identifier) ErrorPage 

func (i *Identifier) ErrorPage(rw http.ResponseWriter, code int, title string, message string)

ErrorPage writes a HTML error page to the provided ResponseWriter.

func (*Identifier) GetConsentFromConsentCookie 

func (i *Identifier) GetConsentFromConsentCookie(ctx context.Context, rw http.ResponseWriter, req *http.Request, state string) (*Consent, error)

GetConsentFromConsentCookie extract consent information for the provided request and the provide state.

func (*Identifier) GetStateFromStateCookie 

func (i *Identifier) GetStateFromStateCookie(ctx context.Context, rw http.ResponseWriter, req *http.Request, scope string, state string) (*StateData, error)

GetStateFromStateCookie extracts state information for the provided request using the provided scope and state.

func (*Identifier) GetUserFromID 

func (i *Identifier) GetUserFromID(ctx context.Context, userID string, sessionRef *string, requestedScopes map[string]bool) (*IdentifiedUser, error)

GetUserFromID looks up the user identified by the provided userID by requesting the associated backend.

func (*Identifier) GetUserFromLogonCookie 

func (i *Identifier) GetUserFromLogonCookie(ctx context.Context, req *http.Request, maxAge time.Duration, refreshSession bool) (*IdentifiedUser, error)

GetUserFromLogonCookie looks up the associated cookie name from the provided request, parses it and returns the user containing the information found in the coookie payload data.

func (*Identifier) Name 

func (i *Identifier) Name() string

Name returns the active identifiers backend's name.

func (*Identifier) OnSetLogon 

func (i *Identifier) OnSetLogon(cb func(ctx context.Context, rw http.ResponseWriter, user identity.User) error) error

OnSetLogon implements a way to register hooks whenever logon information is set by the accociated Identifier.

func (*Identifier) OnUnsetLogon 

func (i *Identifier) OnUnsetLogon(cb func(ctx context.Context, rw http.ResponseWriter) error) error

OnUnsetLogon implements a way to register hooks whenever logon information is set by the accociated Identifier.

func (*Identifier) RegisterManagers 

func (i *Identifier) RegisterManagers(mgrs *managers.Managers) error

RegisterManagers registers the provided managers,

func (*Identifier) ScopesSupported 

func (i *Identifier) ScopesSupported() []string

ScopesSupported return the scopes supported by the accociated Identifier.

func (*Identifier) ServeHTTP 

func (i *Identifier) ServeHTTP(rw http.ResponseWriter, req *http.Request)

ServeHTTP implements the http.Handler interface.

func (*Identifier) SetConsentToConsentCookie 

func (i *Identifier) SetConsentToConsentCookie(ctx context.Context, rw http.ResponseWriter, cr *ConsentRequest, consent *Consent) error

SetConsentToConsentCookie serializses the provided Consent using the provided ConsentRequest and sets it as cookie on the provided ReponseWriter.

func (*Identifier) SetKey 

func (i *Identifier) SetKey(key []byte) error

SetKey sets the provided key for the accociated identifier.

func (*Identifier) SetStateToStateCookie 

func (i *Identifier) SetStateToStateCookie(ctx context.Context, rw http.ResponseWriter, scope string, sd *StateData) error

SetStateToStateCookie serializses the provided StateRequest and sets it as cookie on the provided ReponseWriter.

func (*Identifier) SetUserToLogonCookie 

func (i *Identifier) SetUserToLogonCookie(ctx context.Context, rw http.ResponseWriter, user *IdentifiedUser) error

SetUserToLogonCookie serializes the provided user into an encrypted string and sets it as cookie on the provided http.ResponseWriter.

func (*Identifier) UnsetLogonCookie 

func (i *Identifier) UnsetLogonCookie(ctx context.Context, user *IdentifiedUser, rw http.ResponseWriter) error

UnsetLogonCookie adds cookie remove headers to the provided http.ResponseWriter effectively implementing logout.

type LogonRequest 

type LogonRequest struct {
	State string `json:"state"`

	Params []string      `json:"params"`
	Hello  *HelloRequest `json:"hello"`
}

A LogonRequest is the request data as sent to the logon endpoint

type LogonResponse 

type LogonResponse struct {
	Success bool   `json:"success"`
	State   string `json:"state"`

	Hello *HelloResponse `json:"hello"`
}

A LogonResponse holds a response as sent by the logon endpoint.

type Record 

type Record struct {
	HelloRequest *HelloRequest
	RealIP       string
	UserAgent    string

	BackendUser    backends.UserFromBackend
	IdentifiedUser *IdentifiedUser
}

Record is the struct which the identifier puts into the context.

func FromRecordContext 

func FromRecordContext(ctx context.Context) (*Record, bool)

FromRecordContext returns the Record value stored in ctx, if any.

func NewRecord added in v0.64.0 

func NewRecord(req *http.Request, c *config.Config) *Record

func RecordFromRequestContext added in v0.64.0 

func RecordFromRequestContext(ctx context.Context, c *config.Config) (*Record, bool)

RecordFromRequestContext returns a new Record value based on the request stored in ctx, if any.

type StateData 

type StateData struct {
	State string `json:"state"`
	Mode  string `json:"mode,omitempty"`

	RawQuery string `json:"raw_query,omitempty"`

	ClientID string `json:"client_id"`
	Ref      string `json:"ref,omitempty"`

	Extra map[string]interface{} `json:"extra,omitempty"`

	Trampolin *TrampolinData `json:"trampolin,omitempty"`
}

StateData contains data bound to a state.

type StateRequest 

type StateRequest struct {
	State string
}

A StateRequest is a general request with a state.

type StateResponse 

type StateResponse struct {
	Success bool   `json:"success"`
	State   string `json:"state"`
}

A StateResponse hilds a response as reply to a StateRequest.

type TrampolinData 

type TrampolinData struct {
	URI   string `json:"uri"`
	Scope string `json:"scope"`
}

Source Files

View all Source files

Directories

Path Synopsis
ldap
libregraph
scopes

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.