Documentation ¶
Index ¶
- Constants
- Variables
- func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (interface{}, error)
- func GetAndValidateTokenObjectFromContext(ctx context.Context, claims config.Claims, provider *oidc.Provider) (*oidc.IDToken, error)
- func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor
- func GetAuthenticationInterceptor(authContext interfaces.AuthenticationContext) func(context.Context) (context.Context, error)
- func GetCallbackHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc
- func GetLoginHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc
- func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetMeEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetOAuth2MetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetOIdCMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func GetOauth2Config(options config.OAuthOptions) (oauth2.Config, error)
- func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)
- func HashCsrfState(csrf string) string
- func NewCsrfCookie() http.Cookie
- func NewCsrfToken(seed int64) string
- func NewRedirectCookie(ctx context.Context, redirectURL string) *http.Cookie
- func NewSecureCookie(cookieName, value string, hashKey, blockKey []byte) (http.Cookie, error)
- func ParseAndValidate(ctx context.Context, claims config.Claims, rawIDToken string, ...) (*oidc.IDToken, error)
- func ReadSecureCookie(ctx context.Context, cookie http.Cookie, hashKey, blockKey []byte) (string, error)
- func RefreshTokensIfExists(ctx context.Context, authContext interfaces.AuthenticationContext, ...) http.HandlerFunc
- func VerifyCsrfCookie(ctx context.Context, request *http.Request) error
- func WithAuditFields(ctx context.Context, clientIds []string, tokenIssuedAt time.Time) context.Context
- func WithUserEmail(ctx context.Context, email string) context.Context
- type Context
- func (c Context) Claims() config.Claims
- func (c Context) CookieManager() interfaces.CookieHandler
- func (c Context) GetBaseURL() *url.URL
- func (c Context) GetHTTPClient() *http.Client
- func (c Context) GetOAuth2MetadataURL() *url.URL
- func (c Context) GetOIdCMetadataURL() *url.URL
- func (c Context) GetUserInfoURL() *url.URL
- func (c Context) OAuth2Config() *oauth2.Config
- func (c Context) OidcProvider() *oidc.Provider
- func (c Context) Options() config.OAuthOptions
- type CookieManager
- func (c CookieManager) DeleteCookies(ctx context.Context, writer http.ResponseWriter)
- func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (idToken, accessToken, refreshToken string, err error)
- func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error
- type HTTPRequestToMetadataAnnotator
- type UserInfoResponse
Constants ¶
const ( ErrAuthContext errors.ErrorCode = "AUTH_CONTEXT_SETUP_FAILED" ErrConfigFileRead errors.ErrorCode = "CONFIG_OPTION_FILE_READ_FAILED" )
const ( ErrSecureCookie errors.ErrorCode = "SECURE_COOKIE_ERROR" // #nosec ErrInvalidCsrfToken errors.ErrorCode = "CSRF_TOKEN_VALIDATION_FAILED" )
const ( ErrB64Decoding errors.ErrorCode = "BINARY_DECODING_FAILED" // #nosec ErrTokenNil errors.ErrorCode = "EMPTY_OAUTH_TOKEN" // #nosec ErrNoIDToken errors.ErrorCode = "NO_ID_TOKEN_IN_RESPONSE" )
const ( RedirectURLParameter = "redirect_url" FromHTTPKey = "from_http" FromHTTPVal = "true" PrincipalContextKey contextutils.Key = "principal" )
const ( ErrRefreshingToken errors.ErrorCode = "TOKEN_REFRESH_FAILURE" ErrTokenExpired errors.ErrorCode = "JWT_EXPIRED" ErrJwtValidation errors.ErrorCode = "JWT_VERIFICATION_FAILED" )
const AuthorizationResponseCodeType = "code"
const BearerScheme = "Bearer"
const CsrfFormKey = "state"
OAuth2 Parameters
const DefaultAuthorizationHeader = "authorization"
const (
ErrIdpClient errors.ErrorCode = "IDP_REQUEST_FAILED"
)
const (
IdpConnectionTimeout = 10 * time.Second
)
const OAuth2MetadataEndpoint = ".well-known/oauth-authorization-server"
https://tools.ietf.org/html/rfc8414 This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path
const OIdCMetadataEndpoint = ".well-known/openid-configuration"
https://openid.net/specs/openid-connect-discovery-1_0.html This should be defined without a leading slash. If there is one, the url library's ResolveReference will make it a root path
const RefreshToken = "refresh_token"
Variables ¶
var AllowedChars = []rune("abcdefghijklmnopqrstuvwxyz1234567890")
Functions ¶
func AuthenticationLoggingInterceptor ¶
func AuthenticationLoggingInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
func GetAndValidateTokenObjectFromContext ¶ added in v0.1.7
func GetAndValidateTokenObjectFromContext(ctx context.Context, claims config.Claims, provider *oidc.Provider) (*oidc.IDToken, error)
This function attempts to extract a token from the context, and will then call the validation function, passing up any errors.
func GetAuthenticationCustomMetadataInterceptor ¶
func GetAuthenticationCustomMetadataInterceptor(authCtx interfaces.AuthenticationContext) grpc.UnaryServerInterceptor
This function produces a gRPC middleware interceptor intended to be used when running authentication with non-default gRPC headers (metadata). Because the default `authorization` header is reserved for use by Envoy, clients wishing to pass tokens to Admin will need to use a different string, specified in this package's Config object. This interceptor will scan for that arbitrary string, and then rename it to the default string, which the downstream auth/auditing interceptors will detect and validate.
func GetAuthenticationInterceptor ¶
func GetAuthenticationInterceptor(authContext interfaces.AuthenticationContext) func(context.Context) (context.Context, error)
This is the function that chooses to enforce or not enforce authentication. It will attempt to get the token from the incoming context, validate it, and decide whether or not to let the request through.
func GetCallbackHandler ¶
func GetCallbackHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc
func GetLoginHandler ¶
func GetLoginHandler(ctx context.Context, authContext interfaces.AuthenticationContext) http.HandlerFunc
func GetLogoutEndpointHandler ¶ added in v0.1.7
func GetLogoutEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
func GetMeEndpointHandler ¶
func GetMeEndpointHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
TODO: Add this to the Admin service IDL in Flyte IDL so that this can be exposed from gRPC as well. This returns a handler that will retrieve user info, from the OAuth2 authorization server. See the OpenID Connect spec at https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse for more information.
func GetOAuth2MetadataEndpointRedirectHandler ¶ added in v0.3.36
func GetOAuth2MetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
This returns a handler that will redirect (303) to the well-known metadata endpoint for the OAuth2 authorization server See https://tools.ietf.org/html/rfc8414 for more information.
func GetOIdCMetadataEndpointRedirectHandler ¶ added in v0.3.36
func GetOIdCMetadataEndpointRedirectHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc
This returns a handler that will redirect (303) to the well-known metadata endpoint for the OAuth2 authorization server See https://tools.ietf.org/html/rfc8414 for more information.
func GetOauth2Config ¶
func GetOauth2Config(options config.OAuthOptions) (oauth2.Config, error)
This creates a oauth2 library config object, with values from the Flyte Admin config
func GetRefreshedToken ¶
func GetRefreshedToken(ctx context.Context, oauth *oauth2.Config, accessToken, refreshToken string) (*oauth2.Token, error)
Refresh a JWT
func HashCsrfState ¶
func NewCsrfCookie ¶
func NewCsrfToken ¶
func NewRedirectCookie ¶
This function takes in a string and returns a cookie that's used to keep track of where to send the user after the OAuth2 login flow is complete.
func NewSecureCookie ¶
func ParseAndValidate ¶
func ReadSecureCookie ¶
func RefreshTokensIfExists ¶
func RefreshTokensIfExists(ctx context.Context, authContext interfaces.AuthenticationContext, handlerFunc http.HandlerFunc) http.HandlerFunc
Look for access token and refresh token, if both are present and the access token is expired, then attempt to refresh. Otherwise do nothing and proceed to the next handler. If successfully refreshed, proceed to the landing page.
func WithAuditFields ¶ added in v0.2.0
Types ¶
type Context ¶
type Context struct {
// contains filtered or unexported fields
}
Please see the comment on the corresponding AuthenticationContext for more information.
func (Context) CookieManager ¶
func (c Context) CookieManager() interfaces.CookieHandler
func (Context) GetBaseURL ¶
func (Context) GetHTTPClient ¶
func (Context) GetOAuth2MetadataURL ¶ added in v0.3.36
func (Context) GetOIdCMetadataURL ¶ added in v0.3.36
func (Context) GetUserInfoURL ¶
func (Context) OAuth2Config ¶
func (Context) OidcProvider ¶
func (c Context) OidcProvider() *oidc.Provider
func (Context) Options ¶
func (c Context) Options() config.OAuthOptions
type CookieManager ¶
type CookieManager struct {
// contains filtered or unexported fields
}
func NewCookieManager ¶
func NewCookieManager(ctx context.Context, hashKeyEncoded, blockKeyEncoded string) (CookieManager, error)
func (CookieManager) DeleteCookies ¶ added in v0.1.7
func (c CookieManager) DeleteCookies(ctx context.Context, writer http.ResponseWriter)
func (CookieManager) RetrieveTokenValues ¶
func (c CookieManager) RetrieveTokenValues(ctx context.Context, request *http.Request) (idToken, accessToken, refreshToken string, err error)
TODO: Separate refresh token from access token, remove named returns, and use stdlib errors. RetrieveTokenValues retrieves id, access and refresh tokens from cookies if they exist. The existence of a refresh token in a cookie is optional and hence failure to find or read that cookie is tolerated. An error is returned in case of failure to retrieve and read either the id or the access tokens.
func (CookieManager) SetTokenCookies ¶
func (c CookieManager) SetTokenCookies(ctx context.Context, writer http.ResponseWriter, token *oauth2.Token) error
type HTTPRequestToMetadataAnnotator ¶
func GetHTTPMetadataTaggingHandler ¶ added in v0.1.7
func GetHTTPMetadataTaggingHandler(authContext interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator
Intercepts the incoming HTTP requests and marks it as such so that the downstream code can use it to enforce auth. See the enforceHTTP/Grpc options for more information.
func GetHTTPRequestCookieToMetadataHandler ¶
func GetHTTPRequestCookieToMetadataHandler(authContext interfaces.AuthenticationContext) HTTPRequestToMetadataAnnotator
This is effectively middleware for the grpc gateway, it allows us to modify the translation between HTTP request and gRPC request. There are two potential sources for bearer tokens, it can come from an authorization header (not yet implemented), or encrypted cookies. Note that when deploying behind Envoy, you have the option to look for a configurable, non-standard header name. The token is extracted and turned into a metadata object which is then attached to the request, from which the token is extracted later for verification.
type UserInfoResponse ¶
type UserInfoResponse struct { Sub string `json:"sub"` Name string `json:"name"` PreferredUsername string `json:"preferred_username"` GivenName string `json:"given_name"` FamilyName string `json:"family_name"` Email string `json:"email"` Picture string `json:"picture"` }
This struct represents what should be returned by an IDP according to the specification at
https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
Keep in mind that not all fields are necessarily populated, and additional fields may be present as well. This is a sample response object returned from Okta for instance
{ "sub": "abc123", "name": "John Smith", "locale": "US", "preferred_username": "jsmith123@company.com", "given_name": "John", "family_name": "Smith", "zoneinfo": "America/Los_Angeles", "updated_at": 1568750854 }