Documentation
¶
Overview ¶
Package oauth2 contains all the necessary configurations to initialize the idp communication using oauth2 protocol
Index ¶
- Constants
- Variables
- func GetIDPCallbackURL() string
- func GetIDPCallbackURLDynamic() bool
- func GetIDPClientID() string
- func GetIDPSecret() string
- func GetIDPURL() string
- func GetIDPUserInfo() bool
- func GetRandomStateWithHMAC(length int, keyFunc StateKeyFunc) string
- func GetSTSEndpoint() string
- func IsIDPEnabled() bool
- type Config
- func (ac Config) AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string
- func (ac Config) Client(ctx context.Context, t *xoauth2.Token) *http.Client
- func (ac Config) Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)
- func (ac Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)
- func (ac Config) TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource
- type Configuration
- type DiscoveryDoc
- type LoginURLParams
- type OpenIDPCfg
- type Provider
- func (client *Provider) GenerateLoginURL(keyFunc StateKeyFunc, iDPName string) string
- func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN string, keyFunc StateKeyFunc) (*credentials.Credentials, error)
- func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, state string, keyFunc StateKeyFunc) (*xoauth2.Token, error)
- type ProviderConfig
- type StateKeyFunc
- type User
Constants ¶
const ( ConsoleMinIOServer = "CONSOLE_MINIO_SERVER" ConsoleIDPURL = "CONSOLE_IDP_URL" ConsoleIDPClientID = "CONSOLE_IDP_CLIENT_ID" ConsoleIDPSecret = "CONSOLE_IDP_SECRET" ConsoleIDPCallbackURL = "CONSOLE_IDP_CALLBACK" ConsoleIDPCallbackURLDynamic = "CONSOLE_IDP_CALLBACK_DYNAMIC" ConsoleIDPHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE" ConsoleIDPHmacSalt = "CONSOLE_IDP_HMAC_SALT" ConsoleIDPScopes = "CONSOLE_IDP_SCOPES" ConsoleIDPUserInfo = "CONSOLE_IDP_USERINFO" ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION" ConsoleIDPRoleARN = "CONSOLE_IDP_ROLE_ARN" )
Environment constants for console IDP/SSO configuration
Variables ¶
var DefaultDerivedKey = func() []byte { return pbkdf2.Key([]byte(getPassphraseForIDPHmac()), []byte(getSaltForIDPHmac()), 4096, 32, sha1.New) }
DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter its derived using pbkdf on CONSOLE_IDP_HMAC_PASSPHRASE with CONSOLE_IDP_HMAC_SALT
Functions ¶
func GetIDPCallbackURL ¶
func GetIDPCallbackURL() string
Public endpoint used by the identity oidcProvider when redirecting the user after identity verification
func GetIDPCallbackURLDynamic ¶
func GetIDPCallbackURLDynamic() bool
func GetIDPClientID ¶
func GetIDPClientID() string
func GetIDPSecret ¶
func GetIDPSecret() string
func GetIDPUserInfo ¶
func GetIDPUserInfo() bool
func GetRandomStateWithHMAC ¶
func GetRandomStateWithHMAC(length int, keyFunc StateKeyFunc) string
GetRandomStateWithHMAC computes message + hmac(message, pbkdf2(key, salt)) to be used as state during the oauth authorization
func GetSTSEndpoint ¶
func GetSTSEndpoint() string
func IsIDPEnabled ¶
func IsIDPEnabled() bool
Types ¶
type Config ¶
func (Config) AuthCodeURL ¶
func (ac Config) AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string
func (Config) PasswordCredentialsToken ¶
func (Config) TokenSource ¶
type Configuration ¶
type Configuration interface {
Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)
AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string
PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)
Client(ctx context.Context, t *xoauth2.Token) *http.Client
TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource
}
type DiscoveryDoc ¶
type DiscoveryDoc struct {
Issuer string `json:"issuer,omitempty"`
AuthEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
TokenEndpointAuthMethods []string `json:"token_endpoint_auth_methods_supported,omitempty"`
ClaimsSupported []string `json:"claims_supported,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}
DiscoveryDoc - parses the output from openid-configuration for example https://accounts.google.com/.well-known/openid-configuration
type LoginURLParams ¶
type OpenIDPCfg ¶
type OpenIDPCfg map[string]ProviderConfig
func (OpenIDPCfg) NewOauth2ProviderClient ¶
func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)
NewOauth2ProviderClient instantiates a new oauth2 client using the `OpenIDPCfg` configuration struct. It returns a *Provider object that contains the necessary configuration to initiate an oauth2 authentication flow.
We only support Authentication with the Authorization Code Flow - spec: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
type Provider ¶
type Provider struct {
// oauth2Config is an interface configuration that contains the following fields
// Config{
// IDPName string
// ClientSecret string
// RedirectURL string
// Endpoint oauth2.Endpoint
// Scopes []string
// }
// - IDPName is the public identifier for this application
// - ClientSecret is a shared secret between this application and the authorization server
// - RedirectURL is the URL to redirect users going through
// the OAuth flow, after the resource owner's URLs.
// - Endpoint contains the resource server's token endpoint
// URLs. These are constants specific to each server and are
// often available via site-specific packages, such as
// google.Endpoint or github.Endpoint.
// - Scopes specifies optional requested permissions.
IDPName string
// if enabled means that we need extrace access_token as well
UserInfo bool
// contains filtered or unexported fields
}
Provider is a wrapper of the oauth2 configuration and the oidc provider
func NewOauth2ProviderClient ¶
func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)
NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials it returns a *Provider object that contains the necessary configuration to initiate an oauth2 authentication flow.
We only support Authentication with the Authorization Code Flow - spec: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
func (*Provider) GenerateLoginURL ¶
func (client *Provider) GenerateLoginURL(keyFunc StateKeyFunc, iDPName string) string
GenerateLoginURL returns a new login URL based on the configured IDP
func (*Provider) VerifyIdentity ¶
func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN string, keyFunc StateKeyFunc) (*credentials.Credentials, error)
VerifyIdentity will contact the configured IDP to the user identity based on the authorization code and state if the user is valid, then it will contact MinIO to get valid sts credentials based on the identity provided by the IDP
func (*Provider) VerifyIdentityForOperator ¶
func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, state string, keyFunc StateKeyFunc) (*xoauth2.Token, error)
VerifyIdentityForOperator will contact the configured IDP and validate the user identity based on the authorization code and state
type ProviderConfig ¶
type ProviderConfig struct {
URL string
DisplayName string // user-provided - can be empty
ClientID, ClientSecret string
HMACSalt, HMACPassphrase string
Scopes string
Userinfo bool
RedirectCallbackDynamic bool
RedirectCallback string
RoleArn string // can be empty
}
ProviderConfig - OpenID IDP Configuration for console.
func (ProviderConfig) GetARNInf ¶
func (pc ProviderConfig) GetARNInf() string
func (ProviderConfig) GetStateKeyFunc ¶
func (pc ProviderConfig) GetStateKeyFunc() StateKeyFunc
GetStateKeyFunc - return the key function used to generate the authorization code flow state parameter.
type StateKeyFunc ¶
type StateKeyFunc func() []byte
StateKeyFunc - is a function that returns a key used in OAuth Authorization flow state generation and verification.
type User ¶
type User struct {
AppMetadata map[string]interface{} `json:"app_metadata"`
Blocked bool `json:"blocked"`
CreatedAt string `json:"created_at"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
FamilyName string `json:"family_name"`
GivenName string `json:"given_name"`
Identities []interface{} `json:"identities"`
LastIP string `json:"last_ip"`
LastLogin string `json:"last_login"`
LastPasswordReset string `json:"last_password_reset"`
LoginsCount int `json:"logins_count"`
MultiFactor string `json:"multifactor"`
Name string `json:"name"`
Nickname string `json:"nickname"`
PhoneNumber string `json:"phone_number"`
PhoneVerified bool `json:"phone_verified"`
Picture string `json:"picture"`
UpdatedAt string `json:"updated_at"`
UserID string `json:"user_id"`
UserMetadata map[string]interface{} `json:"user_metadata"`
Username string `json:"username"`
}
Source Files