Documentation ¶
Index ¶
- Constants
- Variables
- func SignatureFromJTI(jti string) string
- type AuthClientFunc
- type AuthClientMigrator
- type AuthUserFunc
- type AuthUserMigrator
- type Client
- func (c *Client) DisableScopeAccess(scopes ...string)
- func (c *Client) DisableTenantAccess(tenantIDs ...string)
- func (c *Client) EnableScopeAccess(scopes ...string)
- func (c *Client) EnableTenantAccess(tenantIDs ...string)
- func (c Client) Equal(x Client) bool
- func (c *Client) GetAudience() fosite.Arguments
- func (c *Client) GetGrantTypes() fosite.Arguments
- func (c *Client) GetHashedSecret() []byte
- func (c *Client) GetID() string
- func (c *Client) GetOwner() string
- func (c *Client) GetRedirectURIs() []string
- func (c *Client) GetResponseTypes() fosite.Arguments
- func (c *Client) GetScopes() fosite.Arguments
- func (c *Client) IsDisabled() bool
- func (c Client) IsEmpty() bool
- func (c *Client) IsPublic() bool
- type ClientManager
- type ClientStorer
- type Configurer
- type DeniedJTI
- type DeniedJTIManager
- type DeniedJTIStorer
- type Expirer
- type ListClientsRequest
- type ListRequestsRequest
- type ListUsersRequest
- type MultiFactorType
- type Request
- type RequestManager
- type RequestStorer
- type Store
- type User
- func (u User) Authenticate(cleartext string, hasher fosite.Hasher) error
- func (u *User) DisablePeopleAccess(personIDs ...string)
- func (u *User) DisableRegions(regions ...string)
- func (u *User) DisableRoles(roles ...string)
- func (u *User) DisableScopeAccess(scopes ...string)
- func (u *User) DisableTenantAccess(tenantIDs ...string)
- func (u *User) EnablePeopleAccess(personIDs ...string)
- func (u *User) EnableRegions(regions ...string)
- func (u *User) EnableRoles(roles ...string)
- func (u *User) EnableScopeAccess(scopes ...string)
- func (u *User) EnableTenantAccess(tenantIDs ...string)
- func (u User) Equal(x User) bool
- func (u User) FullName() string
- func (u *User) GetHashedSecret() []byte
- func (u User) IsEmpty() bool
- func (u *User) SetPassword(cleartext string, hasher fosite.Hasher) (err error)
- type UserManager
- type UserStorer
- type UsersByFirstName
- type UsersByLastName
- type UsersByUsername
Constants ¶
const ( // EntityOpenIDSessions provides the name of the entity to use in order to // create, read, update and delete OpenID Sessions. EntityOpenIDSessions = "openIDConnectSessions" // EntityAccessTokens provides the name of the entity to use in order to // create, read, update and delete Access Token sessions. EntityAccessTokens = "accessTokens" // EntityRefreshTokens provides the name of the entity to use in order to // create, read, update and delete Refresh Token sessions. EntityRefreshTokens = "refreshTokens" // EntityAuthorizationCodes provides the name of the entity to use in order // to create, read, update and delete Authorization Code sessions. EntityAuthorizationCodes = "authorizationCodes" // EntityPKCESessions provides the name of the entity to use in order to // create, read, update and delete Proof Key for Code Exchange sessions. EntityPKCESessions = "pkceSessions" // EntityJtiDenylist provides the name of the entity to use in order to // track and deny. EntityJtiDenylist = "jtiDenylist" // EntityClients provides the name of the entity to use in order to create, // read, update and delete Clients. EntityClients = "clients" // EntityUsers provides the name of the entity to use in order to create, // read, update and delete Users. EntityUsers = "users" )
Variables ¶
var ( // ErrResourceExists provides an error for when, in most cases, a record's // unique identifier already exists in the system. ErrResourceExists = errors.New("resource conflict") )
var MultiFactorTypeName = map[MultiFactorType]string{ MultiFactorType_UNSPECIFIED: "MultiFactorType_UNSPECIFIED", MultiFactorType_AUTHENTICATOR: "MultiFactorType_AUTHENTICATOR", MultiFactorType_EMAIL: "MultiFactorType_EMAIL", MultiFactorType_SMS: "MultiFactorType_SMS", }
Functions ¶
func SignatureFromJTI ¶ added in v0.21.0
SignatureFromJTI creates a JTI signature from the JWT Token ID.
Types ¶
type AuthClientFunc ¶ added in v0.14.0
AuthClientFunc enables developers to supply their own authentication function, to check old hashes that need to be upgraded for clients.
For example, you may have passwords in MD5 and wanting them to be migrated to fosite's default hasher, bcrypt. Therefore, if you do a mass data migration, the function you supply would have to:
+- Shortcut logic if the hash string prefix matches what you expect from the new hash - Get the current client record (return nil, false if not found) - Authenticate the current DB secret against MD5 - Return the Client record and if the client authenticated. - if true, the AuthenticateMigration function will upgrade the hash.
type AuthClientMigrator ¶ added in v0.14.0
type AuthClientMigrator interface { // Migrate is provided solely for the case where you want to migrate clients // and push in their old hash. This should perform an upsert, either // creating or overwriting the record with the newly provided record. // If Client.ID is passed in empty, a new ID will be generated for you. // Use with caution, be secure, don't be dumb. Migrate(ctx context.Context, migratedClient Client) (Client, error) // AuthenticateMigration enables developers to supply your own // authentication function, which in turn, if true, will migrate the secret // to the hasher implemented within fosite. AuthenticateMigration(ctx context.Context, currentAuth AuthClientFunc, clientID string, secret string) (Client, error) }
AuthClientMigrator provides an interface to enable storage backends to implement functionality to upgrade hashes currently stored in the datastore.
type AuthUserFunc ¶ added in v0.14.0
AuthUserFunc enables developers to supply their own authentication function, to check old hashes that need to be upgraded for users.
See AuthClientFunc for example usage.
type AuthUserMigrator ¶ added in v0.14.0
type AuthUserMigrator interface { // Migrate is provided solely for the case where you want to migrate users // and push in their old hash. This should perform an upsert, either // creating or overwriting the current record with the newly provided // record. // If User.ID is passed in empty, a new ID will be generated for you. // Use with caution, be secure, don't be dumb. Migrate(ctx context.Context, migratedUser User) (User, error) // AuthenticateMigration enables developers to supply your own // authentication function, which in turn, if true, will migrate the secret // to the hasher implemented within fosite. AuthenticateMigration(ctx context.Context, currentAuth AuthUserFunc, userID string, password string) (User, error) }
AuthUserMigrator provides an interface to enable storage backends to implement functionality to upgrade hashes currently stored in the datastore.
type Client ¶ added in v0.14.0
type Client struct { //// Client Meta // ID is the id for this client. ID string `bson:"id" json:"id" xml:"id"` // createTime is when the resource was created in seconds from the epoch. CreateTime int64 `bson:"createTime" json:"createTime" xml:"createTime"` // updateTime is the last time the resource was modified in seconds from // the epoch. UpdateTime int64 `bson:"updateTime" json:"updateTime" xml:"updateTime"` // AllowedAudiences contains a list of Audiences that the client has been // given rights to access. AllowedAudiences []string `bson:"allowedAudiences" json:"allowedAudiences,omitempty" xml:"allowedAudiences,omitempty"` // AllowedRegions contains a list of regions that the client has been // given permission to access. This enables filtering for clients based on // geographic region. AllowedRegions []string `bson:"allowedRegions" json:"allowedRegions,omitempty" xml:"allowedRegions,omitempty"` // AllowedTenantAccess contains a list of Tenants that the client has been // given rights to access. AllowedTenantAccess []string `bson:"allowedTenantAccess" json:"allowedTenantAccess,omitempty" xml:"allowedTenantAccess,omitempty"` // GrantTypes contains a list of grant types the client is allowed to use. // // Pattern: client_credentials|authorize_code|implicit|refresh_token GrantTypes []string `bson:"grantTypes" json:"grantTypes" xml:"grantTypes"` // ResponseTypes contains a list of the OAuth 2.0 response type strings // that the client can use at the authorization endpoint. // // Pattern: id_token|code|token ResponseTypes []string `bson:"responseTypes" json:"responseTypes" xml:"responseTypes"` // Scopes contains a list of values the client is entitled to use when // requesting an access token (as described in Section 3.3 of OAuth 2.0 // [RFC6749]). // // Pattern: ([a-zA-Z0-9\.]+\s)+ Scopes []string `bson:"scopes" json:"scopes" xml:"scopes"` // Public is a boolean that identifies this client as public, meaning that // it does not have a secret. It will disable the client_credentials grant // type for this client if set. Public bool `bson:"public" json:"public" xml:"public"` // Disabled stops the client from being able to authenticate to the system. Disabled bool `bson:"disabled" json:"disabled" xml:"disabled"` //// Client Content // Name contains a human-readable string name of the client to be presented // to the end-user during authorization. Name string `bson:"name" json:"name" xml:"name"` // Secret is the client's secret. The secret will be included in the create // request as cleartext, and then never again. The secret is stored using // BCrypt so it is impossible to recover it. // Tell your users that they need to remember the client secret as it will // not be made available again. Secret string `bson:"secret,omitempty" json:"secret,omitempty" xml:"secret,omitempty"` // RedirectURIs contains a list of allowed redirect urls for the client, for // example: http://mydomain/oauth/callback. RedirectURIs []string `bson:"redirectUris" json:"redirectUris" xml:"redirectUris"` // Owner identifies the owner of the OAuth 2.0 Client. Owner string `bson:"owner" json:"owner" xml:"owner"` // PolicyURI allows the application developer to provide a URI string that // points to a human-readable privacy policy document that describes how the // deployment organization collects, uses, retains, and discloses personal // data. PolicyURI string `bson:"policyUri" json:"policyUri" xml:"policyUri"` // TermsOfServiceURI allows the application developer to provide a URI // string that points to a human-readable terms of service document that // describes and outlines the contractual relationship between the end-user // and the client application that the end-user accepts when authorizing // their use of the client. TermsOfServiceURI string `bson:"termsOfServiceUri" json:"termsOfServiceUri" xml:"termsOfServiceUri"` // ClientURI allows the application developer to provide a URI string that // points to a human-readable web page that provides information about the // client application. // If present, the server SHOULD display this URL to the end-user in a // click-able fashion. ClientURI string `bson:"clientUri" json:"clientUri" xml:"clientUri"` // LogoURI is an URL string that references a logo for the client. LogoURI string `bson:"logoUri" json:"logoUri" xml:"logoUri"` // Contacts contains a list ways to contact the developers responsible for // this OAuth 2.0 client, typically email addresses. Contacts []string `bson:"contacts" json:"contacts" xml:"contacts"` // Published provides a switch to hide specific clients if not quite ready // for the prime time, or if wanting to keep them hidden. Published bool `bson:"published" json:"published" xml:"published"` }
Client provides the structure of an OAuth2.0 Client.
func (*Client) DisableScopeAccess ¶ added in v0.14.0
DisableScopeAccess disables client scope access.
func (*Client) DisableTenantAccess ¶ added in v0.14.0
DisableTenantAccess removes a single or multiple tenantIDs from the given client.
func (*Client) EnableScopeAccess ¶ added in v0.14.0
EnableScopeAccess enables client scope access.
func (*Client) EnableTenantAccess ¶ added in v0.14.0
EnableTenantAccess adds a single or multiple tenantIDs to the given client.
func (*Client) GetAudience ¶ added in v0.18.0
GetAudience returns the allowed audience(s) for this client.
func (*Client) GetGrantTypes ¶ added in v0.14.0
GetGrantTypes returns an array of strings, wrapped as `fosite.Arguments` to provide functions that allow verifying the Client's Grant Types against incoming requests.
func (*Client) GetHashedSecret ¶ added in v0.14.0
GetHashedSecret returns the Client's Hashed Secret for authenticating with the Identity Provider.
func (*Client) GetOwner ¶ added in v0.14.0
GetOwner returns a string which contains the OAuth Client owner's name. Generally speaking, this will be a developer or an organisation.
func (*Client) GetRedirectURIs ¶ added in v0.14.0
GetRedirectURIs returns the OAuth2.0 authorized Client redirect URIs.
func (*Client) GetResponseTypes ¶ added in v0.14.0
GetResponseTypes returns an array of strings, wrapped as `fosite.Arguments` to provide functions that allow verifying the Client's Response Types against incoming requests.
func (*Client) GetScopes ¶ added in v0.14.0
GetScopes returns an array of strings, wrapped as `fosite.Arguments` to provide functions that allow verifying the Client's scopes against incoming requests.
func (*Client) IsDisabled ¶ added in v0.14.0
IsDisabled returns a boolean as to whether the Client itself has had it's access disabled.
type ClientManager ¶ added in v0.14.0
type ClientManager interface { Configurer ClientStorer AuthClientMigrator }
ClientManager provides a generic interface to clients in order to build a Datastore backend.
type ClientStorer ¶ added in v0.14.0
type ClientStorer interface { // fosite.Storage provides get client. fosite.Storage List(ctx context.Context, filter ListClientsRequest) ([]Client, error) Create(ctx context.Context, client Client) (Client, error) Get(ctx context.Context, clientID string) (Client, error) Update(ctx context.Context, clientID string, client Client) (Client, error) Delete(ctx context.Context, clientID string) error // Utility Functions Authenticate(ctx context.Context, clientID string, secret string) (Client, error) GrantScopes(ctx context.Context, clientID string, scopes []string) (Client, error) RemoveScopes(ctx context.Context, clientID string, scopes []string) (Client, error) }
ClientStorer conforms to fosite.Storage and provides methods
type Configurer ¶ added in v0.14.0
type Configurer interface { // Configure configures the underlying database engine to match // requirements. // Configure will be called each time a service is started, so ensure this // function maintains idempotency. // The main use here is to apply creation of tables, collections, schemas // any needed migrations and configuration of indexes as required. Configure(ctx context.Context) error }
Configurer enables an implementer to configure required migrations, indexing and is called when the datastore connects.
type DeniedJTI ¶ added in v0.21.0
type DeniedJTI struct { JTI string `bson:"-" json:"-" xml:"-"` Signature string `bson:"signature" json:"signature" xml:"signature"` Expiry int64 `bson:"exp" json:"exp" xml:"exp"` }
DeniedJTI provides the structure for a Denied JSON Web Token (JWT) Token Identifier.
type DeniedJTIManager ¶ added in v0.21.0
type DeniedJTIManager interface { Configurer DeniedJTIStorer }
DeniedJTIManager provides a generic interface to clients in order to build a Datastore backend.
type DeniedJTIStorer ¶ added in v0.21.0
type DeniedJTIStorer interface { // Standard CRUD Storage API Create(ctx context.Context, deniedJti DeniedJTI) (DeniedJTI, error) Get(ctx context.Context, jti string) (DeniedJTI, error) Delete(ctx context.Context, jti string) error // DeleteBefore removes all denied JTIs before the given unix time. DeleteBefore(ctx context.Context, expBefore int64) error }
DeniedJTIStorer enables storing denied JWT Tokens, by ID.
type ListClientsRequest ¶ added in v0.14.0
type ListClientsRequest struct { // AllowedTenantAccess filters clients based on an Allowed Tenant Access. AllowedTenantAccess string `json:"allowedTenantAccess" xml:"allowedTenantAccess"` // AllowedRegion filters clients based on an Allowed Region. AllowedRegion string `json:"allowedRegion" xml:"allowedRegion"` // RedirectURI filters clients based on redirectURI. RedirectURI string `json:"redirectURI" xml:"redirectURI"` // GrantType filters clients based on GrantType. GrantType string `json:"grantType" xml:"grantType"` // ResponseType filters clients based on ResponseType. ResponseType string `json:"responseType" xml:"responseType"` // ScopesIntersection filters clients that have at least the listed scopes. // ScopesIntersection performs an AND operation. // For example: // - given ["cats"] the client must have "cats" in their scopes. // - given ["cats, dogs"] the client must have "cats" AND "dogs in their // scopes. // // If ScopesUnion is provided, a union operation will be performed as it // returns the wider selection. ScopesIntersection []string `json:"scopesIntersection" xml:"scopesIntersection"` // ScopesUnion filters users that have at least one of the listed scopes. // ScopesUnion performs an OR operation. // For example: // - given ["cats"] the client must have "cats" in their scopes. // - given ["cats, dogs"] the client must have "cats" OR "dogs in their // scopes. ScopesUnion []string `json:"scopesUnion" xml:"scopesUnion"` // Contact filters clients based on Contact. Contact string `json:"contact" xml:"contact"` // Public filters clients based on Public status. Public bool `json:"public" xml:"public"` // Disabled filters clients based on denied access. Disabled bool `json:"disabled" xml:"disabled"` // Published filters clients based on published status. Published bool `json:"published" xml:"published"` }
ListClientsRequest enables listing and filtering client records.
type ListRequestsRequest ¶ added in v0.14.0
type ListRequestsRequest struct { // ClientID enables filtering requests based on Client ID ClientID string `json:"clientId" xml:"clientId"` // UserID enables filtering requests based on User ID UserID string `json:"userId" xml:"userId"` // ScopesIntersection filters clients that have all of the listed scopes. // ScopesIntersection performs an AND operation. // If ScopesUnion is provided, a union operation will be performed as it // returns the wider selection. ScopesIntersection []string `json:"scopesIntersection" xml:"scopesIntersection"` // ScopesUnion filters users that have at least one of of the listed scopes. // ScopesUnion performs an OR operation. ScopesUnion []string `json:"scopesUnion" xml:"scopesUnion"` // GrantedScopesIntersection enables filtering requests based on GrantedScopes // GrantedScopesIntersection performs an AND operation. // If GrantedScopesIntersection is provided, a union operation will be // performed as it returns the wider selection. GrantedScopesIntersection []string `json:"grantedScopesIntersection" xml:"grantedScopesIntersection"` // GrantedScopesUnion enables filtering requests based on GrantedScopes // GrantedScopesUnion performs an OR operation. GrantedScopesUnion []string `json:"grantedScopesUnion" xml:"grantedScopesUnion"` }
ListRequestsRequest enables filtering stored Request entities.
type ListUsersRequest ¶ added in v0.14.0
type ListUsersRequest struct { // AllowedTenantAccess filters users based on an Allowed Tenant Access. AllowedTenantAccess string `json:"allowedTenantAccess" xml:"allowedTenantAccess"` // AllowedPersonAccess filters users based on Allowed Person Access. AllowedPersonAccess string `json:"allowedPersonAccess" xml:"allowedPersonAccess"` // PersonID filters users based on a person's identifier. PersonID string `json:"personId" xml:"personId"` // PersonIDs filters users based on a list of person identifiers. // Setting PersonID will take precedence over this filter. PersonIDs []string `json:"personIds" xml:"personIds"` // Username filters users based on username. Username string `json:"username" xml:"username"` // ScopesUnion filters users that have at least one of the listed scopes. // ScopesUnion performs an OR operation. // If ScopesUnion is provided, a union operation will be performed as it // returns the wider selection. ScopesUnion []string `json:"scopesUnion" xml:"scopesUnion"` // ScopesIntersection filters users that have all the listed scopes. // ScopesIntersection performs an AND operation. ScopesIntersection []string `json:"scopesIntersection" xml:"scopesIntersection"` // FirstName filters users based on their First Name. FirstName string `json:"firstName" xml:"firstName"` // LastName filters users based on their Last Name. LastName string `json:"lastName" xml:"lastName"` // Disabled filters users to those with disabled accounts. Disabled bool `json:"disabled" xml:"disabled"` }
ListUsersRequest enables filtering stored User entities.
type MultiFactorType ¶ added in v0.32.0
type MultiFactorType int32
MultiFactorType specifies the types of authentication a user can enrol in;
const ( MultiFactorType_UNSPECIFIED MultiFactorType = 0 MultiFactorType_AUTHENTICATOR MultiFactorType = 1 MultiFactorType_EMAIL MultiFactorType = 2 MultiFactorType_SMS MultiFactorType = 3 )
type Request ¶ added in v0.14.0
type Request struct { // ID contains the unique request identifier. ID string `bson:"id" json:"id" xml:"id"` // CreateTime is when the resource was created in seconds from the epoch. CreateTime int64 `bson:"createTime" json:"createTime" xml:"createTime"` // UpdateTime is the last time the resource was modified in seconds from // the epoch. UpdateTime int64 `bson:"updateTime" json:"updateTime" xml:"updateTime"` // RequestedAt is the time the request was made. RequestedAt time.Time `bson:"requestedAt" json:"requestedAt" xml:"requestedAt"` // Signature contains a unique session signature. Signature string `bson:"signature" json:"signature" xml:"signature"` // ClientID contains a link to the Client that was used to authenticate // this session. ClientID string `bson:"clientId" json:"clientId" xml:"clientId"` // UserID contains the subject's unique ID which links back to a stored // user account. UserID string `bson:"userId" json:"userId" xml:"userId"` // Scopes contains the scopes that the user requested. RequestedScope fosite.Arguments `bson:"scopes" json:"scopes" xml:"scopes"` // GrantedScope contains the list of scopes that the user was actually // granted. GrantedScope fosite.Arguments `bson:"grantedScopes" json:"grantedScopes" xml:"grantedScopes"` // RequestedAudience contains the audience the user requested. RequestedAudience fosite.Arguments `bson:"requestedAudience" json:"requestedAudience" xml:"requestedAudience"` // GrantedAudience contains the list of audiences the user was actually // granted. GrantedAudience fosite.Arguments `bson:"grantedAudience" json:"grantedAudience" xml:"grantedAudience"` // Form contains the url values that were passed in to authenticate the // user's client session. Form url.Values `bson:"formData" json:"formData" xml:"formData"` // Active is specifically used for Authorize Code flow revocation. Active bool `bson:"active" json:"active" xml:"active"` // Session contains the session data. The underlying structure differs // based on OAuth strategy, so we need to store it as binary-encoded JSON. // Otherwise, it can be stored but not unmarshalled back into a // fosite.Session. Session []byte `bson:"sessionData" json:"sessionData" xml:"sessionData"` }
Request is a concrete implementation of a fosite.Requester, extended to support the required data for OAuth2 and OpenID.
func NewRequest ¶ added in v0.14.0
func NewRequest() Request
NewRequest returns a new Mongo Store request object.
type RequestManager ¶ added in v0.14.0
type RequestManager interface { Configurer RequestStorer }
RequestManager provides an interface in order to build a compliant Fosite storage backend.
type RequestStorer ¶ added in v0.14.0
type RequestStorer interface { // OAuth2 storage interfaces. oauth2.CoreStorage // OpenID storage interfaces. openid.OpenIDConnectRequestStorage // Proof Key for Code Exchange storage interfaces. pkce.PKCERequestStorage // Implements the rest of oauth2.TokenRevocationStorage RevokeRefreshToken(ctx context.Context, requestID string) error RevokeAccessToken(ctx context.Context, requestID string) error // Implements the rest of oauth2.ResourceOwnerPasswordCredentialsGrantStorage Authenticate(ctx context.Context, username string, secret string) error // Standard CRUD Storage API List(ctx context.Context, entityName string, filter ListRequestsRequest) ([]Request, error) Create(ctx context.Context, entityName string, request Request) (Request, error) Get(ctx context.Context, entityName string, requestID string) (Request, error) Update(ctx context.Context, entityName string, requestID string, request Request) (Request, error) Delete(ctx context.Context, entityName string, requestID string) error DeleteBySignature(ctx context.Context, entityName string, signature string) error }
RequestStorer implements all fosite interfaces required to be a storage driver.
type Store ¶ added in v0.14.0
type Store struct { ClientManager DeniedJTIManager RequestManager UserManager }
Store brings all the interfaces together as a way to be composable into storage backend implementations
func (*Store) Authenticate ¶ added in v0.14.0
Authenticate provides a top level pointer to UserManager to implement fosite.ResourceOwnerPasswordCredentialsGrantStorage at the top level.
You can still access either the RequestManager API, or UserManager API by calling the methods on store direct depending on if you want the User resource returned as well via: - `store.RequestManager.Authenticate(ctx, username, secret) error` - `store.UserManager.Authenticate(ctx, username, secret) (User, error)`
type User ¶ added in v0.14.0
type User struct { //// User Meta // ID is the uniquely assigned uuid that references the user ID string `bson:"id" json:"id" xml:"id"` // createTime is when the resource was created in seconds from the epoch. CreateTime int64 `bson:"createTime" json:"createTime" xml:"createTime"` // updateTime is the last time the resource was modified in seconds from // the epoch. UpdateTime int64 `bson:"updateTime" json:"updateTime" xml:"updateTime"` // AllowedTenantAccess contains the Tenant IDs that the user has been given // rights to access. // This helps in multi-tenanted situations where a user can be given // explicit cross-tenant access. AllowedTenantAccess []string `bson:"allowedTenantAccess" json:"allowedTenantAccess,omitempty" xml:"allowedTenantAccess,omitempty"` // AllowedPersonAccess contains a list of Person IDs that the user is // allowed access to. // This helps in multi-tenanted situations where a user can be given // explicit access to other people accounts, for example, parents to // children records. AllowedPersonAccess []string `bson:"allowedPersonAccess" json:"allowedPersonAccess,omitempty" xml:"allowedPersonAccess,omitempty"` // Scopes contains the permissions that the user is entitled to request. Scopes []string `bson:"scopes" json:"scopes" xml:"scopes"` // Roles contains roles that a user has been granted. Roles []string `bson:"roles" json:"roles" xml:"roles"` // Regions contains a list of regions that the user has access to. Regions []string `bson:"regions" json:"regions" xml:"regions"` // PersonID is a uniquely assigned id that references a person within the // system. // This enables applications where an external person data store is present. // This helps in multi-tenanted situations where the person is unique, but // the underlying user accounts can exist per tenant. PersonID string `bson:"personId" json:"personId" xml:"personId"` // Disabled specifies whether the user has been disallowed from signing in Disabled bool `bson:"disabled" json:"disabled" xml:"disabled"` //// User Content // Username is used to authenticate a user Username string `bson:"username" json:"username" xml:"username"` // Password of the user - will be a hash based on your fosite selected // hasher. // If using this model directly in an API, be sure to clear the password // out when marshaling to json/xml. Password string `bson:"password,omitempty" json:"password,omitempty" xml:"password,omitempty"` // FirstName stores the user's Last Name FirstName string `bson:"firstName" json:"firstName" xml:"firstName"` // LastName stores the user's Last Name LastName string `bson:"lastName" json:"lastName" xml:"lastName"` // ProfileURI is a pointer to where their profile picture lives ProfileURI string `bson:"profileUri" json:"profileUri,omitempty" xml:"profileUri,omitempty"` // MFAFactors contains the MFA Factor ID to the type of factor the user is signed up to. MFAFactors map[string]MultiFactorType `bson:"mfaFactors" json:"mfaFactors,omitempty" xml:"mfaFactors,omitempty"` }
User provides the specific types for storing, editing, deleting and retrieving a User record in mongo.
func (User) Authenticate ¶ added in v0.14.0
Authenticate compares a cleartext string against the user's
func (*User) DisablePeopleAccess ¶ added in v0.14.0
DisablePeopleAccess disables user access to the provided people.
func (*User) DisableRegions ¶ added in v0.34.0
DisableRegions removes one or many regions from a user.
func (*User) DisableRoles ¶ added in v0.26.0
DisableRoles removes one or many roles from a user.
func (*User) DisableScopeAccess ¶ added in v0.14.0
DisableScopeAccess disables user access to one or many scopes.
func (*User) DisableTenantAccess ¶ added in v0.14.0
DisableTenantAccess disables user access to one or many tenants.
func (*User) EnablePeopleAccess ¶ added in v0.14.0
EnablePeopleAccess enables user access to the provided people
func (*User) EnableRegions ¶ added in v0.34.0
EnableRegions adds one or many regions to a user.
func (*User) EnableRoles ¶ added in v0.26.0
EnableRoles adds one or many roles to a user.
func (*User) EnableScopeAccess ¶ added in v0.14.0
EnableScopeAccess enables user access to one or many scopes.
func (*User) EnableTenantAccess ¶ added in v0.14.0
EnableTenantAccess enables user access to one or many tenants.
func (User) Equal ¶ added in v0.14.0
Equal enables checking equality as having a byte array in a struct stops allowing direct equality checks.
func (User) FullName ¶ added in v0.14.0
FullName concatenates the User's First Name and Last Name for templating purposes
func (*User) GetHashedSecret ¶ added in v0.14.0
GetHashedSecret returns the Users's Hashed Secret as a byte array
type UserManager ¶ added in v0.14.0
type UserManager interface { Configurer UserStorer AuthUserMigrator }
UserManager provides a generic interface to users in order to build a DataStore
type UserStorer ¶ added in v0.14.0
type UserStorer interface { List(ctx context.Context, filter ListUsersRequest) ([]User, error) Create(ctx context.Context, user User) (User, error) Get(ctx context.Context, userID string) (User, error) GetByUsername(ctx context.Context, username string) (User, error) Update(ctx context.Context, userID string, user User) (User, error) Delete(ctx context.Context, userID string) error // Utility Functions Authenticate(ctx context.Context, username string, password string) (User, error) AuthenticateByID(ctx context.Context, userID string, password string) (User, error) AuthenticateByUsername(ctx context.Context, username string, password string) (User, error) GrantScopes(ctx context.Context, userID string, scopes []string) (User, error) RemoveScopes(ctx context.Context, userID string, scopes []string) (User, error) }
UserStorer provides a definition of specific methods that are required to store a User in a data store.
type UsersByFirstName ¶ added in v0.14.0
type UsersByFirstName []User
UsersByFirstName enables sorting user accounts by First Name A-Z
func (UsersByFirstName) Len ¶ added in v0.14.0
func (u UsersByFirstName) Len() int
func (UsersByFirstName) Less ¶ added in v0.14.0
func (u UsersByFirstName) Less(i, j int) bool
func (UsersByFirstName) Swap ¶ added in v0.14.0
func (u UsersByFirstName) Swap(i, j int)
type UsersByLastName ¶ added in v0.14.0
type UsersByLastName []User
UsersByLastName enables sorting user accounts by Last Name A-Z
func (UsersByLastName) Len ¶ added in v0.14.0
func (u UsersByLastName) Len() int
func (UsersByLastName) Less ¶ added in v0.14.0
func (u UsersByLastName) Less(i, j int) bool
func (UsersByLastName) Swap ¶ added in v0.14.0
func (u UsersByLastName) Swap(i, j int)
type UsersByUsername ¶ added in v0.14.0
type UsersByUsername []User
UsersByUsername enables sorting user accounts by Username A-Z
func (UsersByUsername) Len ¶ added in v0.14.0
func (u UsersByUsername) Len() int
func (UsersByUsername) Less ¶ added in v0.14.0
func (u UsersByUsername) Less(i, j int) bool
func (UsersByUsername) Swap ¶ added in v0.14.0
func (u UsersByUsername) Swap(i, j int)