Documentation ¶
Overview ¶
OAuthServer implementation that serves the OAuth2 authorize and client_credentials flows.
Index ¶
- Constants
- func GetIssuer(ctx context.Context, req *http.Request, cfg *config.Config) string
- func GetJSONWebKeysEndpoint(authCtx interfaces.AuthenticationContext) http.HandlerFunc
- func RegisterHandlers(handler interfaces.HandlerRegisterer, authCtx interfaces.AuthenticationContext)
- type Encryptor
- type OAuth2MetadataProvider
- func (s OAuth2MetadataProvider) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)
- func (s OAuth2MetadataProvider) GetOAuth2Metadata(ctx context.Context, r *service.OAuth2MetadataRequest) (*service.OAuth2MetadataResponse, error)
- func (s OAuth2MetadataProvider) GetPublicClientConfig(context.Context, *service.PublicClientAuthConfigRequest) (*service.PublicClientAuthConfigResponse, error)
- type Provider
- func (p Provider) KeySet() jwk.Set
- func (p Provider) NewJWTSessionToken(subject, appID, issuer, audience string, ...) *fositeOAuth2.JWTSession
- func (p Provider) PublicKeys() []rsa.PublicKey
- func (p Provider) ValidateAccessToken(ctx context.Context, expectedAudience, tokenStr string) (interfaces.IdentityContext, error)
- type ResourceServer
- type StatelessCodeProvider
- func (p StatelessCodeProvider) AuthorizeCodeSignature(token string) string
- func (p StatelessCodeProvider) Decrypt(encrypted string) (string, error)
- func (p StatelessCodeProvider) Encrypt(raw string) (string, error)
- func (p StatelessCodeProvider) GenerateAccessToken(ctx context.Context, requester fosite.Requester) (token string, signature string, err error)
- func (p StatelessCodeProvider) GenerateAuthorizeCode(ctx context.Context, requester fosite.Requester) (token string, signature string, err error)
- func (p StatelessCodeProvider) GenerateRefreshToken(ctx context.Context, requester fosite.Requester) (token string, signature string, err error)
- func (p StatelessCodeProvider) RefreshTokenSignature(token string) string
- func (p StatelessCodeProvider) ValidateAuthorizeCode(ctx context.Context, requester fosite.Requester, token string) (err error)
- func (p StatelessCodeProvider) ValidateRefreshToken(ctx context.Context, requester fosite.Requester, token string) (err error)
- type StatelessTokenStore
- func (s StatelessTokenStore) DeleteRefreshTokenSession(_ context.Context, _ string) (err error)
- func (s StatelessTokenStore) GetAuthorizeCodeSession(ctx context.Context, code string, _ fosite.Session) (fosite.Requester, error)
- func (s StatelessTokenStore) GetPKCERequestSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error)
- func (s StatelessTokenStore) GetRefreshTokenSession(ctx context.Context, signature string, _ fosite.Session) (request fosite.Requester, err error)
- func (s StatelessTokenStore) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error)
Constants ¶
const (
	ClientIDClaim = "client_id"
	UserIDClaim   = "user_info"
	ScopeClaim    = "scp"
	KeyIDClaim    = "key_id"
)
Variables ¶
This section is empty.
Functions ¶
func GetJSONWebKeysEndpoint ¶
func GetJSONWebKeysEndpoint(authCtx interfaces.AuthenticationContext) http.HandlerFunc
GetJSONWebKeysEndpoint serves requests to the jwks endpoint. ref: https://tools.ietf.org/html/rfc7517
func RegisterHandlers ¶
func RegisterHandlers(handler interfaces.HandlerRegisterer, authCtx interfaces.AuthenticationContext)
RegisterHandlers registers http endpoints for handling OAuth2 flow (/authorize,
Types ¶
type OAuth2MetadataProvider ¶
type OAuth2MetadataProvider struct {
// contains filtered or unexported fields
}
func NewService ¶
func NewService(config *authConfig.Config) OAuth2MetadataProvider
func (OAuth2MetadataProvider) AuthFuncOverride ¶
func (s OAuth2MetadataProvider) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)
AuthFuncOverride overrides the auth func so that the APIs implemented here are served with anonymous access (no caller authentication is enforced on them). Ref: https://github.com/grpc-ecosystem/go-grpc-middleware/blob/master/auth/auth.go#L31
func (OAuth2MetadataProvider) GetOAuth2Metadata ¶
func (s OAuth2MetadataProvider) GetOAuth2Metadata(ctx context.Context, r *service.OAuth2MetadataRequest) (*service.OAuth2MetadataResponse, error)
func (OAuth2MetadataProvider) GetPublicClientConfig ¶
func (s OAuth2MetadataProvider) GetPublicClientConfig(context.Context, *service.PublicClientAuthConfigRequest) (*service.PublicClientAuthConfigResponse, error)
type Provider ¶
type Provider struct {
	fosite.OAuth2Provider
	// contains filtered or unexported fields
}
Provider implements OAuth2 Authorization Server.
func NewProvider ¶
func NewProvider(ctx context.Context, cfg config.AuthorizationServer, sm core.SecretManager) (Provider, error)
NewProvider creates a new OAuth2 Provider that is able to perform OAuth 2-legged and 3-legged flows. It looks up the config.SecretNameClaimSymmetricKey and config.SecretNameTokenSigningRSAKey secrets from the secret manager and uses them to sign tokens and to generate token hashes. The RSA private key is expected to be in PEM format with the public key embedded. Use auth.GetInitSecretsCommand() to generate new valid secrets that will be accepted by this provider. The config.SecretNameClaimSymmetricKey must be a 32-byte key in base64 encoding.
func (Provider) NewJWTSessionToken ¶
func (p Provider) NewJWTSessionToken(subject, appID, issuer, audience string, userInfoClaims *service.UserInfoResponse) *fositeOAuth2.JWTSession
NewJWTSessionToken is a helper function for creating a new session.
func (Provider) PublicKeys ¶
func (Provider) ValidateAccessToken ¶
func (p Provider) ValidateAccessToken(ctx context.Context, expectedAudience, tokenStr string) (interfaces.IdentityContext, error)
type ResourceServer ¶
type ResourceServer struct {
// contains filtered or unexported fields
}
ResourceServer authorizes access requests issued by an external Authorization Server.
func NewOAuth2ResourceServer ¶
func NewOAuth2ResourceServer(ctx context.Context, cfg authConfig.ExternalAuthorizationServer, fallbackBaseURL config.URL) (ResourceServer, error)
NewOAuth2ResourceServer initializes a new OAuth2ResourceServer.
func (ResourceServer) ValidateAccessToken ¶
func (r ResourceServer) ValidateAccessToken(ctx context.Context, expectedAudience, tokenStr string) (interfaces.IdentityContext, error)
type StatelessCodeProvider ¶
type StatelessCodeProvider struct {
	oauth22.CoreStrategy
	// contains filtered or unexported fields
}
StatelessCodeProvider offers a strategy that encodes authorization codes and refresh tokens into JWTs so that these tokens do not need to be stored on the server side. These tokens are usually short-lived, so storing them in a persistent store (e.g. a DB) is not desired. A more suitable store would be an in-memory, read-efficient store (e.g. Redis); however, that would add additional setup requirements for nebulaAdmin, which is why this strategy was chosen.
func NewStatelessCodeProvider ¶
func NewStatelessCodeProvider(cfg config.AuthorizationServer, blockKey [auth.SymmetricKeyLength]byte, strategy oauth22.CoreStrategy) StatelessCodeProvider
func (StatelessCodeProvider) AuthorizeCodeSignature ¶
func (p StatelessCodeProvider) AuthorizeCodeSignature(token string) string
func (StatelessCodeProvider) Decrypt ¶
func (p StatelessCodeProvider) Decrypt(encrypted string) (string, error)
func (StatelessCodeProvider) Encrypt ¶
func (p StatelessCodeProvider) Encrypt(raw string) (string, error)
func (StatelessCodeProvider) GenerateAccessToken ¶
func (StatelessCodeProvider) GenerateAuthorizeCode ¶
func (StatelessCodeProvider) GenerateRefreshToken ¶
func (StatelessCodeProvider) RefreshTokenSignature ¶
func (p StatelessCodeProvider) RefreshTokenSignature(token string) string
func (StatelessCodeProvider) ValidateAuthorizeCode ¶
func (StatelessCodeProvider) ValidateRefreshToken ¶
type StatelessTokenStore ¶
type StatelessTokenStore struct {
	*storage.MemoryStore
	jwt.JWTStrategy
	// contains filtered or unexported fields
}
StatelessTokenStore provides a shim on top of the MemoryStore that avoids storing tokens in memory (or elsewhere); instead it hydrates fosite.Request and sessions from the tokens themselves.
func (StatelessTokenStore) DeleteRefreshTokenSession ¶
func (s StatelessTokenStore) DeleteRefreshTokenSession(_ context.Context, _ string) (err error)
func (StatelessTokenStore) GetAuthorizeCodeSession ¶
func (StatelessTokenStore) GetPKCERequestSession ¶
func (StatelessTokenStore) GetRefreshTokenSession ¶
func (StatelessTokenStore) InvalidateAuthorizeCodeSession ¶
func (s StatelessTokenStore) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error)