authzserver

package
v0.0.0-...-267b159 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 17, 2023 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation

Overview

OAuthServer implementation that serve oauth2 authorize and client_credentials flows.

Index

Constants

View Source
const (
	ClientIDClaim = "client_id"
	UserIDClaim   = "user_info"
	ScopeClaim    = "scp"
	KeyIDClaim    = "key_id"
)

Variables

This section is empty.

Functions

func GetIssuer

func GetIssuer(ctx context.Context, req *http.Request, cfg *config.Config) string

func GetJSONWebKeysEndpoint

func GetJSONWebKeysEndpoint(authCtx interfaces.AuthenticationContext) http.HandlerFunc

GetJSONWebKeysEndpoint serves requests to the jwks endpoint. ref: https://tools.ietf.org/html/rfc7517

func RegisterHandlers

func RegisterHandlers(handler interfaces.HandlerRegisterer, authCtx interfaces.AuthenticationContext)

RegisterHandlers registers http endpoints for handling OAuth2 flow (/authorize,

Types

type Encryptor

type Encryptor interface {
	Encrypt(raw string) (cypher string, err error)
	Decrypt(cypher string) (raw string, err error)
}

type OAuth2MetadataProvider

type OAuth2MetadataProvider struct {
	// contains filtered or unexported fields
}

func NewService

func NewService(config *authConfig.Config) OAuth2MetadataProvider

func (OAuth2MetadataProvider) AuthFuncOverride

func (s OAuth2MetadataProvider) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)

Override auth func to enforce anonymous access on the implemented APIs Ref: https://github.com/grpc-ecosystem/go-grpc-middleware/blob/master/auth/auth.go#L31

func (OAuth2MetadataProvider) GetOAuth2Metadata

type Provider

type Provider struct {
	fosite.OAuth2Provider
	// contains filtered or unexported fields
}

Provider implements OAuth2 Authorization Server.

func NewProvider

NewProvider creates a new OAuth2 Provider that is able to do OAuth 2-legged and 3-legged flows. It'll lookup config.SecretNameClaimSymmetricKey and config.SecretNameTokenSigningRSAKey secrets from the secret manager to use to sign and generate hashes for tokens. The RSA Private key is expected to be in PEM format with the public key embedded. Use auth.GetInitSecretsCommand() to generate new valid secrets that will be accepted by this provider. The config.SecretNameClaimSymmetricKey must be a 32-bytes long key in Base64Encoding.

func (Provider) KeySet

func (p Provider) KeySet() jwk.Set

func (Provider) NewJWTSessionToken

func (p Provider) NewJWTSessionToken(subject, appID, issuer, audience string, userInfoClaims *service.UserInfoResponse) *fositeOAuth2.JWTSession

NewJWTSessionToken is a helper function for creating a new session.

func (Provider) PublicKeys

func (p Provider) PublicKeys() []rsa.PublicKey

func (Provider) ValidateAccessToken

func (p Provider) ValidateAccessToken(ctx context.Context, expectedAudience, tokenStr string) (interfaces.IdentityContext, error)

type ResourceServer

type ResourceServer struct {
	// contains filtered or unexported fields
}

ResourceServer authorizes access requests issued by an external Authorization Server.

func NewOAuth2ResourceServer

func NewOAuth2ResourceServer(ctx context.Context, cfg authConfig.ExternalAuthorizationServer, fallbackBaseURL config.URL) (ResourceServer, error)

NewOAuth2ResourceServer initializes a new OAuth2ResourceServer.

func (ResourceServer) ValidateAccessToken

func (r ResourceServer) ValidateAccessToken(ctx context.Context, expectedAudience, tokenStr string) (interfaces.IdentityContext, error)

type StatelessCodeProvider

type StatelessCodeProvider struct {
	oauth22.CoreStrategy
	// contains filtered or unexported fields
}

StatelessCodeProvider offers a strategy that encodes authorization code and refresh tokens into JWT to avoid requiring storing these tokens on the server side. These tokens are usually short lived so storing them to a persistent store (e.g. DB) is not desired. A more suitable store would be an in-memory read-efficient store (e.g. Redis) however, that would add additional requirements on setting up nebulaAdmin and hence why we are going with this strategy.

func (StatelessCodeProvider) AuthorizeCodeSignature

func (p StatelessCodeProvider) AuthorizeCodeSignature(token string) string

func (StatelessCodeProvider) Decrypt

func (p StatelessCodeProvider) Decrypt(encrypted string) (string, error)

func (StatelessCodeProvider) Encrypt

func (p StatelessCodeProvider) Encrypt(raw string) (string, error)

func (StatelessCodeProvider) GenerateAccessToken

func (p StatelessCodeProvider) GenerateAccessToken(ctx context.Context, requester fosite.Requester) (token string, signature string, err error)

func (StatelessCodeProvider) GenerateAuthorizeCode

func (p StatelessCodeProvider) GenerateAuthorizeCode(ctx context.Context, requester fosite.Requester) (token string, signature string, err error)

func (StatelessCodeProvider) GenerateRefreshToken

func (p StatelessCodeProvider) GenerateRefreshToken(ctx context.Context, requester fosite.Requester) (token string, signature string, err error)

func (StatelessCodeProvider) RefreshTokenSignature

func (p StatelessCodeProvider) RefreshTokenSignature(token string) string

func (StatelessCodeProvider) ValidateAuthorizeCode

func (p StatelessCodeProvider) ValidateAuthorizeCode(ctx context.Context, requester fosite.Requester, token string) (err error)

func (StatelessCodeProvider) ValidateRefreshToken

func (p StatelessCodeProvider) ValidateRefreshToken(ctx context.Context, requester fosite.Requester, token string) (err error)

type StatelessTokenStore

type StatelessTokenStore struct {
	*storage.MemoryStore
	jwt.JWTStrategy
	// contains filtered or unexported fields
}

StatelessTokenStore provides a ship on top of the MemoryStore to avoid storing tokens in memory (or elsewhere) but instead hydrates fosite.Request and sessions from the tokens themselves.

func (StatelessTokenStore) DeleteRefreshTokenSession

func (s StatelessTokenStore) DeleteRefreshTokenSession(_ context.Context, _ string) (err error)

func (StatelessTokenStore) GetAuthorizeCodeSession

func (s StatelessTokenStore) GetAuthorizeCodeSession(ctx context.Context, code string, _ fosite.Session) (fosite.Requester, error)

func (StatelessTokenStore) GetPKCERequestSession

func (s StatelessTokenStore) GetPKCERequestSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error)

func (StatelessTokenStore) GetRefreshTokenSession

func (s StatelessTokenStore) GetRefreshTokenSession(ctx context.Context, signature string, _ fosite.Session) (request fosite.Requester, err error)

func (StatelessTokenStore) InvalidateAuthorizeCodeSession

func (s StatelessTokenStore) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL