Documentation ¶
Index ¶
- Constants
- Variables
- func ContextWithAuthNInfo(ctx context.Context, key jwk.Key, accessToken jwt.Token, raw string) context.Context
- func GetAccessTokenFromContext(ctx context.Context, l *logger.Logger) jwt.Token
- func GetJWKFromContext(ctx context.Context, l *logger.Logger) jwk.Key
- func GetRawAccessTokenFromContext(ctx context.Context, l *logger.Logger) string
- type AuthNConfig
- type Authentication
- type CasbinConfig
- type Config
- type Enforcer
- type OIDCConfiguration
- type PolicyConfig
Constants ¶
const ( ActionRead = "read" ActionWrite = "write" ActionDelete = "delete" ActionUnsafe = "unsafe" ActionOther = "other" )
const (
// DiscoveryPath is the path to the discovery endpoint
DiscoveryPath = "/.well-known/openid-configuration"
)
Variables ¶
var (
ErrPolicyMalformed = errors.New("malformed authz policy")
)
Functions ¶
func ContextWithAuthNInfo ¶ added in v0.4.2
func GetAccessTokenFromContext ¶ added in v0.4.1
Types ¶
type AuthNConfig ¶
type AuthNConfig struct { EnforceDPoP bool `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"` Issuer string `mapstructure:"issuer" json:"issuer"` Audience string `mapstructure:"audience" json:"audience"` Policy PolicyConfig `mapstructure:"policy" json:"policy"` CacheRefresh string `mapstructure:"cache_refresh_interval"` DPoPSkew time.Duration `mapstructure:"dpopskew" default:"1h"` TokenSkew time.Duration `mapstructure:"skew" default:"1m"` PublicClientID string `mapstructure:"public_client_id" json:"public_client_id,omitempty"` }
AuthNConfig is the configuration need for the platform to validate tokens
type Authentication ¶
type Authentication struct {
// contains filtered or unexported fields
}
Authentication holds a jwks cache and information about the openid configuration
func NewAuthenticator ¶
func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error)
Creates new authN which is used to verify tokens for a set of given issuers
func (*Authentication) ExtendAuthzDefaultPolicy ¶ added in v0.4.10
func (a *Authentication) ExtendAuthzDefaultPolicy(policies [][]string) error
func (Authentication) MuxHandler ¶
func (a Authentication) MuxHandler(handler http.Handler) http.Handler
verifyTokenHandler is a http handler that verifies the token
func (Authentication) UnaryServerInterceptor ¶
func (a Authentication) UnaryServerInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error)
UnaryServerInterceptor is a grpc interceptor that verifies the token in the metadata
type CasbinConfig ¶
type CasbinConfig struct {
PolicyConfig
}
type Config ¶
type Config struct { Enabled bool `mapstructure:"enabled" json:"enabled" default:"true" ` PublicRoutes []string `mapstructure:"-"` AuthNConfig `mapstructure:",squash"` }
AuthConfig pulls AuthN and AuthZ together
type Enforcer ¶
type Enforcer struct { *casbin.Enforcer Config CasbinConfig Policy string // contains filtered or unexported fields }
func NewCasbinEnforcer ¶
func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)
newCasbinEnforcer creates a new casbin enforcer
func (*Enforcer) Enforce ¶
casbinEnforce is a helper function to enforce the policy with casbin TODO implement a common type so this can be used for both http and grpc
func (*Enforcer) ExtendDefaultPolicy ¶ added in v0.4.10
Extend the default policy
type OIDCConfiguration ¶
type OIDCConfiguration struct { Issuer string `json:"issuer"` AuthorizationEndpoint string `json:"authorization_endpoint"` TokenEndpoint string `json:"token_endpoint"` JwksURI string `json:"jwks_uri"` ResponseTypesSupported []string `json:"response_types_supported"` SubjectTypesSupported []string `json:"subject_types_supported"` IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"` RequireRequestURIRegistration bool `json:"require_request_uri_registration"` PublicClientID string `json:"public_client_id,omitempty"` }
OIDCConfiguration holds the openid configuration for the issuer. Currently only required fields are included (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
func DiscoverOIDCConfiguration ¶
func DiscoverOIDCConfiguration(ctx context.Context, issuer string, logger *logger.Logger) (*OIDCConfiguration, error)
DiscoverOPENIDConfiguration discovers the openid configuration for the issuer provided