oidcserver

package
v0.0.0-...-c9bb2cb
Published: Oct 5, 2021 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Package oidcserver implements an OpenID Connect server with federated logins.

You can use the "packr clean" command to clean up this, and any other packr generated files.

Index

Constants

const LocalConnector = "local"

LocalConnector is the local passwordDB connector which is an internal connector maintained by the server.

Variables

This section is empty.

Functions

This section is empty.

Types

type Authenticator

type Authenticator interface {
	// Authenticate associates the user's identity with the given authID, then
	// returns the final redirect URL.
	Authenticate(ctx context.Context, authID string, ident Identity) (returnURL string, err error)

	// LoginRequest loads the login request information for a given authID.
	LoginRequest(ctx context.Context, authID string) (LoginRequest, error)
}

Authenticator is capable of associating the user's identity with a given authID, then returning the final redirect URL. This is the primary way a Connector calls back to Server to finalize the flow.

type Client

type Client struct {
	// Client ID and secret used to identify the client.
	ID     string `json:"id" yaml:"id"`
	Secret string `json:"secret" yaml:"secret"`

	// A registered set of redirect URIs. When redirecting from dex to the client, the URI
	// requested to redirect to MUST match one of these values, unless the client is "public".
	RedirectURIs []string `json:"redirectURIs" yaml:"redirectURIs"`

	// TrustedPeers are a list of peers which can issue tokens on this client's behalf using
	// the dynamic "oauth2:server:client_id:(client_id)" scope. If a peer makes such a request,
	// this client's ID will appear as the ID Token's audience.
	//
	// Clients inherently trust themselves.
	TrustedPeers []string `json:"trustedPeers" yaml:"trustedPeers"`

	// Public clients must use either a redirect URL of the form 127.0.0.1:X or "urn:ietf:wg:oauth:2.0:oob".
	Public bool `json:"public" yaml:"public"`

	// Name and LogoURL used when displaying this client to the end user.
	Name    string `json:"name" yaml:"name"`
	LogoURL string `json:"logoURL" yaml:"logoURL"`
}

Client represents an OAuth2 client.

For further reading see:

type ClientSource

type ClientSource interface {
	// GetClient returns information about the given client ID. It will be
	// called for each lookup. If the client is not found but no other error
	// occurred, an ErrNoSuchClient should be returned.
	GetClient(id string) (*Client, error)
}

ClientSource can be queried to get information about an oauth2 client.
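The two contracts above, the exact-match redirect rule from the Client docs and the ErrNoSuchClient marker error from ClientSource, as an added example that is not the package's own code. Because the module path is elided on this page, the Client struct, ErrNoSuchClient interface and a map-backed source are redeclared locally as stand-ins; the loopback check for public clients is my reading of the documented "127.0.0.1:X or urn:ietf:wg:oauth:2.0:oob" rule, and the client entries are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Client mirrors the fields of the page's Client struct that matter for redirect
// validation. Local stand-in: the module path is not shown on the page.
type Client struct {
	ID           string
	RedirectURIs []string
	Public       bool
}

// ErrNoSuchClient mirrors the page's marker interface.
type ErrNoSuchClient interface{ NoSuchClient() }

// noSuchClient is the concrete error a ClientSource returns for an unknown ID.
type noSuchClient struct{ id string }

func (e noSuchClient) Error() string { return fmt.Sprintf("no such client %q", e.id) }
func (noSuchClient) NoSuchClient()    {}

// StaticSource is a map-backed ClientSource in the spirit of StaticClientSource.
type StaticSource map[string]*Client

// GetClient returns the client, or an error satisfying ErrNoSuchClient.
func (s StaticSource) GetClient(id string) (*Client, error) {
	c, ok := s[id]
	if !ok {
		return nil, noSuchClient{id: id}
	}
	return c, nil
}

// IsNoSuchClient reports whether err, or any error it wraps, carries the marker method.
func IsNoSuchClient(err error) bool {
	var target ErrNoSuchClient
	return errors.As(err, &target)
}

const oobRedirect = "urn:ietf:wg:oauth:2.0:oob"

// ValidateRedirectURI applies the rule stated in the Client docs: the requested
// redirect must exactly equal a registered one; only a public client may instead
// use a loopback redirect on 127.0.0.1 (any port) or the OOB URN.
func ValidateRedirectURI(c *Client, redirect string) error {
	for _, registered := range c.RedirectURIs {
		if registered == redirect { // whole-string equality, no prefix or wildcard matching
			return nil
		}
	}
	if !c.Public {
		return fmt.Errorf("redirect %q is not registered for client %q", redirect, c.ID)
	}
	if redirect == oobRedirect {
		return nil
	}
	u, err := url.Parse(redirect)
	if err != nil {
		return fmt.Errorf("redirect %q is not a valid URL: %w", redirect, err)
	}
	// Compare the parsed hostname rather than a string prefix, so a lookalike such as
	// "127.0.0.1.evil.example" does not pass.
	if u.Scheme == "http" && u.Hostname() == "127.0.0.1" {
		return nil
	}
	return fmt.Errorf("redirect %q is not allowed for public client %q", redirect, c.ID)
}

// SampleClients is a constructed client set used by main and the tests.
func SampleClients() StaticSource {
	return StaticSource{
		"web-app": {ID: "web-app", RedirectURIs: []string{"https://app.example/callback"}},
		"cli":     {ID: "cli", Public: true},
	}
}

func main() {
	src := SampleClients()
	web, _ := src.GetClient("web-app")
	for _, uri := range []string{"https://app.example/callback", "https://app.example/callback/../admin"} {
		fmt.Printf("web-app %s: %v\n", uri, ValidateRedirectURI(web, uri))
	}
	cli, _ := src.GetClient("cli")
	for _, uri := range []string{"http://127.0.0.1:51234/cb", "http://localhost:51234/cb", oobRedirect} {
		fmt.Printf("cli %s: %v\n", uri, ValidateRedirectURI(cli, uri))
	}
	_, err := src.GetClient("ghost")
	fmt.Println("ghost is ErrNoSuchClient:", IsNoSuchClient(err))
}
```

The marker-interface pattern lets callers distinguish "no such client" from a backend failure without comparing error strings; `errors.As` with an interface target also sees through wrapping. Note that the documented rule names `127.0.0.1` specifically, so `localhost` is rejected here.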

type Connector

type Connector interface {
	// Initialize is called by Server before the connector's first authentication
	// flow. It passes an Authenticator which the connector can use to assign
	// an identity to the authorization flow and determine the final URL to
	// send the user to.
	Initialize(auth Authenticator)

	// LoginPage is called at the start of an authentication flow. This method
	// can render/return whatever it wants and run the user through any
	// arbitrary intermediate pages. The only requirement is that it threads the
	// AuthID through these, and at the end of the connector flow it needs to
	// pass this to the Authenticator's Authenticate method, and redirect the
	// user to the resulting URL.
	LoginPage(w http.ResponseWriter, r *http.Request, lr LoginRequest)
}

Connector is used to actually manage the end user authentication.

type ErrNoSuchClient

type ErrNoSuchClient interface {
	NoSuchClient()
}

ErrNoSuchClient indicates that the requested client does not exist.

type Identity

type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool

	Groups []string

	// ACR should contain the value of the Authentication Context Class this
	// request was serviced with. OPTIONAL.
	ACR *string
	// AMR holds the identifiers for the authentication methods used in the
	// authentication. OPTIONAL.
	AMR []string

	// ConnectorData holds data used by the connector for subsequent requests after initial
	// authentication, such as access tokens for upstream providers.
	//
	// This data is never shared with end users, OAuth clients, or through the API.
	ConnectorData []byte
}

Identity represents the ID Token claims supported by the server.

type LoginRequest

type LoginRequest struct {
	// AuthID is the unique identifier for this access request. It is assigned
	// at login request, and is needed to finalize the flow.
	AuthID string
	// Scopes are the OAuth2 scopes for OIDC requests.
	Scopes Scopes

	// ACRValues indicate the requested Authentication Context Classes. This is
	// an _optional_ field; connectors can choose to ignore it. They are
	// specified in preference order. If the connector can handle this, it
	// should indicate the value used in the ACR field of the returned identity.
	ACRValues []string
}

LoginRequest encapsulates the information passed in for this SSO request.
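The Connector, Authenticator and LoginRequest contracts described above, as an added example that is not the package's own code. The types are redeclared locally as stand-ins because the module path is elided on this page; `fakeServer` is my substitute for the Server side of the Authenticator, `FormConnector` and its `HandleSubmit` page are invented for the example, and the return URL and authID values are constructed. The point it shows is the AuthID being threaded through the connector's intermediate page and checked again, with the server accepting each authID only once.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Local stand-ins for the page's types (the module path is not shown on the page).
type Identity struct {
	UserID   string
	Username string
}

type LoginRequest struct{ AuthID string }

type Authenticator interface {
	Authenticate(ctx context.Context, authID string, ident Identity) (string, error)
	LoginRequest(ctx context.Context, authID string) (LoginRequest, error)
}

// fakeServer plays the Server's side: it knows only the authIDs it issued and accepts each once (no locking; single-goroutine demo).
type fakeServer struct {
	pending map[string]LoginRequest
	Done    map[string]Identity
}

func newFakeServer() *fakeServer {
	return &fakeServer{pending: map[string]LoginRequest{}, Done: map[string]Identity{}}
}

func (f *fakeServer) LoginRequest(_ context.Context, authID string) (LoginRequest, error) {
	lr, ok := f.pending[authID]
	if !ok {
		return LoginRequest{}, errors.New("unknown or expired authID")
	}
	return lr, nil
}

func (f *fakeServer) Authenticate(_ context.Context, authID string, ident Identity) (string, error) {
	if _, ok := f.pending[authID]; !ok {
		return "", errors.New("unknown or expired authID")
	}
	delete(f.pending, authID) // single use: a replayed authID cannot finalize a second flow
	f.Done[authID] = ident
	return "https://client.example/callback?code=" + authID, nil // constructed return URL
}

// FormConnector is a minimal Connector: LoginPage renders a form that carries the AuthID
// in a hidden field, and HandleSubmit (the connector's own page) finishes the flow.
type FormConnector struct{ auth Authenticator }

func (c *FormConnector) Initialize(auth Authenticator) { c.auth = auth }

func (c *FormConnector) LoginPage(w http.ResponseWriter, r *http.Request, lr LoginRequest) {
	fmt.Fprintf(w, `<form method="post" action="/login/submit">`+
		`<input type="hidden" name="auth_id" value="%s">`+
		`<input name="username"><button>Sign in</button></form>`, html.EscapeString(lr.AuthID))
}

// HandleSubmit re-validates the AuthID with the server before trusting anything else in the form.
func (c *FormConnector) HandleSubmit(w http.ResponseWriter, r *http.Request) {
	authID := r.FormValue("auth_id")
	if _, err := c.auth.LoginRequest(r.Context(), authID); err != nil {
		http.Error(w, "invalid or expired login request", http.StatusBadRequest)
		return
	}
	user := r.FormValue("username") // a real connector verifies credentials here; omitted in this demo
	ident := Identity{UserID: "local:" + user, Username: user}
	returnURL, err := c.auth.Authenticate(r.Context(), authID, ident)
	if err != nil {
		http.Error(w, "could not finalize login", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, returnURL, http.StatusSeeOther)
}

// Submit posts the login form to the connector and returns the status code and Location header.
func Submit(c *FormConnector, authID, username string) (int, string) {
	form := url.Values{"auth_id": {authID}, "username": {username}}
	req := httptest.NewRequest(http.MethodPost, "/login/submit", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	c.HandleSubmit(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	srv := newFakeServer()
	conn := &FormConnector{}
	conn.Initialize(srv)
	srv.pending["auth-123"] = LoginRequest{AuthID: "auth-123"} // the server hands the connector an authID
	fmt.Println(Submit(conn, "auth-123", "alice"))   // 303 https://client.example/callback?code=auth-123
	fmt.Println(Submit(conn, "auth-123", "mallory")) // 400: replay of a consumed authID
}
```

Two details matter for a real connector: the AuthID must be escaped when it is embedded in HTML, and the connector should ask the Authenticator for the LoginRequest again on the way back rather than trust the form, so that an authID the server never issued, or one that has expired, is rejected before any identity is attached to it.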

type RefreshConnector

type RefreshConnector interface {
	// Refresh is called when a client attempts to claim a refresh token. The
	// connector should attempt to update the identity object to reflect any
	// changes since the token was last refreshed.
	Refresh(ctx context.Context, s Scopes, identity Identity) (Identity, error)
}

RefreshConnector is a connector that can update the client claims.

type Scopes

type Scopes struct {
	// The client has requested a refresh token from the server.
	OfflineAccess bool

	// The client has requested group information about the end user.
	Groups bool
}

Scopes represents additional data requested by the clients about the end user.
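A RefreshConnector that honours the Scopes and ConnectorData contracts above, as an added example that is not the package's own code. Identity and Scopes are redeclared locally because the module path is elided on this page; the upstream account store, the `connectorData` JSON layout and the token values are constructed for the example. It shows the two things a refresh is for: picking up group changes since the last token, and refusing to renew when the upstream account has been disabled.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

// Stand-ins for the page's Identity and Scopes (the module path is not shown on the page).
type Identity struct {
	UserID        string
	Username      string
	Groups        []string
	ConnectorData []byte
}

type Scopes struct {
	OfflineAccess bool
	Groups        bool
}

// connectorData is what this connector stores in Identity.ConnectorData: an opaque
// handle for re-querying the upstream. Per the docs it is never exposed to clients.
type connectorData struct {
	UpstreamToken string `json:"upstream_token"`
}

// upstreamAccount is the constructed state of a user at the upstream provider.
type upstreamAccount struct {
	Groups   []string
	Disabled bool
}

// RefreshingConnector implements the RefreshConnector contract against an in-memory
// upstream keyed by the token kept in ConnectorData.
type RefreshingConnector struct {
	upstream map[string]*upstreamAccount // upstream token -> account
}

// Refresh re-reads the upstream so the renewed token reflects group changes, and fails
// when the upstream account was disabled, which is how revocation reaches the client.
func (c *RefreshingConnector) Refresh(_ context.Context, s Scopes, ident Identity) (Identity, error) {
	var data connectorData
	if err := json.Unmarshal(ident.ConnectorData, &data); err != nil {
		return Identity{}, fmt.Errorf("connector data unreadable: %w", err)
	}
	acct, ok := c.upstream[data.UpstreamToken]
	if !ok || acct.Disabled {
		return Identity{}, errors.New("upstream account no longer valid; refusing to refresh")
	}
	// Only re-populate claims the client asked for: without the groups scope the
	// refreshed identity carries no groups, even if the stored one did.
	ident.Groups = nil
	if s.Groups {
		ident.Groups = append([]string(nil), acct.Groups...)
	}
	return ident, nil
}

// Sample returns the constructed upstream and an identity as issued at first login.
func Sample() (*RefreshingConnector, Identity) {
	c := &RefreshingConnector{upstream: map[string]*upstreamAccount{
		"tok-alice": {Groups: []string{"dev"}},
	}}
	data, _ := json.Marshal(connectorData{UpstreamToken: "tok-alice"})
	return c, Identity{UserID: "alice", Username: "alice", Groups: []string{"dev"}, ConnectorData: data}
}

func main() {
	ctx := context.Background()
	c, ident := Sample()
	c.upstream["tok-alice"].Groups = []string{"dev", "admin"} // group change upstream after login
	fresh, err := c.Refresh(ctx, Scopes{OfflineAccess: true, Groups: true}, ident)
	fmt.Println(fresh.Groups, err) // [dev admin] <nil>
	c.upstream["tok-alice"].Disabled = true
	_, err = c.Refresh(ctx, Scopes{OfflineAccess: true, Groups: true}, ident)
	fmt.Println(err) // upstream account no longer valid; refusing to refresh
}
```

Returning an error from Refresh is the lever a connector has for revocation: the refresh token is only as long-lived as the upstream account behind it, and each refresh is the point where that is re-checked.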

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the top level object.

func New

func New(issuer string, storage storage.Storage, signer Signer, connectors map[string]Connector, clients ClientSource, opts ...ServerOption) (*Server, error)

func (*Server) ServeHTTP

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)

type ServerOption

type ServerOption func(s *Server) error

ServerOption defines optional configuration items for the OIDC server.

func WithAllowedOrigins

func WithAllowedOrigins(origins []string) ServerOption

WithAllowedOrigins sets the list of allowed origins for CORS requests on the discovery, token and keys endpoints. If none are indicated, CORS requests are disabled. Passing in "*" will allow any domain.

func WithAuthRequestValidity

func WithAuthRequestValidity(validFor time.Duration) ServerOption

WithAuthRequestValidity sets how long an authorization flow is considered valid.

func WithIDTokenValidity

func WithIDTokenValidity(validFor time.Duration) ServerOption

WithIDTokenValidity sets how long issued ID tokens are valid.

func WithLogger

func WithLogger(logger logrus.FieldLogger) ServerOption

WithLogger sets a logger on the server; otherwise nothing is logged.

func WithPrometheusRegistry

func WithPrometheusRegistry(registry *prometheus.Registry) ServerOption

func WithSkipApprovalScreen

func WithSkipApprovalScreen(skip bool) ServerOption

WithSkipApprovalScreen sets whether the approval screen is skipped, on a global level.

func WithSupportedResponseTypes

func WithSupportedResponseTypes(responseTypes []string) ServerOption

WithSupportedResponseTypes sets the supported response types. Valid values are "code" to enable the code flow and "token" to enable the implicit flow. If no response types are supplied, this defaults to "code".

type Signer

type Signer interface {
	// PublicKeys returns a keyset of all signer public keys currently considered
	// valid for verifying signed tokens.
	PublicKeys(ctx context.Context) (*jose.JSONWebKeySet, error)
	// SignerAlg returns the algorithm the signer uses.
	SignerAlg(ctx context.Context) (jose.SignatureAlgorithm, error)
	// Sign signs the provided data.
	Sign(ctx context.Context, data []byte) (signed []byte, err error)
	// VerifySignature verifies the signature of the given token against the current signers.
	VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
}

Signer is used for signing the identity tokens.
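An ES256 implementation of the four-method Signer contract above, as an added example that is not the package's own code. It uses only the standard library, so `SignatureAlgorithm` and a kid-keyed `JSONWebKeySet` map are local stand-ins for the jose types named on the page, and the kid values and claims are constructed. It demonstrates what "against the current signers" should mean in practice: the signing key can be rotated while older keys stay verifiable, and the algorithm is fixed by the verifier rather than read from the token header.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Stand-ins for the jose types in the page's Signer interface; a kid-keyed map replaces jose.JSONWebKeySet.
type SignatureAlgorithm string
type JSONWebKeySet map[string]*ecdsa.PublicKey
var b64 = base64.RawURLEncoding

// ES256Signer signs with the current key and verifies against every key still in the set,
// so tokens issued before a rotation keep verifying until the old key is removed.
type ES256Signer struct {
	current string
	keys    map[string]*ecdsa.PrivateKey // kid -> private key
}

func NewES256Signer() (*ES256Signer, error) {
	s := &ES256Signer{keys: map[string]*ecdsa.PrivateKey{}}
	return s, s.Rotate("k1")
}

// Rotate generates a fresh P-256 key under kid and makes it the signing key.
func (s *ES256Signer) Rotate(kid string) error {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	s.keys[kid], s.current = k, kid
	return nil
}

func (s *ES256Signer) PublicKeys(context.Context) (JSONWebKeySet, error) {
	set := JSONWebKeySet{}
	for kid, k := range s.keys {
		set[kid] = &k.PublicKey
	}
	return set, nil
}

func (s *ES256Signer) SignerAlg(context.Context) (SignatureAlgorithm, error) { return "ES256", nil }

// Sign produces a compact JWS: base64url(header).base64url(data).base64url(R||S).
func (s *ES256Signer) Sign(_ context.Context, data []byte) ([]byte, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": s.current})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(data)
	h := sha256.Sum256([]byte(input))
	r, sv, err := ecdsa.Sign(rand.Reader, s.keys[s.current], h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R || S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return []byte(input + "." + b64.EncodeToString(sig)), nil
}

// VerifySignature pins the algorithm before consulting any key, so a token header cannot
// downgrade verification to "none" or switch it to another scheme.
func (s *ES256Signer) VerifySignature(_ context.Context, jwt string) ([]byte, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	key, ok := s.keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok {
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, sv := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(&key.PublicKey, h[:], r, sv) {
		return nil, errors.New("invalid signature")
	}
	return b64.DecodeString(parts[1])
}

func main() {
	s, _ := NewES256Signer()
	tok, _ := s.Sign(context.Background(), []byte(`{"sub":"alice"}`)) // constructed claims
	fmt.Println(s.VerifySignature(context.Background(), string(tok)))
}
```

The verifier never reads the algorithm from the token to decide how to verify; it checks that the header claims the one algorithm this signer produces and otherwise rejects, and it looks keys up by kid only within the set it manages. Everything PublicKeys returns is also what a relying party would fetch from the keys endpoint, which is why retired keys must eventually be dropped from the set as well as from signing.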

type StaticClientSource

type StaticClientSource map[string]*Client

StaticClientSource is a ClientSource backed by a static map of clients.

func NewStaticClientSource

func NewStaticClientSource(clients []*Client) StaticClientSource

NewStaticClientSource creates a StaticClientSource from a list of clients.

func (StaticClientSource) GetClient

func (s StaticClientSource) GetClient(id string) (*Client, error)

Directories

Path Synopsis
Package internal is a generated protocol buffer package.
You can use the "packr2 clean" command to clean up this, and any other packr generated files.
