Documentation ¶
Overview ¶
Package oidcserver implements an OpenID Connect server with federated logins.
Index ¶
- Constants
- type Authenticator
- type Client
- type ClientSource
- type Connector
- type ErrNoSuchClient
- type Identity
- type LoginRequest
- type RefreshConnector
- type Scopes
- type Server
- type ServerOption
- func WithAllowedOrigins(origins []string) ServerOption
- func WithAuthRequestValidity(validFor time.Duration) ServerOption
- func WithIDTokenValidity(validFor time.Duration) ServerOption
- func WithLogger(logger logrus.FieldLogger) ServerOption
- func WithPrometheusRegistry(registry *prometheus.Registry) ServerOption
- func WithSkipApprovalScreen(skip bool) ServerOption
- func WithSupportedResponseTypes(responseTypes []string) ServerOption
- type Signer
- type StaticClientSource
Constants ¶
const LocalConnector = "local"
LocalConnector is the local passwordDB connector which is an internal connector maintained by the server.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authenticator ¶
type Authenticator interface {
	// Authenticate associates the user's identity with the given authID, then
	// returns the final redirect URL.
	Authenticate(ctx context.Context, authID string, ident Identity) (returnURL string, err error)
	// LoginRequest loads the login request information for a given authID.
	LoginRequest(ctx context.Context, authID string) (LoginRequest, error)
}
Authenticator is capable of associating the user's identity with a given authID, then returning the final redirect URL. This is the primary way a Connector calls back to Server to finalize the flow.
type Client ¶
type Client struct {
	// Client ID and secret used to identify the client.
	ID     string `json:"id" yaml:"id"`
	Secret string `json:"secret" yaml:"secret"`

	// A registered set of redirect URIs. When redirecting from the server to the client, the URI
	// requested to redirect to MUST match one of these values, unless the client is "public".
	RedirectURIs []string `json:"redirectURIs" yaml:"redirectURIs"`

	// TrustedPeers are a list of peers which can issue tokens on this client's behalf using
	// the dynamic "oauth2:server:client_id:(client_id)" scope. If a peer makes such a request,
	// this client's ID will appear as the ID Token's audience.
	//
	// Clients inherently trust themselves.
	TrustedPeers []string `json:"trustedPeers" yaml:"trustedPeers"`

	// Public clients must use either a redirect URI of the form 127.0.0.1:X or "urn:ietf:wg:oauth:2.0:oob".
	Public bool `json:"public" yaml:"public"`

	// Name and LogoURL used when displaying this client to the end user.
	Name    string `json:"name" yaml:"name"`
	LogoURL string `json:"logoURL" yaml:"logoURL"`
}
Client represents an OAuth2 client.
For further reading see:
type ClientSource ¶
type ClientSource interface {
	// GetClient returns information about the given client ID. It will be
	// called for each lookup. If the client is not found but no other error
	// occurred, an ErrNoSuchClient should be returned.
	GetClient(id string) (*Client, error)
}
ClientSource can be queried to get information about an OAuth2 client.
type Connector ¶
type Connector interface {
	// Initialize is called by Server before the connector's first authentication
	// flow. This passes an Authenticator which the connector can use to assign
	// an identity to the authorization flow, and determine the final URL to
	// send the user to.
	Initialize(auth Authenticator)
	// LoginPage is called at the start of an authentication flow. This method
	// can render/return whatever it wants and run the user through any
	// arbitrary intermediate pages. The only requirement is that it threads the
	// AuthID through these, and at the end of the connector flow it needs to
	// pass this to the Authenticator's Authenticate method, and redirect the
	// user to the resulting URL.
	LoginPage(w http.ResponseWriter, r *http.Request, lr LoginRequest)
}
Connector is used to manage the end user authentication.
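The callback described by Authenticator and Connector above, as an added example that is not code from the package: a hypothetical password connector (formConnector) carries the AuthID through a hidden form field, resolves it with Authenticator.LoginRequest before looking at any credential, and on success hands the Identity to Authenticate and redirects to the URL it returns. memAuthenticator, runLogin, the /connector/local/submit path, the user list and the /approval return URL are all constructed for this example; the documented types are copied locally (trimmed to the fields used) because the page does not give the package's import path.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Local copies of the documented types, trimmed to the fields used here, so the
// example compiles without the package (its import path is not on the page).
type Identity struct{ UserID string; AMR []string }
type LoginRequest struct{ AuthID string }
type Authenticator interface {
	Authenticate(ctx context.Context, authID string, ident Identity) (returnURL string, err error)
	LoginRequest(ctx context.Context, authID string) (LoginRequest, error)
}

// formConnector is a hypothetical password connector with the two methods of
// the documented Connector interface. users holds constructed test credentials;
// a real connector would verify a password hash instead.
type formConnector struct {
	auth  Authenticator
	users map[string]string
}

func (c *formConnector) Initialize(auth Authenticator) { c.auth = auth }

// LoginPage threads the AuthID through the flow as a hidden form field. The
// POST path is an assumption; the page does not say how connector routes mount.
func (c *formConnector) LoginPage(w http.ResponseWriter, r *http.Request, lr LoginRequest) {
	fmt.Fprintf(w, `<form method="post" action="/connector/local/submit"><input type="hidden" name="auth_id" value="%s">`+
		`<input name="user"><input name="pass" type="password"><button>Log in</button></form>`, html.EscapeString(lr.AuthID))
}

// HandleSubmit is the form's POST target: the point where the connector calls back.
func (c *formConnector) HandleSubmit(w http.ResponseWriter, r *http.Request) {
	// Resolve the AuthID first: an expired or forged one must fail before any
	// credential is examined and must never reach Authenticate.
	lr, err := c.auth.LoginRequest(r.Context(), r.FormValue("auth_id"))
	if err != nil {
		http.Error(w, "unknown or expired login request", http.StatusBadRequest)
		return
	}
	user, pass := r.FormValue("user"), r.FormValue("pass")
	want, ok := c.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	returnURL, err := c.auth.Authenticate(r.Context(), lr.AuthID, Identity{UserID: user, AMR: []string{"pwd"}})
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	http.Redirect(w, r, returnURL, http.StatusSeeOther)
}

// memAuthenticator is a hypothetical stand-in for the server's Authenticator (not the package's own).
type memAuthenticator struct {
	requests map[string]LoginRequest
	bound    map[string]Identity
}

func (a *memAuthenticator) LoginRequest(_ context.Context, id string) (LoginRequest, error) {
	lr, ok := a.requests[id]
	if !ok {
		return LoginRequest{}, fmt.Errorf("no such auth request %q", id)
	}
	return lr, nil
}

func (a *memAuthenticator) Authenticate(ctx context.Context, id string, ident Identity) (string, error) {
	if _, err := a.LoginRequest(ctx, id); err != nil {
		return "", err
	}
	a.bound[id] = ident
	return "/approval?req=" + url.QueryEscape(id), nil
}

// runLogin posts one login form to a fresh connector and returns status, Location, and the UserID bound to authID.
func runLogin(authID, user, pass string) (int, string, string) {
	a := &memAuthenticator{requests: map[string]LoginRequest{"req-1": {AuthID: "req-1"}}, bound: map[string]Identity{}}
	c := &formConnector{users: map[string]string{"alice": "correct horse battery"}} // constructed test data
	c.Initialize(a)
	form := url.Values{"auth_id": {authID}, "user": {user}, "pass": {pass}}
	req := httptest.NewRequest(http.MethodPost, "/connector/local/submit", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	c.HandleSubmit(rec, req)
	return rec.Code, rec.Header().Get("Location"), a.bound[authID].UserID
}

func main() {
	fmt.Println(runLogin("req-1", "alice", "correct horse battery")) // 303 /approval?req=req-1 alice
}
```

The order of checks is the security-relevant part: an AuthID the server does not recognise is rejected with 400 before the password is examined, a wrong password yields 401 with no identity bound, and only a valid pair reaches Authenticate. The constant-time comparison is there only because the stand-in stores plaintext test credentials; a real connector compares password hashes.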
type ErrNoSuchClient ¶
type ErrNoSuchClient interface {
NoSuchClient()
}
ErrNoSuchClient indicates that the requested client does not exist.
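Implementing ClientSource against the Client, ClientSource and ErrNoSuchClient types above, as an added example that is not the package's own StaticClientSource: a map-backed source whose miss error satisfies ErrNoSuchClient, a helper that detects that error even when wrapped, and RedirectAllowed, which applies the redirect rule stated in the Client comments. mapClientSource, noSuchClient, IsNoSuchClient and RedirectAllowed are hypothetical names, and the documented types are copied locally because the page does not give the import path. Two points go beyond the text and are assumptions: the loopback form is taken to require the http scheme and an explicit port, and matching against registered URIs is exact string equality.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Local copies of the documented Client (trimmed), ClientSource and
// ErrNoSuchClient, so the example compiles without the package itself.
type Client struct {
	ID, Secret   string
	RedirectURIs []string
	Public       bool
}
type ClientSource interface {
	GetClient(id string) (*Client, error)
}
type ErrNoSuchClient interface{ NoSuchClient() }

// noSuchClient is a hypothetical error type that satisfies both error and
// ErrNoSuchClient, which is what the ClientSource contract asks for.
type noSuchClient struct{ id string }

func (e noSuchClient) Error() string { return fmt.Sprintf("no such client %q", e.id) }
func (noSuchClient) NoSuchClient()   {}

// mapClientSource is a hypothetical ClientSource backed by a map; it stands in
// for the package's StaticClientSource, whose code is not on the page.
type mapClientSource map[string]*Client

func (m mapClientSource) GetClient(id string) (*Client, error) {
	if c, ok := m[id]; ok {
		return c, nil
	}
	return nil, noSuchClient{id: id}
}

// IsNoSuchClient distinguishes "client does not exist" (an invalid client_id,
// normally a 4xx) from a failing backend (a 5xx), even when the error is wrapped.
func IsNoSuchClient(err error) bool {
	var nsc ErrNoSuchClient
	return errors.As(err, &nsc)
}

// RedirectAllowed applies the rule stated in the Client docs: the requested
// redirect must equal a registered RedirectURI, except that a public client may
// also use 127.0.0.1:<port> (taken here to mean http with an explicit port, an
// assumption) or the OOB URN. It illustrates the rule; it is not the server's own check.
func RedirectAllowed(c *Client, redirect string) bool {
	for _, registered := range c.RedirectURIs {
		if registered == redirect { // exact match: no prefix, wildcard or path-normalisation logic
			return true
		}
	}
	if !c.Public {
		return false
	}
	if redirect == "urn:ietf:wg:oauth:2.0:oob" {
		return true
	}
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "http" {
		return false
	}
	host, port, err := net.SplitHostPort(u.Host) // fails when no port is present
	return err == nil && host == "127.0.0.1" && port != ""
}

func main() {
	src := mapClientSource{"cli": {ID: "cli", Public: true}} // constructed
	c, _ := src.GetClient("cli")
	fmt.Println(RedirectAllowed(c, "http://127.0.0.1:9000/cb")) // true
}
```

Keeping ErrNoSuchClient distinct from other errors matters because the server has to answer an unknown client_id differently from a storage outage; collapsing both into one generic error turns transient failures into invalid-client responses or vice versa. The exact-match rule is what blocks open-redirect variants such as a registered prefix followed by an attacker-chosen path, and the host comparison after SplitHostPort is what keeps 127.0.0.1.attacker.example from passing as loopback.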
type Identity ¶
type Identity struct {
	UserID        string
	Username      string
	Email         string
	EmailVerified bool
	Groups        []string

	// ACR should contain the value of the Authentication Context Class this
	// request was serviced with. OPTIONAL.
	ACR *string

	// AMR is the identifiers for authentication methods used in the
	// authentication. OPTIONAL.
	AMR []string

	// ConnectorData holds data used by the connector for subsequent requests after initial
	// authentication, such as access tokens for upstream providers.
	//
	// This data is never shared with end users, OAuth clients, or through the API.
	ConnectorData []byte
}
Identity represents the ID Token claims supported by the server.
type LoginRequest ¶
type LoginRequest struct {
	// AuthID is the unique identifier for this access request. It is assigned
	// at login request, and is needed to finalize the flow.
	AuthID string
	// Scopes are the OAuth2 scopes for OIDC requests.
	Scopes Scopes
	// ACRValues indicate the requested Authentication Context Classes. This is
	// an _optional_ field; connectors can choose to ignore it. They are
	// specified in preference order. If the connector can handle this, it
	// should indicate the value used in the ACR field of the returned Identity.
	ACRValues []string
}
LoginRequest encapsulates the information passed in for this SSO request.
type RefreshConnector ¶
type RefreshConnector interface {
	// Refresh is called when a client attempts to claim a refresh token. The
	// connector should attempt to update the identity object to reflect any
	// changes since the token was last refreshed.
	Refresh(ctx context.Context, s Scopes, identity Identity) (Identity, error)
}
RefreshConnector is a connector that can update the client claims.
type Scopes ¶
type Scopes struct {
	// The client has requested a refresh token from the server.
	OfflineAccess bool
	// The client has requested group information about the end user.
	Groups bool
}
Scopes represents additional data requested by the clients about the end user.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is the top level object.
type ServerOption ¶
ServerOption defines optional configuration items for the OIDC server.
func WithAllowedOrigins ¶
func WithAllowedOrigins(origins []string) ServerOption
WithAllowedOrigins sets the list of allowed origins for CORS requests on the discovery, token and keys endpoints. If none are indicated, CORS requests are disabled. Passing in "*" allows any origin; prefer an explicit list, since "*" removes the browser-side origin restriction on those endpoints.
func WithAuthRequestValidity ¶
func WithAuthRequestValidity(validFor time.Duration) ServerOption
WithAuthRequestValidity sets how long an authorization flow is considered valid.
func WithIDTokenValidity ¶
func WithIDTokenValidity(validFor time.Duration) ServerOption
WithIDTokenValidity sets how long issued ID tokens are valid for.
func WithLogger ¶
func WithLogger(logger logrus.FieldLogger) ServerOption
WithLogger sets a logger on the server; otherwise nothing is logged.
func WithPrometheusRegistry ¶
func WithPrometheusRegistry(registry *prometheus.Registry) ServerOption
func WithSkipApprovalScreen ¶
func WithSkipApprovalScreen(skip bool) ServerOption
WithSkipApprovalScreen can be used to set skipping the approval screen on a global level.
func WithSupportedResponseTypes ¶
func WithSupportedResponseTypes(responseTypes []string) ServerOption
WithSupportedResponseTypes sets the supported response types: "code" enables the authorization code flow and "token" enables the implicit flow. If no response types are supplied, this value defaults to "code". Enable "token" only for clients that need it; the implicit flow returns tokens in the redirect URL fragment, where they are exposed to browser history and other scripts on the page.
type Signer ¶
type Signer interface {
	// PublicKeys returns a keyset of all signer public keys considered
	// valid for signed tokens.
	PublicKeys(ctx context.Context) (*jose.JSONWebKeySet, error)
	// SignerAlg returns the algorithm the signer uses.
	SignerAlg(ctx context.Context) (jose.SignatureAlgorithm, error)
	// Sign signs the provided data.
	Sign(ctx context.Context, data []byte) (signed []byte, err error)
	// VerifySignature verifies the signature of the given token against the current signers.
	VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
}
Signer is used for signing the identity tokens.
type StaticClientSource ¶
StaticClientSource is a ClientSource backed by a static map of clients.
func NewStaticClientSource ¶
func NewStaticClientSource(clients []*Client) StaticClientSource
NewStaticClientSource creates a StaticClientSource from a list of clients.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
 | Package internal is a generated protocol buffer package. |
 | You can use the "packr2 clean" command to clean up this, and any other packr generated files. |