Documentation
Index
- func GetAuthzEscaped(ctx *gin.Context) (authzEscaped string)
- func GetJWKSFromIssUrl(issuer string) (*jwk.Set, error)
- func GetJWKSURLFromIssuerURL(issuerUrl string) (string, error)
- func GetNSIssuerURL(prefix string) (string, error)
- func LookupIssuerJwksUrl(ctx context.Context, issuerUrlStr string) (jwksUrl *url.URL, err error)
- func Verify(ctx *gin.Context, authOption AuthOption) (status int, verified bool, err error)
- type AuthCheckImpl
- type AuthChecker
- type AuthOption
- type TokenConfig
- func (config *TokenConfig) AddAudienceAny()
- func (config *TokenConfig) AddAudiences(audiences ...string)
- func (config *TokenConfig) AddGroups(groups ...string)
- func (config *TokenConfig) AddRawScope(scope string)
- func (config *TokenConfig) AddResourceScopes(scopes ...token_scopes.ResourceScope)
- func (config *TokenConfig) AddScopes(scopes ...token_scopes.TokenScope)
- func (tokenConfig *TokenConfig) CreateToken() (string, error)
- func (tokenConfig *TokenConfig) CreateTokenWithKey(key jwk.Key) (string, error)
- func (config *TokenConfig) GetAudiences() []string
- func (config *TokenConfig) GetGroups() []string
- func (config *TokenConfig) GetScope() string
- func (config *TokenConfig) GetVersion() string
- func (config *TokenConfig) SetVersion(ver string) error
- func (config *TokenConfig) Validate() (bool, error)
- type TokenIssuer
- type TokenProfile
- type TokenSource
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetAuthzEscaped
Given a request, try to get a token from its "authz" query parameter or its "Authorization" header.
func GetJWKSURLFromIssuerURL
Given an issuer URL, look up the JWKS URL from the issuer's openid-configuration document. For example, if the issuer URL is https://registry.com:8446/api/v1.0/registry/test-namespace, this function returns the JWKS URL indicated by the openid-configuration JSON hosted at https://registry.com:8446/api/v1.0/registry/test-namespace/.well-known/openid-configuration.
func GetNSIssuerURL
For a given namespace prefix, get the prefix's issuer URL, that is, the OpenID endpoint used to look up the location of its keys. Note that this is NOT the same as the issuer's key; to find that, follow OpenID-style discovery using the issuer URL as the base.
func LookupIssuerJwksUrl
Given an issuer URL, look up the corresponding JWKS URL using OAuth2 metadata discovery.
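The discovery step that GetJWKSURLFromIssuerURL and LookupIssuerJwksUrl describe, as an added stand-alone illustration. This is not the Pelican package's code: it uses only the Go standard library, and the namespace path, the /keys path and the fake TLS issuer server are constructed for the example. The program derives <issuer>/.well-known/openid-configuration from the issuer URL, fetches the document, and returns its jwks_uri, refusing a document whose issuer field does not match the issuer asked about, or whose jwks_uri is not an absolute https URL, so a mis-served document cannot redirect key lookup elsewhere:

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// openidConfig carries the two discovery fields this example needs.
// (Illustrative type, not one from the Pelican package.)
type openidConfig struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

// discoveryURL derives <issuer>/.well-known/openid-configuration, the document
// GetJWKSURLFromIssuerURL reads. Only absolute http(s) issuer URLs are accepted.
func discoveryURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return "", fmt.Errorf("issuer %q is not an absolute http(s) URL", issuer)
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/.well-known/openid-configuration"
	u.RawQuery, u.Fragment = "", ""
	return u.String(), nil
}

// lookupJwksURL fetches the discovery document and returns its jwks_uri.
// The document's "issuer" must equal the issuer we asked about, so a document
// served from the wrong place cannot point us at foreign keys.
func lookupJwksURL(ctx context.Context, client *http.Client, issuer string) (*url.URL, error) {
	du, err := discoveryURL(issuer)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, du, nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: HTTP %d", du, resp.StatusCode)
	}
	// Cap the body so a misbehaving server cannot exhaust memory.
	var cfg openidConfig
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decoding %s: %w", du, err)
	}
	if strings.TrimSuffix(cfg.Issuer, "/") != strings.TrimSuffix(issuer, "/") {
		return nil, fmt.Errorf("discovery document claims issuer %q, expected %q", cfg.Issuer, issuer)
	}
	jwks, err := url.Parse(cfg.JwksURI)
	if err != nil || jwks.Scheme != "https" || jwks.Host == "" {
		return nil, errors.New("jwks_uri is missing or not an absolute https URL")
	}
	return jwks, nil
}

// newFakeIssuer starts a TLS test server (constructed for this example) that
// hosts a discovery document for one namespace issuer and returns its URL.
func newFakeIssuer() (*httptest.Server, string) {
	var issuer string
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1.0/registry/test-namespace/.well-known/openid-configuration",
		func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/json")
			_ = json.NewEncoder(w).Encode(openidConfig{Issuer: issuer, JwksURI: issuer + "/keys"})
		})
	srv := httptest.NewTLSServer(mux)
	issuer = srv.URL + "/api/v1.0/registry/test-namespace"
	return srv, issuer
}

func main() {
	srv, issuer := newFakeIssuer()
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	jwks, err := lookupJwksURL(ctx, srv.Client(), issuer)
	if err != nil {
		fmt.Println("lookup failed:", err)
		return
	}
	fmt.Println("JWKS URL:", jwks)
	// A prefix the issuer does not serve fails closed instead of guessing a key location.
	_, err = lookupJwksURL(ctx, srv.Client(), issuer+"/other")
	fmt.Println("unknown prefix:", err)
}
```

Applied to the page's own example issuer, discoveryURL yields exactly the openid-configuration URL quoted above; the issuer-equality check is the part most implementations forget, and it is what ties the jwks_uri back to the namespace that was asked about.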
func Verify
Verify checks token authentication: it obtains a token from authOption.Sources, taking the first source that yields one, and checks that token against the list of authOption.Issuers with authOption.Scopes. It returns true and sets the "User" context value to the issuer if any of the issuer checks succeeds.
The scope check passes if your token has ANY of the scopes in authOption.Scopes.
Types
type AuthCheckImpl
type AuthCheckImpl struct{}
type AuthChecker
type AuthChecker interface {
// contains filtered or unexported methods
}
type AuthOption
type AuthOption struct {
    Sources   []TokenSource
    Issuers   []TokenIssuer
    Scopes    []token_scopes.TokenScope
    AllScopes bool
}
type TokenConfig
type TokenConfig struct {
    Lifetime time.Duration     // Lifetime is used to set 'exp' claim from now
    Issuer   string            // Issuer is 'iss' claim
    Subject  string            // Subject is 'sub' claim
    Claims   map[string]string // Additional claims
    // contains filtered or unexported fields
}
func NewScitoken
func NewScitoken() (tc TokenConfig)
func NewTokenConfig
func NewTokenConfig(tokenProfile TokenProfile) (tc TokenConfig, err error)
func NewWLCGToken
func NewWLCGToken() (tc TokenConfig)
func (*TokenConfig) AddAudienceAny
func (config *TokenConfig) AddAudienceAny()
AddAudienceAny adds the "any" audience to the config, spelled according to the token profile.
For the WLCG profile it is "https://wlcg.cern.ch/jwt/v1/any". For the SciTokens profile it is "ANY".
func (*TokenConfig) AddAudiences
func (config *TokenConfig) AddAudiences(audiences ...string)
func (*TokenConfig) AddGroups
func (config *TokenConfig) AddGroups(groups ...string)
func (*TokenConfig) AddRawScope
func (config *TokenConfig) AddRawScope(scope string)
AddRawScope appends a space-delimited, case-sensitive scope string to the Scope field.
Examples of valid scopes:
- "storage:read"
- "storage:read storage:write"
func (*TokenConfig) AddResourceScopes
func (config *TokenConfig) AddResourceScopes(scopes ...token_scopes.ResourceScope)
AddResourceScopes appends multiple token_scopes.ResourceScope values to the Scope field.
func (*TokenConfig) AddScopes
func (config *TokenConfig) AddScopes(scopes ...token_scopes.TokenScope)
AddScopes appends multiple token_scopes.TokenScope values to the Scope field.
func (*TokenConfig) CreateToken
func (tokenConfig *TokenConfig) CreateToken() (string, error)
CreateToken validates the TokenConfig and, if it is valid, creates and signs a JWT based on it.
func (*TokenConfig) CreateTokenWithKey
func (tokenConfig *TokenConfig) CreateTokenWithKey(key jwk.Key) (string, error)
Variant of CreateToken that signs with a jwk.Key provided by the caller.
func (*TokenConfig) GetAudiences
func (config *TokenConfig) GetAudiences() []string
func (*TokenConfig) GetGroups
func (config *TokenConfig) GetGroups() []string
func (*TokenConfig) GetScope
func (config *TokenConfig) GetScope() string
GetScope returns the scopes held in TokenConfig.scope as a single space-delimited, case-sensitive string.
func (*TokenConfig) GetVersion
func (config *TokenConfig) GetVersion() string
func (*TokenConfig) SetVersion
func (config *TokenConfig) SetVersion(ver string) error
func (*TokenConfig) Validate
func (config *TokenConfig) Validate() (bool, error)
Validate checks a TokenConfig against its profile: that the claims the profile requires are present, and that the provided config values are legal.
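The mint-then-verify path that CreateToken / CreateTokenWithKey and Verify describe, with the "ANY of the scopes" rule applied after signature and expiry checks, as an added example. This is not the Pelican package's code: instead of a jwk.Key it signs ES256 with a crypto/ecdsa key from the standard library, the issuer, subject and scope values are constructed samples, and the allScopes flag models what the AuthOption.AllScopes field name suggests (an assumption; the page documents only the ANY case):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// mintES256 signs claims as a compact JWS with ES256 (P-256 + SHA-256) using only
// the standard library; it stands in for CreateTokenWithKey in this example.
func mintES256(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s, each 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyES256 checks algorithm, signature and expiry; on any failure it returns no claims.
func verifyES256(pub *ecdsa.PublicKey, tok string, now time.Time) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWT")
	}
	hdrRaw, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("bad base64url in header or signature")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm to the key type; the token must not choose it.
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header alg is not ES256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	body, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("malformed claim set")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token is expired or has no exp claim")
	}
	return claims, nil
}

// scopesSatisfied applies the rule documented for Verify: the space-delimited, case-sensitive
// scope claim passes if it carries ANY required scope; allScopes (assumed) demands all of them.
func scopesSatisfied(scopeClaim string, required []string, allScopes bool) bool {
	have := map[string]bool{}
	for _, s := range strings.Fields(scopeClaim) {
		have[s] = true
	}
	matched := 0
	for _, r := range required {
		if have[r] {
			matched++
		}
	}
	if allScopes {
		return len(required) > 0 && matched == len(required)
	}
	return matched > 0
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tok, _ := mintES256(key, map[string]any{"iss": "https://issuer.example/ns", "sub": "alice",
		"aud": "ANY", "exp": now.Add(time.Hour).Unix(), "scope": "storage:read storage:create"})
	claims, err := verifyES256(&key.PublicKey, tok, now)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	need := []string{"storage:read", "storage:modify"}
	fmt.Println("any:", scopesSatisfied(claims["scope"].(string), need, false), "all:", scopesSatisfied(claims["scope"].(string), need, true))
}
```

The order matters: scopes are read only from a claim set whose signature and expiry have already been checked, and the header's alg is pinned to the key type rather than trusted from the token, which is the property a Verify-style check relies on when it walks the list of issuers.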
type TokenIssuer
type TokenIssuer string
const (
    FederationIssuer TokenIssuer = "FederationIssuer"
    LocalIssuer      TokenIssuer = "LocalIssuer"
)
type TokenProfile
type TokenProfile string
const (
    TokenProfileWLCG       TokenProfile = "wlcg"
    TokenProfileScitokens2 TokenProfile = "scitokens2"
    TokenProfileNone       TokenProfile = "none"
)
func (TokenProfile) String
func (p TokenProfile) String() string
type TokenSource
type TokenSource string
const (
    Header TokenSource = "AuthorizationHeader" // "Authorization" header
    Cookie TokenSource = "Cookie"              // "login" cookie
    Authz  TokenSource = "AuthzQueryParameter" // "authz" query parameter
)