Documentation
Overview ¶
Package identity provides support for making OpenID Connect (OIDC) and OAuth2 authenticated HTTP requests with third party identity providers.
Index ¶
- Constants
- Variables
- type Authenticator
- type AzureProvider
- type GoogleProvider
- type MockProvider
- func (mp MockProvider) Authenticate(ctx context.Context, code string) (*sessions.State, error)
- func (mp MockProvider) GetSignInURL(s string) string
- func (mp MockProvider) Refresh(ctx context.Context, s *sessions.State) (*sessions.State, error)
- func (mp MockProvider) Revoke(ctx context.Context, s *oauth2.Token) error
- type OIDCProvider
- type OktaProvider
- type OneLoginProvider
- type Provider
- func (p *Provider) Authenticate(ctx context.Context, code string) (*sessions.State, error)
- func (p *Provider) GetSignInURL(state string) string
- func (p *Provider) IdentityFromToken(ctx context.Context, t *oauth2.Token) (*oidc.IDToken, error)
- func (p *Provider) Refresh(ctx context.Context, s *sessions.State) (*sessions.State, error)
- func (p *Provider) Revoke(ctx context.Context, token *oauth2.Token) error
Constants ¶
const (
	// AzureProviderName identifies the Azure identity provider
	AzureProviderName = "azure"
	// GitlabProviderName identifies the GitLab identity provider
	GitlabProviderName = "gitlab"
	// GoogleProviderName identifies the Google identity provider
	GoogleProviderName = "google"
	// OIDCProviderName identifies a generic OpenID connect provider
	OIDCProviderName = "oidc"
	// OktaProviderName identifies the Okta identity provider
	OktaProviderName = "okta"
	// OneLoginProviderName identifies the OneLogin identity provider
	OneLoginProviderName = "onelogin"
)
Variables ¶
var ErrMissingProviderURL = errors.New("internal/identity: missing provider url")
ErrMissingProviderURL is returned when an identity provider requires a provider URL but does not receive one.
Functions ¶
This section is empty.
Types ¶
type Authenticator ¶
type Authenticator interface {
	Authenticate(context.Context, string) (*sessions.State, error)
	Refresh(context.Context, *sessions.State) (*sessions.State, error)
	Revoke(context.Context, *oauth2.Token) error
	GetSignInURL(state string) string
}
Authenticator is an interface representing the ability to authenticate with an identity provider.
type AzureProvider ¶
type AzureProvider struct {
	*Provider
	// non-standard oidc fields
	RevokeURL string `json:"end_session_endpoint"`
}
AzureProvider is an implementation of the Provider interface.
func NewAzureProvider ¶
func NewAzureProvider(p *Provider) (*AzureProvider, error)
NewAzureProvider returns a new AzureProvider and sets the provider url endpoints. https://www.pomerium.io/docs/identity-providers.html#azure-active-directory
func (*AzureProvider) GetSignInURL ¶
func (p *AzureProvider) GetSignInURL(state string) string
GetSignInURL returns the sign in url with typical oauth parameters
func (*AzureProvider) Revoke ¶
Revoke revokes the access token of a given session state. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
func (*AzureProvider) UserGroups ¶
UserGroups returns a slice of group names a given user is in. `Directory.Read.All` is required. https://docs.microsoft.com/en-us/graph/api/resources/directoryobject?view=graph-rest-1.0 https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0
type GoogleProvider ¶
type GoogleProvider struct {
	*Provider
	RevokeURL string `json:"revocation_endpoint"`
	// contains filtered or unexported fields
}
GoogleProvider is an implementation of the Provider interface.
func NewGoogleProvider ¶
func NewGoogleProvider(p *Provider) (*GoogleProvider, error)
NewGoogleProvider instantiates an OpenID Connect (OIDC) session with Google.
func (*GoogleProvider) GetSignInURL ¶
func (p *GoogleProvider) GetSignInURL(state string) string
GetSignInURL returns a URL to the OAuth 2.0 provider's consent page that asks for permissions for the required scopes explicitly. Google requires an additional access scope for offline access, which is a requirement for any application that needs to access a Google API when the user is not present. Support for this scope differs between OpenID Connect providers. For instance, Google rejects it, favoring appending "access_type=offline" to the authorization request instead. Google only provides a refresh_token on the first authorization from the user. If the user clears cookies, re-authorization will not bring back the refresh_token. A workaround is to add prompt=consent to the OAuth redirect URL, which will always return a refresh_token. https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
func (*GoogleProvider) Revoke ¶
Revoke revokes the access token of a given session state.
https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke
func (*GoogleProvider) UserGroups ¶
UserGroups returns a slice of group names a given user is in. NOTE: listing groups via the Directory API is limited to 1 QPS! https://developers.google.com/admin-sdk/directory/v1/reference/groups/list https://developers.google.com/admin-sdk/directory/v1/limits
type MockProvider ¶
type MockProvider struct {
	AuthenticateResponse sessions.State
	AuthenticateError    error
	RefreshResponse      sessions.State
	RefreshError         error
	RevokeError          error
	GetSignInURLResponse string
}
MockProvider provides a mocked implementation of the providers interface.
func (MockProvider) Authenticate ¶
Authenticate is a mocked providers function.
func (MockProvider) GetSignInURL ¶
func (mp MockProvider) GetSignInURL(s string) string
GetSignInURL is a mocked providers function.
type OIDCProvider ¶
type OIDCProvider struct {
*Provider
}
OIDCProvider provides a standard, OpenID Connect implementation of an authorization identity provider. https://openid.net/specs/openid-connect-core-1_0.html
func NewOIDCProvider ¶
func NewOIDCProvider(p *Provider) (*OIDCProvider, error)
NewOIDCProvider creates a new instance of a generic OpenID Connect provider.
type OktaProvider ¶
type OktaProvider struct {
	*Provider
	RevokeURL string `json:"revocation_endpoint"`
	// contains filtered or unexported fields
}
OktaProvider represents the Okta Identity Provider
https://www.pomerium.io/docs/identity-providers.html#okta
func NewOktaProvider ¶
func NewOktaProvider(p *Provider) (*OktaProvider, error)
NewOktaProvider creates a new instance of Okta as an identity provider.
func (*OktaProvider) Revoke ¶
Revoke revokes the access token of a given session state. https://developer.okta.com/docs/api/resources/oidc#revoke
func (*OktaProvider) UserGroups ¶ added in v0.5.0
UserGroups fetches the groups of which the user is a member. https://developer.okta.com/docs/reference/api/users/#get-user-s-groups
type OneLoginProvider ¶
type OneLoginProvider struct {
	*Provider
	// non-standard oidc fields
	RevokeURL string `json:"revocation_endpoint"`
}
OneLoginProvider provides a standard, OpenID Connect implementation of an authorization identity provider.
func NewOneLoginProvider ¶
func NewOneLoginProvider(p *Provider) (*OneLoginProvider, error)
NewOneLoginProvider creates a new instance of an OpenID Connect provider.
func (*OneLoginProvider) Revoke ¶
Revoke revokes the access token of a given session state. https://developers.onelogin.com/openid-connect/api/revoke-session
func (*OneLoginProvider) UserGroups ¶
UserGroups returns a slice of group names a given user is in. https://developers.onelogin.com/openid-connect/api/user-info
type Provider ¶
type Provider struct {
	ProviderName string
	RedirectURL  *url.URL
	ClientID     string
	ClientSecret string
	ProviderURL  string
	Scopes       []string
	UserGroupFn  func(context.Context, *sessions.State) ([]string, error)
	// ServiceAccount can be set for those providers that require additional
	// credentials or tokens to do follow up API calls (e.g. Google)
	ServiceAccount string
	// contains filtered or unexported fields
}
Provider contains the fields required for an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server. https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func (*Provider) Authenticate ¶
Authenticate creates an identity session with Google from an authorization code, and follows up with a call to the admin/group API to check which groups the user is in.
func (*Provider) GetSignInURL ¶
GetSignInURL returns a URL to OAuth 2.0 provider's consent page that asks for permissions for the required scopes explicitly.
State is a token that protects the user from CSRF attacks. You must always provide a non-empty string and validate that it matches the state query parameter on your redirect callback. See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
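The authorization request and state check described above for GetSignInURL (including the Google-specific access_type=offline and prompt=consent parameters from the GoogleProvider notes), as an added stand-alone example that is not Pomerium's own code; the authorization endpoint, client_id, redirect URL and scopes are hypothetical inputs.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// NewState returns a fresh, unguessable CSRF state token (32 random bytes, base64url).
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// SignInURL builds the OAuth 2.0 authorization request; authURL is assumed to be the bare
// authorization endpoint. For Google it adds the parameters that make a refresh_token come back.
func SignInURL(providerName, authURL, clientID, redirectURL string, scopes []string, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	if providerName == "google" {
		q.Set("access_type", "offline") // Google's substitute for the offline_access scope
		q.Set("prompt", "consent")      // forces a refresh_token even on re-authorization
	}
	return authURL + "?" + q.Encode()
}

// CallbackStateMatches checks the state echoed on the redirect callback against the value
// issued at sign-in, in constant time, and rejects an empty state on either side.
func CallbackStateMatches(issued string, callback *url.URL) bool {
	got := callback.Query().Get("state")
	if issued == "" || got == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(issued), []byte(got)) == 1
}

func main() {
	st, _ := NewState()
	fmt.Println(SignInURL("google", "https://accounts.google.com/o/oauth2/v2/auth", "client-id", "https://app.example/oauth2/callback", []string{"openid", "email"}, st))
}
```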
func (*Provider) IdentityFromToken ¶ added in v0.5.0
IdentityFromToken takes an identity provider issued JWT as input ('id_token') and returns a session state. The provided token's audience ('aud') must match Pomerium's client_id.
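The audience check that IdentityFromToken requires, as an added example that is not Pomerium's code: the JWT aud claim may be a single string or an array of strings, so both forms are handled; the claims JSON is assumed to come from a token whose signature has already been verified.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)
// idTokenClaims keeps aud raw: RFC 7519 allows a single string or an array of strings.
type idTokenClaims struct {
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud"`
}

// AudienceContains reports whether the aud claim, in either JSON form, names clientID.
func AudienceContains(rawAud json.RawMessage, clientID string) bool {
	if clientID == "" || len(rawAud) == 0 {
		return false // a missing aud or an empty client_id never matches
	}
	var single string
	if err := json.Unmarshal(rawAud, &single); err == nil {
		return single == clientID
	}
	var many []string
	if err := json.Unmarshal(rawAud, &many); err != nil {
		return false
	}
	for _, a := range many {
		if a == clientID {
			return true
		}
	}
	return false
}

// CheckAudience parses claims whose signature the caller has already verified (assumed
// here) and rejects the token unless aud includes clientID, as IdentityFromToken requires.
func CheckAudience(claimsJSON []byte, clientID string) (*idTokenClaims, error) {
	var c idTokenClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return nil, err
	}
	if !AudienceContains(c.Audience, clientID) {
		return nil, errors.New("id_token audience does not include client_id")
	}
	return &c, nil
}

func main() { // constructed sample claims, not a real token
	fmt.Println(CheckAudience([]byte(`{"sub":"user-1","aud":["other-app","my-client-id"]}`), "my-client-id"))
}
```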
func (*Provider) Refresh ¶
Refresh renews a user's session using an OIDC refresh token without reprompting the user. Group membership is also refreshed. https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens