oidc

package
v1.4.5-rancher1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 6, 2016 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

oidc implements the authenticator.Token interface using the OpenID Connect protocol.

config := oidc.OIDCOptions{
	IssuerURL:     "https://accounts.google.com",
	ClientID:      os.Getenv("GOOGLE_CLIENT_ID"),
	UsernameClaim: "email",
}
tokenAuthenticator, err := oidc.New(config)

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type OIDCAuthenticator

type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

func New

func New(opts OIDCOptions) (*OIDCAuthenticator, error)

New creates a token authenticator which validates OpenID Connect ID Tokens.

func (*OIDCAuthenticator) AuthenticateToken

func (a *OIDCAuthenticator) AuthenticateToken(value string) (user.Info, bool, error)

AuthenticateToken decodes and verifies a ID Token using the OIDC client, if the verification succeeds, then it will extract the user info from the JWT claims.

func (*OIDCAuthenticator) Close added in v1.2.0

func (a *OIDCAuthenticator) Close()

Close stops all goroutines used by the authenticator.

type OIDCOptions added in v1.3.0

type OIDCOptions struct {
	// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
	// field of all tokens produced by the provider and is used for configuration
	// discovery.
	//
	// The URL is usually the provider's URL without a path, for example
	// "https://accounts.google.com" or "https://login.salesforce.com".
	//
	// The provider must implement configuration discovery.
	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	IssuerURL string

	// ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
	// client to ensure the plugin can be used with public providers.
	//
	// The plugin supports the "authorized party" OpenID Connect claim, which allows
	// specialized providers to issue tokens to a client for a different client.
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
	ClientID string

	// Path to a PEM encoded root certificate of the provider.
	CAFile string

	// UsernameClaim is the JWT field to use as the user's username.
	UsernameClaim string

	// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
	// groups with a ID Token field. If the GrouppClaim field is present in a ID Token the value
	// must be a list of strings.
	GroupsClaim string
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL