Documentation ¶
Index ¶
- Constants
- Variables
- func GetEmailFromContext(ctx context.Context) (string, bool)
- func GetSecretFromContext(ctx context.Context) (string, bool)
- func GetTokenFromContext(ctx context.Context) (string, bool)
- func SetContextWithEmail(ctx context.Context, email string) context.Context
- func SetContextWithPrincipal(ctx context.Context, p *Principal) context.Context
- type AuthMethod
- type ClientAssertion
- type Config
- type Flow
- type FlowRepository
- type MailLinkConfig
- type MailOTPConfig
- type OIDCConfig
- type PassKeyConfig
- type Principal
- type RegistrationFinishRequest
- type RegistrationFinishResponse
- type RegistrationStartRequest
- type RegistrationStartResponse
- type Service
- func (s Service) BuildToken(ctx context.Context, subjectID string, metadata map[string]string) ([]byte, error)
- func (s Service) Close() error
- func (s Service) FinishFlow(ctx context.Context, request RegistrationFinishRequest) (*RegistrationFinishResponse, error)
- func (s Service) GetPrincipal(ctx context.Context, assertions ...ClientAssertion) (Principal, error)
- func (s Service) InitFlows(ctx context.Context) error
- func (s Service) JWKs(ctx context.Context) jwk.Set
- func (s Service) SanitizeCallbackURL(url string) string
- func (s Service) SanitizeReturnToURL(url string) string
- func (s Service) StartFlow(ctx context.Context, request RegistrationStartRequest) (*RegistrationStartResponse, error)
- func (s Service) SupportedStrategies() []string
- type ServiceUserService
- type SessionConfig
- type SessionService
- type TokenClaimConfig
- type TokenConfig
- type UserService
Constants ¶
View Source
const ( MailOTPAuthMethod = AuthMethod(strategy.MailOTPAuthMethod) MailLinkAuthMethod = AuthMethod(strategy.MailLinkAuthMethod) PassKeyAuthMethod = AuthMethod(strategy.PasskeyAuthMethod) )
Variables ¶
View Source
var ( ErrStrategyNotApplicable = errors.New("strategy not applicable") ErrUnsupportedMethod = errors.New("unsupported authentication method") ErrInvalidMailOTP = errors.New("invalid mail otp") ErrFlowInvalid = errors.New("invalid flow or expired") )
View Source
var APIAssertions = []ClientAssertion{ SessionClientAssertion, AccessTokenClientAssertion, OpaqueTokenClientAssertion, JWTGrantClientAssertion, ClientCredentialsClientAssertion, PassthroughHeaderClientAssertion, }
View Source
var (
ErrInvalidID = errors.New("user id is invalid")
)
Functions ¶
func GetEmailFromContext ¶
GetEmailFromContext returns email from context Deprecated
func SetContextWithEmail ¶
SetContextWithEmail sets email in context Deprecated
Types ¶
type AuthMethod ¶
type AuthMethod string
func (AuthMethod) String ¶
func (m AuthMethod) String() string
type ClientAssertion ¶
type ClientAssertion string
const ( // SessionClientAssertion is used to authenticate using session cookie SessionClientAssertion ClientAssertion = "session" // AccessTokenClientAssertion is used to authenticate using access token generated // by the system for the user AccessTokenClientAssertion ClientAssertion = "access_token" // OpaqueTokenClientAssertion is used to authenticate using opaque token generated // for API clients OpaqueTokenClientAssertion ClientAssertion = "opaque" // JWTGrantClientAssertion is used to authenticate using JWT token generated // using public/private key pair that provides access token for the client JWTGrantClientAssertion ClientAssertion = "jwt_grant" // ClientCredentialsClientAssertion is used to authenticate using client_id and client_secret // that provides access token for the client ClientCredentialsClientAssertion ClientAssertion = "client_credentials" // PassthroughHeaderClientAssertion is used to authenticate using headers passed by the client // this is non secure way of authenticating client in test environments PassthroughHeaderClientAssertion ClientAssertion = "passthrough_header" )
func (ClientAssertion) String ¶
func (a ClientAssertion) String() string
type Config ¶
type Config struct { // CallbackURLs is external host used for redirect uri // host specified at 0th index will be used as default CallbackURLs []string `yaml:"callback_urls" mapstructure:"callback_urls" default:"[http://localhost:7400/v1beta1/auth/callback]"` AuthorizedRedirectURLs []string `yaml:"authorized_redirect_urls" mapstructure:"authorized_redirect_urls" ` OIDCConfig map[string]OIDCConfig `yaml:"oidc_config" mapstructure:"oidc_config"` Session SessionConfig `yaml:"session" mapstructure:"session"` Token TokenConfig `yaml:"token" mapstructure:"token"` MailOTP MailOTPConfig `yaml:"mail_otp" mapstructure:"mail_otp"` MailLink MailLinkConfig `yaml:"mail_link" mapstructure:"mail_link"` PassKey PassKeyConfig `yaml:"passkey" mapstructure:"passkey"` TestUsers testusers.Config `yaml:"test_users" mapstructure:"test_users"` }
type Flow ¶
type Flow struct { ID uuid.UUID // authentication flow type Method string // Email is the email of the user Email string // StartURL is where flow should start from for verification StartURL string // FinishURL is where flow should end to after successful verification FinishURL string // Nonce is a once time use random string Nonce string Metadata metadata.Metadata // CreatedAt will be used to clean-up dead auth flows CreatedAt time.Time // ExpiresAt is the time when the flow will expire ExpiresAt time.Time }
Flow is a temporary state used to finish login/registration flows
type FlowRepository ¶
type MailLinkConfig ¶ added in v0.7.2
type MailOTPConfig ¶
type OIDCConfig ¶
type OIDCConfig struct { ClientID string `yaml:"client_id" mapstructure:"client_id"` ClientSecret string `yaml:"client_secret" mapstructure:"client_secret"` IssuerUrl string `yaml:"issuer_url" mapstructure:"issuer_url"` Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"15m"` }
type PassKeyConfig ¶ added in v0.7.14
type Principal ¶
type Principal struct { ID string Type string User *user.User ServiceUser *serviceuser.ServiceUser }
type RegistrationStartRequest ¶
type RegistrationStartRequest struct { Method string // ReturnToURL is where flow should end to after successful verification ReturnToURL string Email string // callback_url will be used by strategy as last step to finish authentication flow // in OIDC this host will receive "state" and "code" query params, in case of magic links // this will be the url where user is redirected after clicking on magic link. // For most cases it could be host of frontier but in case of proxies, this will be proxy public endpoint. // callback_url should be one of the allowed urls configured at instance level CallbackUrl string }
type Service ¶
func NewService ¶
func NewService(logger log.Logger, config Config, flowRepo FlowRepository, mailDialer mailer.Dialer, tokenService token.Service, sessionService SessionService, userService UserService, serviceUserService ServiceUserService, webAuthConfig *webauthn.WebAuthn) *Service
func (Service) BuildToken ¶
func (s Service) BuildToken(ctx context.Context, subjectID string, metadata map[string]string) ([]byte, error)
BuildToken creates an access token for the given subjectID
func (Service) FinishFlow ¶
func (s Service) FinishFlow(ctx context.Context, request RegistrationFinishRequest) (*RegistrationFinishResponse, error)
func (Service) GetPrincipal ¶
func (Service) SanitizeCallbackURL ¶ added in v0.7.2
SanitizeCallbackURL allows only callback host to white listed domains from config
func (Service) SanitizeReturnToURL ¶ added in v0.7.2
SanitizeReturnToURL allows only redirect to white listed domains from config to avoid https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
func (Service) StartFlow ¶
func (s Service) StartFlow(ctx context.Context, request RegistrationStartRequest) (*RegistrationStartResponse, error)
func (Service) SupportedStrategies ¶
type ServiceUserService ¶
type ServiceUserService interface { GetByJWT(ctx context.Context, token string) (serviceuser.ServiceUser, error) GetBySecret(ctx context.Context, clientID, clientSecret string) (serviceuser.ServiceUser, error) }
type SessionConfig ¶
type SessionConfig struct { HashSecretKey string `mapstructure:"hash_secret_key" yaml:"hash_secret_key" default:"hash-secret-should-be-32-chars--"` BlockSecretKey string `mapstructure:"block_secret_key" yaml:"block_secret_key" default:"block-secret-should-be-32-chars-"` Domain string `mapstructure:"domain" yaml:"domain" default:""` // SameSite can be set to "default", "lax", "strict" or "none" SameSite string `mapstructure:"same_site" yaml:"same_site" default:"lax"` // Validity is the duration for which the session is valid Validity time.Duration `mapstructure:"validity" yaml:"validity" default:"720h"` Secure bool `mapstructure:"secure" yaml:"secure" default:"false"` }
type SessionService ¶
type SessionService interface {
ExtractFromContext(ctx context.Context) (*frontiersession.Session, error)
}
type TokenClaimConfig ¶ added in v0.8.0
type TokenConfig ¶
type TokenConfig struct { // Path to rsa key file, it can contain more than one key as a json array // jwt will be signed by first key, but will be tried to be decoded by all matching key ids, this helps in key rotation. // If not provided, access token will not be generated RSAPath string `yaml:"rsa_path" mapstructure:"rsa_path"` // RSABase64 is base64 encoded rsa key, it can contain more than one key as a json array RSABase64 string `yaml:"rsa_base64" mapstructure:"rsa_base64"` // Issuer uniquely identifies the service that issued the token // a good example could be fully qualified domain name Issuer string `yaml:"iss" mapstructure:"iss" default:"frontier"` // Validity is the duration for which the token is valid Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"1h"` Claims TokenClaimConfig `yaml:"claims" mapstructure:"claims"` }
Click to show internal directories.
Click to hide internal directories.