authenticate

package
v0.17.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 13, 2024 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Index

Constants

View Source
const (
	MailOTPAuthMethod  = AuthMethod(strategy.MailOTPAuthMethod)
	MailLinkAuthMethod = AuthMethod(strategy.MailLinkAuthMethod)
	PassKeyAuthMethod  = AuthMethod(strategy.PasskeyAuthMethod)
)

Variables

View Source
var (
	ErrStrategyNotApplicable = errors.New("strategy not applicable")
	ErrUnsupportedMethod     = errors.New("unsupported authentication method")
	ErrInvalidMailOTP        = errors.New("invalid mail otp")
	ErrFlowInvalid           = errors.New("invalid flow or expired")
)
View Source
var (
	ErrInvalidID = errors.New("user id is invalid")
)

Functions

func GetEmailFromContext

func GetEmailFromContext(ctx context.Context) (string, bool)

GetEmailFromContext returns email from context Deprecated

func GetSecretFromContext

func GetSecretFromContext(ctx context.Context) (string, bool)

func GetTokenFromContext

func GetTokenFromContext(ctx context.Context) (string, bool)

func SetContextWithEmail

func SetContextWithEmail(ctx context.Context, email string) context.Context

SetContextWithEmail sets email in context Deprecated

func SetContextWithPrincipal

func SetContextWithPrincipal(ctx context.Context, p *Principal) context.Context

Types

type AuthMethod

type AuthMethod string

func (AuthMethod) String

func (m AuthMethod) String() string

type ClientAssertion

type ClientAssertion string
const (
	// SessionClientAssertion is used to authenticate using session cookie
	SessionClientAssertion ClientAssertion = "session"
	// AccessTokenClientAssertion is used to authenticate using access token generated
	// by the system for the user
	AccessTokenClientAssertion ClientAssertion = "access_token"
	// OpaqueTokenClientAssertion is used to authenticate using opaque token generated
	// for API clients
	OpaqueTokenClientAssertion ClientAssertion = "opaque"
	// JWTGrantClientAssertion is used to authenticate using JWT token generated
	// using public/private key pair that provides access token for the client
	JWTGrantClientAssertion ClientAssertion = "jwt_grant"
	// ClientCredentialsClientAssertion is used to authenticate using client_id and client_secret
	// that provides access token for the client
	ClientCredentialsClientAssertion ClientAssertion = "client_credentials"
	// PassthroughHeaderClientAssertion is used to authenticate using headers passed by the client
	// this is non secure way of authenticating client in test environments
	PassthroughHeaderClientAssertion ClientAssertion = "passthrough_header"
)

func (ClientAssertion) String

func (a ClientAssertion) String() string

type Config

type Config struct {
	// CallbackURLs is external host used for redirect uri
	// host specified at 0th index will be used as default
	CallbackURLs []string `yaml:"callback_urls" mapstructure:"callback_urls" default:"[http://localhost:7400/v1beta1/auth/callback]"`

	AuthorizedRedirectURLs []string `yaml:"authorized_redirect_urls" mapstructure:"authorized_redirect_urls" `

	OIDCConfig map[string]OIDCConfig `yaml:"oidc_config" mapstructure:"oidc_config"`
	Session    SessionConfig         `yaml:"session" mapstructure:"session"`
	Token      TokenConfig           `yaml:"token" mapstructure:"token"`
	MailOTP    MailOTPConfig         `yaml:"mail_otp" mapstructure:"mail_otp"`
	MailLink   MailLinkConfig        `yaml:"mail_link" mapstructure:"mail_link"`
	PassKey    PassKeyConfig         `yaml:"passkey" mapstructure:"passkey"`
	TestUsers  testusers.Config      `yaml:"test_users" mapstructure:"test_users"`
}

type Flow

type Flow struct {
	ID uuid.UUID

	// authentication flow type
	Method string

	// Email is the email of the user
	Email string

	// StartURL is where flow should start from for verification
	StartURL string
	// FinishURL is where flow should end to after successful verification
	FinishURL string

	// Nonce is a once time use random string
	Nonce string

	Metadata metadata.Metadata

	// CreatedAt will be used to clean-up dead auth flows
	CreatedAt time.Time

	// ExpiresAt is the time when the flow will expire
	ExpiresAt time.Time
}

Flow is a temporary state used to finish login/registration flows

func (Flow) IsValid

func (f Flow) IsValid(currentTime time.Time) bool

type FlowRepository

type FlowRepository interface {
	Set(ctx context.Context, flow *Flow) error
	Get(ctx context.Context, id uuid.UUID) (*Flow, error)
	Delete(ctx context.Context, id uuid.UUID) error
	DeleteExpiredFlows(ctx context.Context) error
}

type MailLinkConfig added in v0.7.2

type MailLinkConfig struct {
	Subject  string        `yaml:"subject" mapstructure:"subject" default:"Frontier Login - One time link"`
	Body     string        `` /* 225-byte string literal not displayed */
	Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"10m"`
}

type MailOTPConfig

type MailOTPConfig struct {
	Subject  string        `yaml:"subject" mapstructure:"subject" default:"Frontier Login - OTP"`
	Body     string        `` /* 149-byte string literal not displayed */
	Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"10m"`
}

type OIDCConfig

type OIDCConfig struct {
	ClientID     string        `yaml:"client_id" mapstructure:"client_id"`
	ClientSecret string        `yaml:"client_secret" mapstructure:"client_secret"`
	IssuerUrl    string        `yaml:"issuer_url" mapstructure:"issuer_url"`
	Validity     time.Duration `yaml:"validity" mapstructure:"validity" default:"15m"`
}

type PassKeyConfig added in v0.7.14

type PassKeyConfig struct {
	RPDisplayName string   `yaml:"rpdisplayname"`
	RPID          string   `yaml:"rpid"`
	RPOrigins     []string `yaml:"rporigins"`
}

type Principal

type Principal struct {
	ID   string
	Type string

	User        *user.User
	ServiceUser *serviceuser.ServiceUser
}

func GetPrincipalFromContext

func GetPrincipalFromContext(ctx context.Context) (*Principal, bool)

type RegistrationFinishRequest

type RegistrationFinishRequest struct {
	Method string

	// used for OIDC & mail otp auth strategy
	Code        string
	State       string
	StateConfig map[string]any
}

type RegistrationFinishResponse

type RegistrationFinishResponse struct {
	User user.User
	Flow *Flow
}

type RegistrationStartRequest

type RegistrationStartRequest struct {
	Method string
	// ReturnToURL is where flow should end to after successful verification
	ReturnToURL string
	Email       string

	// callback_url will be used by strategy as last step to finish authentication flow
	// in OIDC this host will receive "state" and "code" query params, in case of magic links
	// this will be the url where user is redirected after clicking on magic link.
	// For most cases it could be host of frontier but in case of proxies, this will be proxy public endpoint.
	// callback_url should be one of the allowed urls configured at instance level
	CallbackUrl string
}

type RegistrationStartResponse

type RegistrationStartResponse struct {
	Flow        *Flow
	State       string
	StateConfig map[string]any
}

type Service

type Service struct {
	Now func() time.Time
	// contains filtered or unexported fields
}

func NewService

func NewService(logger log.Logger, config Config, flowRepo FlowRepository,
	mailDialer mailer.Dialer, tokenService token.Service, sessionService SessionService,
	userService UserService, serviceUserService ServiceUserService, webAuthConfig *webauthn.WebAuthn) *Service

func (Service) BuildToken

func (s Service) BuildToken(ctx context.Context, subjectID string, metadata map[string]string) ([]byte, error)

BuildToken creates an access token for the given subjectID

func (Service) Close

func (s Service) Close() error

func (Service) FinishFlow

func (Service) GetPrincipal

func (s Service) GetPrincipal(ctx context.Context, assertions ...ClientAssertion) (Principal, error)

func (Service) InitFlows

func (s Service) InitFlows(ctx context.Context) error

func (Service) JWKs

func (s Service) JWKs(ctx context.Context) jwk.Set

JWKs returns the public keys to verify the access token

func (Service) SanitizeCallbackURL added in v0.7.2

func (s Service) SanitizeCallbackURL(url string) string

SanitizeCallbackURL allows only callback host to white listed domains from config

func (Service) SanitizeReturnToURL added in v0.7.2

func (s Service) SanitizeReturnToURL(url string) string

SanitizeReturnToURL allows only redirect to white listed domains from config to avoid https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

func (Service) StartFlow

func (Service) SupportedStrategies

func (s Service) SupportedStrategies() []string

type ServiceUserService

type ServiceUserService interface {
	GetByJWT(ctx context.Context, token string) (serviceuser.ServiceUser, error)
	GetBySecret(ctx context.Context, clientID, clientSecret string) (serviceuser.ServiceUser, error)
}

type SessionConfig

type SessionConfig struct {
	HashSecretKey  string `mapstructure:"hash_secret_key" yaml:"hash_secret_key" default:"hash-secret-should-be-32-chars--"`
	BlockSecretKey string `mapstructure:"block_secret_key" yaml:"block_secret_key" default:"block-secret-should-be-32-chars-"`
	Domain         string `mapstructure:"domain" yaml:"domain" default:""`
	// SameSite can be set to "default", "lax", "strict" or "none"
	SameSite string `mapstructure:"same_site" yaml:"same_site" default:"lax"`
	// Validity is the duration for which the session is valid
	Validity time.Duration `mapstructure:"validity" yaml:"validity" default:"720h"`
	Secure   bool          `mapstructure:"secure" yaml:"secure" default:"false"`
}

type SessionService

type SessionService interface {
	ExtractFromContext(ctx context.Context) (*frontiersession.Session, error)
}

type TokenClaimConfig added in v0.8.0

type TokenClaimConfig struct {
	AddOrgIDsClaim    bool `yaml:"add_org_ids" mapstructure:"add_org_ids" default:"true"`
	AddUserEmailClaim bool `yaml:"add_user_email" mapstructure:"add_user_email" default:"true"`
}

type TokenConfig

type TokenConfig struct {
	// Path to rsa key file, it can contain more than one key as a json array
	// jwt will be signed by first key, but will be tried to be decoded by all matching key ids, this helps in key rotation.
	// If not provided, access token will not be generated
	RSAPath string `yaml:"rsa_path" mapstructure:"rsa_path"`
	// RSABase64 is base64 encoded rsa key, it can contain more than one key as a json array
	RSABase64 string `yaml:"rsa_base64" mapstructure:"rsa_base64"`

	// Issuer uniquely identifies the service that issued the token
	// a good example could be fully qualified domain name
	Issuer string `yaml:"iss" mapstructure:"iss" default:"frontier"`

	// Validity is the duration for which the token is valid
	Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"1h"`

	Claims TokenClaimConfig `yaml:"claims" mapstructure:"claims"`
}

type UserService

type UserService interface {
	GetByID(ctx context.Context, id string) (user.User, error)
	Create(context.Context, user.User) (user.User, error)
	Update(ctx context.Context, toUpdate user.User) (user.User, error)
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL