Documentation
Types
type AnonymousOAuthState
type AnonymousOAuthState struct {
	// TokenName is the name of the SPIAccessToken object for which we are initiating the OAuth flow
	TokenName string `json:"tokenName"`
	// TokenNamespace is the namespace of the SPIAccessToken object for which we are initiating the OAuth flow
	TokenNamespace string `json:"tokenNamespace"`
	// IssuedAt is the timestamp when the state was generated.
	IssuedAt int64 `json:"issuedAt,omitempty"`
	// Scopes is the list of the service-provider-specific scopes that we require in the service provider
	Scopes []string `json:"scopes"`
	// ServiceProviderType is the type of the service provider
	ServiceProviderType config.ServiceProviderType `json:"serviceProviderType"`
	// ServiceProviderUrl is the URL where the service provider is to be reached
	ServiceProviderUrl string `json:"serviceProviderUrl"`
}
AnonymousOAuthState is the state that the operator initially puts into the OAuth URL. It does not hold information about the user that initiated the OAuth flow, because the operator most probably doesn't know the true identity of the initiating human. The operator puts this state into the status of the SPIAccessToken, and it points to an endpoint in the OAuth service. The OAuth service requires Kubernetes authentication on this endpoint, enriches the state with the identity of the user accessing the endpoint, and redirects the caller once again to the actual service provider with a state that also contains the identity of the requesting caller.
func (AnonymousOAuthState) Validate (added in v0.4.1)
func (s AnonymousOAuthState) Validate() error
Validate validates that IssuedAt is in the past.
type Codec
type Codec struct {
	Signer        jose.Signer
	SigningSecret []byte
}
Codec is in charge of encoding and decoding the state passed through the OAuth flow as the state query parameter.
func NewCodec
NewCodec creates a new codec using the secret used for signing the JWT tokens that represent the state in the query parameters. The signing is used to make it harder to forge malicious OAuth flow requests. We don't need to encrypt the state strings, because they don't contain any information that would not be obtainable from the requests initiating the OAuth flow.
func (*Codec) ParseAnonymous
func (s *Codec) ParseAnonymous(state string) (AnonymousOAuthState, error)
ParseAnonymous parses the state from the URL query parameter and returns the anonymous state struct. It also validates the struct using the AnonymousOAuthState.Validate method.
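The signing described under NewCodec and the parse-then-validate step described under ParseAnonymous, as an added stand-alone example that is not this package's code: it uses only the Go standard library, with HMAC-SHA256 in JWS compact form standing in for the jose.Signer the real Codec holds. State, Encode, Parse, the algorithm choice and the demo secret are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type State struct { // constructed subset of AnonymousOAuthState's JSON fields
	TokenName string `json:"tokenName"`
	IssuedAt  int64  `json:"issuedAt,omitempty"`
}

var b64 = base64.RawURLEncoding // unpadded base64url, as JWS uses
func mac(secret []byte, msg string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Encode emits header.payload.signature in JWS compact form (HS256).
func Encode(secret []byte, s State) string {
	p, _ := json.Marshal(s)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(p)
	return msg + "." + b64.EncodeToString(mac(secret, msg))
}

// Parse checks the MAC (ignoring the header's alg) before reading any field, then rejects a future issuedAt.
func Parse(secret []byte, raw string, now time.Time) (s State, err error) {
	parts := strings.Split(raw, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || !hmac.Equal(sig, mac(secret, parts[0]+"."+parts[1])) {
		return s, errors.New("bad signature")
	}
	p, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(p, &s) != nil || s.IssuedAt > now.Unix() {
		return State{}, errors.New("invalid state")
	}
	return s, nil
}

func main() {
	fmt.Println(Parse([]byte("demo"), Encode([]byte("demo"), State{"spi-token", 1}), time.Now()))
}
```

Because the payload is only signed, anyone holding the URL can base64-decode and read it; the MAC only stops them from changing it.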