oauthstate

package
v0.7.1 Latest
Warning

This package is not in the latest version of its module.

Published: Aug 8, 2022 License: Apache-2.0 Imports: 6 Imported by: 1

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AnonymousOAuthState

type AnonymousOAuthState struct {
	// TokenName is the name of the SPIAccessToken object for which we are initiating the OAuth flow
	TokenName string `json:"tokenName"`

	// TokenNamespace is the namespace of the SPIAccessToken object for which we are initiating the OAuth flow
	TokenNamespace string `json:"tokenNamespace"`

	// IssuedAt is the timestamp when the state was generated.
	IssuedAt int64 `json:"issuedAt,omitempty"`

	// Scopes is the list of the service-provider-specific scopes that we require in the service provider
	Scopes []string `json:"scopes"`

	// ServiceProviderType is the type of the service provider
	ServiceProviderType config.ServiceProviderType `json:"serviceProviderType"`

	// ServiceProviderUrl is the URL where the service provider is to be reached
	ServiceProviderUrl string `json:"serviceProviderUrl"`
}

AnonymousOAuthState is the state that the operator initially puts into the OAuth URL. It does not hold information about the user that initiated the OAuth flow, because the operator most probably doesn't know the true identity of the initiating human. The operator puts this state into the status of the SPIAccessToken, and it points to an endpoint in the OAuth service. The OAuth service requires Kubernetes authentication on this endpoint, enriches the state with the identity of the user accessing the endpoint, and redirects the caller once again to the actual service provider with a state that also contains the identity of the requesting caller.

func (AnonymousOAuthState) Validate added in v0.4.1

func (s AnonymousOAuthState) Validate() error

Validate validates that IssuedAt is in the past.

type Codec

type Codec struct {
	Signer        jose.Signer
	SigningSecret []byte
}

Codec is in charge of encoding and decoding the state passed through the OAuth flow as the state query parameter.

func NewCodec

func NewCodec(signingSecret []byte) (Codec, error)

NewCodec creates a new codec using the secret used for signing the JWT tokens that represent the state in the query parameters. The signing is used to make it harder to forge malicious OAuth flow requests. We don't need to encrypt the state strings, because they don't contain any information that would not be obtainable from the requests initiating the OAuth flow.

func (*Codec) Encode added in v0.4.1

func (s *Codec) Encode(state interface{}) (token string, err error)

Encode encodes the provided state as a signed JWT token.

func (*Codec) ParseAnonymous

func (s *Codec) ParseAnonymous(state string) (AnonymousOAuthState, error)

ParseAnonymous parses the state from the URL query parameter and returns the anonymous state struct. It also validates the struct using the AnonymousOAuthState.Validate method.

func (*Codec) ParseInto added in v0.4.1

func (s *Codec) ParseInto(state string, dest interface{}) error

ParseInto tries to parse the provided state into the dest object. Note that no validation is done on the parsed object.
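
The difference between ParseInto and ParseAnonymous described above, shown as an added example that is not this package's code: a signed state is accepted by the signature-only path even when its IssuedAt lies in the future, and rejected once the validation step runs. It uses only the Go standard library in place of jose.Signer; HS256, the reduced `state` struct, the lowercase function names, the key and the timestamps are assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// state mirrors two AnonymousOAuthState fields; the type name is hypothetical.
type state struct {
	TokenName string `json:"tokenName"`
	IssuedAt  int64  `json:"issuedAt,omitempty"`
}

// sign returns the base64url HMAC-SHA256 tag over msg (HS256 is an assumption).
func sign(secret []byte, msg string) string {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// encode emits header.payload.signature; the constant is base64url of {"alg":"HS256"}.
func encode(secret []byte, s state) string {
	payload, _ := json.Marshal(s) // cannot fail for this struct
	msg := "eyJhbGciOiJIUzI1NiJ9." + base64.RawURLEncoding.EncodeToString(payload)
	return msg + "." + sign(secret, msg)
}

// parseInto checks only the signature (always HMAC-SHA256, whatever the header says).
func parseInto(secret []byte, token string, dest *state) error {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(secret, p[0]+"."+p[1]))) {
		return fmt.Errorf("state signature check failed")
	}
	return json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(p[1]))).Decode(dest)
}

// parseAnonymous adds the Validate step: an IssuedAt later than now is rejected.
func parseAnonymous(secret []byte, token string, now int64) (s state, err error) {
	if err = parseInto(secret, token, &s); err == nil && s.IssuedAt > now {
		err = fmt.Errorf("issuedAt %d is in the future", s.IssuedAt)
	}
	return s, err
}

func main() { fmt.Println(parseAnonymous([]byte("k"), encode([]byte("k"), state{"demo-token", 100}), 160)) }
```

A caller that parses into its own type through the signature-only path has to apply its own checks to the result before acting on it.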
