Documentation
¶
Index ¶
- Constants
- func GenerateSignedToken(claims *Claims, key *keys.PrivKey) (string, error)
- func GetAccessToken(r *http.Request) (string, error)
- type AuthenticatedHandler
- type Claims
- type Handler
- type Handlers
- type PermissionsHandler
- type StandardHandler
- type TokenAuth
- func (t *TokenAuth) AuthorizeRequestPermissions(claims *Claims, request *http.Request) error
- func (t *TokenAuth) AuthorizeRequestScope(claims *Claims, request *http.Request) error
- func (t *TokenAuth) CheckRequestToken(r *http.Request) (*Claims, error)
- func (t *TokenAuth) CheckToken(token string, purpose string) (*Claims, error)
- func (t *TokenAuth) SetBlacklistSize(size int)
- func (t *TokenAuth) ValidatePermissionsClaim(claims *Claims, requiredPermissions []string) error
- func (t *TokenAuth) ValidateScopeClaim(claims *Claims, requiredScope string) error
- type UserHandler
Constants ¶
const ( // AudRokwire represents the ROKWIRE audience AudRokwire string = "rokwire" )
Variables ¶
This section is empty.
Functions ¶
func GenerateSignedToken ¶
GenerateSignedToken generates and signs a new JWT with the given claims using key
Types ¶
type AuthenticatedHandler ¶
type AuthenticatedHandler struct {
// contains filtered or unexported fields
}
AuthenticatedHandler entity This enforces that the token was the result of direct user authentication. This should be used to protect sensitive account settings
func NewAuthenticatedHandler ¶
func NewAuthenticatedHandler(userAuth *UserHandler) *AuthenticatedHandler
NewAuthenticatedHandler creates a new AuthenticatedHandler
func (*AuthenticatedHandler) GetTokenAuth ¶
func (h *AuthenticatedHandler) GetTokenAuth() *TokenAuth
GetTokenAuth exposes the TokenAuth for the handler
type Claims ¶
type Claims struct {
// Required Standard Claims: sub, aud, exp, iat
jwt.StandardClaims
OrgID string `json:"org_id" validate:"required"` // Organization ID
AppID string `json:"app_id"` // Application ID
SessionID string `json:"session_id"` // Session ID
Purpose string `json:"purpose" validate:"required"` // Token purpose (eg. access...)
AuthType string `json:"auth_type" validate:"required"` // Authentication method (eg. email, phone...)
Permissions string `json:"permissions"` // Granted permissions
Scope string `json:"scope"` // Granted scope
Anonymous bool `json:"anonymous"` // Is the user anonymous?
Authenticated bool `json:"authenticated"` // Did the user authenticate? (false on refresh)
Service bool `json:"service"` // Is this token for a service account?
FirstParty bool `json:"first_party"` // Is this token used by a first party service (eg. ROKWIRE building block)?
Admin bool `json:"admin"` // Is this token for an admin?
System bool `json:"system"` // Is this token for a system admin?
// User Data: DO NOT USE AS IDENTIFIER OR SHARE WITH THIRD-PARTY SERVICES
Name string `json:"name,omitempty"` // User full name
Email string `json:"email,omitempty"` // User email address
Phone string `json:"phone,omitempty"` // User phone number
Username string `json:"username,omitempty"` // Username
ExternalIDs map[string]string `json:"external_ids,omitempty"` // External user identifiers for use in external integrations
//TODO: Once the new user ID scheme has been adopted across all services these claims should be removed
UID string `json:"uid,omitempty"` // Unique user identifier for specified "auth_type"
}
Claims represents the standard claims included in access tokens
func (Claims) AppOrg ¶
func (c Claims) AppOrg() authservice.AppOrgPair
AppOrg returns the AppOrgPair for the claims
func (Claims) CanAccess ¶
CanAccess returns an error if the claims do not grant access to a resource with the given appID, orgId, and system status
func (Claims) Scopes ¶
func (c Claims) Scopes() []authorization.Scope
Scopes returns the scopes from the claims as a slice
type Handlers ¶
type Handlers struct {
Standard Handler
Permissions *PermissionsHandler
User *UserHandler
Authenticated *AuthenticatedHandler
}
Handlers represents the standard token auth handlers
func NewHandlers ¶
NewHandlers creates new token auth handlers
type PermissionsHandler ¶
type PermissionsHandler struct {
// contains filtered or unexported fields
}
PermissionsHandler entity This enforces that the token has permissions matching the policy
func NewPermissionsHandler ¶
func NewPermissionsHandler(auth Handler) *PermissionsHandler
NewPermissionsHandler creates a new PermissionsHandler
func (*PermissionsHandler) GetTokenAuth ¶
func (h *PermissionsHandler) GetTokenAuth() *TokenAuth
GetTokenAuth exposes the TokenAuth for the handler
type StandardHandler ¶
type StandardHandler struct {
// contains filtered or unexported fields
}
StandardHandler entity This enforces that the token is valid
func NewScopeHandler ¶
func NewScopeHandler(tokenAuth *TokenAuth, claimsCheck func(*Claims, *http.Request) (int, error)) *StandardHandler
NewScopeHandler creates a new StandardHandler that checks scopes
func NewStandardHandler ¶
func NewStandardHandler(tokenAuth *TokenAuth, claimsCheck func(*Claims, *http.Request) (int, error)) *StandardHandler
NewStandardHandler creates a new StandardHandler
func (*StandardHandler) GetTokenAuth ¶
func (h *StandardHandler) GetTokenAuth() *TokenAuth
GetTokenAuth exposes the TokenAuth for the handler
type TokenAuth ¶
type TokenAuth struct {
// contains filtered or unexported fields
}
TokenAuth contains configurations and helper functions required to validate tokens
func NewTokenAuth ¶
func NewTokenAuth(acceptRokwireTokens bool, serviceRegManager *authservice.ServiceRegManager, permissionAuth authorization.Authorization, scopeAuth authorization.Authorization) (*TokenAuth, error)
NewTokenAuth creates and configures a new TokenAuth instance authorization maybe nil if performing manual authorization
func (*TokenAuth) AuthorizeRequestPermissions ¶
AuthorizeRequestPermissions will authorize the request if the permissions claim passes the permissionsAuth
Returns nil on success and error on failure.
func (*TokenAuth) AuthorizeRequestScope ¶
AuthorizeRequestScope will authorize the request if the scope claim passes the scopeAuth
Returns nil on success and error on failure.
func (*TokenAuth) CheckRequestToken ¶
CheckRequestToken is a convenience function which retrieves and checks the access token included in a request and returns the claims Access tokens must be provided as a Bearer token in the "Authorization" header
func (*TokenAuth) CheckToken ¶
CheckToken validates the provided token and returns the token claims
func (*TokenAuth) SetBlacklistSize ¶
SetBlacklistSize sets the maximum size of the token blacklist queue
The default value is 1024
func (*TokenAuth) ValidatePermissionsClaim ¶
ValidatePermissionsClaim will validate that the provided token claims contain one or more of the required permissions
Returns nil on success and error on failure.
func (*TokenAuth) ValidateScopeClaim ¶
ValidateScopeClaim will validate that the provided token claims contain the required scope
If an empty required scope is provided, the claims must contain a valid global scope such as 'all:all:all' or '{service}:all:all'
Returns nil on success and error on failure.
type UserHandler ¶
type UserHandler struct {
// contains filtered or unexported fields
}
UserHandler entity This enforces that the token is not anonymous
func NewUserHandler ¶
func NewUserHandler(auth Handler) *UserHandler
NewUserHandler creates a new UserHandler
func (*UserHandler) GetTokenAuth ¶
func (h *UserHandler) GetTokenAuth() *TokenAuth
GetTokenAuth exposes the TokenAuth for the handler
Source Files