Documentation ¶
Index ¶
- Constants
- func GetRequestTokens(r *http.Request) (string, string, error)
- type Claims
- type TokenAuth
- func NewTokenAuth(acceptRokwireTokens bool, authService *authservice.AuthService, permissionAuth authorization.Authorization, scopeAuth authorization.Authorization) (*TokenAuth, error)
- func (t *TokenAuth) AuthorizeRequestPermissions(claims *Claims, request *http.Request) error
- func (t *TokenAuth) AuthorizeRequestScope(claims *Claims, request *http.Request) error
- func (t *TokenAuth) CheckRequestTokens(r *http.Request) (*Claims, error)
- func (t *TokenAuth) CheckToken(token string, purpose string) (*Claims, error)
- func (t *TokenAuth) SetBlacklistSize(size int)
- func (t *TokenAuth) ValidateCsrfTokenClaims(accessClaims *Claims, csrfClaims *Claims) error
- func (t *TokenAuth) ValidatePermissionsClaim(claims *Claims, requiredPermissions []string) error
- func (t *TokenAuth) ValidateScopeClaim(claims *Claims, requiredScope string) error
Constants ¶
const (
AudRokwire string = "rokwire"
)
Variables ¶
This section is empty.
Functions ¶
func GetRequestTokens ¶
GetRequestTokens retrieves tokens from the request headers and/or cookies.
Mobile Clients/Secure Servers: Access tokens must be provided as a Bearer token in the "Authorization" header.
Web Clients: Access tokens must be provided in the "rokwire-access-token" cookie and CSRF tokens must be provided in the "CSRF" header.
Types ¶
type Claims ¶
type Claims struct {
	// Required Standard Claims: sub, aud, exp, iat
	jwt.StandardClaims
	OrgID         string `json:"org_id" validate:"required"`    // Organization ID
	AppID         string `json:"app_id"`                        // Application ID
	SessionID     string `json:"session_id"`                    // Session ID
	Purpose       string `json:"purpose" validate:"required"`   // Token purpose (eg. access, csrf...)
	AuthType      string `json:"auth_type" validate:"required"` // Authentication method (eg. email, phone...)
	Permissions   string `json:"permissions"`                   // Granted permissions
	Scope         string `json:"scope"`                         // Granted scope
	Anonymous     bool   `json:"anonymous"`                     // Is the user anonymous?
	Authenticated bool   `json:"authenticated"`                 // Did the user authenticate? (false on refresh)
	Service       bool   `json:"service"`                       // Is this token for a service account?
	FirstParty    bool   `json:"first_party"`                   // Is this token used by a first party service (eg. ROKWIRE building block)?
	Admin         bool   `json:"admin"`                         // Is this token for an admin?
	System        bool   `json:"system"`                        // Is this token for a system admin?

	// User Data: DO NOT USE AS IDENTIFIER OR SHARE WITH THIRD-PARTY SERVICES
	Name        string            `json:"name,omitempty"`         // User full name
	Email       string            `json:"email,omitempty"`        // User email address
	Phone       string            `json:"phone,omitempty"`        // User phone number
	ExternalIDs map[string]string `json:"external_ids,omitempty"` // External user identifiers for use in external integrations

	//TODO: Once the new user ID scheme has been adopted across all services these claims should be removed
	UID string `json:"uid,omitempty"` // Unique user identifier for specified "auth_type"
}
Claims represents the standard claims included in access tokens
type TokenAuth ¶
type TokenAuth struct {
// contains filtered or unexported fields
}
TokenAuth contains configurations and helper functions required to validate tokens
func NewTokenAuth ¶
func NewTokenAuth(acceptRokwireTokens bool, authService *authservice.AuthService, permissionAuth authorization.Authorization, scopeAuth authorization.Authorization) (*TokenAuth, error)
NewTokenAuth creates and configures a new TokenAuth instance. The authorization arguments (permissionAuth and scopeAuth) may be nil if performing manual authorization.
func (*TokenAuth) AuthorizeRequestPermissions ¶
AuthorizeRequestPermissions will authorize the request if the permissions claim passes the permissionsAuth
Returns nil on success and error on failure.
func (*TokenAuth) AuthorizeRequestScope ¶
AuthorizeRequestScope will authorize the request if the scope claim passes the scopeAuth
Returns nil on success and error on failure.
func (*TokenAuth) CheckRequestTokens ¶
CheckRequestTokens is a convenience function which retrieves and checks any tokens included in a request and returns the access token claims.
Mobile Clients/Secure Servers: Access tokens must be provided as a Bearer token in the "Authorization" header.
Web Clients: Access tokens must be provided in the "rokwire-access-token" cookie and CSRF tokens must be provided in the "CSRF" header.
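The extraction rules documented for GetRequestTokens and CheckRequestTokens, as an added illustration that is not the library's own code. The function below re-implements only the documented lookup order (Bearer header first, then the "rokwire-access-token" cookie plus the "CSRF" header) on standard net/http requests; the decision to reject a cookie-bearing request that lacks the CSRF header, and the placeholder token strings, are choices of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Header and cookie names exactly as documented for GetRequestTokens.
const (
	authorizationHeader = "Authorization"
	accessTokenCookie   = "rokwire-access-token"
	csrfHeader          = "CSRF"
	bearerPrefix        = "bearer " // compared case-insensitively
)

// requestTokens re-implements the documented extraction rules for illustration;
// it is not the library's GetRequestTokens. It returns the access token, the
// CSRF token (empty for header-based clients) and an error.
func requestTokens(r *http.Request) (string, string, error) {
	// Mobile clients / secure servers: "Authorization: Bearer <token>".
	if auth := r.Header.Get(authorizationHeader); auth != "" {
		if len(auth) < len(bearerPrefix) || !strings.EqualFold(auth[:len(bearerPrefix)], bearerPrefix) {
			return "", "", errors.New("authorization header is not a Bearer token")
		}
		token := strings.TrimSpace(auth[len(bearerPrefix):])
		if token == "" {
			return "", "", errors.New("empty Bearer token")
		}
		return token, "", nil
	}

	// Web clients: access token in a cookie, CSRF token in a header. The browser
	// attaches the cookie to cross-site requests on its own, so a cookie without
	// the CSRF header is rejected here (an assumption of this example) rather
	// than being accepted as an authenticated request.
	cookie, err := r.Cookie(accessTokenCookie)
	if err != nil || cookie.Value == "" {
		return "", "", errors.New("no access token in Authorization header or access token cookie")
	}
	csrf := r.Header.Get(csrfHeader)
	if csrf == "" {
		return "", "", errors.New("cookie-based request is missing the CSRF header")
	}
	return cookie.Value, csrf, nil
}

// Constructed sample requests; the token values are placeholders, not real JWTs.
func mobileRequest() *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "https://example.invalid/api", nil)
	r.Header.Set(authorizationHeader, "Bearer access.token.mobile")
	return r
}

func webRequest(withCSRF bool) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://example.invalid/api", nil)
	r.AddCookie(&http.Cookie{Name: accessTokenCookie, Value: "access.token.web"})
	if withCSRF {
		r.Header.Set(csrfHeader, "csrf.token.web")
	}
	return r
}

func main() {
	for _, r := range []*http.Request{mobileRequest(), webRequest(true), webRequest(false)} {
		access, csrf, err := requestTokens(r)
		fmt.Printf("access=%q csrf=%q err=%v\n", access, csrf, err)
	}
}
```

The third sample request (cookie present, CSRF header absent) is the case that matters: because the browser sends the cookie automatically, accepting it without the CSRF header would let any third-party page make authenticated calls on the user's behalf.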
func (*TokenAuth) CheckToken ¶
CheckToken validates the provided token and returns the token claims
func (*TokenAuth) SetBlacklistSize ¶
SetBlacklistSize sets the maximum size of the token blacklist queue
The default value is 1024
func (*TokenAuth) ValidateCsrfTokenClaims ¶
ValidateCsrfTokenClaims will validate that the CSRF token claims appropriately match the access token claims
Returns nil on success and error on failure.
func (*TokenAuth) ValidatePermissionsClaim ¶
ValidatePermissionsClaim will validate that the provided token claims contain one or more of the required permissions
Returns nil on success and error on failure.
func (*TokenAuth) ValidateScopeClaim ¶
ValidateScopeClaim will validate that the provided token claims contain the required scope
If an empty required scope is provided, the claims must contain a valid global scope such as 'all' or '{service}:all'.
Returns nil on success and error on failure.
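The rules documented for ValidatePermissionsClaim (at least one required permission present), ValidateScopeClaim (the required scope, or a global 'all' / '{service}:all' scope when none is required) and ValidateCsrfTokenClaims (CSRF claims matching the access token claims), as an added worked example that is not the library's code. It uses a local stand-in for Claims with only the fields it needs. Three things are assumptions of this example rather than statements of the page: Permissions is treated as comma-separated and Scope as space-separated, a global scope is taken to satisfy a specific required scope, and "matching" CSRF claims is read as same sub, org_id and session_id with purpose "csrf".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// claims is a local stand-in carrying only the documented fields this example
// needs; it is not the package's Claims type. The list encodings for
// Permissions and Scope are assumptions of this example.
type claims struct {
	Subject     string // "sub" standard claim
	OrgID       string // org_id
	SessionID   string // session_id
	Purpose     string // purpose, e.g. "access" or "csrf"
	Permissions string // permissions, assumed comma-separated
	Scope       string // scope, assumed space-separated
}

// hasAnyPermission follows the documented rule for ValidatePermissionsClaim:
// the token must carry at least one of the required permissions.
func hasAnyPermission(c claims, required []string) error {
	granted := map[string]bool{}
	for _, p := range strings.Split(c.Permissions, ",") {
		if p = strings.TrimSpace(p); p != "" {
			granted[p] = true
		}
	}
	for _, r := range required {
		if granted[r] {
			return nil
		}
	}
	return fmt.Errorf("token lacks all of the required permissions %v", required)
}

// hasScope follows the documented rule for ValidateScopeClaim: the token must
// carry requiredScope, and when requiredScope is empty it must instead carry a
// global scope, "all" or "<service>:all". Letting a global scope also satisfy a
// specific requiredScope is an assumption of this example.
func hasScope(c claims, service, requiredScope string) error {
	granted := map[string]bool{}
	for _, s := range strings.Fields(c.Scope) {
		granted[s] = true
	}
	global := granted["all"] || granted[service+":all"]
	if requiredScope == "" {
		if global {
			return nil
		}
		return errors.New("token lacks a global scope")
	}
	if granted[requiredScope] || global {
		return nil
	}
	return fmt.Errorf("token lacks required scope %q", requiredScope)
}

// csrfMatches is one concrete reading of "CSRF token claims appropriately match
// the access token claims": the CSRF token must carry purpose "csrf" and bind to
// the same subject, organization and session as the access token. The exact
// fields the library compares are not stated on this page.
func csrfMatches(access, csrf claims) error {
	if csrf.Purpose != "csrf" {
		return fmt.Errorf("token presented as CSRF token has purpose %q", csrf.Purpose)
	}
	if csrf.Subject != access.Subject || csrf.OrgID != access.OrgID || csrf.SessionID != access.SessionID {
		return errors.New("CSRF token does not belong to the access token's subject/org/session")
	}
	return nil
}

// Constructed sample claims (placeholder values, not decoded from real tokens).
var (
	accessClaims  = claims{Subject: "user-1", OrgID: "org-1", SessionID: "sess-1", Purpose: "access", Permissions: "events.read, events.write", Scope: "notifications:read"}
	csrfClaims    = claims{Subject: "user-1", OrgID: "org-1", SessionID: "sess-1", Purpose: "csrf"}
	staleCsrf     = claims{Subject: "user-1", OrgID: "org-1", SessionID: "sess-0", Purpose: "csrf"}
	serviceClaims = claims{Subject: "svc-1", OrgID: "org-1", Purpose: "access", Scope: "notifications:all"}
)

func main() {
	fmt.Println(hasAnyPermission(accessClaims, []string{"events.write", "admin"})) // nil
	fmt.Println(hasAnyPermission(accessClaims, []string{"admin"}))                 // error
	fmt.Println(hasScope(accessClaims, "notifications", "notifications:read"))     // nil
	fmt.Println(hasScope(accessClaims, "notifications", ""))                       // error: no global scope
	fmt.Println(hasScope(serviceClaims, "notifications", ""))                      // nil
	fmt.Println(csrfMatches(accessClaims, csrfClaims))                             // nil
	fmt.Println(csrfMatches(accessClaims, staleCsrf))                              // error: different session
	fmt.Println(csrfMatches(accessClaims, accessClaims))                           // error: purpose is "access"
}
```

The last call is the check worth keeping in mind: an access token replayed in the CSRF header has the right subject and session, so only the purpose claim distinguishes it from a real CSRF token.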