tokenclient

package
v0.15.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 24, 2023 License: Apache-2.0 Imports: 12 Imported by: 0

README

Go Token Client

This tokenclient module provides slim client to call /oauth2/token identity service endpoints as specified here. Furthermore, it introduces a new API to support the following token flow:

  • Client Credentials Flow.
    The Client Credentials (RFC 6749, section 4.4) is used by clients to obtain an access token outside of the context of a user. It is used for non interactive applications (a CLI, a batch job, or for service-2-service communication) where the token is issued to the client application itself, instead of an end user for accessing resources without principal propagation.

Initialization

Instantiate TokenFlows which makes by default use of a simple http.Client, which should NOT be used in production.

config, err := env.ParseIdentityConfig()
if err != nil {
    panic(err)
}

tokenFlows, err := tokenclient.NewTokenFlows(config, tokenclient.Options{HTTPClient: <your http.Client>})
if err != nil {
    panic(err)
}

Get TokenFlows from middleware

In case you leverage auth.NewMiddleware, you can also get an initialized TokenFlows from there:

tokenFlows, err := authMiddleware.GetTokenFlows()
if err != nil {
    panic(err)
}

Usage

The TokenFlows allows applications to easily create and execute each flow.

Client Credentials Token Flow

Obtain a client credentials token:

params := map[string]string{
	"resource": "urn:sap:identity:consumer:clientid:<<consumer identifier>>",
}
customerTenantUrl := oidcToken.Issuer()
encodedToken, err := tokenFlows.ClientCredentials(context.TODO(), customerTenantUrl, tokenclient.RequestOptions{Params: params})
if err != nil {
    log.Fatal(err)
}

// optionally you can parse the token to access its claims
token, e := auth.NewToken(encodedToken)
if e != nil {
    log.Fatal(err)
}

In the above sample the resource parameter specifies the consumer's client id the token is targeted at.

Outlook: Cache

The TokenFlows will cache tokens internally.

Documentation

Overview

SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Cloud Security Client Go contributors

SPDX-License-Identifier: Apache-2.0

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Options 

type Options struct {
	HTTPClient *http.Client // Default: basic http.Client with a timeout of 10 seconds and allowing 50 idle connections
}

Options allows configuration http(s) client

type RequestFailedError 

type RequestFailedError struct {
	// StatusCode of failed request
	StatusCode int
	// contains filtered or unexported fields
}

RequestFailedError represents a HTTP server error

func (*RequestFailedError) Error 

func (e *RequestFailedError) Error() string

Error initializes RequestFailedError

type RequestOptions 

type RequestOptions struct {
	// Request parameters that shall be overwritten or added to the payload
	Params map[string]string
	// Token Endpoint overwrites the default used /oauth2/token
	TokenEndpoint string
}

RequestOptions allows to configure the token request

type TokenFlows 

type TokenFlows struct {
	Options Options
	// contains filtered or unexported fields
}

TokenFlows setup once per application.

func NewTokenFlows 

func NewTokenFlows(identity env.Identity, options Options) (*TokenFlows, error)

NewTokenFlows initializes token flows

identity provides credentials and url to authenticate client with identity service options specifies rest client including tls config. Note: Setup of default tls config is not supported for windows os. Module crypto/x509 supports SystemCertPool with go 1.18 (https://go-review.googlesource.com/c/go/+/353589/)

func (*TokenFlows) ClientCredentials 

func (t *TokenFlows) ClientCredentials(ctx context.Context, customerTenantURL string, options RequestOptions) (string, error)

ClientCredentials implements the client credentials flow (RFC 6749, section 4.4). Clients obtain an access token outside of the context of a user. It is used for non interactive applications (a CLI, a batch job, or for service-2-service communication) where the token is issued to the application itself, instead of an end user for accessing resources without principal propagation.

ctx carries the request context like the deadline or other values that should be shared across API boundaries. customerTenantURL like "https://custom.accounts400.ondemand.com" gives the host of the customers ias tenant options allows to provide additional request parameters

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.