Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func WithClientInfo
func WithClientInfo(ctx context.Context, info *ClientInfo) context.Context
WithClientInfo returns a new context with the given client info.
Types
type ClientInfo
func ClientInfoFromContext
func ClientInfoFromContext(ctx context.Context) *ClientInfo
ClientInfoFromContext returns client info from the given context. This is generally set by clientcredentials.Interceptor.
func (*ClientInfo) LogFields
func (c *ClientInfo) LogFields() []log.Field
LogFields returns the standard log representation of a client, for propagating into loggers for auditing purposes. It is safe to call on a nil *ClientInfo.
type HTTPAuthenticator
type HTTPAuthenticator struct {
	// contains filtered or unexported fields
}
See clientcredentials.NewHTTPMiddleware.
func NewHTTPAuthenticator
func NewHTTPAuthenticator(logger log.Logger, introspector TokenIntrospector) *HTTPAuthenticator
NewHTTPAuthenticator provides a factory for auth middleware that uses SAMS service-to-service tokens to authenticate requests.
If you are using ConnectRPC, use clientcredentials.NewInterceptor() instead. HTTPAuthenticator should only be used for non-ConnectRPC APIs.
func (*HTTPAuthenticator) RequireScopes
func (a *HTTPAuthenticator) RequireScopes(requiredScopes scopes.Scopes, next http.Handler) http.Handler
RequireScopes performs an authorization check on the incoming HTTP request. It will return a 401 if the request does not have a valid SAMS access token, or a 403 if the token is valid but is missing ANY of the required scopes.
type Interceptor
type Interceptor struct {
	// contains filtered or unexported fields
}
See clientcredentials.NewInterceptor.
func NewInterceptor
func NewInterceptor(
	logger log.Logger,
	introspector TokenIntrospector,
	methodOptionsRequiredScopesExtension *protoimpl.ExtensionInfo,
) *Interceptor
NewInterceptor creates a server-side ConnectRPC interceptor that ensures every incoming request has a valid client credential token with the required scopes indicated in the RPC method options. When used, required scopes CANNOT be empty: if no scopes are required, declare a separate service that does not use this interceptor.
To declare required SAMS scopes in your RPC, add the following to your proto schema:
extend google.protobuf.MethodOptions {
	// The SAMS scopes required to use this RPC.
	//
	// The range 50000-99999 is reserved for internal use within individual organizations
	// so you can use numbers in this range freely for in-house applications.
	repeated string sams_required_scopes = 50001;
}
In your RPCs, add the `(sams_required_scopes)` option as a comma-delimited list:
rpc GetUserRoles(GetUserRolesRequest) returns (GetUserRolesResponse) {
	option (sams_required_scopes) = "sams::user.roles::read";
};
This will generate a variable called `E_SamsRequiredScopes` in your generated proto bindings. This variable should be provided to NewInterceptor to allow it to identify where to source the required scopes from.
The provided logger is used to record internal-server errors.
func (*Interceptor) WrapStreamingClient
func (i *Interceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc
func (*Interceptor) WrapStreamingHandler
func (i *Interceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc
type TokenIntrospector
type TokenIntrospector interface {
	// IntrospectToken takes a SAMS access token and returns relevant metadata.
	// This is generally implemented by *sams.TokensServiceV1.
	//
	// 🚨 SECURITY: SAMS will return a successful result if the token is valid, but
	// is no longer active. It is critical that the caller not honor tokens where
	// `.Active == false`.
	IntrospectToken(ctx context.Context, token string) (*sams.IntrospectTokenResponse, error)
}
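As an added illustration that is not part of this package, the following shows the 401/403 decision RequireScopes documents together with the `.Active == false` check the TokenIntrospector contract demands, run against a constructed in-memory introspector. IntrospectResult, staticIntrospector and Authorize are stand-ins assumed here; they are not types or functions from this package or from SAMS.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
)

// IntrospectResult stands in for *sams.IntrospectTokenResponse: Active is the
// field the page names; Scope (space-separated) is a constructed assumption.
type IntrospectResult struct {
	Active bool
	Scope  string
}

type Introspector interface {
	IntrospectToken(ctx context.Context, token string) (*IntrospectResult, error)
}

// staticIntrospector is a constructed in-memory lookup standing in for SAMS.
type staticIntrospector map[string]*IntrospectResult
func (s staticIntrospector) IntrospectToken(_ context.Context, token string) (*IntrospectResult, error) {
	if r, ok := s[token]; ok {
		return r, nil
	}
	return nil, errors.New("unknown token")
}

// Authorize returns the status RequireScopes is documented to answer with:
// 401 when the bearer token is absent, unknown or introspects as inactive
// (SAMS still returns success for inactive tokens, so Active must be checked),
// 403 when the token is active but lacks ANY required scope, 200 otherwise.
func Authorize(ctx context.Context, in Introspector, authz string, required []string) int {
	token := strings.TrimPrefix(authz, "Bearer ")
	if token == "" || token == authz {
		return http.StatusUnauthorized
	}
	res, err := in.IntrospectToken(ctx, token)
	if err != nil || res == nil || !res.Active {
		return http.StatusUnauthorized
	}
	granted := " " + res.Scope + " " // padded so only whole scopes match
	for _, r := range required {
		if !strings.Contains(granted, " "+r+" ") {
			return http.StatusForbidden
		}
	}
	return http.StatusOK
}
```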