Documentation
Index
- Constants
- Variables
- func DeleteAccessToken(ctx context.Context, provider string, token string) error
- func GetUserClaimFromContext[T any](ctx context.Context, claim string) (T, bool)
- func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
- func GetUserSubjectFromContext(ctx context.Context) string
- func NewOAuthConfig(c *server.ProviderConfig, provider string, cli bool) (*oauth2.Config, error)
- func NewProviderHttpClient(provider string) *http.Client
- func ValidateProviderToken(_ context.Context, provider db.ProviderClass, token string) error
- func WithAuthTokenContext(ctx context.Context, token openid.Token) context.Context
- type Identity
- type IdentityClient
- type IdentityProvider
- type JwkSetJwtValidator
- type JwtValidator
- type KeySetCache
- type KeySetFetcher
- type Resolver
Constants
const (
	// Github OAuth2 provider
	Github = "github"
	// GitHubApp provider
	GitHubApp = "github-app"
)
Variables
var OAuthSuccessHtml []byte
OAuthSuccessHtml is the HTML page sent to the client upon successful enrollment via the CLI
Functions
func DeleteAccessToken
DeleteAccessToken deletes the access token for a given provider
func GetUserClaimFromContext (added in v0.0.35)
GetUserClaimFromContext returns the specified claim from the user subject in the context if found and of the correct type
func GetUserForGitHubId (added in v0.0.39)
func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
GetUserForGitHubId looks up a user in Keycloak by their GitHub ID. This is a temporary implementation until we have a proper interface in front of IDP implementations.
If the user is found, it returns their subject _in Keycloak_, suitable for use in the `sub` claim of a JWT, and in OpenFGA's user field. Note that this function may return a user of "" with no error if no users were found matching the GitHub ID.
func GetUserSubjectFromContext (added in v0.0.24)
GetUserSubjectFromContext returns the user subject from the context, or nil
func NewOAuthConfig
NewOAuthConfig creates a new OAuth2 config for the given provider and whether the client is a CLI or web client
func NewProviderHttpClient
NewProviderHttpClient creates a new http client for the given provider
func ValidateProviderToken
ValidateProviderToken validates the given token for the given provider
Types
type Identity (added in v0.0.48)
type Identity struct {
	// UserID is a stable unique identifier for the user. This may be a large
	// integer or a UUID, rather than something human-readable.
	//
	// For KeyCloak, this is `sub`.
	UserID string
	// HumanName is a human-readable name. Because humans are fickle, these may
	// not be unique or stable over time, though they should be unique at any
	// particular time. For example, Alex may change their handle from
	// "alexsmith" to "alexawesome" after a life change, and someone else might
	// enroll the "alexsmith" handle. If you are storing data, you want UserID,
	// not HumanName. If you are presenting data, you probably want HumanName.
	//
	// For KeyCloak, this is `preferred_username`. For some other providers,
	// this might be an email address.
	HumanName string
	// Provider is the identity provider that vended this identity. Note that
	// UserID and HumanName are only unique within the context of a single
	// identity provider.
	Provider IdentityProvider
}
Identity represents a particular user's identity in a particular trust domain (represented by an IdentityProvider).
type IdentityClient (added in v0.0.48)
type IdentityClient struct {
// contains filtered or unexported fields
}
IdentityClient supports the ability to look up identities in one or more IdentityProviders.
func NewIdentityClient (added in v0.0.48)
func NewIdentityClient(providers ...IdentityProvider) (*IdentityClient, error)
NewIdentityClient creates a new IdentityClient with the supplied providers.
func (*IdentityClient) Register (added in v0.0.48)
func (c *IdentityClient) Register(p IdentityProvider) error
Register registers a new identity provider with the client.
type IdentityProvider (added in v0.0.48)
type IdentityProvider interface {
	Resolver
	// String returns the name of the identity provider. This should be a short
	// one-word string suitable for presentation. As a special case, a _single_
	// provider may use the empty string as its name to act as a default / fallback
	// provider.
	String() string
	// URL returns the `iss` URL of the identity provider.
	URL() url.URL
}
IdentityProvider provides an abstract interface for looking up identities in a remote identity provider.
type JwkSetJwtValidator
type JwkSetJwtValidator struct {
// contains filtered or unexported fields
}
JwkSetJwtValidator is a JWT validator that uses a JWK set URL to validate the tokens
func (*JwkSetJwtValidator) ParseAndValidate
func (j *JwkSetJwtValidator) ParseAndValidate(tokenString string) (openid.Token, error)
ParseAndValidate validates a token string and returns an OpenID token, or an error if the token is invalid
type JwtValidator
JwtValidator provides the functions to validate a JWT
func NewJwtValidator
func NewJwtValidator(ctx context.Context, jwksUrl string) (JwtValidator, error)
NewJwtValidator creates a new JWT validator that uses a JWK set URL to validate the tokens
type KeySetCache
type KeySetCache struct {
// contains filtered or unexported fields
}
KeySetCache is a KeySetFetcher that fetches the JWK set from a cache
type KeySetFetcher
KeySetFetcher provides the functions to fetch a JWK set
type Resolver (added in v0.0.48)
type Resolver interface {
	// Validate validates a token and returns an underlying identity representation
	// suitable for use in authz calls. This _probably_ reads data from the token,
	// but could fetch from an external provider.
	Validate(ctx context.Context, token jwt.Token) (*Identity, error)
	// Resolve takes either a human-readable identifier or a stable identifier and
	// returns the underlying identity. This may involve looking up or defining
	// the identity in the remote identity provider.
	//
	// For Keycloak + GitHub, this may define a new user in Keycloak based on
	// GitHub user data if the user is not already known to Keycloak.
	Resolve(ctx context.Context, id string) (*Identity, error)
}
Resolver is an interface for resolving human-readable or stable identifiers from either JWTs or stored strings
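The single default provider rule from IdentityProvider and the Resolve contract above, as an added example that is not the project's code: a minimal client that rejects a second empty-name provider and routes each lookup to the provider that owns it. Every type here is a hypothetical stand-in for the page's (Identity.Provider is a plain string, URL() and Validate() are omitted), and the "name:id" prefix convention and the in-memory memProvider are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the page's types (not the project's code). UserID is
// the stable key, HumanName is not; one provider may be named "" as the default.
type Identity struct{ UserID, HumanName, Provider string }
type IdentityProvider interface {
	String() string
	Resolve(ctx context.Context, id string) (*Identity, error)
}
type IdentityClient map[string]IdentityProvider

// Register rejects duplicate names, which also limits the "" default to one.
func (c IdentityClient) Register(p IdentityProvider) error {
	if _, dup := c[p.String()]; dup {
		return fmt.Errorf("provider %q already registered", p.String())
	}
	c[p.String()] = p
	return nil
}

// Resolve routes "name:id" to the named provider and a bare id to the default
// provider. The "name:id" prefix convention is an assumption of this example.
func (c IdentityClient) Resolve(ctx context.Context, id string) (*Identity, error) {
	name, rest, found := strings.Cut(id, ":")
	if !found {
		name, rest = "", id // no prefix: fall back to the default provider
	}
	if p, ok := c[name]; ok {
		return p.Resolve(ctx, rest)
	}
	return nil, fmt.Errorf("no provider registered for identifier %q", id)
}

// memProvider is a constructed in-memory provider: human name -> stable UserID.
type memProvider struct{ name string; users map[string]string }

func (m memProvider) String() string { return m.name }
func (m memProvider) Resolve(_ context.Context, id string) (*Identity, error) {
	if uid, ok := m.users[id]; ok {
		return &Identity{UserID: uid, HumanName: id, Provider: m.name}, nil
	}
	return nil, fmt.Errorf("%q: unknown user %q", m.name, id)
}
```

An identifier whose prefix names no registered provider is an error rather than a silent fallback, so a typo in the provider name can never resolve against the default provider's namespace.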
Directories
- Package keycloak provides an implementation of the Keycloak IdentityProvider.
  - client: Package client provides primitives to interact with the openapi HTTP API.
- Package mock_auth is a generated GoMock package.
- Package noop provides a no-op implementation of the JwtValidator interface.