oauth2

package
v0.20.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 19, 2022 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Overview

Package oauth2 contains all the necessary configurations to initialize the idp communication using oauth2 protocol

Index

Constants

View Source
const (
	ConsoleMinIOServer           = "CONSOLE_MINIO_SERVER"
	ConsoleIDPURL                = "CONSOLE_IDP_URL"
	ConsoleIDPClientID           = "CONSOLE_IDP_CLIENT_ID"
	ConsoleIDPSecret             = "CONSOLE_IDP_SECRET"
	ConsoleIDPCallbackURL        = "CONSOLE_IDP_CALLBACK"
	ConsoleIDPCallbackURLDynamic = "CONSOLE_IDP_CALLBACK_DYNAMIC"
	ConsoleIDPHmacPassphrase     = "CONSOLE_IDP_HMAC_PASSPHRASE"
	ConsoleIDPHmacSalt           = "CONSOLE_IDP_HMAC_SALT"
	ConsoleIDPScopes             = "CONSOLE_IDP_SCOPES"
	ConsoleIDPUserInfo           = "CONSOLE_IDP_USERINFO"
	ConsoleIDPTokenExpiration    = "CONSOLE_IDP_TOKEN_EXPIRATION"
)

Environment constants for console IDP/SSO configuration

Variables

View Source
var DefaultIDPConfig = "_"

Functions

func GetIDPCallbackURL

func GetIDPCallbackURL() string

Public endpoint used by the identity oidcProvider when redirecting the user after identity verification

func GetIDPCallbackURLDynamic

func GetIDPCallbackURLDynamic() bool

func GetIDPClientID

func GetIDPClientID() string

func GetIDPSecret

func GetIDPSecret() string

func GetIDPURL

func GetIDPURL() string

func GetIDPUserInfo

func GetIDPUserInfo() bool

func GetRandomStateWithHMAC

func GetRandomStateWithHMAC(length int) string

GetRandomStateWithHMAC computes message + hmac(message, pbkdf2(key, salt)) to be used as state during the oauth authorization

func GetSTSEndpoint

func GetSTSEndpoint() string

func IsIDPEnabled

func IsIDPEnabled() bool

Types

type Config

type Config struct {
	xoauth2.Config
}

func (Config) AuthCodeURL

func (ac Config) AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string

func (Config) Client

func (ac Config) Client(ctx context.Context, t *xoauth2.Token) *http.Client

func (Config) Exchange

func (ac Config) Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)

func (Config) PasswordCredentialsToken

func (ac Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)

func (Config) TokenSource

func (ac Config) TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource

type Configuration

type Configuration interface {
	Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)
	AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string
	PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)
	Client(ctx context.Context, t *xoauth2.Token) *http.Client
	TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource
}

type DiscoveryDoc

type DiscoveryDoc struct {
	Issuer                           string   `json:"issuer,omitempty"`
	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
	JwksURI                          string   `json:"jwks_uri,omitempty"`
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}

DiscoveryDoc - parses the output from openid-configuration for example https://accounts.google.com/.well-known/openid-configuration

type OpenIDPCfg

type OpenIDPCfg map[string]ProviderConfig

func (OpenIDPCfg) NewOauth2ProviderClient

func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)

NewOauth2ProviderClient instantiates a new oauth2 client using the `OpenIDPCfg` configuration struct. It returns a *Provider object that contains the necessary configuration to initiate an oauth2 authentication flow.

We only support Authentication with the Authorization Code Flow - spec: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

type Provider

type Provider struct {
	// oauth2Config is an interface configuration that contains the following fields
	// Config{
	// 	 ClientID string
	//	 ClientSecret string
	//	 RedirectURL string
	//	 Endpoint oauth2.Endpoint
	//	 Scopes []string
	// }
	// - ClientID is the public identifier for this application
	// - ClientSecret is a shared secret between this application and the authorization server
	// - RedirectURL is the URL to redirect users going through
	//   the OAuth flow, after the resource owner's URLs.
	// - Endpoint contains the resource server's token endpoint
	//   URLs. These are constants specific to each server and are
	//   often available via site-specific packages, such as
	//   google.Endpoint or github.Endpoint.
	// - Scopes specifies optional requested permissions.
	ClientID string
	// if enabled means that we need extrace access_token as well
	UserInfo bool
	// contains filtered or unexported fields
}

Provider is a wrapper of the oauth2 configuration and the oidc provider

func NewOauth2ProviderClient

func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)

NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials it returns a *Provider object that contains the necessary configuration to initiate an oauth2 authentication flow.

We only support Authentication with the Authorization Code Flow - spec: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

func (*Provider) GenerateLoginURL

func (client *Provider) GenerateLoginURL() string

GenerateLoginURL returns a new login URL based on the configured IDP

func (*Provider) VerifyIdentity

func (client *Provider) VerifyIdentity(ctx context.Context, code, state string) (*credentials.Credentials, error)

VerifyIdentity will contact the configured IDP to the user identity based on the authorization code and state if the user is valid, then it will contact MinIO to get valid sts credentials based on the identity provided by the IDP

func (*Provider) VerifyIdentityForOperator

func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, state string) (*xoauth2.Token, error)

VerifyIdentityForOperator will contact the configured IDP and validate the user identity based on the authorization code and state

type ProviderConfig

type ProviderConfig struct {
	URL                      string
	DisplayName              string // user-provided - can be empty
	ClientID, ClientSecret   string
	HMACSalt, HMACPassphrase string
	Scopes                   string
	Userinfo                 bool
	RedirectCallbackDynamic  bool
	RedirectCallback         string
}

ProviderConfig - OpenID IDP Configuration for console.

type User

type User struct {
	AppMetadata       map[string]interface{} `json:"app_metadata"`
	Blocked           bool                   `json:"blocked"`
	CreatedAt         string                 `json:"created_at"`
	Email             string                 `json:"email"`
	EmailVerified     bool                   `json:"email_verified"`
	FamilyName        string                 `json:"family_name"`
	GivenName         string                 `json:"given_name"`
	Identities        []interface{}          `json:"identities"`
	LastIP            string                 `json:"last_ip"`
	LastLogin         string                 `json:"last_login"`
	LastPasswordReset string                 `json:"last_password_reset"`
	LoginsCount       int                    `json:"logins_count"`
	MultiFactor       string                 `json:"multifactor"`
	Name              string                 `json:"name"`
	Nickname          string                 `json:"nickname"`
	PhoneNumber       string                 `json:"phone_number"`
	PhoneVerified     bool                   `json:"phone_verified"`
	Picture           string                 `json:"picture"`
	UpdatedAt         string                 `json:"updated_at"`
	UserID            string                 `json:"user_id"`
	UserMetadata      map[string]interface{} `json:"user_metadata"`
	Username          string                 `json:"username"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL