Documentation ¶
Overview ¶
oidc implements the authenticator.Token interface using the OpenID Connect protocol.
config := oidc.Options{ IssuerURL: "https://accounts.google.com", ClientID: os.Getenv("GOOGLE_CLIENT_ID"), UsernameClaim: "email", } tokenAuthenticator, err := oidc.New(config)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
func New ¶
func New(opts Options) (*Authenticator, error)
func (*Authenticator) AuthenticateToken ¶
func (a *Authenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)
func (*Authenticator) Close ¶
func (a *Authenticator) Close()
type CAContentProvider ¶
type CAContentProvider interface {
CurrentCABundleContent() []byte
}
Subset of dynamiccertificates.CAContentProvider that can be used to dynamically load root CAs.
type Options ¶
type Options struct { // IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" // field of all tokens produced by the provider and is used for configuration // discovery. // // The URL is usually the provider's URL without a path, for example // "https://accounts.google.com" or "https://login.salesforce.com". // // The provider must implement configuration discovery. // See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig IssuerURL string // Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer. KeySet oidc.KeySet // ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single // client to ensure the plugin can be used with public providers. // // The plugin supports the "authorized party" OpenID Connect claim, which allows // specialized providers to issue tokens to a client for a different client. // See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken ClientID string // PEM encoded root certificate contents of the provider. Mutually exclusive with Client. CAContentProvider CAContentProvider // Optional http.Client used to make all requests to the remote issuer. Mutually exclusive with CAContentProvider. Client *http.Client // UsernameClaim is the JWT field to use as the user's username. UsernameClaim string // UsernamePrefix, if specified, causes claims mapping to username to be prefix with // the provided value. A value "oidc:" would result in usernames like "oidc:john". UsernamePrefix string // GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's // groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value // must be a string or list of strings. GroupsClaim string // GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the // value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing". GroupsPrefix string // SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that // can be used by the provider to sign tokens. // // https://tools.ietf.org/html/rfc7518#section-3.1 // // This value defaults to RS256, the value recommended by the OpenID Connect // spec: // // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation SupportedSigningAlgs []string // RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the // required claims key value pairs are present in the ID Token. RequiredClaims map[string]string // contains filtered or unexported fields }
Click to show internal directories.
Click to hide internal directories.