oauth2

package
v0.1.14 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 19, 2024 License: Apache-2.0 Imports: 29 Imported by: 3

Documentation

Index

Constants

View Source
const (
	ProviderCookie = "provider"
)

Variables

View Source
var (
	// ErrKeyFormat is raised when something is wrong with the
	// encryption keys.
	ErrKeyFormat = errors.New("key format error")

	// ErrTokenVerification is raised when token verification fails.
	ErrTokenVerification = errors.New("failed to verify token")
)

Functions

This section is empty.

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator provides Keystone authentication functionality.

func New

func New(options *Options, namespace string, client client.Client, issuer *jose.JWTIssuer, rbac *rbac.RBAC) *Authenticator

New returns a new authenticator with required fields populated. You must call AddFlags after this.

func (*Authenticator) Authorization

func (a *Authenticator) Authorization(w http.ResponseWriter, r *http.Request)

Authorization redirects the client to the OIDC autorization endpoint to get an authorization code. Note that this function is responsible for either returning an authorization grant or error via a HTTP 302 redirect, or returning a HTML fragment for errors that cannot follow the provided redirect URI.

func (*Authenticator) Issue added in v0.1.13

func (a *Authenticator) Issue(r *http.Request, code *Code, expiresAt time.Time) (string, error)

Issue issues a new JWT access token.

func (*Authenticator) Login

func (a *Authenticator) Login(w http.ResponseWriter, r *http.Request)

Login handles the response from the user login prompt.

func (*Authenticator) OIDCCallback

func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request)

OIDCCallback is called by the authorization endpoint in order to return an authorization back to us. We then exchange the code for an ID token, and refresh token. Remember, as far as the client is concerned we're still doing the code grant, so return errors in the redirect query.

func (*Authenticator) Token

Token issues an OAuth2 access token from the provided autorization code.

func (*Authenticator) Verify added in v0.1.14

func (a *Authenticator) Verify(r *http.Request, tokenString string) (*Claims, error)

Verify checks the access token parses and validates.

type Claims

type Claims struct {
	jwt.Claims `json:",inline"`

	// Unikorn claims are application specific extensions.
	Unikorn *UnikornClaims `json:"unikorn,omitempty"`
}

Claims is an application specific set of claims. TODO: this technically isn't conformant to oauth2 in that we don't specify the client_id claim, and there are probably others.

type Code

type Code struct {
	// ClientID is the client identifier.
	ClientID string `json:"cid"`
	// ClientRedirectURI is the redirect URL requested by the client.
	ClientRedirectURI string `json:"cri"`
	// ClientCodeChallenge records the client code challenge so we can
	// authenticate we are handing the authorization token back to the
	// correct client.
	ClientCodeChallenge string `json:"ccc"`
	// ClientScope records the requested client scope.
	ClientScope Scope `json:"csc,omitempty"`
	// ClientNonce is injected into a OIDC id_token.
	ClientNonce string `json:"cno,omitempty"`
	// Subject is the canonical subject name (not an alias).
	Subject string `json:"sub"`
	// Groups is the set of groups the user has with the IdP.
	Groups []string `json:"grp,omitempty"`
}

Code is an authorization code to return to the client that can be exchanged for an access token. Much like how we client things in the oauth2 state during the OIDC exchange, to mitigate problems with horizonal scaling and sharing stuff, we do the same here. WARNING: Don't make this too big, the ingress controller will barf if the headers are too hefty.

type Error

type Error string
const (
	ErrorInvalidRequest          Error = "invalid_request"
	ErrorUnauthorizedClient      Error = "unauthorized_client"
	ErrorAccessDenied            Error = "access_denied"
	ErrorUnsupportedResponseType Error = "unsupported_response_type"
	ErrorInvalidScope            Error = "invalid_scope"
	ErrorServerError             Error = "server_error"
)

type IDToken

type IDToken struct {
	// Claims are the standard claims expected in a JWT.
	jwt.Claims `json:",inline"`
	// OIDC claims are claims defined by OIDC to be in an id_token.
	OIDCClaims `json:",inline"`
	// OIDCClaimsProfile are claims returned by the "profile" scope.
	OIDCClaimsProfile `json:",inline"`
	// OIDCClaimsEmail are claims returned by the "email" scope.
	OIDCClaimsEmail `json:",inline"`
}

IDToken defines an OIDC id_token.

type OIDCClaims added in v0.1.2

type OIDCClaims struct {
	// Nonce should match the nonce provided by the client at authorization
	// time and should be verfified against the original nonce.
	Nonce string `json:"nonce,omitempty"`
	// ATHash is a hash of the access_token and should be verified by the
	// client before use.
	ATHash string `json:"at_hash,omitempty"`
}

OIDCClaims are claims defined by OIDC to be in an id_token.

type OIDCClaimsEmail added in v0.1.2

type OIDCClaimsEmail struct {
	// Email is the user's email address.
	Email string `json:"email,omitempty"`
	// EmailVerified indicates whether this email address has been verified
	// and can be trusted as far as the issuer can tell.
	EmailVerified bool `json:"email_verified,omitempty"`
}

OIDCClaimsEmail are claims that make be returned by requesting the email scope.

type OIDCClaimsProfile added in v0.1.2

type OIDCClaimsProfile struct {
	// Name is the user's full name.
	Name string `json:"name,omitempty"`
	// GivenName is the user's forename.
	GivenName string `json:"given_name,omitempty"`
	// FamilyName is the user's surname.
	FamilyName string `json:"family_name,omitempty"`
	// MiddleName is the user's middle name(s).
	MiddleName string `json:"middle_name,omitempty"`
	// Nickname is the user's nickname.
	Nickname string `json:"nickname,omitempty"`
	// PreferredUsername is how the user chooses to be addressed.
	PreferredUsername string `json:"preferred_username,omitempty"`
	// Profile is a URL to the user's profile page.
	Profile string `json:"profile,omitempty"`
	// Picture is a URL to the user's picture.
	Picture string `json:"picture,omitempty"`
	// Website is a URL to the user's website.
	Website string `json:"website,omitempty"`
	// Gender is the user's gender.
	Gender string `json:"gender,omitempty"`
	// BirthDate is the users' birth date formatted according to ISO8601.  The year
	// portion may be 0000 if they choose not to reveal they are really old.
	BirthDate string `json:"birthdate,omitempty"`
	// ZoneInfo is the user's IANA assigned timezone.
	ZoneInfo string `json:"zoneinfo,omitempty"`
	// Locale is the user's RFC5646 language tag.
	Locale string `json:"locale,omitempty"`
	// UpdatedAt is when the user's profile was last updated.
	UpdatedAt string `json:"updated_at,omitempty"`
}

OIDCClaimsProfile are claims that may be returned by requesting the profile scope.

type Options

type Options struct {
}

type Scope

type Scope []string

Scope defines a list of scopes.

func NewScope

func NewScope(s string) Scope

NewScope creates a new scopes object.

func (*Scope) MarshalJSON added in v0.1.2

func (l *Scope) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaller.

func (*Scope) UnmarshalJSON added in v0.1.2

func (l *Scope) UnmarshalJSON(value []byte) error

UnmarshalJSON implments json.Unmarshaller.

type State

type State struct {
	// Nonce is the one time nonce used to create the token.
	Nonce string `json:"n"`
	// Code verfier is required to prove our identity when
	// exchanging the code with the token endpoint.
	CodeVerfier string `json:"cv"`
	// OAuth2Provider is the name of the provider configuration in
	// use, this will reference the issuer and allow discovery.
	OAuth2Provider string `json:"oap"`
	// ClientID is the client identifier.
	ClientID string `json:"cid"`
	// ClientRedirectURI is the redirect URL requested by the client.
	ClientRedirectURI string `json:"cri"`
	// Client state records the client's OAuth state while we interact
	// with the OIDC authorization server.
	ClientState string `json:"cst,omitempty"`
	// ClientCodeChallenge records the client code challenge so we can
	// authenticate we are handing the authorization token back to the
	// correct client.
	ClientCodeChallenge string `json:"ccc"`
	// ClientScope records the requested client scope.
	ClientScope Scope `json:"csc,omitempty"`
	// ClientNonce is injected into a OIDC id_token.
	ClientNonce string `json:"cno,omitempty"`
}

State records state across the call to the authorization server. This must be encrypted with JWE.

type UnikornClaims added in v0.1.13

type UnikornClaims struct {
	// Groups is a list of groups the user has on the backend IdP.
	Groups []string `json:"groups,omitempty"`
}

UnikornClaims contains all application specific claims in a single top-level claim that won't clash with the ones defined by IETF.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL