oauth2

package
v0.2.39
Published: Sep 20, 2024 License: Apache-2.0 Imports: 35 Imported by: 3

Documentation

Constants

const (
	ProviderCookie = "provider"
)

Variables

var (
	// ErrKeyFormat is raised when something is wrong with the
	// encryption keys.
	ErrKeyFormat = errors.New("key format error")

	// ErrTokenVerification is raised when token verification fails.
	ErrTokenVerification = errors.New("failed to verify token")
)

var (
	ErrUserNotDomainMapped = goerrors.New("user is not domain mapped to an organization")
)

Functions

This section is empty.

Types

type AccessTokenClaims added in v0.2.4

type AccessTokenClaims struct {
	jwt.Claims `json:",inline"`

	Config *AccessTokenConfigClaims `json:"cnf,omitempty"`

	// Custom claims are application specific extensions.
	Custom *CustomAccessTokenClaims `json:"cat,omitempty"`
}

AccessTokenClaims is an application specific set of claims. TODO: this technically isn't conformant to oauth2 in that we don't specify the client_id claim, and there are probably others.

type AccessTokenConfigClaims added in v0.2.30

type AccessTokenConfigClaims struct {
	//nolint: tagliatelle
	X509Thumbprint *string `json:"x5t@S256,omitempty"`
}

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator provides Keystone authentication functionality.

func New

func New(options *Options, namespace string, client client.Client, issuer *jose.JWTIssuer, rbac *rbac.RBAC) *Authenticator

New returns a new authenticator with required fields populated. You must call AddFlags after this.

func (*Authenticator) Authorization

func (a *Authenticator) Authorization(w http.ResponseWriter, r *http.Request)

Authorization redirects the client to the OIDC authorization endpoint to get an authorization code. Note that this function is responsible for either returning an authorization grant or error via an HTTP 302 redirect, or returning an HTML fragment for errors that cannot follow the provided redirect URI.

func (*Authenticator) GetRBAC added in v0.1.17

func (a *Authenticator) GetRBAC() *rbac.RBAC

func (*Authenticator) Groups added in v0.2.4

func (*Authenticator) Issue added in v0.1.13

func (a *Authenticator) Issue(ctx context.Context, info *IssueInfo) (*Tokens, error)

Issue issues a new JWT access token.

func (*Authenticator) Login

func (a *Authenticator) Login(w http.ResponseWriter, r *http.Request)

Login handles the response from the user login prompt.

func (*Authenticator) OIDCCallback

func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request)

OIDCCallback is called by the authorization endpoint in order to return an authorization code back to us. We then exchange the code for an ID token and refresh token. Remember, as far as the client is concerned we're still doing the code grant, so return errors in the redirect query.

func (*Authenticator) Token

Token issues an OAuth2 access token from the provided authorization code.

func (*Authenticator) TokenAuthorizationCode added in v0.2.30

func (a *Authenticator) TokenAuthorizationCode(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)

TokenAuthorizationCode issues a token based on whether the provided code is correct and the client code verifier (PKCE) matches.
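
The code-verifier check described above, as an added example that is not this package's own code. It assumes the PKCE S256 challenge method from RFC 7636 and that the stored challenge is the value carried in Code.ClientCodeChallenge; the function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// unreserved is the character set RFC 7636 allows in a code_verifier.
const unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

// challengeS256 derives the S256 code challenge from a verifier:
// base64url (no padding) of SHA-256 over the ASCII verifier.
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifierMatches reports whether the code_verifier presented at the token
// endpoint corresponds to the challenge recorded at authorization time
// (assumed here to be the value held in Code.ClientCodeChallenge).
func verifierMatches(storedChallenge, verifier string) bool {
	// Reject malformed verifiers before hashing: 43 to 128 unreserved characters.
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	for _, c := range verifier {
		if !strings.ContainsRune(unreserved, c) {
			return false
		}
	}
	// Constant-time comparison avoids leaking how many leading bytes matched.
	got := challengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	// Sample input: the verifier/challenge pair from RFC 7636 appendix B.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	stored := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
	fmt.Println(verifierMatches(stored, verifier))          // the client that started the flow
	fmt.Println(verifierMatches(stored, verifier[:42]+"A")) // a different verifier
	fmt.Println(verifierMatches(stored, "too-short"))       // malformed verifier
}
```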

func (*Authenticator) TokenClientCredentials added in v0.2.30

func (a *Authenticator) TokenClientCredentials(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)

TokenClientCredentials issues a token if the client credentials are valid. We only support mTLS based authentication.

func (*Authenticator) TokenRefreshToken added in v0.2.30

func (a *Authenticator) TokenRefreshToken(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)

TokenRefreshToken issues a token if the provided refresh token is valid.

func (*Authenticator) Verify added in v0.1.14

func (a *Authenticator) Verify(ctx context.Context, info *VerifyInfo) (*AccessTokenClaims, error)

Verify checks the access token parses and validates.

type Code

type Code struct {
	// ClientID is the client identifier.
	ClientID string `json:"cid"`
	// ClientRedirectURI is the redirect URL requested by the client.
	ClientRedirectURI string `json:"cri"`
	// ClientCodeChallenge records the client code challenge so we can
	// authenticate we are handing the authorization token back to the
	// correct client.
	ClientCodeChallenge string `json:"ccc"`
	// ClientScope records the requested client scope.
	ClientScope Scope `json:"csc,omitempty"`
	// ClientNonce is injected into an OIDC id_token.
	ClientNonce string `json:"cno,omitempty"`
	// IDToken is the full set of claims returned by the provider.
	IDToken IDToken `json:"idt"`
	// AccessToken is the user's access token.
	AccessToken string `json:"at"`
	// RefreshToken is the user's refresh token.
	RefreshToken string `json:"rt"`
	// AccessTokenExpiry tells us how long the token will last for.
	AccessTokenExpiry time.Time `json:"ate"`
	// OAuth2Provider is the name of the provider configuration in
	// use, this will reference the issuer and allow discovery.
	OAuth2Provider string `json:"oap"`
}

Code is an authorization code to return to the client that can be exchanged for an access token. Much like how we record client details in the oauth2 state during the OIDC exchange, to mitigate problems with horizontal scaling and sharing stuff, we do the same here. WARNING: Don't make this too big, the ingress controller will barf if the headers are too hefty.

type CustomAccessTokenClaims added in v0.2.4

type CustomAccessTokenClaims struct {
	// Provider is the provider name for the token.
	Provider string
	// AccessToken as defined for the IdP.
	AccessToken string `json:"at"`
}

CustomAccessTokenClaims contains all application specific claims in a single top-level claim that won't clash with the ones defined by IETF.

type CustomRefreshTokenClaims added in v0.2.4

type CustomRefreshTokenClaims struct {
	// Provider is the provider name for the token.
	Provider string
	// RefreshToken as defined for the IdP.
	RefreshToken string `json:"rt"`
}

CustomRefreshTokenClaims contains all application specific claims in a single top-level claim that won't clash with the ones defined by IETF.

type Error

type Error string

const (
	ErrorInvalidRequest          Error = "invalid_request"
	ErrorUnauthorizedClient      Error = "unauthorized_client"
	ErrorAccessDenied            Error = "access_denied"
	ErrorUnsupportedResponseType Error = "unsupported_response_type"
	ErrorInvalidScope            Error = "invalid_scope"
	ErrorServerError             Error = "server_error"
)

type IDToken

type IDToken struct {
	// Claims are the standard claims expected in a JWT.
	jwt.Claims `json:",inline"`
	// OIDC claims are claims defined by OIDC to be in an id_token.
	OIDCClaims `json:",inline"`
	// OIDCClaimsProfile are claims returned by the "profile" scope.
	OIDCClaimsProfile `json:",inline"`
	// OIDCClaimsEmail are claims returned by the "email" scope.
	OIDCClaimsEmail `json:",inline"`
}

IDToken defines an OIDC id_token.

type IssueInfo added in v0.2.4

type IssueInfo struct {
	Issuer         string
	Audience       string
	Subject        string
	Tokens         *Tokens
	X509Thumbprint string
}

type OIDCClaims added in v0.1.2

type OIDCClaims struct {
	// Nonce should match the nonce provided by the client at authorization
	// time and should be verified against the original nonce.
	Nonce string `json:"nonce,omitempty"`
	// ATHash is a hash of the access_token and should be verified by the
	// client before use.
	ATHash string `json:"at_hash,omitempty"`
}

OIDCClaims are claims defined by OIDC to be in an id_token.
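
What verifying these two claims involves on the client side, as an added example that is not part of this package. atHash and checkClaims are hypothetical names, the digest chosen per "alg" follows OIDC Core, and the token and nonce values are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
)

// atHash hashes the ASCII access token with the digest named by the id_token's
// "alg" header, keeps the left-most half and base64url-encodes it unpadded.
func atHash(alg, accessToken string) (string, error) {
	var h hash.Hash
	switch alg {
	case "RS256", "PS256", "ES256":
		h = sha256.New()
	case "RS384", "PS384", "ES384":
		h = sha512.New384()
	case "RS512", "PS512", "ES512":
		h = sha512.New()
	default:
		return "", errors.New("unsupported alg " + alg)
	}
	h.Write([]byte(accessToken))
	sum := h.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// checkClaims validates nonce and at_hash taken from an id_token whose
// signature has already been verified; sentNonce is what the client sent.
func checkClaims(alg, nonceClaim, atHashClaim, sentNonce, accessToken string) error {
	want, err := atHash(alg, accessToken)
	switch {
	case err != nil:
		return err
	case sentNonce == "" || subtle.ConstantTimeCompare([]byte(nonceClaim), []byte(sentNonce)) != 1:
		return errors.New("nonce mismatch")
	case subtle.ConstantTimeCompare([]byte(atHashClaim), []byte(want)) != 1:
		return errors.New("at_hash mismatch")
	}
	return nil
}

func main() {
	h, _ := atHash("ES256", "constructed-token") // constructed sample value
	fmt.Println(h, checkClaims("ES256", "n-1", h, "n-1", "constructed-token"))
}
```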

type OIDCClaimsEmail added in v0.1.2

type OIDCClaimsEmail struct {
	// Email is the user's email address.
	Email string `json:"email,omitempty"`
	// EmailVerified indicates whether this email address has been verified
	// and can be trusted as far as the issuer can tell.
	EmailVerified bool `json:"email_verified,omitempty"`
}

OIDCClaimsEmail are claims that may be returned by requesting the email scope.

type OIDCClaimsProfile added in v0.1.2

type OIDCClaimsProfile struct {
	// Name is the user's full name.
	Name string `json:"name,omitempty"`
	// GivenName is the user's forename.
	GivenName string `json:"given_name,omitempty"`
	// FamilyName is the user's surname.
	FamilyName string `json:"family_name,omitempty"`
	// MiddleName is the user's middle name(s).
	MiddleName string `json:"middle_name,omitempty"`
	// Nickname is the user's nickname.
	Nickname string `json:"nickname,omitempty"`
	// PreferredUsername is how the user chooses to be addressed.
	PreferredUsername string `json:"preferred_username,omitempty"`
	// Profile is a URL to the user's profile page.
	Profile string `json:"profile,omitempty"`
	// Picture is a URL to the user's picture.
	Picture string `json:"picture,omitempty"`
	// Website is a URL to the user's website.
	Website string `json:"website,omitempty"`
	// Gender is the user's gender.
	Gender string `json:"gender,omitempty"`
	// BirthDate is the user's birth date formatted according to ISO8601.  The year
	// portion may be 0000 if they choose not to reveal they are really old.
	BirthDate string `json:"birthdate,omitempty"`
	// ZoneInfo is the user's IANA assigned timezone.
	ZoneInfo string `json:"zoneinfo,omitempty"`
	// Locale is the user's RFC5646 language tag.
	Locale string `json:"locale,omitempty"`
	// UpdatedAt is when the user's profile was last updated.
	UpdatedAt string `json:"updated_at,omitempty"`
}

OIDCClaimsProfile are claims that may be returned by requesting the profile scope.

type Options

type Options struct {
	// AccessTokenDuration should be short to prevent long term use.
	AccessTokenDuration time.Duration

	// RefreshTokenDuration should be driven by the signing key rotation
	// period.
	RefreshTokenDuration time.Duration

	// TokenVerificationLeeway tells us how permissive we should or shouldn't
	// be of timing.
	TokenVerificationLeeway time.Duration

	// TokenLeewayDuration allows us to remove a period from the IdP access token
	// lifetime so we can "guarantee" ours will expire before theirs and force
	// a refresh before any errors can come from the IdP.
	TokenLeewayDuration time.Duration

	// TokenCacheSize is used to control the size of the LRU cache for token validation
	// checks.  This bounds the memory use to prevent DoS attacks.
	TokenCacheSize int
}

func (*Options) AddFlags added in v0.1.16

func (o *Options) AddFlags(f *pflag.FlagSet)

type RefreshTokenClaims added in v0.2.4

type RefreshTokenClaims struct {
	jwt.Claims `json:",inline"`

	// Custom claims are application specific extensions.
	Custom *CustomRefreshTokenClaims `json:"crt,omitempty"`
}

RefreshTokenClaims is a basic set of JWT claims, plus a wrapper for the IdP's refresh token.

type Scope

type Scope []string

Scope defines a list of scopes.

func NewScope

func NewScope(s string) Scope

NewScope creates a new scopes object.

func (*Scope) MarshalJSON added in v0.1.2

func (l *Scope) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler.

func (*Scope) UnmarshalJSON added in v0.1.2

func (l *Scope) UnmarshalJSON(value []byte) error

UnmarshalJSON implements json.Unmarshaler.

type State

type State struct {
	// Nonce is the one time nonce used to create the token.
	Nonce string `json:"n"`
	// Code verifier is required to prove our identity when
	// exchanging the code with the token endpoint.
	CodeVerfier string `json:"cv"`
	// OAuth2Provider is the name of the provider configuration in
	// use, this will reference the issuer and allow discovery.
	OAuth2Provider string `json:"oap"`
	// ClientID is the client identifier.
	ClientID string `json:"cid"`
	// ClientRedirectURI is the redirect URL requested by the client.
	ClientRedirectURI string `json:"cri"`
	// Client state records the client's OAuth state while we interact
	// with the OIDC authorization server.
	ClientState string `json:"cst,omitempty"`
	// ClientCodeChallenge records the client code challenge so we can
	// authenticate we are handing the authorization token back to the
	// correct client.
	ClientCodeChallenge string `json:"ccc"`
	// ClientScope records the requested client scope.
	ClientScope Scope `json:"csc,omitempty"`
	// ClientNonce is injected into an OIDC id_token.
	ClientNonce string `json:"cno,omitempty"`
}

State records state across the call to the authorization server. This must be encrypted with JWE.

type Tokens added in v0.2.4

type Tokens struct {
	Provider     string
	Expiry       time.Time
	AccessToken  string
	RefreshToken *string
}

type VerifyInfo added in v0.2.4

type VerifyInfo struct {
	Issuer   string
	Audience string
	Token    string
}
