Documentation ¶
Index ¶
- Constants
- Variables
- type AccessTokenClaims
- type AccessTokenConfigClaims
- type Authenticator
- func (a *Authenticator) Authorization(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) GetRBAC() *rbac.RBAC
- func (a *Authenticator) Groups(w http.ResponseWriter, r *http.Request) (openapi.AvailableGroups, error)
- func (a *Authenticator) Issue(ctx context.Context, info *IssueInfo) (*Tokens, error)
- func (a *Authenticator) Login(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
- func (a *Authenticator) TokenAuthorizationCode(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
- func (a *Authenticator) TokenClientCredentials(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
- func (a *Authenticator) TokenRefreshToken(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
- func (a *Authenticator) Verify(ctx context.Context, info *VerifyInfo) (*AccessTokenClaims, error)
- type Code
- type CustomAccessTokenClaims
- type CustomRefreshTokenClaims
- type Error
- type IDToken
- type IssueInfo
- type OIDCClaims
- type OIDCClaimsEmail
- type OIDCClaimsProfile
- type Options
- type RefreshTokenClaims
- type Scope
- type State
- type Tokens
- type VerifyInfo
Constants ¶
const (
ProviderCookie = "provider"
)
Variables ¶
var ( // ErrKeyFormat is raised when something is wrong with the // encryption keys. ErrKeyFormat = errors.New("key format error") // ErrTokenVerification is raised when token verification fails. ErrTokenVerification = errors.New("failed to verify token") )
var (
ErrUserNotDomainMapped = goerrors.New("user is not domain mapped to an organization")
)
Functions ¶
This section is empty.
Types ¶
type AccessTokenClaims ¶ added in v0.2.4
type AccessTokenClaims struct { jwt.Claims `json:",inline"` Config *AccessTokenConfigClaims `json:"cnf,omitempty"` // Custom claims are application specific extensions. Custom *CustomAccessTokenClaims `json:"cat,omitempty"` }
AccessTokenClaims is an application specific set of claims. TODO: this technically isn't conformant to oauth2 in that we don't specify the client_id claim, and there are probably others.
type AccessTokenConfigClaims ¶ added in v0.2.30
type AccessTokenConfigClaims struct { //nolint: tagliatelle X509Thumbprint *string `json:"x5t@S256,omitempty"` }
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator provides Keystone authentication functionality.
func New ¶
func New(options *Options, namespace string, client client.Client, issuer *jose.JWTIssuer, rbac *rbac.RBAC) *Authenticator
New returns a new authenticator with required fields populated. You must call AddFlags after this.
func (*Authenticator) Authorization ¶
func (a *Authenticator) Authorization(w http.ResponseWriter, r *http.Request)
Authorization redirects the client to the OIDC autorization endpoint to get an authorization code. Note that this function is responsible for either returning an authorization grant or error via a HTTP 302 redirect, or returning a HTML fragment for errors that cannot follow the provided redirect URI.
func (*Authenticator) GetRBAC ¶ added in v0.1.17
func (a *Authenticator) GetRBAC() *rbac.RBAC
func (*Authenticator) Groups ¶ added in v0.2.4
func (a *Authenticator) Groups(w http.ResponseWriter, r *http.Request) (openapi.AvailableGroups, error)
func (*Authenticator) Login ¶
func (a *Authenticator) Login(w http.ResponseWriter, r *http.Request)
Login handles the response from the user login prompt.
func (*Authenticator) OIDCCallback ¶
func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request)
OIDCCallback is called by the authorization endpoint in order to return an authorization back to us. We then exchange the code for an ID token, and refresh token. Remember, as far as the client is concerned we're still doing the code grant, so return errors in the redirect query.
func (*Authenticator) Token ¶
func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
Token issues an OAuth2 access token from the provided authorization code.
func (*Authenticator) TokenAuthorizationCode ¶ added in v0.2.30
func (a *Authenticator) TokenAuthorizationCode(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
TokenAuthorizationCode issues a token based on whether the provided code is correct and the client code verifier (PKCS) matches.
func (*Authenticator) TokenClientCredentials ¶ added in v0.2.30
func (a *Authenticator) TokenClientCredentials(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
TokenClientCredentials issues a token if the client credentials are valid. We only support mTLS based authentication.
func (*Authenticator) TokenRefreshToken ¶ added in v0.2.30
func (a *Authenticator) TokenRefreshToken(w http.ResponseWriter, r *http.Request) (*openapi.Token, error)
TokenRefreshToken issues a token if the provided refresh token is valid.
func (*Authenticator) Verify ¶ added in v0.1.14
func (a *Authenticator) Verify(ctx context.Context, info *VerifyInfo) (*AccessTokenClaims, error)
Verify checks the access token parses and validates.
type Code ¶
type Code struct { // ClientID is the client identifier. ClientID string `json:"cid"` // ClientRedirectURI is the redirect URL requested by the client. ClientRedirectURI string `json:"cri"` // ClientCodeChallenge records the client code challenge so we can // authenticate we are handing the authorization token back to the // correct client. ClientCodeChallenge string `json:"ccc"` // ClientScope records the requested client scope. ClientScope Scope `json:"csc,omitempty"` // ClientNonce is injected into a OIDC id_token. ClientNonce string `json:"cno,omitempty"` // IDToken is the full set of claims returned by the provider. IDToken IDToken `json:"idt"` // AccessToken is the user's access token. AccessToken string `json:"at"` // RefreshToken is the users's refresh token. RefreshToken string `json:"rt"` // AccessTokenExpiry tells us how long the token will last for. AccessTokenExpiry time.Time `json:"ate"` // OAuth2Provider is the name of the provider configuration in // use, this will reference the issuer and allow discovery. OAuth2Provider string `json:"oap"` }
Code is an authorization code to return to the client that can be exchanged for an access token. Much like how we client things in the oauth2 state during the OIDC exchange, to mitigate problems with horizonal scaling and sharing stuff, we do the same here. WARNING: Don't make this too big, the ingress controller will barf if the headers are too hefty.
type CustomAccessTokenClaims ¶ added in v0.2.4
type CustomAccessTokenClaims struct { // Provider is the provider name for the token. Provider string // AccessToken as defined for the IdP. AccessToken string `json:"at"` }
CustomAccessTokenClaims contains all application specific claims in a single top-level claim that won't clash with the ones defined by IETF.
type CustomRefreshTokenClaims ¶ added in v0.2.4
type CustomRefreshTokenClaims struct { // Provider is the provider name for the token. Provider string // RefreshToken as defined for the IdP. RefreshToken string `json:"rt"` }
CustomRefreshTokenClaims contains all application specific claims in a single top-level claim that won't clash with the ones defined by IETF.
type IDToken ¶
type IDToken struct { // Claims are the standard claims expected in a JWT. jwt.Claims `json:",inline"` // OIDC claims are claims defined by OIDC to be in an id_token. OIDCClaims `json:",inline"` // OIDCClaimsProfile are claims returned by the "profile" scope. OIDCClaimsProfile `json:",inline"` // OIDCClaimsEmail are claims returned by the "email" scope. OIDCClaimsEmail `json:",inline"` }
IDToken defines an OIDC id_token.
type OIDCClaims ¶ added in v0.1.2
type OIDCClaims struct { // Nonce should match the nonce provided by the client at authorization // time and should be verfified against the original nonce. Nonce string `json:"nonce,omitempty"` // ATHash is a hash of the access_token and should be verified by the // client before use. ATHash string `json:"at_hash,omitempty"` }
OIDCClaims are claims defined by OIDC to be in an id_token.
type OIDCClaimsEmail ¶ added in v0.1.2
type OIDCClaimsEmail struct { // Email is the user's email address. Email string `json:"email,omitempty"` // EmailVerified indicates whether this email address has been verified // and can be trusted as far as the issuer can tell. EmailVerified bool `json:"email_verified,omitempty"` }
OIDCClaimsEmail are claims that make be returned by requesting the email scope.
type OIDCClaimsProfile ¶ added in v0.1.2
type OIDCClaimsProfile struct { // Name is the user's full name. Name string `json:"name,omitempty"` // GivenName is the user's forename. GivenName string `json:"given_name,omitempty"` // FamilyName is the user's surname. FamilyName string `json:"family_name,omitempty"` // MiddleName is the user's middle name(s). MiddleName string `json:"middle_name,omitempty"` // Nickname is the user's nickname. Nickname string `json:"nickname,omitempty"` // PreferredUsername is how the user chooses to be addressed. PreferredUsername string `json:"preferred_username,omitempty"` // Profile is a URL to the user's profile page. Profile string `json:"profile,omitempty"` // Picture is a URL to the user's picture. Picture string `json:"picture,omitempty"` // Website is a URL to the user's website. Website string `json:"website,omitempty"` // Gender is the user's gender. Gender string `json:"gender,omitempty"` // BirthDate is the users' birth date formatted according to ISO8601. The year // portion may be 0000 if they choose not to reveal they are really old. BirthDate string `json:"birthdate,omitempty"` // ZoneInfo is the user's IANA assigned timezone. ZoneInfo string `json:"zoneinfo,omitempty"` // Locale is the user's RFC5646 language tag. Locale string `json:"locale,omitempty"` // UpdatedAt is when the user's profile was last updated. UpdatedAt string `json:"updated_at,omitempty"` }
OIDCClaimsProfile are claims that may be returned by requesting the profile scope.
type Options ¶
type Options struct { // AccessTokenDuration should be short to prevent long term use. AccessTokenDuration time.Duration // RefreshTokenDuration should be driven by the signing key rotation // period. RefreshTokenDuration time.Duration // TokenVerificationLeeway tells us how permissive we should or shouldn't // be of timing. TokenVerificationLeeway time.Duration // TokenLeewayDuration allows us to remove a period from the IdP access token // lifetime so we can "guarantee" ours will expire before theirs and force // a refresh before any errors can come from the IdP. TokenLeewayDuration time.Duration // TokenCacheSize is used to control the size of the LRU cache for token validation // checks. This bounds the memory use to prevent DoS attacks. TokenCacheSize int // Bool to indicate whether sign up is allowed AuthenticateUnknownUsers bool }
type RefreshTokenClaims ¶ added in v0.2.4
type RefreshTokenClaims struct { jwt.Claims `json:",inline"` // Custom claims are application specific extensions. Custom *CustomRefreshTokenClaims `json:"crt,omitempty"` }
RefreshTokenClaims is a basic set of JWT claims, plus a wrapper for the IdP's refresh token.
type Scope ¶
type Scope []string
Scope defines a list of scopes.
func (*Scope) MarshalJSON ¶ added in v0.1.2
MarshalJSON implements json.Marshaller.
func (*Scope) UnmarshalJSON ¶ added in v0.1.2
UnmarshalJSON implments json.Unmarshaller.
type State ¶
type State struct { // Nonce is the one time nonce used to create the token. Nonce string `json:"n"` // Code verfier is required to prove our identity when // exchanging the code with the token endpoint. CodeVerfier string `json:"cv"` // OAuth2Provider is the name of the provider configuration in // use, this will reference the issuer and allow discovery. OAuth2Provider string `json:"oap"` // ClientID is the client identifier. ClientID string `json:"cid"` // ClientRedirectURI is the redirect URL requested by the client. ClientRedirectURI string `json:"cri"` // Client state records the client's OAuth state while we interact // with the OIDC authorization server. ClientState string `json:"cst,omitempty"` // ClientCodeChallenge records the client code challenge so we can // authenticate we are handing the authorization token back to the // correct client. ClientCodeChallenge string `json:"ccc"` // ClientScope records the requested client scope. ClientScope Scope `json:"csc,omitempty"` // ClientNonce is injected into a OIDC id_token. ClientNonce string `json:"cno,omitempty"` }
State records state across the call to the authorization server. This must be encrypted with JWE.