Documentation
¶
Index ¶
- Variables
- func Issue(i *jose.JWTIssuer, r *http.Request, code *Code, expiresAt time.Time) (string, error)
- func Verify(i *jose.JWTIssuer, r *http.Request, tokenString string) (*claims.Claims, error)
- type Authenticator
- func (a *Authenticator) Authorization(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) Login(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request)
- func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*generated.Token, error)
- type Code
- type Error
- type IDToken
- type OIDCClaims
- type OIDCClaimsEmail
- type OIDCClaimsProfile
- type Options
- type State
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // ErrKeyFormat is raised when something is wrong with the // encryption keys. ErrKeyFormat = errors.New("key format error") // ErrTokenVerification is raised when token verification fails. ErrTokenVerification = errors.New("failed to verify token") )
Functions ¶
Types ¶
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator provides Keystone authentication functionality.
func New ¶
func New(options *Options, namespace string, client client.Client, issuer *jose.JWTIssuer) *Authenticator
New returns a new authenticator with required fields populated. You must call AddFlags after this.
func (*Authenticator) Authorization ¶
func (a *Authenticator) Authorization(w http.ResponseWriter, r *http.Request)
Authorization redirects the client to the OIDC autorization endpoint to get an authorization code. Note that this function is responsible for either returning an authorization grant or error via a HTTP 302 redirect, or returning a HTML fragment for errors that cannot follow the provided redirect URI.
func (*Authenticator) Login ¶
func (a *Authenticator) Login(w http.ResponseWriter, r *http.Request)
func (*Authenticator) OIDCCallback ¶
func (a *Authenticator) OIDCCallback(w http.ResponseWriter, r *http.Request)
OIDCCallback is called by the authorization endpoint in order to return an authorization back to us. We then exchange the code for an ID token, and refresh token. Remember, as far as the client is concerned we're still doing the code grant, so return errors in the redirect query.
func (*Authenticator) Token ¶
func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*generated.Token, error)
Token issues an OAuth2 access token from the provided autorization code.
type Code ¶
type Code struct {
// ClientID is the client identifier.
ClientID string `json:"cid"`
// ClientRedirectURI is the redirect URL requested by the client.
ClientRedirectURI string `json:"cri"`
// ClientCodeChallenge records the client code challenge so we can
// authenticate we are handing the authorization token back to the
// correct client.
ClientCodeChallenge string `json:"ccc"`
// ClientScope records the requested client scope.
ClientScope scope.Scope `json:"csc,omitempty"`
// ClientNonce is injected into a OIDC id_token.
ClientNonce string `json:"cno,omitempty"`
// TODO: we would be a lot more flexible by passing all the claims over...
// Email is exactly that.
Email string `json:"email"`
// Organization is the user's organization name.
Organization string `json:"org"`
}
Code is an authorization code to return to the client that can be exchanged for an access token. Much like how we client things in the oauth2 state during the OIDC exchange, to mitigate problems with horizonal scaling and sharing stuff, we do the same here. WARNING: Don't make this too big, the ingress controller will barf if the headers are too hefty.
type IDToken ¶
type IDToken struct {
// Claims are the standard claims expected in a JWT.
jwt.Claims `json:",inline"`
// OIDC claims are claims defined by OIDC to be in an id_token.
OIDCClaims `json:",inline"`
// OIDCClaimsProfile are claims returned by the "profile" scope.
OIDCClaimsProfile `json:",inline"`
// OIDCClaimsEmail are claims returned by the "email" scope.
OIDCClaimsEmail `json:",inline"`
}
IDToken defines an OIDC id_token.
type OIDCClaims ¶ added in v0.1.2
type OIDCClaims struct {
// Nonce should match the nonce provided by the client at authorization
// time and should be verfified against the original nonce.
Nonce string `json:"nonce,omitempty"`
// ATHash is a hash of the access_token and should be verified by the
// client before use.
ATHash string `json:"at_hash,omitempty"`
}
OIDCClaims are claims defined by OIDC to be in an id_token.
type OIDCClaimsEmail ¶ added in v0.1.2
type OIDCClaimsEmail struct {
// Email is the user's email address.
Email string `json:"email,omitempty"`
// EmailVerified indicates whether this email address has been verified
// and can be trusted as far as the issuer can tell.
EmailVerified bool `json:"email_verified,omitempty"`
}
OIDCClaimsEmail are claims that make be returned by requesting the email scope.
type OIDCClaimsProfile ¶ added in v0.1.2
type OIDCClaimsProfile struct {
// Name is the user's full name.
Name string `json:"name,omitempty"`
// GivenName is the user's forename.
GivenName string `json:"given_name,omitempty"`
// FamilyName is the user's surname.
FamilyName string `json:"family_name,omitempty"`
// MiddleName is the user's middle name(s).
MiddleName string `json:"middle_name,omitempty"`
// Nickname is the user's nickname.
Nickname string `json:"nickname,omitempty"`
// PreferredUsername is how the user chooses to be addressed.
PreferredUsername string `json:"preferred_username,omitempty"`
// Profile is a URL to the user's profile page.
Profile string `json:"profile,omitempty"`
// Picture is a URL to the user's picture.
Picture string `json:"picture,omitempty"`
// Website is a URL to the user's website.
Website string `json:"website,omitempty"`
// Gender is the user's gender.
Gender string `json:"gender,omitempty"`
// BirthDate is the users' birth date formatted according to ISO8601. The year
// portion may be 0000 if they choose not to reveal they are really old.
BirthDate string `json:"birthdate,omitempty"`
// ZoneInfo is the user's IANA assigned timezone.
ZoneInfo string `json:"zoneinfo,omitempty"`
// Locale is the user's RFC5646 language tag.
Locale string `json:"locale,omitempty"`
// UpdatedAt is when the user's profile was last updated.
UpdatedAt string `json:"updated_at,omitempty"`
}
OIDCClaimsProfile are claims that may be returned by requesting the profile scope.
type State ¶
type State struct {
// Nonce is the one time nonce used to create the token.
Nonce string `json:"n"`
// Code verfier is required to prove our identity when
// exchanging the code with the token endpoint.
CodeVerfier string `json:"cv"`
// OAuth2Provider is the name of the provider configuration in
// use, this will reference the issuer and allow discovery.
OAuth2Provider string `json:"oap"`
// Organization is a reference to the organization name.
Organization string `json:"org"`
// ClientID is the client identifier.
ClientID string `json:"cid"`
// ClientRedirectURI is the redirect URL requested by the client.
ClientRedirectURI string `json:"cri"`
// Client state records the client's OAuth state while we interact
// with the OIDC authorization server.
ClientState string `json:"cst,omitempty"`
// ClientCodeChallenge records the client code challenge so we can
// authenticate we are handing the authorization token back to the
// correct client.
ClientCodeChallenge string `json:"ccc"`
// ClientScope records the requested client scope.
ClientScope scope.Scope `json:"csc,omitempty"`
// ClientNonce is injected into a OIDC id_token.
ClientNonce string `json:"cno,omitempty"`
}
State records state across the call to the authorization server. This must be encrypted with JWE.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.