handlers

package
v0.0.0-...-ba1c585 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 29, 2017 License: BSD-3-Clause Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewOAuthBlessingHandler

func NewOAuthBlessingHandler(ctx *context.T, params OAuthBlesserParams, apps RegisteredAppMap) http.Handler

NewOAuthBlessingHandler returns an http.Handler that uses Google OAuth2 Access tokens to obtain the username of the requestor and reponds with blessings for that username.

The blessings are namespaced under the ClientID for the access token. In particular, the name of the granted blessing is of the form <idp>:<appID>:<email> where <idp> is the name of the default blessings used by the identity provider and <appID> is the name of the 'app' - either the OAuth ClientID or a registered alias.

Blessings generated by this service carry a third-party revocation caveat if a RevocationManager is specified by the params or they carry an ExpiryCaveat that expires after the duration specified by the params.

The handler expects the following request parameters:

  • "public_key": Base64 DER encoded PKIX representation of the client's public key
  • "caveats": Base64 VOM encoded list of caveats [OPTIONAL]
  • "token": Google OAuth2 Access token
  • "output_format": The encoding format for the returned blessings. The following formats are supported:
  • "json": JSON-encoding of the wire format of Blessings.
  • "base64vom": Base64URL encoding of VOM-encoded Blessings [DEFAULT]

The response consists of blessings encoded in the requested output format.

WARNINGS:

  • There is no binding between the channel over which the access token was obtained and the channel used to make this request.
  • There is no "proof of possession of private key" required by the server.

Thus, if Mallory (attacker) possesses the access token associated with Alice's account (victim), she may be able to obtain a blessing with Alice's name on it for any public key of her choice.

Types

type BlessingRoot

type BlessingRoot struct {
	P security.Principal
}

BlessingRoot is an http.Handler implementation that renders the server's blessing names and public key in a json string.

func (BlessingRoot) ServeHTTP

func (b BlessingRoot) ServeHTTP(w http.ResponseWriter, r *http.Request)

type OAuthBlesserParams

type OAuthBlesserParams struct {
	// The OAuth provider that must have issued the access tokens accepted by ths service.
	OAuthProvider oauth.OAuthProvider
	// The object name of the discharger service. If this is empty then revocation caveats will not be granted.
	DischargerLocation string
	// The revocation manager that generates caveats and manages revocation.
	RevocationManager revocation.RevocationManager
	// The duration for which blessings will be valid. (Used iff RevocationManager is nil).
	BlessingDuration time.Duration
}

OAuthBlesserParams represents all the parameters required for exchanging an OAuth token for blessings.

type RegisteredAppMap

type RegisteredAppMap map[string]struct {
	Extension string
}

Map of client id -> blessing extension The blessing given for a token with ClientID 'id' is generated by extending the default blessing of this service's principal with the extension held in this map for 'id'. The string "{email}" in the Extension will be replaced by the email from the request's access token.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL