package auth

v0.6.2 (this package is not in the latest version of its module)
Published: Jan 25, 2022 License: MPL-2.0 Imports: 11 Imported by: 13

Documentation

Constants

const (
	// StateCookieName is the name of the cookie that holds state during auth flow.
	StateCookieName = "state"
	// IDTokenCookieName is the name of the cookie that holds the ID Token once
	// the user has authenticated successfully with the OIDC Provider.
	IDTokenCookieName = "id_token"
	// RefreshTokenCookieName is the name of the cookie that holds the refresh
	// token.
	RefreshTokenCookieName = "refresh_token"
)

Variables

This section is empty.

Functions

func RegisterAuthServer

func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer)

RegisterAuthServer registers the /callback route under a specified prefix. This route is called by the OIDC Provider in order to pass back state after the authentication flow completes.

func WithAPIAuth

func WithAPIAuth(next http.Handler, srv *AuthServer) http.Handler

WithAPIAuth middleware adds auth validation to API handlers.

Unauthorized requests will be denied with a 401 status code.

func WithPrincipal

func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context

WithPrincipal sets the principal into the context.

func WithWebAuth

func WithWebAuth(next http.Handler, srv *AuthServer) http.Handler

WithWebAuth middleware adds auth validation to HTML handlers.

Unauthorized requests will be redirected to the OIDC Provider. It is meant to be used with routes that serve HTML content, not API routes.

Types

type AuthConfig

type AuthConfig struct {
	OIDCConfig
	CookieConfig
}

AuthConfig is used to configure an AuthServer.

type AuthServer

type AuthServer struct {
	// contains filtered or unexported fields
}

AuthServer interacts with an OIDC issuer to handle the OAuth2 process flow.

func NewAuthServer

func NewAuthServer(ctx context.Context, logger logr.Logger, client *http.Client, config AuthConfig) (*AuthServer, error)

NewAuthServer creates a new AuthServer object.

func (*AuthServer) ServeHTTP

func (c *AuthServer) ServeHTTP(rw http.ResponseWriter, r *http.Request)

func (*AuthServer) SetRedirectURL

func (c *AuthServer) SetRedirectURL(url string)

SetRedirectURL is used to set the redirect URL. This is meant to be used in unit tests only.

type CookieConfig

type CookieConfig struct {
	CookieDuration     time.Duration
	IssueSecureCookies bool
}

CookieConfig is used to configure the cookies that get issued from the OIDC issuer once the OAuth2 process flow completes.

type JWTAuthorizationHeaderPrincipalGetter

type JWTAuthorizationHeaderPrincipalGetter struct {
	// contains filtered or unexported fields
}

JWTAuthorizationHeaderPrincipalGetter inspects the Authorization header (bearer token) for a JWT token and returns a principal object.

func (*JWTAuthorizationHeaderPrincipalGetter) Principal

type JWTCookiePrincipalGetter

type JWTCookiePrincipalGetter struct {
	// contains filtered or unexported fields
}

JWTCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal object.

func (*JWTCookiePrincipalGetter) Principal

type MultiAuthPrincipal

type MultiAuthPrincipal []PrincipalGetter

MultiAuthPrincipal tries each PrincipalGetter in the slice in order: the first getter that returns an error or a principal ends the search and its result is returned; if every getter returns (nil, nil), MultiAuthPrincipal returns (nil, nil) as well.

func (MultiAuthPrincipal) Principal

func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error)

type OIDCConfig

type OIDCConfig struct {
	IssuerURL    string
	ClientID     string
	ClientSecret string
	RedirectURL  string
}

OIDCConfig is used to configure an AuthServer to interact with an OIDC issuer.

type PrincipalGetter

type PrincipalGetter interface {
	// Principal extracts a principal from the http.Request.
	// It's not an error for there to be no principal in the request.
	Principal(r *http.Request) (*UserPrincipal, error)
}

PrincipalGetter implementations are responsible for extracting a named principal from an HTTP request.

func NewJWTAuthorizationHeaderPrincipalGetter

func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier) PrincipalGetter

func NewJWTCookiePrincipalGetter

func NewJWTCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string) PrincipalGetter
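The PrincipalGetter contract, MultiAuthPrincipal's first-hit semantics and WithAPIAuth's 401 behaviour, reimplemented locally as an added example. This is not the package's code: the real JWT getters need an OIDC issuer to verify ID tokens, so fixtureGetter, its token table and the credential "fixture-token-1" are constructed stand-ins that only show how the chain and the context plumbing behave.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
)

// UserPrincipal and PrincipalGetter mirror the types documented on the page.
type UserPrincipal struct {
	ID     string   `json:"id"`
	Groups []string `json:"groups"`
}

type PrincipalGetter interface {
	Principal(r *http.Request) (*UserPrincipal, error) // (nil, nil) means "nothing of my kind present"
}

// MultiAuthPrincipal is a local reimplementation of the documented semantics: the first
// getter returning an error or a principal ends the search, otherwise the chain yields (nil, nil).
type MultiAuthPrincipal []PrincipalGetter

func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error) {
	for _, g := range m {
		if p, err := g.Principal(r); err != nil || p != nil {
			return p, err
		}
	}
	return nil, nil
}

// fixtureGetter is a constructed stand-in for the page's JWT getters: it pulls an opaque
// token out of the request and looks it up in a fixed table instead of verifying a signed ID token.
type fixtureGetter struct {
	extract func(r *http.Request) (string, bool)
	known   map[string]*UserPrincipal
}

func (f fixtureGetter) Principal(r *http.Request) (*UserPrincipal, error) {
	tok, ok := f.extract(r)
	if !ok {
		return nil, nil // no credential of this kind: let the next getter try
	}
	if p, found := f.known[tok]; found {
		return p, nil
	}
	// A credential was offered and is bad: stop the chain instead of falling through.
	return nil, errors.New("credential presented but not recognised")
}

func bearerFromHeader(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	return strings.TrimPrefix(h, "Bearer "), strings.HasPrefix(h, "Bearer ")
}

func cookieValue(name string) func(*http.Request) (string, bool) {
	return func(r *http.Request) (string, bool) {
		if c, err := r.Cookie(name); err == nil {
			return c.Value, true
		}
		return "", false
	}
}

// Context plumbing with the same shape as WithPrincipal/Principal on the page.
type principalKey struct{}

func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context {
	return context.WithValue(ctx, principalKey{}, p)
}

func Principal(ctx context.Context) *UserPrincipal {
	p, _ := ctx.Value(principalKey{}).(*UserPrincipal)
	return p
}

// WithAPIAuth mirrors the documented behaviour: 401 unless a principal was established,
// otherwise the principal travels down to the handler in the request context.
func WithAPIAuth(next http.Handler, getter PrincipalGetter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := getter.Principal(r)
		if err != nil || p == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(WithPrincipal(r.Context(), p)))
	})
}

// NewAPIHandler chains a header getter ahead of an id_token cookie getter, the way the
// page's two JWT getters would be combined; "fixture-token-1" is a constructed credential.
func NewAPIHandler() http.Handler {
	known := map[string]*UserPrincipal{"fixture-token-1": {ID: "alice", Groups: []string{"admins"}}}
	chain := MultiAuthPrincipal{
		fixtureGetter{extract: bearerFromHeader, known: known},
		fixtureGetter{extract: cookieValue("id_token"), known: known},
	}
	return WithAPIAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(Principal(r.Context()).ID))
	}), chain)
}
```

The point worth noticing is the asymmetry in the contract: a getter that finds no credential of its kind returns (nil, nil) so the next one can try, but a getter that finds a credential and cannot validate it returns an error, which MultiAuthPrincipal propagates immediately. A request carrying a bad bearer token is therefore denied even if a valid cookie follows it in the chain; that is the intended fail-closed behaviour, not a bug to work around.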

type SessionState

type SessionState struct {
	Nonce     string `json:"n"`
	ReturnURL string `json:"return_url"`
}

SessionState represents the state that needs to be persisted between the AuthN request from the Relying Party (RP) to the authorization endpoint of the OpenID Provider (OP) and the AuthN response back from the OP to the RP's callback URL. This state could be persisted server-side in a data store such as Redis but we prefer to operate stateless so we store this in a cookie instead. The cookie value and the value of the "state" parameter passed in the AuthN request are identical and set to the base64-encoded, JSON serialised state.

https://openid.net/specs/openid-connect-core-1_0.html#Overview
https://auth0.com/docs/configure/attack-protection/state-parameters#alternate-redirect-method
https://community.auth0.com/t/state-parameter-and-user-redirection/8387/2
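A stateless state round trip of the kind the SessionState doc describes, as an added example rather than the package's own code: the state cookie and the "state" parameter of the AuthN request carry the same base64-encoded JSON, the callback handler checks that they match before trusting anything in them, and the stored ReturnURL is restricted to a local path before it can be used as a redirect target. The function names BeginAuth, VerifyCallback and IsLocalPath, the 16-byte random nonce and the 10-minute cookie lifetime are assumptions; the page fixes only the struct, its JSON tags and the cookie name.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

const StateCookieName = "state"

// SessionState mirrors the struct on the page.
type SessionState struct {
	Nonce     string `json:"n"`
	ReturnURL string `json:"return_url"`
}

var (
	ErrStateMismatch   = errors.New("state parameter does not match the state cookie")
	ErrUnsafeReturnURL = errors.New("return_url is not a local path")
)

// Encode serialises the state as the page describes: JSON, then base64.
func (s SessionState) Encode() (string, error) {
	j, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(j), nil
}

// DecodeSessionState is the inverse of Encode and rejects a state without a nonce.
func DecodeSessionState(v string) (SessionState, error) {
	var s SessionState
	j, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return s, errors.New("state is not valid base64")
	}
	if err := json.Unmarshal(j, &s); err != nil || s.Nonce == "" {
		return s, errors.New("state is not a JSON object with a nonce")
	}
	return s, nil
}

// IsLocalPath accepts only a same-origin absolute path, so a stored return_url
// can never send the browser to another host once the callback completes.
func IsLocalPath(u string) bool {
	p, err := url.Parse(u)
	if err != nil || p.Scheme != "" || p.Host != "" || p.User != nil {
		return false
	}
	return strings.HasPrefix(u, "/") && !strings.HasPrefix(u, "//") && !strings.ContainsAny(u, `\`)
}

// BeginAuth stores the state in the cookie and returns the identical value to be
// sent as the "state" parameter of the AuthN request. The 16-byte random nonce
// is an assumption; the page does not specify the nonce format.
func BeginAuth(w http.ResponseWriter, returnURL string, secure bool) (string, error) {
	if !IsLocalPath(returnURL) {
		return "", ErrUnsafeReturnURL
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	s := SessionState{Nonce: base64.RawURLEncoding.EncodeToString(b), ReturnURL: returnURL}
	enc, err := s.Encode()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{Name: StateCookieName, Value: enc, Path: "/", MaxAge: 600,
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode})
	return enc, nil
}

// VerifyCallback is the RP-side check on the OP's redirect: the state parameter
// must equal the cookie set before the round trip (both arrive from the same
// browser, so plain equality suffices), decode cleanly and carry a local return URL.
func VerifyCallback(r *http.Request) (SessionState, error) {
	c, err := r.Cookie(StateCookieName)
	if err != nil {
		return SessionState{}, errors.New("state cookie missing: flow was not started in this browser")
	}
	param := r.URL.Query().Get("state")
	if param == "" || param != c.Value {
		return SessionState{}, ErrStateMismatch
	}
	s, err := DecodeSessionState(param)
	if err != nil {
		return SessionState{}, err
	}
	if !IsLocalPath(s.ReturnURL) {
		return SessionState{}, ErrUnsafeReturnURL
	}
	return s, nil
}
```

Two design choices matter here. The cookie is SameSite=Lax rather than Strict because the callback arrives as a cross-site top-level navigation from the OP; Strict would withhold the cookie and every login would end in ErrStateMismatch. And ReturnURL is validated twice, when it is stored and again when it is read back, because the cookie is client-held and an attacker who can plant a cookie in a victim's browser would otherwise get a free open redirect after a successful login. The secure flag corresponds to CookieConfig.IssueSecureCookies on the page.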

type UserPrincipal

type UserPrincipal struct {
	ID     string   `json:"id"`
	Groups []string `json:"groups"`
}

UserPrincipal is a simple model for the user, including their ID and Groups.

func Principal

func Principal(ctx context.Context) *UserPrincipal

Principal gets the principal from the context.
