Documentation
Index
- Constants
- func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer)
- func WithAPIAuth(next http.Handler, srv *AuthServer) http.Handler
- func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context
- func WithWebAuth(next http.Handler, srv *AuthServer) http.Handler
- type AuthConfig
- type AuthServer
- type CookieConfig
- type JWTAuthorizationHeaderPrincipalGetter
- type JWTCookiePrincipalGetter
- type MultiAuthPrincipal
- type OIDCConfig
- type PrincipalGetter
- type SessionState
- type UserPrincipal
Constants
const (
	// StateCookieName is the name of the cookie that holds state during auth flow.
	StateCookieName = "state"
	// IDTokenCookieName is the name of the cookie that holds the ID Token once
	// the user has authenticated successfully with the OIDC Provider.
	IDTokenCookieName = "id_token"
	// RefreshTokenCookieName is the name of the cookie that holds the refresh
	// token.
	RefreshTokenCookieName = "refresh_token"
)
Variables
This section is empty.
Functions
func RegisterAuthServer
func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer)
RegisterAuthServer registers the /callback route under a specified prefix. This route is called by the OIDC Provider in order to pass back state after the authentication flow completes.
func WithAPIAuth
func WithAPIAuth(next http.Handler, srv *AuthServer) http.Handler
WithAPIAuth middleware adds auth validation to API handlers.
Unauthorized requests will be denied with a 401 status code.
func WithPrincipal
func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context
WithPrincipal sets the principal into the context.
func WithWebAuth
func WithWebAuth(next http.Handler, srv *AuthServer) http.Handler
WithWebAuth middleware adds auth validation to HTML handlers.
Unauthorized requests will be redirected to the OIDC Provider. It is meant to be used with routes that serve HTML content, not API routes.
Types
type AuthConfig
type AuthConfig struct {
	OIDCConfig
	CookieConfig
}
AuthConfig is used to configure an AuthServer.
type AuthServer
type AuthServer struct {
// contains filtered or unexported fields
}
AuthServer interacts with an OIDC issuer to handle the OAuth2 process flow.
func NewAuthServer
func NewAuthServer(ctx context.Context, logger logr.Logger, client *http.Client, config AuthConfig) (*AuthServer, error)
NewAuthServer creates a new AuthServer object.
func (*AuthServer) ServeHTTP
func (c *AuthServer) ServeHTTP(rw http.ResponseWriter, r *http.Request)
func (*AuthServer) SetRedirectURL
func (c *AuthServer) SetRedirectURL(url string)
SetRedirectURL is used to set the redirect URL. This is meant to be used in unit tests only.
type CookieConfig
CookieConfig is used to configure the cookies that get issued from the OIDC issuer once the OAuth2 process flow completes.
type JWTAuthorizationHeaderPrincipalGetter
type JWTAuthorizationHeaderPrincipalGetter struct {
// contains filtered or unexported fields
}
JWTAuthorizationHeaderPrincipalGetter inspects the Authorization header (bearer token) for a JWT token and returns a principal object.
func (*JWTAuthorizationHeaderPrincipalGetter) Principal
func (pg *JWTAuthorizationHeaderPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type JWTCookiePrincipalGetter
type JWTCookiePrincipalGetter struct {
// contains filtered or unexported fields
}
JWTCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal object.
func (*JWTCookiePrincipalGetter) Principal
func (pg *JWTCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)
type MultiAuthPrincipal
type MultiAuthPrincipal []PrincipalGetter
MultiAuthPrincipal iterates over a slice of principal getters and returns as soon as one of them yields either a principal or an error; if none does, it returns (nil, nil).
func (MultiAuthPrincipal) Principal
func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error)
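As an added example (not the package's own code), a miniature of this chain with two getters, one reading a bearer Authorization header and one reading the id_token cookie, with a constructed token table standing in for oidc.IDTokenVerifier; it shows the fail-closed property that a present-but-invalid credential stops the chain instead of falling through to the next getter. The header-then-cookie ordering and the UserPrincipal shape are assumptions made for illustration.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)
// Miniature of the documented types (not the package's own code): the chain
// returns on the first principal OR error, otherwise (nil, nil).
type UserPrincipal struct{ ID string }
type PrincipalGetter interface{ Principal(r *http.Request) (*UserPrincipal, error) }
type MultiAuthPrincipal []PrincipalGetter
func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error) {
	for _, g := range m {
		if p, err := g.Principal(r); err != nil || p != nil {
			return p, err // a bad credential fails closed; later getters are skipped
		}
	}
	return nil, nil
}
// credGetter: extract yields ok=false when the credential is absent; verify is a
// constructed table of accepted tokens standing in for oidc.IDTokenVerifier.
type credGetter struct {
	extract func(*http.Request) (string, bool)
	verify  map[string]*UserPrincipal
}
func (g credGetter) Principal(r *http.Request) (*UserPrincipal, error) {
	tok, ok := g.extract(r)
	if !ok {
		return nil, nil // no credential is not an error (see PrincipalGetter doc)
	}
	if p, found := g.verify[tok]; found {
		return p, nil
	}
	return nil, errors.New("credential present but verification failed")
}
// NewChain tries the bearer header first, then the "id_token" cookie (IDTokenCookieName).
func NewChain(accepted map[string]*UserPrincipal) MultiAuthPrincipal {
	bearer := func(r *http.Request) (string, bool) {
		a := r.Header.Get("Authorization")
		return strings.TrimPrefix(a, "Bearer "), strings.HasPrefix(a, "Bearer ")
	}
	cookie := func(r *http.Request) (string, bool) {
		if c, err := r.Cookie("id_token"); err == nil {
			return c.Value, true
		}
		return "", false
	}
	return MultiAuthPrincipal{credGetter{bearer, accepted}, credGetter{cookie, accepted}}
}
```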
type OIDCConfig
OIDCConfig is used to configure an AuthServer to interact with an OIDC issuer.
type PrincipalGetter
type PrincipalGetter interface {
	// Principal extracts a principal from the http.Request.
	// It's not an error for there to be no principal in the request.
	Principal(r *http.Request) (*UserPrincipal, error)
}
PrincipalGetter implementations are responsible for extracting a named principal from an HTTP request.
func NewJWTAuthorizationHeaderPrincipalGetter
func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier) PrincipalGetter
func NewJWTCookiePrincipalGetter
func NewJWTCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string) PrincipalGetter
type SessionState
SessionState represents the state that needs to be persisted between the AuthN request from the Relying Party (RP) to the authorization endpoint of the OpenID Provider (OP) and the AuthN response back from the OP to the RP's callback URL. This state could be persisted server-side in a data store such as Redis, but we prefer to operate statelessly, so we store it in a cookie instead. The cookie value and the value of the "state" parameter passed in the AuthN request are identical and set to the base64-encoded, JSON-serialised state.
https://openid.net/specs/openid-connect-core-1_0.html#Overview
https://auth0.com/docs/configure/attack-protection/state-parameters#alternate-redirect-method
https://community.auth0.com/t/state-parameter-and-user-redirection/8387/2
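As an added example, not the package's own code, the state cookie round trip described above: the same base64(JSON) value goes into the StateCookieName cookie and into the AuthN request's state parameter, and the callback rejects any response whose state does not match the cookie before decoding it. The SessionState fields (Nonce, ReturnURL), the URL-safe base64 alphabet and the cookie attributes are assumptions; the page does not show them.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
)
const StateCookieName = "state" // as documented above
// SessionState's real fields are not shown on the page; these two are assumed
// for illustration (a constructed example, not the package's own type).
type SessionState struct {
	Nonce     string `json:"nonce"`
	ReturnURL string `json:"return_url"`
}
// beginLogin stores the base64(JSON) state in the StateCookieName cookie and
// returns the identical value for the AuthN request's state parameter.
func beginLogin(w http.ResponseWriter, returnURL string) (string, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return "", err
	}
	b, err := json.Marshal(SessionState{Nonce: base64.RawURLEncoding.EncodeToString(n), ReturnURL: returnURL})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString(b) // URL-safe alphabet is assumed
	http.SetCookie(w, &http.Cookie{Name: StateCookieName, Value: enc, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return enc, nil
}

// verifyCallback is the RP-side check on /callback: the state echoed back by the
// OP must equal the cookie byte-for-byte before the state is decoded and trusted.
func verifyCallback(r *http.Request) (s SessionState, err error) {
	c, err := r.Cookie(StateCookieName)
	if err != nil {
		return s, errors.New("missing state cookie")
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return s, errors.New("state mismatch: reject the callback")
	}
	raw, err := base64.RawURLEncoding.DecodeString(got)
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(raw, &s)
}
```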
type UserPrincipal
UserPrincipal is a simple model for the user, including their ID and Groups.
func Principal
func Principal(ctx context.Context) *UserPrincipal
Principal gets the principal from the context.