Constants ¶
// OpenID keys and envs.
//
// The lowercase values are the keys used in the config KVS; the
// MINIO_IDENTITY_OPENID_* values are the environment variables that
// override them (see LookupConfig).
const (
	JwksURL            = "jwks_url"
	ConfigURL          = "config_url"
	ClaimName          = "claim_name"
	ClaimUserinfo      = "claim_userinfo"
	ClaimPrefix        = "claim_prefix"
	ClientID           = "client_id"
	ClientSecret       = "client_secret" // credential material: keep out of logs and help output
	RolePolicy         = "role_policy"
	Vendor             = "vendor"
	Scopes             = "scopes"
	RedirectURI        = "redirect_uri"
	RedirectURIDynamic = "redirect_uri_dynamic"

	// Vendor specific keys, only enabled if Vendor matches the vendor name.
	KeyCloakRealm    = "keycloak_realm"
	KeyCloakAdminURL = "keycloak_admin_url"

	EnvIdentityOpenIDVendor             = "MINIO_IDENTITY_OPENID_VENDOR"
	EnvIdentityOpenIDClientID           = "MINIO_IDENTITY_OPENID_CLIENT_ID"
	EnvIdentityOpenIDClientSecret       = "MINIO_IDENTITY_OPENID_CLIENT_SECRET" // credential material, same caveat as ClientSecret
	EnvIdentityOpenIDURL                = "MINIO_IDENTITY_OPENID_CONFIG_URL"
	EnvIdentityOpenIDClaimName          = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
	EnvIdentityOpenIDClaimUserInfo      = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
	EnvIdentityOpenIDClaimPrefix        = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
	EnvIdentityOpenIDRolePolicy         = "MINIO_IDENTITY_OPENID_ROLE_POLICY"
	EnvIdentityOpenIDRedirectURI        = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
	EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC"
	EnvIdentityOpenIDScopes             = "MINIO_IDENTITY_OPENID_SCOPES"

	// Vendor specific ENVs, only enabled if Vendor matches the vendor name.
	EnvIdentityOpenIDKeyCloakRealm    = "MINIO_IDENTITY_OPENID_KEYCLOAK_REALM"
	EnvIdentityOpenIDKeyCloakAdminURL = "MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL"
)
OpenID keys and envs.
Variables ¶
// Specific instances for EC256 and company.
//
// NOTE(review): these are declared without initializers here; presumably
// they are assigned during package initialization — confirm before relying
// on them being non-nil.
var (
	SigningMethodES3256 *jwt.SigningMethodECDSA
	SigningMethodES3384 *jwt.SigningMethodECDSA
	SigningMethodES3512 *jwt.SigningMethodECDSA
)
Specific instances for EC256 and company
// Specific instances for RS256 and company.
//
// NOTE(review): these are declared without initializers here; presumably
// they are assigned during package initialization — confirm before relying
// on them being non-nil.
var (
	SigningMethodRS3256 *jwt.SigningMethodRSA
	SigningMethodRS3384 *jwt.SigningMethodRSA
	SigningMethodRS3512 *jwt.SigningMethodRSA
)
Specific instances for RS256 and company
// DefaultKVS - default config for OpenID config.
//
// Every key defaults to empty except ClaimName, which defaults to the
// IAM policy claim name, and RedirectURIDynamic, which defaults to "off".
// ClientSecret is intentionally empty by default; it must be supplied by
// the operator.
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   ConfigURL,
			Value: "",
		},
		config.KV{
			Key:   ClientID,
			Value: "",
		},
		config.KV{
			Key:   ClientSecret,
			Value: "",
		},
		config.KV{
			Key:   ClaimName,
			Value: iampolicy.PolicyName, // claim carrying the canned policy name
		},
		config.KV{
			Key:   ClaimUserinfo,
			Value: "",
		},
		config.KV{
			Key:   RolePolicy,
			Value: "",
		},
		config.KV{
			Key:   ClaimPrefix,
			Value: "",
		},
		config.KV{
			Key:   RedirectURI,
			Value: "",
		},
		config.KV{
			Key:   RedirectURIDynamic,
			Value: "off", // Host-header based redirect URIs are opt-in
		},
		config.KV{
			Key:   Scopes,
			Value: "",
		},
	}
)
DefaultKVS - default config for OpenID config
// ErrTokenExpired - error returned when a token has expired.
var (
	ErrTokenExpired = errors.New("token expired")
)
ErrTokenExpired - error token expired
// Help template for OpenID identity feature.
//
// NOTE(review): ClaimPrefix and RedirectURI each appear twice in this list
// (once before the config.Comment entry and once after); confirm whether the
// duplicate entries are intended. The line break inside the first ClaimPrefix
// Description may be a rendering artifact — confirm against the source file.
var (
	Help = config.HelpKVS{
		config.HelpKV{
			Key:         ConfigURL,
			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"`,
			Type:        "url",
		},
		config.HelpKV{
			Key:         ClientID,
			Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"`,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClientSecret,
			Description: `secret for the unique public identifier for apps e.g.`,
			Type:        "string",
			Optional:    true,
		},
		config.HelpKV{
			Key:         ClaimName,
			Description: `JWT canned policy claim name, defaults to "policy"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimUserinfo,
			Description: `Enable fetching claims from UserInfo Endpoint for authenticated user`,
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         RolePolicy,
			Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         Scopes,
			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
			Optional:    true,
			Type:        "csv",
		},
		config.HelpKV{
			Key:         Vendor,
			Description: `Specify vendor type for vendor specific behavior to checking validity of temporary credentials and service accounts on MinIO`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         KeyCloakRealm,
			Description: `Specify Keycloak 'realm' name, only honored if vendor was set to 'keycloak' as value, if no realm is specified 'master' is default`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         KeyCloakAdminURL,
			Description: `Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURIDynamic,
			Description: `Enable 'Host' header based dynamic redirect URI`,
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ClaimPrefix,
			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. 
"customer1/"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,
			Type:        "sentence",
		},
		config.HelpKV{
			Key:         ClaimPrefix,
			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
			Optional:    true,
			Type:        "string",
		},
	}
)
Help template for OpenID identity feature.
Functions ¶
Types ¶
type Config ¶
// Config - OpenID Config RSA authentication target arguments.
//
// The embedded *sync.RWMutex is a pointer, so copies of a Config share the
// same lock; it must be non-nil before any locking method is called.
//
// NOTE(review): ClientID, ClientSecret and RolePolicy carry no json tag, so
// encoding/json would emit them under their field names. ClientSecret is
// credential material — confirm the struct is never serialized into logs or
// responses that a less-privileged party can read.
type Config struct {
	*sync.RWMutex

	Enabled bool `json:"enabled"`

	// JWKS holds the key-set URL used by PopulatePublicKey.
	JWKS struct {
		URL *xnet.URL `json:"url"`
	} `json:"jwks"`
	URL *xnet.URL `json:"url,omitempty"`

	// ClaimPrefix is deprecated in favor of ClaimName (see Help).
	ClaimPrefix   string `json:"claimPrefix,omitempty"`
	ClaimName     string `json:"claimName,omitempty"`
	ClaimUserinfo bool   `json:"claimUserInfo,omitempty"`

	// RedirectURI is deprecated in favor of MINIO_BROWSER_REDIRECT_URL (see Help).
	RedirectURI        string `json:"redirectURI,omitempty"`
	RedirectURIDynamic bool   `json:"redirectURIDynamic"`

	DiscoveryDoc DiscoveryDoc
	ClientID     string
	ClientSecret string // credential material, see note above
	RolePolicy   string
	// contains filtered or unexported fields
}
Config - OpenID Config RSA authentication target arguments
func LookupConfig ¶
func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error)
LookupConfig looks up the JWKS settings from config, overriding them with any ENVs.
func (Config) GetRoleInfo ¶
GetRoleInfo - returns the role ARN and policy if present; otherwise the boolean result is false.
func (*Config) GetSettings ¶
func (r *Config) GetSettings() madmin.OpenIDSettings
GetSettings - fetches OIDC settings for site-replication related validation. NOTE that the region must be populated by the caller, as this package does not know it.
func (*Config) InitializeKeycloakProvider ¶
InitializeKeycloakProvider - initializes keycloak provider
func (Config) InitializeProvider ¶
InitializeProvider initializes the provider if any additional vendor-specific information was provided; initialization returns an error if the initial login fails.
func (Config) LookupUser ¶
LookupUser looks up the given userid with the provider.
func (*Config) PopulatePublicKey ¶
PopulatePublicKey - populates a new publickey from the JWKS URL.
func (Config) ProviderEnabled ¶
ProviderEnabled returns true if any vendor specific provider is enabled.
func (*Config) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data.
func (*Config) UserInfo ¶
UserInfo returns claims for authenticated user from userInfo endpoint.
Some OIDC implementations, such as GitLab, do not support claims as part of the normal oauth2 flow and instead rely on service providers making calls to the IDP to fetch the additional claims available from the UserInfo endpoint.
type DiscoveryDoc ¶
// DiscoveryDoc - parsed output of an openid-configuration document, for example
// https://accounts.google.com/.well-known/openid-configuration
//
// Every field is optional on the wire (omitempty); callers should not assume
// any endpoint is populated.
type DiscoveryDoc struct {
	Issuer             string `json:"issuer,omitempty"`
	AuthEndpoint       string `json:"authorization_endpoint,omitempty"`
	TokenEndpoint      string `json:"token_endpoint,omitempty"`
	UserInfoEndpoint   string `json:"userinfo_endpoint,omitempty"`
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
	// JwksURI is where the provider publishes its signing keys.
	JwksURI                          string   `json:"jwks_uri,omitempty"`
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}
DiscoveryDoc - holds the parsed output of an openid-configuration document, for example https://accounts.google.com/.well-known/openid-configuration
type JWKS ¶
// JWKS is a JSON Web Key Set as fetched from a provider's jwks_uri.
//
// The same type represents both the set and an individual key: Keys is
// populated on the top-level document, the remaining fields describe one key.
//
// NOTE(review): D and K are the private (EC/RSA) and symmetric key parameters
// of a JWK; a key set fetched from a provider is expected to carry public
// parameters only. Confirm these fields are never logged or persisted.
type JWKS struct {
	Keys []*JWKS `json:"keys,omitempty"`

	Kty string `json:"kty"` // key type, the only required field
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`

	// EC parameters.
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	D   string `json:"d,omitempty"` // private scalar / RSA private exponent, see note above

	// RSA parameters.
	N string `json:"n,omitempty"`
	E string `json:"e,omitempty"`

	// Symmetric key value, see note above.
	K string `json:"k,omitempty"`
}
type Validator ¶
// Validator interface describes basic implementation requirements of various
// authentication providers.
type Validator interface {
	// Validate is a custom validator function for this provider,
	// each validation is authenticationType or provider specific.
	// On success it returns the claims extracted from the token.
	Validate(idToken, accessToken, duration string) (map[string]interface{}, error)

	// ID returns provider name of this provider.
	ID() ID
}
Validator interface describes basic implementation requirements of various authentication providers.
type Validators ¶
Validators - holds list of providers indexed by provider id.
func (*Validators) Add ¶
func (list *Validators) Add(provider Validator) error
Add - adds unique provider to provider list.
func (*Validators) Get ¶
func (list *Validators) Get(id ID) (p Validator, err error)
Get - returns the provider for the given providerID; if it is not found, an error is returned.
func (*Validators) List ¶
func (list *Validators) List() []ID
List - returns available provider IDs.