Documentation ¶
Overview ¶
Package auth implements authentication and authorization framework for HTTP servers.
Index ¶
- Constants
- Variables
- func Authenticate(m ...Method) router.Middleware
- func CurrentIdentity(c context.Context) identity.Identity
- func GetDB(c context.Context) (authdb.DB, error)
- func GetPerRPCCredentials(kind RPCAuthorityKind, opts ...RPCOption) (credentials.PerRPCCredentials, error)
- func GetRPCTransport(c context.Context, kind RPCAuthorityKind, opts ...RPCOption) (http.RoundTripper, error)
- func GetSigner(c context.Context) signing.Signer
- func GetTokenSource(c context.Context, kind RPCAuthorityKind, opts ...RPCOption) (oauth2.TokenSource, error)
- func Initialize(c context.Context, cfg *Config) context.Context
- func InstallHandlers(r *router.Router, base router.MiddlewareChain)
- func IsMember(c context.Context, groups ...string) (bool, error)
- func LoginURL(c context.Context, dest string) (string, error)
- func LogoutURL(c context.Context, dest string) (string, error)
- func MintAccessTokenForServiceAccount(ctx context.Context, params MintAccessTokenParams) (*oauth2.Token, error)
- func MintDelegationToken(ctx context.Context, p DelegationTokenParams) (*delegation.Token, error)
- func MintProjectToken(ctx context.Context, p ProjectTokenParams) (*oauth2.Token, error)
- func ModifyConfig(c context.Context, cb func(Config) Config) context.Context
- func WithState(c context.Context, s State) context.Context
- type AccessTokenProvider
- type AnonymousTransportProvider
- type Authenticator
- func (a *Authenticator) Authenticate(c context.Context, r *http.Request) (context.Context, error)
- func (a *Authenticator) GetMiddleware() router.Middleware
- func (a *Authenticator) LoginURL(c context.Context, dest string) (string, error)
- func (a *Authenticator) LogoutURL(c context.Context, dest string) (string, error)
- type Config
- type DBProvider
- type DelegationTokenParams
- type GoogleOAuth2Method
- type Method
- type MintAccessTokenParams
- type ProjectTokenParams
- type RPCAuthorityKind
- type RPCOption
- type Session
- type SessionStore
- type State
- type User
- type UserCredentialsGetter
- type UsersAPI
Constants ¶
const ( // MaxDelegationTokenTTL is maximum allowed token lifetime that can be // requested via MintDelegationToken. MaxDelegationTokenTTL = 3 * time.Hour )
const ( // MaxScopedTokenTTL is maximum allowed token lifetime that can be // requested via MintScopedToken. MaxScopedTokenTTL = 15 * time.Minute )
const XLUCIProjectHeader = "X-Luci-Project"
XLUCIProjectHeader is a header with the current project for internal LUCI RPCs done via AsProject authority.
Variables ¶
var ( // ErrNotConfigured is returned by Authenticate and other functions if the // context wasn't previously initialized via 'Initialize'. ErrNotConfigured = errors.New("auth: the library is not properly configured") // ErrNoUsersAPI is returned by LoginURL and LogoutURL if none of // the authentication methods support UsersAPI. ErrNoUsersAPI = errors.New("auth: methods do not support login or logout URL") // ErrBadClientID is returned by Authenticate if caller is using // non-whitelisted OAuth2 client. More info is in the log. ErrBadClientID = errors.New("auth: OAuth client_id is not whitelisted") // ErrIPNotWhitelisted is returned when an account is restricted by an IP // whitelist and request's remote_addr is not in it. ErrIPNotWhitelisted = errors.New("auth: IP is not whitelisted") // ErrNoForwardableCreds is returned when attempting to forward credentials // (via AsCredentialsForwarder) that are not forwardable. ErrNoForwardableCreds = errors.New("auth: no forwardable credentials in the context") )
var ( // ErrTokenServiceNotConfigured is returned by MintDelegationToken if the // token service URL is not configured. This usually means the corresponding // auth service is not paired with a token server. ErrTokenServiceNotConfigured = fmt.Errorf("auth: token service URL is not configured") // ErrBrokenTokenService is returned by MintDelegationToken if the RPC to the // token service succeeded, but response doesn't make sense. This should not // generally happen. ErrBrokenTokenService = fmt.Errorf("auth: unrecognized response from the token service") // ErrAnonymousDelegation is returned by MintDelegationToken if it is used in // a context of handling of an anonymous call. // // There's no identity to delegate in this case. ErrAnonymousDelegation = fmt.Errorf("auth: can't get delegation token for anonymous user") // ErrBadTargetHost is returned by MintDelegationToken if it receives invalid // TargetHost parameter. ErrBadTargetHost = fmt.Errorf("auth: invalid TargetHost (doesn't look like a hostname:port pair)") // ErrBadTokenTTL is returned by MintDelegationToken and MintProjectToken if requested // token lifetime is outside of the allowed range. ErrBadTokenTTL = fmt.Errorf("auth: requested token TTL is invalid") // ErrBadDelegationTag is returned by MintDelegationToken if some of the // passed tags are malformed. ErrBadDelegationTag = fmt.Errorf("auth: provided delegation tags are invalid") )
var ErrBadOAuthToken = errors.New("oauth: bad access token")
ErrBadOAuthToken is returned by GoogleOAuth2Method if the access token it checks is bad.
Functions ¶
func Authenticate ¶
func Authenticate(m ...Method) router.Middleware
Authenticate returns a middleware that performs authentication.
Typically you only one one Method, but you may specify multiple Methods to be tried in order (see Authenticator).
This middleware either updates the context by injecting the authentication state into it (enabling functions like CurrentIdentity and IsMember), or aborts the request with an HTTP 401 or HTTP 500 error.
Note that it passes through anonymous requests. CurrentIdentity returns identity.AnonymousIdentity in this case. Use separate authorization layer to further restrict the access, if necessary.
func CurrentIdentity ¶
CurrentIdentity return identity of the current caller.
Shortcut for GetState(c).User().Identity(). Returns AnonymousIdentity if the context doesn't have State.
func GetDB ¶
GetDB returns most recent snapshot of authorization database using DBProvider installed in the context via 'Initialize' or 'ModifyConfig'.
If no factory is installed, returns DB that forbids everything and logs errors. It is often good enough for unit tests that do not care about authorization, and still not horribly bad if accidentally used in production.
func GetPerRPCCredentials ¶
func GetPerRPCCredentials(kind RPCAuthorityKind, opts ...RPCOption) (credentials.PerRPCCredentials, error)
GetPerRPCCredentials returns gRPC's PerRPCCredentials implementation.
It can be used to authenticate outbound gPRC RPC's.
func GetRPCTransport ¶
func GetRPCTransport(c context.Context, kind RPCAuthorityKind, opts ...RPCOption) (http.RoundTripper, error)
GetRPCTransport returns http.RoundTripper to use for outbound HTTP RPC requests.
Usage:
tr, err := auth.GetRPCTransport(c, auth.AsSelf, auth.WithScopes("...")) if err != nil { return err } client := &http.Client{Transport: tr} ...
func GetSigner ¶
GetSigner returns the signing.Signer instance representing the service.
It is injected into the context as part of Config. It can be used to grab a service account the service is running as or its current public certificates.
Returns nil if the signer is not available.
func GetTokenSource ¶
func GetTokenSource(c context.Context, kind RPCAuthorityKind, opts ...RPCOption) (oauth2.TokenSource, error)
GetTokenSource returns an oauth2.TokenSource bound to the supplied Context.
Supports only AsSelf, AsCredentialsForwarder and AsActor authorization kinds, since they are only ones that exclusively use OAuth2 tokens and no other extra headers.
While GetPerRPCCredentials is preferred, this can be used by packages that cannot or do not properly handle this gRPC option.
func Initialize ¶
Initialize inserts authentication configuration into the context.
An initialized context is required by any other function in the package. They return ErrNotConfigured otherwise.
Calling Initialize twice causes a panic.
func InstallHandlers ¶
func InstallHandlers(r *router.Router, base router.MiddlewareChain)
InstallHandlers installs authentication related HTTP handlers.
All new HTTP routes live under '/auth/api/' prefix.
If you are using appengine/gaeauth/server, these handlers are already installed.
func IsMember ¶
IsMember returns true if the current caller is in any of the given groups.
Unknown groups are considered empty (the function returns false).
May return errors if the check can not be performed (e.g. on datastore issues).
func LoginURL ¶
LoginURL returns a URL that, when visited, prompts the user to sign in, then redirects the user to the URL specified by dest.
Shortcut for GetState(c).Authenticator().LoginURL(...).
func LogoutURL ¶
LogoutURL returns a URL that, when visited, signs the user out, then redirects the user to the URL specified by dest.
Shortcut for GetState(c).Authenticator().LogoutURL(...).
func MintAccessTokenForServiceAccount ¶
func MintAccessTokenForServiceAccount(ctx context.Context, params MintAccessTokenParams) (*oauth2.Token, error)
MintAccessTokenForServiceAccount produces an access token for some service account that the current service has "iam.serviceAccountActor" role in.
Used to implement AsActor authorization kind, but can also be used directly, if needed. The token is cached internally. Same token may be returned by multiple calls, if its lifetime allows.
Recognizes transient errors and marks them, but does not automatically retry. Has internal timeout of 10 sec.
func MintDelegationToken ¶
func MintDelegationToken(ctx context.Context, p DelegationTokenParams) (*delegation.Token, error)
MintDelegationToken returns a delegation token that can be used by the current service to "pretend" to be the current caller (as returned by CurrentIdentity(...)) when sending requests to some other LUCI service.
The delegation token is essentially a signed assertion that the current service is allowed to access some other service on behalf of the current user.
A token can be targeted to some single specific service or usable by any allowed LUCI service (aka 'untargeted'). See TargetHost and Untargeted fields in DelegationTokenParams.
The token is cached internally. Same token may be returned by multiple calls, if its lifetime allows.
func MintProjectToken ¶
MintProjectToken returns a LUCI project-scoped OAuth2 token that can be used to access external resources on behalf of the project.
It protects against accidental cross-project resource access. A token is targeted to some single specific LUCI project. The token is cached internally. Same token may be returned by multiple calls, if its lifetime allows.
func ModifyConfig ¶
ModifyConfig makes a context with a derived configuration.
It grabs current configuration from the context (if any), passes it to the callback, and puts whatever callback returns into a derived context.
Types ¶
type AccessTokenProvider ¶
AccessTokenProvider knows how to generate OAuth2 access token for the service account belonging to the server itself.
type AnonymousTransportProvider ¶
type AnonymousTransportProvider func(c context.Context) http.RoundTripper
AnonymousTransportProvider returns http.RoundTriper that can make unauthenticated HTTP requests.
The returned round tripper is assumed to be bound to the context and won't outlive it.
type Authenticator ¶
type Authenticator struct {
Methods []Method // a list of authentication methods to try
}
Authenticator performs authentication of incoming requests.
It is a stateless object configured with a list of methods to try when authenticating incoming requests. It implements Authenticate method that performs high-level authentication logic using the provided list of low-level auth methods.
Note that most likely you don't need to instantiate this object directly. Use Authenticate middleware instead. Authenticator is exposed publicly only to be used in advanced cases, when you need to fine-tune authentication behavior.
func (*Authenticator) Authenticate ¶
Authenticate authenticates the requests and adds State into the context.
Returns an error if credentials are provided, but invalid. If no credentials are provided (i.e. the request is anonymous), finishes successfully, but in that case State.Identity() returns AnonymousIdentity.
func (*Authenticator) GetMiddleware ¶
func (a *Authenticator) GetMiddleware() router.Middleware
GetMiddleware returns a middleware that uses this Authenticator for authentication.
It uses a.Authenticate internally and handles errors appropriately.
func (*Authenticator) LoginURL ¶
LoginURL returns a URL that, when visited, prompts the user to sign in, then redirects the user to the URL specified by dest.
Returns ErrNoUsersAPI if none of the authentication methods support login URLs.
type Config ¶
type Config struct { // DBProvider is a callback that returns most recent DB instance. DBProvider DBProvider // Signer possesses the service's private key and can sign blobs with it. // // It provides the bundle with corresponding public keys and information about // the service account they belong too (the service's own identity). // // Used to implement '/auth/api/v1/server/(certificates|info)' routes. Signer signing.Signer // AccessTokenProvider knows how to generate OAuth2 access token for the // service account belonging to the server itself. AccessTokenProvider AccessTokenProvider // AnonymousTransport returns http.RoundTriper that can make unauthenticated // HTTP requests. // // The returned round tripper is assumed to be bound to the context and won't // outlive it. AnonymousTransport AnonymousTransportProvider // EndUserIP takes a request and returns IP address of a user that sent it. // // If nil, a default implementation is used. It simply returns r.RemoteAddr. // // A custom implementation may parse X-Forwarded-For header (or other headers) // depending on how load balancers and proxies in front the server populate // them. EndUserIP func(r *http.Request) string // IsDevMode is true when running the server locally during development. // // Setting this to true changes default deadlines. For instance, GAE dev // server is known to be very slow and deadlines tuned for production // environment are too limiting. IsDevMode bool }
Config contains global configuration of the auth library.
This configuration adjusts the library to the particular execution environment (GAE, Flex, whatever). It contains concrete implementations of various interfaces used by the library.
It lives in the context and must be installed there by some root middleware (via ModifyConfig call).
type DBProvider ¶
DBProvider is a callback that returns most recent DB instance.
DB represents a snapshot of user groups used for authorization checks.
type DelegationTokenParams ¶
type DelegationTokenParams struct { // TargetHost, if given, is hostname (with, possibly, ":port") of a service // that the token will be sent to. // // If this parameter is used, the resulting delegation token is scoped // only to the service at TargetHost. All other services will reject it. // // Must be set if Untargeted is false. Ignored if Untargeted is true. TargetHost string // Untargeted, if true, indicates that the caller is requesting a token that // is not scoped to any particular service. // // Such token can be sent to any supported LUCI service. Only whitelisted set // of callers have such superpower. // // If Untargeted is true, TargetHost is ignored. Untargeted bool // MinTTL defines an acceptable token lifetime. // // The returned token will be valid for at least MinTTL, but no longer than // MaxDelegationTokenTTL (which is 3h). // // Default is 10 min. MinTTL time.Duration // Intent is a reason why the token is created. // // Used only for logging purposes on the auth service, will be indexed. Should // be a short identifier-like string. // // Optional. Intent string // Tags are optional arbitrary key:value pairs embedded into the token. // // They convey circumstance of why the token is created. // // Services that accept the token may use them for additional authorization // decisions. Please use extremely carefully, only when you control both sides // of the delegation link and can guarantee that services involved understand // the tags. Tags []string // contains filtered or unexported fields }
DelegationTokenParams is passed to MintDelegationToken.
type GoogleOAuth2Method ¶
type GoogleOAuth2Method struct { // Scopes is a list of OAuth scopes to check when authenticating the token. Scopes []string // contains filtered or unexported fields }
GoogleOAuth2Method implements Method on top of Google's OAuth2 endpoint.
It is useful for development verification (e.g., "dev_appserver") or verification in environments without the User API (e.g., Flex).
func (*GoogleOAuth2Method) Authenticate ¶
func (m *GoogleOAuth2Method) Authenticate(c context.Context, r *http.Request) (user *User, err error)
Authenticate implements Method.
func (*GoogleOAuth2Method) GetUserCredentials ¶
func (m *GoogleOAuth2Method) GetUserCredentials(c context.Context, r *http.Request) (*oauth2.Token, error)
GetUserCredentials implements UserCredentialsGetter.
type Method ¶
type Method interface { // Authenticate extracts user information from the incoming request. // // It returns: // * (*User, nil) on success. // * (nil, nil) if the method is not applicable. // * (nil, error) if the method is applicable, but credentials are invalid. Authenticate(context.Context, *http.Request) (*User, error) }
Method implements a particular kind of low-level authentication mechanism.
It may also optionally implement UsersAPI (if the method support login and logout URLs).
Methods are not usually used directly, but passed to Authenticator{...} that knows how to apply them.
type MintAccessTokenParams ¶
type MintAccessTokenParams struct { // ServiceAccount is an email of a service account to mint a token for. ServiceAccount string // Scopes is a list of OAuth scopes the token should have. Scopes []string // MinTTL defines an acceptable token lifetime. // // The returned token will be valid for at least MinTTL, but no longer than // one hour. // // Default is 2 min. MinTTL time.Duration }
MintAccessTokenParams is passed to MintAccessTokenForServiceAccount.
type ProjectTokenParams ¶
type ProjectTokenParams struct { // LuciProject is the name of the LUCI project for which a token will be obtained. LuciProject string // OAuthScopes resemble the requested OAuth scopes for which the token is valid. OAuthScopes []string // MinTTL defines a minimally acceptable token lifetime. // // The returned token will be valid for at least MinTTL, but no longer than // MaxScopedTokenTTL (which is 15min). // // Default is 2 min. MinTTL time.Duration // contains filtered or unexported fields }
ProjectTokenParams defines the parameters to create project scoped service account OAuth2 tokens.
type RPCAuthorityKind ¶
type RPCAuthorityKind int
RPCAuthorityKind defines under whose authority RPCs are made.
const ( // NoAuth is used for outbound RPCs that don't have any implicit auth headers. NoAuth RPCAuthorityKind = iota // AsSelf is used for outbound RPCs sent with the authority of the current // service itself. // // RPC requests done in this mode will have 'Authorization' header set to the // OAuth2 access token of the service's own service account. // // By default uses "https://www.googleapis.com/auth/userinfo.email" API scope. // Can be customized with WithScopes() options. // // AsSelf should be used very sparingly, only for "maintenance" RPCs that // happen outside of the context of any LUCI project or any end-user request. // Using AsSelf to authorize RPCs that touch user data leads to "confused // deputy" problems. Strongly prefer to use AsProject or AsUser instead. AsSelf // AsUser is used for outbound RPCs that inherit the authority of a user // that initiated the request that is currently being handled, regardless of // how exactly the user was authenticated. // // The implementation is based on LUCI-specific protocol that uses special // delegation tokens. Only LUCI backends can understand them. // // If you need to call non-LUCI services, and incoming requests are // authenticated via OAuth access tokens, use AsCredentialsForwarder instead. // // If the current request was initiated by an anonymous caller, the RPC will // have no auth headers (just like in NoAuth mode). // // Can also be used together with MintDelegationToken to make requests on // user behalf asynchronously. For example, to associate end-user authority // with some delayed task, call MintDelegationToken (in a context of a user // initiated request) when this task is created and store the resulting token // along with the task. Then, to make an RPC on behalf of the user from the // task use GetRPCTransport(ctx, AsUser, WithDelegationToken(token)). AsUser // AsCredentialsForwarder is used for outbound RPCs that just forward the // user credentials, exactly as they were received by the service. // // For authenticated calls, works only if the current request was // authenticated via an OAuth access token. // // If the current request was initiated by an anonymous caller, the RPC will // have no auth headers (just like in NoAuth mode). // // An attempt to use GetRPCTransport(ctx, AsCredentialsForwarder) with // unsupported credentials results in an error. AsCredentialsForwarder // AsActor is used for outbound RPCs sent with the authority of some service // account that the current service has "iam.serviceAccountActor" role in. // // RPC requests done in this mode will have 'Authorization' header set to // the access token of the service account specified by WithServiceAccount() // option. // // By default uses "https://www.googleapis.com/auth/userinfo.email" API scope. // Can be customized with WithScopes() options. AsActor // AsProject is used for outbounds RPCs sent with the authority of some LUCI // project (specified via WithProject option). // // When used to call external services (anything that is not a part of the // current LUCI deployment), uses 'Authorization' header with OAuth2 access // token associated with the project-specific service account (specified with // the LUCI project definition in 'project.cfg' deployment configuration // file). // // By default uses "https://www.googleapis.com/auth/userinfo.email" API scope // in this case. Can be customized with WithScopes() options. // // When used to call LUCI services belonging the same LUCI deployment (per // 'internal_service_regexp' setting in 'security.cfg' deployment // configuration file) uses the current service's OAuth2 access token plus // 'X-Luci-Project' header with the project name. Such calls are authenticated // by the peer as coming from 'project:<name>' identity. Any custom OAuth // scopes supplied via WithScopes() option are ignored in this case. AsProject )
type RPCOption ¶
type RPCOption interface {
// contains filtered or unexported methods
}
RPCOption is an option for GetRPCTransport or GetPerRPCCredentials functions.
func WithDelegationTags ¶
WithDelegationTags can be used to attach tags to the delegation token used internally in AsUser mode.
The recipient of the RPC that uses the delegation will be able to extract them, if necessary. They are also logged in the token server logs.
Each tag is a key:value string.
Note that any delegation tags are ignored if the current request was initiated by an anonymous caller, since delegation protocol is not actually used in this case.
func WithDelegationToken ¶
WithDelegationToken can be used to attach an existing delegation token to requests made in AsUser mode.
The token can be obtained earlier via MintDelegationToken call. The transport doesn't attempt to validate it and just blindly sends it to the other side.
func WithMonitoringClient ¶
WithMonitoringClient allows to override 'client' field that goes into HTTP client monitoring metrics (such as 'http/response_status').
The default value of the field is "luci-go-server".
Note that the metrics also include hostname of the target service (in 'name' field), so in most cases it is fine to use the default client name. Overriding it may be useful if you want to differentiate between requests made to the same host from a bunch of different places in the code.
This option has absolutely no effect when passed GetPerRPCCredentials() or GetTokenSource(). It applies only to GetRPCTransport().
func WithProject ¶
WithProject can be used to generate an OAuth token with an identity bound to that particular LUCI project.
func WithScopes ¶
WithScopes can be used to customize OAuth scopes for outbound RPC requests.
If not used, the requests are made with "userinfo.email" scope.
func WithServiceAccount ¶
WithServiceAccount option must be used with AsActor authority kind to specify what service account to act as.
type Session ¶
type Session struct { SessionID string // same as `sessionID` passed to GetSession() UserID string // authentication provider specific user id User User // user profile, including identity string Exp time.Time // when the session expires }
Session is returned by SessionStore.GetSession(...).
type SessionStore ¶
type SessionStore interface { // OpenSession create a new session for a user with given expiration time. // It returns unique session ID. OpenSession(c context.Context, userID string, u *User, exp time.Time) (string, error) // CloseSession closes a session given its ID. Does nothing if session is // already closed or doesn't exist. Returns only transient errors. CloseSession(c context.Context, sessionID string) error // GetSession returns existing non-expired session given its ID. Returns nil // if session doesn't exist, closed or expired. Returns only transient errors. GetSession(c context.Context, sessionID string) (*Session, error) }
SessionStore keeps user sessions in some permanent storage. SessionStore is used by some authentication methods (e.g. openid.AuthMethod).
type State ¶
type State interface { // Authenticator is an Authenticator used to authenticate the request. Authenticator() *Authenticator // DB is authdb.DB snapshot with authorization information to use when // processing this request. // // Use directly only when you know what your are doing. Prefer to use wrapping // functions (e.g. IsMember) instead. DB() authdb.DB // Method returns authentication method used for current request or nil if // request is anonymous. // // If non-nil, its one of the methods in Authenticator.Methods. Method() Method // User holds the identity and profile of the current caller. User.Identity // usually matches PeerIdentity(), but can be different if delegation is used. // This field is never nil. For anonymous call it contains User with identity // AnonymousIdentity. Do not modify it. User() *User // PeerIdentity identifies whoever is making the request. It's an identity // directly extracted from user credentials (ignoring delegation tokens). PeerIdentity() identity.Identity // PeerIP is IP address (IPv4 or IPv6) of whoever is making the request or // nil if not available. PeerIP() net.IP // UserCredentials is an end-user credentials as they were received if they // are allowed to be forwarded. UserCredentials() (*oauth2.Token, error) }
State is stored in the context when handling an incoming request. It contains authentication related state of the current request.
func GetState ¶
GetState return State stored in the context by 'Authenticate' call, the background state if 'Authenticate' wasn't used or nil if the auth library wasn't configured.
The background state roughly is similar to the state of anonymous call. Various background non user-facing handlers (crons, task queues) that do not use 'Authenticate' see this state by default. Its most important role is to provide access to authdb.DB (and all functionality that depends on it) to background handlers.
type User ¶
type User struct { // Identity is identity string of the user (may be AnonymousIdentity). // If User is returned by Authenticate(...), Identity string is always present // and valid. Identity identity.Identity `json:"identity,omitempty"` // Superuser is true if the user is site-level administrator. For example, on // GAE this bit is set for GAE-level administrators. Optional, default false. Superuser bool `json:"superuser,omitempty"` // Email is email of the user. Optional, default "". Don't use it as a key // in various structures. Prefer to use Identity() instead (it is always // available). Email string `json:"email,omitempty"` // Name is full name of the user. Optional, default "". Name string `json:"name,omitempty"` // Picture is URL of the user avatar. Optional, default "". Picture string `json:"picture,omitempty"` // ClientID is the ID of the pre-registered OAuth2 client so its identity can // be verified. Used only by authentication methods based on OAuth2. // See https://developers.google.com/console/help/#generatingoauth2 for more. ClientID string `json:"client_id,omitempty"` }
User represents identity and profile of a user.
func CurrentUser ¶
CurrentUser represents the current caller.
Shortcut for GetState(c).User(). Returns user with AnonymousIdentity if the context doesn't have State.
type UserCredentialsGetter ¶
type UserCredentialsGetter interface { // GetUserCredentials extracts an OAuth access token from the incoming request // or returns an error if it isn't possible. // // May omit token's expiration time if it isn't known. // // Guaranteed to be called only after the successful authentication, so it // doesn't have to recheck the validity of the token. GetUserCredentials(context.Context, *http.Request) (*oauth2.Token, error) }
UserCredentialsGetter may be additionally implemented by Method if it knows how to extract end-user credentials from the incoming request. Currently understands only OAuth2 tokens.
type UsersAPI ¶
type UsersAPI interface { // LoginURL returns a URL that, when visited, prompts the user to sign in, // then redirects the user to the URL specified by dest. LoginURL(c context.Context, dest string) (string, error) // LogoutURL returns a URL that, when visited, signs the user out, // then redirects the user to the URL specified by dest. LogoutURL(c context.Context, dest string) (string, error) }
UsersAPI may be additionally implemented by Method if it supports login and logout URLs.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package authdb contains definition of Authentication Database (aka AuthDB).
|
Package authdb contains definition of Authentication Database (aka AuthDB). |
dump
Package dump implements loading AuthDB from dumps in Google Storage.
|
Package dump implements loading AuthDB from dumps in Google Storage. |
internal/certs
Package certs knows how to fetch certificate bundles of trusted services.
|
Package certs knows how to fetch certificate bundles of trusted services. |
internal/globset
Package globset preprocesses []identity.Glob for faster querying.
|
Package globset preprocesses []identity.Glob for faster querying. |
internal/graph
Package graph implements handling of the groups graph.
|
Package graph implements handling of the groups graph. |
internal/ipaddr
Package ipaddr implements IP whitelist check.
|
Package ipaddr implements IP whitelist check. |
internal/legacy
Package legacy contains older implementation of IsMember check.
|
Package legacy contains older implementation of IsMember check. |
internal/oauthid
Package oauthid implements OAuth client ID whitelist check.
|
Package oauthid implements OAuth client ID whitelist check. |
internal/seccfg
Package seccfg interprets SecurityConfig proto message.
|
Package seccfg interprets SecurityConfig proto message. |
Package authtest implements some interfaces used by auth package to simplify unit testing.
|
Package authtest implements some interfaces used by auth package to simplify unit testing. |
Package delegation contains low-level API for working with delegation tokens.
|
Package delegation contains low-level API for working with delegation tokens. |
Package openid implements OpenID Connect Login protocol (client side).
|
Package openid implements OpenID Connect Login protocol (client side). |
Package service implements a wrapper around API exposed by auth_service: https://github.com/luci/luci-py/tree/master/appengine/auth_service
|
Package service implements a wrapper around API exposed by auth_service: https://github.com/luci/luci-py/tree/master/appengine/auth_service |
Package signing provides interfaces to sign arbitrary small blobs with RSA-SHA256 signature (PKCS1v15) and verify such signatures.
|
Package signing provides interfaces to sign arbitrary small blobs with RSA-SHA256 signature (PKCS1v15) and verify such signatures. |
signingtest
Package signingtest implements signing.Signer interface using small random keys.
|
Package signingtest implements signing.Signer interface using small random keys. |
Package xsrf provides Cross Site Request Forgery prevention middleware.
|
Package xsrf provides Cross Site Request Forgery prevention middleware. |