Documentation ¶
Overview ¶
Package auth provides authentication-related filters.
Basic - Check Basic Authentication ¶
The filter accepts two parameters. The first, mandatory one is the path to the htpasswd file as usually used with Apache or nginx; the second, optional one is the realm name that will be displayed in the browser. Each incoming request is validated against the password file; for information on which formats are currently supported, check "https://github.com/abbot/go-http-auth". Assuming that the MD5 version is used, new entries can be generated like:
htpasswd -nbm myName myPassword
Embedding the filter in routes:
generic: * -> basicAuth("/path/to/htpasswd") -> "https://internal.example.org";
myRealm: Host("my.example.org") -> basicAuth("/path/to/htpasswd", "My Website") -> "https://my-internal.example.org";
OAuth2 - Check Bearer Tokens ¶
The auth filter takes the incoming request, and tries to extract the Bearer token from the Authorization header. Then it validates against a configured service. Depending on the settings, it also can check if the owner of the token belongs to a specific OAuth2 realm, and it can check if it has at least one of the predefined scopes. If any of the expectations are not met, it doesn't forward the request to the target endpoint, but returns with status 401.
OAuth2 - Provider Configuration - Tokeninfo ¶
To enable the OAuth2 tokeninfo filters you have to set the CLI argument -oauth2-tokeninfo-url=<OAuthTokeninfoURL>. Scopes and key value pairs depend on the OAuth2 tokeninfo provider. Access tokens have to be accepted by your OAuth2 provider's TokeninfoURL. Filters whose names start with oauthTokeninfo work on the data returned from TokeninfoURL. The request from skipper to TokeninfoURL carries the `Authorization: Bearer <access_token>` header.
Additionally, you can pass the CLI argument -oauth2-tokeninfo-timeout=<OAuthTokeninfoTimeout> to control the timeout duration of the OAuth validation request. The default tokeninfo timeout is 2s.
Example json output of the tokeninfo response could be:
{
  "access_token": "<mytoken>",
  "client_id": "ztoken",
  "cn": "Jane Doe",
  "expires_in": "300",
  "grant_type": "password",
  "realm": "/employees",
  "scope": ["uid", "foo-r", "bar-w", "qux-rw"],
  "token_type": "Bearer",
  "uid": "jdoe"
}
OAuth2 - oauthTokeninfoAnyScope filter ¶
The filter oauthTokeninfoAnyScope allows access if one of the scopes is satisfied by the request.
a: Path("/a") -> oauthTokeninfoAnyScope("uid") -> "https://internal.example.org/";
b: Path("/b") -> oauthTokeninfoAnyScope("uid", "bar") -> "https://internal.example.org/";
OAuth - oauthTokeninfoAllScope() filter ¶
The filter oauthTokeninfoAllScope allows access if all of the scopes are satisfied by the request:
a: Path("/a") -> oauthTokeninfoAllScope("uid") -> "https://internal.example.org/";
b: Path("/b") -> oauthTokeninfoAllScope("uid", "bar") -> "https://internal.example.org/";
OAuth - oauthTokeninfoAnyKV() filter ¶
The filter oauthTokeninfoAnyKV allows access if the token information returned by OAuthTokeninfoURL has the given key and the given value.
Route `a` below has a filter definition that allows access if the key "uid" has the value "jdoe" or the key "foo" has the value "bar". Route `b` additionally accepts the pair "realm" with the value "/employees":
a: Path("/") -> oauthTokeninfoAnyKV("uid", "jdoe", "foo", "bar") -> "https://internal.example.org/";
b: Path("/") -> oauthTokeninfoAnyKV("realm","/employees", "uid", "jdoe", "foo", "bar") -> "https://internal.example.org/";
The same as route `a` above, but you also allow "uid=mstar" to access:
a: Path("/") -> oauthTokeninfoAnyKV("uid", "jdoe", "uid", "mstar") -> "https://internal.example.org/";
Example json output of this tokeninfo response:
{
  "access_token": "<mytoken>",
  "client_id": "ztoken",
  "cn": "Jane Doe",
  "expires_in": "300",
  "grant_type": "password",
  "realm": "/employees",
  "scope": ["uid", "foo-r", "bar-w", "qux-rw"],
  "token_type": "Bearer",
  "uid": "jdoe"
}
OAuth - oauthTokeninfoAllKV() filter ¶
The filter oauthTokeninfoAllKV allows access if the token information returned by OAuthTokeninfoURL has all of the given keys with the given values.
Route `a` below has a filter definition that checks that all of the key value pairs match: here "uid" has to have the value "jdoe" and "foo" has to have the value "bar". Route `b` additionally requires a "realm" of "/employees":
a: Path("/") -> oauthTokeninfoAllKV("uid", "jdoe", "foo", "bar") -> "https://internal.example.org/";
b: Path("/") -> oauthTokeninfoAllKV("realm", "/employees", "uid", "jdoe", "foo", "bar") -> "https://internal.example.org/";
Example json output of this information response:
{
  "access_token": "<mytoken>",
  "client_id": "ztoken",
  "cn": "John Doe",
  "expires_in": "300",
  "grant_type": "password",
  "foo": "bar",
  "realm": "/employees",
  "scope": ["uid", "foo-r", "bar-w", "qux-rw"],
  "token_type": "Bearer",
  "uid": "jdoe"
}
If you use any of the above four filters in a custom build, call the `Close()` method to close the `quit` channel and free up goroutines, which avoids a goroutine leak.
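The matching rules of the four tokeninfo filters above, written out as an added example (this is not skipper's own code): the documented tokeninfo response is embedded as constructed input, and the any/all scope and key/value checks are evaluated the way the filter descriptions state them. The helper names (parseTokeninfo, kvPairs, anyScope, allKV and so on) are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// tokeninfo is the decoded JSON body returned by the tokeninfo endpoint.
type tokeninfo map[string]interface{}

// sampleTokeninfo is a constructed input copied from the documented example response.
const sampleTokeninfo = `{"access_token": "<mytoken>", "client_id": "ztoken", "cn": "Jane Doe",
  "expires_in": "300", "grant_type": "password", "realm": "/employees",
  "scope": ["uid", "foo-r", "bar-w", "qux-rw"], "token_type": "Bearer", "uid": "jdoe"}`

func parseTokeninfo(body string) (tokeninfo, error) {
	var info tokeninfo
	if err := json.Unmarshal([]byte(body), &info); err != nil {
		return nil, fmt.Errorf("decoding tokeninfo: %w", err)
	}
	return info, nil
}

// scopes returns the "scope" array as a set; a missing or malformed field yields an empty set.
func (t tokeninfo) scopes() map[string]bool {
	set := map[string]bool{}
	raw, _ := t["scope"].([]interface{})
	for _, s := range raw {
		if str, ok := s.(string); ok {
			set[str] = true
		}
	}
	return set
}

// anyScope mirrors oauthTokeninfoAnyScope: at least one required scope is present.
func (t tokeninfo) anyScope(required ...string) bool {
	have := t.scopes()
	for _, s := range required {
		if have[s] {
			return true
		}
	}
	return false
}

// allScope mirrors oauthTokeninfoAllScope: every required scope is present.
func (t tokeninfo) allScope(required ...string) bool {
	have := t.scopes()
	for _, s := range required {
		if !have[s] {
			return false
		}
	}
	return len(required) > 0
}

// kv is one key/value pair taken from the flat filter argument list ("k1","v1","k2","v2").
type kv struct{ key, value string }

// kvPairs splits the flat argument list into pairs; an odd or empty list is a configuration error.
func kvPairs(args ...string) ([]kv, error) {
	if len(args) == 0 || len(args)%2 != 0 {
		return nil, fmt.Errorf("expected an even, non-zero number of key/value arguments, got %d", len(args))
	}
	pairs := make([]kv, 0, len(args)/2)
	for i := 0; i < len(args); i += 2 {
		pairs = append(pairs, kv{args[i], args[i+1]})
	}
	return pairs, nil
}

// anyKV mirrors oauthTokeninfoAnyKV: some pair matches a top-level string field.
// Listing the same key twice ("uid","jdoe","uid","mstar") therefore admits either value.
func (t tokeninfo) anyKV(pairs []kv) bool {
	for _, p := range pairs {
		if v, ok := t[p.key].(string); ok && v == p.value {
			return true
		}
	}
	return false
}

// allKV mirrors oauthTokeninfoAllKV: every pair must match a top-level string field,
// so a key absent from the response (the sample has no "foo") denies the request.
func (t tokeninfo) allKV(pairs []kv) bool {
	for _, p := range pairs {
		if v, ok := t[p.key].(string); !ok || v != p.value {
			return false
		}
	}
	return len(pairs) > 0
}

func main() {
	info, _ := parseTokeninfo(sampleTokeninfo)
	pairs, _ := kvPairs("realm", "/employees", "uid", "jdoe", "foo", "bar")
	fmt.Println(info.anyScope("uid", "bar"), info.allScope("uid", "bar"), info.anyKV(pairs), info.allKV(pairs))
}
```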
OAuth2 - Provider Configuration - Tokenintrospection ¶
Provider configuration is discovered dynamically as described in https://tools.ietf.org/html/draft-ietf-oauth-discovery-06#section-5, i.e. by a GET of /.well-known/openid-configuration on the issuer URL. Skipper uses the `introspection_endpoint` as the target to query for token information and `claims_supported` to validate filter configurations.
Example response from the openid-configuration endpoint:
{
  "issuer": "https://issuer.example.com",
  "token_endpoint": "https://issuer.example.com/token",
  "introspection_endpoint": "https://issuer.example.com/token/introspect",
  "revocation_endpoint": "https://issuer.example.com/token/revoke",
  "authorization_endpoint": "https://issuer.example.com/login",
  "userinfo_endpoint": "https://issuer.example.com/userinfo",
  "jwks_uri": "https://issuer.example.com/token/certs",
  "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "claims_supported": ["aud", "email", "email_verified", "exp", "family_name", "given_name", "iat", "iss", "locale", "name", "picture", "sub"],
  "code_challenge_methods_supported": ["plain", "S256"]
}
Additionally, you can pass the CLI argument -oauth2-tokenintrospect-timeout=<OAuthTokenintrospectTimeout> to control the timeout duration of the OAuth validation request. The default tokenintrospect timeout is 2s.
All oauthTokenintrospection* filters will work on the tokenintrospect response.
Example json output of the tokenintrospect response could be:
{
  "access_token": "<mytoken>",
  "client_id": "ztoken",
  "name": "Jane Doe",
  "expires_in": "300",
  "grant_type": "password",
  "active": true,
  "sub": "a-sub",
  "iss": "https://issuer.example.com",
  "realm": "/employees",
  "claims": {
    "uid": "jdoe",
    "email": "jdoe@example.com"
  },
  "scope": ["email", "foo-r"],
  "token_type": "Bearer"
}
OAuth2 - oauthTokenintrospectionAnyClaims filter ¶
The filter oauthTokenintrospectionAnyClaims can be configured with claims validated from the openid-configuration `claims_supported` and will use the `introspection_endpoint` endpoint to query for the token information.
The filter oauthTokenintrospectionAnyClaims allows access if the token information has at least one of the claims in the token as configured in the filter.
The following route has a filter definition, that will check if there is one of the following claims in the token: "uid" or "email":
a: Path("/") -> oauthTokenintrospectionAnyClaims("https://issuer.example.com", "uid", "email") -> "https://internal.example.org/";
OAuth2 - oauthTokenintrospectionAllClaims filter ¶
The filter oauthTokenintrospectionAllClaims can be configured with claims validated from the openid-configuration `claims_supported` and will use the `introspection_endpoint` endpoint to query for the token information.
The filter oauthTokenintrospectionAllClaims allows access if the token information has all of the claims configured in the filter.
The following route has a filter definition that will check that all of the following claims are in the token: "uid" and "email":
a: Path("/") -> oauthTokenintrospectionAllClaims("https://issuer.example.com", "uid", "email") -> "https://internal.example.org/";
OAuth2 - oauthTokenintrospectionAnyKV filter ¶
The filter oauthTokenintrospectionAnyKV will use the `introspection_endpoint` endpoint from the openid-configuration to query for the token information.
The filter oauthTokenintrospectionAnyKV allows access if the token information has at least one of the key-value pairs in the token as configured in the filter.
The following route has a filter definition that will check if one of the following key-value pairs is in the token: "uid=jdoe" or "iss=https://issuer.example.com":
a: Path("/") -> oauthTokenintrospectionAnyKV("https://issuer.example.com", "uid", "jdoe", "iss", "https://issuer.example.com") -> "https://internal.example.org/";
The same as route `a` above, but you also allow "uid=mstar" to access:
a: Path("/") -> oauthTokenintrospectionAnyKV("https://issuer.example.com", "uid", "jdoe", "uid", "mstar", "iss", "https://issuer.example.com") -> "https://internal.example.org/";
OAuth2 - oauthTokenintrospectionAllKV filter ¶
The filter oauthTokenintrospectionAllKV will use the `introspection_endpoint` endpoint from the openid-configuration to query for the token information.
The filter oauthTokenintrospectionAllKV allows access if the token information has all of the key-value pairs configured in the filter.
The following route has a filter definition that will check that all of the following key-value pairs are in the token: "uid=jdoe" and "iss=https://issuer.example.com":
a: Path("/") -> oauthTokenintrospectionAllKV("https://issuer.example.com", "uid", "jdoe", "iss", "https://issuer.example.com") -> "https://internal.example.org/";
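The discovery and introspection exchange that the tokenintrospection filters above depend on, as an added example (not skipper's code): a constructed fake issuer serves the openid-configuration document and an RFC 7662 introspection endpoint, and authorize() performs the GET, checks the configured claims against claims_supported, POSTs the token and applies the AnyClaims/AllClaims rule. That claims are read from the nested "claims" object of the introspection response is an assumption based on the example response shown earlier; the names authorize, hasClaims, decodeJSON and newFakeIssuer are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// discovery holds the two openid-configuration fields the filters rely on.
type discovery struct {
	IntrospectionEndpoint string   `json:"introspection_endpoint"`
	ClaimsSupported       []string `json:"claims_supported"`
}

// introspection is the decoded RFC 7662 reply. Reading claims from its nested
// "claims" object follows the documented example response (an assumption).
type introspection struct {
	Active bool                   `json:"active"`
	Claims map[string]interface{} `json:"claims"`
}

// newFakeIssuer is a constructed stand-in for an identity provider: it serves the discovery
// document and an introspection endpoint that reports validToken as active and anything else as inactive.
func newFakeIssuer(validToken string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/.well-known/openid-configuration":
			json.NewEncoder(w).Encode(discovery{IntrospectionEndpoint: srv.URL + "/token/introspect", ClaimsSupported: []string{"email", "iss", "sub", "uid"}})
		case r.URL.Path == "/token/introspect" && r.Method == http.MethodPost && r.FormValue("token") == validToken:
			fmt.Fprintf(w, `{"active": true, "sub": "a-sub", "iss": %q, "claims": {"uid": "jdoe", "email": "jdoe@example.com"}}`, srv.URL)
		default:
			fmt.Fprint(w, `{"active": false}`)
		}
	}))
	return srv
}

// decodeJSON finishes an HTTP call: a transport error or a non-200 reply is an error, never a grant.
func decodeJSON(resp *http.Response, err error, out interface{}) error {
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: unexpected status %d", resp.Request.URL, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// authorize makes the decision the tokenintrospection filters make: GET <issuer>/.well-known/openid-configuration
// (skipper does this once, when the filter is created), reject configured claims missing from
// claims_supported, POST the token to introspection_endpoint and require an active token carrying the claims.
func authorize(issuerURL, token string, requireAll bool, claims ...string) (bool, error) {
	client := &http.Client{Timeout: 2 * time.Second} // the documented default timeout
	var d discovery
	resp, err := client.Get(issuerURL + "/.well-known/openid-configuration")
	if derr := decodeJSON(resp, err, &d); derr != nil {
		return false, derr
	}
	supported := map[string]bool{}
	for _, c := range d.ClaimsSupported {
		supported[c] = true
	}
	for _, c := range claims {
		if !supported[c] {
			return false, fmt.Errorf("claim %q is not in claims_supported of %s", c, issuerURL)
		}
	}
	var in introspection
	resp, err = client.PostForm(d.IntrospectionEndpoint, url.Values{"token": {token}})
	if derr := decodeJSON(resp, err, &in); derr != nil {
		return false, derr
	}
	return hasClaims(in, requireAll, claims...), nil
}

// hasClaims mirrors oauthTokenintrospectionAnyClaims (requireAll=false) and
// oauthTokenintrospectionAllClaims (requireAll=true); an inactive token is always denied.
func hasClaims(in introspection, requireAll bool, claims ...string) bool {
	if !in.Active || len(claims) == 0 {
		return false
	}
	for _, c := range claims {
		if _, present := in.Claims[c]; present != requireAll {
			return present // any: first hit grants; all: first miss denies
		}
	}
	return requireAll
}

func main() {
	issuer := newFakeIssuer("good-token")
	defer issuer.Close()
	fmt.Println(authorize(issuer.URL, "good-token", true, "uid", "email"))
}
```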
OpenID - oauthOidcUserInfo filter ¶
The filter oauthOidcUserInfo is a filter for OAuth Implicit Flow authentication of users through OpenID Connect. It verifies that the token provided by the user upon authentication contains all the fields specified in the filter.
a: Path("/") -> oauthOidcUserInfo("https://accounts.identity-provider.com", "some-client-id", "some-client-secret", "http://callback.com/auth/provider/callback", "scope1 scope2", "field1 field2") -> "https://internal.example.org";
OpenID - oauthOidcAnyClaims filter ¶
The filter oauthOidcAnyClaims is a filter for OAuth Implicit Flow authentication scheme for users through OpenID Connect. It verifies that the token provided by the user upon authentication with the authentication provider contains at least one of the claims specified in the filter.
a: Path("/") -> oauthOidcAnyClaims("https://accounts.identity-provider.com", "some-client-id", "some-client-secret", "http://callback.com/auth/provider/callback", "scope1 scope2","claim1 claim2 claim3") -> "https://internal.example.org";
OpenID - oauthOidcAllClaims filter ¶
The filter oauthOidcAllClaims is a filter for OAuth Implicit Flow authentication scheme for users through OpenID Connect. It verifies that the token provided by the user upon authentication with the authentication provider contains all of the claims specified in the filter.
a: Path("/") -> oauthOidcAllClaims("https://accounts.identity-provider.com", "some-client-id", "some-client-secret", "http://callback.com/auth/provider/callback", "scope1 scope2", "claim1 claim2") -> "https://internal.example.org";
OAuth - auditLog() filter ¶
The filter auditLog allows you to have an audit log for all requests. This filter should always be set before the auth filters. To see only permitted access, you can set the auditLog() filter after the auth filter.
a: Path("/only-allowed-audit-log") -> oauthTokeninfoAnyScope("bar-w") -> auditLog() -> "https://internal.example.org/";
b: Path("/all-access-requests-audit-log") -> auditLog() -> oauthTokeninfoAnyScope("foo-r") -> "https://internal.example.org/";
Webhook - webhook() filter ¶
The filter webhook allows you to have a custom authentication and authorization endpoint for a route. Headers from the webhook response can be copied into the continuing request by specifying the headers to copy as an optional second argument to the filter.
a: Path("/only-allowed-by-webhook") -> webhook("https://custom-webhook.example.org/auth") -> "https://protected-backend.example.org/";
b: Path("/copy-webhook-headers") -> webhook("https://custom-webhook.example.org/auth", "X-Copy-This-Header") -> "https://protected-backend.example.org/";
Forward Token - forwardToken() filter ¶
The filter is used to forward the result of token introspection or token info to the backend.
a: Path("/tokeninfo-protected") -> oauthTokeninfoAnyScope("uid") -> forwardToken("X-Tokeninfo-Forward") -> "https://internal.example.org";
b: Path("tokenintrospection-protected") -> oauthTokenintrospectionAnyKV("uid") -> forwardToken("X-Tokenintrospection-Forward") -> "http://internal.example.org";
Index ¶
- Constants
- Variables
- func NewBasicAuth() *basicSpec
- func NewBearerInjector(sr secrets.SecretsReader) filters.Spec
- func NewForwardToken() filters.Spec
- func NewForwardTokenField() filters.Spec
- func NewJwtMetrics() filters.Spec
- func NewJwtValidationWithOptions(o TokenintrospectionOptions) filters.Spec
- func NewOAuthOidcAllClaims(secretsFile string, secretsRegistry secrets.EncrypterCreator) filters.Spec (deprecated)
- func NewOAuthOidcAllClaimsWithOptions(secretsFile string, secretsRegistry secrets.EncrypterCreator, o OidcOptions) filters.Spec
- func NewOAuthOidcAnyClaims(secretsFile string, secretsRegistry secrets.EncrypterCreator) filters.Spec (deprecated)
- func NewOAuthOidcAnyClaimsWithOptions(secretsFile string, secretsRegistry secrets.EncrypterCreator, o OidcOptions) filters.Spec
- func NewOAuthOidcUserInfos(secretsFile string, secretsRegistry secrets.EncrypterCreator) filters.Spec (deprecated)
- func NewOAuthOidcUserInfosWithOptions(secretsFile string, secretsRegistry secrets.EncrypterCreator, o OidcOptions) filters.Spec
- func NewOAuthTokeninfoAllKV(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec
- func NewOAuthTokeninfoAllKVWithOptions(to TokeninfoOptions) filters.Spec
- func NewOAuthTokeninfoAllScope(oauthTokeninfoURL string, oauthTokeninfoTimeout time.Duration) filters.Spec
- func NewOAuthTokeninfoAllScopeWithOptions(to TokeninfoOptions) filters.Spec
- func NewOAuthTokeninfoAnyKV(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec
- func NewOAuthTokeninfoAnyKVWithOptions(to TokeninfoOptions) filters.Spec
- func NewOAuthTokeninfoAnyScope(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec
- func NewOAuthTokeninfoAnyScopeWithOptions(to TokeninfoOptions) filters.Spec
- func NewOAuthTokeninfoValidate(to TokeninfoOptions) filters.Spec
- func NewOAuthTokenintrospectionAllClaims(timeout time.Duration) filters.Spec
- func NewOAuthTokenintrospectionAllKV(timeout time.Duration) filters.Spec
- func NewOAuthTokenintrospectionAnyClaims(timeout time.Duration) filters.Spec
- func NewOAuthTokenintrospectionAnyKV(timeout time.Duration) filters.Spec
- func NewOIDCQueryClaimsFilter() filters.Spec
- func NewSecureOAuthTokenintrospectionAllClaims(timeout time.Duration) filters.Spec
- func NewSecureOAuthTokenintrospectionAllKV(timeout time.Duration) filters.Spec
- func NewSecureOAuthTokenintrospectionAnyClaims(timeout time.Duration) filters.Spec
- func NewSecureOAuthTokenintrospectionAnyKV(timeout time.Duration) filters.Spec
- func NewSetRequestHeaderFromSecret(sr secrets.SecretsReader) filters.Spec
- func NewWebhook(timeout time.Duration) filters.Spec
- func SetOIDCClaims(ctx filters.FilterContext, claims map[string]interface{})
- func TokeninfoWithOptions(create func(string, time.Duration) filters.Spec, o TokeninfoOptions) filters.Spec
- func TokenintrospectionWithOptions(create func(time.Duration) filters.Spec, o TokenintrospectionOptions) filters.Spec
- func WebhookWithOptions(o WebhookOptions) filters.Spec
- type CookieEncoder
- type EncryptedCookieEncoder
- type OAuthConfig
- func (c *OAuthConfig) GetAuthURLParameters(redirectURI string) []oauth2.AuthCodeOption
- func (c *OAuthConfig) GetConfig(req *http.Request) (*oauth2.Config, error)
- func (c *OAuthConfig) Init() error
- func (c *OAuthConfig) NewGrant() filters.Spec
- func (c *OAuthConfig) NewGrantCallback() filters.Spec
- func (c *OAuthConfig) NewGrantClaimsQuery() filters.Spec
- func (c *OAuthConfig) NewGrantLogout() filters.Spec
- func (c *OAuthConfig) NewGrantPreprocessor() routing.PreProcessor
- func (c *OAuthConfig) RedirectURLs(req *http.Request) (redirect, original string)
- type OauthState
- type OidcOptions
- type TokeninfoOptions
- type TokenintrospectionOptions
- type WebhookOptions
Constants ¶
const (
	// Deprecated, use filters.BasicAuthName instead
	Name = filters.BasicAuthName

	ForceBasicAuthHeaderName  = "WWW-Authenticate"
	ForceBasicAuthHeaderValue = "Basic realm="
	DefaultRealmName          = "Basic Realm"
)
const (
	// Deprecated, use filters.OAuthOidcUserInfoName instead
	OidcUserInfoName = filters.OAuthOidcUserInfoName
	// Deprecated, use filters.OAuthOidcAnyClaimsName instead
	OidcAnyClaimsName = filters.OAuthOidcAnyClaimsName
	// Deprecated, use filters.OAuthOidcAllClaimsName instead
	OidcAllClaimsName = filters.OAuthOidcAllClaimsName
)
const (
	// Deprecated, use filters.OAuthTokeninfoAnyScopeName instead
	OAuthTokeninfoAnyScopeName = filters.OAuthTokeninfoAnyScopeName
	// Deprecated, use filters.OAuthTokeninfoAllScopeName instead
	OAuthTokeninfoAllScopeName = filters.OAuthTokeninfoAllScopeName
	// Deprecated, use filters.OAuthTokeninfoAnyKVName instead
	OAuthTokeninfoAnyKVName = filters.OAuthTokeninfoAnyKVName
	// Deprecated, use filters.OAuthTokeninfoAllKVName instead
	OAuthTokeninfoAllKVName = filters.OAuthTokeninfoAllKVName
)
const (
	// Deprecated, use filters.OAuthTokenintrospectionAnyClaimsName instead
	OAuthTokenintrospectionAnyClaimsName = filters.OAuthTokenintrospectionAnyClaimsName
	// Deprecated, use filters.OAuthTokenintrospectionAllClaimsName instead
	OAuthTokenintrospectionAllClaimsName = filters.OAuthTokenintrospectionAllClaimsName
	// Deprecated, use filters.OAuthTokenintrospectionAnyKVName instead
	OAuthTokenintrospectionAnyKVName = filters.OAuthTokenintrospectionAnyKVName
	// Deprecated, use filters.OAuthTokenintrospectionAllKVName instead
	OAuthTokenintrospectionAllKVName = filters.OAuthTokenintrospectionAllKVName
	// Deprecated, use filters.SecureOAuthTokenintrospectionAnyClaimsName instead
	SecureOAuthTokenintrospectionAnyClaimsName = filters.SecureOAuthTokenintrospectionAnyClaimsName
	// Deprecated, use filters.SecureOAuthTokenintrospectionAllClaimsName instead
	SecureOAuthTokenintrospectionAllClaimsName = filters.SecureOAuthTokenintrospectionAllClaimsName
	// Deprecated, use filters.SecureOAuthTokenintrospectionAnyKVName instead
	SecureOAuthTokenintrospectionAnyKVName = filters.SecureOAuthTokenintrospectionAnyKVName
	// Deprecated, use filters.SecureOAuthTokenintrospectionAllKVName instead
	SecureOAuthTokenintrospectionAllKVName = filters.SecureOAuthTokenintrospectionAllKVName

	TokenIntrospectionConfigPath = "/.well-known/openid-configuration"
)
const (
AuthUnknown = "authUnknown"
)
const (
	// Deprecated, use filters.BearerInjectorName instead
	BearerInjectorName = filters.BearerInjectorName
)
const (
	// Deprecated, use filters.ForwardTokenFieldName instead
	ForwardTokenFieldName = filters.ForwardTokenFieldName
)
const (
	// Deprecated, use filters.ForwardTokenName instead
	ForwardTokenName = filters.ForwardTokenName
)
const GrantCallbackName = filters.GrantCallbackName
GrantCallbackName is the filter name. Deprecated, use filters.GrantCallbackName instead.
const GrantClaimsQueryName = filters.GrantClaimsQueryName
GrantClaimsQueryName is the filter name. Deprecated, use filters.GrantClaimsQueryName instead.
const (
	// Deprecated, use filters.GrantLogoutName instead
	GrantLogoutName = filters.GrantLogoutName
)
const (
	// Deprecated, use filters.JwtValidationName instead
	JwtValidationName = filters.JwtValidationName
)
const (
	// Deprecated, use filters.OAuthGrantName instead
	OAuthGrantName = filters.OAuthGrantName
)
const (
	// Deprecated, use filters.OidcClaimsQueryName instead
	OidcClaimsQueryName = filters.OidcClaimsQueryName
)
const (
	// Deprecated, use filters.WebhookName instead
	WebhookName = filters.WebhookName
)
Variables ¶
var (
	ErrMissingClientID        = errors.New("missing client ID")
	ErrMissingClientSecret    = errors.New("missing client secret")
	ErrMissingSecretsProvider = errors.New("missing secrets provider")
	ErrMissingSecretsRegistry = errors.New("missing secrets registry")
	ErrMissingSecretFile      = errors.New("missing secret file")
	ErrMissingTokeninfoURL    = errors.New("missing tokeninfo URL")
	ErrMissingProviderURLs    = errors.New("missing provider URLs")
)
Functions ¶
func NewBasicAuth ¶
func NewBasicAuth() *basicSpec
func NewBearerInjector ¶ added in v0.10.263
func NewBearerInjector(sr secrets.SecretsReader) filters.Spec
func NewForwardToken ¶ added in v0.10.113
NewForwardToken creates a filter to forward the result of token info or token introspection to the backend server.
func NewForwardTokenField ¶ added in v0.13.104
NewForwardTokenField creates a filter to forward fields from token info or token introspection or oidc user info as headers to the backend server.
func NewJwtMetrics ¶ added in v0.21.56
func NewJwtValidationWithOptions ¶ added in v0.13.104
func NewJwtValidationWithOptions(o TokenintrospectionOptions) filters.Spec
func NewOAuthOidcAllClaims ¶ deprecated, added in v0.10.153
func NewOAuthOidcAllClaims(secretsFile string, secretsRegistry secrets.EncrypterCreator) filters.Spec
Deprecated: use NewOAuthOidcAllClaimsWithOptions instead.
func NewOAuthOidcAllClaimsWithOptions ¶ added in v0.13.205
func NewOAuthOidcAllClaimsWithOptions(secretsFile string, secretsRegistry secrets.EncrypterCreator, o OidcOptions) filters.Spec
NewOAuthOidcAllClaimsWithOptions creates a filter spec which verifies that the token has all the claims specified
func NewOAuthOidcAnyClaims ¶ deprecated, added in v0.10.153
func NewOAuthOidcAnyClaims(secretsFile string, secretsRegistry secrets.EncrypterCreator) filters.Spec
Deprecated: use NewOAuthOidcAnyClaimsWithOptions instead.
func NewOAuthOidcAnyClaimsWithOptions ¶ added in v0.13.205
func NewOAuthOidcAnyClaimsWithOptions(secretsFile string, secretsRegistry secrets.EncrypterCreator, o OidcOptions) filters.Spec
NewOAuthOidcAnyClaimsWithOptions creates a filter spec which verifies that the token has one of the claims specified
func NewOAuthOidcUserInfos ¶ deprecated, added in v0.10.153
func NewOAuthOidcUserInfos(secretsFile string, secretsRegistry secrets.EncrypterCreator) filters.Spec
Deprecated: use NewOAuthOidcUserInfosWithOptions instead.
func NewOAuthOidcUserInfosWithOptions ¶ added in v0.13.205
func NewOAuthOidcUserInfosWithOptions(secretsFile string, secretsRegistry secrets.EncrypterCreator, o OidcOptions) filters.Spec
NewOAuthOidcUserInfosWithOptions creates filter spec which tests user info.
func NewOAuthTokeninfoAllKV ¶ added in v0.10.0
func NewOAuthTokeninfoAllKV(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec
NewOAuthTokeninfoAllKV creates a new auth filter specification to validate authorization for requests. Current implementation uses Bearer tokens to authorize requests and checks that the token contains all key value pairs provided.
func NewOAuthTokeninfoAllKVWithOptions ¶ added in v0.11.19
func NewOAuthTokeninfoAllKVWithOptions(to TokeninfoOptions) filters.Spec
func NewOAuthTokeninfoAllScope ¶ added in v0.10.0
func NewOAuthTokeninfoAllScope(oauthTokeninfoURL string, oauthTokeninfoTimeout time.Duration) filters.Spec
NewOAuthTokeninfoAllScope creates a new auth filter specification to validate authorization for requests. Current implementation uses Bearer tokens to authorize requests and checks that the token contains all scopes.
func NewOAuthTokeninfoAllScopeWithOptions ¶ added in v0.11.19
func NewOAuthTokeninfoAllScopeWithOptions(to TokeninfoOptions) filters.Spec
func NewOAuthTokeninfoAnyKV ¶ added in v0.10.0
func NewOAuthTokeninfoAnyKV(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec
NewOAuthTokeninfoAnyKV creates a new auth filter specification to validate authorization for requests. Current implementation uses Bearer tokens to authorize requests and checks that the token contains at least one key value pair provided.
func NewOAuthTokeninfoAnyKVWithOptions ¶ added in v0.11.19
func NewOAuthTokeninfoAnyKVWithOptions(to TokeninfoOptions) filters.Spec
func NewOAuthTokeninfoAnyScope ¶ added in v0.10.0
func NewOAuthTokeninfoAnyScope(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec
NewOAuthTokeninfoAnyScope creates a new auth filter specification to validate authorization for requests. Current implementation uses Bearer tokens to authorize requests and checks that the token contains at least one scope.
func NewOAuthTokeninfoAnyScopeWithOptions ¶ added in v0.11.19
func NewOAuthTokeninfoAnyScopeWithOptions(to TokeninfoOptions) filters.Spec
func NewOAuthTokeninfoValidate ¶ added in v0.21.131
func NewOAuthTokeninfoValidate(to TokeninfoOptions) filters.Spec
func NewOAuthTokenintrospectionAllClaims ¶ added in v0.10.59
func NewOAuthTokenintrospectionAllKV ¶ added in v0.10.59
NewOAuthTokenintrospectionAllKV creates a new auth filter specification to validate authorization for requests. The current implementation uses Bearer tokens to authorize requests and checks that the token contains all of the key value pairs provided.
This is an RFC 7662 compliant implementation. It uses POST requests to the introspection_endpoint to get information about the token's validity.
It uses the /.well-known/openid-configuration path of the passed oauthIssuerURL to find the introspection_endpoint as defined in draft https://tools.ietf.org/html/draft-ietf-oauth-discovery-06; if oauthIntrospectionURL is a non-empty string, it sets IntrospectionEndpoint to the given oauthIntrospectionURL.
func NewOAuthTokenintrospectionAnyClaims ¶ added in v0.10.59
func NewOAuthTokenintrospectionAnyKV ¶ added in v0.10.59
NewOAuthTokenintrospectionAnyKV creates a new auth filter specification to validate authorization for requests. The current implementation uses Bearer tokens to authorize requests and checks that the token contains at least one of the key value pairs provided.
This is an RFC 7662 compliant implementation. It uses POST requests to the introspection_endpoint to get information about the token's validity.
It uses the /.well-known/openid-configuration path of the passed oauthIssuerURL to find the introspection_endpoint as defined in draft https://tools.ietf.org/html/draft-ietf-oauth-discovery-06; if oauthIntrospectionURL is a non-empty string, it sets IntrospectionEndpoint to the given oauthIntrospectionURL.
func NewOIDCQueryClaimsFilter ¶ added in v0.11.38
func NewSecureOAuthTokenintrospectionAllClaims ¶ added in v0.10.234
func NewSecureOAuthTokenintrospectionAllKV ¶ added in v0.10.234
func NewSecureOAuthTokenintrospectionAnyClaims ¶ added in v0.10.234
func NewSecureOAuthTokenintrospectionAnyKV ¶ added in v0.10.234
Secure Introspection Point
func NewSetRequestHeaderFromSecret ¶ added in v0.18.54
func NewSetRequestHeaderFromSecret(sr secrets.SecretsReader) filters.Spec
func NewWebhook ¶ added in v0.10.68
NewWebhook creates a new auth filter specification to validate authorization for requests via an external web hook.
func SetOIDCClaims ¶ added in v0.21.244
func SetOIDCClaims(ctx filters.FilterContext, claims map[string]interface{})
Sets OIDC claims in the state bag. Intended for use with the oidcClaimsQuery filter.
func TokeninfoWithOptions ¶ added in v0.10.273
func TokeninfoWithOptions(create func(string, time.Duration) filters.Spec, o TokeninfoOptions) filters.Spec
TokeninfoWithOptions creates a new auth filter specification for token validation with additional settings to the mandatory tokeninfo URL and timeout.
Use one of the base initializer functions as the first argument: NewOAuthTokeninfoAllScope, NewOAuthTokeninfoAnyScope, NewOAuthTokeninfoAllKV or NewOAuthTokeninfoAnyKV.
func TokenintrospectionWithOptions ¶ added in v0.10.273
func TokenintrospectionWithOptions(
	create func(time.Duration) filters.Spec,
	o TokenintrospectionOptions,
) filters.Spec
TokenintrospectionWithOptions creates a new auth filter specification for validating authorization requests with additional options to the mandatory timeout parameter.
Use one of the base initializer functions as the first argument: NewOAuthTokenintrospectionAnyKV, NewOAuthTokenintrospectionAllKV, NewOAuthTokenintrospectionAnyClaims, NewOAuthTokenintrospectionAllClaims, NewSecureOAuthTokenintrospectionAnyKV, NewSecureOAuthTokenintrospectionAllKV, NewSecureOAuthTokenintrospectionAnyClaims, NewSecureOAuthTokenintrospectionAllClaims, pass opentracing.Tracer and other options in TokenintrospectionOptions.
func WebhookWithOptions ¶ added in v0.10.273
func WebhookWithOptions(o WebhookOptions) filters.Spec
WebhookWithOptions creates a new auth filter specification to validate authorization of requests via an external web hook.
Types ¶
type CookieEncoder ¶ added in v0.21.50
type CookieEncoder interface {
	// Update creates a set of cookies that encodes the token and deletes previously existing cookies if necessary.
	// When token is nil it only returns cookies to delete.
	Update(request *http.Request, token *oauth2.Token) ([]*http.Cookie, error)

	// Read extracts the token from the request cookies.
	Read(request *http.Request) (*oauth2.Token, error)
}
type EncryptedCookieEncoder ¶ added in v0.21.50
type EncryptedCookieEncoder struct {
	Encryption       secrets.Encryption
	CookieName       string
	RemoveSubdomains int
	Insecure         bool
}
EncryptedCookieEncoder is a CookieEncoder that encrypts the token before storing it in a cookie.
type OAuthConfig ¶ added in v0.12.0
type OAuthConfig struct {
	// TokeninfoURL is the URL of the service to validate OAuth2 tokens.
	TokeninfoURL string

	// Secrets is a secret registry to access secret keys used for encrypting
	// auth flow state and auth cookies.
	Secrets *secrets.Registry

	// SecretFile contains the filename with the encryption key for the authentication
	// cookie and grant flow state stored in Secrets.
	SecretFile string

	// AuthURL, the url to redirect the requests to when login is required.
	AuthURL string

	// TokenURL, the url where the access code should be exchanged for the
	// access token.
	TokenURL string

	// RevokeTokenURL, the url where the access and revoke tokens can be
	// revoked during a logout.
	RevokeTokenURL string

	// CallbackPath contains the path where the callback requests with the
	// authorization code should be redirected to.
	CallbackPath string

	// ClientID, the OAuth2 client id of the current service, used to exchange
	// the access code. Must be set if ClientIDFile is not provided.
	ClientID string

	// ClientSecret, the secret associated with the ClientID, used to exchange
	// the access code. Must be set if ClientSecretFile is not provided.
	ClientSecret string

	// ClientIDFile, the path to the file containing the OAuth2 client id of
	// the current service, used to exchange the access code.
	// Must be set if ClientID is not provided.
	// File name may contain {host} placeholder which will be replaced by the request host.
	// Requires SecretsProvider, the path (or path's directory if placeholder is present) will be added to it.
	ClientIDFile string

	// ClientSecretFile, the path to the file containing the secret associated
	// with the ClientID, used to exchange the access code.
	// Must be set if ClientSecret is not provided.
	// File name may contain {host} placeholder which will be replaced by the request host.
	// Requires SecretsProvider, the path (or path's directory if placeholder is present) will be added to it.
	ClientSecretFile string

	// SecretsProvider is used to read ClientIDFile and ClientSecretFile from the
	// file system. Supports secret rotation.
	SecretsProvider secrets.SecretsProvider

	// TokeninfoClient, optional. When set, it will be used for the
	// authorization requests to TokeninfoURL. When not set, a new default
	// client is created.
	TokeninfoClient *authClient

	// AuthClient, optional. When set, it will be used for the
	// access code exchange requests to TokenURL. When not set, a new default
	// client is created.
	AuthClient *snet.Client

	// AuthURLParameters, optional. Extra URL parameters to add when calling
	// the OAuth2 authorize or token endpoints.
	AuthURLParameters map[string]string

	// AccessTokenHeaderName, optional. When set, the access token will be set
	// on the request to a header with this name.
	AccessTokenHeaderName string

	// GrantTokeninfoKeys, optional. When not empty, keys not in this list are removed from the tokeninfo map.
	GrantTokeninfoKeys []string

	// GrantCookieEncoder, optional. Cookie encoder stores and extracts OAuth token from cookies.
	GrantCookieEncoder CookieEncoder

	// TokeninfoSubjectKey, optional. When set, it is used to look up the subject
	// ID in the tokeninfo map received from a tokeninfo endpoint request.
	TokeninfoSubjectKey string

	// TokenCookieName, optional. The name of the cookie used to store the
	// encrypted access token after a successful token exchange.
	TokenCookieName string

	// TokenCookieRemoveSubdomains sets the number of subdomains to remove from
	// the callback request hostname to obtain token cookie domain.
	// Init converts default nil to 1.
	TokenCookieRemoveSubdomains *int

	// Insecure omits Secure attribute of the token cookie and uses http scheme for callback url.
	Insecure bool

	// ConnectionTimeout used for tokeninfo, access-token and refresh-token endpoint.
	ConnectionTimeout time.Duration

	// MaxIdleConnectionsPerHost used for tokeninfo, access-token and refresh-token endpoint.
	MaxIdleConnectionsPerHost int

	// Tracer used for tokeninfo, access-token and refresh-token endpoint.
	Tracer opentracing.Tracer
	// contains filtered or unexported fields
}
func (*OAuthConfig) GetAuthURLParameters ¶ added in v0.12.0
func (c *OAuthConfig) GetAuthURLParameters(redirectURI string) []oauth2.AuthCodeOption
func (*OAuthConfig) Init ¶ added in v0.12.0
func (c *OAuthConfig) Init() error
func (*OAuthConfig) NewGrant ¶ added in v0.12.0
func (c *OAuthConfig) NewGrant() filters.Spec
func (*OAuthConfig) NewGrantCallback ¶ added in v0.12.0
func (c *OAuthConfig) NewGrantCallback() filters.Spec
func (*OAuthConfig) NewGrantClaimsQuery ¶ added in v0.12.0
func (c *OAuthConfig) NewGrantClaimsQuery() filters.Spec
func (*OAuthConfig) NewGrantLogout ¶ added in v0.12.17
func (c *OAuthConfig) NewGrantLogout() filters.Spec
func (*OAuthConfig) NewGrantPreprocessor ¶ added in v0.12.0
func (c *OAuthConfig) NewGrantPreprocessor() routing.PreProcessor
func (*OAuthConfig) RedirectURLs ¶ added in v0.12.0
func (c *OAuthConfig) RedirectURLs(req *http.Request) (redirect, original string)
RedirectURLs constructs the redirect URI based on the request and the configured CallbackPath.
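The following is an added, self-contained illustration of the documented semantics of RedirectURLs together with the CallbackPath, Insecure and TokenCookieRemoveSubdomains fields of OAuthConfig. It is not skipper's own implementation: the grantCallbackSettings type, the method names, the sample host name app.team.example.org and the callback path /oauth2/callback are all constructed for this example, and the refusal to strip the hostname below two labels is this example's own safeguard, which the page does not describe.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// grantCallbackSettings mirrors the OAuthConfig fields this example needs
// (CallbackPath, Insecure, TokenCookieRemoveSubdomains). It is an added
// illustration of the documented semantics, not skipper's own type.
type grantCallbackSettings struct {
	CallbackPath                string
	Insecure                    bool
	TokenCookieRemoveSubdomains *int // nil means 1, as Init documents
}

// redirectURLs builds the OAuth2 redirect URI from the request host and
// CallbackPath, plus the original URL to send the user back to afterwards.
// The scheme is decided by the Insecure setting, never by a client-supplied
// header, so a request cannot steer the callback to a plaintext URL.
func (s grantCallbackSettings) redirectURLs(req *http.Request) (redirect, original string) {
	scheme := "https"
	if s.Insecure {
		scheme = "http"
	}
	redirect = (&url.URL{Scheme: scheme, Host: req.Host, Path: s.CallbackPath}).String()
	original = (&url.URL{
		Scheme:   scheme,
		Host:     req.Host,
		Path:     req.URL.Path,
		RawQuery: req.URL.RawQuery,
	}).String()
	return redirect, original
}

// tokenCookieDomain removes TokenCookieRemoveSubdomains leading labels from
// the callback hostname to obtain the cookie Domain attribute. Every label
// removed widens the set of hosts that will receive the encrypted token
// cookie, so this example additionally refuses to go below two labels; that
// guard is an assumption of this example, not documented behaviour of Init.
// Host names only; IPv6 literals are not handled here.
func (s grantCallbackSettings) tokenCookieDomain(callbackHost string) string {
	n := 1
	if s.TokenCookieRemoveSubdomains != nil {
		n = *s.TokenCookieRemoveSubdomains
	}
	host := strings.ToLower(callbackHost)
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i] // a Domain attribute never carries a port
	}
	labels := strings.Split(host, ".")
	for n > 0 && len(labels) > 2 {
		labels = labels[1:]
		n--
	}
	return strings.Join(labels, ".")
}

func main() {
	two := 2
	s := grantCallbackSettings{CallbackPath: "/oauth2/callback", TokenCookieRemoveSubdomains: &two}
	// Constructed sample request; the host name is fictional.
	req := &http.Request{
		Host: "app.team.example.org",
		URL:  &url.URL{Path: "/dashboard", RawQuery: "tab=1"},
	}
	redirect, original := s.redirectURLs(req)
	fmt.Println("redirect_uri: ", redirect)
	fmt.Println("original:     ", original)
	fmt.Println("cookie domain:", s.tokenCookieDomain(req.Host))
}
```

With TokenCookieRemoveSubdomains left nil the cookie for a callback on app.team.example.org is scoped to team.example.org; setting it to 2 scopes the cookie to example.org and therefore to every host under that domain, which is the trade-off to keep in mind when raising the value.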
type OauthState ¶ added in v0.10.153
type OidcOptions ¶ added in v0.13.205
type TokeninfoOptions ¶ added in v0.10.273
type TokeninfoOptions struct {
	URL          string
	Timeout      time.Duration
	MaxIdleConns int
	Tracer       opentracing.Tracer
	Metrics      metrics.Metrics

	// CacheSize configures the maximum number of cached tokens.
	// The cache periodically evicts random items when number of cached tokens exceeds CacheSize.
	// Zero value disables tokeninfo cache.
	CacheSize int

	// CacheTTL limits the lifetime of a cached tokeninfo.
	// Tokeninfo is cached for the duration of "expires_in" field value seconds or
	// for the duration of CacheTTL if it is not zero and less than "expires_in" value.
	CacheTTL time.Duration
}
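The CacheSize and CacheTTL rules above are easy to misread, so here is an added example that applies them to a constructed tokeninfo response. It is not skipper's tokeninfocache code: the tokeninfoCacheOptions type, the tokeninfoCacheTTL function and the small cache around it are written for this page, eviction happens on insert rather than periodically, and the decision to not cache a tokeninfo without a usable expires_in is this example's own choice.

```go
package main

import (
	"fmt"
	"time"
)

// tokeninfoCacheOptions mirrors the CacheSize and CacheTTL fields of
// TokeninfoOptions. This block is an added illustration of the documented
// cache rules, not skipper's tokeninfocache implementation.
type tokeninfoCacheOptions struct {
	CacheSize int           // 0 disables the cache
	CacheTTL  time.Duration // 0 means "use expires_in as-is"
}

// tokeninfoCacheTTL applies the documented rule: cache for expires_in seconds,
// or for CacheTTL when CacheTTL is non-zero and shorter than expires_in.
// A missing or non-positive expires_in yields 0 (do not cache), because the
// gateway would otherwise have no bound on how long it trusts the entry.
func tokeninfoCacheTTL(cacheTTL time.Duration, info map[string]any) time.Duration {
	var expiresIn time.Duration
	switch v := info["expires_in"].(type) {
	case float64: // encoding/json decodes JSON numbers into float64 by default
		expiresIn = time.Duration(v * float64(time.Second))
	case int:
		expiresIn = time.Duration(v) * time.Second
	}
	if expiresIn <= 0 {
		return 0
	}
	if cacheTTL > 0 && cacheTTL < expiresIn {
		return cacheTTL
	}
	return expiresIn
}

type cacheEntry struct {
	info    map[string]any
	expires time.Time
}

// tokeninfoCache is a minimal bounded cache with random eviction when full.
type tokeninfoCache struct {
	opts tokeninfoCacheOptions
	now  func() time.Time // injectable clock, so expiry can be tested
	m    map[string]cacheEntry
}

func newTokeninfoCache(opts tokeninfoCacheOptions) *tokeninfoCache {
	return &tokeninfoCache{opts: opts, now: time.Now, m: make(map[string]cacheEntry)}
}

// put stores info under token for the effective TTL; it is a no-op when the
// cache is disabled or the tokeninfo carries no usable expires_in.
func (c *tokeninfoCache) put(token string, info map[string]any) {
	ttl := tokeninfoCacheTTL(c.opts.CacheTTL, info)
	if c.opts.CacheSize <= 0 || ttl == 0 {
		return
	}
	if _, exists := c.m[token]; !exists && len(c.m) >= c.opts.CacheSize {
		for k := range c.m { // map iteration order is randomized: evict one arbitrary entry
			delete(c.m, k)
			break
		}
	}
	c.m[token] = cacheEntry{info: info, expires: c.now().Add(ttl)}
}

// get returns a cached tokeninfo only while it is within its TTL. Stale
// entries are dropped, so an expired or revoked token is re-validated
// against TokeninfoURL after at most CacheTTL.
func (c *tokeninfoCache) get(token string) (map[string]any, bool) {
	e, ok := c.m[token]
	if !ok {
		return nil, false
	}
	if !c.now().Before(e.expires) {
		delete(c.m, token)
		return nil, false
	}
	return e.info, true
}

func main() {
	c := newTokeninfoCache(tokeninfoCacheOptions{CacheSize: 100, CacheTTL: time.Minute})
	// Constructed sample tokeninfo response; the token value is fictional.
	info := map[string]any{"expires_in": float64(3600), "scope": []any{"read"}, "uid": "alice"}
	c.put("sample-token", info)
	fmt.Printf("effective TTL: %s (expires_in=1h, CacheTTL=1m)\n", tokeninfoCacheTTL(c.opts.CacheTTL, info))
	_, hit := c.get("sample-token")
	fmt.Println("cache hit:", hit)
}
```

The practical consequence: CacheTTL is the upper bound on how long a revoked token keeps passing the filter from the cache, so it should be set with that window in mind rather than purely for throughput.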
type TokenintrospectionOptions ¶ added in v0.10.273
type WebhookOptions ¶ added in v0.10.273
Source Files ¶
- auth.go
- authclient.go
- basic.go
- bearer.go
- doc.go
- forwardtoken.go
- forwardtokenfield.go
- grant.go
- grantcallback.go
- grantclaimsquery.go
- grantconfig.go
- grantcookie.go
- grantflowstate.go
- grantlogout.go
- grantprep.go
- jwt_metrics.go
- jwt_validation.go
- oidc.go
- oidc_introspection.go
- secretheader.go
- tokeninfo.go
- tokeninfocache.go
- tokenintrospection.go
- webhook.go
- yamlconfig.go