Documentation
Overview
Package iamgooglemember provides primitives for resolving IAM members from Google ID tokens.
Constants
const (
	GoogleCloudEndpointUserInfoHeader   = "x-endpoint-api-userinfo"
	GoogleCloudAPIGatewayUserInfoHeader = "x-apigateway-api-userinfo"
)
Known UserInfo headers.
const Issuer = "accounts.google.com"
Issuer is the issuer of Google ID tokens.
Variables
This section is empty.
Functions
func ResolveAuthorizationHeader
func ResolveAuthorizationHeader(userInfoResolver UserInfoResolver) iammember.Resolver
ResolveAuthorizationHeader returns an iammember.Resolver that uses the provided UserInfoResolver to resolve IAM members from the standard authorization header.
func ResolveUserInfoHeader
func ResolveUserInfoHeader(header string, userInfoResolver UserInfoResolver) iammember.Resolver
ResolveUserInfoHeader returns an iammember.Resolver that uses the provided UserInfoResolver to resolve IAM members from a UserInfo header.
Types
type UserInfo
type UserInfo struct {
	// Issuer is an identifier for the Issuer of the response.
	// Always https://accounts.google.com or accounts.google.com for Google ID tokens.
	Issuer string `json:"iss,omitempty"`

	// ClientID of the authorized presenter.
	// This claim is only needed when the party requesting the ID token is not the same as the audience of the ID token.
	// This may be the case at Google for hybrid apps where a web application and Android app have a different OAuth 2.0
	// client ID but share the same Google APIs project.
	ClientID string `json:"azp,omitempty"`

	// Audience that this ID token is intended for.
	Audience string `json:"aud,omitempty"`

	// Subject is an identifier for the user, unique among all Google accounts and never reused.
	Subject string `json:"sub,omitempty"`

	// HostedDomain is the hosted G Suite domain of the user. Provided only if the user belongs to a hosted domain.
	HostedDomain string `json:"hd,omitempty"`

	// Email is user's email address. May be unset.
	Email string `json:"email,omitempty"`

	// EmailVerified is true if the user's e-mail address has been verified; otherwise false.
	EmailVerified bool `json:"email_verified,omitempty"`

	// AccessTokenHash provides validation that the access token is tied to the identity token.
	// If the ID token is issued with an access token value in the server flow, this claim is always included.
	// This claim can be used as an alternate mechanism to protect against cross-site request forgery attacks,
	// but if you use CSRF it is not necessary to verify the access token.
	AccessTokenHash string `json:"at_hash,omitempty"`

	// Name is the user's full name, in a displayable form.
	// When name claims are present, you can use them to update your app's user records.
	// Note that this claim is never guaranteed to be present.
	Name string `json:"name,omitempty"`

	// Picture is the URL of the user's profile picture.
	// When picture claims are present, you can use them to update your app's user records.
	// Note that this claim is never guaranteed to be present.
	Picture string `json:"picture,omitempty"`

	// GivenName is the user's given name(s) or first name(s). Might be provided when a name claim is present.
	GivenName string `json:"given_name,omitempty"`

	// FamilyName is the user's surname(s) or last name(s). Might be provided when a name claim is present.
	FamilyName string `json:"family_name,omitempty"`

	// The user's locale, represented by a BCP 47 language tag. Might be provided when a name claim is present.
	Locale string `json:"locale,omitempty"`

	// IssuedAt is the time the ID token was issued.
	// Represented in Unix time (integer seconds).
	IssuedAt int64 `json:"iat,omitempty"`

	// Expires is the expiration time on or after which the ID token must not be accepted.
	// Represented in Unix time (integer seconds).
	Expires int64 `json:"exp,omitempty"`

	// JWTID is the JWT ID of the ID token.
	JWTID string `json:"jti,omitempty"`
}
UserInfo from a Google ID token.
See: https://developers.google.com/identity/protocols/oauth2/openid-connect
func (*UserInfo) UnmarshalBase64
UnmarshalBase64 unmarshals the UserInfo from the provided Base64-URL-encoded string.
func (*UserInfo) UnmarshalJWT
UnmarshalJWT unmarshals the UserInfo from the provided JWT token.
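An added example, not this package's own code: it decodes a Base64-URL-encoded UserInfo header value and checks the iss, exp and email_verified claims documented above before deriving a member. The local claims type, the function name memberFromUserInfoHeader and the "user:<email>" member format are assumptions of this example. Decoding verifies no signature, so the result is only as trustworthy as the gateway that set the header.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is a local subset of the UserInfo fields documented above
// (hypothetical type for this example, not the package's UserInfo).
type claims struct {
	Issuer        string `json:"iss"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Expires       int64  `json:"exp"`
}

// memberFromUserInfoHeader decodes a Base64-URL UserInfo header value and
// returns a member string, rejecting claims that should not be trusted.
// The "user:<email>" format is an assumption of this example.
func memberFromUserInfoHeader(value string, now time.Time) (string, error) {
	// Accept both padded and unpadded Base64-URL input.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(value, "="))
	if err != nil {
		return "", fmt.Errorf("decode userinfo: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("parse userinfo: %w", err)
	}
	switch {
	case c.Issuer != "accounts.google.com" && c.Issuer != "https://accounts.google.com":
		return "", errors.New("unexpected issuer")
	case c.Expires == 0 || !now.Before(time.Unix(c.Expires, 0)):
		return "", errors.New("token expired or exp missing")
	case c.Email == "" || !c.EmailVerified:
		return "", errors.New("email missing or unverified")
	}
	return "user:" + c.Email, nil
}

func main() {
	// Constructed sample payload, Base64-URL-encoded as a header value would be.
	payload := `{"iss":"https://accounts.google.com","email":"alice@example.com","email_verified":true,"exp":4102444800}`
	header := base64.RawURLEncoding.EncodeToString([]byte(payload))
	fmt.Println(memberFromUserInfoHeader(header, time.Now()))
}
```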