oidc

package
v1.22.0
Published: May 23, 2023 License: GPL-3.0 Imports: 19 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func ForwardCookies

func ForwardCookies(ctx context.Context, req *http.Request) metadata.MD

ForwardCookies parses particular HTTP cookies (Flipt's state and client token) and forwards them as gRPC metadata entries. This allows us to abstract away HTTP constructs from the internal gRPC implementation.

Types

type Middleware

type Middleware struct {
	// contains filtered or unexported fields
}

Middleware contains various extensions for appropriate integration of the OIDC services behind the gRPC gateway. This includes forwarding cookies as gRPC metadata, adapting callback responses to HTTP cookies, and establishing appropriate state parameters for CSRF prevention during the OAuth/OIDC flow.

func NewHTTPMiddleware

func NewHTTPMiddleware(config config.AuthenticationSession) Middleware

NewHTTPMiddleware constructs and configures a new OIDC HTTP middleware from the supplied authentication configuration struct.

func (Middleware) ForwardResponseOption

func (m Middleware) ForwardResponseOption(ctx context.Context, w http.ResponseWriter, resp proto.Message) error

ForwardResponseOption is a gRPC gateway forward response option function implementation. Its purpose is to intercept outgoing Callback operation responses. When a response is intercepted, the resulting clientToken is stripped from the response payload and instead added to a response header cookie (Set-Cookie). This ensures a secure browser session can be established without exposing the token in the response body. The user-agent is then redirected to the root of the domain.

func (Middleware) Handler

func (m Middleware) Handler(next http.Handler) http.Handler

Handler is an HTTP middleware used to decorate the OIDC provider gateway handler. The middleware intercepts authorize attempts and automatically establishes an appropriate state parameter. It does so by wrapping any provided state parameter in a JSON object together with an additional cryptographically-random security token. The payload is then base64-encoded and written back to the state query parameter. The same payload is also set as an HTTP cookie bound to the callback path, so that the Callback operation can compare the cookie value against the state echoed back by the provider.

type Server

type Server struct {
	auth.UnimplementedAuthenticationMethodOIDCServiceServer
	// contains filtered or unexported fields
}

Server is the core OIDC server implementation for Flipt. It supports two primary operations:

- AuthorizeURL
- Callback

These are the two legs of the OIDC/OAuth flow.

Step 1: Flipt establishes a URL directed at the delegated authentication service (e.g. Google). The URL is configured using the client ID configured for the provider, a state parameter used to prevent CSRF attacks, and a callback URL directing back to the Callback operation.

Step 2: The user-agent navigates to the authorizer and establishes authenticity with them. Once established, they are redirected to the Callback operation with an authenticity code.

Step 3: The Callback operation uses this "code" and exchanges it with the authorization service for an ID Token. The validity of the response is checked (signature verified) and then the identity details contained in this response are used to create a temporary Flipt client token. This client token can be used to access the rest of the Flipt API. Given the user-agent is requesting using HTTP, the token is instead established as an HTTP cookie.

func NewServer

func NewServer(
	logger *zap.Logger,
	store storageauth.Store,
	config config.AuthenticationConfig,
) *Server

func (*Server) AuthorizeURL

AuthorizeURL constructs and returns a URL directed at the requested OIDC provider based on our internal oauth2 client configuration. The operation is configured to return a URL which ultimately redirects to the callback operation below.

func (*Server) Callback

func (s *Server) Callback(ctx context.Context, req *auth.CallbackRequest) (_ *auth.CallbackResponse, err error)

Callback attempts to authenticate a callback request from a delegated authorization service. Given the request includes a "state" parameter, the request's metadata is interrogated for the "flipt_client_state" metadata key. This entry must exist and its value must match the request state; otherwise the callback is rejected. The provided code is exchanged with the associated authorization service provider for an "id_token". We verify the retrieved "id_token" is valid and was issued for our client. Once verified, we extract the user's associated email address. Given all this completes successfully, we establish an associated clientToken in the backing authentication store with the identity information retrieved as metadata.
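The state handling described for Handler (wrap the caller's state with a random token, base64-encode it, set it as a cookie bound to the callback path) and for Callback (the "flipt_client_state" value must exist and match the echoed state) can be shown end to end in a few functions. The following is an added example and not Flipt's own code: the cookie name is taken from the page, while the callback path, the JSON field names, the provider URL and the constant-time comparison are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// stateCookieName matches the metadata key named on the page; callbackPath is
// constructed for this example.
const (
	stateCookieName = "flipt_client_state"
	callbackPath    = "/auth/v1/method/oidc/callback"
)

// wrappedState is the JSON payload carried in the state parameter (field names assumed).
type wrappedState struct {
	State         string `json:"state"`          // caller-supplied state, if any
	SecurityToken string `json:"security_token"` // random CSRF token
}

// wrapState wraps the caller's state with a fresh 256-bit random token and
// returns the base64 (URL-safe, unpadded) payload for the state query parameter.
func wrapState(userState string) (string, error) {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	raw, err := json.Marshal(wrappedState{
		State:         userState,
		SecurityToken: base64.RawURLEncoding.EncodeToString(tok),
	})
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// authorizeHandler mimics the Handler middleware leg: it rewrites the state
// query parameter and stores the same value in a cookie scoped to the callback path.
func authorizeHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	wrapped, err := wrapState(q.Get("state"))
	if err != nil {
		http.Error(w, "cannot generate state", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{
		Name:     stateCookieName,
		Value:    wrapped,
		Path:     callbackPath, // only sent back to the callback endpoint
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode, // Lax: still sent on the top-level redirect from the provider
	})
	q.Set("state", wrapped)
	// The provider URL is a placeholder for this example.
	http.Redirect(w, r, "https://idp.example/authorize?"+q.Encode(), http.StatusFound)
}

// verifyCallbackState implements the Callback check: the cookie-derived state must
// exist and equal the state echoed by the provider. It returns the caller's original state.
func verifyCallbackState(cookieState, queryState string) (string, error) {
	if cookieState == "" || queryState == "" {
		return "", errors.New("missing state")
	}
	if subtle.ConstantTimeCompare([]byte(cookieState), []byte(queryState)) != 1 {
		return "", errors.New("state mismatch")
	}
	raw, err := base64.RawURLEncoding.DecodeString(queryState)
	if err != nil {
		return "", err
	}
	var ws wrappedState
	if err := json.Unmarshal(raw, &ws); err != nil {
		return "", err
	}
	if ws.SecurityToken == "" {
		return "", errors.New("empty security token")
	}
	return ws.State, nil
}

// runFlow drives both legs in memory: the authorize leg produces the cookie and
// the redirect's state; the callback leg verifies one against the other.
func runFlow(userState string) (string, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/authorize?state="+url.QueryEscape(userState), nil)
	authorizeHandler(rec, req)

	var cookieState string
	for _, c := range rec.Result().Cookies() {
		if c.Name == stateCookieName {
			cookieState = c.Value
		}
	}
	loc, err := url.Parse(rec.Header().Get("Location"))
	if err != nil {
		return "", err
	}
	return verifyCallbackState(cookieState, loc.Query().Get("state"))
}

func main() {
	fmt.Println(runFlow("next=/flags"))
}
```

A callback that carries a state the client never issued (no cookie), or whose echoed state differs from the cookie, fails the comparison before any code is exchanged with the provider; binding the cookie to the callback path keeps it out of every other request.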

func (*Server) RegisterGRPC

func (s *Server) RegisterGRPC(server *grpc.Server)

RegisterGRPC registers the Server as the OIDC authentication method service on the provided gRPC server.
