oidc package v1.39.0

This package is not in the latest version of its module.

Published: Mar 25, 2024 License: GPL-3.0 Imports: 14 Imported by: 0

Documentation

Constants

This section is empty.

Variables

View Source
var PKCEVerifier, _ = capoidc.NewCodeVerifier()

PKCEVerifier is a code verifier used for a PKCE flow during OIDC authentication. This value is declared outside the scope of the function so that the same verifier is used consistently across the authentication legs of OIDC.

Functions

This section is empty.

Types

type Server

type Server struct {
	auth.UnimplementedAuthenticationMethodOIDCServiceServer
	// contains filtered or unexported fields
}

Server is the core OIDC server implementation for Flipt. It supports two primary operations:

- AuthorizeURL
- Callback

These are the two legs of the OIDC/OAuth flow.

Step 1: Flipt establishes a URL directed at the delegated authentication service (e.g. Google). The URL is configured using the client ID configured for the provider, a state parameter used to prevent CSRF attacks, and a callback URL directing back to the Callback operation.

Step 2: The user-agent navigates to the authorizer and establishes authenticity with them. Once established, they're redirected to the Callback operation with an authenticity code.

Step 3: The Callback operation uses this "code" and exchanges it with the authorization service for an ID Token. The validity of the response is checked (signature verified) and then the identity details contained in this response are used to create a temporary Flipt client token. This client token can be used to access the rest of the Flipt API. Given the user-agent is requesting over HTTP, the token is instead established as an HTTP cookie.

func NewServer

func NewServer(
	logger *zap.Logger,
	store storageauth.Store,
	config config.AuthenticationConfig,
) *Server

func (*Server) AuthorizeURL

AuthorizeURL constructs and returns a URL directed at the requested OIDC provider based on our internal oauth2 client configuration. The operation is configured to return a URL which ultimately redirects to the callback operation below.

func (*Server) Callback

func (s *Server) Callback(ctx context.Context, req *auth.CallbackRequest) (_ *auth.CallbackResponse, err error)

Callback attempts to authenticate a callback request from a delegated authorization service. Given the request includes a "state" parameter, the request's metadata is interrogated for the "flipt_client_state" metadata key. This entry must exist and its value must match the request state. The provided code is exchanged with the associated authorization service provider for an "id_token". We verify the retrieved "id_token" is valid and issued for our client. Once verified, we extract the user's associated email address. Given all this completes successfully, we establish an associated clientToken in the backing authentication store with the identity information retrieved as metadata.
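The two checks the docs above rely on, the PKCE verifier/challenge pair (see the PKCEVerifier variable) and the state-versus-metadata comparison in Callback, shown as an added, stand-alone example that is not Flipt's own code. The function names, the 32-byte verifier size and the use of the "flipt_client_state" metadata key as a plain map are assumptions for illustration; the S256 derivation and the per-request verifier follow RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// stateMetadataKey is the metadata key Callback checks (name from the docs above).
const stateMetadataKey = "flipt_client_state"

// newCodeVerifier returns a fresh PKCE code verifier (RFC 7636, 4.1): 32 random
// bytes, base64url without padding. RFC 7636 ties one verifier to one request.
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives the challenge sent in the authorize URL, i.e.
// BASE64URL(SHA256(verifier)); the provider checks the verifier against it later.
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// checkCallbackState mirrors the CSRF check described for Callback: the
// metadata entry must exist and equal the state the provider echoed back.
// A constant-time compare avoids leaking how many leading bytes matched.
func checkCallbackState(md map[string][]string, reqState string) error {
	vals, ok := md[stateMetadataKey]
	if !ok || len(vals) == 0 || reqState == "" {
		return errors.New("missing client state")
	}
	if subtle.ConstantTimeCompare([]byte(vals[0]), []byte(reqState)) != 1 {
		return errors.New("state mismatch: rejecting callback")
	}
	return nil
}

func main() {
	v, _ := newCodeVerifier()
	fmt.Println("verifier:", v, "challenge:", codeChallengeS256(v))
}
```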

func (*Server) RegisterGRPC

func (s *Server) RegisterGRPC(server *grpc.Server)

RegisterGRPC registers the server as a Server on the provided grpc server.

func (*Server) SkipsAuthentication

func (s *Server) SkipsAuthentication(ctx context.Context) bool
