Documentation ¶
Index ¶
Constants ¶
const ( StorageMetadataClaims = "io.flipt.auth.claims" StorageMetadataEmail = "io.flipt.auth.email" StorageMetadataName = "io.flipt.auth.name" )
Variables ¶
This section is empty.
Functions ¶
func CallbackValidateState ¶
CallbackValidateState validates the state for the callback request on both OIDC and GitHub as an OAuth provider.
func ForwardCookies ¶
ForwardCookies parses particular http cookies (Flipts state and client token) and forwards them as grpc metadata entries. This allows us to abstract away http constructs from the internal gRPC implementation.
Types ¶
type Middleware ¶
type Middleware struct {
// contains filtered or unexported fields
}
Middleware contains various extensions for appropriate integration of the OIDC services behind gRPC gateway. This includes forwarding cookies as gRPC metadata, adapting callback responses to http cookies, and establishing appropriate state parameters for csrf provention during the oauth/oidc flow.
func NewHTTPMiddleware ¶
func NewHTTPMiddleware(config config.AuthenticationSession) Middleware
NewHTTPMiddleware constructs and configures a new oidc HTTP middleware from the supplied authentication configuration struct.
func (Middleware) ForwardResponseOption ¶
func (m Middleware) ForwardResponseOption(ctx context.Context, w http.ResponseWriter, resp proto.Message) error
ForwardResponseOption is a grpc gateway forward response option function implementation. The purpose of which is to intercept outgoing Callback operation responses. When intercepted the resulting clientToken is stripped from the response payload and instead added to a response header cookie (Set-Cookie). This ensures a secure browser session can be established. The user-agent is then redirected to the root of the domain.
func (Middleware) Handler ¶
func (m Middleware) Handler(next http.Handler) http.Handler
Handler is a http middleware used to decorate the OIDC provider gateway handler. The middleware intercepts authorize attempts and automatically establishes an appropriate state parameter. It does so by wrapping any provided state parameter in a JSON object with an additional cryptographically-random generated security token. The payload is then encoded in base64 and added back to the state query param. The payload is then also encoded as a http cookie which is bound to the callback path.