Documentation ¶
Index ¶
- Variables
- type Server
- func (s *Server) AuthorizeURL(ctx context.Context, req *auth.AuthorizeURLRequest) (*auth.AuthorizeURLResponse, error)
- func (s *Server) Callback(ctx context.Context, req *auth.CallbackRequest) (_ *auth.CallbackResponse, err error)
- func (s *Server) RegisterGRPC(server *grpc.Server)
- func (s *Server) SkipsAuthentication(ctx context.Context) bool
Constants ¶
This section is empty.
Variables ¶
var PKCEVerifier, _ = capoidc.NewCodeVerifier()
PKCEVerifier is a code verifier used for a PKCE flow during OIDC authentication. This value is declared outside the scope of the function so that the same verifier is used consistently across the authentication legs of OIDC.
Functions ¶
This section is empty.
Types ¶
type Server ¶
type Server struct {
	auth.UnimplementedAuthenticationMethodOIDCServiceServer
	// contains filtered or unexported fields
}
Server is the core OIDC server implementation for Flipt. It supports two primary operations:
- AuthorizeURL
- Callback
These are the two legs of the OIDC/OAuth flow.
Step 1: Flipt establishes a URL directed at the delegated authentication service (e.g. Google). The URL is configured using the client ID configured for the provider, a state parameter used to prevent CSRF attacks, and a callback URL directing back to the Callback operation.
Step 2: The user-agent navigates to the authorizer and establishes authenticity with them. Once established, they are redirected to the Callback operation with an authorization code.
Step 3: The Callback operation uses this "code" and exchanges it with the authorization service for an ID Token. The validity of the response is checked (signature verified) and then the identity details contained in this response are used to create a temporary Flipt client token. This client token can be used to access the rest of the Flipt API. Given the user-agent is requesting over HTTP, the token is instead established as an HTTP cookie.
func NewServer ¶
func NewServer(
	logger *zap.Logger,
	store storageauth.Store,
	config config.AuthenticationConfig,
) *Server
func (*Server) AuthorizeURL ¶
func (s *Server) AuthorizeURL(ctx context.Context, req *auth.AuthorizeURLRequest) (*auth.AuthorizeURLResponse, error)
AuthorizeURL constructs and returns a URL directed at the requested OIDC provider based on our internal oauth2 client configuration. The operation is configured to return a URL which ultimately redirects to the callback operation below.
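The following is an added example, not Flipt's code, showing the first leg described above together with the PKCE verifier from the Variables section: a per-request code verifier and state are generated, the S256 challenge is derived as RFC 7636 specifies, and the authorize URL is built with client_id, redirect_uri, state and the challenge. The ProviderConfig type and its field names are assumptions for this example and are not Flipt's configuration types; real provider endpoints and client IDs are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// ProviderConfig holds what the AuthorizeURL leg needs. The field names are
// assumptions for this example, not Flipt's configuration types.
type ProviderConfig struct {
	AuthorizationEndpoint string   // provider's authorize endpoint
	ClientID              string   // client ID registered with the provider
	RedirectURL           string   // must point back at the Callback operation
	Scopes                []string // "openid" plus whatever identity claims are needed
}

// NewCodeVerifier returns a fresh PKCE code verifier (RFC 7636 section 4.1):
// 32 random bytes, base64url-encoded without padding, which yields 43
// unreserved characters. RFC 7636 creates one verifier per authorization
// request; the provider later checks it against the challenge sent here.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generating code verifier: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the challenge placed on the authorize URL:
// BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewState returns a random, unguessable state value that binds this
// authorize request to the later callback (the CSRF protection on the page).
func NewState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generating state: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds the first-leg URL: response_type=code, the client ID,
// the redirect back to the callback, the anti-CSRF state, and the PKCE
// challenge with its method.
func AuthorizeURL(cfg ProviderConfig, state, verifier string) (string, error) {
	u, err := url.Parse(cfg.AuthorizationEndpoint)
	if err != nil {
		return "", fmt.Errorf("parsing authorization endpoint: %w", err)
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURL)
	q.Set("scope", strings.Join(cfg.Scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", CodeChallengeS256(verifier))
	q.Set("code_challenge_method", "S256")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Placeholder provider values, constructed for this example.
	cfg := ProviderConfig{
		AuthorizationEndpoint: "https://provider.example/authorize",
		ClientID:              "example-client-id",
		RedirectURL:           "https://flipt.example/auth/v1/method/oidc/callback",
		Scopes:                []string{"openid", "email"},
	}
	state, _ := NewState()
	verifier, _ := NewCodeVerifier()
	u, err := AuthorizeURL(cfg, state, verifier)
	if err != nil {
		panic(err)
	}
	fmt.Println(u)
}
```

The state and verifier returned here are what the callback leg later needs: the state to compare against the flipt_client_state metadata, and the verifier to present during the code exchange.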
func (*Server) Callback ¶
func (s *Server) Callback(ctx context.Context, req *auth.CallbackRequest) (_ *auth.CallbackResponse, err error)
Callback attempts to authenticate a callback request from a delegated authorization service. Given the request includes a "state" parameter, the request's metadata is interrogated for the "flipt_client_state" metadata key. This entry must exist and its value must match the request state. The provided code is exchanged with the associated authorization service provider for an "id_token". We verify the retrieved "id_token" is valid and for our client. Once verified, we extract the user's associated email address. Given all this completes successfully, we establish an associated clientToken in the backing authentication store with the identity information retrieved as metadata.
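The checks the Callback description lists, as an added example that is not Flipt's code: the state parameter is compared against the flipt_client_state metadata entry in constant time, and the id_token claims are validated for issuer, audience (our client) and expiry before the email is taken as identity metadata. The Metadata type stands in for gRPC incoming metadata so the example runs without the grpc module; the claim structure, expected issuer and client ID are assumptions for this example. Signature verification of the id_token and the code exchange itself are left to the OIDC library (the capoidc package on the page) and are not reimplemented here.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// stateMetadataKey is the metadata entry the callback compares against the
// request's state parameter (named on the page).
const stateMetadataKey = "flipt_client_state"

// Metadata mirrors the shape of gRPC incoming metadata (key to values). In a
// real server it comes from metadata.FromIncomingContext(ctx).
type Metadata map[string][]string

// CheckState enforces the callback's first condition: the request carries a
// state, the flipt_client_state entry exists exactly once, and the two match.
// ConstantTimeCompare avoids leaking through timing how much of the expected
// state a forged request got right.
func CheckState(md Metadata, requestState string) error {
	if requestState == "" {
		return errors.New("callback: missing state parameter")
	}
	vals, ok := md[stateMetadataKey]
	if !ok || len(vals) != 1 || vals[0] == "" {
		return fmt.Errorf("callback: metadata %q missing or ambiguous", stateMetadataKey)
	}
	if subtle.ConstantTimeCompare([]byte(vals[0]), []byte(requestState)) != 1 {
		return errors.New("callback: state mismatch")
	}
	return nil
}

// IDTokenClaims holds the standard claims checked after the OIDC library has
// verified the id_token signature. Field layout is an assumption for this
// example.
type IDTokenClaims struct {
	Issuer   string    // "iss"
	Audience []string  // "aud"
	Expiry   time.Time // "exp"
	Email    string    // "email"
}

// ValidateClaims confirms the (already signature-verified) id_token was issued
// by the expected provider, for our client, and has not expired, and returns
// the email that becomes identity metadata on the Flipt client token.
func ValidateClaims(c IDTokenClaims, expectedIssuer, clientID string, now time.Time) (string, error) {
	if c.Issuer != expectedIssuer {
		return "", fmt.Errorf("id_token: unexpected issuer %q", c.Issuer)
	}
	audienceOK := false
	for _, a := range c.Audience {
		if a == clientID {
			audienceOK = true
		}
	}
	if !audienceOK {
		return "", errors.New("id_token: not issued for our client")
	}
	if !now.Before(c.Expiry) {
		return "", errors.New("id_token: expired")
	}
	if c.Email == "" {
		return "", errors.New("id_token: no email claim")
	}
	return c.Email, nil
}

func main() {
	// Constructed sample callback: metadata set on the first leg and the
	// state echoed back by the provider.
	md := Metadata{stateMetadataKey: {"Zm9vYmFyLXN0YXRl"}}
	if err := CheckState(md, "Zm9vYmFyLXN0YXRl"); err != nil {
		panic(err)
	}
	claims := IDTokenClaims{
		Issuer:   "https://provider.example",
		Audience: []string{"example-client-id"},
		Expiry:   time.Now().Add(time.Hour),
		Email:    "user@example.com",
	}
	email, err := ValidateClaims(claims, "https://provider.example", "example-client-id", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("authenticated:", email)
}
```

Only after both checks pass would the server create the temporary client token in the authentication store, with the email carried as metadata.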
func (*Server) RegisterGRPC ¶
func (s *Server) RegisterGRPC(server *grpc.Server)
RegisterGRPC registers the Server as an OIDC authentication method service server on the provided gRPC server.