Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DynamicTLSCertProvider ¶
type DynamicTLSCertProvider interface { SetIssuerHostToTLSCertMap(issuerToJWKSMap map[string]*tls.Certificate) SetDefaultTLSCert(certificate *tls.Certificate) GetTLSCert(lowercaseIssuerHostName string) *tls.Certificate GetDefaultTLSCert() *tls.Certificate }
func NewDynamicTLSCertProvider ¶
func NewDynamicTLSCertProvider() DynamicTLSCertProvider
type DynamicUpstreamIDPProvider ¶ added in v0.3.0
type DynamicUpstreamIDPProvider interface { SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI) GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI) GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI SetActiveDirectoryIdentityProviders(adIDPs []UpstreamLDAPIdentityProviderI) GetActiveDirectoryIdentityProviders() []UpstreamLDAPIdentityProviderI }
func NewDynamicUpstreamIDPProvider ¶ added in v0.3.0
func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider
type FederationDomainIssuer ¶ added in v0.3.0
type FederationDomainIssuer struct {
// contains filtered or unexported fields
}
FederationDomainIssuer represents all of the settings and state for a downstream OIDC provider as defined by a FederationDomain.
func NewFederationDomainIssuer ¶ added in v0.3.0
func NewFederationDomainIssuer(issuer string) (*FederationDomainIssuer, error)
func (*FederationDomainIssuer) Issuer ¶ added in v0.3.0
func (p *FederationDomainIssuer) Issuer() string
func (*FederationDomainIssuer) IssuerHost ¶ added in v0.3.0
func (p *FederationDomainIssuer) IssuerHost() string
func (*FederationDomainIssuer) IssuerPath ¶ added in v0.3.0
func (p *FederationDomainIssuer) IssuerPath() string
type RefreshAttributes ¶ added in v0.20.0
type RefreshAttributes struct { Username string Subject string DN string Groups []string AdditionalAttributes map[string]string GrantedScopes []string }
RefreshAttributes contains information about the user from the original login request and previous refreshes.
type RetryableRevocationError ¶ added in v0.13.0
type RetryableRevocationError struct {
// contains filtered or unexported fields
}
func NewRetryableRevocationError ¶ added in v0.13.0
func NewRetryableRevocationError(wrapped error) RetryableRevocationError
func (RetryableRevocationError) Error ¶ added in v0.13.0
func (e RetryableRevocationError) Error() string
func (RetryableRevocationError) Unwrap ¶ added in v0.13.0
func (e RetryableRevocationError) Unwrap() error
type RevocableTokenType ¶ added in v0.13.0
type RevocableTokenType string
const ( RefreshTokenType RevocableTokenType = "refresh_token" AccessTokenType RevocableTokenType = "access_token" )
These strings correspond to the token types defined by https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
type UpstreamLDAPIdentityProviderI ¶ added in v0.9.0
type UpstreamLDAPIdentityProviderI interface { // GetName returns a name for this upstream provider. GetName() string // GetURL returns a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234". // This URL is not used for connecting to the provider, but rather is used for creating a globally unique user // identifier by being combined with the user's UID, since user UIDs are only unique within one provider. GetURL() *url.URL // GetResourceUID returns the Kubernetes resource ID GetResourceUID() types.UID // UserAuthenticator adds an interface method for performing user authentication against the upstream LDAP provider. authenticators.UserAuthenticator // PerformRefresh performs a refresh against the upstream LDAP identity provider PerformRefresh(ctx context.Context, storedRefreshAttributes RefreshAttributes) (groups []string, err error) }
type UpstreamOIDCIdentityProviderI ¶ added in v0.3.0
type UpstreamOIDCIdentityProviderI interface { // GetName returns a name for this upstream provider, which will be used as a component of the path for the // callback endpoint hosted by the Supervisor. GetName() string // GetClientID returns the OAuth client ID registered with the upstream provider to be used in the authorization code flow. GetClientID() string // GetResourceUID returns the Kubernetes resource ID GetResourceUID() types.UID // GetAuthorizationURL returns the Authorization Endpoint fetched from discovery. GetAuthorizationURL() *url.URL // HasUserInfoURL returns whether there is a non-empty value for userinfo_endpoint fetched from discovery. HasUserInfoURL() bool // GetScopes returns the scopes to request in authorization (authcode or password grant) flow. GetScopes() []string // GetUsernameClaim returns the ID Token username claim name. May return empty string, in which case we // will use some reasonable defaults. GetUsernameClaim() string // GetGroupsClaim returns the ID Token groups claim name. May return empty string, in which case we won't // try to read groups from the upstream provider. GetGroupsClaim() string // AllowsPasswordGrant returns true if a client should be allowed to use the resource owner password credentials grant // flow with this upstream provider. When false, it should not be allowed. AllowsPasswordGrant() bool // GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests. GetAdditionalAuthcodeParams() map[string]string // GetAdditionalClaimMappings returns additional claims to be mapped from the upstream ID token. GetAdditionalClaimMappings() map[string]string // PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and // token validation. Returns the validated raw tokens as well as the parsed claims of the ID token. PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error) // ExchangeAuthcodeAndValidateTokens performs upstream OIDC authorization code exchange and token validation. // Returns the validated raw tokens as well as the parsed claims of the ID token. ExchangeAuthcodeAndValidateTokens( ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce, redirectURI string, ) (*oidctypes.Token, error) // PerformRefresh will call the provider's token endpoint to perform a refresh grant. The provider may or may not // return a new ID or refresh token in the response. If it returns an ID token, then use ValidateToken to // validate the ID token. PerformRefresh(ctx context.Context, refreshToken string) (*oauth2.Token, error) // RevokeToken will attempt to revoke the given token, if the provider has a revocation endpoint. // It may return an error wrapped by a RetryableRevocationError, which is an error indicating that it may // be worth trying to revoke the same token again later. Any other error returned should be assumed to // represent an error such that it is not worth retrying revocation later, even though revocation failed. RevokeToken(ctx context.Context, token string, tokenType RevocableTokenType) error // ValidateTokenAndMergeWithUserInfo will validate the ID token. It will also merge the claims from the userinfo endpoint response // into the ID token's claims, if the provider offers the userinfo endpoint. It returns the validated/updated // tokens, or an error. ValidateTokenAndMergeWithUserInfo(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce, requireIDToken bool, requireUserInfo bool) (*oidctypes.Token, error) }
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package csp defines helpers related to HTML Content Security Policies.
|
Package csp defines helpers related to HTML Content Security Policies. |
Package formposthtml defines HTML templates used by the Supervisor.
|
Package formposthtml defines HTML templates used by the Supervisor. |
Click to show internal directories.
Click to hide internal directories.