Documentation ¶
Index ¶
- type OIDCIssuer
- type OIDCIssuerVerifier
- type OIDCToken
- type OpenIDClient
- func (o *OpenIDClient) AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string
- func (o *OpenIDClient) Exchange(ctx context.Context, code string) (OIDCToken, error)
- func (o *OpenIDClient) Extract(rq *http.Request) (string, error)
- func (o *OpenIDClient) Verify(ctx context.Context, token string) (TokenClaims, error)
- type ServiceAccountAuthClient
- type TokenClaims
- type TokenExtractor
- type TokenExtractorPlugins
- type TokenExtractorVerifier
- type TokenVerifier
- type TokenVerifierPlugins
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type OIDCIssuer ¶
type OIDCIssuer interface { // AuthCodeURL returns a URL to OpenID provider's consent page // that asks for permissions for the required scopes explicitly. // // state is a token to protect the user from CSRF attacks. You must // always provide a non-zero string and validate that it matches the // the state query parameter on your redirect callback. // See http://tools.ietf.org/html/rfc6749#section-10.12 for more info. AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string // Exchange converts an authorization code into a token. Exchange(ctx context.Context, code string) (OIDCToken, error) }
OIDCIssuer exposes methods for getting OIDC tokens
type OIDCIssuerVerifier ¶
type OIDCIssuerVerifier interface { OIDCIssuer TokenVerifier }
OIDCIssuerVerifier combines OIDCIssuer and TokenVerifier
type OIDCToken ¶
type OIDCToken struct { // AccessToken is the token that authorizes and authenticates // the requests. AccessToken string // RefreshToken is a token that's used by the application // (as opposed to the user) to refresh the access token // if it expires. RefreshToken string // Expiry is the optional expiration time of the access token. // // If zero, TokenSource implementations will reuse the same // token forever and RefreshToken or equivalent // mechanisms for that TokenSource will not be used. Expiry time.Time // IDToken is the token that contains claims about authenticated user // // Users should use TokenVerifier.Verify method to verify and extract claim from the token IDToken string }
OIDCToken represents the credentials used to authorize the requests to access protected resources on the OAuth 2.0 provider's backend.
type OpenIDClient ¶
type OpenIDClient struct {
// contains filtered or unexported fields
}
OpenIDClient implements OIDCIssuerVerifier and TokenExtractorVerifier
func NewOpenIDClient ¶
func NewOpenIDClient(issuer, clientID, clientSecret, redirectURI string, extractor TokenExtractor, insecureSkipVerify bool, rootCertificates *x509.CertPool) (*OpenIDClient, error)
NewOpenIDClient returns an authentication middleware which authenticates against an openID server. If rootCertificates is nil, the host's root CAs will be used.
func (*OpenIDClient) AuthCodeURL ¶
func (o *OpenIDClient) AuthCodeURL(state string, offlineAsScope bool, scopes ...string) string
AuthCodeURL returns a URL to OpenID provider's consent page that asks for permissions for the required scopes explicitly.
State is a token to protect the user from CSRF attacks. You must always provide a non-zero string and validate that it matches the the state query parameter on your redirect callback. See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
func (*OpenIDClient) Extract ¶
func (o *OpenIDClient) Extract(rq *http.Request) (string, error)
Extractor knows how to extract the ID token from the request
func (*OpenIDClient) Verify ¶
func (o *OpenIDClient) Verify(ctx context.Context, token string) (TokenClaims, error)
Verify parses a raw ID Token, verifies it's been signed by the provider, performs any additional checks depending on the Config, and returns the payload as TokenClaims.
type ServiceAccountAuthClient ¶
type ServiceAccountAuthClient struct {
// contains filtered or unexported fields
}
ServiceAccountAuthClient implements TokenExtractorVerifier interface
func NewServiceAccountAuthClient ¶
func NewServiceAccountAuthClient(headerBearerTokenExtractor TokenExtractor, jwtTokenAuthenticator serviceaccount.TokenAuthenticator, saTokenProvider provider.PrivilegedServiceAccountTokenProvider) *ServiceAccountAuthClient
NewServiceAccountAuthClient returns a client that knows how to read and verify service account's tokens
func (*ServiceAccountAuthClient) Extract ¶
func (s *ServiceAccountAuthClient) Extract(rq *http.Request) (string, error)
Extractor knows how to extract the ID token from the request
func (*ServiceAccountAuthClient) Verify ¶
func (s *ServiceAccountAuthClient) Verify(ctx context.Context, token string) (TokenClaims, error)
Verify parses a raw ID Token, verifies it's been signed by the provider, performs any additional checks depending on the Config, and returns the payload as TokenClaims.
type TokenClaims ¶
type TokenClaims struct { Name string Email string Subject string Groups []string Expiry apiv1.Time }
TokenClaims holds various claims extracted from the id_token
type TokenExtractor ¶
type TokenExtractor interface { // Extract gets a token from the given HTTP request Extract(r *http.Request) (string, error) }
TokenExtractor is an interface that knows how to extract a token
func NewCombinedExtractor ¶
func NewCombinedExtractor(extractors ...TokenExtractor) TokenExtractor
NewCombinedExtractor returns an token extractor which tries a list of token extractors until it finds a token
func NewCookieHeaderBearerTokenExtractor ¶
func NewCookieHeaderBearerTokenExtractor(header string) TokenExtractor
func NewHeaderBearerTokenExtractor ¶
func NewHeaderBearerTokenExtractor(header string) TokenExtractor
NewHeaderBearerTokenExtractor returns a token extractor which extracts the token from the given header
func NewQueryParamBearerTokenExtractor ¶
func NewQueryParamBearerTokenExtractor(header string) TokenExtractor
NewQueryParamBearerTokenExtractor returns a token extractor which extracts the token from the given query parameter
type TokenExtractorPlugins ¶
type TokenExtractorPlugins struct {
// contains filtered or unexported fields
}
TokenExtractorPlugins implements TokenExtractor by calling registered plugins for a token extraction
func NewTokenExtractorPlugins ¶
func NewTokenExtractorPlugins(plugins []TokenExtractor) *TokenExtractorPlugins
NewTokenExtractorPlugins creates a new instance of TokenExtractorPlugins with the given plugins
func (*TokenExtractorPlugins) Extract ¶
func (p *TokenExtractorPlugins) Extract(r *http.Request) (string, error)
Extract calls all registered plugins to get a token from the given request. This method stops when a token has been found and doesn't try remaining plugins. If all plugins were checked an error is returned.
type TokenExtractorVerifier ¶
type TokenExtractorVerifier interface { TokenVerifier TokenExtractor }
TokenExtractorVerifier combines TokenVerifier and TokenExtractor interfaces
type TokenVerifier ¶
type TokenVerifier interface { // Verify parses a raw ID Token, verifies it's been signed by the provider, performs // any additional checks depending on the Config, and returns the payload as TokenClaims. Verify(ctx context.Context, token string) (TokenClaims, error) }
TokenVerifier knows how to verify a token
type TokenVerifierPlugins ¶
type TokenVerifierPlugins struct {
// contains filtered or unexported fields
}
TokenVerifierPlugins implements TokenVerifier interface by calling registered plugins for a token verification
func NewTokenVerifierPlugins ¶
func NewTokenVerifierPlugins(plugins []TokenVerifier) *TokenVerifierPlugins
NewTokenVerifierPlugins creates a new instance of TokenVerifierPlugins with the given plugins
func (*TokenVerifierPlugins) Verify ¶
func (p *TokenVerifierPlugins) Verify(ctx context.Context, token string) (TokenClaims, error)
Verify calls all registered plugins to check the given token. This method stops when a token has been validated and doesn't try remaining plugins. If all plugins were checked an error is returned.