Documentation ¶
Overview ¶
oidc implements the authenticator.Token interface using the OpenID Connect protocol.
config := oidc.Options{ IssuerURL: "https://accounts.google.com", ClientID: os.Getenv("GOOGLE_CLIENT_ID"), UsernameClaim: "email", } tokenAuthenticator, err := oidc.New(config)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AllValidSigningAlgorithms ¶ added in v0.30.0
func AllValidSigningAlgorithms() []string
func RegisterMetrics ¶ added in v0.30.0
func RegisterMetrics()
Types ¶
type AuthenticatorTokenWithHealthCheck ¶ added in v0.30.0
type AuthenticatorTokenWithHealthCheck interface { authenticator.Token HealthCheck() error }
func New ¶
func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHealthCheck, error)
New returns an authenticator that is asynchronously initialized when opts.KeySet is not set. The input lifecycleCtx is used to: - terminate background goroutines that are needed for asynchronous initialization - as the base context for any requests that are made (i.e. for key fetching) Thus, once the lifecycleCtx is canceled, the authenticator must not be used. A caller may check if the authenticator is healthy by calling the HealthCheck method.
type CAContentProvider ¶ added in v0.22.0
type CAContentProvider interface {
CurrentCABundleContent() []byte
}
Subset of dynamiccertificates.CAContentProvider that can be used to dynamically load root CAs.
type Options ¶
type Options struct { // JWTAuthenticator is the authenticator that will be used to verify the JWT. JWTAuthenticator apiserver.JWTAuthenticator // Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer. // Mutually exclusive with JWTAuthenticator.Issuer.DiscoveryURL. KeySet oidc.KeySet // PEM encoded root certificate contents of the provider. Mutually exclusive with Client. CAContentProvider CAContentProvider // Optional http.Client used to make all requests to the remote issuer. Mutually exclusive with CAContentProvider. Client *http.Client // Optional CEL compiler used to compile the CEL expressions. This is useful to use a shared instance // of the compiler as these compilers holding a CEL environment are expensive to create. If not provided, // a default compiler will be created. // Note: the compiler construction depends on feature gates and the compatibility version to be initialized. Compiler authenticationcel.Compiler // SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that // can be used by the provider to sign tokens. // // https://tools.ietf.org/html/rfc7518#section-3.1 // // This value defaults to RS256, the value recommended by the OpenID Connect // spec: // // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation SupportedSigningAlgs []string DisallowedIssuers []string // contains filtered or unexported fields }
Click to show internal directories.
Click to hide internal directories.