Package oidc v1.110.1

This package is not in the latest version of its module.
Published: Aug 6, 2024 License: AGPL-3.0 Imports: 19 Imported by: 0

Documentation

Overview

Package oidc provides all the elements needed to support OAuth and OpenID Connect workflows using Storj as an identity provider and resource server.

Constants

const (
	// KindUnknown is used to represent an entry for which we do not recognize the value.
	KindUnknown = 0
	// KindAccessToken represents an access token within the database.
	KindAccessToken = 1
	// KindRefreshToken represents a refresh token within the database.
	KindRefreshToken = 2
	// KindRESTTokenV0 represents a REST token within the database.
	KindRESTTokenV0 = 3
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ClientStore added in v1.51.2

type ClientStore struct {
	// contains filtered or unexported fields
}

ClientStore provides a simple adapter for the oauth implementation.

func (*ClientStore) GetByID added in v1.51.2

func (c *ClientStore) GetByID(ctx context.Context, id string) (_ oauth2.ClientInfo, err error)

GetByID returns client information by id.

type DB

type DB interface {
	// OAuthClients returns an API for the oauthclients repository.
	OAuthClients() OAuthClients
	// OAuthCodes returns an API for the oauthcodes repository.
	OAuthCodes() OAuthCodes
	// OAuthTokens returns an API for the oauthtokens repository.
	OAuthTokens() OAuthTokens
}

DB defines a collection of resources that fall under the scope of OIDC and OAuth operations.

architecture: Database

func NewDB

func NewDB(dbxdb *dbx.DB) DB

NewDB constructs a database using the provided dbx db.

type Endpoint added in v1.51.1

type Endpoint struct {
	// contains filtered or unexported fields
}

Endpoint implements an OpenID Connect (OIDC) Identity Provider. It grants client applications access to resources in the Storj network on behalf of the end user.

architecture: Endpoint

func NewEndpoint added in v1.51.1

func NewEndpoint(
	nodeURL storj.NodeURL, externalAddress string, log *zap.Logger,
	oidcService *Service, service *console.Service,
	codeExpiry, accessTokenExpiry, refreshTokenExpiry time.Duration,
) *Endpoint

NewEndpoint constructs an OpenID identity provider.

func (*Endpoint) AuthorizeUser added in v1.51.1

func (e *Endpoint) AuthorizeUser(w http.ResponseWriter, r *http.Request)

AuthorizeUser is called from an authenticated context granting the requester access to the application. We redirect back to the client application with the provided state and obtained code.

func (*Endpoint) GetClient added in v1.54.1

func (e *Endpoint) GetClient(w http.ResponseWriter, r *http.Request)

GetClient returns non-sensitive information about an OAuthClient. This information is used to initially verify client applications who are requesting information on behalf of a user.

func (*Endpoint) Tokens added in v1.51.1

func (e *Endpoint) Tokens(w http.ResponseWriter, r *http.Request)

Tokens exchanges unexpired refresh tokens or codes provided by AuthorizeUser for the associated set of tokens.

func (*Endpoint) UserInfo added in v1.51.1

func (e *Endpoint) UserInfo(w http.ResponseWriter, r *http.Request)

UserInfo uses the provided access token to look up the associated user information.

func (*Endpoint) WellKnownConfiguration added in v1.51.1

func (e *Endpoint) WellKnownConfiguration(w http.ResponseWriter, r *http.Request)

WellKnownConfiguration renders the identity provider configuration that points clients to various endpoints.

type GenerateService added in v1.51.1

type GenerateService interface {
	GetAPIKeyInfoByName(context.Context, uuid.UUID, string) (*console.APIKeyInfo, error)
	CreateAPIKey(context.Context, uuid.UUID, string, macaroon.APIKeyVersion) (*console.APIKeyInfo, *macaroon.APIKey, error)
	GetUser(ctx context.Context, id uuid.UUID) (u *console.User, err error)
}

GenerateService defines the minimal interface needed to generate macaroon-based API keys.

type MacaroonAccessGenerate added in v1.51.1

type MacaroonAccessGenerate struct {
	Service GenerateService
}

MacaroonAccessGenerate provides an access_token and refresh_token generator using Storj's Macaroons.

func (*MacaroonAccessGenerate) Token added in v1.51.1

func (a *MacaroonAccessGenerate) Token(ctx context.Context, data *oauth2.GenerateBasic, isGenRefresh bool) (access, refresh string, err error)

Token issues access and refresh tokens that are backed by storj's Macaroons. This expects several scopes to be set on the request. The following describes the available scopes supported by the macaroon style of access token.

project:<projectId>  - required, scopes operations to a single project (one)
bucket:<name>        - optional, scopes operations to one or many buckets (repeatable)
object:list          - optional, allows listing object data
object:read          - optional, allows reading object data
object:write         - optional, allows writing object data
object:delete        - optional, allows deleting object data

In OAuth 2.0, access_tokens are short-lived tokens that authorize operations to be performed on behalf of an end user. refresh_tokens are longer-lived tokens that allow you to obtain new access tokens without involving the user again.
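The scope list above is the only place the page spells out the grammar of a macaroon-style access token request, so here is an added validator for it. This is example code written for this page, not part of the storj oidc package: the struct and function names (MacaroonScopes, ParseMacaroonScopes) are this example's own, and the project id is treated as an opaque string rather than a storj uuid. It enforces the rules as stated (exactly one project, repeatable buckets, the four object permissions) and rejects anything else, so an unrecognised or duplicated scope fails closed instead of being silently dropped.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MacaroonScopes is the parsed form of the space-separated scope string
// described above. The type and its field names are this example's own.
type MacaroonScopes struct {
	Project string   // exactly one project:<projectId> is required
	Buckets []string // zero or more bucket:<name> entries
	List    bool     // object:list
	Read    bool     // object:read
	Write   bool     // object:write
	Delete  bool     // object:delete
}

// ParseMacaroonScopes validates a scope string against the rules listed above.
// Unknown and repeated scopes are rejected rather than ignored, so a request
// cannot carry a permission the provider never defined.
func ParseMacaroonScopes(scope string) (MacaroonScopes, error) {
	var out MacaroonScopes
	seen := map[string]bool{}
	for _, s := range strings.Fields(scope) {
		if seen[s] {
			return MacaroonScopes{}, fmt.Errorf("duplicate scope %q", s)
		}
		seen[s] = true
		switch {
		case strings.HasPrefix(s, "project:"):
			id := strings.TrimPrefix(s, "project:")
			if id == "" {
				return MacaroonScopes{}, errors.New("project scope has an empty id")
			}
			if out.Project != "" {
				return MacaroonScopes{}, errors.New("more than one project scope supplied")
			}
			out.Project = id
		case strings.HasPrefix(s, "bucket:"):
			name := strings.TrimPrefix(s, "bucket:")
			if name == "" {
				return MacaroonScopes{}, errors.New("bucket scope has an empty name")
			}
			out.Buckets = append(out.Buckets, name)
		case s == "object:list":
			out.List = true
		case s == "object:read":
			out.Read = true
		case s == "object:write":
			out.Write = true
		case s == "object:delete":
			out.Delete = true
		default:
			return MacaroonScopes{}, fmt.Errorf("unknown scope %q", s)
		}
	}
	if out.Project == "" {
		return MacaroonScopes{}, errors.New("project scope is required")
	}
	return out, nil
}

func main() {
	// Constructed sample request: one project, two buckets, read-only object access.
	got, err := ParseMacaroonScopes("project:11111111-2222-3333-4444-555555555555 bucket:photos bucket:docs object:read object:list")
	fmt.Printf("%+v err=%v\n", got, err)

	// A scope outside the documented set is refused outright.
	_, err = ParseMacaroonScopes("project:11111111-2222-3333-4444-555555555555 object:admin")
	fmt.Println("unknown scope:", err)
}
```

Validating the scope string before any token is minted keeps the macaroon's caveats exactly as narrow as the client asked for; a parser that skipped unknown entries would make it easy to misread a rejected request as a granted one.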

type OAuthClient

type OAuthClient struct {
	ID          uuid.UUID `json:"id"`
	Secret      []byte    `json:"secret"`
	UserID      uuid.UUID `json:"userID"`
	RedirectURL string    `json:"redirectURL"`
	AppName     string    `json:"appName"`
	AppLogoURL  string    `json:"appLogoURL"`
}

OAuthClient defines a concrete representation of an oauth client.

func (OAuthClient) GetDomain

func (o OAuthClient) GetDomain() string

GetDomain returns the allowed redirect url associated with the client.

func (OAuthClient) GetID

func (o OAuthClient) GetID() string

GetID returns the client's id.

func (OAuthClient) GetSecret

func (o OAuthClient) GetSecret() string

GetSecret returns the client's secret.

func (OAuthClient) GetUserID

func (o OAuthClient) GetUserID() string

GetUserID returns the owner's user id.

type OAuthClients

type OAuthClients interface {
	// Get returns the OAuthClient associated with the provided id.
	Get(ctx context.Context, id uuid.UUID) (OAuthClient, error)

	// Create creates a new OAuthClient.
	Create(ctx context.Context, client OAuthClient) error

	// Update modifies information for the provided OAuthClient.
	Update(ctx context.Context, client OAuthClient) error

	// Delete deletes the identified client from the database.
	Delete(ctx context.Context, id uuid.UUID) error
}

OAuthClients defines an interface for creating, updating, and obtaining information about oauth clients known to our system.

type OAuthCode

type OAuthCode struct {
	ClientID        uuid.UUID
	UserID          uuid.UUID
	Scope           string
	RedirectURL     string
	Challenge       string
	ChallengeMethod string
	Code            string
	CreatedAt       time.Time
	ExpiresAt       time.Time
	ClaimedAt       *time.Time
}

OAuthCode represents a code stored within our database.

type OAuthCodes

type OAuthCodes interface {
	// Get retrieves the OAuthCode for the specified code. Implementations should only return unexpired, unclaimed
	// codes. Once a code has been claimed, it should be marked as such to prevent future calls from exchanging the
	// value for an access token.
	Get(ctx context.Context, code string) (OAuthCode, error)

	// Create creates a new OAuthCode.
	Create(ctx context.Context, code OAuthCode) error

	// Claim marks that the provided code has been claimed and should not be issued to another caller.
	Claim(ctx context.Context, code string) error
}

OAuthCodes defines a set of operations allowed to be performed against oauth codes.
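The Get and Claim contract above is what stops an authorization code from being exchanged twice. The following in-memory store is an added example of honouring that contract; it is not the package's own dbx-backed implementation. It keeps only the Code, ExpiresAt and ClaimedAt fields of OAuthCode (the real struct also carries client, user, scope, redirect URL and PKCE challenge data), takes an injectable clock so expiry can be exercised deterministically, and the names MemCodes, NewMemCodes, ErrCodeNotFound and ErrCodeClaimed are this example's own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// memCode is the subset of OAuthCode this example needs (constructed for the example).
type memCode struct {
	Code      string
	ExpiresAt time.Time
	ClaimedAt *time.Time
}

var (
	// ErrCodeNotFound is returned for missing, expired and already-claimed codes alike,
	// so a caller cannot learn from the error which of the three applies.
	ErrCodeNotFound = errors.New("oauth code not found or no longer valid")
	// ErrCodeClaimed is returned by Claim when a second caller races for the same code.
	ErrCodeClaimed = errors.New("oauth code already claimed")
)

// MemCodes follows the OAuthCodes contract: Get returns only unexpired, unclaimed
// codes, and Claim marks a code so it can never be exchanged again.
type MemCodes struct {
	mu    sync.Mutex
	codes map[string]*memCode
	now   func() time.Time // injectable clock, an addition for testability
}

// NewMemCodes builds an empty store; a nil clock means time.Now.
func NewMemCodes(now func() time.Time) *MemCodes {
	if now == nil {
		now = time.Now
	}
	return &MemCodes{codes: map[string]*memCode{}, now: now}
}

// Create stores a fresh code; an existing value is never overwritten.
func (m *MemCodes) Create(ctx context.Context, code memCode) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, exists := m.codes[code.Code]; exists {
		return fmt.Errorf("code %q already exists", code.Code)
	}
	c := code
	m.codes[code.Code] = &c
	return nil
}

// Get returns the code only while it is both unexpired and unclaimed.
func (m *MemCodes) Get(ctx context.Context, code string) (memCode, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	c, ok := m.codes[code]
	if !ok || c.ClaimedAt != nil || !m.now().Before(c.ExpiresAt) {
		return memCode{}, ErrCodeNotFound
	}
	return *c, nil
}

// Claim atomically marks the code as used. Exactly one concurrent caller wins;
// the rest receive ErrCodeClaimed. Expired codes cannot be claimed at all.
func (m *MemCodes) Claim(ctx context.Context, code string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	c, ok := m.codes[code]
	if !ok || !m.now().Before(c.ExpiresAt) {
		return ErrCodeNotFound
	}
	if c.ClaimedAt != nil {
		return ErrCodeClaimed
	}
	t := m.now()
	c.ClaimedAt = &t
	return nil
}

func main() {
	ctx := context.Background()
	store := NewMemCodes(nil)
	// Constructed sample code with a ten-minute lifetime.
	_ = store.Create(ctx, memCode{Code: "sample-code", ExpiresAt: time.Now().Add(10 * time.Minute)})
	_, err := store.Get(ctx, "sample-code")
	fmt.Println("first lookup:", err)
	fmt.Println("claim:", store.Claim(ctx, "sample-code"))
	_, err = store.Get(ctx, "sample-code")
	fmt.Println("lookup after claim:", err)
	fmt.Println("second claim:", store.Claim(ctx, "sample-code"))
}
```

The token endpoint should issue tokens only after Claim has succeeded, not merely after Get has returned a row: Claim is the step that is serialised under the lock, so it is the one that guarantees a code is redeemed once even when two exchange requests arrive together.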

type OAuthToken

type OAuthToken struct {
	ClientID  uuid.UUID
	UserID    uuid.UUID
	Scope     string
	Kind      OAuthTokenKind
	Token     string
	CreatedAt time.Time
	ExpiresAt time.Time
}

OAuthToken represents a token stored within our database (either access / refresh).

type OAuthTokenKind

type OAuthTokenKind int8

OAuthTokenKind defines an enumeration of different types of supported tokens.

type OAuthTokens

type OAuthTokens interface {
	// Get retrieves the OAuthToken for the specified kind and token value. This can be used to look up either refresh
	// or access tokens that have not expired.
	Get(ctx context.Context, kind OAuthTokenKind, token string) (OAuthToken, error)

	// Create creates a new OAuthToken. If the token already exists, no value is modified and nil is returned.
	Create(ctx context.Context, token OAuthToken) error

	// RevokeRESTTokenV0 revokes a v0 rest token by setting its expires_at time to zero.
	RevokeRESTTokenV0(ctx context.Context, token string) error
}

OAuthTokens defines a set of operations that can be performed against oauth tokens.

type ProviderConfig added in v1.51.1

type ProviderConfig struct {
	NodeURL     string `json:"node_url"`
	Issuer      string `json:"issuer"`
	AuthURL     string `json:"authorization_endpoint"`
	TokenURL    string `json:"token_endpoint"`
	UserInfoURL string `json:"userinfo_endpoint"`
}

ProviderConfig defines a subset of elements used by OIDC to auto-discover endpoints.

type Service added in v1.51.1

type Service struct {
	// contains filtered or unexported fields
}

Service provides common implementations for managing clients and tokens.

architecture: Service

func NewService added in v1.51.1

func NewService(db DB) *Service

NewService constructs a service for handling various OAuth and OIDC operations.

func (*Service) ClientStore added in v1.51.1

func (s *Service) ClientStore() *ClientStore

ClientStore returns a store used to lookup oauth clients from the consent flow.

func (*Service) TokenStore added in v1.51.1

func (s *Service) TokenStore() *TokenStore

TokenStore returns a store used to manage access tokens during the consent flow.

type TokenStore added in v1.51.2

type TokenStore struct {
	// contains filtered or unexported fields
}

TokenStore provides a simple adapter for the oauth implementation.

func (*TokenStore) Create added in v1.51.2

func (t *TokenStore) Create(ctx context.Context, info oauth2.TokenInfo) (err error)

Create creates a new token with the given info.

func (*TokenStore) GetByAccess added in v1.51.2

func (t *TokenStore) GetByAccess(ctx context.Context, access string) (_ oauth2.TokenInfo, err error)

GetByAccess uses access token to find token information.

func (*TokenStore) GetByCode added in v1.51.2

func (t *TokenStore) GetByCode(ctx context.Context, code string) (_ oauth2.TokenInfo, err error)

GetByCode uses authorization code to find token information.

func (*TokenStore) GetByRefresh added in v1.51.2

func (t *TokenStore) GetByRefresh(ctx context.Context, refresh string) (_ oauth2.TokenInfo, err error)

GetByRefresh uses refresh token to find token information.

func (*TokenStore) RemoveByAccess added in v1.51.2

func (t *TokenStore) RemoveByAccess(ctx context.Context, access string) (err error)

RemoveByAccess deletes token by access token.

func (*TokenStore) RemoveByCode added in v1.51.2

func (t *TokenStore) RemoveByCode(ctx context.Context, code string) (err error)

RemoveByCode deletes token by authorization code.

func (*TokenStore) RemoveByRefresh added in v1.51.2

func (t *TokenStore) RemoveByRefresh(ctx context.Context, refresh string) (err error)

RemoveByRefresh deletes token by refresh token.

type UUIDAuthorizeGenerate added in v1.51.1

type UUIDAuthorizeGenerate struct{}

UUIDAuthorizeGenerate generates an auth code using Storj's uuid.

func (*UUIDAuthorizeGenerate) Token added in v1.51.1

func (a *UUIDAuthorizeGenerate) Token(ctx context.Context, data *oauth2.GenerateBasic) (string, error)

Token returns a new authorization code.

type UserInfo added in v1.51.1

type UserInfo struct {
	Subject       uuid.UUID `json:"sub"`
	Email         string    `json:"email"`
	EmailVerified bool      `json:"email_verified"`

	Project   string   `json:"project"`
	Buckets   []string `json:"buckets"`
	Cubbyhole string   `json:"cubbyhole"`
}

UserInfo provides a semi-standard object for common user information. The "cubbyhole" value is used to share the derived encryption key between client applications. In order to obtain it, the requesting client must decrypt the value using the key they provided when redirecting the user to login.
