Documentation
Overview
Package oidc provides all the elements needed to support OAuth and OpenID Connect workflows using Storj as an identity provider and resource server.
Index
- Constants
- type ClientStore
- type DB
- type Endpoint
- func (e *Endpoint) AuthorizeUser(w http.ResponseWriter, r *http.Request)
- func (e *Endpoint) GetClient(w http.ResponseWriter, r *http.Request)
- func (e *Endpoint) Tokens(w http.ResponseWriter, r *http.Request)
- func (e *Endpoint) UserInfo(w http.ResponseWriter, r *http.Request)
- func (e *Endpoint) WellKnownConfiguration(w http.ResponseWriter, r *http.Request)
- type GenerateService
- type MacaroonAccessGenerate
- type OAuthClient
- type OAuthClients
- type OAuthCode
- type OAuthCodes
- type OAuthToken
- type OAuthTokenKind
- type OAuthTokens
- type ProviderConfig
- type Service
- type TokenStore
- func (t *TokenStore) Create(ctx context.Context, info oauth2.TokenInfo) (err error)
- func (t *TokenStore) GetByAccess(ctx context.Context, access string) (_ oauth2.TokenInfo, err error)
- func (t *TokenStore) GetByCode(ctx context.Context, code string) (_ oauth2.TokenInfo, err error)
- func (t *TokenStore) GetByRefresh(ctx context.Context, refresh string) (_ oauth2.TokenInfo, err error)
- func (t *TokenStore) RemoveByAccess(ctx context.Context, access string) (err error)
- func (t *TokenStore) RemoveByCode(ctx context.Context, code string) (err error)
- func (t *TokenStore) RemoveByRefresh(ctx context.Context, refresh string) (err error)
- type UUIDAuthorizeGenerate
- type UserInfo
Constants
const (
	// KindUnknown is used to represent an entry for which we do not recognize the value.
	KindUnknown = 0
	// KindAccessToken represents an access token within the database.
	KindAccessToken = 1
	// KindRefreshToken represents a refresh token within the database.
	KindRefreshToken = 2
	// KindRESTTokenV0 represents a REST token within the database.
	KindRESTTokenV0 = 3
)
Variables
This section is empty.
Functions
This section is empty.
Types
type ClientStore added in v1.51.2
type ClientStore struct {
// contains filtered or unexported fields
}
ClientStore provides a simple adapter between the package's OAuthClients database and the client-store interface expected by the underlying OAuth 2.0 server library (the oauth2 package referenced by the TokenStore signatures below).
type DB
type DB interface {
	// OAuthClients returns an API for the oauthclients repository.
	OAuthClients() OAuthClients
	// OAuthCodes returns an API for the oauthcodes repository.
	OAuthCodes() OAuthCodes
	// OAuthTokens returns an API for the oauthtokens repository.
	OAuthTokens() OAuthTokens
}
DB defines a collection of resources that fall under the scope of OIDC and OAuth operations.
architecture: Database
type Endpoint added in v1.51.1
type Endpoint struct {
// contains filtered or unexported fields
}
Endpoint implements an OpenID Connect (OIDC) Identity Provider. It grants client applications access to resources in the Storj network on behalf of the end user.
architecture: Endpoint
func NewEndpoint added in v1.51.1
func NewEndpoint(
	nodeURL storj.NodeURL, externalAddress string, log *zap.Logger,
	oidcService *Service, service *console.Service,
	codeExpiry, accessTokenExpiry, refreshTokenExpiry time.Duration,
) *Endpoint
NewEndpoint constructs an OpenID identity provider.
func (*Endpoint) AuthorizeUser added in v1.51.1
func (e *Endpoint) AuthorizeUser(w http.ResponseWriter, r *http.Request)
AuthorizeUser is called from an authenticated context, granting the requesting client application access on behalf of the user. It redirects back to the client application's allowed redirect URL with the provided state and the newly issued code.
func (*Endpoint) GetClient added in v1.54.1
func (e *Endpoint) GetClient(w http.ResponseWriter, r *http.Request)
GetClient returns non-sensitive information about an OAuthClient. This information is used to initially verify client applications who are requesting information on behalf of a user.
func (*Endpoint) Tokens added in v1.51.1
func (e *Endpoint) Tokens(w http.ResponseWriter, r *http.Request)
Tokens exchanges an unexpired refresh token, or an authorization code issued by AuthorizeUser, for the associated set of tokens.
func (*Endpoint) UserInfo added in v1.51.1
func (e *Endpoint) UserInfo(w http.ResponseWriter, r *http.Request)
UserInfo uses the provided access token to look up the associated user information.
func (*Endpoint) WellKnownConfiguration added in v1.51.1
func (e *Endpoint) WellKnownConfiguration(w http.ResponseWriter, r *http.Request)
WellKnownConfiguration renders the identity provider configuration that points clients to various endpoints.
type GenerateService added in v1.51.1
type GenerateService interface {
	GetAPIKeyInfoByName(context.Context, uuid.UUID, string) (*console.APIKeyInfo, error)
	CreateAPIKey(context.Context, uuid.UUID, string) (*console.APIKeyInfo, *macaroon.APIKey, error)
	GetUser(ctx context.Context, id uuid.UUID) (u *console.User, err error)
}
GenerateService defines the minimal interface needed to generate macaroon-based API keys.
type MacaroonAccessGenerate added in v1.51.1
type MacaroonAccessGenerate struct {
Service GenerateService
}
MacaroonAccessGenerate provides an access_token and refresh_token generator using Storj's Macaroons.
func (*MacaroonAccessGenerate) Token added in v1.51.1
func (a *MacaroonAccessGenerate) Token(ctx context.Context, data *oauth2.GenerateBasic, isGenRefresh bool) (access, refresh string, err error)
Token issues access and refresh tokens that are backed by Storj's Macaroons. It expects several scopes to be set on the request. The following lists the scopes supported by the macaroon style of access token:
	project:<projectId> - required, scopes operations to a single project (exactly one)
	bucket:<name>       - optional, scopes operations to one or many buckets (repeatable)
	object:list         - optional, allows listing object data
	object:read         - optional, allows reading object data
	object:write        - optional, allows writing object data
	object:delete       - optional, allows deleting object data
In OAuth 2.0, access tokens are short-lived tokens that authorize operations to be performed on behalf of an end user. Refresh tokens are longer-lived tokens that allow a client to obtain new access tokens without sending the user back through the consent flow.
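The scope rules above are easy to get subtly wrong (a second project entry, an empty bucket name, or an object permission the server never defined should all fail the request rather than be silently ignored). The following is an added example written for this page, not Storj's own parser; the MacaroonScope type, ParseMacaroonScope function and ErrScope sentinel are hypothetical names chosen here. It accepts any scope string that follows the rules and rejects everything else.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MacaroonScope is the parsed form of the space-separated scope string that a
// macaroon-style access token is issued for. Hypothetical type for this
// example; it is not the package's own representation.
type MacaroonScope struct {
	ProjectID string
	Buckets   []string
	List      bool
	Read      bool
	Write     bool
	Delete    bool
}

// ErrScope wraps every rejection so callers can test for it with errors.Is.
var ErrScope = errors.New("invalid scope")

// ParseMacaroonScope enforces the rules listed above: exactly one
// project:<projectId>, zero or more bucket:<name>, and any subset of the four
// object:* permissions. Unknown or malformed entries fail the whole request
// instead of being dropped, so a client cannot probe for permissions the
// server does not define.
func ParseMacaroonScope(scope string) (MacaroonScope, error) {
	var out MacaroonScope
	seen := make(map[string]bool)
	for _, field := range strings.Fields(scope) {
		if seen[field] {
			continue // an exact duplicate grants nothing new; collapse it
		}
		seen[field] = true
		switch {
		case strings.HasPrefix(field, "project:"):
			id := strings.TrimPrefix(field, "project:")
			if id == "" {
				return MacaroonScope{}, fmt.Errorf("%w: empty project id", ErrScope)
			}
			if out.ProjectID != "" {
				return MacaroonScope{}, fmt.Errorf("%w: more than one project", ErrScope)
			}
			out.ProjectID = id
		case strings.HasPrefix(field, "bucket:"):
			name := strings.TrimPrefix(field, "bucket:")
			if name == "" {
				return MacaroonScope{}, fmt.Errorf("%w: empty bucket name", ErrScope)
			}
			out.Buckets = append(out.Buckets, name)
		case field == "object:list":
			out.List = true
		case field == "object:read":
			out.Read = true
		case field == "object:write":
			out.Write = true
		case field == "object:delete":
			out.Delete = true
		default:
			return MacaroonScope{}, fmt.Errorf("%w: unknown entry %q", ErrScope, field)
		}
	}
	if out.ProjectID == "" {
		return MacaroonScope{}, fmt.Errorf("%w: project:<projectId> is required", ErrScope)
	}
	return out, nil
}

func main() {
	// Constructed sample scope strings: one valid, one missing the required
	// project, one asking for a permission that does not exist.
	for _, s := range []string{
		"project:1b2c bucket:photos bucket:docs object:list object:read",
		"bucket:photos object:read",
		"project:1b2c object:admin",
	} {
		parsed, err := ParseMacaroonScope(s)
		fmt.Printf("%q -> %+v err=%v\n", s, parsed, err)
	}
}
```

Rejecting unknown entries outright is the deliberate choice here: a lenient parser that ignores what it does not recognise makes it hard to notice when a client starts sending scopes the server was never meant to honour.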
type OAuthClient
type OAuthClient struct {
	ID          uuid.UUID `json:"id"`
	Secret      []byte    `json:"secret"`
	UserID      uuid.UUID `json:"userID"`
	RedirectURL string    `json:"redirectURL"`
	AppName     string    `json:"appName"`
	AppLogoURL  string    `json:"appLogoURL"`
}
OAuthClient defines a concrete representation of an oauth client.
func (OAuthClient) GetDomain
func (o OAuthClient) GetDomain() string
GetDomain returns the allowed redirect url associated with the client.
func (OAuthClient) GetSecret
func (o OAuthClient) GetSecret() string
GetSecret returns the client's secret.
func (OAuthClient) GetUserID
func (o OAuthClient) GetUserID() string
GetUserID returns the owner's user ID.
type OAuthClients
type OAuthClients interface {
	// Get returns the OAuthClient associated with the provided id.
	Get(ctx context.Context, id uuid.UUID) (OAuthClient, error)
	// Create creates a new OAuthClient.
	Create(ctx context.Context, client OAuthClient) error
	// Update modifies information for the provided OAuthClient.
	Update(ctx context.Context, client OAuthClient) error
	// Delete deletes the identified client from the database.
	Delete(ctx context.Context, id uuid.UUID) error
}
OAuthClients defines an interface for creating, updating, and obtaining information about oauth clients known to our system.
type OAuthCode
type OAuthCode struct {
	ClientID        uuid.UUID
	UserID          uuid.UUID
	Scope           string
	RedirectURL     string
	Challenge       string
	ChallengeMethod string
	Code            string
	CreatedAt       time.Time
	ExpiresAt       time.Time
	ClaimedAt       *time.Time
}
OAuthCode represents a code stored within our database.
type OAuthCodes
type OAuthCodes interface {
	// Get retrieves the OAuthCode for the specified code. Implementations should only return unexpired, unclaimed
	// codes. Once a code has been claimed, it should be marked as such to prevent future calls from exchanging the
	// value for an access token.
	Get(ctx context.Context, code string) (OAuthCode, error)
	// Create creates a new OAuthCode.
	Create(ctx context.Context, code OAuthCode) error
	// Claim marks that the provided code has been claimed and should not be issued to another caller.
	Claim(ctx context.Context, code string) error
}
OAuthCodes defines a set of operations allowed to be performed against oauth codes.
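The contract above (return only unexpired, unclaimed codes; mark a code claimed so it cannot be exchanged twice) is what stops authorization-code replay, and the Challenge and ChallengeMethod fields on OAuthCode are what let the token endpoint verify a PKCE code_verifier. The following added example, written for this page and not taken from Storj, shows an in-memory store that performs the lookup and the claim under a single lock and then runs the RFC 7636 S256 check at exchange time. AuthCode, MemCodes, Exchange, S256Challenge and the error values are hypothetical names chosen here; AuthCode keeps only the OAuthCode fields the exchange needs, with string client IDs instead of uuid.UUID so the example has no external dependencies.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// AuthCode carries the subset of OAuthCode fields the exchange needs
// (hypothetical reduced copy for this example).
type AuthCode struct {
	ClientID        string
	Code            string
	Challenge       string
	ChallengeMethod string
	ExpiresAt       time.Time
	ClaimedAt       *time.Time
}

var (
	ErrCodeUnusable = errors.New("code unknown, expired, or already claimed")
	ErrWrongClient  = errors.New("code was issued to a different client")
	ErrPKCE         = errors.New("pkce verification failed")
)

// MemCodes is an in-memory stand-in for the OAuthCodes contract. The lookup
// and the claim happen under one lock, so two concurrent token requests that
// present the same code cannot both succeed.
type MemCodes struct {
	mu    sync.Mutex
	codes map[string]*AuthCode
	now   func() time.Time // injectable clock so expiry is testable
}

func NewMemCodes(now func() time.Time) *MemCodes {
	return &MemCodes{codes: make(map[string]*AuthCode), now: now}
}

// Create stores a code. Re-creating an existing code is refused so a later
// insert cannot reset a claimed code back to unclaimed.
func (m *MemCodes) Create(c AuthCode) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, dup := m.codes[c.Code]; dup {
		return fmt.Errorf("code %q already exists", c.Code)
	}
	m.codes[c.Code] = &c
	return nil
}

// claim returns the code only if it is known, unexpired and unclaimed, and
// marks it claimed before releasing the lock.
func (m *MemCodes) claim(code string) (AuthCode, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	c, ok := m.codes[code]
	now := m.now()
	if !ok || c.ClaimedAt != nil || !now.Before(c.ExpiresAt) {
		return AuthCode{}, ErrCodeUnusable
	}
	c.ClaimedAt = &now
	return *c, nil
}

// S256Challenge derives the RFC 7636 code_challenge for a code_verifier:
// base64url(SHA-256(verifier)) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// pkceOK verifies the verifier against the challenge stored with the code.
// Only S256 is accepted: the "plain" method sends the verifier itself in the
// authorization request, so it is treated as a failure here.
func pkceOK(c AuthCode, verifier string) bool {
	if c.Challenge == "" {
		return true // client did not start the flow with PKCE
	}
	if c.ChallengeMethod != "S256" {
		return false
	}
	got := []byte(S256Challenge(verifier))
	return subtle.ConstantTimeCompare(got, []byte(c.Challenge)) == 1
}

// Exchange is what a token endpoint does with an authorization-code grant:
// claim the code atomically, confirm the caller is the client it was issued
// to, then verify PKCE. A failed client or PKCE check still consumes the
// code; a code that has been presented once with bad credentials never works.
func (m *MemCodes) Exchange(clientID, code, verifier string) (AuthCode, error) {
	c, err := m.claim(code)
	if err != nil {
		return AuthCode{}, err
	}
	if c.ClientID != clientID {
		return AuthCode{}, ErrWrongClient
	}
	if !pkceOK(c, verifier) {
		return AuthCode{}, ErrPKCE
	}
	return c, nil
}

func main() {
	store := NewMemCodes(time.Now)
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 appendix B value
	_ = store.Create(AuthCode{ClientID: "app", Code: "c1", Challenge: S256Challenge(verifier),
		ChallengeMethod: "S256", ExpiresAt: time.Now().Add(10 * time.Minute)})
	_, err := store.Exchange("app", "c1", verifier)
	fmt.Println("first exchange:", err)
	_, err = store.Exchange("app", "c1", verifier)
	fmt.Println("replay:", err)
}
```

Consuming the code before the PKCE and client checks, rather than after, is the conservative ordering: once anyone has presented a code to the token endpoint it has been observed, and letting the legitimate client retry it afterwards only helps an attacker who guessed the verifier wrong the first time.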
type OAuthToken
type OAuthToken struct {
	ClientID  uuid.UUID
	UserID    uuid.UUID
	Scope     string
	Kind      OAuthTokenKind
	Token     string
	CreatedAt time.Time
	ExpiresAt time.Time
}
OAuthToken represents a token stored within our database (either access / refresh).
type OAuthTokenKind
type OAuthTokenKind int8
OAuthTokenKind defines an enumeration of different types of supported tokens.
type OAuthTokens
type OAuthTokens interface {
	// Get retrieves the OAuthToken for the specified kind and token value. This can be used to look up either refresh
	// or access tokens that have not expired.
	Get(ctx context.Context, kind OAuthTokenKind, token string) (OAuthToken, error)
	// Create creates a new OAuthToken. If the token already exists, no value is modified and nil is returned.
	Create(ctx context.Context, token OAuthToken) error
	// RevokeRESTTokenV0 revokes a v0 rest token by setting its expires_at time to zero.
	RevokeRESTTokenV0(ctx context.Context, token string) error
}
OAuthTokens defines a set of operations that can be performed against oauth tokens.
type ProviderConfig added in v1.51.1
type ProviderConfig struct {
	NodeURL     string `json:"node_url"`
	Issuer      string `json:"issuer"`
	AuthURL     string `json:"authorization_endpoint"`
	TokenURL    string `json:"token_endpoint"`
	UserInfoURL string `json:"userinfo_endpoint"`
}
ProviderConfig defines a subset of elements used by OIDC to auto-discover endpoints.
type Service added in v1.51.1
type Service struct {
// contains filtered or unexported fields
}
Service provides common implementations for managing clients and tokens.
architecture: Service
func NewService added in v1.51.1
NewService constructs a service for handling various OAuth and OIDC operations.
func (*Service) ClientStore added in v1.51.1
func (s *Service) ClientStore() *ClientStore
ClientStore returns a store used to lookup oauth clients from the consent flow.
func (*Service) TokenStore added in v1.51.1
func (s *Service) TokenStore() *TokenStore
TokenStore returns a store used to manage access tokens during the consent flow.
type TokenStore added in v1.51.2
type TokenStore struct {
// contains filtered or unexported fields
}
TokenStore provides a simple adapter between the package's OAuthCodes and OAuthTokens databases and the token-store interface expected by the underlying OAuth 2.0 server library (the oauth2 package in the signatures below).
func (*TokenStore) Create added in v1.51.2
func (t *TokenStore) Create(ctx context.Context, info oauth2.TokenInfo) (err error)
Create creates a new token with the given info.
func (*TokenStore) GetByAccess added in v1.51.2
func (t *TokenStore) GetByAccess(ctx context.Context, access string) (_ oauth2.TokenInfo, err error)
GetByAccess uses access token to find token information.
func (*TokenStore) GetByCode added in v1.51.2
func (t *TokenStore) GetByCode(ctx context.Context, code string) (_ oauth2.TokenInfo, err error)
GetByCode uses authorization code to find token information.
func (*TokenStore) GetByRefresh added in v1.51.2
func (t *TokenStore) GetByRefresh(ctx context.Context, refresh string) (_ oauth2.TokenInfo, err error)
GetByRefresh uses refresh token to find token information.
func (*TokenStore) RemoveByAccess added in v1.51.2
func (t *TokenStore) RemoveByAccess(ctx context.Context, access string) (err error)
RemoveByAccess deletes token by access token.
func (*TokenStore) RemoveByCode added in v1.51.2
func (t *TokenStore) RemoveByCode(ctx context.Context, code string) (err error)
RemoveByCode deletes token by authorization code.
func (*TokenStore) RemoveByRefresh added in v1.51.2
func (t *TokenStore) RemoveByRefresh(ctx context.Context, refresh string) (err error)
RemoveByRefresh deletes token by refresh token.
type UUIDAuthorizeGenerate added in v1.51.1
type UUIDAuthorizeGenerate struct{}
UUIDAuthorizeGenerate generates an auth code using Storj's uuid.
type UserInfo added in v1.51.1
type UserInfo struct {
	Subject       uuid.UUID `json:"sub"`
	Email         string    `json:"email"`
	EmailVerified bool      `json:"email_verified"`
	Project       string    `json:"project"`
	Buckets       []string  `json:"buckets"`
	Cubbyhole     string    `json:"cubbyhole"`
}
UserInfo provides a semi-standard object for common user information. The "cubbyhole" value is used to share the derived encryption key between client applications. In order to obtain it, the requesting client must decrypt the value using the key they provided when redirecting the user to login.