auth

package
v0.1.101 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 2, 2026 License: Apache-2.0 Imports: 12 Imported by: 2

Documentation

Overview

Package auth provides gRPC credential helpers for authenticating Chainguard API requests using OIDC tokens, file-based tokens, or tokens stored in context values.

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func ExtractEmail added in v0.1.16

func ExtractEmail(token string) (email string, verified bool, err error)

func ExtractExpiry

func ExtractExpiry(token string) (time.Time, error)

func ExtractIssuer

func ExtractIssuer(token string) (string, error)

func ExtractIssuerAndSubject

func ExtractIssuerAndSubject(token string) (string, string, error)

func ExtractRefreshExpiry added in v0.1.20

func ExtractRefreshExpiry(token string) (time.Time, error)

func GetToken

func GetToken(ctx context.Context) string

GetToken fetches the token from the context.

Example

ExampleGetToken demonstrates retrieving a token from a context that has none.

package main

import (
	"context"
	"fmt"

	"chainguard.dev/sdk/auth"
)

func main() {
	ctx := context.Background()
	fmt.Println(auth.GetToken(ctx) == "")
}
Output:
true

func NewChainctlTokenSource added in v0.1.33

func NewChainctlTokenSource(ctx context.Context, opts ...Option) oauth2.TokenSource

func NewFromContext

func NewFromContext(_ context.Context, requireTransportSecurity bool) credentials.PerRPCCredentials

NewFromContext creates a new credentials.PerRPCCredentials based on a token stored in context. This allows callers to provide a token for each RPC.

func NewFromFile

func NewFromFile(ctx context.Context, path string, requireTransportSecurity bool) credentials.PerRPCCredentials

NewFromFile attempts to create a new credentials.PerRPCCredentials based on the provided file. Returns nil if not found.

Example

ExampleNewFromFile demonstrates creating credentials from a token file path.

package main

import (
	"context"
	"fmt"

	"chainguard.dev/sdk/auth"
)

func main() {
	ctx := context.Background()
	// Returns nil when the file does not exist.
	cred := auth.NewFromFile(ctx, "/nonexistent/token", false)
	fmt.Println(cred == nil)
}
Output:
true

func NewFromToken

func NewFromToken(_ context.Context, token string, requireTransportSecurity bool) credentials.PerRPCCredentials

NewFromToken attempts to create a new credentials.PerRPCCredentials based on provided OIDC token.

func NormalizeIssuer

func NormalizeIssuer(issuer string) string

NormalizeIssuer massages an issuer string into a canonical form, such as attaching a scheme when certain "special" vendors omit them.

func WithToken

func WithToken(ctx context.Context, authz string) context.Context

WithToken associates the token with the returned context.

Types

type Actor

type Actor struct {
	Audience string `json:"aud"`
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
}

func ExtractActor

func ExtractActor(token string) (*Actor, error)

type Option added in v0.1.33

type Option func(*options)

func WithAudience added in v0.1.33

func WithAudience(aud string) Option

func WithIssuer added in v0.1.33

func WithIssuer(iss string) Option

Directories

Path Synopsis
Package aws provides utilities for generating and verifying Chainguard tokens backed by AWS identity credentials via the AWS STS GetCallerIdentity API.
Package aws provides utilities for generating and verifying Chainguard tokens backed by AWS identity credentials via the AWS STS GetCallerIdentity API.
Package deviceflow implements the OAuth 2.0 Device Authorization Grant (RFC 8628) for obtaining OIDC identity tokens in headless or constrained-input environments.
Package deviceflow implements the OAuth 2.0 Device Authorization Grant (RFC 8628) for obtaining OIDC identity tokens in headless or constrained-input environments.
Package ggcr provides authentication integration between Chainguard identity tokens and the go-containerregistry library for accessing the cgr.dev container registry.
Package ggcr provides authentication integration between Chainguard identity tokens and the go-containerregistry library for accessing the cgr.dev container registry.
Package headless provides ECDH-based encryption utilities for the Chainguard headless login flow, enabling secure delivery of OIDC identity tokens to CLI clients without a browser redirect.
Package headless provides ECDH-based encryption utilities for the Chainguard headless login flow, enabling secure delivery of OIDC identity tokens to CLI clients without a browser redirect.
Package login implements browser-based and headless OIDC login flows for Chainguard clients, returning access and refresh tokens.
Package login implements browser-based and headless OIDC login flows for Chainguard clients, returning access and refresh tokens.
Package token manages the on-disk cache of Chainguard OIDC access and refresh tokens, organized by audience and optional alias.
Package token manages the on-disk cache of Chainguard OIDC access and refresh tokens, organized by audience and optional alias.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL