Documentation
¶
Overview ¶
Package auth provides gRPC credential helpers for authenticating Chainguard API requests using OIDC tokens, file-based tokens, or tokens stored in context values.
Index ¶
- func ExtractEmail(token string) (email string, verified bool, err error)
- func ExtractExpiry(token string) (time.Time, error)
- func ExtractIssuer(token string) (string, error)
- func ExtractIssuerAndSubject(token string) (string, string, error)
- func ExtractRefreshExpiry(token string) (time.Time, error)
- func GetToken(ctx context.Context) string
- func NewChainctlTokenSource(ctx context.Context, opts ...Option) oauth2.TokenSource
- func NewFromContext(_ context.Context, requireTransportSecurity bool) credentials.PerRPCCredentials
- func NewFromFile(ctx context.Context, path string, requireTransportSecurity bool) credentials.PerRPCCredentials
- func NewFromToken(_ context.Context, token string, requireTransportSecurity bool) credentials.PerRPCCredentials
- func NormalizeIssuer(issuer string) string
- func WithToken(ctx context.Context, authz string) context.Context
- type Actor
- type Option
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ExtractEmail ¶ added in v0.1.16
func ExtractIssuer ¶
func ExtractRefreshExpiry ¶ added in v0.1.20
func GetToken ¶
GetToken fetches the token from the context.
Example ¶
ExampleGetToken demonstrates retrieving a token from a context that has none.
package main
import (
"context"
"fmt"
"chainguard.dev/sdk/auth"
)
func main() {
ctx := context.Background()
fmt.Println(auth.GetToken(ctx) == "")
}
Output: true
func NewChainctlTokenSource ¶ added in v0.1.33
func NewChainctlTokenSource(ctx context.Context, opts ...Option) oauth2.TokenSource
func NewFromContext ¶
func NewFromContext(_ context.Context, requireTransportSecurity bool) credentials.PerRPCCredentials
NewFromContext creates a new credentials.PerRPCCredentials based on a token stored in context. This allows callers to provide a token for each RPC.
func NewFromFile ¶
func NewFromFile(ctx context.Context, path string, requireTransportSecurity bool) credentials.PerRPCCredentials
NewFromFile attempts to create a new credentials.PerRPCCredentials based on the provided file. Returns nil if not found.
Example ¶
ExampleNewFromFile demonstrates creating credentials from a token file path.
package main
import (
"context"
"fmt"
"chainguard.dev/sdk/auth"
)
func main() {
ctx := context.Background()
// Returns nil when the file does not exist.
cred := auth.NewFromFile(ctx, "/nonexistent/token", false)
fmt.Println(cred == nil)
}
Output: true
func NewFromToken ¶
func NewFromToken(_ context.Context, token string, requireTransportSecurity bool) credentials.PerRPCCredentials
NewFromToken attempts to create a new credentials.PerRPCCredentials based on provided OIDC token.
func NormalizeIssuer ¶
NormalizeIssuer massages an issuer string into a canonical form, such as attaching a scheme when certain "special" vendors omit them.
Types ¶
type Actor ¶
type Actor struct {
Audience string `json:"aud"`
Issuer string `json:"iss"`
Subject string `json:"sub"`
}
func ExtractActor ¶
type Option ¶ added in v0.1.33
type Option func(*options)
func WithAudience ¶ added in v0.1.33
func WithIssuer ¶ added in v0.1.33
Directories
¶
| Path | Synopsis |
|---|---|
|
Package aws provides utilities for generating and verifying Chainguard tokens backed by AWS identity credentials via the AWS STS GetCallerIdentity API.
|
Package aws provides utilities for generating and verifying Chainguard tokens backed by AWS identity credentials via the AWS STS GetCallerIdentity API. |
|
Package deviceflow implements the OAuth 2.0 Device Authorization Grant (RFC 8628) for obtaining OIDC identity tokens in headless or constrained-input environments.
|
Package deviceflow implements the OAuth 2.0 Device Authorization Grant (RFC 8628) for obtaining OIDC identity tokens in headless or constrained-input environments. |
|
Package ggcr provides authentication integration between Chainguard identity tokens and the go-containerregistry library for accessing the cgr.dev container registry.
|
Package ggcr provides authentication integration between Chainguard identity tokens and the go-containerregistry library for accessing the cgr.dev container registry. |
|
Package headless provides ECDH-based encryption utilities for the Chainguard headless login flow, enabling secure delivery of OIDC identity tokens to CLI clients without a browser redirect.
|
Package headless provides ECDH-based encryption utilities for the Chainguard headless login flow, enabling secure delivery of OIDC identity tokens to CLI clients without a browser redirect. |
|
Package login implements browser-based and headless OIDC login flows for Chainguard clients, returning access and refresh tokens.
|
Package login implements browser-based and headless OIDC login flows for Chainguard clients, returning access and refresh tokens. |
|
Package token manages the on-disk cache of Chainguard OIDC access and refresh tokens, organized by audience and optional alias.
|
Package token manages the on-disk cache of Chainguard OIDC access and refresh tokens, organized by audience and optional alias. |