Documentation
¶
Index ¶
- Constants
- func WithAuthServerMetadata(metadata *AuthorizationServerMetadata) func(*providerOptions)
- type AuthClient
- type AuthClientOption
- func WithClientSecretBasicAuth(clientID, clientSecret, scope string) AuthClientOption
- func WithClientSecretJwtAuth(clientID, clientSecret, scope, issuer, aud, signingMethod string) AuthClientOption
- func WithClientSecretPostAuth(clientID, clientSecret, scope string) AuthClientOption
- func WithKeyPairAuth(clientID, issuer, audience string, privKey *rsa.PrivateKey, publicKey []byte, ...) AuthClientOption
- func WithQueryParams(queryParams map[string]string) AuthClientOption
- func WithRequestHeaders(hdr map[string]string) AuthClientOption
- func WithServerName(serverName string) AuthClientOption
- func WithTLSClientAuth(clientID, scope string) AuthClientOption
- type AuthorizationServerMetadata
- type ClientBuilder
- type ClientMetadata
- type ConfigOption
- type IDPClient
- type IDPEngageLifecycle
- type IdPRegistry
- type IdpRegistryOption
- type KeyReader
- type LifecycleOption
- type MTLSEndPointAlias
- type MockIDPServer
- type Provider
- type ProviderRegistry
- type ProviderType
- type Scopes
- type Time
Constants ¶
View Source
const ( TypeGeneric = "generic" TypeOkta = "okta" TypeKeycloak = "keycloak" )
Provider type string const
View Source
const ( GrantTypeAuthorizationCode = "authorization_code" GrantTypeImplicit = "implicit" GrantTypeClientCredentials = "client_credentials" GrantTypeRefreshToken = "refresh_token" GrantTypeSaml2Bearer = "urn:ietf:params:oauth:grant-type:saml2-bearer" GrantTypePassword = "password" GrantTypeIntegratedWindowsAuth = "iwa:ntlm" // NTLM GrantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer" AuthResponseToken = "token" AuthResponseCode = "code" TLSClientAuthSubjectDN = "tls_client_auth_subject_dn" TLSClientAuthSanDNS = "tls_client_auth_san_dns" TLSClientAuthSanEmail = "tls_client_auth_san_email" TLSClientAuthSanIP = "tls_client_auth_san_ip" TLSClientAuthSanURI = "tls_client_auth_san_uri" )
View Source
const ( SigningMethodRS256 = "RS256" SigningMethodRS384 = "RS384" SigningMethodRS512 = "RS512" SigningMethodES256 = "ES256" SigningMethodES384 = "ES384" SigningMethodES512 = "ES512" SigningMethodPS256 = "PS256" SigningMethodPS384 = "PS384" SigningMethodPS512 = "PS512" SigningMethodHS256 = "HS256" SigningMethodHS384 = "HS384" SigningMethodHS512 = "HS512" )
Variables ¶
This section is empty.
Functions ¶
func WithAuthServerMetadata ¶ added in v1.1.91
func WithAuthServerMetadata(metadata *AuthorizationServerMetadata) func(*providerOptions)
Types ¶
type AuthClient ¶
type AuthClient interface {
GetToken() (string, error)
FetchToken(useCachedToken bool) (string, error)
}
AuthClient - Interface representing the auth Client
func NewAuthClient ¶
func NewAuthClient(tokenURL string, apiClient api.Client, opts ...AuthClientOption) (AuthClient, error)
NewAuthClient - create a new auth client with client options
type AuthClientOption ¶
type AuthClientOption func(*authClientOptions)
AuthClientOption - configures auth client.
func WithClientSecretBasicAuth ¶ added in v1.1.61
func WithClientSecretBasicAuth(clientID, clientSecret, scope string) AuthClientOption
WithClientSecretBasicAuth - sets up to use client secret basic authenticator
func WithClientSecretJwtAuth ¶ added in v1.1.61
func WithClientSecretJwtAuth(clientID, clientSecret, scope, issuer, aud, signingMethod string) AuthClientOption
WithClientSecretJwtAuth - sets up to use client secret authenticator
func WithClientSecretPostAuth ¶ added in v1.1.61
func WithClientSecretPostAuth(clientID, clientSecret, scope string) AuthClientOption
WithClientSecretPostAuth - sets up to use client secret authenticator
func WithKeyPairAuth ¶
func WithKeyPairAuth(clientID, issuer, audience string, privKey *rsa.PrivateKey, publicKey []byte, scope, signingMethod string) AuthClientOption
WithKeyPairAuth - sets up to use public/private key pair authenticator
func WithQueryParams ¶ added in v1.1.86
func WithQueryParams(queryParams map[string]string) AuthClientOption
WithQueryParams - sets up the additional query params in auth client
func WithRequestHeaders ¶ added in v1.1.86
func WithRequestHeaders(hdr map[string]string) AuthClientOption
WithRequestHeaders - sets up the additional request headers in auth client
func WithServerName ¶
func WithServerName(serverName string) AuthClientOption
WithServerName - sets up the server name in auth client
func WithTLSClientAuth ¶ added in v1.1.61
func WithTLSClientAuth(clientID, scope string) AuthClientOption
WithTLSClientAuth - sets up to use tls_client_auth and self_signed_tls_client_auth authenticator
type AuthorizationServerMetadata ¶
type AuthorizationServerMetadata struct {
Issuer string `json:"issuer,omitempty"`
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`
PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
SubjectTypeSupported []string `json:"subject_types_supported,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
TokenEndpointAuthMethodSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
ClaimsSupported []string `json:"claims_supported,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
MTLSEndPointAlias *MTLSEndPointAlias `json:"mtls_endpoint_aliases,omitempty"`
}
AuthorizationServerMetadata - OAuth metadata from IdP
func FetchMetadata ¶ added in v1.1.100
func FetchMetadata(apiClient coreapi.Client, metadataURL string) (*AuthorizationServerMetadata, error)
type ClientBuilder ¶
type ClientBuilder interface {
SetClientName(string) ClientBuilder
SetScopes([]string) ClientBuilder
SetGrantTypes([]string) ClientBuilder
SetResponseType([]string) ClientBuilder
SetTokenEndpointAuthMethod(tokenAuthMethod string) ClientBuilder
SetRedirectURIs([]string) ClientBuilder
SetLogoURI(string) ClientBuilder
SetJWKSURI(string) ClientBuilder
SetJWKS([]byte) ClientBuilder
SetCertificateMetadata(certificateMetaddata string) ClientBuilder
SetTLSClientAuthSanDNS(tlsClientAuthSanDNS string) ClientBuilder
SetTLSClientAuthSanEmail(tlsClientAuthSanEmail string) ClientBuilder
SetTLSClientAuthSanIP(tlsClientAuthSanIP string) ClientBuilder
SetTLSClientAuthSanURI(tlsClientAuthSanURI string) ClientBuilder
SetExtraProperties(map[string]interface{}) ClientBuilder
Build() (ClientMetadata, error)
}
ClientBuilder - Builder for IdP client representation
func NewClientMetadataBuilder ¶
func NewClientMetadataBuilder() ClientBuilder
NewClientMetadataBuilder - create a new instance of builder to construct client metadata
type ClientMetadata ¶
type ClientMetadata interface {
GetClientName() string
GetClientID() string
GetClientSecret() string
GetClientIDIssuedAt() *time.Time
GetClientSecretExpiresAt() *time.Time
GetScopes() []string
GetGrantTypes() []string
GetTokenEndpointAuthMethod() string
GetResponseTypes() []string
GetClientURI() string
GetRedirectURIs() []string
GetLogoURI() string
GetJwksURI() string
GetJwks() map[string]interface{}
GetExtraProperties() map[string]interface{}
GetTLSClientAuthSanDNS() string
GetTLSClientAuthSanEmail() string
GetTLSClientAuthSanIP() string
GetTLSClientAuthSanURI() string
GetRegistrationAccessToken() string
GetRegistrationClientURI() string
}
ClientMetadata - Interface for IdP client metadata representation
type ConfigOption ¶ added in v1.1.91
type IDPClient ¶ added in v1.1.142
type IDPClient interface {
GetAPIV1ResourceInstances(query map[string]string, URL string) ([]*apiv1.ResourceInstance, error)
CreateOrUpdateResource(ri apiv1.Interface) (*apiv1.ResourceInstance, error)
CreateSubResource(rm apiv1.ResourceMeta, subs map[string]interface{}) error
}
IDPClient is the subset of apic.Client used by the IdP lifecycle manager, defined here to avoid a circular import with pkg/apic.
type IDPEngageLifecycle ¶ added in v1.1.142
type IDPEngageLifecycle interface {
// CreateEngageResourcesFromMetadata creates or reuses IdentityProvider and IdentityProviderMetadata
// resources in Engage using pre-resolved metadata — no Provider or outbound HTTP fetch required.
// Returns the Engage IdentityProvider resource name.
CreateEngageResourcesFromMetadata(idpLogger log.FieldLogger, idpCfg corecfg.IDPConfig, idpType, idpName string, metadata *AuthorizationServerMetadata, baseURL string, envPolicies management.EnvironmentPoliciesCredentials) (string, error)
}
IDPEngageLifecycle manages IdentityProvider and IdentityProviderMetadata resources in Engage.
func NewIDPEngageLifecycle ¶ added in v1.1.142
func NewIDPEngageLifecycle(client IDPClient, cache idpCache, opts ...LifecycleOption) IDPEngageLifecycle
NewIDPEngageLifecycle returns an IDPEngageLifecycle backed by the given Engage client.
type IdPRegistry ¶ added in v1.1.91
type IdPRegistry interface {
// RegisterProvider - registers the provider using the config
RegisterProvider(ctx context.Context, idp corecfg.IDPConfig, tlsCfg corecfg.TLSConfig, proxyURL string, clientTimeout time.Duration) error
// RegisterProviderWithMetadata - registers the provider using agent-supplied metadata, no outbound HTTP fetch
RegisterProviderWithMetadata(ctx context.Context, idp corecfg.IDPConfig, metadata *AuthorizationServerMetadata, tlsCfg corecfg.TLSConfig, proxyURL string, clientTimeout time.Duration) error
// UnregisterProvider - un-registers the provider
UnregisterProvider(ctx context.Context, provider Provider) error
// GetProviderByName - returns the provider from registry based on the name
GetProviderByName(ctx context.Context, name string, opts ...ConfigOption) (Provider, error)
// GetProviderByIssuer - returns the provider from registry based on the IDP issuer
GetProviderByIssuer(ctx context.Context, issuer string, opts ...ConfigOption) (Provider, error)
// GetProviderByTokenEndpoint - returns the provider from registry based on the IDP token endpoint
GetProviderByTokenEndpoint(ctx context.Context, tokenEndpoint string, opts ...ConfigOption) (Provider, error)
// GetProviderByAuthorizationEndpoint - returns the provider from registry based on the IDP authorization endpoint
GetProviderByAuthorizationEndpoint(ctx context.Context, authEndpoint string, opts ...ConfigOption) (Provider, error)
// GetProviderByMetadataURL - returns the provider from registry based on the IDP metadata URL
GetProviderByMetadataURL(ctx context.Context, metadataURL string, opts ...ConfigOption) (Provider, error)
// GetIDPResourceName - returns the Engage IdentityProvider resource name for a given metadata URL
GetIDPResourceName(metadataURL string) (string, bool)
}
func NewIdpRegistry ¶ added in v1.1.91
func NewIdpRegistry(opts ...IdpRegistryOption) IdPRegistry
NewProviderRegistry - create a new provider registry
type IdpRegistryOption ¶ added in v1.1.91
type IdpRegistryOption func(r *idpRegistry)
func WithProviderRegistry ¶ added in v1.1.91
func WithProviderRegistry(providerRegistry ProviderRegistry) IdpRegistryOption
type KeyReader ¶ added in v1.1.61
type KeyReader interface {
GetPrivateKey() (*rsa.PrivateKey, error)
GetPublicKey() ([]byte, error)
}
func NewKeyReader ¶ added in v1.1.61
type LifecycleOption ¶ added in v1.1.142
type LifecycleOption func(*idpEngageLifecycle)
LifecycleOption configures an idpEngageLifecycle.
type MTLSEndPointAlias ¶ added in v1.1.61
type MockIDPServer ¶
type MockIDPServer interface {
GetMetadataURL() string
GetIssuer() string
GetTokenURL() string
GetAuthEndpoint() string
GetRegistrationEndpoint() string
GetUnregisterEndpoint() string
SetMetadataResponseCode(statusCode int)
SetTokenResponse(accessToken string, expiry time.Duration, statusCode int)
SetRegistrationResponseCode(statusCode int)
SetUseRegistrationAccessToken(useRegistrationAccessToken bool)
SetClientID(clientID string)
GetTokenRequestHeaders() http.Header
GetTokenQueryParams() url.Values
GetTokenRequestValues() url.Values
GetRequestHeaders() http.Header
GetQueryParams() url.Values
Close()
}
MockIDPServer - interface for mock IDP server
func NewMockIDPServer ¶
func NewMockIDPServer() MockIDPServer
NewMockIDPServer - creates a new mock IDP server for tests
type Provider ¶
type Provider interface {
GetName() string
GetTitle() string
GetIssuer() string
GetTokenEndpoint() string
GetMTLSTokenEndpoint() string
GetAuthorizationEndpoint() string
GetSupportedScopes() []string
GetSupportedGrantTypes() []string
GetSupportedTokenAuthMethods() []string
GetSupportedResponseMethod() []string
RegisterClient(clientMetadata ClientMetadata) (ClientMetadata, error)
UnregisterClient(clientID, accessToken, registrationClientURI string) error
Validate() error
GetConfig() corecfg.IDPConfig
GetMetadata() *AuthorizationServerMetadata
GetIDPResourceName() string
}
Provider - interface for external IdP provider
type ProviderRegistry ¶
type ProviderRegistry interface {
// RegisterProvider - registers the provider using the config
RegisterProvider(idp corecfg.IDPConfig, tlsCfg corecfg.TLSConfig, proxyURL string, clientTimeout time.Duration) error
// RegisterProviderWithMetadata - registers the provider using agent-supplied metadata, bypassing outbound HTTP fetch
RegisterProviderWithMetadata(idp corecfg.IDPConfig, metadata *AuthorizationServerMetadata, tlsCfg corecfg.TLSConfig, proxyURL string, clientTimeout time.Duration) error
// GetProviderByName - returns the provider from registry based on the name
GetProviderByName(name string) (Provider, error)
// GetProviderByIssuer - returns the provider from registry based on the IDP issuer
GetProviderByIssuer(issuer string) (Provider, error)
// GetProviderByTokenEndpoint - returns the provider from registry based on the IDP token endpoint
GetProviderByTokenEndpoint(tokenEndpoint string) (Provider, error)
// GetProviderByAuthorizationEndpoint - returns the provider from registry based on the IDP authorization endpoint
GetProviderByAuthorizationEndpoint(authEndpoint string) (Provider, error)
// GetProviderByMetadataURL - returns the provider from registry based on the IDP metadata URL
GetProviderByMetadataURL(metadataURL string) (Provider, error)
// SetIDPResourceName - stores the Engage IdentityProvider resource name for a given metadata URL
SetIDPResourceName(metadataURL, resourceName string)
// GetIDPResourceName - returns the Engage IdentityProvider resource name for a given metadata URL
GetIDPResourceName(metadataURL string) (string, bool)
}
ProviderRegistry - interface for provider registry
func NewProviderRegistry ¶
func NewProviderRegistry() ProviderRegistry
NewProviderRegistry - create a new provider registry
type ProviderType ¶
type ProviderType int
ProviderType - type of provider
const ( Generic ProviderType = iota + 1 Okta KeyCloak )
Provider types
type Scopes ¶
type Scopes []string
Scopes - type for serializing scopes in client representation
func (*Scopes) MarshalJSON ¶
MarshalJSON - serializes the scopes in array as space separated string
func (*Scopes) UnmarshalJSON ¶
UnmarshalJSON - deserializes the scopes from space separated string to array
Source Files
¶
- authclient.go
- authservermetadata.go
- clientmetadata.go
- clientmetadatabuilder.go
- clientsecretbasicauthenticator.go
- clientsecretjwtauthenticator.go
- clientsecretpostauthenticator.go
- constants.go
- genericprovider.go
- idplifecycle.go
- idpregistry.go
- keypairauthenticator.go
- keyreader.go
- mockidpserver.go
- oktaprovider.go
- provider.go
- providerregistry.go
- scopes.go
- tlsclientauthenticator.go
Directories
Click to show internal directories.
Click to hide internal directories.