Documentation
Index
- func AcquirePoPTokenByUsernamePassword(ctx context.Context, popClaims map[string]string, scopes []string, ...) (string, int64, error)
- func AcquirePoPTokenConfidential(ctx context.Context, popClaims map[string]string, scopes []string, ...) (string, int64, error)
- func AcquirePoPTokenInteractive(ctx context.Context, popClaims map[string]string, scopes []string, ...) (string, int64, error)
- func NewConfidentialClient(cred confidential.Credential, msalOptions *MsalClientOptions, ...) (confidential.Client, error)
- func NewPublicClient(msalOptions *MsalClientOptions, options ...PublicClientOption) (public.Client, error)
- type ConfidentialClientOption
- type ConfidentialClientOptions
- type MsalClientOptions
- type PoPAuthenticationScheme
- func (as *PoPAuthenticationScheme) AccessTokenType() string
- func (as *PoPAuthenticationScheme) FormatAccessToken(accessToken string) (string, error)
- func (as *PoPAuthenticationScheme) FormatAccessTokenWithOptions(accessToken, nonce string, timestamp int64) (string, error)
- func (as *PoPAuthenticationScheme) KeyID() string
- func (as *PoPAuthenticationScheme) TokenRequestParams() map[string]string
- type PoPKey
- type PublicClientOption
- type PublicClientOptions
- type SwKey
Constants
This section is empty.
Variables
This section is empty.
Functions
func AcquirePoPTokenByUsernamePassword added in v0.1.1
func AcquirePoPTokenByUsernamePassword(
	ctx context.Context,
	popClaims map[string]string,
	scopes []string,
	client public.Client,
	username, password string,
	msalOptions *MsalClientOptions,
	popKey PoPKey,
) (string, int64, error)
AcquirePoPTokenByUsernamePassword acquires a PoP token using MSAL's username/password login flow with user-specific caching. It first tries to acquire a token silently from the cache for the given username, and falls back to username/password login only if that fails. It uses the provided PoP key so that the token is cached correctly. If the cache contains tokens for a different user, it clears the cache and authenticates with the provided credentials. This flow requires no user interaction, since the credentials have already been provided.
func AcquirePoPTokenConfidential
func AcquirePoPTokenConfidential(
	ctx context.Context,
	popClaims map[string]string,
	scopes []string,
	client confidential.Client,
	tenantID string,
	popKey PoPKey,
) (string, int64, error)
AcquirePoPTokenConfidential acquires a PoP token using MSAL's confidential client login flow. It first tries to acquire a token silently from the cache, and falls back to credential-based login only if that fails. It uses the provided PoP key for token acquisition and caching. This flow requires no user interaction, since the credentials for the request have already been provided.
func AcquirePoPTokenInteractive
func AcquirePoPTokenInteractive(
	ctx context.Context,
	popClaims map[string]string,
	scopes []string,
	client public.Client,
	msalOptions *MsalClientOptions,
	popKey PoPKey,
) (string, int64, error)
AcquirePoPTokenInteractive acquires a PoP token using MSAL's interactive login flow with caching. It first attempts silent token acquisition if exactly one account is cached, using the provided PoP key so that the token is cached correctly. It falls back to interactive authentication if silent acquisition fails or no account is cached.
func NewConfidentialClient added in v0.2.9
func NewConfidentialClient(
	cred confidential.Credential,
	msalOptions *MsalClientOptions,
	options ...ConfidentialClientOption,
) (confidential.Client, error)
NewConfidentialClient creates a new confidential client with default options.
func NewPublicClient added in v0.2.11
func NewPublicClient(
	msalOptions *MsalClientOptions,
	options ...PublicClientOption,
) (public.Client, error)
NewPublicClient creates a new public client with default options.
Types
type ConfidentialClientOption added in v0.2.9
type ConfidentialClientOption func(*ConfidentialClientOptions)
ConfidentialClientOption defines a functional option for configuring a confidential client.
func WithCustomCacheConfidential added in v0.2.11
func WithCustomCacheConfidential(cache cache.ExportReplace) ConfidentialClientOption
WithCustomCacheConfidential adds a custom cache to the confidential client.
type ConfidentialClientOptions added in v0.2.11
type ConfidentialClientOptions struct {
	Cache cache.ExportReplace
}
ConfidentialClientOptions holds the options for creating a confidential client.
type MsalClientOptions added in v0.1.7
type PoPAuthenticationScheme
type PoPAuthenticationScheme struct {
	// Host is the value of the u claim added to the PoP token
	Host string
	PoPKey PoPKey
}
PoPAuthenticationScheme is a PoP token implementation of the MSAL AuthenticationScheme interface used by the Azure Arc Platform team. This implementation uses only the passed-in u claim (representing the ARM ID of the cluster/host); any other claims passed in during a PoP token request are disregarded.
func (*PoPAuthenticationScheme) AccessTokenType
func (as *PoPAuthenticationScheme) AccessTokenType() string
AccessTokenType returns the PoP access token type.
func (*PoPAuthenticationScheme) FormatAccessToken
func (as *PoPAuthenticationScheme) FormatAccessToken(accessToken string) (string, error)
FormatAccessToken takes an access token, formats it as a PoP token, and returns it as a base64-encoded string.
func (*PoPAuthenticationScheme) FormatAccessTokenWithOptions
func (as *PoPAuthenticationScheme) FormatAccessTokenWithOptions(accessToken, nonce string, timestamp int64) (string, error)
FormatAccessTokenWithOptions takes an access token, a nonce, and a timestamp, formats the token as a PoP token containing the given fields, and returns it as a base64-encoded string.
func (*PoPAuthenticationScheme) KeyID
func (as *PoPAuthenticationScheme) KeyID() string
KeyID returns the ID of the key used to sign the PoP token.
func (*PoPAuthenticationScheme) TokenRequestParams
func (as *PoPAuthenticationScheme) TokenRequestParams() map[string]string
TokenRequestParams returns the parameters to use when sending a request for a PoP token.
type PoPKey
type PoPKey interface {
	// Alg returns the signature algorithm name (for example RS256)
	Alg() string
	// KeyID returns the kid of the key
	KeyID() string
	// JWK returns the public key as a JWK that can be embedded in the PoP token's cnf claim
	JWK() string
	// JWKThumbprint returns the RFC 7638 (https://tools.ietf.org/html/rfc7638) JWK thumbprint
	JWKThumbprint() string
	// ReqCnf returns the req_cnf claim that can be included in an access token request to AAD
	ReqCnf() string
	// Sign signs the payload using the private key
	Sign([]byte) ([]byte, error)
}
PoPKey is a generic interface for PoP key properties and methods.
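As an added illustration (not code from this package), the following is a minimal software PoPKey backed by an RSA private key. The type rsaPoPKey and the constructor newRSAPoPKey are assumed names; the example shows why the RFC 7638 thumbprint doubles as the kid and how the cnf/req_cnf material is derived from the public half of the key only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

// rsaPoPKey is a constructed software PoP key backed by an RSA private key; it is an illustration, not the package's SwKey.
type rsaPoPKey struct{ priv *rsa.PrivateKey }

func newRSAPoPKey(bits int) (*rsaPoPKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &rsaPoPKey{priv: priv}, nil
}
func (k *rsaPoPKey) Alg() string { return "RS256" } // RSASSA-PKCS1-v1_5 with SHA-256

// JWK returns the public key as a JWK; json.Marshal sorts map keys, which yields exactly the {"e","kty","n"} order RFC 7638 requires, with no whitespace.
func (k *rsaPoPKey) JWK() string {
	pub := &k.priv.PublicKey
	b, _ := json.Marshal(map[string]string{
		"e":   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		"kty": "RSA",
		"n":   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
	})
	return string(b)
}

// JWKThumbprint is SHA-256 over that canonical JWK, base64url without padding.
func (k *rsaPoPKey) JWKThumbprint() string {
	sum := sha256.Sum256([]byte(k.JWK()))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// KeyID reuses the thumbprint as kid, so the kid is bound to the public key.
func (k *rsaPoPKey) KeyID() string { return k.JWKThumbprint() }

// ReqCnf is the base64url-encoded {"kid":...} object sent as req_cnf in the token request.
func (k *rsaPoPKey) ReqCnf() string {
	b, _ := json.Marshal(map[string]string{"kid": k.KeyID()})
	return base64.RawURLEncoding.EncodeToString(b)
}

// Sign produces an RS256 signature; a verifier checks it with rsa.VerifyPKCS1v15 and the jwk from the token's cnf claim.
func (k *rsaPoPKey) Sign(payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, h[:])
}
```

A resource server that receives the PoP token never sees the private key: it recomputes the thumbprint from the embedded jwk, compares it with kid, and verifies the signature with that public key.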
type PublicClientOption added in v0.2.11
type PublicClientOption func(*PublicClientOptions)
PublicClientOption defines a functional option for configuring a public client.
func WithCustomCachePublic added in v0.2.11
func WithCustomCachePublic(cache cache.ExportReplace) PublicClientOption
WithCustomCachePublic adds a custom cache to the public client.
type PublicClientOptions added in v0.2.11
type PublicClientOptions struct {
	Cache cache.ExportReplace
}
PublicClientOptions holds the options for creating a public client.
type SwKey added in v0.1.5
type SwKey struct {
	// contains filtered or unexported fields
}
SwKey is a software-based PoP key implementation of PoPKey.
func GetPoPKeyByPolicy added in v0.2.12
GetPoPKeyByPolicy returns a PoP key based on cache directory availability: it uses persistent key storage when cacheDir is provided and an ephemeral key otherwise. This centralizes the key selection logic used across all PoP credential implementations.
func GetSwPoPKey
GetSwPoPKey generates a new PoP key and returns it.
func GetSwPoPKeyPersistent added in v0.2.11
GetSwPoPKeyPersistent loads or generates a persistent PoP key for token caching. This ensures the same PoP key is used across multiple kubelogin invocations, which is required for PoP token caching with MSAL to work correctly.
This implementation uses platform-specific secure storage exclusively:
- Linux: kernel keyrings with encrypted files
- macOS: macOS Keychain
- Windows: Windows Credential Manager
func GetSwPoPKeyWithRSAKey
func GetSwPoPKeyWithRSAKey(rsaKey *rsa.PrivateKey) (*SwKey, error)
func (*SwKey) JWKThumbprint added in v0.1.5
JWKThumbprint returns the JWK thumbprint of the given SwKey.
func (*SwKey) KeyID added in v0.1.5
KeyID returns the key ID of the SwKey, identifying the key used to sign the PoP token.
Directories
| Path | Synopsis |
|---|---|
| | Linux-specific PoP cache implementation using kernel keyrings for secure storage. |