README
¶
Stratify SaaS Platform - Public SDK - Auth
Note that Auth is a "package group". This is to say that, if you wish to implement any custom Auth interface defined herein, then you must do so for ALL of the interfaces defined under Auth. They should also be structured in the same way with separation of Session, Identity, and outer Auth packages in order to maintain a secure handling model that does not allow for external code to tamper with or gain access to credentials in some hacky, unorthodox path. It is essential for any implementation to force all access through the outer Auth package interface, and leverage dependency injection to ensure that the runtime access paths are secure and cannot be circumvented.
Our Auth model bears a number of small components that must all integrate with each other for a
given implementation in order to provide a functioning and secure system. We approach this with
an abstraction that we hope will accommodate any number of single-factor authentication schemes,
with an expectation to expand into multi-factor auth as a fast follow-on. At a minimum, we know
that this model will be adequate to suport common HTTP authentication schemes.
Please reference our Glossary of Terms as needed:
- https://github.com/DigiStratum/StratifyPlatform-SDK/wiki/Stratify-SaaS-Platform---Glossary-of-Terms
Reference Sources: - https://docs.oracle.com/cd/E13222_01/wls/docs90/secintro/realm_chap.html
- https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system
- (From https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml)
- Basic [RFC7617] https://www.iana.org/go/rfc7617
- Bearer [RFC6750] https://www.iana.org/go/rfc6750
- Digest [RFC7616] https://www.iana.org/go/rfc7616
New thinking on Authorization:
- Authorization should be distributed, not consolidated:
- Server can generally validate that a given Identity should have permission to make a request to a given module/endpoint/method based on some permission map and lookup of identity role/permissions - it returns 403 if this check fails
- Module/Endpoint can validate that the Identity should have access to specific primary and/or supporting resources and that the intent of the module/endpoint implementation matches up with the Identity's profile and/or resource access/ownership - it returns 403 if any of these checks fail
Documentation
¶
Index ¶
- type Auth
- func (r *Auth) Authenticate(credential identsdk.CredentialIfc) (sesssdk.SessionIfc, error)
- func (r *Auth) AuthorizeSessionRequest(sessionId sesssdk.SessionId, requestMetadata metadata.MetadataIfc) (bool, error)
- func (r *Auth) CheckIDPIdentity(identity identsdk.IdentityIfc) bool
- func (r *Auth) GetSessionIdentity(sessionId sesssdk.SessionId) (identsdk.IdentityIfc, error)
- func (r *Auth) Start() error
- type AuthFactory
- type AuthIfc
- type AuthorizorIfc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Auth ¶
type Auth struct {
// Embedded struct(s)
*dep.DependencyInjectable
*startable.Startable
// contains filtered or unexported fields
}
Exported to support embedding
func (*Auth) Authenticate ¶
func (r *Auth) Authenticate(credential identsdk.CredentialIfc) (sesssdk.SessionIfc, error)
Authenticate Credential, return (Session, nil) on success, or (nil, error)
func (*Auth) AuthorizeSessionRequest ¶
func (r *Auth) AuthorizeSessionRequest(sessionId sesssdk.SessionId, requestMetadata metadata.MetadataIfc) (bool, error)
Authorize Session for action against Resource; return (true, nil) on success, or (false, error)
func (*Auth) CheckIDPIdentity ¶
func (r *Auth) CheckIDPIdentity(identity identsdk.IdentityIfc) bool
Check this Identity against the IDP
func (*Auth) GetSessionIdentity ¶
Get the identity for the Session
type AuthFactory ¶
A Factory function to unpack provided Config into an initialized Auth package
type AuthIfc ¶
type AuthIfc interface {
// Embedded interface(s)
dep.DependencyInjectableIfc
startable.StartableIfc
// Our own interface
// Authenticate Credentiail (convert a Credential into a Session)
Authenticate(credential identsdk.CredentialIfc) (sesssdk.SessionIfc, error)
// Get Session Identity (convert a Session into an Identity)
GetSessionIdentity(sessionId sesssdk.SessionId) (identsdk.IdentityIfc, error)
// Is the Identity for the Session with this sessionId Authorized for the given Resource?
AuthorizeSessionRequest(sessionId sesssdk.SessionId, requestMetadata metadata.MetadataIfc) (bool, error)
// Check this Identity against the IDP
CheckIDPIdentity(identity identsdk.IdentityIfc) bool
}
type AuthorizorIfc ¶
type AuthorizorIfc interface {
// Embedded Interface(s)
startable.StartableIfc
// Our own interface
// Is this Identity's Grants Authorized for the given Resource?
IsAuthorized(identity identsdk.IdentityIfc, requestMetadata metadata.MetadataIfc) (bool, error)
}
Source Files
Directories