Documentation
Index ¶
- Constants
- Variables
- func Auth(dbSession *cdb.Session, tc temporalClient.Client, ...) echo.MiddlewareFunc
- func AuthProcessor(c echo.Context, joCfg *config.JWTOriginConfig) *util.APIError
- func CreateMockKeycloakServer(config MockKeycloakServerConfig) *httptest.Server
- type KeycloakAuthService
- func (k *KeycloakAuthService) ClientCredentialsAuth(ctx context.Context, clientID, clientSecret string) (*model.APITokenResponse, error)
- func (k *KeycloakAuthService) ExchangeCodeForTokens(ctx context.Context, code string, redirectURI string, codeVerifier string) (*model.APITokenResponse, error)
- func (k *KeycloakAuthService) GetUserInfo(ctx context.Context, accessToken string) (*gocloak.UserInfo, error)
- func (k *KeycloakAuthService) InitiateAuthFlow(ctx context.Context, email, redirectURI string) (*model.APILoginResponse, error)
- func (k *KeycloakAuthService) IsServiceAccountEnabled() bool
- func (k *KeycloakAuthService) Logout(ctx context.Context, refreshToken string) error
- func (k *KeycloakAuthService) RefreshAccessToken(ctx context.Context, refreshToken string) (*model.APITokenResponse, error)
- type MockKeycloakServerConfig
- type TestMockResponses
Constants ¶
const (
	// GrantTypeAuthorizationCode is the string "authorization_code", the
	// OAuth 2.0 grant type name for the authorization code flow.
	GrantTypeAuthorizationCode = "authorization_code"
	// ClientScopes is the string "openid"; presumably the scope requested
	// during login — confirm against the callers.
	ClientScopes = "openid"
	// LoginResponseType is the string "code"; presumably sent as the
	// response_type of the authorization request — confirm against the callers.
	LoginResponseType = "code"
)
Variables ¶
var DefaultMockResponses = GetDefaultMockResponses()
DefaultMockResponses provides standard mock responses for tests (backward compatibility)
Functions ¶
func Auth ¶
func Auth(dbSession *cdb.Session, tc temporalClient.Client, joCfg *config.JWTOriginConfig, encCfg *commonConfig.PayloadEncryptionConfig, kcfg *config.KeycloakConfig) echo.MiddlewareFunc
Auth middleware reviews request parameters and validates authentication
func AuthProcessor ¶
AuthProcessor validates the auth header forwarded by NGC KAS, then gets or creates/updates the user record
func CreateMockKeycloakServer ¶
func CreateMockKeycloakServer(config MockKeycloakServerConfig) *httptest.Server
CreateMockKeycloakServer creates a consolidated mock Keycloak server
Types ¶
type KeycloakAuthService ¶
type KeycloakAuthService struct {
// contains filtered or unexported fields
}
KeycloakAuthService handles Keycloak OAuth 2.0 authentication flows
func NewKeycloakAuthService ¶
func NewKeycloakAuthService(keycloakConfig *config.KeycloakConfig) *KeycloakAuthService
NewKeycloakAuthService creates a new Keycloak authentication service
func NewKeycloakAuthServiceWithClient ¶
func NewKeycloakAuthServiceWithClient(keycloakConfig *config.KeycloakConfig, client *gocloak.GoCloak) *KeycloakAuthService
NewKeycloakAuthServiceWithClient creates a new Keycloak authentication service with a custom client
func (*KeycloakAuthService) ClientCredentialsAuth ¶
func (k *KeycloakAuthService) ClientCredentialsAuth(ctx context.Context, clientID, clientSecret string) (*model.APITokenResponse, error)
ClientCredentialsAuth performs client credentials authentication flow
func (*KeycloakAuthService) ExchangeCodeForTokens ¶
func (k *KeycloakAuthService) ExchangeCodeForTokens(ctx context.Context, code string, redirectURI string, codeVerifier string) (*model.APITokenResponse, error)
ExchangeCodeForTokens exchanges an authorization code for access and refresh tokens. For confidential clients, the standard OAuth flow is used without PKCE, so the codeVerifier parameter is ignored for confidential clients. Supplying a codeVerifier therefore adds no PKCE protection for such clients.
func (*KeycloakAuthService) GetUserInfo ¶
func (k *KeycloakAuthService) GetUserInfo(ctx context.Context, accessToken string) (*gocloak.UserInfo, error)
GetUserInfo fetches user information using the access token
func (*KeycloakAuthService) InitiateAuthFlow ¶
func (k *KeycloakAuthService) InitiateAuthFlow(ctx context.Context, email, redirectURI string) (*model.APILoginResponse, error)
InitiateAuthFlow starts the OAuth 2.0 authentication flow. It uses the realm admin credentials to query the Keycloak admin API, finds the IDP alias for the domain, and returns the public Keycloak authorization URL with kc_idp_hint.
func (*KeycloakAuthService) IsServiceAccountEnabled ¶
func (k *KeycloakAuthService) IsServiceAccountEnabled() bool
IsServiceAccountEnabled returns whether service accounts (client credentials) are enabled
func (*KeycloakAuthService) Logout ¶
func (k *KeycloakAuthService) Logout(ctx context.Context, refreshToken string) error
Logout logs out a user by revoking the refresh token
func (*KeycloakAuthService) RefreshAccessToken ¶
func (k *KeycloakAuthService) RefreshAccessToken(ctx context.Context, refreshToken string) (*model.APITokenResponse, error)
RefreshAccessToken refreshes an access token using a refresh token
type MockKeycloakServerConfig ¶
// MockKeycloakServerConfig configures the behavior of the mock Keycloak server.
// NOTE(review): ValidCredentials maps usernames to plaintext passwords, so it
// should only ever hold test fixtures, never real credentials.
type MockKeycloakServerConfig struct {
	Responses        TestMockResponses // mock response data for the server
	ValidCredentials map[string]string // username -> password
	ValidTokens      map[string]bool   // token -> valid
	ValidCodes       map[string]bool   // code -> valid
}
MockKeycloakServerConfig configures the mock server behavior
func DefaultMockServerConfig ¶
func DefaultMockServerConfig() MockKeycloakServerConfig
DefaultMockServerConfig provides a standard configuration
type TestMockResponses ¶
// TestMockResponses groups the mock response data used by tests.
// NOTE(review): each field is presumably the raw response body for the
// endpoint its name suggests — confirm against CreateMockKeycloakServer.
type TestMockResponses struct {
	AdminLogin string
	IDPs       string
	Token      string
	UserInfo   string
	JWKS       string // per GetDefaultMockResponses' documentation, generated from the test RSA key
}
TestMockResponses contains all mock response data
func GetDefaultMockResponses ¶
func GetDefaultMockResponses() TestMockResponses
GetDefaultMockResponses provides standard mock responses for tests. It generates the JWKS dynamically from the consistent test RSA key.