Documentation
Index ¶
- Constants
- Variables
- func ConsumePKCECookie(w http.ResponseWriter, r *http.Request, secure bool) (string, bool)
- func ConsumeStateCookie(w http.ResponseWriter, r *http.Request, secure bool) (string, bool)
- func GeneratePKCE() (verifier, challenge string, err error)
- func GenerateState() (string, error)
- func MapExternalRoles(external []string, mappings []RoleMapping) []string
- func SetPKCECookie(w http.ResponseWriter, verifier string, secure bool)
- func SetStateCookie(w http.ResponseWriter, state string, secure bool)
- type Claims
- type Config
- type RoleMapping
- type Service
Constants ¶
const Provider = "oidc"
Provider is the identity.Principal.Provider value for OIDC-authenticated principals.
Variables ¶
var (
	ErrNoRolesMapped   = errors.New("oidc: no internal roles mapped for this user")
	ErrGroupNotAllowed = errors.New("oidc: user is not a member of any allowed group")
	ErrInvalidState    = errors.New("oidc: invalid or missing state parameter")
)
Sentinel errors returned by Service.
Functions ¶
func ConsumePKCECookie ¶
func ConsumePKCECookie(w http.ResponseWriter, r *http.Request, secure bool) (string, bool)
ConsumePKCECookie reads the PKCE verifier cookie and immediately clears it, so the verifier can be used for exactly one code exchange. Returns ("", false) when the cookie is absent.
func ConsumeStateCookie ¶
func ConsumeStateCookie(w http.ResponseWriter, r *http.Request, secure bool) (string, bool)
ConsumeStateCookie reads the state cookie and immediately clears it by setting MaxAge = -1, so a callback URL cannot be replayed against the same cookie. Returns ("", false) when the cookie is absent.
func GeneratePKCE ¶
func GeneratePKCE() (verifier, challenge string, err error)
GeneratePKCE returns a PKCE (RFC 7636) verifier and its S256 challenge. The verifier is kept out of the authorization request: it is written to an HttpOnly cookie by SetPKCECookie and presented only at the token endpoint. The challenge is what goes to the provider in the authorization request.
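The derivation GeneratePKCE describes is the RFC 7636 S256 method: a random verifier, base64url-encoded without padding, whose ASCII bytes are hashed with SHA-256 and encoded again to form the challenge. The block below is an added example written for this page, not the package's own code; NewPKCEPair, S256Challenge and VerifyPKCE are hypothetical names, and VerifyPKCE stands in for the check the provider's token endpoint performs so the round trip can be exercised offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewPKCEPair returns a fresh code_verifier and its S256 code_challenge
// (RFC 7636 sections 4.1 and 4.2). 32 random bytes base64url-encoded without
// padding give a 43-character verifier, the minimum length the RFC allows.
func NewPKCEPair() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", fmt.Errorf("pkce: %w", err)
	}
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	return verifier, S256Challenge(verifier), nil
}

// S256Challenge hashes the ASCII bytes of the verifier string (not the random
// bytes it was derived from) and base64url-encodes the digest without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE mirrors what a provider's token endpoint does with code_verifier:
// enforce the RFC length bounds, recompute the challenge and compare it in
// constant time. It exists here only so the round trip can be checked offline;
// in the real flow the provider performs this step, not the client.
func VerifyPKCE(verifier, challenge string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) == 1
}

func main() {
	verifier, challenge, err := NewPKCEPair()
	if err != nil {
		panic(err)
	}
	fmt.Printf("code_verifier=%s\ncode_challenge=%s\nverifies=%v\n",
		verifier, challenge, VerifyPKCE(verifier, challenge))
}
```

The test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm an implementation hashes the verifier string rather than its decoded bytes.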
func GenerateState ¶
func GenerateState() (string, error)
GenerateState returns a cryptographically secure random state string for inclusion in the OIDC authorization request. The same value is bound to the browser by SetStateCookie and checked against the state echoed back on the callback.
func MapExternalRoles ¶
func MapExternalRoles(external []string, mappings []RoleMapping) []string
MapExternalRoles maps external group identifiers to MIDAS canonical roles using explicit mappings only. Unknown groups are silently ignored. Output is deduplicated, deterministically sorted, and passed through identity.NormalizeRoles to ensure canonical form.
func SetPKCECookie ¶
func SetPKCECookie(w http.ResponseWriter, verifier string, secure bool)
SetPKCECookie stores the PKCE verifier in an HttpOnly cookie.
func SetStateCookie ¶
func SetStateCookie(w http.ResponseWriter, state string, secure bool)
SetStateCookie writes the CSRF state to an HttpOnly cookie. The cookie expires after 10 minutes — sufficient for any interactive login.
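The state cookie is what ties the provider's callback to the browser that started the login: the value sent in the authorization request must come back as the state query parameter and must match the cookie, which is cleared on first read. The block below is an added example for this page, not the package's own code. The cookie name oidc_state, SameSite=Lax, and the constant-time compare are assumptions the page does not state; authURL stands in for Service.AuthURL, and the round trip in main runs offline against httptest.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// stateCookieName is assumed; the page does not document the real cookie name.
const stateCookieName = "oidc_state"

var errInvalidState = errors.New("oidc: invalid or missing state parameter")

// newState returns 256 bits of CSPRNG output, base64url-encoded without padding.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// setStateCookie binds the state to the browser that started the login. HttpOnly
// keeps it away from scripts; the secure flag is left to the caller as in the
// page's signatures; SameSite=Lax (assumed) is the strictest mode that still
// survives the top-level redirect back from the provider.
func setStateCookie(w http.ResponseWriter, state string, secure bool) {
	http.SetCookie(w, &http.Cookie{
		Name: stateCookieName, Value: state, Path: "/",
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode,
		MaxAge: int((10 * time.Minute).Seconds()),
	})
}

// consumeStateCookie reads the cookie and immediately expires it (MaxAge = -1)
// so a captured callback URL cannot be replayed against the same cookie.
func consumeStateCookie(w http.ResponseWriter, r *http.Request, secure bool) (string, bool) {
	c, err := r.Cookie(stateCookieName)
	if err != nil {
		return "", false
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookieName, Value: "", Path: "/",
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode, MaxAge: -1,
	})
	return c.Value, true
}

// checkCallbackState runs before the code is exchanged: the state echoed by the
// provider must equal the one bound to this browser, and the cookie is consumed
// whether or not the check passes.
func checkCallbackState(w http.ResponseWriter, r *http.Request, secure bool) error {
	expected, ok := consumeStateCookie(w, r, secure)
	got := r.URL.Query().Get("state")
	if !ok || got == "" || subtle.ConstantTimeCompare([]byte(expected), []byte(got)) != 1 {
		return errInvalidState
	}
	return nil
}

// loginHandler mints the state, binds it to the browser and redirects to the provider.
func loginHandler(authURL func(state string) string, secure bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		state, err := newState()
		if err != nil {
			http.Error(w, "cannot start login", http.StatusInternalServerError)
			return
		}
		setStateCookie(w, state, secure)
		http.Redirect(w, r, authURL(state), http.StatusFound)
	}
}

func main() {
	// Offline round trip: start a login, then replay its cookie against a
	// callback carrying the genuine state and one carrying a forged state.
	rec := httptest.NewRecorder()
	loginHandler(func(s string) string { return "https://idp.example/authorize?state=" + s }, true)(
		rec, httptest.NewRequest("GET", "/login", nil))
	cookie := rec.Result().Cookies()[0]

	good := httptest.NewRequest("GET", "/callback?code=x&state="+cookie.Value, nil)
	good.AddCookie(cookie)
	fmt.Println("genuine callback:", checkCallbackState(httptest.NewRecorder(), good, true))

	forged := httptest.NewRequest("GET", "/callback?code=x&state=attacker", nil)
	forged.AddCookie(cookie)
	fmt.Println("forged callback: ", checkCallbackState(httptest.NewRecorder(), forged, true))
}
```

Consuming the cookie before the comparison, rather than only on success, matters: an attacker who can get a victim's browser to hit the callback with a guessed state should not leave a still-valid cookie behind for a second attempt.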
Types ¶
type Config ¶
type Config struct {
ProviderName string
IssuerURL string
AuthURL string
TokenURL string
ClientID string
ClientSecret string
RedirectURL string
Scopes []string
SubjectClaim string
UsernameClaim string
GroupsClaim string
DomainHint string
AllowedGroups []string
RoleMappings []RoleMapping
DenyIfNoRoles bool
UsePKCE bool
}
Config holds runtime OIDC configuration passed to NewService. This mirrors config.PlatformOIDCConfig; main.go converts between them.
type RoleMapping ¶
RoleMapping maps a single external group identifier to a MIDAS canonical role.
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service provides OIDC authorization code flow for platform/Explorer login. It handles the redirect, code exchange, token validation, and principal construction. Session creation is delegated to localiam (see httpapi).
func NewService ¶
NewService initialises a Service by performing OIDC discovery against cfg.IssuerURL. Returns an error if discovery fails or the config is invalid. The provided context is used only during initialisation.
func (*Service) AuthURL ¶
AuthURL returns the authorization URL to redirect the user to. state is the CSRF token. pkceChallenge is included when cfg.UsePKCE is true (pass an empty string to skip PKCE regardless of config).
func (*Service) BuildPrincipal ¶
BuildPrincipal converts OIDC claims to a MIDAS *identity.Principal. It enforces AllowedGroups and DenyIfNoRoles per configuration. Returns ErrGroupNotAllowed or ErrNoRolesMapped on policy denial.
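The two policy gates BuildPrincipal enforces sit on top of MapExternalRoles: membership in AllowedGroups is checked first, then the groups are mapped to roles with explicit mappings only (unknown groups dropped, output deduplicated and sorted), and DenyIfNoRoles decides whether an empty result is a denial. The block below is an added example covering both MapExternalRoles and BuildPrincipal; it is not the package's own code. The fields of roleMapping, the treatment of an empty AllowedGroups list as "no restriction", and the lower-case/trim behaviour of normalizeRole (standing in for identity.NormalizeRoles, whose rules the page does not state) are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// roleMapping's fields are assumed; the page does not show RoleMapping's definition.
type roleMapping struct {
	ExternalGroup string // group identifier as it appears in the groups claim
	Role          string // MIDAS canonical role it grants
}

// groupPolicy is the subset of Config that the policy decision needs.
type groupPolicy struct {
	AllowedGroups []string
	RoleMappings  []roleMapping
	DenyIfNoRoles bool
}

type principal struct {
	Provider, Subject, Username string
	Roles                       []string
}

var (
	errNoRolesMapped   = errors.New("oidc: no internal roles mapped for this user")
	errGroupNotAllowed = errors.New("oidc: user is not a member of any allowed group")
)

// normalizeRole stands in for identity.NormalizeRoles; lower-casing and trimming are assumed.
func normalizeRole(r string) string { return strings.ToLower(strings.TrimSpace(r)) }

// mapExternalRoles uses explicit mappings only: an external group with no
// mapping contributes nothing, duplicates collapse, and the result is sorted so
// two logins with the same groups produce identical slices.
func mapExternalRoles(external []string, mappings []roleMapping) []string {
	byGroup := make(map[string][]string, len(mappings))
	for _, m := range mappings {
		byGroup[m.ExternalGroup] = append(byGroup[m.ExternalGroup], normalizeRole(m.Role))
	}
	seen := make(map[string]bool)
	out := []string{}
	for _, g := range external {
		for _, role := range byGroup[g] { // missing key yields nil: unknown group ignored
			if !seen[role] {
				seen[role] = true
				out = append(out, role)
			}
		}
	}
	sort.Strings(out)
	return out
}

// buildPrincipal applies the gates in the order the page lists them:
// AllowedGroups first (an empty list is assumed to mean no restriction),
// then DenyIfNoRoles once roles have been mapped.
func buildPrincipal(p groupPolicy, subject, username string, groups []string) (*principal, error) {
	if len(p.AllowedGroups) > 0 && !intersects(groups, p.AllowedGroups) {
		return nil, errGroupNotAllowed
	}
	roles := mapExternalRoles(groups, p.RoleMappings)
	if len(roles) == 0 && p.DenyIfNoRoles {
		return nil, errNoRolesMapped
	}
	return &principal{Provider: "oidc", Subject: subject, Username: username, Roles: roles}, nil
}

func intersects(a, b []string) bool {
	set := make(map[string]struct{}, len(b))
	for _, s := range b {
		set[s] = struct{}{}
	}
	for _, s := range a {
		if _, ok := set[s]; ok {
			return true
		}
	}
	return false
}

func main() {
	p := groupPolicy{
		AllowedGroups: []string{"eng", "sec"},
		RoleMappings:  []roleMapping{{"eng", "Developer"}, {"sec", "admin"}, {"sec", "developer"}},
		DenyIfNoRoles: true,
	}
	// Constructed groups claims: one user inside an allowed group, one outside all of them.
	for _, groups := range [][]string{{"sec", "eng", "eng", "contractors"}, {"contractors"}} {
		pr, err := buildPrincipal(p, "sub-1", "alice", groups)
		fmt.Printf("groups=%v principal=%+v err=%v\n", groups, pr, err)
	}
}
```

With DenyIfNoRoles set, a user who passes the AllowedGroups gate but whose groups map to nothing is still refused; with it unset, the same user gets a principal with an empty role list, which is only safe if every downstream authorisation check treats no roles as no access.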