Constants ¶
const (
	// DefaultClientID is the default OAuth client ID for public clients.
	// A public client carries no client secret; the authorization flow
	// relies on PKCE (see NewFlow) to bind the authorization code to the
	// client that started the request.
	DefaultClientID = "abctl"
	// CallbackPath is the OAuth callback path. It is the path on the local
	// callback server where the browser is redirected after authorization
	// (see Flow.Authenticate); the full redirect URI is presumably built
	// from Flow.RedirectPort and this path — confirm against the caller.
	CallbackPath = "/callback"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client provides an HTTP client with automatic token management. Thread-safe for concurrent use by multiple goroutines/services. The mutex (mu) protects credentials during refresh operations when multiple API calls might trigger refresh simultaneously.
func NewClient ¶
func NewClient(provider *Provider, clientID string, credentials *Credentials) *Client
NewClient creates a new authenticated HTTP client. Designed for reuse across multiple services making concurrent API calls.
func (*Client) Do ¶
Do performs an authenticated HTTP request with automatic token refresh. It is thread-safe and handles concurrent requests. If the token is expired, it refreshes once and retries the request.
func (*Client) GetCredentials ¶
func (c *Client) GetCredentials() *Credentials
GetCredentials returns a copy of the current credentials.
type Credentials ¶
// Credentials stores authentication tokens and metadata.
//
// Both tokens are bearer secrets: whoever holds them can act as the user.
// ToJSON serializes every field below, including RefreshToken, so the
// JSON produced from a Credentials value must be stored and transported
// with the same care as the tokens themselves.
type Credentials struct {
	// AccessToken is the bearer token sent on API requests.
	AccessToken string `json:"access_token"`
	// RefreshToken is used to obtain a new access token once the current
	// one expires (see RefreshAccessToken); omitted from JSON when empty.
	RefreshToken string `json:"refresh_token,omitempty"`
	// TokenType is the token type reported by the provider (for example
	// "Bearer").
	TokenType string `json:"token_type"`
	// ExpiresAt is the absolute expiry time of AccessToken; IsExpired
	// compares against it. NOTE(review): presumably derived from
	// TokenResponse.ExpiresIn at exchange/refresh time — confirm.
	ExpiresAt time.Time `json:"expires_at"`
}
Credentials stores authentication tokens and metadata.
func CredentialsFromJSON ¶
func CredentialsFromJSON(data []byte) (*Credentials, error)
CredentialsFromJSON deserializes credentials from JSON.
func EnsureValidAuth ¶
func EnsureValidAuth(ctx context.Context, k8sClient k8s.Client, namespace string) (*Credentials, error)
EnsureValidAuth loads credentials and refreshes them if they have expired.
func (*Credentials) IsExpired ¶
func (c *Credentials) IsExpired() bool
IsExpired reports whether the access token has expired.
func (*Credentials) ToJSON ¶
func (c *Credentials) ToJSON() ([]byte, error)
ToJSON serializes credentials to JSON.
type Flow ¶
// Flow manages the OAuth2/OIDC authorization flow (with PKCE, see NewFlow).
// A callback HTTP server is run while Authenticate waits for the browser
// to return; the overall wait is bounded by a timeout.
type Flow struct {
	// Provider holds the endpoints used for authorization and token exchange.
	Provider *Provider
	// ClientID is the OAuth client ID; DefaultClientID is the public-client
	// default.
	ClientID string
	// RedirectPort is the local port the callback server listens on.
	// NOTE(review): presumably combined with CallbackPath to form the
	// redirect URI passed to the provider — confirm in Authenticate.
	RedirectPort int
	// contains filtered or unexported fields
}
Flow manages the OAuth2/OIDC authorization flow. It uses channels and goroutines to handle asynchronous browser-based OAuth callbacks while maintaining a timeout. This pattern is necessary because HTTP callbacks must be served while the main goroutine waits for authentication to complete.
func NewFlow ¶
NewFlow creates a new OAuth flow with PKCE. The flow is designed to be reusable across different service contexts.
func (*Flow) Authenticate ¶
func (f *Flow) Authenticate(ctx context.Context) (*Credentials, error)
Authenticate performs the OAuth flow and returns credentials. Uses goroutines and channels to handle the OAuth callback asynchronously because we need to run an HTTP server for the callback while also enforcing a timeout on the overall authentication process.
type Provider ¶
// Provider represents an OAuth2/OIDC provider configuration.
//
// The JSON tags match the field names of an OIDC discovery document
// (the ".well-known/openid-configuration" response), so a Provider can be
// populated directly from one. NOTE(review): when it is, the Issuer in the
// document should be checked against the issuer the document was fetched
// from before the endpoints are trusted — confirm where the value is loaded.
type Provider struct {
	// Issuer is the provider's issuer identifier URL.
	Issuer string `json:"issuer"`
	// AuthorizationEndpoint is where the browser is sent to start the flow.
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	// TokenEndpoint is where codes and refresh tokens are exchanged for
	// tokens (see ExchangeCodeForTokens and RefreshAccessToken).
	TokenEndpoint string `json:"token_endpoint"`
	// UserinfoEndpoint is optional and omitted from JSON when empty.
	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
	// JwksURI is optional and omitted from JSON when empty.
	JwksURI string `json:"jwks_uri,omitempty"`
}
Provider represents an OAuth2/OIDC provider configuration.
type TokenResponse ¶
// TokenResponse represents an OAuth2 token response as returned by the
// token endpoint (see ExchangeCodeForTokens and RefreshAccessToken).
type TokenResponse struct {
	// AccessToken is the issued bearer token.
	AccessToken string `json:"access_token"`
	// TokenType is the token type reported by the provider.
	TokenType string `json:"token_type"`
	// ExpiresIn is the access token lifetime as reported by the provider,
	// a relative value rather than an absolute time. NOTE(review): the
	// OAuth2 "expires_in" field is defined in seconds; presumably the
	// caller converts it into Credentials.ExpiresAt — confirm.
	ExpiresIn int `json:"expires_in"`
	// RefreshToken is present only when the provider issues one.
	RefreshToken string `json:"refresh_token,omitempty"`
	// IDToken is the OIDC ID token, present only for OIDC responses.
	IDToken string `json:"id_token,omitempty"`
}
TokenResponse represents an OAuth2 token response.
func ExchangeCodeForTokens ¶
func ExchangeCodeForTokens(ctx context.Context, provider *Provider, clientID, code, redirectURI, codeVerifier string) (*TokenResponse, error)
ExchangeCodeForTokens exchanges an authorization code for tokens.
func RefreshAccessToken ¶
func RefreshAccessToken(ctx context.Context, provider *Provider, clientID, refreshToken string) (*TokenResponse, error)
RefreshAccessToken uses a refresh token to obtain a new access token.