Documentation
¶
Index ¶
- Constants
- Variables
- func AppendClaimsAuthenticationRequestParameter(opts []oauth2.AuthCodeOption, requestedClaims map[string]*oidc.Claim) []oauth2.AuthCodeOption
- func FormatAccessTokenCacheKey(sub string) string
- func FormatUserInfoResponseCacheKey(sub string) string
- func GetScopesOrDefault(scopes []string) []string
- func ImplicitFlowURL(c *oauth2.Config, state string, opts ...oauth2.AuthCodeOption) (string, error)
- func InferGrantType(oidcConf *OIDCConfiguration) string
- func OfflineAccess(scopes []string) bool
- type ClaimsRequest
- type ClientApp
- func (a *ClientApp) GetUserInfo(actualClaims jwt.MapClaims, issuerURL, userInfoPath string) (jwt.MapClaims, bool, error)
- func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request)
- func (a *ClientApp) HandleLogin(w http.ResponseWriter, r *http.Request)
- func (a *ClientApp) SetGroupsFromUserInfo(claims jwt.Claims, sessionManagerClaimsIssuer string) (jwt.MapClaims, error)
- type OIDCConfiguration
- type Provider
Constants ¶
const ( GrantTypeAuthorizationCode = "authorization_code" GrantTypeImplicit = "implicit" ResponseTypeCode = "code" UserInfoResponseCachePrefix = "userinfo_response" AccessTokenCachePrefix = "access_token" )
Variables ¶
var ErrInvalidRedirectURL = errors.New("invalid return URL")
Functions ¶
func AppendClaimsAuthenticationRequestParameter ¶
func AppendClaimsAuthenticationRequestParameter(opts []oauth2.AuthCodeOption, requestedClaims map[string]*oidc.Claim) []oauth2.AuthCodeOption
AppendClaimsAuthenticationRequestParameter appends a OIDC claims authentication request parameter to `opts` with the `requestedClaims`
func FormatAccessTokenCacheKey ¶ added in v3.2.2
formatAccessTokenCacheKey returns the key which is used to store the accessToken of a user in cache
func FormatUserInfoResponseCacheKey ¶ added in v3.2.2
formatUserInfoResponseCacheKey returns the key which is used to store userinfo of user in cache
func GetScopesOrDefault ¶
func ImplicitFlowURL ¶
ImplicitFlowURL is an adaptation of oauth2.Config::AuthCodeURL() which returns a URL appropriate for an OAuth2 implicit login flow (as opposed to authorization code flow).
func InferGrantType ¶
func InferGrantType(oidcConf *OIDCConfiguration) string
InferGrantType infers the proper grant flow depending on the OAuth2 client config and OIDC configuration. Returns either: "authorization_code" or "implicit"
func OfflineAccess ¶
OfflineAccess returns whether or not 'offline_access' is a supported scope
Types ¶
type ClaimsRequest ¶
type ClientApp ¶
type ClientApp struct {
// contains filtered or unexported fields
}
func NewClientApp ¶
func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTLSConfig *dex.DexTLSConfig, baseHRef string, cacheClient cache.CacheClient) (*ClientApp, error)
NewClientApp will register the Argo CD client app (either via Dex or external OIDC) and return an object which has HTTP handlers for handling the HTTP responses for login and callback
func (*ClientApp) GetUserInfo ¶
func (a *ClientApp) GetUserInfo(actualClaims jwt.MapClaims, issuerURL, userInfoPath string) (jwt.MapClaims, bool, error)
GetUserInfo queries the IDP userinfo endpoint for claims
func (*ClientApp) HandleCallback ¶
func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request)
HandleCallback is the callback handler for an OAuth2 login flow
func (*ClientApp) HandleLogin ¶
func (a *ClientApp) HandleLogin(w http.ResponseWriter, r *http.Request)
HandleLogin formulates the proper OAuth2 URL (auth code or implicit) and redirects the user to the IDp login & consent page
func (*ClientApp) SetGroupsFromUserInfo ¶ added in v3.2.2
func (a *ClientApp) SetGroupsFromUserInfo(claims jwt.Claims, sessionManagerClaimsIssuer string) (jwt.MapClaims, error)
SetGroupsFromUserInfo takes a claims object and adds groups claim from userinfo endpoint if available This is required by some SSO implementations as they don't provide the groups claim in the ID token If querying the UserInfo endpoint fails, we return an error to indicate the session is invalid we assume that everywhere in argocd jwt.MapClaims is used as type for interface jwt.Claims otherwise this would cause a panic
type OIDCConfiguration ¶
type OIDCConfiguration struct {
Issuer string `json:"issuer"`
ScopesSupported []string `json:"scopes_supported"`
ResponseTypesSupported []string `json:"response_types_supported"`
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
}
OIDCConfiguration holds a subset of interested fields from the OIDC configuration spec
func ParseConfig ¶
func ParseConfig(provider *gooidc.Provider) (*OIDCConfiguration, error)
ParseConfig parses the OIDC Config into the concrete datastructure
type Provider ¶
type Provider interface {
Endpoint() (*oauth2.Endpoint, error)
ParseConfig() (*OIDCConfiguration, error)
Verify(tokenString string, argoSettings *settings.ArgoCDSettings) (*gooidc.IDToken, error)
}
Provider is a wrapper around go-oidc provider to also provide the following features: 1. lazy initialization/querying of the provider 2. automatic detection of change in signing keys 3. convenience function for verifying tokens We have to initialize the provider lazily since Argo CD can be an OIDC client to itself (in the case of dex reverse proxy), which presents a chicken-and-egg problem of (1) serving dex over HTTP, and (2) querying the OIDC provider (ourself) to initialize the OIDC client.
Source Files