candid

package module
v1.12.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 20, 2025 License: AGPL-3.0 Imports: 18 Imported by: 2

README

Candid Identity service

The Candid server provides a macaroon-based authentication service.

Installation

The easiest way to start using the candid service is with the snap:

snap install candid

The configuration file used by the snap can be found in /var/snap/candid/current/config.yaml.

Development

Requirements

Candid requires go1.23 or later to build. This is available in the go snap:

snap install go

Go will additionally require installing the following packages in order that it can fetch and build candid dependencies:

apt install build-essential bzr git
Source

Get the source from github.com/canonical/candid.

git clone https://github.com/canonical/candid

It is recommended that you check out the source outside of any $GOPATH ($HOME/go by default). If you do wish to check out into a $GOPATH then you will need to set the environment variable GO111MODULE=on.

Testing

The store/mgostore component additionally requires a running mongodb server, this may be running on a different system. The location of the mongodb server should be specified in an environment variable called MGOCONNECTIONSTRING, if this does not exist then the standard port (27017) on localhost will be assumed. To disable testing of store/mgostore completely then set the environment variable MGOTESTDISABLE=1.

The store/sqlstore component additionally requires a running postgresql, this may be running on a different system. The posgresql system to use is specified using the standard postgresql environment variables. To skip running postgresql tests set the environment variable PGTESTDISABLE=1.

Tests are run by running make check in the root of the source tree. The tests for a single package can be run by running go test in the package directory.

Documentation

Index

Constants

View Source 
const (
	Debug      = "debug"
	Discharger = "discharger"
	V1         = "v1"
)

Versions of the API that can be served.

Variables

View Source 
var ResourceFS embed.FS

ResourceFS contains embeded resource files (templates and static content).

Functions

func Versions 

func Versions() []string

Versions returns all known API version strings in alphabetical order.

Types

type HandlerCloser 

type HandlerCloser interface {
	http.Handler
	Close()
}

func NewServer 

func NewServer(params ServerParams, serveVersions ...string) (HandlerCloser, error)

NewServer returns a new handler that handles identity service requests and stores its data in the given database. The handler will serve the specified versions of the API.

type ServerParams 

type ServerParams struct {
	// MeetingStore holds the storage that will be used to store
	// rendezvous information.
	MeetingStore meeting.Store

	// ProviderDataStore holds the storeage that can be used by
	// identity providers to store data that is not associated with
	// an individual identity.
	ProviderDataStore store.ProviderDataStore

	// RootKeyStore holds the root key store that will be used to
	// store macaroon root keys within the identity server.
	RootKeyStore bakery.RootKeyStore

	// Store holds the identities store for the identity server.
	Store store.Store

	// AdminPassword holds the password for admin login.
	AdminPassword string

	// Key holds the keypair to use with the bakery service.
	Key *bakery.KeyPair

	// Location holds a URL representing the externally accessible
	// base URL of the service, without a trailing slash.
	Location string

	// PrivateAddr should hold a dialable address that will be used
	// for communication between identity servers. Note that this
	// should not contain a port.
	PrivateAddr string

	// IdentityProviders contains the set of identity providers that
	// should be initialised by the service.
	IdentityProviders []idp.IdentityProvider

	// MFAAuthenticator holds the multi-factor authenticator.
	MFAAuthenticator *mfa.Authenticator

	// DebugTeams contains the set of launchpad teams that may access
	// the restricted debug endpoints.
	// TODO remove this.
	DebugTeams []string

	// AdminAgentPublicKey contains the public key of the admin agent.
	AdminAgentPublicKey *bakery.PublicKey

	// StaticFileSystem contains an http.FileSystem that can be used
	// to serve static files.
	StaticFileSystem http.FileSystem

	// Template contains a set of templates that are used to generate
	// html output.
	Template *template.Template

	// DebugStatusCheckerFuncs contains functions that will be
	// executed as part of a /debug/status check.
	DebugStatusCheckerFuncs []debugstatus.CheckerFunc

	// RendezvousTimeout holds the time after which an interactive discharge wait
	// request will time out.
	RendezvousTimeout time.Duration

	// ACLStore holds the ACLStore for the identity server.
	ACLStore aclstore.ACLStore

	// RedirectLoginTrustedURLs contains a list of URLs that are
	// trusted to be used as return_to URLs during an interactive
	// login.
	RedirectLoginTrustedURLs []string

	// RedirectLoginTrustedDomains contains a list of domain names that
	// are fully trusted to be used as return_to URLs during an
	// interactive login. If the domain starts with the sequence "*."
	// then all subdomains of the subsequent domain will be trusted.
	RedirectLoginTrustedDomains []string

	// APIMacaroonTimeout is the maximum life of an API macaroon.
	APIMacaroonTimeout time.Duration

	// DischargeMacaroonTimeout is the maximum life of a Discharge
	// macaroon.
	DischargeMacaroonTimeout time.Duration

	// DischargeTokenTimeout is the maximum life of a Discharge
	// token.
	DischargeTokenTimeout time.Duration

	// SkipLocationForCookiePaths instructs if the Cookie Paths are to
	// be set relative to the Location Path or not.
	SkipLocationForCookiePaths bool

	// EnableEmailLogin enables the login with email address link on the
	// authentication required page.
	EnableEmailLogin bool
}

ServerParams contains configuration parameters for a server.

Source Files

View all Source files

Directories

Path Synopsis
redirect
Package redirect implements redirection based login.
 Package redirect implements redirection based login.
ussodischarge
Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
 Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
ussologin
Package ussologin defines functionality used for allowing clients to authenticate with the Candid server using USSO OAuth.
 Package ussologin defines functionality used for allowing clients to authenticate with the Candid server using USSO OAuth.
Package candidtest provides an inmemory candid service for use in tests.
 Package candidtest provides an inmemory candid service for use in tests.
cmd
candid command
candid/internal/admincmd
candidsrv command
migrate-db command
migrate-db/internal
migrate-db/internal/mongodoc
The config package defines configuration parameters for the id server.
 The config package defines configuration parameters for the id server.
idp
Package idp defines the API provided by all identity providers.
 Package idp defines the API provided by all identity providers.
adfs
Package adfs is an identity provider that authenticates with an ADFS service.
 Package adfs is an identity provider that authenticates with an ADFS service.
agent
Package agent is an identity provider that uses the agent authentication scheme.
 Package agent is an identity provider that uses the agent authentication scheme.
azure
Package azure is an identity provider that authenticates with azure.
 Package azure is an identity provider that authenticates with azure.
google
Package google is an identity provider that authenticates with google.
 Package google is an identity provider that authenticates with google.
idptest
idputil
Package idputil contains utility routines common to many identity providers.
 Package idputil contains utility routines common to many identity providers.
idputil/msgraph
Package msgraph contains Microsoft Graph API utility routines common to Azure and ADFS providers.
 Package msgraph contains Microsoft Graph API utility routines common to Azure and ADFS providers.
idputil/secret
keycloak
Package keycloak is an identity provider that authenticates with keycloak oidc.
 Package keycloak is an identity provider that authenticates with keycloak oidc.
keystone
Package keystone contains identity providers that validate against keystone servers.
 Package keystone contains identity providers that validate against keystone servers.
keystone/internal/keystone
Package keystone implements a keystone client.
 Package keystone implements a keystone client.
keystone/internal/mockkeystone
ldap
Package ldap contains identity providers that validate against ldap servers.
 Package ldap contains identity providers that validate against ldap servers.
openid
Package openid provides identity providers that use OpenID to determine the identity.
 Package openid provides identity providers that use OpenID to determine the identity.
static
Package static contains identity providers that validate against a static list of users.
 Package static contains identity providers that validate against a static list of users.
usso
Pacakge usso is an identity provider that authenticates against Ubuntu SSO using OpenID.
 Pacakge usso is an identity provider that authenticates against Ubuntu SSO using OpenID.
usso/internal/kvnoncestore
Package kvnoncestore is an openid.NonceStore that is backed by a store.KeyValueStore.
 Package kvnoncestore is an openid.NonceStore that is backed by a store.KeyValueStore.
usso/internal/mockusso
usso/ussodischarge
Pacakge ussodischarge is an identity provider that authenticates against Ubuntu SSO using Ubuntu SSO's macaroon protocol.
 Pacakge ussodischarge is an identity provider that authenticates against Ubuntu SSO using Ubuntu SSO's macaroon protocol.
usso/ussodischarge/cmd/login command
login is a simple tool that can be used to test the Ubuntu SSO discharge login protocol.
 login is a simple tool that can be used to test the Ubuntu SSO discharge login protocol.
usso/ussooauth
Pacakge ussooauth is an identity provider that authenticates against Ubuntu SSO using OAuth.
 Pacakge ussooauth is an identity provider that authenticates against Ubuntu SSO using OAuth.
internal
auth
auth/httpauth
candidtest
Package candidtest provides suites and functions useful for testing the identity manager.
 Package candidtest provides suites and functions useful for testing the identity manager.
debug
debugstatus
debugstatus contains the removed contents of the deprecated github.com/juju/juju/utils/v2/debugstatus package.
 debugstatus contains the removed contents of the deprecated github.com/juju/juju/utils/v2/debugstatus package.
discharger
Package discharger serves all of the endpoints related to discharging macaroon and logging in.
 Package discharger serves all of the endpoints related to discharging macaroon and logging in.
discharger/internal
identity
mfa
Package mfa contains implementation of a handler for multi-factor authentication with WebAuthn.
 Package mfa contains implementation of a handler for multi-factor authentication with WebAuthn.
monitoring
v1
Package meeting provides a way for one thread of control to wait for information provided by another thread.
 Package meeting provides a way for one thread of control to wait for information provided by another thread.
memstore
Package memstore provides an in-memory implementation of the store.
 Package memstore provides an in-memory implementation of the store.
mgostore
sqlstore
storetest
Package testing provides useful tools for testing Store implementations.
 Package testing provides useful tools for testing Store implementations.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.