Overview
Package server implements an OpenID Connect server with federated logins.
Constants
// Context keys under which per-request metadata is stored. logRequestKey is an
// unexported type that is not shown on this page.
// NOTE(review): presumably these are the keys written by WithRequestID and
// WithRemoteIP — confirm against those functions.
const (
	RequestKeyRequestID logRequestKey = "request_id"
	RequestKeyRemoteIP  logRequestKey = "client_remote_addr"
)
// LocalConnector is the ID of the local passwordDB connector, an internal
// connector maintained by the server rather than one opened from ConnectorsConfig.
const LocalConnector = "local"
LocalConnector is the local passwordDB connector which is an internal connector maintained by the server.
Variables
// ConnectorsConfig maps a connector type name, as written in the server's
// configuration, to a constructor that returns a fresh, zero-valued
// ConnectorConfig for that type. Every entry simply allocates the connector's
// config struct with new; nothing is validated here.
//
// Note that "saml" and "samlExperimental" both construct a saml.Config.
var ConnectorsConfig = map[string]func() ConnectorConfig{
	"keystone":         func() ConnectorConfig { return new(keystone.Config) },
	"mockCallback":     func() ConnectorConfig { return new(mock.CallbackConfig) },
	"mockPassword":     func() ConnectorConfig { return new(mock.PasswordConfig) },
	"ldap":             func() ConnectorConfig { return new(ldap.Config) },
	"gitea":            func() ConnectorConfig { return new(gitea.Config) },
	"github":           func() ConnectorConfig { return new(github.Config) },
	"gitlab":           func() ConnectorConfig { return new(gitlab.Config) },
	"google":           func() ConnectorConfig { return new(google.Config) },
	"oidc":             func() ConnectorConfig { return new(oidc.Config) },
	"oauth":            func() ConnectorConfig { return new(oauth.Config) },
	"saml":             func() ConnectorConfig { return new(saml.Config) },
	"authproxy":        func() ConnectorConfig { return new(authproxy.Config) },
	"linkedin":         func() ConnectorConfig { return new(linkedin.Config) },
	"microsoft":        func() ConnectorConfig { return new(microsoft.Config) },
	"bitbucket-cloud":  func() ConnectorConfig { return new(bitbucketcloud.Config) },
	"openshift":        func() ConnectorConfig { return new(openshift.Config) },
	"atlassian-crowd":  func() ConnectorConfig { return new(atlassiancrowd.Config) },
	"cloudfoundry":     func() ConnectorConfig { return new(cloudfoundry.Config) },
	"samlExperimental": func() ConnectorConfig { return new(saml.Config) },
}
ConnectorsConfig maps each connector type name to a function that returns a fresh config struct for that type.
Functions
func WithRemoteIP (added in v1.9.0)
Types
type Config
// Config holds the server's configuration options.
//
// Multiple servers using the same storage are expected to be configured
// identically.
type Config struct {
	// Issuer identifies this server.
	// NOTE(review): presumably the issuer URL advertised in discovery and
	// placed in issued tokens — confirm against the server constructor.
	Issuer string

	// The backing persistence layer.
	Storage storage.Storage

	// AllowedGrantTypes lists the OAuth 2.0 grant types the server accepts.
	// NOTE(review): the behaviour when the list is empty is not visible on
	// this page — confirm before relying on a default.
	AllowedGrantTypes []string

	// Valid values are "code" to enable the code flow and "token" to enable the implicit
	// flow. If no response types are supplied this value defaults to "code".
	SupportedResponseTypes []string

	// Headers is a map of headers to be added to all responses.
	Headers http.Header

	// Header to extract the real client IP from, for deployments behind a
	// reverse proxy.
	RealIPHeader string
	// TrustedRealIPCIDRs presumably lists the proxy source ranges for which
	// RealIPHeader is honored, so that a client connecting from outside these
	// ranges cannot assert an arbitrary address through the header.
	// NOTE(review): the check itself is not on this page — confirm against
	// the handler that reads RealIPHeader.
	TrustedRealIPCIDRs []netip.Prefix

	// List of allowed origins for CORS requests on discovery, token and keys endpoint.
	// If none are indicated, CORS requests are disabled. Passing in "*" will allow any
	// domain, so keep this list as narrow as the deployment permits.
	AllowedOrigins []string
	// List of allowed headers for CORS requests on discovery, token, and keys endpoint.
	AllowedHeaders []string

	// If enabled, the server won't prompt the user to approve authorization requests.
	// Logging in implies approval.
	SkipApprovalScreen bool

	// If enabled, the connector selection page will always be shown even if there's only one.
	AlwaysShowLoginScreen bool

	RotateKeysAfter        time.Duration // Defaults to 6 hours.
	IDTokensValidFor       time.Duration // Defaults to 24 hours
	AuthRequestsValidFor   time.Duration // Defaults to 24 hours
	DeviceRequestsValidFor time.Duration // Defaults to 5 minutes

	// Refresh token expiration settings.
	RefreshTokenPolicy *RefreshTokenPolicy

	// If set, the server will use this connector to handle password grants.
	PasswordConnector string

	GCFrequency time.Duration // Defaults to 5 minutes

	// If specified, the server will use this function for determining time.
	// Useful for tests; leave nil to use the wall clock.
	Now func() time.Time

	Web WebConfig

	Logger *slog.Logger

	PrometheusRegistry *prometheus.Registry

	HealthChecker gosundheit.Health
}
Config holds the server's configuration options.
Multiple servers using the same storage are expected to be configured identically.
type ConnectorConfig
// ConnectorConfig is a configuration that can open a connector.
//
// Open receives the connector's ID and a logger and returns the connector
// ready for use, or an error if it cannot be opened.
type ConnectorConfig interface {
	Open(id string, logger *slog.Logger) (connector.Connector, error)
}
ConnectorConfig is a configuration that can open a connector.
type Introspection (added in v1.9.0)
// Introspection contains an access token's session data as specified by
// IETF RFC 7662 (https://tools.ietf.org/html/rfc7662).
//
// Consumers should check Active first: per RFC 7662 section 2.2 the other
// members carry no meaning when Active is false.
type Introspection struct {
	// Boolean indicator of whether or not the presented token
	// is currently active. The specifics of a token's "active" state
	// will vary depending on the implementation of the authorization
	// server and the information it keeps about its tokens, but a "true"
	// value return for the "active" property will generally indicate
	// that a given token has been issued by this authorization server,
	// has not been revoked by the resource owner, and is within its
	// given time window of validity (e.g., after its issuance time and
	// before its expiration time).
	Active bool `json:"active"`

	// JSON string containing a space-separated list of
	// scopes associated with this token.
	Scope string `json:"scope,omitempty"`

	// Client identifier for the OAuth 2.0 client that
	// requested this token.
	ClientID string `json:"client_id"`

	// Subject of the token, as defined in JWT [RFC7519].
	// Usually a machine-readable identifier of the resource owner who
	// authorized this token.
	Subject string `json:"sub"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token will expire.
	Expiry int64 `json:"exp"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token was
	// originally issued.
	IssuedAt int64 `json:"iat"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token is not to be
	// used before.
	NotBefore int64 `json:"nbf"`

	// Human-readable identifier for the resource owner who
	// authorized this token.
	Username string `json:"username,omitempty"`

	// Service-specific string identifier or list of string
	// identifiers representing the intended audience for this token, as
	// defined in JWT. The audience type is unexported and not shown here.
	Audience audience `json:"aud"`

	// String representing the issuer of this token, as
	// defined in JWT.
	Issuer string `json:"iss"`

	// String identifier for the token, as defined in JWT [RFC7519].
	JwtTokenID string `json:"jti,omitempty"`

	// TokenType is the introspected token's type, typically `bearer`.
	TokenType string `json:"token_type"`

	// TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.
	TokenUse string `json:"token_use"`

	// Extra is arbitrary data set from the token claims.
	Extra IntrospectionExtra `json:"ext,omitempty"`
}
Introspection contains an access token's session data as specified by IETF RFC 7662 (https://tools.ietf.org/html/rfc7662).
type IntrospectionExtra (added in v1.9.0)
// IntrospectionExtra carries additional claims copied from the introspected
// token. It is emitted under the "ext" member of an Introspection response.
type IntrospectionExtra struct {
	AuthorizingParty string `json:"azp,omitempty"`

	Email string `json:"email,omitempty"`
	// EmailVerified is a pointer so that an explicit false survives omitempty:
	// only a nil pointer is dropped from the JSON output.
	EmailVerified *bool `json:"email_verified,omitempty"`

	Groups []string `json:"groups,omitempty"`

	Name              string `json:"name,omitempty"`
	PreferredUsername string `json:"preferred_username,omitempty"`

	// FederatedIDClaims presumably describes the upstream (federated) identity
	// the token was issued for; federatedIDClaims is unexported and not shown
	// on this page.
	FederatedIDClaims *federatedIDClaims `json:"federated_claims,omitempty"`
}
type RefreshTokenPolicy (added in v0.8.0)
// RefreshTokenPolicy holds the refresh-token lifetime and rotation settings
// queried through its methods (AllowedToReuse, CompletelyExpired,
// ExpiredBecauseUnused, RotationEnabled). Its fields are unexported and are
// not shown on this page; construct it with NewRefreshTokenPolicy.
type RefreshTokenPolicy struct {
	// contains filtered or unexported fields
}
func NewRefreshTokenPolicy (added in v0.8.0)
func (*RefreshTokenPolicy) AllowedToReuse (added in v0.8.0)
func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool
func (*RefreshTokenPolicy) CompletelyExpired (added in v0.8.0)
func (r *RefreshTokenPolicy) CompletelyExpired(lastUsed time.Time) bool
func (*RefreshTokenPolicy) ExpiredBecauseUnused (added in v0.8.0)
func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool
func (*RefreshTokenPolicy) RotationEnabled (added in v0.8.0)
func (r *RefreshTokenPolicy) RotationEnabled() bool
type Server
// Server is the top level object. Its fields are unexported and are not
// shown on this page; build one with NewServerWithKey and register
// connectors through OpenConnector.
type Server struct {
	// contains filtered or unexported fields
}
Server is the top level object.
func NewServerWithKey
NewServerWithKey constructs a server from the provided config and a static signing key.
func (*Server) OpenConnector
OpenConnector updates the server's connector map with the specified connector object.
type TokenTypeEnum (added in v1.9.0)
// TokenTypeEnum distinguishes the kinds of tokens the server deals with.
type TokenTypeEnum int

const (
	// AccessToken is the zero value of TokenTypeEnum.
	AccessToken TokenTypeEnum = iota
	RefreshToken
)
func (TokenTypeEnum) String (added in v1.9.0)
func (t TokenTypeEnum) String() string
type WebConfig
// WebConfig holds the server's frontend templates and asset configuration.
type WebConfig struct {
	// A file path to static web assets.
	//
	// It is expected to contain the following directories:
	//
	//   * static - Static assets served at "( issuer URL )/static".
	//   * templates - HTML templates controlled by dex.
	//   * themes/(theme) - Static assets served at "( issuer URL )/theme".
	Dir string

	// Alternative way to programmatically configure static web assets.
	// If Dir is specified, WebFS is ignored.
	// It's expected to contain the same files and directories as mentioned above.
	//
	// Note: this is experimental. Might get removed without notice!
	WebFS fs.FS

	// Defaults to "( issuer URL )/theme/logo.png".
	LogoURL string

	// Defaults to "dex".
	Issuer string

	// Defaults to "light".
	Theme string

	// Map of extra values passed into the templates.
	Extra map[string]string
}
WebConfig holds the server's frontend templates and asset configuration.