server


Overview

Package server implements an OpenID Connect server with federated logins.

Index

Constants

// User-facing error messages rendered to the browser when a flow fails.
//
// They are deliberately generic: none of them echoes internal detail (storage
// errors, upstream IdP responses, stack traces) back to the client. The specific
// cause belongs in the server log, ideally correlated with the request ID stored
// under RequestKeyRequestID, so keep any new message here equally opaque.
const (
	// ErrMsgLoginError is a generic login error message shown to users.
	// Used when authentication fails due to internal server errors.
	ErrMsgLoginError = "Login error. Please contact your administrator or try again later."

	// ErrMsgAuthenticationFailed is shown when callback/SAML authentication fails.
	ErrMsgAuthenticationFailed = "Authentication failed. Please contact your administrator or try again later."

	// ErrMsgInternalServerError is a generic internal server error message.
	ErrMsgInternalServerError = "Internal server error. Please contact your administrator or try again later."

	// ErrMsgDatabaseError is shown when database operations fail.
	// It intentionally does not name the storage backend or the failing operation.
	ErrMsgDatabaseError = "A database error occurred. Please try again later."

	// ErrMsgInvalidRequest is shown when request parsing fails.
	ErrMsgInvalidRequest = "Invalid request. Please try again."

	// ErrMsgMethodNotAllowed is shown when an unsupported HTTP method is used.
	ErrMsgMethodNotAllowed = "Method not allowed."

	// ErrMsgNotInRequiredGroups is shown when a user authenticates successfully
	// but is not a member of any of the groups required by the connector.
	// It is only reachable after upstream authentication succeeded, so it does
	// not reveal anything to an unauthenticated caller.
	ErrMsgNotInRequiredGroups = "You are not a member of any of the required groups to authenticate."
)
// Context keys under which per-request metadata is stored for structured
// logging; populated by WithRequestID and WithRemoteIP.
const (
	// RequestKeyRequestID keys the correlation ID attached to a request so that
	// log lines for one request can be tied together.
	RequestKeyRequestID logRequestKey = "request_id"
	// RequestKeyRemoteIP keys the client's remote address. NOTE(review): this is
	// presumably the value derived via Config.RealIPHeader when that is set, so
	// it is only as trustworthy as the proxy that supplied the header.
	RequestKeyRemoteIP  logRequestKey = "client_remote_addr"
)
// LocalConnector is the ID of the built-in password-database connector, an
// internal connector maintained by the server itself rather than a federated
// identity provider.
const LocalConnector = "local"

LocalConnector is the ID of the local password-database connector, an internal connector maintained by the server itself rather than by a federated identity provider.

Variables

// ConnectorsConfig maps each connector type name, as written in the server
// configuration, to a constructor that returns a fresh zero-valued config struct
// for that type, ready to be decoded from the configuration source.
//
// NOTE(review): "mockCallback" and "mockPassword" are, judging by their names,
// test doubles; they should not be enabled in a production configuration since
// a mock connector accepts logins without a real identity provider behind it.
var ConnectorsConfig = map[string]func() ConnectorConfig{
	"keystone":        func() ConnectorConfig { return new(keystone.Config) },
	"mockCallback":    func() ConnectorConfig { return new(mock.CallbackConfig) },
	"mockPassword":    func() ConnectorConfig { return new(mock.PasswordConfig) },
	"ldap":            func() ConnectorConfig { return new(ldap.Config) },
	"gitea":           func() ConnectorConfig { return new(gitea.Config) },
	"github":          func() ConnectorConfig { return new(github.Config) },
	"gitlab":          func() ConnectorConfig { return new(gitlab.Config) },
	"google":          func() ConnectorConfig { return new(google.Config) },
	"oidc":            func() ConnectorConfig { return new(oidc.Config) },
	"oauth":           func() ConnectorConfig { return new(oauth.Config) },
	"saml":            func() ConnectorConfig { return new(saml.Config) },
	"authproxy":       func() ConnectorConfig { return new(authproxy.Config) },
	"linkedin":        func() ConnectorConfig { return new(linkedin.Config) },
	"microsoft":       func() ConnectorConfig { return new(microsoft.Config) },
	"bitbucket-cloud": func() ConnectorConfig { return new(bitbucketcloud.Config) },
	"openshift":       func() ConnectorConfig { return new(openshift.Config) },
	"atlassian-crowd": func() ConnectorConfig { return new(atlassiancrowd.Config) },
	"cloudfoundry":    func() ConnectorConfig { return new(cloudfoundry.Config) },

	// "samlExperimental" resolves to the same saml.Config as "saml"; it is kept
	// as a compatibility alias for older configurations.
	"samlExperimental": func() ConnectorConfig { return new(saml.Config) },
}

ConnectorsConfig maps each connector type name to a constructor returning a fresh, zero-valued config struct for that type. Both "saml" and "samlExperimental" resolve to saml.Config; the "mockCallback" and "mockPassword" entries are test connectors and should not be enabled in production.

Functions

func NewAPI

func NewAPI(s storage.Storage, logger *slog.Logger, version string, server *Server) api.DexServer

NewAPI returns an implementation of the gRPC api.DexServer interface backed by the given storage and server.

func WithRemoteIP added in v1.9.0

func WithRemoteIP(ctx context.Context, ip string) context.Context

func WithRequestID added in v1.9.0

func WithRequestID(ctx context.Context) context.Context

Types

type Config

// Config holds the server's configuration options.
//
// Multiple servers sharing the same storage are expected to be configured
// identically.
type Config struct {
	// Issuer is the OpenID Connect issuer URL of this server.
	// NOTE(review): relying parties compare it against the "iss" claim of issued
	// tokens, so it must match the externally reachable URL exactly (scheme,
	// host, port and path).
	Issuer string

	// The backing persistence layer.
	Storage storage.Storage

	// AllowedGrantTypes restricts which OAuth 2.0 grant types the token endpoint
	// accepts. NOTE(review): the behaviour when empty is not visible here —
	// confirm the default before relying on this to disable a grant.
	AllowedGrantTypes []string

	// Valid values are "code" to enable the code flow and "token" to enable the implicit
	// flow. If no response types are supplied this value defaults to "code".
	// NOTE(review): "token" enables the implicit flow, which delivers tokens in the
	// URL fragment; prefer the code flow (with PKCE) for new deployments.
	SupportedResponseTypes []string

	// Headers is a map of headers to be added to all responses.
	Headers http.Header

	// RealIPHeader names the request header (e.g. X-Forwarded-For) from which the
	// client's real IP is read; TrustedRealIPCIDRs lists the proxy networks whose
	// value of that header is trusted.
	// NOTE(review): any client can set this header itself, so it must only be
	// honoured when the direct peer falls within TrustedRealIPCIDRs; whether the
	// server enforces that is not visible from this declaration — confirm.
	RealIPHeader       string
	TrustedRealIPCIDRs []netip.Prefix

	// List of allowed origins for CORS requests on discovery, token and keys endpoint.
	// If none are indicated, CORS requests are disabled. Passing in "*" will allow any
	// domain.
	// NOTE(review): "*" exposes the token endpoint to cross-origin browser requests
	// from every site; list explicit origins in production.
	AllowedOrigins []string

	// List of allowed headers for CORS requests on discovery, token, and keys endpoint.
	AllowedHeaders []string

	// If enabled, the server won't prompt the user to approve authorization requests.
	// Logging in implies approval.
	SkipApprovalScreen bool

	// If enabled, the connector selection page will always be shown even if there's
	// only one connector configured.
	AlwaysShowLoginScreen bool

	// Lifetimes of issued ID tokens, pending authorization requests and pending
	// device authorization requests. Presumably the zero value selects the
	// documented default.
	IDTokensValidFor       time.Duration // Defaults to 24 hours
	AuthRequestsValidFor   time.Duration // Defaults to 24 hours
	DeviceRequestsValidFor time.Duration // Defaults to 5 minutes

	// Refresh token expiration settings; see NewRefreshTokenPolicy.
	RefreshTokenPolicy *RefreshTokenPolicy

	// If set, the server will use this connector to handle password grants
	// (the OAuth 2.0 resource-owner password credentials grant).
	PasswordConnector string

	// GCFrequency is the interval between garbage-collection passes over expired
	// objects in Storage.
	GCFrequency time.Duration // Defaults to 5 minutes

	// If specified, the server will use this function for determining time.
	// Intended as a test seam; presumably time.Now is used when nil.
	Now func() time.Time

	// Web configures the HTML templates and static assets served to users.
	Web WebConfig

	Logger *slog.Logger

	// Signer is used to sign tokens.
	// NOTE(review): the signer's private key material is the root of trust for
	// every token this server issues; protect it accordingly.
	Signer signer.Signer

	PrometheusRegistry *prometheus.Registry

	HealthChecker gosundheit.Health

	// If enabled, the server will continue starting even if some connectors fail to initialize.
	// This allows the server to operate with a subset of connectors if some are misconfigured.
	// NOTE(review): with this set, a broken connector is only visible in the startup
	// logs; monitor them so a silently missing login option is noticed.
	ContinueOnConnectorFailure bool
}

Config holds the server's configuration options.

Multiple servers using the same storage are expected to be configured identically.

type Connector

// Connector is an opened connector together with resource version metadata.
type Connector struct {
	// ResourceVersion is the storage revision of the connector object this was
	// opened from; presumably used to detect that the stored connector has
	// changed since it was opened.
	ResourceVersion string
	// Connector is the live connector implementation.
	Connector       connector.Connector
}

Connector is a connector with resource version metadata.

type ConnectorConfig

// ConnectorConfig is a configuration that can open a connector.
//
// Every value in ConnectorsConfig implements it.
type ConnectorConfig interface {
	// Open instantiates the connector identified by id; logger receives the
	// connector's diagnostics. It returns an error if the configuration is invalid
	// or the connector cannot be initialised.
	Open(id string, logger *slog.Logger) (connector.Connector, error)
}

ConnectorConfig is a configuration that can open a connector.

type Introspection added in v1.9.0

// Introspection is the response body of the OAuth 2.0 token introspection
// endpoint as specified by RFC 7662. TokenUse indicates whether the
// introspected token was an access token or a refresh token.
//
// NOTE(review): RFC 7662 §2.1 requires the introspection endpoint itself to
// authenticate its caller; that is enforced by the handler, not by this type.
type Introspection struct {
	// Boolean indicator of whether or not the presented token
	// is currently active.  The specifics of a token's "active" state
	// will vary depending on the implementation of the authorization
	// server and the information it keeps about its tokens, but a "true"
	// value return for the "active" property will generally indicate
	// that a given token has been issued by this authorization server,
	// has not been revoked by the resource owner, and is within its
	// given time window of validity (e.g., after its issuance time and
	// before its expiration time).
	//
	// Consumers must check Active before trusting any other field: per
	// RFC 7662 §2.2 an inactive response carries no other meaningful claims.
	Active bool `json:"active"`

	// JSON string containing a space-separated list of
	// scopes associated with this token.
	Scope string `json:"scope,omitempty"`

	// Client identifier for the OAuth 2.0 client that
	// requested this token.
	ClientID string `json:"client_id"`

	// Subject of the token, as defined in JWT [RFC7519].
	// Usually a machine-readable identifier of the resource owner who
	// authorized this token.
	Subject string `json:"sub"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token will expire.
	Expiry int64 `json:"exp"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token was
	// originally issued.
	IssuedAt int64 `json:"iat"`

	// Integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token is not to be
	// used before.
	NotBefore int64 `json:"nbf"`

	// Human-readable identifier for the resource owner who
	// authorized this token.
	Username string `json:"username,omitempty"`

	// Service-specific string identifier or list of string
	// identifiers representing the intended audience for this token, as
	// defined in JWT. The audience type presumably marshals a single value as a
	// string and several as an array, as RFC 7519 permits — not visible here.
	Audience audience `json:"aud"`

	// String representing the issuer of this token, as
	// defined in JWT
	Issuer string `json:"iss"`

	// String identifier for the token, as defined in JWT [RFC7519].
	JwtTokenID string `json:"jti,omitempty"`

	// TokenType is the introspected token's type, typically `bearer`.
	TokenType string `json:"token_type"`

	// TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.
	TokenUse string `json:"token_use"`

	// Extra is arbitrary data set from the token claims.
	// See IntrospectionExtra for the identity claims it carries.
	Extra IntrospectionExtra `json:"ext,omitempty"`
}

Introspection is the token introspection response body defined by IETF RFC 7662 (https://tools.ietf.org/html/rfc7662). It is produced for both access and refresh tokens; TokenUse says which. Consumers must check Active before relying on any other field.

type IntrospectionExtra added in v1.9.0

// IntrospectionExtra carries the OpenID Connect identity claims that the server
// adds to an introspection response under the "ext" key, beyond the standard
// RFC 7662 fields.
type IntrospectionExtra struct {
	// AuthorizingParty is the "azp" claim: the client the token was issued to.
	AuthorizingParty string `json:"azp,omitempty"`

	// Email and EmailVerified mirror the OIDC standard claims. EmailVerified is a
	// pointer so that "not asserted" (nil) is distinguishable from false.
	// NOTE(review): resource servers should not link or match accounts by Email
	// unless EmailVerified is non-nil and true.
	Email         string `json:"email,omitempty"`
	EmailVerified *bool  `json:"email_verified,omitempty"`

	// Groups lists the subject's group memberships, presumably as reported by
	// the upstream connector.
	Groups []string `json:"groups,omitempty"`

	// Name and PreferredUsername are the OIDC profile claims of the subject.
	Name              string `json:"name,omitempty"`
	PreferredUsername string `json:"preferred_username,omitempty"`

	// FederatedIDClaims is the "federated_claims" object identifying the
	// upstream connector the subject came from; its fields are not visible here.
	FederatedIDClaims *federatedIDClaims `json:"federated_claims,omitempty"`
}

type RefreshTokenPolicy added in v0.8.0

// RefreshTokenPolicy governs refresh-token rotation and lifetime. Construct it
// with NewRefreshTokenPolicy; its methods (AllowedToReuse, CompletelyExpired,
// ExpiredBecauseUnused, RotationEnabled) evaluate a token's last-use time
// against the configured policy.
type RefreshTokenPolicy struct {
	// contains filtered or unexported fields
}

func NewRefreshTokenPolicy added in v0.8.0

func NewRefreshTokenPolicy(logger *slog.Logger, rotation bool, validIfNotUsedFor, absoluteLifetime, reuseInterval string) (*RefreshTokenPolicy, error)

func (*RefreshTokenPolicy) AllowedToReuse added in v0.8.0

func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool

func (*RefreshTokenPolicy) CompletelyExpired added in v0.8.0

func (r *RefreshTokenPolicy) CompletelyExpired(lastUsed time.Time) bool

func (*RefreshTokenPolicy) ExpiredBecauseUnused added in v0.8.0

func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool

func (*RefreshTokenPolicy) RotationEnabled added in v0.8.0

func (r *RefreshTokenPolicy) RotationEnabled() bool

type Server

// Server is the top level object. It is built by NewServer from a Config and
// serves the OpenID Connect endpoints as an http.Handler via ServeHTTP.
type Server struct {
	// contains filtered or unexported fields
}

Server is the top-level object; it implements http.Handler via ServeHTTP and is constructed from a Config by NewServer.

func NewServer

func NewServer(ctx context.Context, c Config) (*Server, error)

NewServer constructs a server from the provided config.

func (*Server) OpenConnector

func (s *Server) OpenConnector(conn storage.Connector) (Connector, error)

OpenConnector updates the server's connector map with the specified connector object and returns the resulting Connector, or an error if it could not be opened.

func (*Server) ServeHTTP

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)

type TokenTypeEnum added in v1.9.0

// TokenTypeEnum distinguishes the kinds of token the server issues and introspects.
type TokenTypeEnum int
// The supported token types. String renders them, presumably as the
// Introspection.TokenUse values — confirm against String().
const (
	AccessToken TokenTypeEnum = iota
	RefreshToken
)

func (TokenTypeEnum) String added in v1.9.0

func (t TokenTypeEnum) String() string

type WebConfig

// WebConfig holds the server's frontend templates and asset configuration.
type WebConfig struct {
	// A file path to static web assets.
	//
	// It is expected to contain the following directories:
	//
	//   * static - Static assets served at "( issuer URL )/static".
	//   * templates - HTML templates controlled by dex.
	//   * themes/(theme) - Static assets served at "( issuer URL )/theme".
	//
	// NOTE(review): the static and themes directories are publicly served; do not
	// place anything under them that should not be world-readable.
	Dir string

	// Alternative way to programmatically configure static web assets.
	// If Dir is specified, WebFS is ignored.
	// It's expected to contain the same files and directories as mentioned above.
	//
	// Note: this is experimental. Might get removed without notice!
	WebFS fs.FS

	// Defaults to "( issuer URL )/theme/logo.png"
	LogoURL string

	// Issuer is the display name shown in the templates. Defaults to "dex".
	Issuer string

	// Defaults to "light"
	Theme string

	// Map of extra values passed into the templates.
	// NOTE(review): how these are escaped depends on the template engine used;
	// treat the values as operator-controlled and confirm escaping before placing
	// anything user-derived here.
	Extra map[string]string
}

WebConfig holds the server's frontend templates and asset configuration.
