tokenexchange

package

v0.29.21 Latest Latest Go to latest Published: Apr 2, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/deckhouse/deckhouse-cli

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
type Client
- func NewClient(cfg *Config) (*Client, error)
- func (c *Client) Exchange() (*Response, error)
type Config
- func (c *Config) Validate() error
type ErrorResponse
type Response

Constants ¶

View Source

const (
	// OAuth 2.0 Token Exchange grant type (RFC 8693)
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"

	// Token types
	TokenTypeIDToken     = "urn:ietf:params:oauth:token-type:id_token"
	TokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token"

	// Default scope for Kubernetes access
	DefaultScope = "openid profile email groups audience:server:client_id:kubernetes"

	// HTTP client timeout
	DefaultTimeout = 30 * time.Second
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Client ¶

type Client struct {
	// contains filtered or unexported fields
}

Client performs token exchange operations with Dex.

func NewClient ¶

func NewClient(cfg *Config) (*Client, error)

NewClient creates a new token exchange client with the given configuration.

func (*Client) Exchange ¶

func (c *Client) Exchange() (*Response, error)

Exchange performs the token exchange and returns the response.

type Config ¶

type Config struct {
	// DexURL is the base URL of the Dex server (e.g., https://dex.example.com)
	DexURL string

	// ClientID is the OAuth2 client ID registered in Dex
	ClientID string

	// ClientSecret is the OAuth2 client secret
	ClientSecret string

	// SubjectToken is the token from the IdP to exchange
	SubjectToken string

	// SubjectTokenType is the type of the subject token (id_token or access_token)
	SubjectTokenType string

	// ConnectorID is the Dex connector identifier
	ConnectorID string

	// Scope is the OAuth2 scope for the requested token
	Scope string

	// RequestedTokenType is the type of token to request (id_token or access_token)
	RequestedTokenType string

	// InsecureSkipVerify skips TLS certificate verification
	InsecureSkipVerify bool

	// CAFile is the path to a CA certificate file for TLS verification
	CAFile string
}

Config holds the configuration for token exchange request.

func (*Config) Validate ¶

func (c *Config) Validate() error

Validate checks that all required configuration fields are set.

type ErrorResponse ¶

type ErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

ErrorResponse represents an OAuth2 error response. See RFC 6749 Section 5.2: https://www.rfc-editor.org/rfc/rfc6749#section-5.2

type Response ¶

type Response struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

Response represents the token exchange response from Dex. See RFC 8693 Section 2.2.1: https://www.rfc-editor.org/rfc/rfc8693.html#section-2.2.1

Source Files ¶

View all Source files

tokenexchange.go

Directories ¶

Path	Synopsis
cmd

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL