oidc

package v7.10.0

Published: May 3, 2026 License: GPL-3.0 Imports: 22 Imported by: 0

Documentation

Overview

Package oidc implements OIDC authentication for Kubernetes clusters. It provides a native exec credential plugin that replaces kubelogin, using the authorization code flow with PKCE for secure token acquisition.

Index

Constants

This section is empty.

Variables

var ErrAuthenticationFailed = errors.New("OIDC authentication failed")

ErrAuthenticationFailed is returned when the OIDC authentication flow fails.

var ErrUnsupportedPlatform = errors.New("unsupported platform")

ErrUnsupportedPlatform is returned when the runtime OS is not supported for browser opening.

Functions

func CacheDir

func CacheDir() (string, error)

CacheDir returns the default token cache directory. Returns an error if the user's home directory cannot be determined.

func CacheKey

func CacheKey(issuerURL, clientID string, scopes []string) string

CacheKey generates a deterministic cache key from the OIDC parameters. Scopes are sorted to ensure consistent keys regardless of input order. Fields are separated with null bytes to prevent collision between adjacent values.
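As an added illustration (not the package's own code), a key derivation with the two properties described above, sorted scopes and NUL-separated fields, placed beside the plain concatenation it guards against. The SHA-256 hashing, the hex encoding and the function names are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// cacheKey derives a deterministic key from the OIDC parameters (illustrative,
// not the package's implementation). Scopes are copied and sorted so that the
// key does not depend on input order; fields are joined with NUL bytes so that
// adjacent values cannot run together and produce the same digest.
func cacheKey(issuerURL, clientID string, scopes []string) string {
	sorted := append([]string(nil), scopes...)
	sort.Strings(sorted)
	parts := append([]string{issuerURL, clientID}, sorted...)
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

// naiveCacheKey shows the failure mode the separator prevents: with plain
// concatenation, different (issuerURL, clientID) pairs yield one key, so a
// token cached for one client could be served for another.
func naiveCacheKey(issuerURL, clientID string, scopes []string) string {
	sorted := append([]string(nil), scopes...)
	sort.Strings(sorted)
	sum := sha256.Sum256([]byte(issuerURL + clientID + strings.Join(sorted, "")))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample values; the two pairs differ only in where the
	// issuer/client boundary falls.
	scopes := []string{"openid", "groups", "email"}
	fmt.Println("order-independent:",
		cacheKey("https://issuer.example", "kube", scopes) ==
			cacheKey("https://issuer.example", "kube", []string{"email", "openid", "groups"}))
	fmt.Println("naive collides:",
		naiveCacheKey("https://issuer.examplea", "b", nil) == naiveCacheKey("https://issuer.example", "ab", nil))
	fmt.Println("delimited collides:",
		cacheKey("https://issuer.examplea", "b", nil) == cacheKey("https://issuer.example", "ab", nil))
}
```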

func ExecCredentialJSON

func ExecCredentialJSON(idToken string, expiry time.Time) ([]byte, error)

ExecCredentialJSON generates the ExecCredential JSON output for kubectl.

func SaveCachedToken

func SaveCachedToken(cacheDir, key string, token *TokenResult) error

SaveCachedToken persists a token result to the cache directory.

Types

type Authenticator

type Authenticator struct {
	IssuerURL   string
	ClientID    string
	ExtraScopes []string
	CAFile      string
}

Authenticator handles the OIDC authorization code flow with PKCE.

func (*Authenticator) Authenticate

func (a *Authenticator) Authenticate(ctx context.Context) (*TokenResult, error)

Authenticate performs the OIDC authorization code flow with PKCE. It starts a local HTTP server, opens the browser to the OIDC provider, and waits for the callback with the authorization code.

func (*Authenticator) RefreshToken

func (a *Authenticator) RefreshToken(
	ctx context.Context,
	refreshToken string,
) (*TokenResult, error)

RefreshToken attempts to refresh an expired token using the refresh token.

type CachedToken

type CachedToken struct {
	IDToken      string    `json:"idToken"`
	RefreshToken string    `json:"refreshToken,omitempty"`
	Expiry       time.Time `json:"expiry"`
}

CachedToken represents a cached OIDC token on disk.

func LoadCachedToken

func LoadCachedToken(cacheDir, key string) *CachedToken

LoadCachedToken loads a cached token from disk. Returns nil if no cached token exists or it cannot be read.

type TokenResult

type TokenResult struct {
	IDToken      string    `json:"idToken"`
	RefreshToken string    `json:"refreshToken,omitempty"`
	Expiry       time.Time `json:"expiry"`
}

TokenResult holds the tokens returned by the OIDC provider.
