package auth

v0.4.1
Published: Apr 18, 2026 License: MIT Imports: 31 Imported by: 0

Documentation

Overview

Package auth provides utilities for authenticating requests.

Authentication is delegated to an identity provider, which is responsible for verifying the identity of the client and returning an identity token. The identity token is then signed and returned to the client as a JWT — either as a cookie or in the response.

The client then uses the cookie, or token, to authenticate future requests.

Identity Providers should implement the LoginHandler interface, and register it with AddLoginHandler. This will hook the provider into the Login endpoint and allow it to handle login requests.

See the google or magiclink example for a complete demonstration of how to use this package.

Constants

const (
	LoginEvent      = "auth.login"
	LogoutEvent     = "auth.logout"
	DelegationEvent = "auth.delegation"
)
const (
	AuthService_Login_FullMethodName          = "/prefab.auth.AuthService/Login"
	AuthService_Logout_FullMethodName         = "/prefab.auth.AuthService/Logout"
	AuthService_Identity_FullMethodName       = "/prefab.auth.AuthService/Identity"
	AuthService_AssumeIdentity_FullMethodName = "/prefab.auth.AuthService/AssumeIdentity"
)
const (
	// DelegationAction is the authz action required to assume identities.
	// When using the authz plugin, admins must be granted this action to use AssumeIdentity.
	DelegationAction = "auth.assume_identity"

	// DelegationResource is a synthetic resource type for delegation authorization.
	// Used with authz plugin to check if a user has permission to assume identities.
	DelegationResource = "auth:delegation"
)
const IdentityTokenCookieName = "pf-id"

Cookie name used for storing the prefab identity token.

const PluginName = "auth"

Constant name for identifying the core auth plugin.

Variables

var (
	// No identity was found within the incoming context.
	ErrNotFound = errors.NewC("identity not found", codes.Unauthenticated)

	// The token's expiration date was in the past.
	ErrExpired = errors.NewC("token has expired", codes.Unauthenticated)

	// The token was not signed correctly.
	ErrInvalidToken = errors.NewC("token is invalid", codes.InvalidArgument)

	// Invalid authorization header.
	ErrInvalidHeader = errors.NewC("bad authorization header", codes.InvalidArgument)

	// Identity token has been revoked or blocked.
	ErrRevoked = errors.NewC("token has been revoked", codes.Unauthenticated)
)
var AuthService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "prefab.auth.AuthService",
	HandlerType: (*AuthServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Login",
			Handler:    _AuthService_Login_Handler,
		},
		{
			MethodName: "Logout",
			Handler:    _AuthService_Logout_Handler,
		},
		{
			MethodName: "Identity",
			Handler:    _AuthService_Identity_Handler,
		},
		{
			MethodName: "AssumeIdentity",
			Handler:    _AuthService_AssumeIdentity_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "plugins/auth/authservice.proto",
}

AuthService_ServiceDesc is the grpc.ServiceDesc for the AuthService service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

var File_plugins_auth_authservice_proto protoreflect.FileDescriptor

Functions

func GetDelegator added in v0.4.0

func GetDelegator(identity Identity) (sub, provider, sessionID string, ok bool)

GetDelegator returns the original admin's details when an identity has been delegated. Returns ok=false if the identity is not delegated.

func IdentityToken

func IdentityToken(ctx context.Context, identity Identity) (string, error)

IdentityToken creates a signed JWT for the given identity.

func IsBlocked

func IsBlocked(ctx context.Context, key string) (bool, error)

IsBlocked checks if a token is blocked.

func IsDelegated added in v0.4.0

func IsDelegated(identity Identity) bool

IsDelegated returns true if the identity was assumed by an admin user.

func MaybeBlock

func MaybeBlock(ctx context.Context, key string) error

MaybeBlock adds a token to the blocklist if a blocklist is present in the context.

func RegisterAuthServiceHandler

func RegisterAuthServiceHandler(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error

RegisterAuthServiceHandler registers the http handlers for service AuthService to "mux". The handlers forward requests to the grpc endpoint over "conn".

func RegisterAuthServiceHandlerClient

func RegisterAuthServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux, client AuthServiceClient) error

RegisterAuthServiceHandlerClient registers the http handlers for service AuthService to "mux". The handlers forward requests to the grpc endpoint over the given implementation of "AuthServiceClient". Note: the gRPC framework executes interceptors within the gRPC handler. If the passed in "AuthServiceClient" doesn't go through the normal gRPC flow (creating a gRPC client etc.) then it will be up to the passed in "AuthServiceClient" to call the correct interceptors. This client ignores the HTTP middlewares.

func RegisterAuthServiceHandlerFromEndpoint

func RegisterAuthServiceHandlerFromEndpoint(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) (err error)

RegisterAuthServiceHandlerFromEndpoint is the same as RegisterAuthServiceHandler but automatically dials "endpoint" and closes the connection when "ctx" is done.

func RegisterAuthServiceHandlerServer

func RegisterAuthServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux, server AuthServiceServer) error

RegisterAuthServiceHandlerServer registers the http handlers for service AuthService to "mux". UnaryRPC: calls AuthServiceServer directly. StreamingRPC: currently unsupported pending https://github.com/grpc/grpc-go/issues/906. Note that using this registration option will cause many gRPC library features to stop working. Consider using RegisterAuthServiceHandlerFromEndpoint instead. gRPC interceptors will not work for this type of registration. To use interceptors, you must use the "runtime.With
Middlewares" option in the "runtime.NewServeMux" call.

func RegisterAuthServiceServer

func RegisterAuthServiceServer(s grpc.ServiceRegistrar, srv AuthServiceServer)

func SendIdentityCookie

func SendIdentityCookie(ctx context.Context, token string) error

SendIdentityCookie attaches the token to the outgoing GRPC metadata such that it will be propagated as a `Set-Cookie` HTTP header by the Gateway.

func SigningKeyFromContext added in v0.4.0

func SigningKeyFromContext(ctx context.Context) []byte

SigningKeyFromContext returns the JWT signing key from context. This is exported for use by plugins that need to create their own tokens.

func WithBlockist

func WithBlockist(ctx context.Context, bl Blocklist) context.Context

WithBlockist adds a blocklist to the context.

func WithIdentityExtractors

func WithIdentityExtractors(ctx context.Context, providers ...IdentityExtractor) context.Context

WithIdentityExtractors attaches a list of identity providers to the context.

func WithIdentityExtractorsForTest

func WithIdentityExtractorsForTest(ctx context.Context) context.Context

WithIdentityExtractorsForTest returns a context with the default identity extractors attached. This is useful for testing, where we want to simulate a request with a given identity.

func WithIdentityForTest

func WithIdentityForTest(ctx context.Context, identity Identity) context.Context

WithIdentityForTest creates a new context with the given identity attached. This is useful for testing, where we want to simulate a request with a given identity.

Types

type AdminChecker added in v0.4.0

type AdminChecker func(ctx context.Context, identity Identity) (bool, error)

AdminChecker is a function that determines if an identity has admin privileges for identity delegation. This is used as a fallback when the authz plugin is not available, or can be provided as a custom implementation.

When the authz plugin is available, an AdminChecker is automatically created that wraps the authz.Authorize method to check for the DelegationAction permission.

Return true if the identity is an admin, false otherwise. Return an error if the check cannot be completed.

type AssumeIdentityRequest added in v0.4.0

type AssumeIdentityRequest struct {

	// Target user's identity provider (e.g., "google")
	Provider string `protobuf:"bytes,1,opt,name=provider,proto3" json:"provider,omitempty"`
	// Target user's subject identifier
	Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"`
	// Reason for assuming this identity (required for audit trail)
	Reason string `protobuf:"bytes,3,opt,name=reason,proto3" json:"reason,omitempty"`
	// contains filtered or unexported fields
}

Request to assume another user's identity.

func (*AssumeIdentityRequest) Descriptor deprecated added in v0.4.0

func (*AssumeIdentityRequest) Descriptor() ([]byte, []int)

Deprecated: Use AssumeIdentityRequest.ProtoReflect.Descriptor instead.

func (*AssumeIdentityRequest) GetProvider added in v0.4.0

func (x *AssumeIdentityRequest) GetProvider() string

func (*AssumeIdentityRequest) GetReason added in v0.4.0

func (x *AssumeIdentityRequest) GetReason() string

func (*AssumeIdentityRequest) GetSubject added in v0.4.0

func (x *AssumeIdentityRequest) GetSubject() string

func (*AssumeIdentityRequest) ProtoMessage added in v0.4.0

func (*AssumeIdentityRequest) ProtoMessage()

func (*AssumeIdentityRequest) ProtoReflect added in v0.4.0

func (x *AssumeIdentityRequest) ProtoReflect() protoreflect.Message

func (*AssumeIdentityRequest) Reset added in v0.4.0

func (x *AssumeIdentityRequest) Reset()

func (*AssumeIdentityRequest) String added in v0.4.0

func (x *AssumeIdentityRequest) String() string

type AssumeIdentityResponse added in v0.4.0

type AssumeIdentityResponse struct {

	// JWT token with the assumed identity and delegation metadata
	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
	// contains filtered or unexported fields
}

Response containing the delegated identity token.

func (*AssumeIdentityResponse) Descriptor deprecated added in v0.4.0

func (*AssumeIdentityResponse) Descriptor() ([]byte, []int)

Deprecated: Use AssumeIdentityResponse.ProtoReflect.Descriptor instead.

func (*AssumeIdentityResponse) GetToken added in v0.4.0

func (x *AssumeIdentityResponse) GetToken() string

func (*AssumeIdentityResponse) ProtoMessage added in v0.4.0

func (*AssumeIdentityResponse) ProtoMessage()

func (*AssumeIdentityResponse) ProtoReflect added in v0.4.0

func (x *AssumeIdentityResponse) ProtoReflect() protoreflect.Message

func (*AssumeIdentityResponse) Reset added in v0.4.0

func (x *AssumeIdentityResponse) Reset()

func (*AssumeIdentityResponse) String added in v0.4.0

func (x *AssumeIdentityResponse) String() string

type AuthEvent

type AuthEvent struct {
	Identity  Identity
	Timestamp time.Time // When the event occurred
}

AuthEvent is an event that is emitted when an authentication event occurs.

func NewAuthEvent added in v0.4.0

func NewAuthEvent(identity Identity) AuthEvent

NewAuthEvent creates an AuthEvent with the current timestamp.

type AuthOption

type AuthOption func(*AuthPlugin)

AuthOption allows configuration of the AuthPlugin.

func WithAdminChecker added in v0.4.0

func WithAdminChecker(checker AdminChecker) AuthOption

WithAdminChecker configures a custom function to check if an identity has admin privileges for delegation. This is used as a fallback when the authz plugin is not available. If neither authz plugin nor admin checker is configured, all delegation requests will fail.

func WithBlocklist

func WithBlocklist(bl Blocklist) AuthOption

WithBlocklist configures a custom blocklist to use for token revocation. Tokens can be revoked by application code and will be revoked during Logout. The blocklist is checked during token validation.

func WithDelegationEnabled added in v0.4.0

func WithDelegationEnabled(enabled bool) AuthOption

WithDelegationEnabled enables or disables identity delegation (admin assume user).

func WithDelegationExpiration added in v0.4.0

func WithDelegationExpiration(expiration time.Duration) AuthOption

WithDelegationExpiration sets a custom expiration duration for delegated tokens. If not set, delegated tokens use the same expiration as regular tokens (auth.expiration). It's recommended to use shorter durations for delegated tokens (e.g., 1h) for security.

func WithDelegationRequireReason added in v0.4.0

func WithDelegationRequireReason(required bool) AuthOption

WithDelegationRequireReason sets whether a reason is required for delegation. Defaults to true for security and audit purposes.

func WithExpiration

func WithExpiration(expiration time.Duration) AuthOption

WithExpiration sets the expiration to use when signing JWT tokens.

func WithIdentityValidator added in v0.4.0

func WithIdentityValidator(validator IdentityValidator) AuthOption

WithIdentityValidator configures a custom validation function that checks if a target identity exists and is valid before allowing delegation. This allows applications to prevent delegation to non-existent or suspended users.

func WithSigningKey

func WithSigningKey(signingKey string) AuthOption

WithSigningKey sets the signing key to use when signing JWT tokens.

type AuthPlugin

type AuthPlugin struct {
	// contains filtered or unexported fields
}

AuthPlugin exposes plugin interfaces that register and manage the AuthService and related functionality.

func Plugin

func Plugin(opts ...AuthOption) *AuthPlugin

Plugin returns a new AuthPlugin.

func (*AuthPlugin) AddIdentityExtractor

func (ap *AuthPlugin) AddIdentityExtractor(provider IdentityExtractor)

AddIdentityExtractor can be called by other plugins to register identity extractors which will be used to authenticate requests.

The AuthPlugin assumes that any identity returned by an extractor has been verified, and will not perform any additional verification. Extractors should return ErrNotFound if no identity is observed.

func (*AuthPlugin) AddLoginHandler

func (ap *AuthPlugin) AddLoginHandler(provider string, h LoginHandler)

AddLoginHandler can be called by other plugins to register login handlers.

func (*AuthPlugin) Init

func (ap *AuthPlugin) Init(ctx context.Context, r *prefab.Registry) error

From prefab.InitializablePlugin.

func (*AuthPlugin) Name

func (ap *AuthPlugin) Name() string

From prefab.Plugin.

func (*AuthPlugin) OptDeps

func (ap *AuthPlugin) OptDeps() []string

From prefab.OptionalDependentPlugin.

func (*AuthPlugin) PrependIdentityExtractor added in v0.4.0

func (ap *AuthPlugin) PrependIdentityExtractor(provider IdentityExtractor)

PrependIdentityExtractor inserts an extractor at the front of the chain, giving it priority over the default JWT-header and cookie extractors. Use this when the extractor has authoritative knowledge about a credential scheme it can recognize — e.g., an OAuth plugin that should definitively accept or reject opaque bearer tokens rather than letting the request fall through to cookie-based authentication when the bearer is invalid.

func (*AuthPlugin) ServerOptions

func (ap *AuthPlugin) ServerOptions() []prefab.ServerOption

From prefab.OptionProvider.

type AuthServiceClient

type AuthServiceClient interface {
	// Login allows a client to provide credentials which can be used to
	// authenticate the client's identity. POST is preferred, some providers need
	// credentials to be passed as GET.
	Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error)
	// Logout clears the prefab id cookie. It should be noted that by default the
	// identity token will remain valid until its expiry. Token invalidation is
	// supported via the addition of a blocklist.
	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
	// Identity returns information about the authenticated user.
	Identity(ctx context.Context, in *IdentityRequest, opts ...grpc.CallOption) (*IdentityResponse, error)
	// AssumeIdentity allows admin users to assume another user's identity.
	// Requires delegation to be enabled and the caller to have admin privileges.
	AssumeIdentity(ctx context.Context, in *AssumeIdentityRequest, opts ...grpc.CallOption) (*AssumeIdentityResponse, error)
}

AuthServiceClient is the client API for AuthService service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

type AuthServiceServer

type AuthServiceServer interface {
	// Login allows a client to provide credentials which can be used to
	// authenticate the client's identity. POST is preferred, some providers need
	// credentials to be passed as GET.
	Login(context.Context, *LoginRequest) (*LoginResponse, error)
	// Logout clears the prefab id cookie. It should be noted that by default the
	// identity token will remain valid until its expiry. Token invalidation is
	// supported via the addition of a blocklist.
	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
	// Identity returns information about the authenticated user.
	Identity(context.Context, *IdentityRequest) (*IdentityResponse, error)
	// AssumeIdentity allows admin users to assume another user's identity.
	// Requires delegation to be enabled and the caller to have admin privileges.
	AssumeIdentity(context.Context, *AssumeIdentityRequest) (*AssumeIdentityResponse, error)
	// contains filtered or unexported methods
}

AuthServiceServer is the server API for AuthService service. All implementations must embed UnimplementedAuthServiceServer for forward compatibility.

func New

func New() AuthServiceServer

type AuthorizeParams added in v0.4.0

type AuthorizeParams struct {
	// ObjectKey identifies the type of resource (e.g., "auth:delegation")
	ObjectKey string

	// ObjectID is the specific resource instance, if applicable
	ObjectID any

	// Scope limits the authorization check to a specific scope
	Scope string

	// Action is the operation being performed (e.g., "auth.assume_identity")
	Action string

	// DefaultEffect specifies what to do if no policy matches (0=Deny, 1=Allow)
	DefaultEffect int

	// Info provides additional context for logging/debugging
	Info string
}

AuthorizeParams mirrors authz.AuthorizeParams to avoid import cycle. This struct is passed to Authorizer.Authorize() for delegation permission checks.

When checking delegation permissions, use:

  • ObjectKey: DelegationResource ("auth:delegation")
  • Action: DelegationAction ("auth.assume_identity")
  • DefaultEffect: 0 (Deny - fail closed)

type Authorizer added in v0.4.0

type Authorizer interface {
	// Authorize checks if the current user (from context) has permission to perform
	// the specified action on the specified resource.
	//
	// The params argument should be an AuthorizeParams struct. It's declared as any
	// to avoid import cycles between auth and authz plugins.
	//
	// Returns nil if authorized, or an error with codes.PermissionDenied if denied.
	Authorize(ctx context.Context, params any) error
}

Authorizer is an interface for authorization plugins that can verify permissions. This allows the auth plugin to use the authz plugin for delegation authorization without creating an import cycle.

The authz plugin implements this interface, allowing the auth plugin to check if a user has permission to assume other identities.

type BlockedToken

type BlockedToken struct {
	Key string
}

BlockedToken is a model for storing blocked tokens.

func (*BlockedToken) PK

func (bt *BlockedToken) PK() string

Implements storage.Model.

type Blocklist

type Blocklist interface {
	// IsBlocked checks if a token with the given key is blocked.
	IsBlocked(ctx context.Context, key string) (bool, error)

	// Block adds a token to the blocklist. Key can be the token itself or a
	// unique ID.
	Block(ctx context.Context, key string) error
}

Blocklist is an interface for managing blocked tokens. By default identity tokens are valid until they expire. This interface allows applications to block tokens before they expire.

All methods accept a context.Context as the first parameter to enable proper cancellation, timeout, and tracing support through to the underlying storage.

func NewBlocklist

func NewBlocklist(store storage.Store) Blocklist

NewBlocklist creates a basic implementation of the blocklist interface, backed via a storage.Store.

type Claims

type Claims struct {
	// Standard public JWT claims per https://www.iana.org/assignments/jwt/jwt.xhtml
	jwt.RegisteredClaims
	Name          string           `json:"name"`
	Email         string           `json:"email"`
	EmailVerified bool             `json:"email_verified"`
	AuthTime      *jwt.NumericDate `json:"auth_time,omitempty"`

	// Custom claims.
	Provider string `json:"idp"`

	// Delegation claims (optional, only present when identity was assumed).
	DelegatorSub       string `json:"delegator_sub,omitempty"`
	DelegatorProvider  string `json:"delegator_provider,omitempty"`
	DelegatorSessionID string `json:"delegator_session_id,omitempty"`
	DelegationReason   string `json:"delegation_reason,omitempty"`
	DelegatedAt        int64  `json:"delegated_at,omitempty"`
}

Claims registered as part of a prefab identity token.

func (*Claims) Validate

func (c *Claims) Validate() error
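An added example, not code from the prefab package, showing a token with this claim layout being signed, parsed, and checked against a blocklist during validation as the Blocklist, WithBlocklist and MaybeBlock entries describe. Claims is a local copy with the registered claims inlined, memBlocklist is an in-memory stand-in for the storage.Store-backed NewBlocklist, and sign/parse stand in for IdentityToken/ParseIdentityToken (all assumptions); the key, session id and claim values are constructed.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims follows the page's layout with the registered claims inlined (a local
// copy, assumption: the real type embeds jwt.RegisteredClaims).
type Claims struct {
	Subject      string `json:"sub"`
	ID           string `json:"jti"`
	ExpiresAt    int64  `json:"exp"`
	Provider     string `json:"idp"`
	DelegatorSub string `json:"delegator_sub,omitempty"`
}

var (
	ErrExpired      = errors.New("token has expired")
	ErrInvalidToken = errors.New("token is invalid")
	ErrRevoked      = errors.New("token has been revoked")
)

// Blocklist mirrors the page's interface; memBlocklist is a single-goroutine
// stand-in for the storage.Store-backed NewBlocklist.
type Blocklist interface {
	IsBlocked(ctx context.Context, key string) (bool, error)
	Block(ctx context.Context, key string) error
}

type memBlocklist map[string]struct{}

func (m memBlocklist) IsBlocked(_ context.Context, key string) (bool, error) { _, ok := m[key]; return ok, nil }
func (m memBlocklist) Block(_ context.Context, key string) error           { m[key] = struct{}{}; return nil }

var b64 = base64.RawURLEncoding

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// sign produces an HS256 JWT for the claims (stand-in for IdentityToken).
func sign(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hs256(key, input)), nil
}

// parse checks signature, then expiry, then the blocklist (stand-in for ParseIdentityToken
// with a blocklist in the context). The blocklist key is the jti, so Logout revokes one session.
func parse(ctx context.Context, key []byte, bl Blocklist, tok string, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, ErrInvalidToken
	}
	// The verifier pins HS256; the token's own "alg" header never selects the algorithm.
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, ErrInvalidToken
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return Claims{}, ErrInvalidToken
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, ErrInvalidToken
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return Claims{}, ErrExpired
	}
	if bl != nil {
		if blocked, err := bl.IsBlocked(ctx, c.ID); err != nil {
			return Claims{}, err
		} else if blocked {
			return Claims{}, ErrRevoked
		}
	}
	return c, nil
}

func main() {
	ctx, key, bl, now := context.Background(), []byte("constructed-demo-key"), memBlocklist{}, time.Now()
	tok, _ := sign(key, Claims{Subject: "walt", ID: "sess-1", Provider: "magiclink", ExpiresAt: now.Add(time.Hour).Unix()})
	_, before := parse(ctx, key, bl, tok, now)
	_ = bl.Block(ctx, "sess-1") // what Logout does when a blocklist is configured
	_, after := parse(ctx, key, bl, tok, now)
	fmt.Println("before logout:", before, "| after logout:", after)
}
```

The order inside parse matters: the signature is verified before any claim is read, so a tampered payload or a token with a different "alg" header never reaches the expiry or blocklist checks, and blocking by jti means a Logout entry stays small and survives token refreshes that keep the same session id.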

type ConfigRequest

type ConfigRequest struct {
	// contains filtered or unexported fields
}

Empty request object.

func (*ConfigRequest) Descriptor deprecated

func (*ConfigRequest) Descriptor() ([]byte, []int)

Deprecated: Use ConfigRequest.ProtoReflect.Descriptor instead.

func (*ConfigRequest) ProtoMessage

func (*ConfigRequest) ProtoMessage()

func (*ConfigRequest) ProtoReflect

func (x *ConfigRequest) ProtoReflect() protoreflect.Message

func (*ConfigRequest) Reset

func (x *ConfigRequest) Reset()

func (*ConfigRequest) String

func (x *ConfigRequest) String() string

type ConfigResponse

type ConfigResponse struct {

	// Token that should be used in non-XHR requests to avoid cross-site request
	// forgery attacks.
	CsrfToken string `protobuf:"bytes,1,opt,name=csrf_token,json=csrfToken,proto3" json:"csrf_token,omitempty"`
	// A map of key-value pairs configured by available auth plugins, for example
	// google.client_id.
	Configs map[string]string `` /* 141-byte string literal not displayed */
	// contains filtered or unexported fields
}

Configuration information to help clients facilitate login.

func (*ConfigResponse) Descriptor deprecated

func (*ConfigResponse) Descriptor() ([]byte, []int)

Deprecated: Use ConfigResponse.ProtoReflect.Descriptor instead.

func (*ConfigResponse) GetConfigs

func (x *ConfigResponse) GetConfigs() map[string]string

func (*ConfigResponse) GetCsrfToken

func (x *ConfigResponse) GetCsrfToken() string

func (*ConfigResponse) ProtoMessage

func (*ConfigResponse) ProtoMessage()

func (*ConfigResponse) ProtoReflect

func (x *ConfigResponse) ProtoReflect() protoreflect.Message

func (*ConfigResponse) Reset

func (x *ConfigResponse) Reset()

func (*ConfigResponse) String

func (x *ConfigResponse) String() string

type DelegationEventData added in v0.4.0

type DelegationEventData struct {
	// The admin user who is assuming the identity
	Admin Identity

	// The identity that was assumed (includes delegation metadata)
	AssumedIdentity Identity

	// Reason provided for the delegation
	Reason string
}

DelegationEventData is emitted when an admin assumes another user's identity.

type DelegationInfo added in v0.4.0

type DelegationInfo struct {

	// Original admin's subject identifier (e.g., "google123")
	DelegatorSub string `protobuf:"bytes,1,opt,name=delegator_sub,json=delegatorSub,proto3" json:"delegator_sub,omitempty"`
	// Original admin's identity provider (e.g., "google")
	DelegatorProvider string `protobuf:"bytes,2,opt,name=delegator_provider,json=delegatorProvider,proto3" json:"delegator_provider,omitempty"`
	// Original admin's session ID (jti claim)
	DelegatorSessionId string `protobuf:"bytes,3,opt,name=delegator_session_id,json=delegatorSessionId,proto3" json:"delegator_session_id,omitempty"`
	// Reason provided for the delegation (e.g., "support-case-873")
	Reason string `protobuf:"bytes,4,opt,name=reason,proto3" json:"reason,omitempty"`
	// Timestamp when the delegation occurred (Unix timestamp in seconds)
	DelegatedAt int64 `protobuf:"varint,5,opt,name=delegated_at,json=delegatedAt,proto3" json:"delegated_at,omitempty"`
	// contains filtered or unexported fields
}

Metadata about identity delegation when an admin assumes another user's identity.

func (*DelegationInfo) Descriptor deprecated added in v0.4.0

func (*DelegationInfo) Descriptor() ([]byte, []int)

Deprecated: Use DelegationInfo.ProtoReflect.Descriptor instead.

func (*DelegationInfo) GetDelegatedAt added in v0.4.0

func (x *DelegationInfo) GetDelegatedAt() int64

func (*DelegationInfo) GetDelegatorProvider added in v0.4.0

func (x *DelegationInfo) GetDelegatorProvider() string

func (*DelegationInfo) GetDelegatorSessionId added in v0.4.0

func (x *DelegationInfo) GetDelegatorSessionId() string

func (*DelegationInfo) GetDelegatorSub added in v0.4.0

func (x *DelegationInfo) GetDelegatorSub() string

func (*DelegationInfo) GetReason added in v0.4.0

func (x *DelegationInfo) GetReason() string

func (*DelegationInfo) ProtoMessage added in v0.4.0

func (*DelegationInfo) ProtoMessage()

func (*DelegationInfo) ProtoReflect added in v0.4.0

func (x *DelegationInfo) ProtoReflect() protoreflect.Message

func (*DelegationInfo) Reset added in v0.4.0

func (x *DelegationInfo) Reset()

func (*DelegationInfo) String added in v0.4.0

func (x *DelegationInfo) String() string

type Identity

type Identity struct {

	// Unique identifier for the session that authenticated the identity. Maps to
	// the `jti` JWT claim.
	SessionID string

	// The time at which the identity was authenticated. Maps to `auth_time` JWT
	// claim. May differ from IssuedAt if a token is refreshed.
	AuthTime time.Time

	// Identity provider specific identifier. Maps to `sub` JWT claim.
	Subject string

	// Name of the identity provider used to authenticate the user. Maps to custom
	// `idp` JWT claim.
	Provider string

	// The email address received from the identity provider, if available. Maps
	// to `email` JWT claim.
	Email string

	// Whether the identity provider has verified the email address. Maps to
	// `email_verified` JWT claim.
	EmailVerified bool

	// Name received from the identity provider, if available. Maps to `name` JWT
	// claim.
	Name string

	// Delegation contains metadata when this identity was assumed by an admin user.
	// If nil, this is a normal (non-delegated) identity.
	Delegation *DelegationInfo
}

func IdentityFromContext

func IdentityFromContext(ctx context.Context) (Identity, error)

IdentityFromContext parses and verifies a JWT received from the incoming request context (including GRPC metadata). An `Authorization` header takes precedence over a `Cookie`, which in turn takes precedence over other identity extractors.

func ParseIdentityToken

func ParseIdentityToken(ctx context.Context, tokenString string) (Identity, error)

ParseIdentityToken takes a signed JWT, validates it, and returns the identity information encoded within. Invalid and expired tokens will error.

type IdentityExtractor

type IdentityExtractor func(ctx context.Context) (Identity, error)

IdentityExtractor is a function which returns a user identity from a given context. Providers should return ErrNotFound if no identity is found. By default, JWT identities are extracted from the `Authorization` header, and then from cookies. If no identity is found, the next registered extractor is called.
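An added example, not code from the prefab package, that models the extractor chain described here and under PrependIdentityExtractor: header first, then cookie, then any extractor added with AddIdentityExtractor, with ErrNotFound meaning "try the next one" and any other error stopping the chain. Identity, the error values, the extractors and the chain type are local stand-ins (assumptions) mirroring this page's signatures; the header map carried on the context, the "ok.provider.subject" token format and the "opaque-" bearer scheme are constructed for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Identity and the error values mirror the names on the page; they are declared
// locally (assumption) so this file runs without the prefab module.
type Identity struct{ Subject, Provider string }

var (
	ErrNotFound     = errors.New("identity not found")
	ErrInvalidToken = errors.New("token is invalid")
)

type IdentityExtractor func(ctx context.Context) (Identity, error)

// Inbound headers travel on the context: a constructed stand-in for gRPC metadata.
type headerKey struct{}

func withHeaders(ctx context.Context, h map[string]string) context.Context { return context.WithValue(ctx, headerKey{}, h) }
func headerOf(ctx context.Context, name string) string { h, _ := ctx.Value(headerKey{}).(map[string]string); return h[name] }

// verify stands in for ParseIdentityToken: a "JWT" here is three dot-separated
// parts and is valid only when the first part is "ok" (constructed rule).
func verify(tok string) (Identity, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != "ok" {
		return Identity{}, ErrInvalidToken
	}
	return Identity{Provider: parts[1], Subject: parts[2]}, nil
}

// headerExtractor handles JWT-shaped bearers only; a bearer that is not JWT-shaped
// (an opaque OAuth token, say) is "not found" here and falls through (assumed).
func headerExtractor(ctx context.Context) (Identity, error) {
	tok := strings.TrimPrefix(headerOf(ctx, "authorization"), "Bearer ")
	if strings.Count(tok, ".") != 2 {
		return Identity{}, ErrNotFound
	}
	return verify(tok)
}

// cookieExtractor looks for the pf-id cookie (IdentityTokenCookieName).
func cookieExtractor(ctx context.Context) (Identity, error) {
	for _, part := range strings.Split(headerOf(ctx, "cookie"), ";") {
		if name, value, found := strings.Cut(strings.TrimSpace(part), "="); found && name == "pf-id" {
			return verify(value)
		}
	}
	return Identity{}, ErrNotFound
}

// chain models AddIdentityExtractor (append) and PrependIdentityExtractor (front).
type chain struct{ extractors []IdentityExtractor }

func newChain() *chain { return &chain{[]IdentityExtractor{headerExtractor, cookieExtractor}} }
func (c *chain) Add(e IdentityExtractor)     { c.extractors = append(c.extractors, e) }
func (c *chain) Prepend(e IdentityExtractor) { c.extractors = append([]IdentityExtractor{e}, c.extractors...) }

// Identity runs the chain: ErrNotFound moves on to the next extractor; any
// other error is a definitive rejection and stops the chain.
func (c *chain) Identity(ctx context.Context) (Identity, error) {
	for _, e := range c.extractors {
		id, err := e(ctx)
		if err == nil {
			return id, nil
		}
		if !errors.Is(err, ErrNotFound) {
			return Identity{}, err
		}
	}
	return Identity{}, ErrNotFound
}

// opaqueExtractor is the OAuth-style extractor the PrependIdentityExtractor note describes: it owns
// the "opaque-" bearer scheme, so an unknown opaque bearer is rejected rather than falling through.
func opaqueExtractor(valid map[string]Identity) IdentityExtractor {
	return func(ctx context.Context) (Identity, error) {
		auth := headerOf(ctx, "authorization")
		if !strings.HasPrefix(auth, "Bearer opaque-") {
			return Identity{}, ErrNotFound // not our scheme; let the JWT extractors look
		}
		if id, ok := valid[strings.TrimPrefix(auth, "Bearer opaque-")]; ok {
			return id, nil
		}
		return Identity{}, ErrInvalidToken
	}
}

func main() {
	// Constructed request: a stale opaque bearer alongside a still-valid cookie.
	ctx := withHeaders(context.Background(), map[string]string{"authorization": "Bearer opaque-stale", "cookie": "pf-id=ok.google.bob"})
	_, err := newChain().Identity(ctx)
	fmt.Println("default chain:", err) // <nil>: the bearer fell through and the cookie won
	c := newChain()
	c.Prepend(opaqueExtractor(map[string]Identity{"live": {Provider: "oauth", Subject: "alice"}}))
	_, err = c.Identity(ctx)
	fmt.Println("prepended opaque extractor:", err) // token is invalid
}
```

The point of the main function is the difference between the two chains on the same request: with only the default extractors a rejected opaque bearer is treated as "not found" and the cookie authenticates the caller, whereas the prepended extractor that owns that credential scheme returns a non-ErrNotFound error and the request is refused.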

type IdentityRequest

type IdentityRequest struct {
	// contains filtered or unexported fields
}

Empty request object. Auth credentials come from headers or cookie.

func (*IdentityRequest) Descriptor deprecated

func (*IdentityRequest) Descriptor() ([]byte, []int)

Deprecated: Use IdentityRequest.ProtoReflect.Descriptor instead.

func (*IdentityRequest) ProtoMessage

func (*IdentityRequest) ProtoMessage()

func (*IdentityRequest) ProtoReflect

func (x *IdentityRequest) ProtoReflect() protoreflect.Message

func (*IdentityRequest) Reset

func (x *IdentityRequest) Reset()

func (*IdentityRequest) String

func (x *IdentityRequest) String() string

type IdentityResponse

type IdentityResponse struct {
	Provider string `protobuf:"bytes,1,opt,name=provider,proto3" json:"provider,omitempty"`
	// An auth provider specific identifier used to authenticate the user.
	Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"`
	// An email address associated with the identity, if available.
	Email string `protobuf:"bytes,3,opt,name=email,proto3" json:"email,omitempty"`
	// Whether the email is thought to have been verified.
	EmailVerified bool `protobuf:"varint,4,opt,name=email_verified,json=emailVerified,proto3" json:"email_verified,omitempty"`
	// A name associated with the identity, if available.
	Name string `protobuf:"bytes,5,opt,name=name,proto3" json:"name,omitempty"`
	// Delegation information if this identity was assumed by an admin.
	Delegation *DelegationInfo `protobuf:"bytes,6,opt,name=delegation,proto3" json:"delegation,omitempty"`
	// contains filtered or unexported fields
}

Information about the authenticated identity.

func (*IdentityResponse) Descriptor deprecated

func (*IdentityResponse) Descriptor() ([]byte, []int)

Deprecated: Use IdentityResponse.ProtoReflect.Descriptor instead.

func (*IdentityResponse) GetDelegation added in v0.4.0

func (x *IdentityResponse) GetDelegation() *DelegationInfo

func (*IdentityResponse) GetEmail

func (x *IdentityResponse) GetEmail() string

func (*IdentityResponse) GetEmailVerified

func (x *IdentityResponse) GetEmailVerified() bool

func (*IdentityResponse) GetName

func (x *IdentityResponse) GetName() string

func (*IdentityResponse) GetProvider

func (x *IdentityResponse) GetProvider() string

func (*IdentityResponse) GetSubject

func (x *IdentityResponse) GetSubject() string

func (*IdentityResponse) ProtoMessage

func (*IdentityResponse) ProtoMessage()

func (*IdentityResponse) ProtoReflect

func (x *IdentityResponse) ProtoReflect() protoreflect.Message

func (*IdentityResponse) Reset

func (x *IdentityResponse) Reset()

func (*IdentityResponse) String

func (x *IdentityResponse) String() string

type IdentityValidator added in v0.4.0

type IdentityValidator func(ctx context.Context, provider, subject string) error

IdentityValidator is an optional hook that can validate whether a target identity exists and is valid before allowing delegation. This allows applications to prevent delegation to non-existent or suspended users.
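An added example, not the package's own code, that puts the delegation pieces documented on this page together: AuthorizeParams and Authorizer, the AdminChecker that wraps Authorize when the authz plugin is present, the WithDelegationEnabled / WithDelegationRequireReason / WithDelegationExpiration settings, the IdentityValidator hook, and the DelegationInfo recorded on the assumed identity. Every type is a local copy mirroring the page's signatures (assumption; AuthorizeParams keeps only the fields used), subjectAuthorizer is a constructed Authorizer, delegationConfig and assumeIdentity are hypothetical names for the configuration and the check sequence, and carrying the caller on the context under callerKey is assumed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Names mirror the page but are declared locally (assumption) so the file runs
// without the prefab module; AuthorizeParams keeps only the fields used here.
const (
	DelegationAction   = "auth.assume_identity"
	DelegationResource = "auth:delegation"
)

type (
	DelegationInfo        struct{ DelegatorSub, DelegatorProvider, DelegatorSessionId, Reason string; DelegatedAt int64 }
	Identity              struct{ SessionID, Subject, Provider string; Delegation *DelegationInfo }
	AuthorizeParams       struct{ ObjectKey, Action string; DefaultEffect int } // DefaultEffect 0 = Deny (fail closed)
	Authorizer            interface{ Authorize(ctx context.Context, params any) error }
	AdminChecker          func(ctx context.Context, identity Identity) (bool, error)
	IdentityValidator     func(ctx context.Context, provider, subject string) error
	AssumeIdentityRequest struct{ Provider, Subject, Reason string }
)

var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrDelegationOff    = errors.New("delegation is not enabled")
	ErrReasonRequired   = errors.New("a reason is required for delegation")
)

// The authz plugin reads the current user from the context; callerKey stands in for that (assumed).
type callerKey struct{}

// subjectAuthorizer is a constructed Authorizer: listed subjects may perform
// DelegationAction on DelegationResource; everyone else is denied.
type subjectAuthorizer struct{ admins map[string]bool }

func (a subjectAuthorizer) Authorize(ctx context.Context, params any) error {
	p, ok := params.(AuthorizeParams)
	caller, _ := ctx.Value(callerKey{}).(Identity)
	if ok && p.ObjectKey == DelegationResource && p.Action == DelegationAction && a.admins[caller.Subject] {
		return nil
	}
	return ErrPermissionDenied
}

// adminCheckerFromAuthorizer is the wrapping the page describes for when the authz
// plugin is present: an AdminChecker that asks Authorize for DelegationAction.
func adminCheckerFromAuthorizer(a Authorizer) AdminChecker {
	return func(ctx context.Context, _ Identity) (bool, error) {
		err := a.Authorize(ctx, AuthorizeParams{ObjectKey: DelegationResource, Action: DelegationAction, DefaultEffect: 0})
		if errors.Is(err, ErrPermissionDenied) {
			return false, nil
		}
		return err == nil, err
	}
}

type delegationConfig struct {
	Enabled, RequireReason bool
	Expiration             time.Duration     // WithDelegationExpiration: shorter than regular tokens
	Admin                  AdminChecker      // WithAdminChecker, or the authz-derived checker above
	Validate               IdentityValidator // optional WithIdentityValidator hook
}

// assumeIdentity runs the checks in order; every failure returns an error and
// nothing falls open, including the "no checker configured" case.
func assumeIdentity(ctx context.Context, cfg delegationConfig, caller Identity, req AssumeIdentityRequest, now time.Time) (Identity, time.Time, error) {
	switch {
	case !cfg.Enabled:
		return Identity{}, time.Time{}, ErrDelegationOff
	case cfg.RequireReason && req.Reason == "":
		return Identity{}, time.Time{}, ErrReasonRequired
	case cfg.Admin == nil:
		return Identity{}, time.Time{}, ErrPermissionDenied // neither authz nor admin checker: all requests fail
	}
	if ok, err := cfg.Admin(ctx, caller); err != nil || !ok {
		if err == nil {
			err = ErrPermissionDenied
		}
		return Identity{}, time.Time{}, err
	}
	if cfg.Validate != nil {
		if err := cfg.Validate(ctx, req.Provider, req.Subject); err != nil {
			return Identity{}, time.Time{}, err
		}
	}
	assumed := Identity{SessionID: "delegated-" + caller.SessionID, Subject: req.Subject, Provider: req.Provider, // constructed jti
		Delegation: &DelegationInfo{DelegatorSub: caller.Subject, DelegatorProvider: caller.Provider,
			DelegatorSessionId: caller.SessionID, Reason: req.Reason, DelegatedAt: now.Unix()}}
	return assumed, now.Add(cfg.Expiration), nil
}

func main() {
	alice := Identity{SessionID: "s-1", Subject: "alice", Provider: "google"}
	cfg := delegationConfig{Enabled: true, RequireReason: true, Expiration: time.Hour, Admin: adminCheckerFromAuthorizer(subjectAuthorizer{admins: map[string]bool{"alice": true}})}
	id, exp, err := assumeIdentity(context.WithValue(context.Background(), callerKey{}, alice), cfg, alice, AssumeIdentityRequest{Provider: "google", Subject: "bob", Reason: "support-case-873"}, time.Now())
	fmt.Println(id.Subject, id.Delegation != nil, exp.Format(time.RFC3339), err)
}
```

The DelegationInfo attached to the assumed identity is what GetDelegator and IsDelegated read back later, and it is also what an audit consumer of DelegationEvent needs: who delegated, from which session, why, and when.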

type LoginHandler

type LoginHandler func(ctx context.Context, req *LoginRequest) (*LoginResponse, error)

LoginHandler is a function which allows delegation of login requests.

type LoginRequest

type LoginRequest struct {

	// Name of the auth-provider to use to process the creds.
	Provider string `protobuf:"bytes,1,opt,name=provider,proto3" json:"provider,omitempty"`
	// Creds contains key/value pairs of provider specific credentials.
	Creds map[string]string `` /* 137-byte string literal not displayed */
	// Whether a token should be returned in the response. If false, a cookie will
	// be set on the API root.
	IssueToken bool `protobuf:"varint,3,opt,name=issue_token,json=issueToken,proto3" json:"issue_token,omitempty"`
	// The URL where the user should be redirected after the cookie is set.
	// Incompatible with `issue_token`.
	RedirectUri string `protobuf:"bytes,4,opt,name=redirect_uri,json=redirectUri,proto3" json:"redirect_uri,omitempty"`
	// contains filtered or unexported fields
}

A client request to authenticate the user. For instance:

{ "provider": "magiclink", "creds": {"email": "walt@disney.com"} }
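The two hooks described above, IdentityValidator (refusing delegation to identities that do not exist or are suspended) and LoginHandler (processing a LoginRequest under the documented issue_token/redirect_uri rules), are shown together in the following added example. It is not code from the prefab auth package: the LoginRequest, LoginResponse, LoginHandler and IdentityValidator types are local stand-ins that mirror the signatures on this page so the file compiles on its own, and userRecord, NewDirectoryValidator, NewTwoStepLoginHandler and the verify/mint callbacks are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins mirroring the signatures shown on this page so the example
// compiles alone. They are not the prefab auth package's own definitions.
type LoginRequest struct {
	Provider    string
	Creds       map[string]string
	IssueToken  bool
	RedirectUri string
}

type LoginResponse struct {
	Issued      bool
	Token       string
	RedirectUri string
}

type LoginHandler func(ctx context.Context, req *LoginRequest) (*LoginResponse, error)

type IdentityValidator func(ctx context.Context, provider, subject string) error

var (
	ErrUnknownIdentity   = errors.New("auth: target identity does not exist")
	ErrSuspendedIdentity = errors.New("auth: target identity is suspended")
	ErrBadRequest        = errors.New("auth: invalid login request")
)

// userRecord is a constructed stand-in for an application's user store entry.
type userRecord struct {
	Provider  string
	Subject   string
	Suspended bool
}

// NewDirectoryValidator (hypothetical) returns an IdentityValidator that only
// allows delegation to identities present in dir and not suspended, so an admin
// cannot assume an identity the application would not accept at login.
func NewDirectoryValidator(dir []userRecord) IdentityValidator {
	index := make(map[string]userRecord, len(dir))
	for _, u := range dir {
		index[u.Provider+"\x00"+u.Subject] = u // NUL separator: no "a/b" vs "a","/b" collisions
	}
	return func(ctx context.Context, provider, subject string) error {
		if err := ctx.Err(); err != nil {
			return err // honour cancellation/deadline before consulting the store
		}
		u, ok := index[provider+"\x00"+subject]
		if !ok {
			return fmt.Errorf("%w: %s/%s", ErrUnknownIdentity, provider, subject)
		}
		if u.Suspended {
			return fmt.Errorf("%w: %s/%s", ErrSuspendedIdentity, provider, subject)
		}
		return nil
	}
}

// NewTwoStepLoginHandler (hypothetical) returns a LoginHandler for an emailed-code
// provider. A request carrying only "email" answers Issued=false because a further
// step is required (as magiclink does on this page); a request that also carries
// "code" is verified and, when issue_token is set, receives a token from mint.
// The documented incompatibility of redirect_uri with issue_token is enforced.
func NewTwoStepLoginHandler(verify func(email, code string) bool, mint func(email string) string) LoginHandler {
	return func(ctx context.Context, req *LoginRequest) (*LoginResponse, error) {
		if req == nil || req.Provider == "" {
			return nil, ErrBadRequest
		}
		if req.IssueToken && req.RedirectUri != "" {
			return nil, fmt.Errorf("%w: redirect_uri is incompatible with issue_token", ErrBadRequest)
		}
		email := strings.ToLower(strings.TrimSpace(req.Creds["email"]))
		if email == "" || !strings.Contains(email, "@") {
			return nil, fmt.Errorf("%w: creds.email is required", ErrBadRequest)
		}
		code, ok := req.Creds["code"]
		if !ok {
			return &LoginResponse{Issued: false}, nil // step one: code is sent out of band
		}
		if !verify(email, code) {
			return nil, errors.New("auth: invalid or expired code") // same error for wrong email or code
		}
		resp := &LoginResponse{Issued: true, RedirectUri: req.RedirectUri}
		if req.IssueToken {
			resp.Token = mint(email)
		}
		return resp, nil
	}
}

func main() {
	validate := NewDirectoryValidator([]userRecord{
		{Provider: "google", Subject: "alice@example.com"},
		{Provider: "google", Subject: "bob@example.com", Suspended: true},
	})
	fmt.Println(validate(context.Background(), "google", "bob@example.com"))
}
```

The validator returns wrapped sentinel errors so a caller can distinguish "unknown" from "suspended" with errors.Is while the delegation endpoint itself can keep its response generic; the handler returns one error for a wrong email and a wrong code so the login endpoint does not confirm which addresses are enrolled.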

func (*LoginRequest) Descriptor deprecated

func (*LoginRequest) Descriptor() ([]byte, []int)

Deprecated: Use LoginRequest.ProtoReflect.Descriptor instead.

func (*LoginRequest) GetCreds

func (x *LoginRequest) GetCreds() map[string]string

func (*LoginRequest) GetIssueToken

func (x *LoginRequest) GetIssueToken() bool

func (*LoginRequest) GetProvider

func (x *LoginRequest) GetProvider() string

func (*LoginRequest) GetRedirectUri

func (x *LoginRequest) GetRedirectUri() string

func (*LoginRequest) ProtoMessage

func (*LoginRequest) ProtoMessage()

func (*LoginRequest) ProtoReflect

func (x *LoginRequest) ProtoReflect() protoreflect.Message

func (*LoginRequest) Reset

func (x *LoginRequest) Reset()

func (*LoginRequest) String

func (x *LoginRequest) String() string

type LoginResponse

type LoginResponse struct {

	// Whether the token was issued. False does not necessarily indicate an error,
	// some auth providers may require an additional step. For example, magiclink
	// requires the user follow a URL that was sent to their email.
	Issued bool `protobuf:"varint,1,opt,name=issued,proto3" json:"issued,omitempty"`
	// An auth token which can be used to make subsequent authenticated requests.
	// Only set if `issue_token` is true.
	Token string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
	// Destination where the client should be redirected to, if applicable. HTTP
	// headers will be added to GRPC metadata which will cause a 302 redirect if
	// the RPC is called via the GRPC Gateway. Not compatible with `issue_token`
	// set to true.
	RedirectUri string `protobuf:"bytes,3,opt,name=redirect_uri,json=redirectUri,proto3" json:"redirect_uri,omitempty"`
	// contains filtered or unexported fields
}

The login response.

func (*LoginResponse) Descriptor deprecated

func (*LoginResponse) Descriptor() ([]byte, []int)

Deprecated: Use LoginResponse.ProtoReflect.Descriptor instead.

func (*LoginResponse) GetIssued

func (x *LoginResponse) GetIssued() bool

func (*LoginResponse) GetRedirectUri

func (x *LoginResponse) GetRedirectUri() string

func (*LoginResponse) GetToken

func (x *LoginResponse) GetToken() string

func (*LoginResponse) ProtoMessage

func (*LoginResponse) ProtoMessage()

func (*LoginResponse) ProtoReflect

func (x *LoginResponse) ProtoReflect() protoreflect.Message

func (*LoginResponse) Reset

func (x *LoginResponse) Reset()

func (*LoginResponse) String

func (x *LoginResponse) String() string

type LogoutRequest

type LogoutRequest struct {

	// The URL where the user should be redirected after a successful logout.
	RedirectUri string `protobuf:"bytes,4,opt,name=redirect_uri,json=redirectUri,proto3" json:"redirect_uri,omitempty"`
	// contains filtered or unexported fields
}

The logout request.

func (*LogoutRequest) Descriptor deprecated

func (*LogoutRequest) Descriptor() ([]byte, []int)

Deprecated: Use LogoutRequest.ProtoReflect.Descriptor instead.

func (*LogoutRequest) GetRedirectUri

func (x *LogoutRequest) GetRedirectUri() string

func (*LogoutRequest) ProtoMessage

func (*LogoutRequest) ProtoMessage()

func (*LogoutRequest) ProtoReflect

func (x *LogoutRequest) ProtoReflect() protoreflect.Message

func (*LogoutRequest) Reset

func (x *LogoutRequest) Reset()

func (*LogoutRequest) String

func (x *LogoutRequest) String() string

type LogoutResponse

type LogoutResponse struct {

	// Destination where the client should be redirected to, if applicable. HTTP
	// headers will be added to GRPC metadata which will cause a 302 redirect if
	// the RPC is called via the GRPC Gateway.
	RedirectUri string `protobuf:"bytes,1,opt,name=redirect_uri,json=redirectUri,proto3" json:"redirect_uri,omitempty"`
	// contains filtered or unexported fields
}

The logout response.

func (*LogoutResponse) Descriptor deprecated

func (*LogoutResponse) Descriptor() ([]byte, []int)

Deprecated: Use LogoutResponse.ProtoReflect.Descriptor instead.

func (*LogoutResponse) GetRedirectUri

func (x *LogoutResponse) GetRedirectUri() string

func (*LogoutResponse) ProtoMessage

func (*LogoutResponse) ProtoMessage()

func (*LogoutResponse) ProtoReflect

func (x *LogoutResponse) ProtoReflect() protoreflect.Message

func (*LogoutResponse) Reset

func (x *LogoutResponse) Reset()

func (*LogoutResponse) String

func (x *LogoutResponse) String() string

type UnimplementedAuthServiceServer

type UnimplementedAuthServiceServer struct{}

UnimplementedAuthServiceServer must be embedded to have forward compatible implementations.

NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.

func (UnimplementedAuthServiceServer) AssumeIdentity added in v0.4.0

func (UnimplementedAuthServiceServer) Identity

func (UnimplementedAuthServiceServer) Login

func (UnimplementedAuthServiceServer) Logout

type UnsafeAuthServiceServer

type UnsafeAuthServiceServer interface {
	// contains filtered or unexported methods
}

UnsafeAuthServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AuthServiceServer will result in compilation errors.

Directories

Path Synopsis
apikey Package apikey provides an authentication plugin that allows for authentication via apikeys.
fake Package fake provides an authentication plugin for testing purposes.
google Package google provides authentication via Google SSO.
magiclink Package magiclink provides passwordless authentication, allowing users to authenticate using a magic link that is sent to their email address.
pwdauth Package pwdauth provides an authentication service plugin that allows users to authenticate via an email and password.
