Overview
Package token provides grant-agnostic access-token sources for proxy auth.
A Source hides which OAuth grant is in play (interactive refresh-token vs client_credentials) behind a single Token/Invalidate seam, so request code can attach a token and retry on rejection without branching on auth mode.
Constants
const ModeClientCredentials = "client_credentials"
ModeClientCredentials selects the non-interactive service-account grant. Any other value of Config.Mode (including "", "oauth" and "oidc") selects the interactive refresh-token grant.
Variables
var ErrNotAuthenticated = errors.New("not authenticated")
ErrNotAuthenticated is returned by an interactive Source when no credentials are stored (e.g. the user has not run `panda auth login`, or logged out).
Functions
This section is empty.
Types
type Config
type Config struct {
	// IssuerURL is the resolved OIDC issuer (callers apply any proxy-URL
	// fallback before passing it in).
	IssuerURL string
	// ClientID is the OAuth client ID.
	ClientID string
	// Resource is the optional RFC 8707 resource indicator.
	Resource string
	// Username and Password are the service-account credentials for
	// ModeClientCredentials.
	Username string
	Password string
	// Mode selects the grant: ModeClientCredentials or interactive (default).
	Mode string
	// RefreshTokenTTL is the expected refresh-token lifetime, used by the
	// interactive store to keep the refresh token alive via rotation.
	RefreshTokenTTL time.Duration
	// MintTimeout bounds a single client_credentials mint.
	MintTimeout time.Duration
}
Config describes how to build a Source. A blank IssuerURL or ClientID means no auth is configured and NewSource returns nil.
type Source
type Source interface {
	// Token returns a currently valid access token, refreshing or minting one
	// as needed.
	Token(ctx context.Context) (string, error)
	// Invalidate drops any cached access token so the next Token call obtains a
	// fresh one. Used when the proxy rejects a token that has not yet hit the
	// local expiry buffer (e.g. server-side revocation).
	Invalidate()
}
Source yields valid access tokens for proxy requests, hiding the OAuth grant.
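The retry loop this seam enables, as an added example that is not part of the package: request code asks the Source for a token, sends the request, and on a 401 calls Invalidate and rebuilds the request once with a fresh token, never looking at which grant is behind the Source. Only the Source interface and ErrNotAuthenticated are copied from this page; doWithToken, fakeSource, the revoking test proxy and the /v1/ping path are constructed for the example. A nil Source is treated as "no auth configured", matching what NewSource documents below.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Source mirrors the interface documented above; everything else in this file
// is a constructed example, not package code.
type Source interface {
	Token(ctx context.Context) (string, error)
	Invalidate()
}

// ErrNotAuthenticated mirrors the package variable documented above.
var ErrNotAuthenticated = errors.New("not authenticated")

// doWithToken builds the request with newReq, attaches a bearer token from src
// and sends it. On a 401 it drops the cached token via Invalidate and rebuilds
// and resends the request exactly once with a fresh token. A nil src means no
// auth is configured: no Authorization header is added and 401s are returned.
func doWithToken(ctx context.Context, client *http.Client, src Source,
	newReq func(ctx context.Context) (*http.Request, error)) (*http.Response, error) {
	retried := false
	for {
		req, err := newReq(ctx)
		if err != nil {
			return nil, err
		}
		if src != nil {
			tok, err := src.Token(ctx)
			if err != nil {
				return nil, fmt.Errorf("obtaining access token: %w", err)
			}
			req.Header.Set("Authorization", "Bearer "+tok)
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusUnauthorized || src == nil || retried {
			return resp, nil
		}
		// The proxy rejected a token still inside its local lifetime (e.g.
		// revoked server-side): forget it and retry once with a fresh one.
		resp.Body.Close()
		src.Invalidate()
		retried = true
	}
}

// fakeSource is a constructed stand-in for a real Source. It hands out
// "tok-<generation>" and moves to the next generation only on Invalidate,
// the way a caching Source re-mints after being invalidated.
type fakeSource struct {
	generation    int
	invalidations int
	err           error // when set, Token fails with this error
}

func (f *fakeSource) Token(ctx context.Context) (string, error) {
	if f.err != nil {
		return "", f.err
	}
	return fmt.Sprintf("tok-%d", f.generation), nil
}

func (f *fakeSource) Invalidate() {
	f.invalidations++
	f.generation++
}

// newRevokingProxy is a constructed proxy that treats "tok-1" as revoked:
// only "Bearer tok-2" is accepted, anything else gets 401.
func newRevokingProxy() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer tok-2" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// runRevocationScenario drives doWithToken against the revoking proxy and
// reports the final status code and how many times Invalidate was called.
func runRevocationScenario() (status, invalidations int, err error) {
	srv := newRevokingProxy()
	defer srv.Close()
	src := &fakeSource{generation: 1}
	resp, err := doWithToken(context.Background(), srv.Client(), src,
		func(ctx context.Context) (*http.Request, error) {
			return http.NewRequestWithContext(ctx, http.MethodGet, srv.URL+"/v1/ping", nil)
		})
	if err != nil {
		return 0, src.invalidations, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, src.invalidations, nil
}

// runLoggedOutScenario shows the interactive-store failure mode: Token fails
// with ErrNotAuthenticated and doWithToken surfaces it before sending anything.
func runLoggedOutScenario() error {
	src := &fakeSource{generation: 1, err: ErrNotAuthenticated}
	_, err := doWithToken(context.Background(), http.DefaultClient, src,
		func(ctx context.Context) (*http.Request, error) {
			return http.NewRequestWithContext(ctx, http.MethodGet, "http://proxy.invalid/v1/ping", nil)
		})
	return err
}

func main() {
	status, inv, err := runRevocationScenario()
	fmt.Println("status:", status, "invalidations:", inv, "err:", err)
	fmt.Println("logged out:", runLoggedOutScenario())
}
```

The retry is bounded to one attempt on purpose: if the second token is also rejected, the 401 is returned to the caller rather than looping against a proxy that will keep saying no. Errors from Token are wrapped with %w so callers can still test for ErrNotAuthenticated with errors.Is and prompt for `panda auth login`.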
func NewClientCredentialsSource
func NewClientCredentialsSource(log logrus.FieldLogger, c client.Client, mintTimeout time.Duration) Source
NewClientCredentialsSource builds a Source that mints tokens via the client_credentials grant, caching each minted token in memory until it needs replacing and bounding every mint with mintTimeout.
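The producer side of the same contract, as an added example that is not the package's implementation: an in-memory caching Source that reuses a minted token until it comes within a local expiry buffer of expiring, bounds each mint with a context deadline (the role mintTimeout plays above), and forgets the token on Invalidate. The Source interface is copied from this page; cachingSource, mintFunc, the 30-second buffer, the injected clock and the counting mint are all constructed here, and the page does not document what buffer or token lifetime the real source uses.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Source mirrors the interface documented above.
type Source interface {
	Token(ctx context.Context) (string, error)
	Invalidate()
}

// mintFunc stands for one grant exchange (e.g. a client_credentials POST to the
// issuer's token endpoint) and reports the token and its lifetime.
type mintFunc func(ctx context.Context) (token string, ttl time.Duration, err error)

// cachingSource is a constructed example: it reuses a minted token until it is
// within expiryBuffer of expiring, bounds every mint with mintTimeout, and
// drops the token on Invalidate so the next Token call mints again.
type cachingSource struct {
	mint         mintFunc
	mintTimeout  time.Duration
	expiryBuffer time.Duration
	now          func() time.Time // injectable clock so the example is deterministic

	mu    sync.Mutex
	token string
	exp   time.Time
}

var _ Source = (*cachingSource)(nil)

func (s *cachingSource) Token(ctx context.Context) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	// Serve from cache only while the token has more than expiryBuffer left.
	if s.token != "" && s.now().Add(s.expiryBuffer).Before(s.exp) {
		return s.token, nil
	}
	mctx, cancel := context.WithTimeout(ctx, s.mintTimeout)
	defer cancel()
	tok, ttl, err := s.mint(mctx)
	if err != nil {
		return "", fmt.Errorf("minting access token: %w", err)
	}
	s.token, s.exp = tok, s.now().Add(ttl)
	return tok, nil
}

func (s *cachingSource) Invalidate() {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.token, s.exp = "", time.Time{}
}

// runCacheScenario walks the cache lifecycle with a fake clock and a counting
// mint. It returns the cumulative mint count after each step: fresh source,
// one minute later, inside the expiry buffer, and after Invalidate.
func runCacheScenario() ([4]int, error) {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	mints := 0
	src := &cachingSource{
		mint: func(ctx context.Context) (string, time.Duration, error) {
			mints++
			return fmt.Sprintf("tok-%d", mints), 5 * time.Minute, nil
		},
		mintTimeout:  5 * time.Second,
		expiryBuffer: 30 * time.Second,
		now:          func() time.Time { return clock },
	}
	steps := []func(){
		func() {},                                                    // fresh: must mint
		func() { clock = clock.Add(time.Minute) },                    // 4m left: cached
		func() { clock = clock.Add(3*time.Minute + 45*time.Second) }, // 15s left: inside buffer, re-mint
		func() { src.Invalidate() },                                  // cache dropped: re-mint
	}
	var counts [4]int
	for i, step := range steps {
		step()
		if _, err := src.Token(context.Background()); err != nil {
			return counts, err
		}
		counts[i] = mints
	}
	return counts, nil
}

// runTimeoutScenario shows the mint timeout: a token endpoint that never
// answers is cut off by the context deadline instead of hanging the caller.
func runTimeoutScenario() error {
	src := &cachingSource{
		mint: func(ctx context.Context) (string, time.Duration, error) {
			<-ctx.Done() // stand-in for an endpoint that never responds
			return "", 0, ctx.Err()
		},
		mintTimeout: 50 * time.Millisecond,
		now:         time.Now,
	}
	_, err := src.Token(context.Background())
	return err
}

func main() {
	counts, err := runCacheScenario()
	fmt.Println("mints after each step:", counts, "err:", err)
	fmt.Println("timeout scenario:", runTimeoutScenario())
}
```

The buffer is what makes Invalidate necessary: a token can be rejected by the proxy (revoked, or the proxy's clock is ahead) while the local check still considers it good, and without an explicit Invalidate the cache would keep handing back the same rejected token until the buffer was reached.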
func NewRefreshSource
NewRefreshSource builds a Source backed by the on-disk credential store.
func NewSource
func NewSource(log logrus.FieldLogger, cfg Config) Source
NewSource builds the access-token Source for cfg. It owns the grant decision (cfg.Mode), the construction of the OAuth client and, for interactive grants, the on-disk credential store. It returns nil when no auth is configured (blank IssuerURL or ClientID), so the proxy can treat "no token source" as "no auth required".