Documentation
Index ¶
- func CreateFederatedIdentity(fi FederatedIdentity) error
- func CreateFederationProvider(p FederationProvider) error
- func DeleteFederatedIdentity(id string) error
- func DeleteFederationProvider(id string) error
- func HandleCreateProvider(w http.ResponseWriter, r *http.Request)
- func HandleDeleteProvider(w http.ResponseWriter, r *http.Request)
- func HandleFederationBegin(w http.ResponseWriter, r *http.Request)
- func HandleFederationCallback(w http.ResponseWriter, r *http.Request)
- func HandleFederationIcon(w http.ResponseWriter, r *http.Request)
- func HandleGetProvider(w http.ResponseWriter, r *http.Request)
- func HandleListProviders(w http.ResponseWriter, r *http.Request)
- func HandleUpdateProvider(w http.ResponseWriter, r *http.Request)
- func SignState(s FederationState) (string, error)
- func UpdateFederationProvider(id string, req FederationProviderRequest) error
- type FederatedIdentity
- type FederationProvider
- type FederationProviderRequest
- type FederationProviderView
- type FederationState
- type ProviderResponse
Functions ¶
func CreateFederatedIdentity ¶
func CreateFederatedIdentity(fi FederatedIdentity) error
func CreateFederationProvider ¶
func CreateFederationProvider(p FederationProvider) error
func DeleteFederatedIdentity ¶ added in v1.3.2
func DeleteFederatedIdentity(id string) error
func HandleCreateProvider ¶ added in v1.4.4
func HandleCreateProvider(w http.ResponseWriter, r *http.Request)
HandleCreateProvider godoc @Summary Create a federation provider @Tags admin-federation @Accept json @Produce json @Param request body FederationProviderRequest true "Provider request" @Security AdminAuth @Success 201 {object} map[string]string @Router /admin/api/federation [post]
func HandleDeleteProvider ¶ added in v1.4.4
func HandleDeleteProvider(w http.ResponseWriter, r *http.Request)
HandleDeleteProvider godoc @Summary Delete a federation provider @Tags admin-federation @Param id path string true "Provider ID" @Security AdminAuth @Success 204 @Failure 404 {object} model.ApiError @Router /admin/api/federation/{id} [delete]
func HandleFederationBegin ¶
func HandleFederationBegin(w http.ResponseWriter, r *http.Request)
HandleFederationBegin initiates an OIDC federation login by redirecting the user to the external identity provider.
func HandleFederationCallback ¶
func HandleFederationCallback(w http.ResponseWriter, r *http.Request)
HandleFederationCallback handles the OIDC callback from the external provider, resolves the local user — presumably through FederatedIdentityByProviderAndSub, i.e. keyed on the provider ID plus the provider's `sub`, not on an email address — and issues an authorization code for the original client whose request parameters were carried in the signed state.
func HandleFederationIcon ¶ added in v1.6.16
func HandleFederationIcon(w http.ResponseWriter, r *http.Request)
HandleFederationIcon serves a provider's icon_svg with the image/svg+xml content type. The login template references this route via <img src> — an SVG loaded through <img> is processed by browsers in secure static mode (scripts and external resources disabled), which neutralizes active content in the admin-supplied SVG. That protection does not apply when someone navigates directly to the URL: the SVG then becomes a top-level same-origin document and could run script, so the restrictive per-response CSP on this handler is what defends that case. Because the SVG is admin-supplied, the route should be treated as serving untrusted content regardless of who uploaded it.
func HandleGetProvider ¶ added in v1.4.4
func HandleGetProvider(w http.ResponseWriter, r *http.Request)
HandleGetProvider godoc @Summary Get a federation provider @Tags admin-federation @Produce json @Param id path string true "Provider ID" @Security AdminAuth @Success 200 {object} ProviderResponse @Failure 404 {object} model.ApiError @Router /admin/api/federation/{id} [get]
func HandleListProviders ¶ added in v1.4.4
func HandleListProviders(w http.ResponseWriter, r *http.Request)
HandleListProviders godoc @Summary List federation providers @Tags admin-federation @Produce json @Security AdminAuth @Success 200 {array} ProviderResponse @Router /admin/api/federation [get]
func HandleUpdateProvider ¶ added in v1.4.4
func HandleUpdateProvider(w http.ResponseWriter, r *http.Request)
HandleUpdateProvider godoc @Summary Update a federation provider @Tags admin-federation @Accept json @Produce json @Param id path string true "Provider ID" @Param request body FederationProviderRequest true "Provider request" @Security AdminAuth @Success 200 {object} map[string]string @Failure 404 {object} model.ApiError @Router /admin/api/federation/{id} [put]
func SignState ¶
func SignState(s FederationState) (string, error)
SignState JSON-encodes the FederationState, signs it with HMAC-SHA256 using the CSRF secret, and returns a base64url-encoded "payload.signature" string. Note that the same secret is shared with CSRF-token signing; a practitioner would normally derive a purpose-specific key from it so that a token minted for one use cannot be presented as the other and a leak of one does not compromise both.
func UpdateFederationProvider ¶
func UpdateFederationProvider(id string, req FederationProviderRequest) error
Types ¶
type FederatedIdentity ¶
// FederatedIdentity links a local user to a provider-specific subject (sub).
type FederatedIdentity struct {
	ID             string         // identifier of this link row
	ProviderID     string         // FederationProvider.ID this identity belongs to
	ProviderUserID string         // provider's subject ("sub"); going by the name, the key used by FederatedIdentityByProviderAndSub
	UserID         string         // local user the provider subject is linked to
	Email          sql.NullString // email reported by the provider, if any; nullable and not a lookup key here
	CreatedAt      time.Time      // when the link was created
}
FederatedIdentity links a local user (UserID) to a provider-specific subject — the provider's `sub` claim, apparently held in ProviderUserID and used as the lookup key by FederatedIdentityByProviderAndSub. Email is nullable and informational; it is not the field the lookup is keyed on.
func FederatedIdentitiesByUserID ¶ added in v1.3.2
func FederatedIdentitiesByUserID(userID string) ([]*FederatedIdentity, error)
func FederatedIdentityByProviderAndSub ¶
func FederatedIdentityByProviderAndSub(providerID, sub string) (*FederatedIdentity, error)
type FederationProvider ¶
// FederationProvider represents a registered OIDC identity provider.
type FederationProvider struct {
	ID           string         // provider identifier (also the {id} path segment of the admin routes)
	Name         string         // display name shown on the login page
	Issuer       string         // OIDC issuer; presumably used for discovery and ID-token validation — confirm
	ClientID     string         // this service's client_id at the provider
	ClientSecret string         // client secret; intentionally absent from ProviderResponse, so never returned by the admin API
	IconSVG      sql.NullString // admin-supplied SVG; served only through HandleFederationIcon, never inlined into login HTML
	Enabled      bool           // only enabled providers are returned by ListEnabledProviderViews
	SortOrder    int            // ordering of providers on the login page
	CreatedAt    time.Time      // when the provider was registered
}
FederationProvider represents a registered OIDC identity provider.
func FederationProviderByID ¶
func FederationProviderByID(id string) (*FederationProvider, error)
func ListFederationProviders ¶
func ListFederationProviders() ([]*FederationProvider, error)
type FederationProviderRequest ¶
// FederationProviderRequest is used for admin create/update API calls.
type FederationProviderRequest struct {
	ID           string `json:"id"`            // client-chosen provider ID on create; presumably ignored on update, where the path {id} wins — confirm
	Name         string `json:"name"`          // display name for the login page
	Issuer       string `json:"issuer"`        // OIDC issuer
	ClientID     string `json:"client_id"`     // client_id at the provider
	ClientSecret string `json:"client_secret"` // client secret, supplied in the request body; how an empty value is treated on update is not visible here — confirm
	IconSVG      string `json:"icon_svg"`      // admin-supplied SVG; treated as untrusted and served only via the icon route
	Enabled      *bool  `json:"enabled"`       // pointer so that a JSON body omitting the field decodes to nil; presumably "leave unchanged" on update — confirm
	SortOrder    int    `json:"sort_order"`    // display order on the login page
}
FederationProviderRequest is used for admin create/update API calls.
type FederationProviderView ¶
FederationProviderView is a safe, template-ready representation of a provider. HasIcon signals whether to emit an <img> referencing the icon route — admin SVG is never injected into the login HTML directly to prevent stored XSS.
func ListEnabledProviderViews ¶
func ListEnabledProviderViews() ([]FederationProviderView, error)
ListEnabledProviderViews returns only enabled providers as template-safe views, ordered by sort_order for display on the login page. Admin-supplied SVG never flows into the template — HasIcon tells the template to emit an <img> pointing at the federation icon route, which serves the SVG with image/svg+xml.
type FederationState ¶
// FederationState is HMAC-signed and round-tripped via the OAuth2 state
// parameter. It carries the original OIDC authorization request params across
// the provider redirect.
//
// NOTE(review): there is no issued-at or expiry field, so a signed state has
// no built-in lifetime; confirm that Nonce is checked for freshness/single use
// on the callback rather than relying on the signature alone.
type FederationState struct {
	Nonce               string `json:"nonce"`                 // per-login value; the only field that can tie the state to a specific login attempt
	ProviderID          string `json:"provider_id"`           // which FederationProvider the user was sent to
	RedirectURI         string `json:"redirect_uri"`          // original client's redirect_uri
	ClientID            string `json:"client_id"`             // original client's client_id
	Scope               string `json:"scope"`                 // original client's requested scope
	State               string `json:"state"`                 // original client's own state value, to be echoed back to it
	CodeChallenge       string `json:"code_challenge"`        // original client's PKCE challenge
	CodeChallengeMethod string `json:"code_challenge_method"` // PKCE method for CodeChallenge
}
FederationState is HMAC-signed and round-tripped via the OAuth2 state parameter. It carries the original OIDC authorization request params across the provider redirect so the callback can finish that request. The struct has no issued-at or expiry field, so the signature alone does not bound how long a state value remains valid; any freshness or single-use guarantee has to come from how the Nonce is checked on return.
func VerifyState ¶
func VerifyState(raw string) (*FederationState, error)
VerifyState parses a signed state string produced by SignState, verifies the HMAC signature, and returns the decoded FederationState. A successful verification proves only that this server produced the value — not that it is fresh or has not been used before — so callers still have to validate the Nonce and the provider's response against the user's session rather than trusting the decoded fields outright.
type ProviderResponse ¶ added in v1.4.4
// ProviderResponse is the shared response shape for federation provider
// endpoints. It deliberately has no ClientSecret field, so the secret is never
// returned to admin clients.
type ProviderResponse struct {
	ID        string `json:"id"`
	Name      string `json:"name"`
	Issuer    string `json:"issuer"`
	ClientID  string `json:"client_id"`
	IconSVG   string `json:"icon_svg"` // stored SVG returned as-is to admins; consumers must not inline it into HTML
	Enabled   bool   `json:"enabled"`
	SortOrder int    `json:"sort_order"`
}
ProviderResponse is the shared response shape for federation provider endpoints. It has no ClientSecret field, so the secret is never echoed back to admin clients; IconSVG is returned as stored.