auth

package auth v0.2.0

This package is not in the latest version of its module.

Published: Jun 20, 2026 License: GPL-3.0 Imports: 8 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func Authenticate

func Authenticate(ctx context.Context, input *openapi3filter.AuthenticationInput) error

Authenticate is an openapi3filter.AuthenticationFunc that handles HTTP basic and bearer security schemes. It parses the credentials from the request and delegates verification to the Verifier registered for the scheme name.

func GrantedScopes

func GrantedScopes(claims Claims) []string

GrantedScopes extracts the scopes granted by a token from its claims, normalizing the shapes commonly used by identity providers:

  • "scope": space-delimited string (OAuth2 standard)
  • "scp": space-delimited string, or an array of strings (e.g. Azure AD)
  • "scopes": an array of strings (fallback)

func RegisterVerifier

func RegisterVerifier(schemeName string, verifier Verifier)

RegisterVerifier registers a Verifier for a security scheme name as declared in the OpenAPI spec's components.securitySchemes.

func RequireScopes

func RequireScopes(required, granted []string) error

RequireScopes returns an error naming the missing scope(s) unless every required scope is present in granted. An empty required set always passes.
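The claim normalization and the fail-closed scope check described for GrantedScopes and RequireScopes, as an added illustration written for this page rather than the package's own code. It assumes a Claims map type mirroring the one documented below, checks the three keys in the documented order, and generalizes slightly by accepting either the string or the array shape under any of them.

```go
package main

import (
	"fmt"
	"strings"
)

type Claims map[string]interface{} // mirrors the package's Claims type
// GrantedScopes normalizes the claim shapes the package documents ("scope",
// "scp" and "scopes"; space-delimited string or JSON array under any of them).
func GrantedScopes(claims Claims) []string {
	for _, key := range []string{"scope", "scp", "scopes"} {
		switch v := claims[key].(type) {
		case string:
			return strings.Fields(v)
		case []interface{}: // array shape, e.g. Azure AD's "scp"
			var out []string
			for _, e := range v {
				if s, ok := e.(string); ok { // non-string elements are dropped
					out = append(out, s)
				}
			}
			return out
		}
	}
	return nil // no recognised scope claim: grant nothing
}

// RequireScopes fails closed and names the missing scope(s) in its error.
func RequireScopes(required, granted []string) error {
	have := make(map[string]bool, len(granted))
	for _, g := range granted {
		have[g] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	if len(missing) == 0 {
		return nil
	}
	return fmt.Errorf("missing required scope(s): %s", strings.Join(missing, " "))
}

func main() { // constructed Azure AD style claims: "scp" carried as a JSON array
	granted := GrantedScopes(Claims{"scp": []interface{}{"orders:read"}})
	fmt.Println(RequireScopes([]string{"orders:read", "orders:write"}, granted))
}
```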

Types

type Claims

type Claims map[string]interface{}

Claims holds the identity attributes a verifier established for a request, exposed to the step pipeline as $.auth.

type ClaimsSink

type ClaimsSink struct {
	// contains filtered or unexported fields
}

ClaimsSink is a per-request holder that lets a Verifier (invoked deep inside openapi3filter request validation) hand the claims it established back to the HTTP handler without mutating the request.

func WithClaimsSink

func WithClaimsSink(ctx context.Context) (context.Context, *ClaimsSink)

WithClaimsSink returns a context carrying a fresh ClaimsSink and the sink itself. Pass the returned context to openapi3filter.ValidateRequest so that Authenticate can record claims into the sink.

func (*ClaimsSink) Claims

func (s *ClaimsSink) Claims() Claims

Claims returns the claims recorded during authentication, or nil if none.

type Credentials

type Credentials struct {
	// Scheme is the HTTP auth scheme the credentials were parsed from,
	// either "basic" or "bearer".
	Scheme string
	// Username and Password are populated for basic auth.
	Username string
	Password string
	// Token is populated for bearer auth.
	Token string
	// Scopes are the scopes required by the matched security requirement.
	Scopes []string
	// DiscoveryURL is the OpenID Connect discovery URL declared on the
	// security scheme (openIdConnectUrl), populated for openIdConnect schemes.
	DiscoveryURL string
}

Credentials holds the credentials parsed from an incoming request's Authorization header for a given security scheme.

type OIDCConfig

type OIDCConfig struct {
	// Issuer is the OIDC issuer URL. When empty, the issuer is derived from the
	// security scheme's openIdConnectUrl (DiscoveryURL on the credentials).
	Issuer string
	// Audience is the expected token audience (aud). When empty, the audience
	// check is skipped (signature, exp and iss are still verified).
	Audience string
}

OIDCConfig configures an OIDC verifier. Both fields are optional.

type Verifier

type Verifier func(ctx context.Context, creds Credentials) (Claims, error)

Verifier validates parsed credentials for a security scheme. On success it returns the Claims it established (may be nil) and a nil error; on failure it returns a non-nil error describing why authentication failed.

func GetVerifier

func GetVerifier(schemeName string) (Verifier, error)

GetVerifier retrieves the Verifier registered for a security scheme name.

func OIDCVerifier

func OIDCVerifier(cfg OIDCConfig) Verifier

OIDCVerifier returns a Verifier that validates JWT bearer tokens against an OIDC provider discovered via its .well-known/openid-configuration document. Providers are discovered lazily on first use and cached per issuer, so server startup does not depend on the identity provider being reachable.

func StaticBasicVerifier

func StaticBasicVerifier(username, password string) Verifier

StaticBasicVerifier returns a Verifier that accepts a single username and password pair, compared in constant time. It fails closed when the security requirement demands scopes, which a static credential cannot satisfy.

func StaticBearerVerifier

func StaticBearerVerifier(token string) Verifier

StaticBearerVerifier returns a Verifier that accepts a single bearer token, compared in constant time. It fails closed when the security requirement demands scopes, which a static token cannot satisfy.
