auth

package
v1.0.9 Latest
Published: Mar 4, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package auth provides authentication for Microsoft Graph using MSAL.

Index

Constants

This section is empty.

Variables

var ErrIncrementalConsentNotSupported = fmt.Errorf("incremental consent is not supported for app-only authentication; grant the required permissions in the Entra ID portal")

ErrIncrementalConsentNotSupported is returned when incremental consent is attempted with an app-only auth method.

Functions

func StatusJSON

func StatusJSON(ctx context.Context, provider TokenProvider) ([]byte, error)

StatusJSON returns the status as JSON bytes.

Types

type ClientCertificateClient added in v1.0.0

type ClientCertificateClient struct {
	// contains filtered or unexported fields
}

ClientCertificateClient implements TokenProvider using a client certificate.

func NewClientCertificateClient added in v1.0.0

func NewClientCertificateClient(cfg *config.Config) (*ClientCertificateClient, error)

NewClientCertificateClient creates a confidential client using a certificate.

func (*ClientCertificateClient) AcquireToken added in v1.0.0

func (c *ClientCertificateClient) AcquireToken(ctx context.Context, _ []string) (string, error)

AcquireToken acquires a token using client certificate credentials.

func (*ClientCertificateClient) AcquireTokenWithExtraScopes added in v1.0.0

func (c *ClientCertificateClient) AcquireTokenWithExtraScopes(_ context.Context, _, _ []string) (string, error)

AcquireTokenWithExtraScopes is not supported for app-only auth.

func (*ClientCertificateClient) IsAppOnly added in v1.0.0

func (c *ClientCertificateClient) IsAppOnly() bool

IsAppOnly returns true.

func (*ClientCertificateClient) SignOut added in v1.0.0

func (c *ClientCertificateClient) SignOut() error

SignOut clears the token cache.

func (*ClientCertificateClient) Status added in v1.0.0

func (c *ClientCertificateClient) Status(ctx context.Context) (map[string]interface{}, error)

Status returns the current auth state.

type ClientSecretClient added in v1.0.0

type ClientSecretClient struct {
	// contains filtered or unexported fields
}

ClientSecretClient implements TokenProvider using client secret credentials.

func NewClientSecretClient added in v1.0.0

func NewClientSecretClient(cfg *config.Config) (*ClientSecretClient, error)

NewClientSecretClient creates a confidential client using a client secret.

func (*ClientSecretClient) AcquireToken added in v1.0.0

func (c *ClientSecretClient) AcquireToken(ctx context.Context, _ []string) (string, error)

AcquireToken acquires a token using client credentials.

func (*ClientSecretClient) AcquireTokenWithExtraScopes added in v1.0.0

func (c *ClientSecretClient) AcquireTokenWithExtraScopes(_ context.Context, _, _ []string) (string, error)

AcquireTokenWithExtraScopes is not supported for app-only auth.

func (*ClientSecretClient) IsAppOnly added in v1.0.0

func (c *ClientSecretClient) IsAppOnly() bool

IsAppOnly returns true.

func (*ClientSecretClient) SignOut added in v1.0.0

func (c *ClientSecretClient) SignOut() error

SignOut clears the token cache.

func (*ClientSecretClient) Status added in v1.0.0

func (c *ClientSecretClient) Status(ctx context.Context) (map[string]interface{}, error)

Status returns the current auth state.

type DelegatedClient added in v1.0.0

type DelegatedClient struct {
	// contains filtered or unexported fields
}

DelegatedClient implements TokenProvider using MSAL public client (interactive + device code). This is the default auth method for user-delegated authentication.

func NewDelegatedClient added in v1.0.0

func NewDelegatedClient(cfg *config.Config) (*DelegatedClient, error)

NewDelegatedClient creates a new MSAL public client for delegated auth.

func (*DelegatedClient) AcquireToken added in v1.0.0

func (c *DelegatedClient) AcquireToken(ctx context.Context, scopes []string) (string, error)

AcquireToken attempts silent auth first, then falls back to interactive/device code.

func (*DelegatedClient) AcquireTokenDeviceCode added in v1.0.0

func (c *DelegatedClient) AcquireTokenDeviceCode(ctx context.Context, scopes []string) (string, error)

AcquireTokenDeviceCode uses the device code flow for authentication.

func (*DelegatedClient) AcquireTokenInteractive added in v1.0.0

func (c *DelegatedClient) AcquireTokenInteractive(ctx context.Context, scopes []string) (string, error)

AcquireTokenInteractive opens the system browser for authentication.

func (*DelegatedClient) AcquireTokenSilent added in v1.0.0

func (c *DelegatedClient) AcquireTokenSilent(ctx context.Context, scopes []string) (string, error)

AcquireTokenSilent attempts to get a token from the cache without user interaction.

func (*DelegatedClient) AcquireTokenWithExtraScopes added in v1.0.0

func (c *DelegatedClient) AcquireTokenWithExtraScopes(ctx context.Context, existingScopes, extraScopes []string) (string, error)

AcquireTokenWithExtraScopes re-authenticates with additional scopes for incremental consent.

func (*DelegatedClient) GetAccounts added in v1.0.0

func (c *DelegatedClient) GetAccounts(ctx context.Context) ([]public.Account, error)

GetAccounts returns the accounts currently in the cache.

func (*DelegatedClient) IsAppOnly added in v1.0.0

func (c *DelegatedClient) IsAppOnly() bool

IsAppOnly returns false — delegated auth has a user context.

func (*DelegatedClient) SignOut added in v1.0.0

func (c *DelegatedClient) SignOut() error

SignOut clears the session cache.

func (*DelegatedClient) Status added in v1.0.0

func (c *DelegatedClient) Status(ctx context.Context) (map[string]interface{}, error)

Status returns information about the current auth state.

type ManagedIdentityClient added in v1.0.0

type ManagedIdentityClient struct {
	// contains filtered or unexported fields
}

ManagedIdentityClient implements TokenProvider using Azure managed identity. This works on Azure VMs, App Service, Azure Functions, AKS, and other Azure compute resources with a managed identity assigned.

func NewManagedIdentityClient added in v1.0.0

func NewManagedIdentityClient(cfg *config.Config) (*ManagedIdentityClient, error)

NewManagedIdentityClient creates a managed identity client. If MSGRAPH_MANAGED_IDENTITY_CLIENT_ID is set, uses a user-assigned identity. Otherwise, uses the system-assigned identity.

func (*ManagedIdentityClient) AcquireToken added in v1.0.0

func (c *ManagedIdentityClient) AcquireToken(ctx context.Context, _ []string) (string, error)

AcquireToken acquires a token using managed identity.

func (*ManagedIdentityClient) AcquireTokenWithExtraScopes added in v1.0.0

func (c *ManagedIdentityClient) AcquireTokenWithExtraScopes(_ context.Context, _, _ []string) (string, error)

AcquireTokenWithExtraScopes is not supported for app-only auth.

func (*ManagedIdentityClient) IsAppOnly added in v1.0.0

func (c *ManagedIdentityClient) IsAppOnly() bool

IsAppOnly returns true.

func (*ManagedIdentityClient) SignOut added in v1.0.0

func (c *ManagedIdentityClient) SignOut() error

SignOut is a no-op for managed identity (no session to clear).

func (*ManagedIdentityClient) Status added in v1.0.0

func (c *ManagedIdentityClient) Status(ctx context.Context) (map[string]interface{}, error)

Status returns the current auth state.

type SessionData

type SessionData struct {
	Account  public.Account `json:"account"`
	TenantID string         `json:"tenantId"`
	ClientID string         `json:"clientId"`
	Scopes   []string       `json:"scopes"`
}

SessionData stores the current auth session state.

type TokenProvider added in v1.0.0

type TokenProvider interface {
	// AcquireToken gets an access token for the given scopes.
	// For app-only auth, individual scopes are ignored and .default is used.
	AcquireToken(ctx context.Context, scopes []string) (string, error)

	// AcquireTokenWithExtraScopes re-acquires a token with additional scopes
	// for incremental consent. Returns ErrIncrementalConsentNotSupported for
	// app-only auth methods where permissions are pre-granted by admin.
	AcquireTokenWithExtraScopes(ctx context.Context, existingScopes, extraScopes []string) (string, error)

	// SignOut clears any cached credentials/sessions.
	SignOut() error

	// Status returns information about the current auth state.
	Status(ctx context.Context) (map[string]interface{}, error)

	// IsAppOnly returns true for app-only auth methods (no user context).
	IsAppOnly() bool
}

TokenProvider is the interface for all auth methods. The Graph HTTP client uses this interface to acquire tokens without knowing the underlying method.

func NewTokenProvider added in v1.0.0

func NewTokenProvider(cfg *config.Config) (TokenProvider, error)

NewTokenProvider creates the appropriate TokenProvider based on the config. It auto-detects the auth method from environment variables.
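The contract above (app-only providers ignore scopes and return ErrIncrementalConsentNotSupported for incremental consent; DelegatedClient re-authenticates) is what a caller has to program against. The following is an added example, not code from this package: it re-declares the documented interface and sentinel so it compiles offline, uses a constructed fakeProvider in place of the real clients, and shows a caller that only asks for scopes it does not already hold and turns the app-only sentinel into an operator-facing error rather than a re-auth loop.

```go
package main
import (
	"context"
	"errors"
	"fmt"
)
// TokenProvider and the sentinel are re-declared from the docs so this added example compiles stand-alone; they are not the package's own code.
type TokenProvider interface {
	AcquireToken(ctx context.Context, scopes []string) (string, error)
	AcquireTokenWithExtraScopes(ctx context.Context, existingScopes, extraScopes []string) (string, error)
	SignOut() error
	Status(ctx context.Context) (map[string]interface{}, error)
	IsAppOnly() bool
}
var ErrIncrementalConsentNotSupported = errors.New("incremental consent is not supported for app-only authentication")
// fakeProvider is a constructed stand-in: appOnly=true mimics the secret, certificate, managed-identity and workload-identity clients; appOnly=false mimics DelegatedClient.
type fakeProvider struct{ appOnly bool }
func (f fakeProvider) AcquireToken(context.Context, []string) (string, error) { return "token", nil }
func (f fakeProvider) AcquireTokenWithExtraScopes(_ context.Context, have, extra []string) (string, error) {
	if f.appOnly { // permissions are pre-granted by an admin; there is no runtime consent to add
		return "", ErrIncrementalConsentNotSupported
	}
	return fmt.Sprintf("token+%d", len(have)+len(extra)), nil // re-auth with the union of scopes
}
func (f fakeProvider) SignOut() error { return nil }
func (f fakeProvider) Status(context.Context) (map[string]interface{}, error) { return map[string]interface{}{"appOnly": f.appOnly}, nil }
func (f fakeProvider) IsAppOnly() bool { return f.appOnly }
// EnsureScopes acquires a token covering want. Only scopes absent from have trigger incremental
// consent; the app-only sentinel is wrapped with those scopes so the operator knows what to grant in Entra ID instead of the caller looping on re-auth.
func EnsureScopes(ctx context.Context, p TokenProvider, have, want []string) (string, error) {
	granted := make(map[string]bool, len(have))
	for _, s := range have {
		granted[s] = true
	}
	var missing []string
	for _, s := range want {
		if !granted[s] {
			missing = append(missing, s)
		}
	}
	if len(missing) == 0 {
		return p.AcquireToken(ctx, have) // nothing new to consent to
	}
	tok, err := p.AcquireTokenWithExtraScopes(ctx, have, missing)
	if errors.Is(err, ErrIncrementalConsentNotSupported) {
		return "", fmt.Errorf("scopes %v need an admin grant: %w", missing, err)
	}
	return tok, err
}
```

Because the error is wrapped with %w, callers can still test it with errors.Is and decide whether to stop, log, or instruct an administrator.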

type WorkloadIdentityClient added in v1.0.0

type WorkloadIdentityClient struct {
	// contains filtered or unexported fields
}

WorkloadIdentityClient implements TokenProvider using federated token assertion. This supports workload identity federation from Azure Kubernetes Service, AWS EKS, GCP GKE, and other environments that provide a JWT token file.

The token file is re-read on each acquisition to pick up rotated tokens.
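As an added example of the re-read-on-each-acquisition behaviour (not WorkloadIdentityClient's own code; the function names and the skew parameter are this example's own), the reader below opens the token file on every call so a rotated token is picked up, and fails early with a clear message when the file holds an already expired assertion, which typically means the projected volume was not refreshed. It only decodes the payload for the exp check; the signature is verified by Entra ID when the assertion is exchanged, not here.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)
// ReadFederatedToken is an added example of the "re-read on each acquisition" behaviour, not
// WorkloadIdentityClient's own code. It reads the token file fresh on every call so a rotated
// token is picked up, and fails early if the token is expired (or expires within skew). It only
// decodes the payload; signature verification is Entra ID's job when the assertion is exchanged.
func ReadFederatedToken(path string, now time.Time, skew time.Duration) (string, time.Time, error) {
	data, err := os.ReadFile(path) // no caching between calls
	if err != nil {
		return "", time.Time{}, fmt.Errorf("read federated token file: %w", err)
	}
	raw := strings.TrimSpace(string(data))
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return "", time.Time{}, errors.New("token file is not a JWS compact serialization")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", time.Time{}, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == 0 {
		return "", time.Time{}, errors.New("JWT payload has no usable exp claim")
	}
	exp := time.Unix(claims.Exp, 0)
	if !now.Add(skew).Before(exp) {
		return "", exp, fmt.Errorf("federated token expired at %s; was the projected volume rotated?", exp.UTC().Format(time.RFC3339))
	}
	return raw, exp, nil
}
// WriteSampleToken writes a constructed, unsigned header.payload.sig token for offline demos.
func WriteSampleToken(path string, exp time.Time) error {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	tok := enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(map[string]int64{"exp": exp.Unix()}) + ".sig"
	return os.WriteFile(path, []byte(tok+"\n"), 0o600)
}
```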

func NewWorkloadIdentityClient added in v1.0.0

func NewWorkloadIdentityClient(cfg *config.Config) (*WorkloadIdentityClient, error)

NewWorkloadIdentityClient creates a confidential client using a federated token assertion.

func (*WorkloadIdentityClient) AcquireToken added in v1.0.0

func (c *WorkloadIdentityClient) AcquireToken(ctx context.Context, _ []string) (string, error)

AcquireToken acquires a token using the federated assertion.

func (*WorkloadIdentityClient) AcquireTokenWithExtraScopes added in v1.0.0

func (c *WorkloadIdentityClient) AcquireTokenWithExtraScopes(_ context.Context, _, _ []string) (string, error)

AcquireTokenWithExtraScopes is not supported for app-only auth.

func (*WorkloadIdentityClient) IsAppOnly added in v1.0.0

func (c *WorkloadIdentityClient) IsAppOnly() bool

IsAppOnly returns true.

func (*WorkloadIdentityClient) SignOut added in v1.0.0

func (c *WorkloadIdentityClient) SignOut() error

SignOut clears the token cache.

func (*WorkloadIdentityClient) Status added in v1.0.0

func (c *WorkloadIdentityClient) Status(ctx context.Context) (map[string]interface{}, error)

Status returns the current auth state.
