workloadidentity

package
v0.13.0
Published: Feb 11, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package workloadidentity provides functionality for managing and using workload identity tokens based on RFC 8693: OAuth 2.0 Token Exchange.

Constants

const (

	// DefaultSubjectTokenType is the default subject token type for token exchange.
	DefaultSubjectTokenType = SubjectTokenTypeIDToken
)

Variables

var (
	// ErrExchangingToken is returned when there is an error exchanging tokens
	ErrExchangingToken = errors.New("error exchanging token")
	// ErrInvalidSubjectTokenType is returned when an invalid subject token type is provided
	ErrInvalidSubjectTokenType = errors.New("invalid subject token type")
)

Functions

func NewTokenSource

func NewTokenSource(
	ctx context.Context,
	tokenurl string,
	opts ...Option,
) oauth2.TokenSource

NewTokenSource returns a TokenSource that uses workload identity.

Types

type Option

type Option func(*WorkloadTokenSource)

Option is a functional config option for the TokenSource.

func WithAudience

func WithAudience(aud string) Option

WithAudience sets the audience for the token exchange.

func WithHTTPClient

func WithHTTPClient(client *http.Client) Option

WithHTTPClient sets a custom HTTP client for token requests.

func WithKubeSubjectToken

func WithKubeSubjectToken(tokenPath string, tt SubjectTokenType) Option

WithKubeSubjectToken sets the function to retrieve the subject token from a Kubernetes service account token file.

func WithLogger

func WithLogger(logger *zap.Logger) Option

WithLogger sets the logger for the WorkloadTokenSource.

func WithRequestTimeout

func WithRequestTimeout(timeout time.Duration) Option

WithRequestTimeout sets the request timeout for token requests.

func WithScopes

func WithScopes(scopes ...string) Option

WithScopes sets the scopes for the access token.

func WithSubjectTokenFn

func WithSubjectTokenFn(fn SubjectTokenFn, tt SubjectTokenType) Option

WithSubjectTokenFn sets the function to retrieve the subject token. It also sets the subject token type.

func WithTokenReuseExpiry

func WithTokenReuseExpiry(d time.Duration) Option

WithTokenReuseExpiry sets the token reuse expiry for the WorkloadTokenSource.

func WithTracer

func WithTracer(tracer trace.Tracer) Option

WithTracer sets the tracer for the WorkloadTokenSource.

type SubjectTokenFn

type SubjectTokenFn func(context.Context) (*oauth2.Token, error)

SubjectTokenFn is a function that retrieves the subject token.

type SubjectTokenType

type SubjectTokenType string

SubjectTokenType is an identifier that describes the subject token (RFC 8693, section 3: https://datatracker.ietf.org/doc/html/rfc8693#section-3).

const (
	// SubjectTokenTypeAccessToken indicates that the token is an OAuth 2.0
	// access token issued by the given authorization server.
	SubjectTokenTypeAccessToken SubjectTokenType = "urn:ietf:params:oauth:token-type:access_token"
	// SubjectTokenTypeIDToken indicates that the token is an ID Token as
	// defined in Section 2 of [OpenID.Core](https://openid.net/specs/openid-connect-core-1_0.html).
	SubjectTokenTypeIDToken SubjectTokenType = "urn:ietf:params:oauth:token-type:id_token"
	// SubjectTokenTypeRefreshToken indicates that the token is an OAuth 2.0
	// refresh token issued by the given authorization server.
	SubjectTokenTypeRefreshToken SubjectTokenType = "urn:ietf:params:oauth:token-type:refresh_token"
	// SubjectTokenTypeSAML1 indicates that the token is a base64url-encoded
	// SAML 1.1 [OASIS.saml-core-1.1] assertion.
	SubjectTokenTypeSAML1 SubjectTokenType = "urn:ietf:params:oauth:token-type:saml1"
	// SubjectTokenTypeSAML2 indicates that the token is a base64url-encoded
	// SAML 2.0 [OASIS.saml-core-2.0-os](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
	// assertion.
	SubjectTokenTypeSAML2 SubjectTokenType = "urn:ietf:params:oauth:token-type:saml2"
)

func NewSubjectTokenTypeFromString added in v0.9.1

func NewSubjectTokenTypeFromString(in string) (SubjectTokenType, error)

NewSubjectTokenTypeFromString creates a new SubjectTokenType from a string.

type TokenExchangeErrorResponse

type TokenExchangeErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
	ErrorURI         string `json:"error_uri,omitempty"`
}

TokenExchangeErrorResponse is the error response for an RFC 8693 request (see https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2 and https://www.rfc-editor.org/rfc/rfc6749#section-5.2).

type TokenExchangeSuccessfulResponse

type TokenExchangeSuccessfulResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
	Scope           string `json:"scope,omitempty"`
}

TokenExchangeSuccessfulResponse is the successful response for an RFC 8693 request (see https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.1).
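The request parameters and the two response shapes described above, as an added example that is not the package's own code. It is a constructed, standard-library-only reimplementation around the page's types and sentinel errors: parseSubjectTokenType, buildExchangeForm and decodeExchangeResponse are hypothetical names, and the assumption that exactly the five token-type URNs listed above are accepted mirrors what NewSubjectTokenTypeFromString is documented to do but is not confirmed by the page. The JSON bodies in main are constructed STS replies.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Constructed example, not the package's own code. Types and sentinel errors mirror the
// page; parseSubjectTokenType, buildExchangeForm and decodeExchangeResponse are hypothetical.
type SubjectTokenType string

const (
	SubjectTokenTypeAccessToken  SubjectTokenType = "urn:ietf:params:oauth:token-type:access_token"
	SubjectTokenTypeIDToken      SubjectTokenType = "urn:ietf:params:oauth:token-type:id_token"
	SubjectTokenTypeRefreshToken SubjectTokenType = "urn:ietf:params:oauth:token-type:refresh_token"
	SubjectTokenTypeSAML1        SubjectTokenType = "urn:ietf:params:oauth:token-type:saml1"
	SubjectTokenTypeSAML2        SubjectTokenType = "urn:ietf:params:oauth:token-type:saml2"
	// grantTypeTokenExchange is the grant_type value from RFC 8693 section 2.1.
	grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
)

var (
	ErrExchangingToken         = errors.New("error exchanging token")
	ErrInvalidSubjectTokenType = errors.New("invalid subject token type")
)

type (
	TokenExchangeSuccessfulResponse struct {
		AccessToken     string `json:"access_token"`
		IssuedTokenType string `json:"issued_token_type"`
		TokenType       string `json:"token_type"`
		ExpiresIn       int    `json:"expires_in"`
		Scope           string `json:"scope,omitempty"`
	}
	TokenExchangeErrorResponse struct {
		Error            string `json:"error"`
		ErrorDescription string `json:"error_description,omitempty"`
		ErrorURI         string `json:"error_uri,omitempty"`
	}
)

// parseSubjectTokenType accepts only the URNs above (assumed acceptance set), so an
// unexpected or mistyped type fails closed instead of being sent to the STS.
func parseSubjectTokenType(in string) (SubjectTokenType, error) {
	switch t := SubjectTokenType(in); t {
	case SubjectTokenTypeAccessToken, SubjectTokenTypeIDToken, SubjectTokenTypeRefreshToken,
		SubjectTokenTypeSAML1, SubjectTokenTypeSAML2:
		return t, nil
	}
	return "", fmt.Errorf("%w: %q", ErrInvalidSubjectTokenType, in)
}

// buildExchangeForm assembles the RFC 8693 section 2.1 request parameters; audience and
// scope are optional and are omitted rather than sent empty.
func buildExchangeForm(subjectToken string, tt SubjectTokenType, audience string, scopes []string) (url.Values, error) {
	if _, err := parseSubjectTokenType(string(tt)); err != nil {
		return nil, err
	}
	form := url.Values{"grant_type": {grantTypeTokenExchange},
		"subject_token": {subjectToken}, "subject_token_type": {string(tt)}}
	if audience != "" {
		form.Set("audience", audience)
	}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " "))
	}
	return form, nil
}

// decodeExchangeResponse maps HTTP 200 to the section 2.2.1 success body and any other
// status to the section 2.2.2 / RFC 6749 section 5.2 error body, wrapped in ErrExchangingToken.
func decodeExchangeResponse(status int, body io.Reader) (*TokenExchangeSuccessfulResponse, error) {
	dec := json.NewDecoder(io.LimitReader(body, 1<<20)) // bound what an STS can make us buffer
	if status != http.StatusOK {
		var e TokenExchangeErrorResponse
		if dec.Decode(&e) == nil && e.Error != "" {
			return nil, fmt.Errorf("%w: %s: %s", ErrExchangingToken, e.Error, e.ErrorDescription)
		}
		return nil, fmt.Errorf("%w: unexpected status %d", ErrExchangingToken, status)
	}
	var ok TokenExchangeSuccessfulResponse
	if err := dec.Decode(&ok); err != nil || ok.AccessToken == "" || ok.TokenType == "" {
		return nil, fmt.Errorf("%w: malformed success response", ErrExchangingToken)
	}
	return &ok, nil
}

func main() {
	form, err := buildExchangeForm("constructed-k8s-sa-jwt", SubjectTokenTypeIDToken, "api://example", []string{"read"})
	fmt.Println(form.Encode(), err)
	// Constructed STS replies, so the example runs offline.
	fmt.Println(decodeExchangeResponse(200, strings.NewReader(`{"access_token":"t","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":3600}`)))
	fmt.Println(decodeExchangeResponse(400, strings.NewReader(`{"error":"invalid_target","error_description":"audience not allowed"}`)))
}
```

Two fail-closed points are worth keeping in any client built on these types: an unknown subject_token_type never reaches the STS, and a 200 whose body lacks access_token or token_type is reported as an exchange error rather than turned into an empty bearer credential. The POST itself is plain net/http (NewRequestWithContext with Content-Type application/x-www-form-urlencoded), with timeouts coming from the ctx and the *http.Client, which is what WithRequestTimeout and WithHTTPClient configure.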

type WorkloadTokenSource

type WorkloadTokenSource struct {
	// contains filtered or unexported fields
}

WorkloadTokenSource implements oauth2.TokenSource.

func NewWorkloadTokenSource

func NewWorkloadTokenSource(
	ctx context.Context,
	tokenurl string,
	opts ...Option,
) *WorkloadTokenSource

NewWorkloadTokenSource returns a *WorkloadTokenSource.

func (*WorkloadTokenSource) Token

func (w *WorkloadTokenSource) Token() (*oauth2.Token, error)

Token returns a new OAuth2 token for the workload identity.
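WithTokenReuseExpiry and Token above imply a caching token source. The following is an added example, not the package's code, of what that caching looks like when the margin is enforced: cachingSource, newCachingSource and simulate are hypothetical names, the token struct is a trimmed stand-in for *oauth2.Token, and the reading that a token is reused only while more than the reuse expiry of its lifetime remains follows golang.org/x/oauth2's ReuseTokenSourceWithExpiry; whether WorkloadTokenSource applies it identically is an assumption. The clock, lifetimes and call offsets are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Constructed example, not the package's code. cachingSource hands the exchanged
// token out again until less than reuseExpiry of its lifetime remains, then
// re-exchanges. That early-refresh reading follows oauth2.ReuseTokenSourceWithExpiry
// and is an assumption about WorkloadTokenSource.

// token is a trimmed stand-in for *oauth2.Token.
type token struct {
	AccessToken string
	Expiry      time.Time
}

// exchangeFn stands in for the RFC 8693 exchange against the STS.
type exchangeFn func(context.Context) (*token, error)

type cachingSource struct {
	mu          sync.Mutex
	exchange    exchangeFn
	reuseExpiry time.Duration
	now         func() time.Time // injectable clock keeps the example deterministic
	cur         *token
}

func newCachingSource(fn exchangeFn, reuseExpiry time.Duration, now func() time.Time) *cachingSource {
	if now == nil {
		now = time.Now
	}
	return &cachingSource{exchange: fn, reuseExpiry: reuseExpiry, now: now}
}

// usable reports whether a token still has more than reuseExpiry of lifetime left,
// so a caller never receives one that expires while its request is in flight.
func (c *cachingSource) usable(t *token) bool {
	return t != nil && t.AccessToken != "" && c.now().Add(c.reuseExpiry).Before(t.Expiry)
}

// Token returns the cached token or exchanges a new one. The mutex makes
// concurrent callers share one exchange instead of each hitting the STS.
func (c *cachingSource) Token(ctx context.Context) (*token, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.usable(c.cur) {
		return c.cur, nil
	}
	t, err := c.exchange(ctx)
	if err != nil {
		return nil, err
	}
	if !c.usable(t) { // a token shorter than reuseExpiry would otherwise refresh on every call
		return nil, errors.New("exchanged token lifetime is shorter than the reuse expiry")
	}
	c.cur = t
	return t, nil
}

// simulate calls Token at the given offsets from a fixed start, with each exchange
// issuing a token of the given lifetime, and returns how many exchanges happened.
func simulate(lifetime, reuseExpiry time.Duration, offsets []time.Duration) (int, error) {
	start := time.Date(2026, 2, 11, 0, 0, 0, 0, time.UTC) // constructed clock origin
	clock := start
	exchanges := 0
	src := newCachingSource(func(context.Context) (*token, error) {
		exchanges++
		return &token{AccessToken: fmt.Sprintf("constructed-token-%d", exchanges), Expiry: clock.Add(lifetime)}, nil
	}, reuseExpiry, func() time.Time { return clock })
	for _, off := range offsets {
		clock = start.Add(off)
		if _, err := src.Token(context.Background()); err != nil {
			return exchanges, err
		}
	}
	return exchanges, nil
}

func main() {
	n, err := simulate(60*time.Minute, 10*time.Minute, []time.Duration{0, 30 * time.Minute, 55 * time.Minute})
	fmt.Println(n, err) // 2 <nil>: reused at 30m, refreshed at 55m with only 5m left, under the 10m margin
}
```

Two details carry over to a real implementation: the mutex means many goroutines calling Token() at once trigger a single exchange rather than a stampede at the STS, and a token whose lifetime is shorter than the reuse expiry is rejected up front, because otherwise every call would re-exchange and the cache would silently do nothing.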
