Documentation

Overview

Package auth contains the authentication logic for the control plane.

Index
- Constants
- Variables
- func DeleteAccessToken(ctx context.Context, provider string, token string) error
- func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
- func NewProviderHttpClient(provider string) *http.Client
- func WithIdentityContext(ctx context.Context, identity *Identity) context.Context
- type Identity
- type IdentityClient
- type IdentityProvider
- type Resolver
Constants
const (
// Github OAuth2 provider
Github = "github"
)
Variables

var OAuthSuccessHtml []byte

OAuthSuccessHtml is the HTML page sent to the client upon successful enrollment via the CLI.
Functions

func DeleteAccessToken

func DeleteAccessToken(ctx context.Context, provider string, token string) error

DeleteAccessToken deletes the access token for a given provider.
func GetUserForGitHubId
func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
GetUserForGitHubId looks up a user in Keycloak by their GitHub ID. This is a temporary implementation until we have a proper interface in front of IDP implementations.

If the user is found, it returns their subject _in Keycloak_, suitable for use in the `sub` claim of a JWT and in OpenFGA's user field. Note that this function returns ("", nil) when no Keycloak user matches the GitHub ID: "not found" is signalled by the empty string, not by an error, so callers must check for an empty result before using it as a subject.
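The ("", nil) result is easy to overlook, and an empty subject that reaches a JWT `sub` claim or an OpenFGA user field is a bad failure mode. The following is an added example, not code from the package, showing how a caller can turn the empty-string case into an explicit error. `LookupFunc` is an assumed shape that stands in for GetUserForGitHubId with the `server.IdentityConfigWrapper` already bound, and `fakeLookup` is constructed sample data in place of the real Keycloak query.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// LookupFunc has the shape of GetUserForGitHubId with the identity config already
// bound. It is an assumption made for this example, not a type in the package.
type LookupFunc func(ctx context.Context, ghUser int64) (string, error)

// ErrUnknownGitHubUser replaces the ("", nil) result so that "not found" becomes an
// error value callers cannot accidentally treat as a valid subject.
var ErrUnknownGitHubUser = errors.New("no Keycloak user is mapped to this GitHub ID")

// SubjectForGitHubID wraps a lookup and guarantees that a nil error comes with a
// non-empty Keycloak subject, safe to place in a JWT `sub` claim or an OpenFGA
// user field. Transport or query errors are kept distinct from "unknown user".
func SubjectForGitHubID(ctx context.Context, lookup LookupFunc, ghUser int64) (string, error) {
	sub, err := lookup(ctx, ghUser)
	if err != nil {
		return "", fmt.Errorf("looking up GitHub ID %d: %w", ghUser, err)
	}
	if sub == "" {
		return "", fmt.Errorf("GitHub ID %d: %w", ghUser, ErrUnknownGitHubUser)
	}
	return sub, nil
}

// fakeLookup is constructed sample data standing in for the Keycloak query. Like
// the documented function, it returns "" with a nil error for an unknown ID.
func fakeLookup(_ context.Context, ghUser int64) (string, error) {
	known := map[int64]string{
		583231: "3f1c9a2e-0000-4000-8000-000000000001", // constructed Keycloak subject
	}
	return known[ghUser], nil
}

func main() {
	ctx := context.Background()
	for _, gh := range []int64{583231, 42} {
		sub, err := SubjectForGitHubID(ctx, fakeLookup, gh)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("subject for GitHub ID", gh, "is", sub)
	}
}
```

Keeping `ErrUnknownGitHubUser` separate from wrapped lookup errors lets an HTTP handler map the two cases to different responses (for example 403 versus 502) instead of collapsing both into a generic failure.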
func NewProviderHttpClient

func NewProviderHttpClient(provider string) *http.Client

NewProviderHttpClient creates a new HTTP client for the given provider.
Types

type Identity
type Identity struct {
// UserID is a stable unique identifier for the user. This may be a large
// integer or a UUID, rather than something human-readable.
//
// For KeyCloak, this is `sub`.
UserID string
// HumanName is a human-readable name. Because humans are fickle, these may
// not be unique or stable over time, though they should be unique at any
// particular time. For example, Alex may change their handle from
// "alexsmith" to "alexawesome" after a life change, and someone else might
// enroll the "alexsmith" handle. If you are storing data, you want UserID,
// not HumanName. If you are presenting data, you probably want HumanName.
//
// For KeyCloak, this is `preferred_username`. For some other providers,
// this might be an email address.
HumanName string
// Provider is the identity provider that vended this identity. Note that
// UserID and HumanName are only unique within the context of a single
// identity provider.
Provider IdentityProvider
// FirstName and LastName are optional fields that may be provided by the
// identity provider. These are not guaranteed to be present, and may be
// empty.
FirstName string
LastName string
}
Identity represents a particular user's identity in a particular trust domain (represented by an IdentityProvider).
func IdentityFromContext added in v0.0.84

IdentityFromContext retrieves the caller's identity from the context. This may return `nil` or an empty Identity if the caller is not authenticated, so callers must handle both cases before relying on UserID.
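The Identity docs above make two points a practitioner should internalise: key stored data on UserID, never HumanName, and treat a nil or empty Identity from the context as unauthenticated. The following is an added example, not the package's own code; `WithIdentityContext` and `IdentityFromContext` are re-implemented with the usual unexported-context-key pattern, Identity is reduced to a string `Provider` field, and `CallerKey` and `HandleReuseScenario` are hypothetical helpers that replay the "alexsmith" handle-reuse scenario from the docs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Identity copies the documented fields; Provider is reduced to the provider's
// String() name to keep the example self-contained (example code, not the package's).
type Identity struct {
	UserID    string
	HumanName string
	Provider  string
}

// identityKey is an unexported key type: other packages cannot construct it, so
// they cannot overwrite the identity an authentication middleware stored.
type identityKey struct{}

// WithIdentityContext and IdentityFromContext are re-implemented here to show the
// shape of the pair; the package's own bodies are not shown on this page.
func WithIdentityContext(ctx context.Context, id *Identity) context.Context {
	return context.WithValue(ctx, identityKey{}, id)
}

func IdentityFromContext(ctx context.Context) *Identity {
	id, _ := ctx.Value(identityKey{}).(*Identity)
	return id // nil when no identity was ever stored
}

var ErrUnauthenticated = errors.New("no authenticated identity in context")

// CallerKey is the string an authorization store should index on. A nil pointer
// and an empty Identity are both treated as unauthenticated, and UserID is
// qualified with the provider name because it is only unique within one provider.
func CallerKey(ctx context.Context) (string, error) {
	id := IdentityFromContext(ctx)
	if id == nil || id.UserID == "" {
		return "", ErrUnauthenticated
	}
	return id.Provider + "/" + id.UserID, nil
}

// HandleReuseScenario replays the docs' example: Alex enrolls as "alexsmith", later
// renames to "alexawesome", and a newcomer takes the freed "alexsmith" handle. It
// reports whether each keying strategy grants the newcomer access to Alex's repo.
func HandleReuseScenario() (handleKeyed bool, userIDKeyed bool) {
	alex := &Identity{UserID: "7f3a9c", HumanName: "alexsmith", Provider: "keycloak"}
	alexKey, _ := CallerKey(WithIdentityContext(context.Background(), alex))

	// Two repo -> owner stores, one per strategy (constructed sample data).
	byHandle := map[string]string{"infra-repo": alex.HumanName}
	byUserID := map[string]string{"infra-repo": alexKey}

	alex.HumanName = "alexawesome"
	newcomer := &Identity{UserID: "c2d4e6", HumanName: "alexsmith", Provider: "keycloak"}
	ctx := WithIdentityContext(context.Background(), newcomer)

	handleKeyed = byHandle["infra-repo"] == IdentityFromContext(ctx).HumanName
	key, err := CallerKey(ctx)
	userIDKeyed = err == nil && byUserID["infra-repo"] == key
	return handleKeyed, userIDKeyed
}

func main() {
	h, u := HandleReuseScenario()
	fmt.Printf("newcomer gets Alex's repo when keyed by HumanName: %v, by UserID: %v\n", h, u)
	if _, err := CallerKey(context.Background()); err != nil {
		fmt.Println("unauthenticated request:", err)
	}
}
```

In the scenario the HumanName-keyed store hands Alex's repo to the newcomer, while the UserID-keyed store does not; that is the whole argument for "if you are storing data, you want UserID".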
type IdentityClient
type IdentityClient struct {
// contains filtered or unexported fields
}
IdentityClient supports the ability to look up identities in one or more IdentityProviders.
func NewIdentityClient
func NewIdentityClient(providers ...IdentityProvider) (*IdentityClient, error)
NewIdentityClient creates a new IdentityClient with the supplied providers.
func (*IdentityClient) Register
func (c *IdentityClient) Register(p IdentityProvider) error
Register registers a new identity provider with the client.
type IdentityProvider
type IdentityProvider interface {
Resolver
// String returns the name of the identity provider. This should be a short
// one-word string suitable for presentation. As a special case, a _single_
// provider may use the empty string as its name to act as a default / fallback
// provider.
String() string
// URL returns the `iss` URL of the identity provider.
URL() url.URL
}
IdentityProvider provides an abstract interface for looking up identities in a remote identity provider.
type Resolver
type Resolver interface {
// Validate validates a token and returns an underlying identity representation
// suitable for use in authz calls. This _probably_ reads data from the token,
// but could fetch from an external provider.
Validate(ctx context.Context, token jwt.Token) (*Identity, error)
// Resolve takes either a human-readable identifier or a stable identifier and
// returns the underlying identity. This may involve looking up or defining
// the identity in the remote identity provider.
//
// For Keycloak + GitHub, this may define a new user in Keycloak based on
// GitHub user data if the user is not already known to Keycloak.
Resolve(ctx context.Context, id string) (*Identity, error)
}
Resolver is an interface for resolving human-readable or stable identifiers from either JWTs or stored strings.
Directories

| Path | Synopsis |
|---|---|
| githubactions | Package githubactions provides an implementation of the GitHub IdentityProvider. |
| jwt | Package jwt provides the logic for reading and validating JWT tokens. |
| jwt/dynamic | Package dynamic provides the logic for reading and validating JWT tokens using a JWKS URL from the token's `iss` claim. |
| jwt/merged | Package merged provides the logic for reading and validating JWT tokens. |
| jwt/mock | Package mock_jwt is a generated GoMock package. |
| jwt/noop | Package noop provides a no-op implementation of the Validator interface. |
| keycloak | Package keycloak provides an implementation of the Keycloak IdentityProvider. |
| keycloak/client | Package client provides primitives to interact with the openapi HTTP API. |
| mock | Package mock_auth is a generated GoMock package. |