auth package

v0.64.2
Published: Jan 27, 2026 License: BSD-3-Clause Imports: 36 Imported by: 0

Constants

const (
	HostedGrantType = "urn:ietf:params:oauth:grant-type:device_code"
)

HostedGrantType is the grant_type value sent in the token request of the Device Authorization Flow (RFC 8628) against the hosted IDP.

Variables

This section is empty.

Functions

This section is empty.

Types

type Auth added in v0.64.2

type Auth struct {
	// contains filtered or unexported fields
}

Auth manages authentication operations with the management server. It maintains a long-lived connection and automatically handles reconnection with backoff.

func NewAuth added in v0.64.2

func NewAuth(ctx context.Context, privateKey string, mgmURL *url.URL, config *profilemanager.Config) (*Auth, error)

NewAuth creates a new Auth instance that manages authentication flows. It establishes a connection to the management server that is reused for all operations; the connection is automatically recreated with backoff if it becomes disconnected.

func (*Auth) Close added in v0.64.2

func (a *Auth) Close() error

Close closes the management client connection

func (*Auth) GetOAuthFlow added in v0.64.2

func (a *Auth) GetOAuthFlow(ctx context.Context, forceDeviceAuth bool) (OAuthFlow, error)

GetOAuthFlow returns an OAuth flow (PKCE or Device) using the existing management connection, which avoids creating a new connection to the management server.

func (*Auth) IsLoginRequired added in v0.64.2

func (a *Auth) IsLoginRequired(ctx context.Context) (bool, error)

IsLoginRequired checks whether login is required by attempting to authenticate with the server. It automatically retries with backoff and reconnection on connection errors.

func (*Auth) IsSSOSupported added in v0.64.2

func (a *Auth) IsSSOSupported(ctx context.Context) (bool, error)

IsSSOSupported checks if the management server supports SSO by attempting to retrieve auth flow configurations. Returns true if either PKCE or Device authorization flow is supported, false otherwise. This function encapsulates the SSO detection logic to avoid exposing gRPC error codes to upper layers. Automatically retries with backoff and reconnection on connection errors.

func (*Auth) Login added in v0.64.2

func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (error, bool)

Login attempts to log in or register the client with the management server. It returns an error and a boolean indicating whether that error is an authentication error (permission denied) that should stop retries. It automatically retries with backoff and reconnection on connection errors.

type AuthFlowInfo

type AuthFlowInfo struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`
	VerificationURIComplete string `json:"verification_uri_complete"`
	ExpiresIn               int    `json:"expires_in"`
	Interval                int    `json:"interval"`
}

AuthFlowInfo holds information for the OAuth 2.0 authorization flow

type Claims

type Claims struct {
	Audience interface{} `json:"aud"`
}

Claims holds the claims inspected when validating the access token. Audience is interface{} because the aud claim may be a single string or an array of strings.
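
Because aud may arrive as either a string or an array, a check that handles only one shape either rejects valid tokens or, worse, lets a token minted for another API through. The following is an added example, not code from this package, showing an audience check that accepts both shapes and rejects anything else. It assumes the token is a compact JWS whose signature has already been verified elsewhere (only the payload is decoded here; no signature check is performed), and the function names, the audience value and the tokens are constructed for the demonstration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims mirrors the page's type: per RFC 7519 "aud" may be a single string or an array.
type Claims struct {
	Audience interface{} `json:"aud"`
}

// decodeClaims extracts the payload of a compact JWS. It does not verify the signature;
// that must happen separately (e.g. against the IdP's JWKS) before any claim is trusted.
func decodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("token is not a compact JWS (expected 3 segments)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, fmt.Errorf("decoding payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("parsing claims: %w", err)
	}
	return c, nil
}

// HasAudience reports whether expected appears in "aud". Both JSON shapes are accepted;
// anything else (absent, number, object) is rejected, so a token without a usable
// audience never passes.
func (c Claims) HasAudience(expected string) bool {
	switch aud := c.Audience.(type) {
	case string:
		return aud == expected
	case []interface{}:
		for _, v := range aud {
			if s, ok := v.(string); ok && s == expected {
				return true
			}
		}
	}
	return false
}

// ValidateAudience is the check to run on a freshly issued token before it is presented
// to the management server: a token minted for another API must not be accepted.
func ValidateAudience(token, expected string) error {
	c, err := decodeClaims(token)
	if err != nil {
		return err
	}
	if !c.HasAudience(expected) {
		return fmt.Errorf("token audience %v does not include %q", c.Audience, expected)
	}
	return nil
}

// makeTestToken builds a constructed token (header.payload.signature) from a claims JSON
// document. The signature segment is a placeholder because only the claims are inspected here.
func makeTestToken(claimsJSON string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(claimsJSON))
	return header + "." + payload + ".placeholder-signature"
}

func main() {
	const expected = "constructed-mgmt-audience"
	for _, claims := range []string{
		`{"aud":"constructed-mgmt-audience"}`,
		`{"aud":["some-other-api","constructed-mgmt-audience"]}`,
		`{"aud":"some-other-api"}`,
		`{"sub":"alice"}`,
	} {
		fmt.Printf("%-60s -> %v\n", claims, ValidateAudience(makeTestToken(claims), expected))
	}
}
```

The type switch is the point: a check written as `c.Audience.(string) == expected` silently returns false for array-valued aud, and a check that only iterates a slice panics or skips on string-valued aud. Returning false for any other type also covers a missing claim, so the token endpoint cannot bypass the check by omitting aud.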

type DeviceAuthProviderConfig added in v0.64.2

type DeviceAuthProviderConfig struct {
	// ClientID An IDP application client id
	ClientID string
	// ClientSecret An IDP application client secret
	ClientSecret string
	// Domain An IDP API domain
	// Deprecated. Use OIDCConfigEndpoint instead
	Domain string
	// Audience is the audience used for token (authorization) validation
	Audience string
	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
	TokenEndpoint string
	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
	DeviceAuthEndpoint string
	// Scope provides the scopes to be included in the token request
	Scope string
	// UseIDToken indicates if the id token should be used for authentication
	UseIDToken bool
	// LoginHint is used to pre-fill the email/username field during authentication
	LoginHint string
}

DeviceAuthProviderConfig has all attributes needed to initiate a device authorization flow

type DeviceAuthorizationFlow

type DeviceAuthorizationFlow struct {
	HTTPClient HTTPClient
	// contains filtered or unexported fields
}

DeviceAuthorizationFlow implements the OAuthFlow interface, for the Device Authorization Flow.

func NewDeviceAuthorizationFlow

func NewDeviceAuthorizationFlow(config DeviceAuthProviderConfig) (*DeviceAuthorizationFlow, error)

NewDeviceAuthorizationFlow returns a Device Authorization Flow client.

func (*DeviceAuthorizationFlow) GetClientID

func (d *DeviceAuthorizationFlow) GetClientID(ctx context.Context) string

GetClientID returns the provider client id

func (*DeviceAuthorizationFlow) RequestAuthInfo

func (d *DeviceAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error)

RequestAuthInfo requests the device code login flow information (device code, user code, verification URI, expiry and polling interval) from the hosted IDP.

func (*DeviceAuthorizationFlow) SetLoginHint added in v0.64.2

func (d *DeviceAuthorizationFlow) SetLoginHint(hint string)

SetLoginHint sets the login hint for the device authorization flow

func (*DeviceAuthorizationFlow) WaitToken

func (d *DeviceAuthorizationFlow) WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error)

WaitToken waits for the user to log in and authorize the app. Once the user has authorized it, it retrieves the access token from the hosted IDP's token endpoint and validates it before returning. The method creates a timeout context internally based on info.ExpiresIn.

type HTTPClient

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

HTTPClient http client interface for API calls

type OAuthFlow

type OAuthFlow interface {
	RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error)
	WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error)
	GetClientID(ctx context.Context) string
}

OAuthFlow represents an interface for authorization using different OAuth 2.0 flows

func NewOAuthFlow

func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool, forceDeviceCodeFlow bool, hint string) (OAuthFlow, error)

NewOAuthFlow initializes and returns the appropriate OAuth flow based on the management configuration

It starts by initializing the PKCE flow. If that fails, it falls back to the Device Code Flow, and if that also fails, the authentication process is deemed unsuccessful.

On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow. forceDeviceCodeFlow can be used to skip PKCE and go directly to the Device Code Flow (e.g., for Android TV).

type PKCEAuthProviderConfig added in v0.64.2

type PKCEAuthProviderConfig struct {
	// ClientID An IDP application client id
	ClientID string
	// ClientSecret An IDP application client secret
	ClientSecret string
	// Audience An Audience for to authorization validation
	Audience string
	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
	TokenEndpoint string
	// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain authorization code
	AuthorizationEndpoint string
	// Scopes provides the scopes to be included in the token request
	Scope string
	// RedirectURLs are the redirect URIs at which the authorization code from the IDP manager is received
	RedirectURLs []string
	// UseIDToken indicates if the id token should be used for authentication
	UseIDToken bool
	// ClientCertPair is used for mTLS authentication to the IDP
	ClientCertPair *tls.Certificate
	// DisablePromptLogin makes the PKCE flow to not prompt the user for login
	DisablePromptLogin bool
	// LoginFlag is used to configure the PKCE flow login behavior
	LoginFlag common.LoginFlag
	// LoginHint is used to pre-fill the email/username field during authentication
	LoginHint string
}

PKCEAuthProviderConfig has all attributes needed to initiate PKCE authorization flow

type PKCEAuthorizationFlow

type PKCEAuthorizationFlow struct {
	// contains filtered or unexported fields
}

PKCEAuthorizationFlow implements the OAuthFlow interface for the Authorization Code Flow with PKCE.

func NewPKCEAuthorizationFlow

func NewPKCEAuthorizationFlow(config PKCEAuthProviderConfig) (*PKCEAuthorizationFlow, error)

NewPKCEAuthorizationFlow returns new PKCE authorization code flow.

func (*PKCEAuthorizationFlow) GetClientID

func (p *PKCEAuthorizationFlow) GetClientID(_ context.Context) string

GetClientID returns the provider client id

func (*PKCEAuthorizationFlow) RequestAuthInfo

func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error)

RequestAuthInfo requests authorization code login flow information.

func (*PKCEAuthorizationFlow) SetLoginHint added in v0.64.2

func (p *PKCEAuthorizationFlow) SetLoginHint(hint string)

SetLoginHint sets the login hint for the PKCE authorization flow

func (*PKCEAuthorizationFlow) WaitToken

func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error)

WaitToken waits for the OAuth token in the PKCE Authorization Flow. It starts an HTTP server to receive the OAuth token callback and waits for the token or an error. Once the token is received, it is converted to TokenInfo and validated before returning. The method creates a timeout context internally based on info.ExpiresIn.
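
The PKCE flow described above has three moving parts: a code verifier that never leaves the client until the token exchange, its S256 challenge that goes to the authorization endpoint, and a state value that binds the browser redirect back to this attempt. The following is an added example, not this package's implementation, that builds the authorization URL and the check the local callback server runs on the redirect. Field names follow PKCEAuthProviderConfig; the function names, the endpoint, client id and redirect URL are constructed for the demonstration, and the callback HTTP server itself and the authorization_code token exchange are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// PKCEAuthProviderConfig keeps only the page's fields this example uses.
type PKCEAuthProviderConfig struct {
	ClientID              string
	AuthorizationEndpoint string
	Scope                 string
	RedirectURLs          []string
	LoginHint             string
}

// PKCEAuthorizationFlow holds the per-attempt secrets: the verifier (sent only to the token endpoint) and the state (binds the redirect to this attempt).
type PKCEAuthorizationFlow struct {
	cfg          PKCEAuthProviderConfig
	codeVerifier string
	state        string
}

// mustRandomURLSafe returns n CSPRNG bytes as unpadded base64url (the RFC 7636 §4.1 alphabet); a CSPRNG failure is fatal, never silently weak.
func mustRandomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// S256Challenge computes code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 §4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewPKCEAuthorizationFlow draws a fresh verifier (32 bytes -> 43 chars, within RFC 7636's 43..128) and a fresh state per login attempt.
func NewPKCEAuthorizationFlow(cfg PKCEAuthProviderConfig) (*PKCEAuthorizationFlow, error) {
	if len(cfg.RedirectURLs) == 0 {
		return nil, errors.New("at least one redirect URL is required")
	}
	return &PKCEAuthorizationFlow{cfg: cfg, codeVerifier: mustRandomURLSafe(32), state: mustRandomURLSafe(16)}, nil
}

// AuthorizationURL builds the browser URL. Only the S256 digest of the verifier appears in it, so a logged or leaked URL cannot redeem the code.
func (p *PKCEAuthorizationFlow) AuthorizationURL() string {
	q := url.Values{
		"response_type":         {"code"},
		"client_id":             {p.cfg.ClientID},
		"redirect_uri":          {p.cfg.RedirectURLs[0]},
		"scope":                 {p.cfg.Scope},
		"state":                 {p.state},
		"code_challenge":        {S256Challenge(p.codeVerifier)},
		"code_challenge_method": {"S256"},
	}
	if p.cfg.LoginHint != "" {
		q.Set("login_hint", p.cfg.LoginHint)
	}
	return p.cfg.AuthorizationEndpoint + "?" + q.Encode()
}

// HandleCallback is the check the local callback server runs on the IdP redirect: state must match (constant time),
// an IdP error is surfaced, and a code is required. The code is then exchanged at the token endpoint with CodeVerifier().
func (p *PKCEAuthorizationFlow) HandleCallback(r *http.Request) (string, error) {
	q := r.URL.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(p.state)) != 1 {
		return "", errors.New("state mismatch: stale or forged callback")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("idp error %q: %s", e, q.Get("error_description"))
	}
	if code := q.Get("code"); code != "" {
		return code, nil
	}
	return "", errors.New("callback carried no authorization code")
}

// CodeVerifier and State expose the per-attempt values for the token exchange and for building the expected callback.
func (p *PKCEAuthorizationFlow) CodeVerifier() string { return p.codeVerifier }
func (p *PKCEAuthorizationFlow) State() string        { return p.state }

func main() {
	flow, err := NewPKCEAuthorizationFlow(PKCEAuthProviderConfig{
		ClientID: "constructed-client-id", Scope: "openid profile email",
		AuthorizationEndpoint: "https://idp.example.invalid/authorize", // constructed, not a real IdP
		RedirectURLs:          []string{"http://localhost:53000/"},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("open in browser:", flow.AuthorizationURL())
}
```

Two details carry the security weight. The state comparison is constant-time and any mismatch is rejected before the code is even read, which is what stops a forged or replayed redirect from injecting an attacker's authorization code into this client's session. And the verifier is only ever hashed into the URL, so an IdP log, proxy log or shoulder-surfed browser bar yields nothing that can redeem the code at the token endpoint.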

type RequestDeviceCodePayload

type RequestDeviceCodePayload struct {
	Audience string `json:"audience"`
	ClientID string `json:"client_id"`
	Scope    string `json:"scope"`
}

RequestDeviceCodePayload is the body of the device code request sent to an Auth0-style device authorization endpoint.

type TokenInfo

type TokenInfo struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	IDToken      string `json:"id_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	UseIDToken   bool   `json:"-"`
	Email        string `json:"-"`
}

TokenInfo holds information of issued access token

func (TokenInfo) GetTokenToUse

func (t TokenInfo) GetTokenToUse() string

GetTokenToUse returns either the access or id token based on UseIDToken field

type TokenRequestPayload

type TokenRequestPayload struct {
	GrantType    string `json:"grant_type"`
	DeviceCode   string `json:"device_code,omitempty"`
	ClientID     string `json:"client_id"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

TokenRequestPayload is the body of the token request sent to an Auth0-style token endpoint (device code or refresh token grant).

type TokenRequestResponse

type TokenRequestResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
	TokenInfo
}

TokenRequestResponse is the parsed response from the hosted IDP's token endpoint: either the issued token or an error with its description.
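
The device flow types above (AuthFlowInfo, HostedGrantType, TokenRequestPayload and TokenRequestResponse) fit together in one polling loop: after RequestAuthInfo, the client posts grant_type=urn:ietf:params:oauth:grant-type:device_code with the device_code every interval seconds until the IDP returns a token, a terminal error, or the code expires. The following is an added example, not the package's WaitToken, that implements that loop against a constructed in-process fake IDP. It honours authorization_pending and slow_down (RFC 8628 §3.5), treats any other error as terminal, and bounds the whole wait by expires_in. The function names are this example's; it assumes a JSON request body (the page's struct tags suggest JSON, a real IDP may want form encoding) and scales the time unit so the demo finishes in milliseconds.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

const HostedGrantType = "urn:ietf:params:oauth:grant-type:device_code"

// Wire types mirrored from the page, reduced to the fields this example uses.
type (
	AuthFlowInfo struct {
		DeviceCode string `json:"device_code"`
		ExpiresIn  int    `json:"expires_in"`
		Interval   int    `json:"interval"`
	}
	TokenRequestPayload struct {
		GrantType  string `json:"grant_type"`
		DeviceCode string `json:"device_code,omitempty"`
		ClientID   string `json:"client_id"`
	}
	TokenInfo struct{ AccessToken string `json:"access_token"` }
	TokenRequestResponse struct {
		Error            string `json:"error"`
		ErrorDescription string `json:"error_description"`
		TokenInfo
	}
)

// pollForToken is the RFC 8628 §3.4/§3.5 polling loop, bounded by the device code lifetime; unit scales the interval (time.Second in real use).
func pollForToken(ctx context.Context, client *http.Client, tokenURL, clientID string, info AuthFlowInfo, unit time.Duration) (TokenInfo, error) {
	ctx, cancel := context.WithTimeout(ctx, time.Duration(info.ExpiresIn)*unit)
	defer cancel()
	interval := info.Interval
	if interval < 1 {
		interval = 5 // RFC 8628 default when the server omits it; never poll in a tight loop
	}
	body, _ := json.Marshal(TokenRequestPayload{GrantType: HostedGrantType, DeviceCode: info.DeviceCode, ClientID: clientID})
	for {
		select {
		case <-ctx.Done():
			return TokenInfo{}, fmt.Errorf("device code expired before the user authorized: %w", ctx.Err())
		case <-time.After(time.Duration(interval) * unit):
		}
		resp, err := client.Post(tokenURL, "application/json", bytes.NewReader(body))
		if err != nil {
			return TokenInfo{}, err
		}
		var tr TokenRequestResponse
		err = json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		if err != nil {
			return TokenInfo{}, fmt.Errorf("malformed token response: %w", err)
		}
		switch {
		case tr.Error == "" && tr.AccessToken != "":
			return tr.TokenInfo, nil
		case tr.Error == "authorization_pending": // user not done yet: keep polling at the same rate
		case tr.Error == "slow_down": // RFC 8628 §3.5: add 5 seconds to the interval
			interval += 5
		default: // access_denied, expired_token, invalid_grant, or an empty reply: stop polling
			return TokenInfo{}, fmt.Errorf("token request failed: %s %s", tr.Error, tr.ErrorDescription)
		}
	}
}

// newFakeIDP is a constructed in-process test double, not a real IdP. For the expected device code it
// answers pending, pending, slow_down, then a token; any other request gets invalid_grant. The func counts polls.
func newFakeIDP(deviceCode string) (*httptest.Server, func() int32) {
	var calls int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var p TokenRequestPayload
		resp := TokenRequestResponse{Error: "authorization_pending"}
		n := atomic.AddInt32(&calls, 1)
		if err := json.NewDecoder(r.Body).Decode(&p); err != nil || p.GrantType != HostedGrantType || p.DeviceCode != deviceCode {
			resp.Error, resp.ErrorDescription = "invalid_grant", "unknown device code"
		} else if n == 3 {
			resp.Error = "slow_down"
		} else if n > 3 {
			resp = TokenRequestResponse{TokenInfo: TokenInfo{AccessToken: "constructed-access-token"}}
		}
		json.NewEncoder(w).Encode(resp)
	}))
	return srv, func() int32 { return atomic.LoadInt32(&calls) }
}

func main() {
	srv, polls := newFakeIDP("constructed-device-code")
	defer srv.Close()
	info := AuthFlowInfo{DeviceCode: "constructed-device-code", ExpiresIn: 600, Interval: 5}
	tok, err := pollForToken(context.Background(), srv.Client(), srv.URL+"/oauth/token", "constructed-client-id", info, time.Millisecond)
	fmt.Printf("token=%q polls=%d err=%v\n", tok.AccessToken, polls(), err)
}
```

The loop deliberately distinguishes three outcomes. authorization_pending and slow_down are the only responses that keep it going, and slow_down is honoured by growing the interval rather than retrying at the same rate, which is what keeps a client from being rate-limited or blocked by the IDP. Every other error, including a well-formed reply with neither token nor error, ends the wait immediately, and the context timeout derived from ExpiresIn guarantees the loop cannot outlive the device code even if the IDP keeps answering pending.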
