Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type DomainConfig
type Middleware
type Middleware struct {
// contains filtered or unexported fields
}
func NewMiddleware
func NewMiddleware(logger *log.Logger, sessionValidator SessionValidator) *Middleware
NewMiddleware creates a new authentication middleware. The sessionValidator is optional; if it is nil, OIDC session tokens are validated locally and no group access checks are performed, so a nil validator is only appropriate where group-based access control is not required.
func (*Middleware) AddDomain
func (mw *Middleware) AddDomain(domain string, schemes []Scheme, publicKeyB64 string, expiration time.Duration, accountID, serviceID string) error
AddDomain registers authentication schemes for the given domain. If schemes are provided, a valid session public key (publicKeyB64) is required to sign and verify session JWTs; an error is returned if the key is missing or invalid. Callers must not serve the domain if AddDomain returns an error, otherwise the service would be exposed without authentication.
func (*Middleware) Protect
func (mw *Middleware) Protect(next http.Handler) http.Handler
Protect wraps the passed handler with authentication. For each incoming request, the request's Host is looked up in the middleware's list of protected domains. If the Host is not registered, the request is passed through unauthenticated. If it is registered, the authentication schemes configured for that domain are applied to the request. If the registered domain has no schemes, the request is likewise passed through. Since the Host header is chosen by the client, every hostname the server answers for should be registered with schemes or handled elsewhere, so that an unregistered Host value cannot bypass authentication.
func (*Middleware) RemoveDomain
func (mw *Middleware) RemoveDomain(domain string)
type OIDC
type OIDC struct {
// contains filtered or unexported fields
}
func (OIDC) Authenticate
Authenticate checks the request for an OIDC session token. If none is present, it obtains the OIDC redirect URL so the login UI can send the user to the identity provider.
type Password
type Password struct {
// contains filtered or unexported fields
}
func NewPassword
func (Password) Authenticate
Authenticate attempts to authenticate the request using a form value carried in the request. If authentication fails, the ID of the required form field is returned as prompt data so that the UI can render the login form and include that field in the next request.
type Pin
type Pin struct {
// contains filtered or unexported fields
}
func (Pin) Authenticate
Authenticate attempts to authenticate the request using a form value carried in the request. If authentication fails, the ID of the required form field is returned as prompt data so that the UI can render the login form and include that field in the next request.
type Scheme
type Scheme interface {
Type() auth.Method
// Authenticate checks the request and determines whether it represents
// an authenticated user. An empty token indicates an unauthenticated
// request; optionally, promptData may be returned for the login UI.
// An error indicates an infrastructure failure (e.g. gRPC unavailable).
Authenticate(*http.Request) (token string, promptData string, err error)
}
Scheme defines an authentication mechanism for a domain.
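The following is an added, stand-alone example (not this package's code) that re-implements the dispatch behaviour documented for Protect and the Scheme contract above: unknown Host and schemeless domains pass through, an empty token with promptData yields a 401 carrying the prompt for the login UI, and an error from a scheme is treated as an infrastructure failure and fails closed with 503. The Method type, PinScheme, FailingScheme, Mux, the X-Session-Token header and the "first scheme to return a token wins" ordering are assumptions made for the example; the real package's auth.Method, Pin, Password and OIDC types are not used.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// Method stands in for the page's auth.Method (assumed here to be a string type).
type Method string

// Scheme mirrors the Scheme interface documented on this page.
type Scheme interface {
	Type() Method
	Authenticate(*http.Request) (token string, promptData string, err error)
}

// PinScheme is a hypothetical form-based scheme in the spirit of Pin/Password: it
// compares form field FormID against Secret and, on failure, returns FormID as
// promptData so the login UI knows which field to render.
type PinScheme struct {
	FormID string
	Secret string
}

func (p PinScheme) Type() Method { return "pin" }

func (p PinScheme) Authenticate(r *http.Request) (string, string, error) {
	got := r.FormValue(p.FormID)
	if got != "" && subtle.ConstantTimeCompare([]byte(got), []byte(p.Secret)) == 1 {
		return "session-" + p.FormID, "", nil // placeholder token; a real scheme issues a signed JWT
	}
	return "", p.FormID, nil // unauthenticated request, not an error
}

// FailingScheme simulates the infrastructure-failure case (e.g. gRPC unavailable).
type FailingScheme struct{}

func (FailingScheme) Type() Method { return "oidc" }
func (FailingScheme) Authenticate(*http.Request) (string, string, error) {
	return "", "", errors.New("session validator unavailable")
}

// Mux re-implements the per-Host dispatch described for Protect.
type Mux struct {
	mu      sync.RWMutex
	domains map[string][]Scheme
}

func NewMux() *Mux { return &Mux{domains: map[string][]Scheme{}} }

func (m *Mux) AddDomain(domain string, schemes []Scheme) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.domains[strings.ToLower(domain)] = schemes
}

// hostOnly normalises the client-supplied Host header: strip any port, lower-case.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return strings.ToLower(host)
	}
	return strings.ToLower(h)
}

func (m *Mux) Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		m.mu.RLock()
		schemes, known := m.domains[hostOnly(r.Host)]
		m.mu.RUnlock()
		if !known || len(schemes) == 0 {
			next.ServeHTTP(w, r) // both pass-through cases from the Protect doc
			return
		}
		var prompts []string
		for _, s := range schemes {
			token, prompt, err := s.Authenticate(r)
			if err != nil { // infrastructure failure: fail closed, never fall through
				http.Error(w, "authentication backend unavailable", http.StatusServiceUnavailable)
				return
			}
			if token != "" { // first scheme to yield a token wins (assumed ordering rule)
				r.Header.Set("X-Session-Token", token) // hypothetical header name
				next.ServeHTTP(w, r)
				return
			}
			if prompt != "" {
				prompts = append(prompts, string(s.Type())+":"+prompt)
			}
		}
		w.Header().Set("WWW-Authenticate", strings.Join(prompts, ", "))
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// Exercise sends a constructed form POST to host and returns the status code and
// the WWW-Authenticate value, which carries the promptData for the login UI.
func Exercise(m *Mux, host string, form url.Values) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "http://"+host+"/", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rr := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	m.Protect(ok).ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("WWW-Authenticate")
}

func main() {
	m := NewMux()
	m.AddDomain("app.example.test", []Scheme{PinScheme{FormID: "pin", Secret: "4242"}})
	fmt.Println(Exercise(m, "app.example.test", nil))
}
```

The hostOnly normalisation matters in practice: a request for app.example.test:8443 must match the registered domain, and a lookup on the raw Host string would silently fall into the unknown-host pass-through. The example also shows why the Scheme contract separates "no token" from "error": a failed lookup against a session validator must not be treated as an anonymous request.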
type SessionValidator
type SessionValidator interface {
ValidateSession(ctx context.Context, in *proto.ValidateSessionRequest, opts ...grpc.CallOption) (*proto.ValidateSessionResponse, error)
}
SessionValidator validates session tokens and checks user access permissions.