auth

package
Published: Sep 17, 2025 License: BSD-3-Clause-Clear Imports: 29 Imported by: 0

Documentation


Constants

// The Action* constants are the coarse request classifications handed to the
// authorization layer (presumably the action argument of Enforcer.Enforce);
// the policy decides what each one is allowed to do.

// ActionRead classifies a read-only request.
const ActionRead = "read"

// ActionWrite classifies a request that creates or changes state.
const ActionWrite = "write"

// ActionDelete classifies a request that removes state.
const ActionDelete = "delete"

// ActionUnsafe classifies a request the policy should treat with extra
// caution; its exact scope is defined by the policy, not here.
const ActionUnsafe = "unsafe"

// ActionOther is the catch-all for requests that fit none of the above.
const ActionOther = "other"
// DiscoveryPath is the well-known path, appended to the issuer URL, at which the
// OpenID Connect discovery document is served (see DiscoverOIDCConfiguration).
const DiscoveryPath = "/.well-known/openid-configuration"

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthNConfig

// AuthNConfig is the configuration the platform needs to validate tokens.
//
// NOTE(review): only the field tags and defaults are visible here. How each
// value is applied (e.g. whether Issuer and Audience are strictly compared
// against the token's iss/aud claims) lives in the verifier code and should be
// confirmed there.
type AuthNConfig struct {
	// EnforceDPoP, when true, requires a DPoP proof alongside the access token.
	// Defaults to false, so plain bearer tokens are accepted unless enabled.
	EnforceDPoP  bool          `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
	// Issuer is the expected token issuer; presumably also the base URL that
	// DiscoveryPath is appended to -- confirm against NewAuthenticator.
	Issuer       string        `mapstructure:"issuer" json:"issuer"`
	// Audience is the expected token audience.
	Audience     string        `mapstructure:"audience" json:"audience"`
	// Policy carries the authorization (casbin) policy settings.
	Policy       PolicyConfig  `mapstructure:"policy" json:"policy"`
	// CacheRefresh is presumably the JWKS cache refresh interval. It is a
	// string rather than a time.Duration, so parsing/validation happens elsewhere.
	CacheRefresh string        `mapstructure:"cache_refresh_interval" json:"cache_refresh_interval"`
	// DPoPSkew is the clock skew tolerated when checking DPoP proofs.
	// NOTE(review): 1h is a wide acceptance window for a proof that is meant to
	// be short-lived; consider whether a few minutes is sufficient.
	DPoPSkew     time.Duration `mapstructure:"dpopskew" json:"dpopskew" default:"1h"`
	// TokenSkew is the clock skew tolerated when validating token timestamps
	// (presumably exp/nbf/iat). Defaults to 1m.
	TokenSkew    time.Duration `mapstructure:"skew" json:"skew" default:"1m"`
}

AuthNConfig is the configuration needed for the platform to validate tokens.

type Authentication

// Authentication verifies incoming tokens. It holds the JWKS cache and the
// discovered OpenID configuration; both are unexported, so instances are only
// obtained through NewAuthenticator.
//
// NOTE(review): its interceptor/handler methods use value receivers, so each
// call copies the struct. If the cache holds a mutex or other no-copy state,
// that is a vet finding -- confirm in the implementation.
type Authentication struct {
	// contains filtered or unexported fields
}

Authentication holds a JWKS cache and the OpenID configuration discovered for the issuer.

func NewAuthenticator

func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error)

NewAuthenticator creates an Authentication used to verify tokens for the configured issuer. The wellknownRegistration callback is presumably used to publish well-known metadata under a namespace; it returns an error if registration fails.

func (Authentication) ConnectUnaryServerInterceptor added in v0.4.27

func (a Authentication) ConnectUnaryServerInterceptor() connect.UnaryInterceptorFunc

ConnectUnaryServerInterceptor returns a Connect unary interceptor that verifies the token carried in the request metadata.

func (Authentication) IPCUnaryServerInterceptor added in v0.5.0

func (a Authentication) IPCUnaryServerInterceptor() connect.UnaryInterceptorFunc

IPCUnaryServerInterceptor returns a Connect unary interceptor that verifies the token in the request metadata and re-authorizes it when the route is listed in Config.IPCReauthRoutes.

func (Authentication) MuxHandler

func (a Authentication) MuxHandler(handler http.Handler) http.Handler

MuxHandler wraps an http.Handler with token verification.

type CasbinConfig

// CasbinConfig is the policy configuration handed to NewCasbinEnforcer. It is
// PolicyConfig embedded, so all of PolicyConfig's fields are promoted.
type CasbinConfig struct {
	PolicyConfig
}

type Config

// Config pulls the AuthN and AuthZ settings together; it is what
// NewAuthenticator consumes.
type Config struct {
	// Enabled toggles the auth layer and defaults to true. Presumably false
	// disables token verification entirely, which should only ever be used in
	// local development -- confirm in NewAuthenticator.
	Enabled      bool     `mapstructure:"enabled" json:"enabled" default:"true"`
	// PublicRoutes presumably lists routes that skip authentication. The "-"
	// tags mean it cannot be set from config files or JSON; it is set in code.
	PublicRoutes []string `mapstructure:"-" json:"-"`
	// IPCReauthRoutes lists routes whose token is re-authorized on IPC
	// connections (see IPCUnaryServerInterceptor). Also code-only.
	IPCReauthRoutes []string `mapstructure:"-" json:"-"`
	// AuthNConfig is embedded and squashed, so its keys sit at the same level
	// as "enabled" in the configuration source.
	AuthNConfig     `mapstructure:",squash"`
}

Config pulls AuthN and AuthZ together.

type Enforcer

// Enforcer wraps a casbin.Enforcer together with the configuration and policy
// text it was built from.
type Enforcer struct {
	*casbin.Enforcer
	// Config is the casbin configuration the enforcer was created with.
	Config CasbinConfig
	// Policy is the policy text in effect. Which of Builtin, Csv (override) or
	// Extension (extend) it reflects is decided in NewCasbinEnforcer.
	Policy string
	// contains filtered or unexported fields
}

func NewCasbinEnforcer

func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)

NewCasbinEnforcer creates a new casbin enforcer from c.

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(token jwt.Token, resource, action string) (bool, error)

Enforce evaluates the casbin policy for the given token, resource and action and reports whether the request is allowed. Callers should fail closed: treat a non-nil error as a denial, not as "undecided". TODO: implement a common type so this can be used for both HTTP and gRPC.

type OIDCConfiguration

// OIDCConfiguration holds the subset of the OpenID Provider Metadata this
// package reads from the discovery document.
//
// NOTE(review): OpenID Connect Discovery requires the "issuer" in this document
// to be identical to the issuer URL the document was fetched for. If
// DiscoverOIDCConfiguration does not compare them, a mismatched document could
// point JwksURI (and therefore key fetches) at another party -- confirm.
type OIDCConfiguration struct {
	// Issuer is the provider's issuer identifier; it should equal the configured issuer.
	Issuer                           string   `json:"issuer"`
	AuthorizationEndpoint            string   `json:"authorization_endpoint"`
	TokenEndpoint                    string   `json:"token_endpoint"`
	UserinfoEndpoint                 string   `json:"userinfo_endpoint"`
	// JwksURI is where token signing keys are fetched from; it is only as
	// trustworthy as the discovery document it came from.
	JwksURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	// RequireRequestURIRegistration is an optional field in the spec, so it
	// will be false both when absent and when explicitly false.
	RequireRequestURIRegistration    bool     `json:"require_request_uri_registration"`
}

OIDCConfiguration holds the OpenID provider metadata for the issuer. Only a subset of the metadata is included: the required fields, plus a few recommended/optional ones such as userinfo_endpoint and require_request_uri_registration (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).

func DiscoverOIDCConfiguration

func DiscoverOIDCConfiguration(ctx context.Context, issuer string, logger *logger.Logger) (*OIDCConfiguration, error)

DiscoverOIDCConfiguration fetches and parses the OpenID discovery document for the given issuer (issuer + DiscoveryPath). The document is trusted input: it should only be fetched over TLS, and the returned Issuer should match the requested one; whether this function performs that comparison is not visible from the signature, so callers should confirm or check it themselves.

type PolicyConfig

// PolicyConfig configures how identity is extracted from a token and which
// casbin policy/model the Enforcer uses.
type PolicyConfig struct {
	// Builtin is the built-in policy text. Its "-" tags mean it is set in code,
	// not from configuration.
	Builtin string `mapstructure:"-" json:"-"`
	// UserNameClaim is the token claim used as the username (default
	// "preferred_username").
	UserNameClaim string `mapstructure:"username_claim" json:"username_claim" default:"preferred_username"`
	// GroupsClaim is the token claim used for group/role information. The
	// default "realm_access.roles" looks like a dotted path into a nested claim
	// (Keycloak-style) -- confirm how it is resolved.
	GroupsClaim string `mapstructure:"groups_claim" json:"groups_claim" default:"realm_access.roles"`
	// Deprecated: Use GroupsClaim instead. Shares the same default; if both are
	// set, which one wins is decided by the consumer, not here.
	RoleClaim string `mapstructure:"claim" json:"claim" default:"realm_access.roles"`
	// Deprecated: Use Casbin grouping statements g, <user/group>, <role> instead.
	RoleMap map[string]string `mapstructure:"map" json:"map"`
	// Csv replaces the builtin policy with a custom policy in casbin CSV form.
	// NOTE(review): a config-supplied override replaces the whole policy, so
	// treat this setting as privileged.
	Csv string `mapstructure:"csv" json:"csv"`
	// Extension appends to the builtin policy rather than replacing it.
	Extension string `mapstructure:"extension" json:"extension"`
	// Model is the casbin model text; presumably empty means the default model.
	Model     string `mapstructure:"model" json:"model"`
	// Adapter overrides the default string-adapter. Code-only ("-" tags).
	Adapter persist.Adapter `mapstructure:"-" json:"-"`
}
