Constants
const (
	// Action* is the action vocabulary exported by this package — presumably
	// the action names the Casbin policy is written against; confirm the
	// RPC-to-action mapping in the Enforcer before relying on it.
	ActionRead   = "read"
	ActionWrite  = "write"
	ActionDelete = "delete"
	// ActionUnsafe names operations that should be gated more strictly than
	// a plain write — how a route is classified as unsafe is decided elsewhere.
	ActionUnsafe = "unsafe"
	ActionOther  = "other"
)
const (
	// DiscoveryPath is the path to the OpenID Connect discovery endpoint
	// (the well-known openid-configuration document); presumably appended to
	// the issuer URL by DiscoverOIDCConfiguration.
	DiscoveryPath = "/.well-known/openid-configuration"
)
Variables
var (
	// Exported error variables for client ID processing — presumably raised
	// while resolving the claim named by PolicyConfig.ClientIDClaim; test for
	// them with errors.Is rather than by comparing messages.
	ErrClientIDClaimNotConfigured = errors.New("no client ID claim configured")
	ErrClientIDClaimNotFound      = errors.New("client ID claim not found")
	ErrClientIDClaimNotString     = errors.New("client ID claim is not a string")
)
var (
	// ErrPermissionDenied is the sentinel error for a "permission denied"
	// outcome; callers should detect it with errors.Is, not by inspecting
	// the error string.
	ErrPermissionDenied = errors.New("permission denied")
)
Functions
func IPCMetadataClientInterceptor ¶ added in v0.11.0
func IPCMetadataClientInterceptor(log *logger.Logger) connect.UnaryInterceptorFunc
IPCMetadataClientInterceptor transfers gRPC outgoing metadata to Connect request headers for IPC calls
Types
type AccessTokenVerifier ¶ added in v0.15.0
type AccessTokenVerifier interface {
	// VerifyAccessToken validates the raw JWT in tokenRaw and returns the
	// parsed token on success. A non-nil error means the token must be
	// treated as unverified; the returned token is meaningless in that case.
	VerifyAccessToken(ctx context.Context, tokenRaw string) (jwt.Token, error)
}
AccessTokenVerifier validates raw access tokens.
type AuthNConfig ¶
type AuthNConfig struct {
	// EnforceDPoP toggles DPoP enforcement (config key enforceDPoP). The
	// default is false, so sender-constrained tokens are not required unless
	// a deployment opts in explicitly.
	EnforceDPoP bool `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
	// Issuer is the configured token issuer (config key issuer).
	Issuer string `mapstructure:"issuer" json:"issuer"`
	// Audience is the configured token audience (config key audience).
	Audience string `mapstructure:"audience" json:"audience"`
	// Policy holds the authorization policy settings (config key policy).
	Policy PolicyConfig `mapstructure:"policy" json:"policy"`
	// CacheRefresh is the refresh interval for the JWKS cache (config key
	// cache_refresh_interval). It is carried as a string — presumably a
	// duration literal parsed in NewAuthenticator; confirm.
	CacheRefresh string `mapstructure:"cache_refresh_interval" json:"cache_refresh_interval"`
	// DPoPSkew is the clock-skew tolerance applied to DPoP proofs (config
	// key dpopskew; default 1h). NOTE(review): 1h is far wider than the 1m
	// TokenSkew below — confirm that tolerance is intended.
	DPoPSkew time.Duration `mapstructure:"dpopskew" json:"dpopskew" default:"1h"`
	// TokenSkew is the clock-skew tolerance applied to token validity
	// windows (config key skew; default 1m) — confirm against the verifier.
	TokenSkew time.Duration `mapstructure:"skew" json:"skew" default:"1m"`
}
AuthNConfig is the configuration needed for the platform to validate tokens
type Authentication ¶
type Authentication struct {
	// contains filtered or unexported fields
	// Construct with NewAuthenticator; the interceptors and MuxHandler
	// methods below read the state it sets up.
}
Authentication holds a jwks cache and information about the openid configuration
func NewAuthenticator ¶
func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error)
NewAuthenticator creates a new authN which is used to verify tokens for a set of given issuers
func (*Authentication) AccessTokenVerifier ¶ added in v0.15.0
func (a *Authentication) AccessTokenVerifier() AccessTokenVerifier
AccessTokenVerifier returns the authenticator's shared access-token verifier.
func (Authentication) ConnectAuthNInterceptor ¶ added in v0.17.0
func (a Authentication) ConnectAuthNInterceptor() connect.UnaryInterceptorFunc
ConnectAuthNInterceptor authenticates Connect requests and enriches the request context with configured token claims needed by later middleware.
func (Authentication) ConnectAuthZInterceptor ¶ added in v0.17.0
func (a Authentication) ConnectAuthZInterceptor() connect.UnaryInterceptorFunc
ConnectAuthZInterceptor authorizes Connect requests using token and configured claims already stored in the request context.
func (Authentication) IPCUnaryServerInterceptor ¶ added in v0.5.0
func (a Authentication) IPCUnaryServerInterceptor() connect.UnaryInterceptorFunc
IPCUnaryServerInterceptor is a gRPC interceptor that: 1. verifies the token in the metadata; 2. reauthorizes the token if the route is in the list; 3. translates known IPC Connect request headers back to context metadata for downstream consumers
func (Authentication) MuxHandler ¶
func (a Authentication) MuxHandler(handler http.Handler) http.Handler
MuxHandler is an http handler that verifies the token
type CasbinAuthzLog ¶ added in v0.17.0
type CasbinConfig ¶
type CasbinConfig struct {
	// PolicyConfig supplies the model, policy CSV/extension and claim names
	// the enforcer is built from.
	PolicyConfig
	// RoleProvider is an optional external source of roles — presumably
	// consulted alongside GroupsClaim; confirm against NewCasbinEnforcer.
	RoleProvider authz.RoleProvider
}
type Config ¶
type Config struct {
	// Enabled toggles the auth subsystem (config key enabled; default true).
	// A non-default value is security-relevant and worth surfacing in
	// deployment review — presumably it disables authentication entirely.
	Enabled bool `mapstructure:"enabled" json:"enabled" default:"true"`
	// PublicRoutes is set programmatically, never from config
	// (mapstructure:"-"); presumably routes exempt from authentication —
	// confirm against the interceptors.
	PublicRoutes []string `mapstructure:"-" json:"-"`
	// Used for re-authentication of IPC connections; set programmatically.
	IPCReauthRoutes []string `mapstructure:"-" json:"-"`
	// AuthNConfig is embedded; its keys are squashed into this level.
	AuthNConfig `mapstructure:",squash"`
	// Programmatic role provider overrides (not loaded from config)
	RoleProvider authz.RoleProvider `mapstructure:"-" json:"-"`
	// RoleProviderFactories maps a provider name to its factory.
	RoleProviderFactories map[string]authz.RoleProviderFactory `mapstructure:"-" json:"-"`
}
Config pulls AuthN and AuthZ together
type EnforcementResult ¶ added in v0.17.0
type EnforcementResult struct {
	// Allowed is the enforcement decision.
	Allowed bool
	// CasbinAuthz carries the Casbin authorization log details for the
	// decision (see CasbinAuthzLog).
	CasbinAuthz CasbinAuthzLog
}
type Enforcer ¶
type Enforcer struct {
	// Enforcer is the embedded casbin enforcer that evaluates requests.
	*casbin.Enforcer
	// Config is the configuration the enforcer was built from.
	Config CasbinConfig
	// Policy is the policy text in effect — presumably the builtin policy
	// after any Csv override or Extension is applied; confirm in
	// NewCasbinEnforcer.
	Policy string
	// contains filtered or unexported fields
}
func NewCasbinEnforcer ¶
func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)
NewCasbinEnforcer creates a new casbin enforcer
func (*Enforcer) ContextWithClaims ¶ added in v0.17.0
type OIDCConfiguration ¶
type OIDCConfiguration struct {
	// Issuer is the issuer identifier advertised by the provider.
	Issuer string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint string `json:"token_endpoint"`
	UserinfoEndpoint string `json:"userinfo_endpoint"`
	// JwksURI is where the provider's signing keys are fetched from.
	// NOTE(review): a discovery document is only trustworthy if Issuer
	// matches the issuer it was fetched for — confirm the caller checks.
	JwksURI string `json:"jwks_uri"`
	ResponseTypesSupported []string `json:"response_types_supported"`
	SubjectTypesSupported []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`
}
OIDCConfiguration holds the openid configuration for the issuer. Currently only required fields are included (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
func DiscoverOIDCConfiguration ¶
func DiscoverOIDCConfiguration(ctx context.Context, issuer string, logger *logger.Logger) (*OIDCConfiguration, error)
DiscoverOIDCConfiguration discovers the openid configuration for the issuer provided
type PolicyConfig ¶
type PolicyConfig struct {
	// Builtin is set programmatically (mapstructure:"-"), not from config.
	Builtin string `mapstructure:"-" json:"-"`
	// Username claim to use for user information
	UserNameClaim string `mapstructure:"username_claim" json:"username_claim" default:"preferred_username"`
	// Claim to use for group/role information
	GroupsClaim string `mapstructure:"groups_claim" json:"groups_claim" default:"realm_access.roles"`
	// Role provider configuration (resolved via StartOptions)
	RolesProvider RolesProviderConfig `mapstructure:"roles_provider" json:"roles_provider"`
	// Claim to use to reference idP clientID
	ClientIDClaim string `mapstructure:"client_id_claim" json:"client_id_claim" default:"azp"`
	// Deprecated: Use GroupsClaim instead
	RoleClaim string `mapstructure:"claim" json:"claim" default:"realm_access.roles"`
	// Deprecated: Use Casbin grouping statements g, <user/group>, <role>
	RoleMap map[string]string `mapstructure:"map" json:"map"`
	// Override the builtin policy with a custom policy
	Csv string `mapstructure:"csv" json:"csv"`
	// Extend the builtin policy with a custom policy
	Extension string `mapstructure:"extension" json:"extension"`
	// Model is the Casbin model text (config key model).
	Model string `mapstructure:"model" json:"model"`
	// Override the default string-adapter
	Adapter persist.Adapter `mapstructure:"-" json:"-"`
}
type RolesProviderConfig ¶ added in v0.13.0
type TokenVerifier ¶ added in v0.15.0
type TokenVerifier struct {
	// contains filtered or unexported fields
	// Construct with NewTokenVerifier; it satisfies AccessTokenVerifier
	// through VerifyAccessToken.
}
TokenVerifier validates access tokens against the platform's configured IdP.
func NewTokenVerifier ¶ added in v0.15.0
func NewTokenVerifier(ctx context.Context, cfg AuthNConfig, log *logger.Logger) (*TokenVerifier, error)
NewTokenVerifier creates a reusable verifier backed by the IdP JWKS endpoint.
func (*TokenVerifier) VerifyAccessToken ¶ added in v0.15.0
VerifyAccessToken validates the provided raw JWT and returns the parsed token on success.