Documentation
¶
Overview ¶
SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Cloud Security Client Go contributors
SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Cloud Security Client Go contributors
SPDX-License-Identifier: Apache-2.0
Index ¶
- Variables
- func DefaultErrorHandler(w http.ResponseWriter, r *http.Request, err error)
- type Certificate
- type ContextKey
- type ErrorHandler
- type Middleware
- func (m *Middleware) Authenticate(r *http.Request) (Token, error)
- func (m *Middleware) AuthenticateWithProofOfPossession(r *http.Request) (Token, *Certificate, error)
- func (m *Middleware) AuthenticationHandler(next http.Handler) http.Handler
- func (m *Middleware) ClearCache()
- func (m *Middleware) GetTokenFlows() (*tokenclient.TokenFlows, error)
- type Options
- type Token
Constants ¶
This section is empty.
Variables ¶
var ErrClaimNotExists = errors.New("claim does not exist in the token")
ErrClaimNotExists shows that the requested custom claim does not exist in the token
var ErrNoClientCert = errors.New("there is no x509 client certificate provided")
var ErrNoToken = errors.New("there is no token provided")
Functions ¶
func DefaultErrorHandler ¶
func DefaultErrorHandler(w http.ResponseWriter, r *http.Request, err error)
DefaultErrorHandler responds with the error and HTTP status 401
Types ¶
type Certificate ¶ added in v0.12.0
type Certificate struct {
// contains filtered or unexported fields
}
Certificate is the public API to access claims of the X509 client certificate.
func ClientCertificateFromCtx ¶ added in v0.12.0
func ClientCertificateFromCtx(r *http.Request) *Certificate
ClientCertificateFromCtx retrieves the X.509 client certificate of a request which have been injected before via the auth middleware
func (*Certificate) GetThumbprint ¶ added in v0.12.0
func (c *Certificate) GetThumbprint() string
GetThumbprint returns the thumbprint without padding.
type ContextKey ¶ added in v0.5.4
type ContextKey int
The ContextKey type is used as a key for library related values in the go context. See also TokenCtxKey
const ( TokenCtxKey ContextKey = 0 ClientCertificateCtxKey ContextKey = 1 )
TokenCtxKey is the key that holds the authorization value (*OIDCClaims) in the request context ClientCertificateCtxKey is the key that holds the x509 client certificate in the request context
type ErrorHandler ¶ added in v0.5.2
type ErrorHandler func(w http.ResponseWriter, r *http.Request, err error)
ErrorHandler is the type for the Error Handler which is called on unsuccessful token validation and if the AuthenticationHandler middleware func is used
type Middleware ¶ added in v0.5.4
type Middleware struct {
// contains filtered or unexported fields
}
Middleware is the main entrypoint to the authn client library, instantiate with NewMiddleware. It holds information about the oAuth config and configured options. Use either the ready to use AuthenticationHandler as a middleware or implement your own middleware with the help of Authenticate.
func NewMiddleware ¶ added in v0.5.4
func NewMiddleware(identity env.Identity, options Options) *Middleware
NewMiddleware instantiates a new Middleware with defaults for not provided Options.
func (*Middleware) Authenticate ¶ added in v0.5.4
func (m *Middleware) Authenticate(r *http.Request) (Token, error)
Authenticate authenticates a request and returns the Token if validation was successful, otherwise error is returned
func (*Middleware) AuthenticateWithProofOfPossession ¶ added in v0.12.0
func (m *Middleware) AuthenticateWithProofOfPossession(r *http.Request) (Token, *Certificate, error)
AuthenticateWithProofOfPossession authenticates a request and returns the Token and the client certificate if validation was successful, otherwise error is returned
func (*Middleware) AuthenticationHandler ¶ added in v0.5.4
func (m *Middleware) AuthenticationHandler(next http.Handler) http.Handler
AuthenticationHandler authenticates a request and injects the claims into the request context. If the authentication (see Authenticate) does not succeed, the specified error handler (see Options.ErrorHandler) will be called and the current request will stop. In case of successful authentication the request context is enriched with the token, as well as the client certificate (if given).
func (*Middleware) ClearCache ¶ added in v0.5.4
func (m *Middleware) ClearCache()
ClearCache clears the entire storage of cached oidc tenants including their JWKs
func (*Middleware) GetTokenFlows ¶ added in v0.12.0
func (m *Middleware) GetTokenFlows() (*tokenclient.TokenFlows, error)
GetTokenFlows creates or returns TokenFlows, otherwise error is returned
type Options ¶
type Options struct {
ErrorHandler ErrorHandler // ErrorHandler called if the jwt verification fails and the AuthenticationHandler middleware func is used. Default: DefaultErrorHandler
HTTPClient *http.Client // HTTPClient which is used for OIDC discovery and to retrieve JWKs (JSON Web Keys). Default: basic http.Client with a timeout of 15 seconds
}
Options can be used as a argument to instantiate a AuthMiddle with NewMiddleware.
type Token ¶ added in v0.8.0
type Token interface {
TokenValue() string // TokenValue returns encoded token string
Audience() []string // Audience returns "aud" claim, if it doesn't exist empty string is returned
Expiration() time.Time // Expiration returns "exp" claim, if it doesn't exist empty string is returned
IsExpired() bool // IsExpired returns true, if 'exp' claim + leeway time of 1 minute is before current time
IssuedAt() time.Time // IssuedAt returns "iat" claim, if it doesn't exist empty string is returned
CustomIssuer() string // CustomIssuer returns "iss" claim if it is a custom domain (i.e. "ias_iss" claim available), otherwise empty string is returned
Issuer() string // Issuer returns token issuer with SAP domain; by default "iss" claim is returned or in case it is a custom domain, "ias_iss" is returned
NotBefore() time.Time // NotBefore returns "nbf" claim, if it doesn't exist empty string is returned
Subject() string // Subject returns "sub" claim, if it doesn't exist empty string is returned
GivenName() string // GivenName returns "given_name" claim, if it doesn't exist empty string is returned
FamilyName() string // FamilyName returns "family_name" claim, if it doesn't exist empty string is returned
Email() string // Email returns "email" claim, if it doesn't exist empty string is returned
ZoneID() string // ZoneID returns "zone_uuid" claim, if it doesn't exist empty string is returned
UserUUID() string // UserUUID returns "user_uuid" claim, if it doesn't exist empty string is returned
HasClaim(claim string) bool // HasClaim returns true if the provided claim exists in the token
GetClaimAsString(claim string) (string, error) // GetClaimAsString returns a custom claim type asserted as string. Returns error if the claim is not available or not a string.
GetClaimAsStringSlice(claim string) ([]string, error) // GetClaimAsStringSlice returns a custom claim type asserted as string slice. The claim name is case sensitive. Returns error if the claim is not available or not an array
GetClaimAsMap(claim string) (map[string]interface{}, error) // GetClaimAsMap returns a map of all members and its values of a custom claim in the token. The member name is case sensitive. Returns error if the claim is not available or not a map
GetAllClaimsAsMap() map[string]interface{} // GetAllClaimsAsMap returns a map of all claims contained in the token. The claim name is case sensitive. Includes also custom claims
// contains filtered or unexported methods
}
Token is the public API to access claims of the token
func NewToken ¶ added in v0.8.1
NewToken creates a Token from an encoded jwt. !!! WARNING !!! No validation done when creating a Token this way. Use only in tests!
func TokenFromCtx ¶ added in v0.8.0
TokenFromCtx retrieves the claims of a request which have been injected before via the auth middleware
Source Files