Constants ¶
const (
	// SplunkCloudIdpHost is the default identity provider host for Splunk Cloud.
	// The New*Retriever constructors fall back to it when idpHost is "". Any override of this host receives the
	// credentials used by the flows (client secret, username/password, refresh token), so overrides must come
	// from trusted configuration only.
	SplunkCloudIdpHost = "https://auth.scp.splunk.com"
)
Variables ¶
var (
	// DefaultOIDCScopes defines the default OpenID Connect scopes to use in authn requests - "openid email profile"
	DefaultOIDCScopes = fmt.Sprintf("%s %s %s", ScopeOpenID, ScopeEmail, ScopeProfile)
	// DefaultRefreshScope adds offline_access to the defaults - "openid email offline_access profile" - so that the
	// IdP also issues a refresh token (see ScopeOffline). Only request it when the client genuinely needs to act
	// without the user present, since the refresh token is a long-lived credential.
	DefaultRefreshScope = fmt.Sprintf("%s %s %s %s", ScopeOpenID, ScopeEmail, ScopeOffline, ScopeProfile)
	// NOTE(review): these are package-level vars rather than consts, so any importer can reassign them at runtime;
	// consider making them const if callers never need to override them.
)
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct {
	// ProviderHost is the IdP base URL (https://example.com or https://example.com:port) that the paths below are
	// resolved against. Every flow sends its credentials here, so it must only name a trusted identity provider.
	ProviderHost string
	// AuthnPath is the route of the "primary" authentication endpoint (/authn) used by GetSessionToken
	AuthnPath string
	// AuthorizePath is the route of the authorization endpoint
	AuthorizePath string
	// TokenPath is the route of the token endpoint
	TokenPath string
	// TenantTokenPath is the route of the tenant-specific token endpoint; presumably used by the tenant-taking
	// device flow methods - TODO confirm
	TenantTokenPath string
	// DevicePath is the route of the device authorization endpoint; presumably used by GetDeviceCodes - TODO confirm
	DevicePath string
	// CsrfTokenPath is the route used by GetCsrfToken
	CsrfTokenPath string
	// Insecure is a transport switch. Its exact effect is not shown here, but a flag of this name usually disables
	// TLS certificate verification for ProviderHost - TODO confirm. If so, enabling it exposes every credential
	// sent by the flows to interception; keep it false outside local development.
	Insecure bool
}
Client captures the URL and route information for the IdP endpoints. The credentials passed to its flow methods (client secret, username and password, refresh token, device code) are sent to ProviderHost, so a Client must only be pointed at a trusted identity provider.
func NewClient ¶
func NewClient(providerURL string, authnPath string, authorizePath string, tokenPath string, tenantTokenPath string, csrfTokenPath string, devicePath string, insecure bool) *Client
NewClient returns a new IdP client object.
providerURL: should be of the form https://example.com or optionally https://example.com:port. The insecure argument is stored as Client.Insecure; its effect on the transport is not documented here, so confirm it before enabling it anywhere other than local development.
func (*Client) ClientFlow ¶
ClientFlow authenticates using the OAuth 2.0 "client credentials" flow, exchanging clientID and clientSecret for an access token with the requested scope.
func (*Client) DeviceFlow ¶ added in v1.11.0
func (c *Client) DeviceFlow(clientID, tenant, deviceCode string, expiresIn, interval int) (*Context, error)
DeviceFlow authenticates using the device flow: it polls the IdP for a token with the deviceCode obtained from GetDeviceCodes, bounded by the expiresIn and interval values that call returned.
func (*Client) GetDeviceCodes ¶ added in v1.11.0
func (c *Client) GetDeviceCodes(clientID, tenant, scope string) (*DeviceCodeInfo, error)
GetDeviceCodes starts the device flow and returns the device code to poll with, the user code to present to the user, the verification URI and the polling parameters (see DeviceCodeInfo).
func (*Client) GetSessionToken ¶
GetSessionToken returns a one-time session token (and any cookies set by the IdP) by authenticating with username and password against the "primary" endpoint (/authn).
type ClientCredentialsRetriever ¶
// ClientCredentialsRetriever obtains access tokens with the Client Credentials flow (see Client.ClientFlow). It is
// meant for service-to-service authentication: the ClientSecret is a long-lived credential and should come from a
// secret store rather than committed configuration.
type ClientCredentialsRetriever struct {
	*Client
	// ClientID to authenticate as which corresponds to a Client Credentials flow supported IdP client
	ClientID string
	// ClientSecret corresponding to the ClientID above. It is wrapped in util.Credential rather than held as a plain
	// string, presumably so it is not exposed by default formatting/logging - TODO confirm against util.Credential
	ClientSecret *util.Credential
	// Scope(s) to request, separated by spaces -- this will be a custom scope, for example: "backend_service"
	Scope string
}
ClientCredentialsRetriever retries a request after getting a new access token from the identity provider using the Client Credentials flow.
func NewClientCredentialsRetriever ¶
func NewClientCredentialsRetriever(clientID string, clientSecret string, scope string, idpHost string) *ClientCredentialsRetriever
NewClientCredentialsRetriever initializes a new token context retriever
idpHost: should be of the form https://example.com or optionally https://example.com:port - if "" is specified then SplunkCloudIdpHost will be used.
func (*ClientCredentialsRetriever) GetTokenContext ¶
func (tr *ClientCredentialsRetriever) GetTokenContext() (*Context, error)
GetTokenContext gets a new access token context from the identity provider
type Context ¶
// Context is the result of a successful OAuth authentication flow. AccessToken, IDToken and RefreshToken are bearer
// credentials: anyone holding them can act as the authenticated party, so do not log them or persist them in plaintext.
type Context struct {
	// TokenType is the token_type value returned by the IdP
	TokenType string `json:"token_type"`
	// AccessToken is the credential presented to the API on behalf of the authenticated client/user
	AccessToken string `json:"access_token"`
	// ExpiresIn is the access token lifetime reported by the IdP (seconds, per OAuth 2.0 - TODO confirm)
	ExpiresIn int `json:"expires_in"`
	// Scope is the scope actually granted, which may be narrower than the scope requested
	Scope string `json:"scope"`
	// IDToken is the OpenID Connect ID token; only present when the flow requested OIDC scopes
	IDToken string `json:"id_token,omitempty"`
	// RefreshToken is the long-lived credential used by Refresh / RefreshTokenRetriever; only present when issued
	RefreshToken string `json:"refresh_token,omitempty"`
	// StartTime carries no json tag, so the IdP response is not expected to supply it; presumably recorded locally
	// when the Context is obtained so that expiry can be computed from ExpiresIn - TODO confirm
	StartTime int64
}
Context represents an authentication "context", which is the result of a successful OAuth authentication flow. Its AccessToken, IDToken and RefreshToken fields are bearer credentials and should be handled as secrets (not logged or stored in plaintext).
type DeviceCodeInfo ¶ added in v1.11.0
// DeviceCodeInfo is the response to GetDeviceCodes: the codes, verification URI and polling parameters for the
// device flow. UserCode and VerificationURI are shown to the user; DeviceCode is the client's polling secret.
type DeviceCodeInfo struct {
	// DeviceCode is the opaque code the client polls the IdP with (DeviceFlow); it identifies this pending
	// authorization and should not be displayed or shared
	DeviceCode string `json:"device_code"`
	// UserCode is the short code the user enters at VerificationURI to approve the request
	UserCode string `json:"user_code"`
	// ExpiresIn is the lifetime of the codes in seconds (see DeviceFlowRetriever.ExpiresIn)
	ExpiresIn int `json:"expires_in"`
	// Interval is the minimum interval between polls; assumed to use the same unit as ExpiresIn - TODO confirm
	Interval int `json:"interval"`
	// VerificationURI is the page where the user completes the authorization
	VerificationURI string `json:"verification_uri"`
}
DeviceCodeInfo captures codes, verification URI and polling parameters for device flow.
type DeviceFlowRetriever ¶ added in v1.11.0
// DeviceFlowRetriever obtains access tokens with the Device Authorization flow (see Client.DeviceFlow). Its
// DeviceCode, ExpiresIn and Interval fields mirror the DeviceCodeInfo returned by GetDeviceCodes.
type DeviceFlowRetriever struct {
	*Client
	// ClientID corresponding to a Device flow supported IdP client
	ClientID string
	// Tenant to request an access token for
	Tenant string
	// DeviceCode to poll for the token with; it identifies this pending authorization and should only be known to
	// the polling client
	DeviceCode string
	// ExpiresIn indicates the expiry of the DeviceCode in seconds; polling past it cannot succeed
	ExpiresIn int
	// Interval indicates the polling interval (assumed seconds, like ExpiresIn - TODO confirm); polling faster than
	// the IdP requested is typically rejected
	Interval int
}
DeviceFlowRetriever retries a request after getting a new access token from the identity provider using the Device Authorization Flow
func NewDeviceFlowRetriever ¶ added in v1.11.0
func NewDeviceFlowRetriever(clientID string, tenant string, idpHost string) *DeviceFlowRetriever
NewDeviceFlowRetriever initializes a new token context retriever
idpHost: should be of the form https://example.com or optionally https://example.com:port - if "" is specified then SplunkCloudIdpHost will be used.
func (*DeviceFlowRetriever) GetTokenContext ¶ added in v1.11.0
func (tr *DeviceFlowRetriever) GetTokenContext() (*Context, error)
GetTokenContext gets a new access token context from the identity provider
type HTTPError ¶
// HTTPError represents a non-success HTTP response from the IdP.
type HTTPError struct {
	// StatusCode is the HTTP status of the failed response
	StatusCode int `json:"status,omitempty"`
	// Body is the decoded response body. It is content controlled by the remote server: do not assume a fixed
	// schema when reading it, and do not render it unescaped to users.
	Body map[string]interface{} `json:"body,omitempty"`
}
HTTPError represents a non-success HTTP response from the IdP, carrying the status code and the decoded response body.
type NoOpTokenRetriever ¶
// NoOpTokenRetriever hands back one fixed Context from every GetTokenContext call and never refreshes it.
type NoOpTokenRetriever struct {
	// Context is the static token context returned as-is; the caller is responsible for supplying one that is
	// still valid, since nothing here renews it
	Context *Context
}
NoOpTokenRetriever just returns the same static Context; it never refreshes it, so the caller is responsible for supplying a Context that is still valid.
func (*NoOpTokenRetriever) GetTokenContext ¶
func (tr *NoOpTokenRetriever) GetTokenContext() (*Context, error)
GetTokenContext just returns the same static Context
type OIDCScope ¶
// OIDCScope is a string type for OpenID Connect scope values. Combine several values with single spaces when
// building a scope request (see DefaultOIDCScopes).
type OIDCScope string
OIDCScope defines scopes that are OpenID Connect compatible, see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
const (
	// ScopeOpenID - The basic (and required) scope for OpenID Connect
	ScopeOpenID OIDCScope = "openid"
	// ScopeEmail - This scope value requests access to the email and email_verified Claims
	ScopeEmail OIDCScope = "email"
	// ScopeProfile - This scope value requests access to the End-User's default profile Claims, which are: name, family_name,
	// given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo,
	// locale, and updated_at
	ScopeProfile OIDCScope = "profile"
	// ScopeAddress - This scope value requests access to the address Claim
	ScopeAddress OIDCScope = "address"
	// ScopePhone - This scope value requests access to the phone_number and phone_number_verified Claims
	ScopePhone OIDCScope = "phone"
	// ScopeOffline - This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an
	// Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not
	// logged in). The refresh token is therefore a long-lived credential: request this scope only when the client must
	// operate without the user present, and protect the resulting token like a password.
	ScopeOffline OIDCScope = "offline_access"
)
type PKCERetriever ¶
// PKCERetriever obtains access tokens with the Proof Key for Code Exchange (PKCE) flow (see Client.PKCEFlow). Because
// it takes a Username and Password directly, it lets a program authenticate as a user without interaction; for
// unattended use, a RefreshTokenRetriever or DeviceFlowRetriever avoids keeping the user's password in memory or
// configuration.
type PKCERetriever struct {
	*Client
	// ClientID corresponding to a PKCE flow supported IdP client
	ClientID string
	// RedirectURI that has been allowlisted according to the ClientID (NOTE: redirection is not actually needed for this implementation but this URI must match one specified by the IdP)
	RedirectURI string
	// Scope(s) to request, separated by spaces -- "openid email profile" is recommended for individual users
	Scope string
	// Username to authenticate as which must be registered to the ClientID in the IdP
	Username string
	// Password corresponding to the Username above. It is wrapped in util.Credential rather than held as a plain
	// string, presumably so it is not exposed by default formatting/logging - TODO confirm against util.Credential
	Password *util.Credential
}
PKCERetriever retries a request after getting a new access token from the identity provider using the Proof Key for Code Exchange (PKCE) flow.
func NewPKCERetriever ¶
func NewPKCERetriever(clientID string, redirectURI string, scope string, username string, password string, idpHost string) *PKCERetriever
NewPKCERetriever initializes a new token context retriever
idpHost: should be of the form https://example.com or optionally https://example.com:port - if "" is specified then SplunkCloudIdpHost will be used.
func (*PKCERetriever) GetTokenContext ¶
func (tr *PKCERetriever) GetTokenContext() (*Context, error)
GetTokenContext gets a new access token context from the identity provider
type RefreshTokenRetriever ¶
// RefreshTokenRetriever obtains new access tokens by presenting a refresh token (see Client.Refresh). The refresh
// token is a long-lived credential issued when "offline_access" was requested; store and transport it with the same
// care as a password.
type RefreshTokenRetriever struct {
	*Client
	// ClientID which corresponds to a Refresh Token ("offline_access" scope) supported IdP client
	ClientID string
	// Scope(s) to request, separated by spaces -- "openid email profile" is recommended for individual users
	Scope string
	// RefreshToken to use to authenticate in order to generate an access token. It is wrapped in util.Credential
	// rather than held as a plain string, presumably so it is not exposed by default formatting/logging - TODO confirm
	RefreshToken *util.Credential
}
RefreshTokenRetriever retries a request after getting a new access token from the identity provider using a RefreshToken
func NewRefreshTokenRetriever ¶
func NewRefreshTokenRetriever(clientID string, scope string, refreshToken string, idpHost string) *RefreshTokenRetriever
NewRefreshTokenRetriever initializes a new token context retriever
idpHost: should be of the form https://example.com or optionally https://example.com:port - if "" is specified then SplunkCloudIdpHost will be used.
func (*RefreshTokenRetriever) GetTokenContext ¶
func (tr *RefreshTokenRetriever) GetTokenContext() (*Context, error)
GetTokenContext gets a new access token context from the identity provider
type TokenRetriever ¶
TokenRetriever retrieves an access token with context