ssoutils

package
v1.26.0
Published: Jul 1, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package ssoutils provides helper functionality for OIDC-based SSO integration, bridging the gap between our choices on HTTP server, token issuance, and overall SSO flow. Several of the functions in this package generate URLs for SSO login and callback, because echox does not allow easy access to route paths.

Index

Constants

const (
	// ExemptReasonOwner is set when the subject is the organization owner. This covers owners of
	// organizations created before per-member sso_exempt seeding existed, which are not backfilled
	ExemptReasonOwner = "owner"
	// ExemptReasonUser is set when the subject's membership carries an explicit SSO exemption
	ExemptReasonUser = "user_exempt"
	// ExemptReasonDomain is set when the subject is a member whose email domain is exempt
	ExemptReasonDomain = "domain_exempt"
)

Exemption reasons describe why a subject is not subject to the SSO login redirect

Variables

This section is empty.

Functions

func EmailDomain added in v1.26.0

func EmailDomain(email string) string

EmailDomain returns the lowercased domain portion of an email, or empty when it cannot be parsed

func SSOCallback

func SSOCallback(e *echo.Echo) string

SSOCallback returns the path for the SSO callback route

func SSOLogin

func SSOLogin(e *echo.Echo, orgID string) string

SSOLogin returns the path for the SSO login route with the organization ID query parameter

func SSOTokenAuthorize

func SSOTokenAuthorize(e *echo.Echo, orgID, tokenID, tokenType string) string

SSOTokenAuthorize returns the path for the SSO token authorization route with token and org parameters

func SSOTokenCallback

func SSOTokenCallback(e *echo.Echo) string

SSOTokenCallback returns the path for the SSO token callback route

Types

type Decision added in v1.26.0

type Decision struct {
	// SSOEnforced reports whether SSO enforcement is effective (enabled and connection tested)
	SSOEnforced bool
	// Exempt reports whether the subject is exempt from the SSO login redirect
	Exempt bool
	// ExemptReason explains why the subject is exempt; empty when not exempt
	ExemptReason string
	// MustSSO reports whether the subject must be redirected through the SSO login flow
	MustSSO bool
	// TFARequired reports whether the subject must satisfy multifactor authentication; this is
	// independent of SSO exemption
	TFARequired bool
}

Decision is the resolved authentication routing decision for a subject and organization

func Evaluate added in v1.26.0

func Evaluate(in EnforcementInput) Decision

Evaluate resolves how a subject must authenticate against an organization. SSO exemption only affects whether the subject is routed through the directory; multifactor enforcement applies regardless of exemption

type EnforcementInput added in v1.26.0

type EnforcementInput struct {
	// SSOEnforced reports whether the organization has SSO login enforcement enabled
	SSOEnforced bool
	// TFAEnforced reports whether the organization enforces multifactor authentication
	TFAEnforced bool
	// ExemptDomains is the set of email domains whose existing members skip the SSO redirect
	ExemptDomains []string
	// IsMember reports whether the subject is already a member of the organization
	IsMember bool
	// IsOwner reports whether the subject is the organization owner; owners are exempt as a backwards
	// compatible fallback for memberships created before sso_exempt seeding existed
	IsOwner bool
	// MemberExempt reports whether the subject's membership carries an SSO exemption
	MemberExempt bool
	// Email is the subject's email address used for domain based exemption checks
	Email string
}

EnforcementInput carries the organization and membership facts needed to decide how a subject must authenticate against an organization. It is built from the organization setting and the subject's membership so this package stays free of ent dependencies
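The Decision, Evaluate and EnforcementInput contract above, worked through as an added Go example that is not the ssoutils package's own code. The constants and struct fields are copied from this page; the bodies of EmailDomain and Evaluate are assumptions reconstructed from the doc comments. In particular, the owner, then member, then domain precedence among exemptions and the case-insensitive domain match are not stated on the page, and the Decision.SSOEnforced field simply mirrors the input flag here (the "connection tested" part of that field is resolved elsewhere, presumably in LoadEnforcement).

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Exemption reason values as documented for package ssoutils.
const (
	ExemptReasonOwner  = "owner"
	ExemptReasonUser   = "user_exempt"
	ExemptReasonDomain = "domain_exempt"
)

// EnforcementInput mirrors the documented struct (fields copied from the page).
type EnforcementInput struct {
	SSOEnforced   bool
	TFAEnforced   bool
	ExemptDomains []string
	IsMember      bool
	IsOwner       bool
	MemberExempt  bool
	Email         string
}

// Decision mirrors the documented struct.
type Decision struct {
	SSOEnforced  bool
	Exempt       bool
	ExemptReason string
	MustSSO      bool
	TFARequired  bool
}

// EmailDomain is an assumed reimplementation of the documented behaviour:
// the lowercased part after the last '@', or "" when the address does not parse.
func EmailDomain(email string) string {
	addr, err := mail.ParseAddress(email)
	if err != nil {
		return ""
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr.Address[at+1:])
}

// domainExempt reports whether domain is in the exempt set. The case-insensitive,
// whitespace-tolerant comparison is an assumption; the page only says domains are lowercased.
func domainExempt(exempt []string, domain string) bool {
	if domain == "" {
		return false
	}
	for _, d := range exempt {
		if strings.ToLower(strings.TrimSpace(d)) == domain {
			return true
		}
	}
	return false
}

// Evaluate is an assumed implementation of the documented contract: an exemption only
// matters while SSO is enforced, a domain exemption only applies to an existing member,
// and the multifactor requirement passes through untouched by any exemption.
// The owner -> member -> domain precedence is an assumption, not documented on the page.
func Evaluate(in EnforcementInput) Decision {
	d := Decision{SSOEnforced: in.SSOEnforced, TFARequired: in.TFAEnforced}
	if !in.SSOEnforced {
		return d // nothing to route through the IdP; MustSSO stays false
	}
	switch {
	case in.IsOwner:
		d.Exempt, d.ExemptReason = true, ExemptReasonOwner
	case in.IsMember && in.MemberExempt:
		d.Exempt, d.ExemptReason = true, ExemptReasonUser
	case in.IsMember && domainExempt(in.ExemptDomains, EmailDomain(in.Email)):
		d.Exempt, d.ExemptReason = true, ExemptReasonDomain
	}
	d.MustSSO = !d.Exempt
	return d
}

func main() {
	// Constructed inputs: an existing member on an exempt domain, an invited non-member
	// on the same domain (must still use SSO), and an owner of an org without enforcement.
	for _, in := range []EnforcementInput{
		{SSOEnforced: true, TFAEnforced: true, IsMember: true, ExemptDomains: []string{"Contractor.Example"}, Email: "Dana@contractor.example"},
		{SSOEnforced: true, ExemptDomains: []string{"contractor.example"}, Email: "new@contractor.example"},
		{SSOEnforced: false, TFAEnforced: true, IsOwner: true},
	} {
		fmt.Printf("%+v\n", Evaluate(in))
	}
}
```

The two checks worth keeping in mind when reviewing the real implementation are visible in the constructed inputs: a domain exemption never reaches a subject who is not yet a member, so an invited address on an exempt domain is still routed through SSO, and TFARequired is set from TFAEnforced before any exemption branch runs, so an exempt subject keeps the multifactor obligation. LoadEnforcement and the echo URL helpers are not reproduced because they need a database and a router.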

func LoadEnforcement added in v1.26.0

func LoadEnforcement(ctx context.Context, db *ent.Client, orgID, userID, email string) (EnforcementInput, *ent.OrganizationSetting, error)

LoadEnforcement loads the organization setting and, when a userID is provided, the subject's membership and email, and returns the EnforcementInput plus the loaded setting. It is the single db-aware source used by both the SSO handlers and the auth middleware to feed Evaluate, so the membership query is projected to only the fields the decision needs
