Documentation
Overview
Package ssoutils provides helper functionality for OIDC-based SSO integration, bridging the gap between our choices of HTTP server, token issuance, and the overall SSO flow. Several of the functions in this package generate URLs for SSO login and callback, because echox does not allow easy access to route paths.
Index
Constants
const (
	// ExemptReasonOwner is set when the subject is the organization owner. This covers owners of
	// organizations created before per-member sso_exempt seeding existed, which are not backfilled
	ExemptReasonOwner = "owner"
	// ExemptReasonUser is set when the subject's membership carries an explicit SSO exemption
	ExemptReasonUser = "user_exempt"
	// ExemptReasonDomain is set when the subject is a member whose email domain is exempt
	ExemptReasonDomain = "domain_exempt"
)
Exemption reasons describe why a subject is not subject to the SSO login redirect
Variables
This section is empty.
Functions
func EmailDomain (added in v1.26.0)
EmailDomain returns the lowercased domain portion of an email, or empty when it cannot be parsed
func SSOCallback
SSOCallback returns the path for the SSO callback route
func SSOLogin
SSOLogin returns the path for the SSO login route with the organization ID query parameter
func SSOTokenAuthorize
SSOTokenAuthorize returns the path for the SSO token authorization route with token and org parameters
func SSOTokenCallback
SSOTokenCallback returns the path for the SSO token callback route
Types
type Decision (added in v1.26.0)
type Decision struct {
// SSOEnforced reports whether SSO enforcement is effective (enabled and connection tested)
SSOEnforced bool
// Exempt reports whether the subject is exempt from the SSO login redirect
Exempt bool
// ExemptReason explains why the subject is exempt; empty when not exempt
ExemptReason string
// MustSSO reports whether the subject must be redirected through the SSO login flow
MustSSO bool
// TFARequired reports whether the subject must satisfy multifactor authentication; this is
// independent of SSO exemption
TFARequired bool
}
Decision is the resolved authentication routing decision for a subject and organization
func Evaluate (added in v1.26.0)
func Evaluate(in EnforcementInput) Decision
Evaluate resolves how a subject must authenticate against an organization. SSO exemption only affects whether the subject is routed through the directory; multifactor enforcement applies regardless of exemption
type EnforcementInput (added in v1.26.0)
type EnforcementInput struct {
// SSOEnforced reports whether the organization has SSO login enforcement enabled
SSOEnforced bool
// TFAEnforced reports whether the organization enforces multifactor authentication
TFAEnforced bool
// ExemptDomains is the set of email domains whose existing members skip the SSO redirect
ExemptDomains []string
// IsMember reports whether the subject is already a member of the organization
IsMember bool
// IsOwner reports whether the subject is the organization owner; owners are exempt as a backwards
// compatible fallback for memberships created before sso_exempt seeding existed
IsOwner bool
// MemberExempt reports whether the subject's membership carries an SSO exemption
MemberExempt bool
// Email is the subject's email address used for domain based exemption checks
Email string
}
EnforcementInput carries the organization and membership facts needed to decide how a subject must authenticate against an organization. It is built from the organization setting and the subject's membership so this package stays free of ent dependencies
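As an added worked example (not the package's own implementation), the decision rules documented for Evaluate and EmailDomain above, written out against the documented fields. The precedence between exemption reasons (owner, then explicit member exemption, then domain) and the case-insensitive domain comparison are assumptions of this example; the input and sample email are constructed.

```go
package main

import ("fmt"; "strings")

// Exemption reasons as documented for ssoutils; the two types carry only the documented fields.
const (
	ExemptReasonOwner  = "owner"
	ExemptReasonUser   = "user_exempt"
	ExemptReasonDomain = "domain_exempt"
)
type EnforcementInput struct {
	SSOEnforced, TFAEnforced, IsMember, IsOwner, MemberExempt bool
	ExemptDomains                                             []string
	Email                                                     string
}
type Decision struct {
	SSOEnforced, Exempt, MustSSO, TFARequired bool
	ExemptReason                              string
}

// EmailDomain returns the lowercased domain of an email, or "" when it cannot be parsed.
func EmailDomain(email string) string {
	if at := strings.LastIndex(email, "@"); at > 0 && at < len(email)-1 {
		return strings.ToLower(email[at+1:])
	}
	return ""
}

// Evaluate applies the documented rules; the owner > user > domain precedence is an assumption.
func Evaluate(in EnforcementInput) Decision {
	d := Decision{SSOEnforced: in.SSOEnforced, TFARequired: in.TFAEnforced}
	domain, domainExempt := EmailDomain(in.Email), false
	for _, e := range in.ExemptDomains { // case-insensitive match on the parsed domain
		domainExempt = domainExempt || (domain != "" && strings.EqualFold(e, domain))
	}
	switch {
	case in.IsOwner:
		d.Exempt, d.ExemptReason = true, ExemptReasonOwner
	case in.IsMember && in.MemberExempt:
		d.Exempt, d.ExemptReason = true, ExemptReasonUser
	case in.IsMember && domainExempt:
		d.Exempt, d.ExemptReason = true, ExemptReasonDomain
	}
	d.MustSSO = d.SSOEnforced && !d.Exempt // exemption never clears TFARequired
	return d
}

func main() { // constructed sample: exempt-domain member of an org enforcing SSO and MFA
	fmt.Printf("%+v\n", Evaluate(EnforcementInput{SSOEnforced: true, TFAEnforced: true, IsMember: true,
		ExemptDomains: []string{"contractor.example"}, Email: "dana@Contractor.Example"}))
}
```

Note that a non-member from an exempt domain is still routed through SSO: the domain exemption applies only to existing members, as the ExemptDomains field documents.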
func LoadEnforcement (added in v1.26.0)
func LoadEnforcement(ctx context.Context, db *ent.Client, orgID, userID, email string) (EnforcementInput, *ent.OrganizationSetting, error)
LoadEnforcement loads the organization setting and, when a userID is provided, the subject's membership and email, and returns the EnforcementInput plus the loaded setting. It is the single db-aware source used by both the SSO handlers and the auth middleware to feed Evaluate, so the membership query is projected to only the fields the decision needs