iam

package
v1.102.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package iam builds the platform's authentication and authorization identity layer: the authenticator chain (NewIdentity) and the persona authorizer (NewAuthorizer).

Constructors take an explicit Input rather than the platform config, so the layer can be built and tested on its own. The package must not import pkg/platform: the auth config types live there, so importing it would create a cycle. Callers translate their config into Input at the boundary.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewAuthorizer

func NewAuthorizer(in Input) middleware.Authorizer

NewAuthorizer builds the persona-based authorizer from in. It is independent of NewIdentity so a caller can override one without constructing the other.

Types

type Identity

type Identity struct {
	// Authenticator is the assembled authenticator (a chain, or a noop when
	// nothing is configured).
	Authenticator middleware.Authenticator
	// APIKeyAuth is the API key authenticator when API keys are enabled, or nil.
	// The caller keeps it so DB-backed keys can be appended after startup.
	APIKeyAuth *auth.APIKeyAuthenticator
}

Identity is the authenticator half of the identity layer.

func NewIdentity

func NewIdentity(in Input) (Identity, error)

NewIdentity builds the authenticator chain from in. Authenticators are ordered OAuth JWT → OIDC → API key so a token issued by our own OAuth server is checked first; when none are configured a permissive noop is returned.

type Input

type Input struct {
	// OAuthEnabled gates the OAuth JWT authenticator (for tokens issued by our
	// own OAuth server). It is only added when a signing key is also present.
	OAuthEnabled bool
	OAuthJWT     auth.OAuthJWTConfig

	// OIDCEnabled gates the OIDC authenticator (for tokens from an external IdP).
	OIDCEnabled bool
	OIDC        auth.OIDCConfig

	// APIKeysEnabled gates the API key authenticator.
	APIKeysEnabled bool
	APIKeys        []auth.APIKey

	// AllowAnonymous permits unauthenticated access through the chained
	// authenticator; ignored when no authenticators are configured (noop).
	AllowAnonymous bool

	// Authorizer inputs.
	PersonaRegistry *persona.Registry
	RoleClaimPath   string
	RolePrefix      string
	OIDCToPersona   map[string]string
}

Input holds the values NewIdentity and NewAuthorizer need. Callers build it from their own config, keeping platform config types out of this package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL