authorizer

package
v1.17.1 Latest
Published: May 29, 2026 License: Apache-2.0 Imports: 22 Imported by: 4

Documentation

Constants

This section is empty.

Variables

var (
	// ErrTokenExchangeUnauthorized maps rejected source tokens to 401.
	ErrTokenExchangeUnauthorized = errors.New("token exchange unauthorized")

	// ErrTokenExchangeForbidden signals scope refusal from identity
	// (400 invalid_scope, RFC 6749 §5.2); the middleware projects to 403.
	ErrTokenExchangeForbidden = errors.New("token exchange forbidden")

	// ErrTokenExchangeUnavailable classifies transport and upstream availability failures.
	ErrTokenExchangeUnavailable = errors.New("token exchange unavailable")

	// ErrTokenExchangeFailed indicates token exchange returned a non-retriable
	// non-success response status that is neither 401 nor 5xx.
	ErrTokenExchangeFailed = errors.New("token exchange failed")

	// ErrTokenExchangeInvalidResponse indicates a malformed successful response body.
	ErrTokenExchangeInvalidResponse = errors.New("token exchange invalid response")

	// ErrTokenExchangeMissingAccessToken indicates a successful response omitted
	// the access_token field.
	ErrTokenExchangeMissingAccessToken = errors.New("token exchange response missing access token")

	// ErrPassportInvalid indicates exchange returned an unusable passport payload.
	ErrPassportInvalid = errors.New("passport invalid")
)
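The response classification that the error variables above describe, as an added example that is not the package's own code: a stand-alone function that maps the token endpoint's HTTP status and body to the matching sentinel. The sentinels are re-declared locally so it runs without the package; the ClassifyExchange name and the JSON field handling are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinels re-declared locally (constructed) so the example runs on its own.
var (
	ErrTokenExchangeUnauthorized       = errors.New("token exchange unauthorized")
	ErrTokenExchangeForbidden          = errors.New("token exchange forbidden")
	ErrTokenExchangeUnavailable        = errors.New("token exchange unavailable")
	ErrTokenExchangeFailed             = errors.New("token exchange failed")
	ErrTokenExchangeInvalidResponse    = errors.New("token exchange invalid response")
	ErrTokenExchangeMissingAccessToken = errors.New("token exchange response missing access token")
)

// tokenResponse holds the RFC 8693 success and RFC 6749 §5.2 error fields used here.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
}

// ClassifyExchange maps a token endpoint reply to a passport or one sentinel:
// 401 -> Unauthorized; 400 invalid_scope -> Forbidden; 5xx -> Unavailable; other
// non-2xx -> Failed; non-JSON 2xx -> InvalidResponse; 2xx without access_token -> MissingAccessToken.
func ClassifyExchange(status int, body []byte) (string, error) {
	var resp tokenResponse
	switch {
	case status == 401:
		return "", ErrTokenExchangeUnauthorized
	case status == 400 && json.Unmarshal(body, &resp) == nil && resp.Error == "invalid_scope":
		return "", ErrTokenExchangeForbidden
	case status >= 500:
		return "", fmt.Errorf("%w: status %d", ErrTokenExchangeUnavailable, status)
	case status < 200 || status > 299:
		return "", fmt.Errorf("%w: status %d", ErrTokenExchangeFailed, status)
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("%w: %v", ErrTokenExchangeInvalidResponse, err)
	}
	if resp.AccessToken == "" {
		return "", ErrTokenExchangeMissingAccessToken
	}
	return resp.AccessToken, nil
}
func main() {
	fmt.Println(ClassifyExchange(200, []byte(`{"access_token":"passport-abc"}`)))
}
```

Callers can use errors.Is against the sentinels, as the middleware does when projecting Unauthorized to 401 and Forbidden to 403.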

Functions

func TokenExchangeURL added in v1.17.0

func TokenExchangeURL(identityHost string) string

TokenExchangeURL returns the full token exchange endpoint URL for an identity host.

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer provides OpenAPI-based authorization middleware backed by remote identity token exchange and ACL lookup.

func NewAuthorizer

func NewAuthorizer(client client.Client, options *identityclient.Options, clientOptions *coreclient.HTTPClientOptions) (*Authorizer, error)

NewAuthorizer returns a new authorizer with required parameters.

func (*Authorizer) Authorize

func (a *Authorizer) Authorize(authentication *openapi3filter.AuthenticationInput) (*authorization.Info, error)

Authorize checks the request against the OpenAPI security scheme.

func (*Authorizer) GetACL

func (a *Authorizer) GetACL(ctx context.Context, organizationID string) (*identityapi.Acl, error)

GetACL retrieves access control information for the subject identified by the preceding Authorize call.

type Getter added in v0.2.52

type Getter string

func (Getter) Get added in v0.2.52

func (a Getter) Get(_ context.Context) (string, error)

type HTTPTokenExchange added in v1.17.0

type HTTPTokenExchange struct {
	// contains filtered or unexported fields
}

HTTPTokenExchange exchanges source access tokens through an OAuth2 token endpoint.

func (*HTTPTokenExchange) Exchange added in v1.17.0

func (c *HTTPTokenExchange) Exchange(ctx context.Context, sourceToken string, options *tokenExchangeOptions) (string, error)

Exchange performs the RFC 8693 form-post against the configured token endpoint and returns the issued passport on success.

type TokenExchange added in v1.17.0

type TokenExchange interface {
	Exchange(ctx context.Context, sourceToken string, options *tokenExchangeOptions) (string, error)
}

TokenExchange exchanges a source access token for a passport token via RFC 8693 token exchange.

func NewHTTPTokenExchange added in v1.17.0

func NewHTTPTokenExchange(httpClient *http.Client, tokenURL string) TokenExchange

NewHTTPTokenExchange builds a token exchanger that performs RFC 8693 token exchange over HTTP.
