Documentation
Overview
oidc implements the authenticator.Token interface using the OpenID Connect protocol.
	// lifecycleCtx bounds the background key fetching; once it is canceled the
	// authenticator must not be used (see New below).
	lifecycleCtx, cancel := context.WithCancel(context.Background())
	defer cancel()

	config := oidc.Options{
		IssuerURL:     "https://accounts.google.com",
		ClientID:      os.Getenv("GOOGLE_CLIENT_ID"),
		UsernameClaim: "email",
	}
	tokenAuthenticator, err := oidc.New(lifecycleCtx, config)
Constants
This section is empty.
Variables
This section is empty.
Functions
func AllValidSigningAlgorithms (added in v0.30.0)
func AllValidSigningAlgorithms() []string
func RegisterMetrics (added in v0.30.0)
func RegisterMetrics()
Types
type AuthenticatorTokenWithHealthCheck (added in v0.30.0)
type AuthenticatorTokenWithHealthCheck interface {
authenticator.Token
HealthCheck() error
}
func New
func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHealthCheck, error)
New returns an authenticator that is asynchronously initialized when opts.KeySet is not set. The input lifecycleCtx is used:
- to terminate the background goroutines needed for asynchronous initialization
- as the base context for any requests that are made (i.e. for key fetching)
Thus, once the lifecycleCtx is canceled, the authenticator must not be used. A caller may check whether the authenticator is healthy by calling the HealthCheck method.
type CAContentProvider (added in v0.22.0)
type CAContentProvider interface {
CurrentCABundleContent() []byte
}
CAContentProvider is the subset of dynamiccertificates.CAContentProvider needed to dynamically load root CAs.
type Options
type Options struct {
// JWTAuthenticator is the authenticator that will be used to verify the JWT.
JWTAuthenticator apiserver.JWTAuthenticator
// Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer.
// Mutually exclusive with JWTAuthenticator.Issuer.DiscoveryURL.
KeySet oidc.KeySet
// PEM encoded root certificate contents of the provider. Mutually exclusive with Client.
CAContentProvider CAContentProvider
// EgressLookup allows opt-in egress configuration via a custom dialer. Mutually exclusive with Client.
EgressLookup egressselector.Lookup
// Optional http.Client used to make all requests to the remote issuer. Mutually exclusive with CAContentProvider and EgressLookup.
Client *http.Client
// Optional CEL compiler used to compile the CEL expressions. This is useful for sharing one instance
// of the compiler, as each compiler holds a CEL environment and is expensive to create. If not provided,
// a default compiler will be created.
// Note: the compiler construction depends on feature gates and the compatibility version to be initialized.
Compiler authenticationcel.Compiler
// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
// can be used by the provider to sign tokens.
//
// https://tools.ietf.org/html/rfc7518#section-3.1
//
// This value defaults to RS256, the value recommended by the OpenID Connect
// spec:
//
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
SupportedSigningAlgs []string
DisallowedIssuers []string
// contains filtered or unexported fields
}
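An added, stand-alone example (not code from this package) of the header check that the SupportedSigningAlgs field and its RS256 default imply: it decodes the JOSE header of a compact JWS and rejects any alg outside the configured set before any key lookup or claim handling. The function names and the embedded token are constructed for this illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AllowedAlgs applies the documented default: when SupportedSigningAlgs is
// empty, only RS256 is accepted.
func AllowedAlgs(supported []string) []string {
	if len(supported) == 0 {
		return []string{"RS256"}
	}
	return supported
}

// CheckAlg decodes the JOSE header of a compact JWS and refuses any alg that is
// not in the accepted set, so an unsigned ("none") token or one using an
// unexpected algorithm is rejected before key lookup or claim handling.
func CheckAlg(token string, supported []string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("decoding JOSE header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parsing JOSE header: %w", err)
	}
	for _, a := range AllowedAlgs(supported) {
		if a == hdr.Alg {
			return hdr.Alg, nil
		}
	}
	return "", fmt.Errorf("alg %q is not in SupportedSigningAlgs %v", hdr.Alg, AllowedAlgs(supported))
}

func main() {
	// Constructed token: RS256 header, empty payload, placeholder signature.
	fmt.Println(CheckAlg("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig", nil))
}
```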