Documentation

Overview

Package oidc implements the authenticator.Token interface using the OpenID Connect protocol.

// The lifecycle context terminates the background key-fetching goroutines; cancel it only once the authenticator is no longer used.
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
prefix := "" // an empty prefix maps the claim value to the username unchanged
config := oidc.Options{
	JWTAuthenticator: apiserver.JWTAuthenticator{
		Issuer:        apiserver.Issuer{URL: "https://accounts.google.com", Audiences: []string{os.Getenv("GOOGLE_CLIENT_ID")}},
		ClaimMappings: apiserver.ClaimMappings{Username: apiserver.PrefixedClaimOrExpression{Claim: "email", Prefix: &prefix}},
	},
}
tokenAuthenticator, err := oidc.New(ctx, config)
Constants

This section is empty.

Variables

This section is empty.

Functions
func AllValidSigningAlgorithms (added in v0.30.0)

func AllValidSigningAlgorithms() []string
func DeleteJWKSFetchMetrics

func DeleteJWKSFetchMetrics(jwtIssuer, apiServerID string)

DeleteJWKSFetchMetrics deletes all JWKS-related metrics for a specific issuer and API server. This includes the hash metric and the timestamp metrics (both success and failure). It should be called when an issuer is removed from the configuration, to clean up stale metrics.
func RegisterMetrics (added in v0.30.0)

func RegisterMetrics()

func ResetMetrics

func ResetMetrics()
Types

type AuthenticatorTokenWithHealthCheck (added in v0.30.0)

type AuthenticatorTokenWithHealthCheck interface {
	authenticator.Token
	HealthCheck() error
}
func New

func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHealthCheck, error)

New returns an authenticator that is asynchronously initialized when opts.KeySet is not set. The input lifecycleCtx is used to:
- terminate the background goroutines needed for asynchronous initialization
- serve as the base context for any requests that are made (i.e. for key fetching)
Thus, once lifecycleCtx is canceled, the authenticator must not be used. A caller may check whether the authenticator is healthy by calling the HealthCheck method.
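The lifecycle and HealthCheck contract described above, as an added example that is not part of this package: asyncAuthenticator, keySet, fetchFunc and waitHealthy are hypothetical stand-ins built on the standard library only, so the block runs without the Kubernetes dependencies. It models both initialization paths (a preloaded key set versus a background fetch), reports unhealthy until the first successful fetch, stops retrying as soon as the lifecycle context ends, and never reports healthy after that.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// keySet stands in for the verifier's key material (a JWKS in the real package).
type keySet struct {
	keyIDs []string
}

// fetchFunc stands in for the remote key fetch; the lifecycle context is its
// base context, as the New documentation describes for key fetching.
type fetchFunc func(ctx context.Context) (*keySet, error)

// asyncAuthenticator is a hypothetical type modelling New's lifecycle: with a
// preloaded key set it is ready at once; otherwise a goroutine keeps fetching
// until it succeeds or the lifecycle context is done.
type asyncAuthenticator struct {
	lifecycleCtx context.Context
	mu           sync.RWMutex
	keys         *keySet
	initErr      error // non-nil until the first successful fetch
}

func newAsyncAuthenticator(lifecycleCtx context.Context, preloaded *keySet, fetch fetchFunc) *asyncAuthenticator {
	a := &asyncAuthenticator{lifecycleCtx: lifecycleCtx, keys: preloaded}
	if preloaded != nil {
		return a // synchronous initialization: nothing to fetch in the background
	}
	a.initErr = errors.New("oidc: authenticator not yet initialized")
	go a.initLoop(fetch, 10*time.Millisecond)
	return a
}

// initLoop retries with a fixed delay (a constant stands in for backoff) and
// exits as soon as the lifecycle context is done, so no goroutine outlives it.
func (a *asyncAuthenticator) initLoop(fetch fetchFunc, retryDelay time.Duration) {
	for {
		ks, err := fetch(a.lifecycleCtx)
		a.mu.Lock()
		if err == nil {
			a.keys, a.initErr = ks, nil
		} else {
			a.initErr = fmt.Errorf("oidc: key set fetch failed: %w", err)
		}
		a.mu.Unlock()
		if err == nil {
			return
		}
		select {
		case <-a.lifecycleCtx.Done():
			return // lifecycle ended: stop retrying
		case <-time.After(retryDelay):
		}
	}
}

// HealthCheck is nil only while the key set is loaded and the lifecycle context
// is still live; once that context is canceled the authenticator must not be used.
func (a *asyncAuthenticator) HealthCheck() error {
	if err := a.lifecycleCtx.Err(); err != nil {
		return fmt.Errorf("oidc: lifecycle context ended, authenticator must not be used: %w", err)
	}
	a.mu.RLock()
	defer a.mu.RUnlock()
	return a.initErr
}

// waitHealthy polls HealthCheck until it passes or the timeout expires, the way
// a readiness probe wrapping the authenticator effectively behaves.
func waitHealthy(a *asyncAuthenticator, timeout time.Duration) bool {
	deadline := time.Now().Add(timeout)
	for time.Now().Before(deadline) {
		if a.HealthCheck() == nil {
			return true
		}
		time.Sleep(5 * time.Millisecond)
	}
	return false
}

func main() {
	ctx, cancel := context.WithCancel(context.Background())
	attempts := 0 // only touched by the fetch goroutine
	fetch := func(context.Context) (*keySet, error) { // constructed: fails twice, then succeeds
		attempts++
		if attempts < 3 {
			return nil, errors.New("issuer unreachable")
		}
		return &keySet{keyIDs: []string{"constructed-kid-1"}}, nil
	}
	a := newAsyncAuthenticator(ctx, nil, fetch)
	fmt.Println("healthy after init:", waitHealthy(a, time.Second))
	cancel()
	fmt.Println("healthy after cancel:", a.HealthCheck() == nil)
}
```

The important detail for callers is the last transition: after cancellation HealthCheck fails permanently, so a server that cancels the lifecycle context must also stop routing requests to the authenticator rather than treating the failure as transient.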
type CAContentProvider (added in v0.22.0)

type CAContentProvider interface {
	CurrentCABundleContent() []byte
}

CAContentProvider is the subset of dynamiccertificates.CAContentProvider that can be used to dynamically load root CAs.
type Options

type Options struct {
	// JWTAuthenticator is the authenticator that will be used to verify the JWT.
	JWTAuthenticator apiserver.JWTAuthenticator

	// Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer.
	// Mutually exclusive with JWTAuthenticator.Issuer.DiscoveryURL.
	//
	// The following API server metrics for fetching JWKS and provider status will not be recorded if this is set:
	// - apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds
	// - apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info
	KeySet oidc.KeySet

	// PEM encoded root certificate contents of the provider. Mutually exclusive with Client.
	CAContentProvider CAContentProvider

	// EgressLookup allows for optional opt-in egress configuration via a custom dialer. Mutually exclusive with Client.
	EgressLookup egressselector.Lookup

	// Optional http.Client used to make all requests to the remote issuer. Mutually exclusive with CAContentProvider and EgressLookup.
	Client *http.Client

	// Optional CEL compiler used to compile the CEL expressions. This is useful to use a shared instance
	// of the compiler, as these compilers holding a CEL environment are expensive to create. If not provided,
	// a default compiler will be created.
	// Note: the compiler construction depends on feature gates and the compatibility version having been initialized.
	Compiler authenticationcel.Compiler

	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
	// can be used by the provider to sign tokens.
	//
	// https://tools.ietf.org/html/rfc7518#section-3.1
	//
	// This value defaults to RS256, the value recommended by the OpenID Connect
	// spec:
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
	SupportedSigningAlgs []string

	// DisallowedIssuers lists issuer URLs that the authenticator must reject.
	DisallowedIssuers []string

	// APIServerID is the ID of the API server.
	// This is used in metrics to identify the API server.
	APIServerID string
	// contains filtered or unexported fields
}
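An added example (not the package's own code) of how the SupportedSigningAlgs and DisallowedIssuers fields above act as pre-verification checks: checkOptions is a hypothetical subset of Options, preVerifyChecks and makeUnsignedToken are helpers written for this page, and the disallowed issuer URL is a constructed placeholder. It shows the documented RS256 default, the case-sensitive alg allow-list rejecting an unsigned or mismatched token before any key material is consulted, and DisallowedIssuers rejecting a token by its iss claim. Signature verification is deliberately out of scope here; the real authenticator still verifies the token against the issuer's key set, and claims are only trustworthy after that step.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// checkOptions is a hypothetical subset of Options holding only the two fields
// this example exercises; their meaning follows the Options documentation.
type checkOptions struct {
	SupportedSigningAlgs []string // empty means the documented default, RS256
	DisallowedIssuers    []string
}

// allowedAlgs applies the documented default: with nothing configured, only
// RS256 is accepted. JOSE "alg" names are case-sensitive, so the lookup is too.
func (o checkOptions) allowedAlgs() map[string]bool {
	algs := o.SupportedSigningAlgs
	if len(algs) == 0 {
		algs = []string{"RS256"}
	}
	allowed := make(map[string]bool, len(algs))
	for _, alg := range algs {
		allowed[alg] = true
	}
	return allowed
}

// decodeSegment base64url-decodes one JWT segment (unpadded, per RFC 7515) into v.
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// preVerifyChecks performs the checks a verifier applies before touching any
// key material: segment count, header "alg" against the allow-list, and the
// "iss" claim against DisallowedIssuers. It does not verify the signature; a
// real verifier must still do that against the issuer's key set.
func preVerifyChecks(token string, o checkOptions) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("oidc: malformed token: expected 3 segments")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := decodeSegment(parts[0], &header); err != nil {
		return fmt.Errorf("oidc: malformed token header: %w", err)
	}
	if !o.allowedAlgs()[header.Alg] {
		// Rejects unsigned tokens and any algorithm the provider was not configured for.
		return fmt.Errorf("oidc: id token signed with unsupported algorithm %q", header.Alg)
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return fmt.Errorf("oidc: malformed token claims: %w", err)
	}
	for _, disallowed := range o.DisallowedIssuers {
		if claims.Iss == disallowed {
			return fmt.Errorf("oidc: issuer %q is disallowed", claims.Iss)
		}
	}
	return nil
}

// makeUnsignedToken builds a constructed token for the demonstration only: the
// third segment is a placeholder, not a signature, so it can never pass real verification.
func makeUnsignedToken(alg, iss string) string {
	encode := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return encode(map[string]string{"alg": alg, "typ": "JWT"}) + "." +
		encode(map[string]string{"iss": iss}) + ".placeholder-signature"
}

func main() {
	opts := checkOptions{DisallowedIssuers: []string{"https://issuer.example.invalid/disallowed"}}
	for _, tok := range []string{
		makeUnsignedToken("RS256", "https://accounts.google.com"),
		makeUnsignedToken("none", "https://accounts.google.com"),
		makeUnsignedToken("rs256", "https://accounts.google.com"),
		makeUnsignedToken("RS256", "https://issuer.example.invalid/disallowed"),
	} {
		fmt.Println(preVerifyChecks(tok, opts))
	}
}
```

Note the ordering: the alg check runs on the header alone, before the claims are even decoded, so a token advertising an algorithm the provider never uses is refused without the verifier reaching for a key. Setting SupportedSigningAlgs replaces the default rather than extending it, so a configuration listing only ES256 rejects RS256 tokens.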