connectors

package
v0.9.1 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 4, 2026 | License: Apache-2.0 | Imports: 6 | Imported by: 0

Documentation

Overview

Package connectors wraps github.com/dexidp/dex/connector with a small Miren-flavored interface. Route protection uses these to authenticate users against upstream providers that don't speak OIDC (e.g. GitHub).

The wrapper layer exists to keep our existing httpingress code unaware of Dex's Scopes/connData/Identity types and to give us a stable shape for adding more connectors over time without leaking Dex internals.

Types

type Connector

type Connector interface {
	// LoginURL returns the upstream URL to redirect the user to. The
	// returned connData blob must be persisted with the OAuth state and
	// handed back to HandleCallback unchanged.
	LoginURL(callbackURL, state string) (loginURL string, connData []byte, err error)

	// HandleCallback processes the OAuth callback request and returns the
	// resolved Identity.
	HandleCallback(ctx context.Context, connData []byte, r *http.Request) (Identity, error)
}

Connector is the Miren-side abstraction over Dex's CallbackConnector. The wrapper hides connector.Scopes (we always request groups), and normalizes the (loginURL, connData, error) tuple from LoginURL so the caller round-trips connData through the state cookie alongside the PKCE/state values already living there.
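One way to carry connData through the state cookie so that it reaches HandleCallback unchanged, as an added example that is not code from this package. sealState and openState are hypothetical helpers, and the HMAC-signed cookie layout and the demo key are assumptions, since the page does not say how the cookie is protected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// sealState (hypothetical helper) packs state and connData into one cookie
// value and appends an HMAC-SHA256 tag so the browser cannot alter either part.
func sealState(key []byte, state string, connData []byte) string {
	enc := base64.RawURLEncoding
	body := enc.EncodeToString([]byte(state)) + "." + enc.EncodeToString(connData)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + enc.EncodeToString(mac.Sum(nil))
}

// openState (hypothetical helper) verifies the tag, compares the cookie's
// state with the state query parameter of the callback, and returns connData
// byte-for-byte so it can be passed to HandleCallback.
func openState(key []byte, cookie, callbackState string) ([]byte, error) {
	enc := base64.RawURLEncoding
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed state cookie")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	tag, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("state cookie failed integrity check")
	}
	state, _ := enc.DecodeString(parts[0]) // authenticated above, so decodable
	if subtle.ConstantTimeCompare(state, []byte(callbackState)) != 1 {
		return nil, errors.New("state mismatch")
	}
	return enc.DecodeString(parts[1])
}

func main() {
	key := []byte("constructed-demo-key-not-for-use") // constructed sample key
	c := sealState(key, "st-123", []byte(`{"constructed":"connData"}`))
	data, err := openState(key, c, "st-123")
	fmt.Println(string(data), err)
}
```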

func NewGitHub

func NewGitHub(cfg GitHubConfig, logger *slog.Logger) (Connector, error)

NewGitHub returns a Connector backed by github.com/dexidp/dex/connector/github.

type GitHubConfig

type GitHubConfig struct {
	ClientID     string
	ClientSecret string
	RedirectURI  string

	// Orgs restricts login to members of these GitHub organizations.
	// If an Org includes Teams, the user must belong to one of those teams.
	Orgs []GitHubOrg

	// UseLoginAsID, when true, surfaces the GitHub login (e.g. "phinze")
	// as Identity.UserID instead of the numeric user ID. Defaults to false
	// to match OIDC's stable-`sub` convention.
	UseLoginAsID bool
}

GitHubConfig configures the GitHub connector. RedirectURI is pinned at construction time because Dex's connector validates that it matches the callbackURL passed to LoginURL, so callers should cache one Connector per (route, baseURL) pair.

type GitHubOrg

type GitHubOrg struct {
	Name  string
	Teams []string
}

type Identity

type Identity struct {
	UserID            string
	Username          string
	PreferredUsername string
	Email             string
	EmailVerified     bool
	Groups            []string

	// ConnectorData is opaque state that the underlying connector wants
	// to round-trip into a future Refresh call. Currently unused by the
	// route-protection flow; kept on the type so we can plumb it through
	// the session cookie later without changing the interface.
	ConnectorData []byte
}

Identity is the normalized result of a successful connector login.

func (Identity) Claims

func (i Identity) Claims() map[string]any

Claims renders the identity as the map[string]interface{} shape that httpingress.injectClaims walks for claim-header mapping. The keys mirror the OIDC claim names so route operators can mix providers transparently.
