Documentation
Constants
This section is empty.
Variables
var (
	// ErrBadService means the service does not follow the specification.
	ErrBadService = errors.New("bad service")
	// ErrBadDestinationScheme is returned when the destination
	// scheme isn't HTTPS.
	ErrBadDestinationScheme = errors.New("bad destination scheme")
	// not been whitelisted.
	ErrUnauthorizedService = errors.New("unauthorized service")
	// not part of the service.
	ErrUnauthorizedDestination = errors.New("unauthorized destination")
	// group ACLs do not match the current ticket.
	ErrUnauthorized = errors.New("unauthorized")
)
Functions
func New
func New(loginService *LoginService, authClient authclient.Client, config *Config) (http.Handler, error)
New returns a new Server.
Types
type Config
type Config struct {
	login.Config `yaml:",inline"`

	URLPrefix          string   `yaml:"url_path_prefix"`
	AllowedCORSOrigins []string `yaml:"allowed_cors_origins"`
	SecretKeyFile      string   `yaml:"secret_key_file"`
	PublicKeyFile      string   `yaml:"public_key_file"`
	Domain             string   `yaml:"domain"`
	AllowedServices    []string `yaml:"allowed_services"`
	AllowedExchanges   []*struct {
		SrcRegexp string `yaml:"src_regexp"`
		DstRegexp string `yaml:"dst_regexp"`
		// contains filtered or unexported fields
	} `yaml:"allowed_exchanges"`
	ServiceTTLs []*struct {
		Regexp     string `yaml:"regexp"`
		TTLSeconds int    `yaml:"ttl"`
		// contains filtered or unexported fields
	} `yaml:"service_ttls"`
	KeyStore             *clientutil.BackendConfig `yaml:"keystore"`
	KeyStoreEnableGroups []string                  `yaml:"keystore_enable_groups"`
	LoginDelayMs         float64                   `yaml:"login_delay_ms"`
	// contains filtered or unexported fields
}
Config data for the SSO service.
type LoginService
type LoginService struct {
// contains filtered or unexported fields
}
LoginService provides the business logic for the SSO server, offering the Authorize and Exchange methods.
func NewLoginService
func NewLoginService(config *Config) (*LoginService, error)
NewLoginService returns a new LoginService with the specified configuration.
func (*LoginService) Authorize
func (s *LoginService) Authorize(username, service, destination, nonce string, groups []string, maxTTL time.Duration) (string, error)
Authorize a user to access a service by generating a token for it. Note that the user must already have been successfully identified by some other means (e.g. by passing a login form). The 'maxTTL' parameter, if non-zero, caps the time-to-live of the ticket, which is otherwise determined by the service configuration.
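The checks implied by the error values above and the maxTTL rule documented for Authorize, as an added Go example that is not the package's own code: Policy and TTLRule are constructed stand-ins for the Config fields allowed_services and service_ttls, and the "destination host equals the service name" rule, first-match-wins for service_ttls, and DefaultTTL are assumptions not stated on the page.

```go
package main

import (
	"errors"
	"net/url"
	"regexp"
	"slices"
	"time"
)

// Error values reuse the names documented for the package.
var (
	ErrBadDestinationScheme    = errors.New("bad destination scheme")
	ErrUnauthorizedService     = errors.New("unauthorized service")
	ErrUnauthorizedDestination = errors.New("unauthorized destination")
)

// TTLRule mirrors a service_ttls entry; Policy is a constructed stand-in for
// the Config fields used here. DefaultTTL is an assumption (not on the page).
type TTLRule struct{ Regexp string; TTLSeconds int }
type Policy struct{ AllowedServices []string; ServiceTTLs []TTLRule; DefaultTTL time.Duration }

// authorizeTTL applies the documented checks (HTTPS only, whitelisted service,
// destination part of the service, assumed to mean host == service name) and
// returns the ticket TTL: first matching service_ttls rule, capped by maxTTL.
func (p *Policy) authorizeTTL(service, destination string, maxTTL time.Duration) (time.Duration, error) {
	u, err := url.Parse(destination)
	if err != nil || u.Scheme != "https" {
		return 0, ErrBadDestinationScheme
	}
	if !slices.Contains(p.AllowedServices, service) {
		return 0, ErrUnauthorizedService
	}
	if u.Hostname() != service {
		return 0, ErrUnauthorizedDestination
	}
	ttl := p.DefaultTTL
	for _, r := range p.ServiceTTLs {
		if ok, err := regexp.MatchString(r.Regexp, service); err != nil {
			return 0, err // a malformed regexp must not silently fall back
		} else if ok {
			ttl = time.Duration(r.TTLSeconds) * time.Second
			break
		}
	}
	if maxTTL != 0 && maxTTL < ttl {
		ttl = maxTTL // a non-zero maxTTL only ever shortens the ticket
	}
	return ttl, nil
}
```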