oauth2

package

v1.0.6 Latest Latest Go to latest Published: Feb 15, 2023 License: AGPL-3.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

gitee.com/whubbledb/console

Links

Open Source Insights

Documentation ¶

Overview ¶

Package oauth2 contains all the necessary configurations to initialize the idp communication using oauth2 protocol

Index ¶

Constants
Variables
func GetIDPCallbackURL() string
func GetIDPCallbackURLDynamic() bool
func GetIDPClientID() string
func GetIDPSecret() string
func GetIDPURL() string
func GetIDPUserInfo() bool
func GetRandomStateWithHMAC(length int, keyFunc StateKeyFunc) string
func GetSTSEndpoint() string
func IsIDPEnabled() bool
type Config
- func (ac Config) AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string
- func (ac Config) Client(ctx context.Context, t *xoauth2.Token) *http.Client
- func (ac Config) Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)
- func (ac Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)
- func (ac Config) TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource
type Configuration
type DiscoveryDoc
type LoginURLParams
type OpenIDPCfg
- func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)
type Provider
- func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)
- func (client *Provider) GenerateLoginURL(keyFunc StateKeyFunc, iDPName string) string
- func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN string, keyFunc StateKeyFunc) (*credentials.Credentials, error)
- func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, state string, keyFunc StateKeyFunc) (*xoauth2.Token, error)
type ProviderConfig
- func (pc ProviderConfig) GetARNInf() string
- func (pc ProviderConfig) GetStateKeyFunc() StateKeyFunc
type StateKeyFunc
type User

Constants ¶

View Source

const (
	ConsoleMinIOServer           = "CONSOLE_MINIO_SERVER"
	ConsoleIDPURL                = "CONSOLE_IDP_URL"
	ConsoleIDPClientID           = "CONSOLE_IDP_CLIENT_ID"
	ConsoleIDPSecret             = "CONSOLE_IDP_SECRET"
	ConsoleIDPCallbackURL        = "CONSOLE_IDP_CALLBACK"
	ConsoleIDPCallbackURLDynamic = "CONSOLE_IDP_CALLBACK_DYNAMIC"
	ConsoleIDPHmacPassphrase     = "CONSOLE_IDP_HMAC_PASSPHRASE"
	ConsoleIDPHmacSalt           = "CONSOLE_IDP_HMAC_SALT"
	ConsoleIDPScopes             = "CONSOLE_IDP_SCOPES"
	ConsoleIDPUserInfo           = "CONSOLE_IDP_USERINFO"
	ConsoleIDPTokenExpiration    = "CONSOLE_IDP_TOKEN_EXPIRATION"
)

Environment constants for console IDP/SSO configuration

Variables ¶

View Source

var DefaultDerivedKey = func() []byte {
	return pbkdf2.Key([]byte(getPassphraseForIDPHmac()), []byte(getSaltForIDPHmac()), 4096, 32, sha1.New)
}

DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter its derived using pbkdf on CONSOLE_IDP_HMAC_PASSPHRASE with CONSOLE_IDP_HMAC_SALT

Functions ¶

func GetIDPCallbackURL ¶

func GetIDPCallbackURL() string

Public endpoint used by the identity oidcProvider when redirecting the user after identity verification

func GetIDPCallbackURLDynamic ¶

func GetIDPCallbackURLDynamic() bool

func GetIDPClientID ¶

func GetIDPClientID() string

func GetIDPSecret ¶

func GetIDPSecret() string

func GetIDPURL ¶

func GetIDPURL() string

func GetIDPUserInfo ¶

func GetIDPUserInfo() bool

func GetRandomStateWithHMAC ¶

func GetRandomStateWithHMAC(length int, keyFunc StateKeyFunc) string

GetRandomStateWithHMAC computes message + hmac(message, pbkdf2(key, salt)) to be used as state during the oauth authorization

func GetSTSEndpoint ¶

func GetSTSEndpoint() string

func IsIDPEnabled ¶

func IsIDPEnabled() bool

Types ¶

type Config ¶

type Config struct {
	xoauth2.Config
}

func (Config) AuthCodeURL ¶

func (ac Config) AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string

func (Config) Client ¶

func (ac Config) Client(ctx context.Context, t *xoauth2.Token) *http.Client

func (Config) Exchange ¶

func (ac Config) Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)

func (Config) PasswordCredentialsToken ¶

func (ac Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)

func (Config) TokenSource ¶

func (ac Config) TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource

type Configuration ¶

type Configuration interface {
	Exchange(ctx context.Context, code string, opts ...xoauth2.AuthCodeOption) (*xoauth2.Token, error)
	AuthCodeURL(state string, opts ...xoauth2.AuthCodeOption) string
	PasswordCredentialsToken(ctx context.Context, username, password string) (*xoauth2.Token, error)
	Client(ctx context.Context, t *xoauth2.Token) *http.Client
	TokenSource(ctx context.Context, t *xoauth2.Token) xoauth2.TokenSource
}

type DiscoveryDoc ¶

type DiscoveryDoc struct {
	Issuer                           string   `json:"issuer,omitempty"`
	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
	JwksURI                          string   `json:"jwks_uri,omitempty"`
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}

DiscoveryDoc - parses the output from openid-configuration for example https://accounts.google.com/.well-known/openid-configuration

type LoginURLParams ¶

type LoginURLParams struct {
	State   string `json:"state"`
	IDPName string `json:"idp_name"`
}

type OpenIDPCfg ¶

type OpenIDPCfg map[string]ProviderConfig

func (OpenIDPCfg) NewOauth2ProviderClient ¶

func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)

NewOauth2ProviderClient instantiates a new oauth2 client using the `OpenIDPCfg` configuration struct. It returns a *Provider object that contains the necessary configuration to initiate an oauth2 authentication flow.

We only support Authentication with the Authorization Code Flow - spec: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

type Provider ¶

type Provider struct {
	// oauth2Config is an interface configuration that contains the following fields
	// Config{
	// 	 IDPName string
	//	 ClientSecret string
	//	 RedirectURL string
	//	 Endpoint oauth2.Endpoint
	//	 Scopes []string
	// }
	// - IDPName is the public identifier for this application
	// - ClientSecret is a shared secret between this application and the authorization server
	// - RedirectURL is the URL to redirect users going through
	//   the OAuth flow, after the resource owner's URLs.
	// - Endpoint contains the resource server's token endpoint
	//   URLs. These are constants specific to each server and are
	//   often available via site-specific packages, such as
	//   google.Endpoint or github.Endpoint.
	// - Scopes specifies optional requested permissions.
	IDPName string
	// if enabled means that we need extrace access_token as well
	UserInfo     bool
	RefreshToken string
	// contains filtered or unexported fields
}

Provider is a wrapper of the oauth2 configuration and the oidc provider

func NewOauth2ProviderClient ¶

func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error)

NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials it returns a *Provider object that contains the necessary configuration to initiate an oauth2 authentication flow.

We only support Authentication with the Authorization Code Flow - spec: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

func (*Provider) GenerateLoginURL ¶

func (client *Provider) GenerateLoginURL(keyFunc StateKeyFunc, iDPName string) string

GenerateLoginURL returns a new login URL based on the configured IDP

func (*Provider) VerifyIdentity ¶

func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN string, keyFunc StateKeyFunc) (*credentials.Credentials, error)

VerifyIdentity will contact the configured IDP to the user identity based on the authorization code and state if the user is valid, then it will contact MinIO to get valid sts credentials based on the identity provided by the IDP

func (*Provider) VerifyIdentityForOperator ¶

func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, state string, keyFunc StateKeyFunc) (*xoauth2.Token, error)

VerifyIdentityForOperator will contact the configured IDP and validate the user identity based on the authorization code and state

type ProviderConfig ¶

type ProviderConfig struct {
	URL                      string
	DisplayName              string // user-provided - can be empty
	ClientID, ClientSecret   string
	HMACSalt, HMACPassphrase string
	Scopes                   string
	Userinfo                 bool
	RedirectCallbackDynamic  bool
	RedirectCallback         string
	EndSessionEndpoint       string
	RoleArn                  string // can be empty
}

ProviderConfig - OpenID IDP Configuration for console.

func (ProviderConfig) GetARNInf ¶

func (pc ProviderConfig) GetARNInf() string

func (ProviderConfig) GetStateKeyFunc ¶

func (pc ProviderConfig) GetStateKeyFunc() StateKeyFunc

GetStateKeyFunc - return the key function used to generate the authorization code flow state parameter.

type StateKeyFunc ¶

type StateKeyFunc func() []byte

StateKeyFunc - is a function that returns a key used in OAuth Authorization flow state generation and verification.

type User ¶

type User struct {
	AppMetadata       map[string]interface{} `json:"app_metadata"`
	Blocked           bool                   `json:"blocked"`
	CreatedAt         string                 `json:"created_at"`
	Email             string                 `json:"email"`
	EmailVerified     bool                   `json:"email_verified"`
	FamilyName        string                 `json:"family_name"`
	GivenName         string                 `json:"given_name"`
	Identities        []interface{}          `json:"identities"`
	LastIP            string                 `json:"last_ip"`
	LastLogin         string                 `json:"last_login"`
	LastPasswordReset string                 `json:"last_password_reset"`
	LoginsCount       int                    `json:"logins_count"`
	MultiFactor       string                 `json:"multifactor"`
	Name              string                 `json:"name"`
	Nickname          string                 `json:"nickname"`
	PhoneNumber       string                 `json:"phone_number"`
	PhoneVerified     bool                   `json:"phone_verified"`
	Picture           string                 `json:"picture"`
	UpdatedAt         string                 `json:"updated_at"`
	UserID            string                 `json:"user_id"`
	UserMetadata      map[string]interface{} `json:"user_metadata"`
	Username          string                 `json:"username"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL