auth

package
Published: May 2, 2024 License: MIT Imports: 39 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ErrNoCurrentUser = errors.New("not logged in, run `azd auth login` to login")

ErrNoCurrentUser indicates that the current user is not logged in. This is typically determined by inspecting the stored auth information and credentials on the machine. If the auth information or credentials are not found or invalid, the user is considered not to be logged in.

Functions

func EnsureLoggedInCredential

func EnsureLoggedInCredential(
	ctx context.Context,
	credential azcore.TokenCredential,
	cloud *cloud.Cloud,
) (*azcore.AccessToken, error)

EnsureLoggedInCredential uses the credential's GetToken method to ensure an access token can be fetched. On success, the token we fetched is returned.

func GetOidFromAccessToken

func GetOidFromAccessToken(token string) (string, error)

GetOidFromAccessToken extracts the string claim named "oid" from an access token. Access tokens are JWTs, and the middle component is a base64url-encoded JSON object containing the claims.
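The claim extraction described above, as an added example that is not the azd package's own code: `stringClaim`, `oidFromToken` and `sampleToken` are hypothetical names, and the token is constructed inline. The decode is deliberately unverified, exactly as the doc comment implies, which is why the function rejects malformed segments and non-string claims explicitly and why the value is suitable only for identifying which account is cached locally, never for an authorization decision.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// stringClaim returns the string-valued claim `name` from a JWT's payload
// (the middle, base64url-encoded segment). It performs NO signature
// verification, so the value is only as trustworthy as the channel the token
// arrived on. Hypothetical helper, not the azd package's implementation.
func stringClaim(token, name string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token: expected 3 segments, got %d", len(parts))
	}
	// JWT segments use unpadded base64url (RFC 7515), not standard base64.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding token payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing token claims: %w", err)
	}
	v, ok := claims[name]
	if !ok {
		return "", fmt.Errorf("claim %q not present in token", name)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("claim %q is %T, not a string", name, v)
	}
	return s, nil
}

// oidFromToken mirrors the behaviour the page describes for GetOidFromAccessToken.
func oidFromToken(token string) (string, error) {
	return stringClaim(token, "oid")
}

// sampleToken builds a constructed, unsigned JWT for demonstration only. The
// signature segment is a placeholder; a real token would be signed by the IdP.
func sampleToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	tok := sampleToken(map[string]any{
		"oid": "11111111-2222-3333-4444-555555555555", // constructed object id
		"tid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", // constructed tenant id
		"exp": 1700000000,
	})
	oid, err := oidFromToken(tok)
	fmt.Println(oid, err)
	_, err = oidFromToken("not.a.jwt.at.all")
	fmt.Println(err)
}
```

Note that `stringClaim` is generic over the claim name, so the same helper covers the tenant ID lookup that `GetTenantIdFromToken` performs, assuming (an assumption, not stated on the page) that it reads a string claim the same way.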

func GetTenantIdFromToken

func GetTenantIdFromToken(token string) (string, error)

func LoginScopes

func LoginScopes(cloud *cloud.Cloud) []string

LoginScopes returns the scopes that we request an access token for when checking if a user is signed in.

func ShouldUseCloudShellAuth

func ShouldUseCloudShellAuth() bool

Types

type AadErrorResponse

type AadErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	Timestamp        string `json:"timestamp"`
	TraceId          string `json:"trace_id"`
	CorrelationId    string `json:"correlation_id"`
	ErrorUri         string `json:"error_uri"`
}

An error response from Azure Active Directory.

See https://www.rfc-editor.org/rfc/rfc6749#section-5.2 for the OAuth 2.0 error response format.

See https://learn.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes for AAD error codes.

type AuthFailedError

type AuthFailedError struct {
	// The HTTP response motivating the error, if available
	RawResp *http.Response
	// The unmarshaled error response, if available
	Parsed *AadErrorResponse
	// contains filtered or unexported fields
}

AuthFailedError indicates an authentication request has failed. This serves as a wrapper around MSAL related errors.

func (*AuthFailedError) Error

func (e *AuthFailedError) Error() string

func (*AuthFailedError) Unwrap

func (e *AuthFailedError) Unwrap() error

type Cache

type Cache interface {
	Read(key string) ([]byte, error)
	Set(key string, value []byte) error
}

type CloudShellCredential

type CloudShellCredential struct {
	// contains filtered or unexported fields
}

func NewCloudShellCredential

func NewCloudShellCredential(httpClient httputil.HttpClient) *CloudShellCredential

func (CloudShellCredential) GetToken

type CredentialForCurrentUserOptions

type CredentialForCurrentUserOptions struct {
	// NoPrompt controls whether the credential may prompt for user interaction.
	NoPrompt bool
	// The tenant ID to use when constructing the credential, instead of the default tenant.
	TenantID string
}

type ExternalAuthConfiguration

type ExternalAuthConfiguration struct {
	Endpoint string
	Key      string
	Client   httputil.HttpClient
}

type HttpClient

type HttpClient interface {
	httputil.HttpClient

	// CloseIdleConnections closes any idle connections in a "keep-alive" state.
	CloseIdleConnections()
}

HttpClient interface as required by MSAL library.

type LoggedInGuard

type LoggedInGuard struct{}

LoggedInGuard doesn't hold anything. It simply represents a type that can be used to express the logged-in constraint.

func NewLoggedInGuard

func NewLoggedInGuard(manager *Manager, ctx context.Context) (LoggedInGuard, error)

NewLoggedInGuard checks if the user is logged in. An error is returned if the user is not logged in.

type LoginInteractiveOptions

type LoginInteractiveOptions struct {
	TenantID     string
	RedirectPort int
	WithOpenUrl  WithOpenUrl
}

LoginInteractiveOptions holds the optional inputs for interactive login.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages the authentication system of azd. It allows a user to log in, either as a user principal or service principal. Manager stores information so that the user can stay logged in across invocations of the CLI. When logged in as a user (either interactively or via a device code flow), we provide a durable cache to MSAL which is used to cache information to allow silent logins across process runs. This cache is stored inside the user's home directory, ACL'd such that it can only be read by the current user. In addition, on Windows, this cache is encrypted, using CryptProtectData. The home account id of the signed in user is stored as a property under [cCurrentUserKey]. This behavior matches the AZ CLI.

When logged in as a service principal, the same cache strategy that backed the MSAL cache is used to store the private key or secret and the public components (the client ID and tenant ID) are stored under [cCurrentUserKey].

Logging out removes this cached authentication data.
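The durable, user-private cache described above, as an added example that is not the azd package's own code: `fileCache` is a hypothetical Unix implementation of the page's `Cache` interface (`Read`/`Set`), kept per-user by directory and file mode rather than by Windows ACLs, and it does not implement the CryptProtectData layer the page mentions for Windows. Key names, file paths and the sample value are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// fileCache stores one file per key under a directory that only the current
// user can enter. Hypothetical implementation of the page's Cache interface.
type fileCache struct {
	dir string
}

func newFileCache(dir string) (*fileCache, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	// MkdirAll leaves an existing directory's mode untouched; tighten it explicitly.
	if err := os.Chmod(dir, 0o700); err != nil {
		return nil, err
	}
	return &fileCache{dir: dir}, nil
}

// path derives the file name from a hash of the key so that a key containing
// "/" or ".." can never escape the cache directory.
func (c *fileCache) path(key string) string {
	sum := sha256.Sum256([]byte(key))
	return filepath.Join(c.dir, hex.EncodeToString(sum[:]))
}

// Set writes the value to a temp file created with mode 0600 and renames it
// into place, so a reader never sees a partially written or shared-readable file.
func (c *fileCache) Set(key string, value []byte) error {
	tmp, err := os.CreateTemp(c.dir, ".tmp-*") // CreateTemp opens with mode 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op after a successful rename
	if _, err := tmp.Write(value); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), c.path(key))
}

// Read returns an error wrapping os.ErrNotExist for unknown keys and refuses a
// cache file whose mode lets group or others read it, since its contents would
// no longer be private to the current user.
func (c *fileCache) Read(key string) ([]byte, error) {
	p := c.path(key)
	info, err := os.Stat(p)
	if err != nil {
		return nil, err
	}
	if info.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("cache file %s has mode %04o; refusing to use it", p, info.Mode().Perm())
	}
	return os.ReadFile(p)
}

func main() {
	dir, _ := os.MkdirTemp("", "azd-cache-example")
	defer os.RemoveAll(dir)
	c, err := newFileCache(dir)
	if err != nil {
		panic(err)
	}
	// Constructed sample value standing in for the stored home account id.
	_ = c.Set("currentUser", []byte(`{"homeAccountId":"constructed-id"}`))
	v, err := c.Read("currentUser")
	fmt.Println(string(v), err)
	_, err = c.Read("missing")
	fmt.Println(errors.Is(err, os.ErrNotExist))
}
```

The permission check on read is the part worth copying: a cache that is written with tight modes but silently read back after someone loosened them gives no protection, so the reader treats a shared-readable file as a reason to fail rather than as data.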

You can configure azd to ignore its native credential system and instead delegate to AZ CLI (useful for cases where azd does not yet support your preferred method of authentication) by setting [cUseLegacyAzCliAuthKey] in config to true.

func NewManager

func NewManager(
	configManager config.FileConfigManager,
	userConfigManager config.UserConfigManager,
	cloud *cloud.Cloud,
	httpClient HttpClient,
	console input.Console,
	externalAuthCfg ExternalAuthConfiguration,
) (*Manager, error)

func (*Manager) CredentialForCurrentUser

func (m *Manager) CredentialForCurrentUser(
	ctx context.Context,
	options *CredentialForCurrentUserOptions,
) (azcore.TokenCredential, error)

CredentialForCurrentUser returns a TokenCredential instance for the current user. If `auth.useLegacyAzCliAuth` is set to a truthy value in config, an instance of azidentity.AzureCLICredential is returned instead. To accept the default options, pass nil.

func (*Manager) GetLoggedInServicePrincipalTenantID

func (m *Manager) GetLoggedInServicePrincipalTenantID(ctx context.Context) (*string, error)

GetLoggedInServicePrincipalTenantID returns the stored service principal's tenant ID.

Service principals are fixed to a particular tenant.

This can be used to determine whether the tenant is fixed and, if so, to short-circuit the performance-intensive tenant switching for service principals.

func (*Manager) LoginInteractive

func (m *Manager) LoginInteractive(
	ctx context.Context,
	scopes []string,
	options *LoginInteractiveOptions) (azcore.TokenCredential, error)

LoginInteractive opens a browser to authenticate the user.

func (*Manager) LoginScopes

func (m *Manager) LoginScopes() []string

func (*Manager) LoginWithBrokerAccount

func (m *Manager) LoginWithBrokerAccount() error

LoginWithBrokerAccount logs in an account provided by the system authentication broker via OneAuth. For example, it will log in the user currently signed in to Windows. This method never prompts for user interaction and returns an error when the broker doesn't provide an account.

func (*Manager) LoginWithDeviceCode

func (m *Manager) LoginWithDeviceCode(
	ctx context.Context, tenantID string, scopes []string, withOpenUrl WithOpenUrl) (azcore.TokenCredential, error)

func (*Manager) LoginWithOneAuth

func (m *Manager) LoginWithOneAuth(ctx context.Context, tenantID string, scopes []string) error

LoginWithOneAuth starts OneAuth's interactive login flow.

func (*Manager) LoginWithServicePrincipalCertificate

func (m *Manager) LoginWithServicePrincipalCertificate(
	ctx context.Context, tenantId, clientId string, certData []byte,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithServicePrincipalFederatedTokenProvider

func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
	ctx context.Context, tenantId, clientId, provider string,
) (azcore.TokenCredential, error)

func (*Manager) LoginWithServicePrincipalSecret

func (m *Manager) LoginWithServicePrincipalSecret(
	ctx context.Context, tenantId, clientId, clientSecret string,
) (azcore.TokenCredential, error)

func (*Manager) Logout

func (m *Manager) Logout(ctx context.Context) error

Logout signs out the current user and removes any cached authentication information.

func (*Manager) UseExternalAuth

func (m *Manager) UseExternalAuth() bool

type MultiTenantCredentialProvider

type MultiTenantCredentialProvider interface {
	// Gets an authenticated token credential for the given tenant. If tenantId is empty, uses the default home tenant.
	GetTokenCredential(ctx context.Context, tenantId string) (azcore.TokenCredential, error)
}

MultiTenantCredentialProvider provides token credentials for different tenants.

Only use this if you need to perform multi-tenant operations.

func NewMultiTenantCredentialProvider

func NewMultiTenantCredentialProvider(auth *Manager) MultiTenantCredentialProvider

type ReLoginRequiredError

type ReLoginRequiredError struct {
	// contains filtered or unexported fields
}

ReLoginRequiredError indicates that the logged-in user needs to log in again to reauthenticate. This typically means that, while the credentials stored on the machine are valid, the server has rejected them because they have expired or because additional challenges are required.

func (*ReLoginRequiredError) Error

func (e *ReLoginRequiredError) Error() string

type RemoteCredential

type RemoteCredential struct {
	// contains filtered or unexported fields
}

RemoteCredential implements azcore.TokenCredential by using the remote credential protocol.

func (*RemoteCredential) GetToken

GetToken implements azcore.TokenCredential.

type TokenFromCloudShell

type TokenFromCloudShell struct {
	AccessToken  string      `json:"access_token"`
	RefreshToken string      `json:"refresh_token"`
	ExpiresIn    json.Number `json:"expires_in"    type:"integer"`
	ExpiresOn    json.Number `json:"expires_on"    type:"integer"`
	NotBefore    json.Number `json:"not_before"    type:"integer"`
	Resource     string      `json:"resource"`
	TokenType    string      `json:"token_type"`
}

type WithOpenUrl

type WithOpenUrl func(url string) error

WithOpenUrl defines a custom strategy for browsing to the url.
