Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetJwksProvider
func GetJwksProvider(issuer string) *jwkeyset.CachingProvider
func JWTvalidation
func JWTvalidation(issuer string, audience string, keyFunc func(context.Context) (interface{}, error)) gin.HandlerFunc
Authentication middleware.

Checks for and validates the access_token in the Authorization header on all incoming requests.
func ResultAuth
func ResultAuth(keyring *Keyring) gin.HandlerFunc
Middleware to authenticate the token returned by /query, which must be included with requests to /result. Every request in the /result family must check the token, and the check is independent of the operation, so it is a natural fit for middleware. This also makes it reasonably easy to test.

The procedure boils down to:
- Get the Authorization header
- Decode it and check the signature
- Check that the pid in the token matches the pid for the request

That way, only the party that made the request can query its status or fetch the result.
Types
type CustomClaims
type CustomClaims struct {
	Roles []string `json:"roles"`
}
Custom claims that we expect to be in the JWT.
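The checks that JWTvalidation has to perform on every request, written out against the Go standard library as an added example. This is not the project's code and not a gin handler: the page's own JWTvalidation takes a keyFunc of type func(context.Context) (interface{}, error) and validates against an issuer and an audience, whereas here the keyFunc is simplified to return an *rsa.PublicKey directly, the claim struct is assumed to hold iss, aud, exp plus the roles field from CustomClaims, and a throwaway key pair and signing helper are included only so the example can mint tokens to validate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// accessClaims: the registered claims checked here plus the page's CustomClaims
// roles field; aud stays raw because RFC 7519 allows a string or an array.
type accessClaims struct {
	Iss   string          `json:"iss"`
	Aud   json.RawMessage `json:"aud"`
	Exp   int64           `json:"exp"`
	Roles []string        `json:"roles"`
}

var (
	errJWTFormat  = errors.New("jwt: malformed token")
	errJWTAlg     = errors.New("jwt: alg is not RS256")
	errJWTSig     = errors.New("jwt: bad signature")
	errJWTIssuer  = errors.New("jwt: issuer mismatch")
	errJWTAud     = errors.New("jwt: audience mismatch")
	errJWTExpired = errors.New("jwt: expired")
)

// audContains accepts both aud encodings and reports whether audience is listed.
func audContains(raw json.RawMessage, audience string) bool {
	var v interface{}
	_ = json.Unmarshal(raw, &v) // on failure v stays nil and nothing matches
	list, _ := v.([]interface{})
	if s, ok := v.(string); ok {
		list = []interface{}{s}
	}
	for _, a := range list {
		if a == audience {
			return true
		}
	}
	return false
}

// validateRS256 does per request what the page's JWTvalidation middleware must:
// pin alg (rejecting "none" and HMAC/RSA key-confusion tokens), verify the
// signature with the key from keyFunc, then check iss, aud and exp.
func validateRS256(token, issuer, audience string, keyFunc func() (*rsa.PublicKey, error)) (*accessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errJWTFormat
	}
	hdrBytes, errH := base64.RawURLEncoding.DecodeString(parts[0])
	body, errB := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, errJWTFormat
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errJWTAlg
	}
	key, err := keyFunc()
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errJWTSig
	}
	var c accessClaims
	if json.Unmarshal(body, &c) != nil {
		return nil, errJWTFormat
	}
	switch {
	case c.Iss != issuer:
		return nil, errJWTIssuer
	case !audContains(c.Aud, audience):
		return nil, errJWTAud
	case time.Now().Unix() >= c.Exp:
		return nil, errJWTExpired
	}
	return &c, nil
}

// newTestIssuer mints a throwaway key pair and the keyFunc that trusts its public
// half; a real service never holds an issuer's private key (err is returned as-is).
func newTestIssuer() (*rsa.PrivateKey, func() (*rsa.PublicKey, error), error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return priv, func() (*rsa.PublicKey, error) { return &priv.PublicKey, nil }, err
}

// signRS256 exists only so the example can produce tokens to validate.
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims) // plain strings, ints and slices: cannot fail
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}
```

Rejecting every alg other than RS256 before the key is even fetched is the step that defeats alg:none and HMAC/RSA key-confusion forgeries; the issuer and audience checks are what stop a perfectly valid token minted for some other service from being accepted here.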
type HttpClient
The Go net/http package provides only a concrete implementation, not an interface, for its HTTP Get() and response. To make testing feasible without spinning up a server, this package defines a tiny interface that net/http already satisfies, and substitutes a fake for it in the tests.
type Keyring
type Keyring struct {
	// contains filtered or unexported fields
}
The Keyring is the concept of making, signing and parsing tokens that ensure a result resource is only available to the one who requested it [1]. It is based on a pre-shared key, which can be randomly generated on application startup and handed to whatever service needs it as an environment variable or argument; every instance that must accept the tokens has to hold the same key.

[1] Provided the token is not shared or leaked, but that is a limitation of all token-based access.
func MakeKeyring
A thin constructor, really only there to hide the key field and, perhaps at some point, to do validation.
func (*Keyring) Sign
Sign with the default timeout. In practice this is the only sign function that should be needed, and it gives a single point for updates, bug fixes and sane configuration.
func (*Keyring) SignWithTimeout
Sign with a custom timeout. This is largely an implementation detail intended for testing (e.g. creating already-expired tokens), but it may prove useful as an escape hatch should a non-default timeout be needed.
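How a ResultAuth-style middleware and the Keyring fit together, as an added example written against net/http rather than gin. It is not the project's code: the token layout (an HMAC-SHA256 tag over a base64url JSON payload holding the pid and an expiry), the exampleKeyring type and every other name are assumptions. Sign and SignWithTimeout mint a token bound to one pid, Verify performs the three steps listed under ResultAuth, and statusFor drives the middleware in-process the way the page says the design makes testing easy.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// resultClaims is what a result token carries; the layout is assumed, not the page's.
type resultClaims struct {
	Pid string `json:"pid"`
	Exp int64  `json:"exp"`
}

// exampleKeyring stands in for the page's Keyring: one pre-shared key, HMAC-SHA256.
type exampleKeyring struct{ key []byte }

func newExampleKeyring(key []byte) *exampleKeyring { return &exampleKeyring{key: key} }

func (k *exampleKeyring) mac(payload []byte) []byte {
	h := hmac.New(sha256.New, k.key)
	h.Write(payload)
	return h.Sum(nil)
}

// SignWithTimeout issues a token for pid valid for ttl; a negative ttl gives
// an already-expired token, which is what the page says tests need.
func (k *exampleKeyring) SignWithTimeout(pid string, ttl time.Duration) string {
	payload, _ := json.Marshal(resultClaims{Pid: pid, Exp: time.Now().Add(ttl).Unix()})
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(k.mac(payload))
}

// Sign is the one entry point callers should use: a single default timeout.
func (k *exampleKeyring) Sign(pid string) string { return k.SignWithTimeout(pid, 10*time.Minute) }

var (
	errMalformed = errors.New("malformed result token")
	errBadSig    = errors.New("bad result token signature")
	errExpired   = errors.New("result token expired")
	errWrongPid  = errors.New("result token was issued for a different pid")
)

// Verify follows the order in the ResultAuth comment: decode, check the
// signature before trusting any field, then check the pid against the request.
func (k *exampleKeyring) Verify(token, pid string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return errMalformed
	}
	payload, errP := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[1])
	if errP != nil || errS != nil {
		return errMalformed
	}
	if !hmac.Equal(sig, k.mac(payload)) {
		return errBadSig
	}
	var c resultClaims
	if json.Unmarshal(payload, &c) != nil {
		return errMalformed
	}
	if time.Now().Unix() >= c.Exp {
		return errExpired
	}
	if c.Pid != pid {
		return errWrongPid
	}
	return nil
}

// resultAuth is the middleware in net/http terms (the page's is a gin.HandlerFunc):
// pidOf extracts the pid this request is about, and the bearer token must match it.
func resultAuth(k *exampleKeyring, pidOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if err := k.Verify(token, pidOf(r)); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware in-process, the way the page says the
// design makes testing easy: GET /result/<pid> with the given bearer token.
func statusFor(k *exampleKeyring, token, pid string) int {
	pidOf := func(r *http.Request) string { return strings.TrimPrefix(r.URL.Path, "/result/") }
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/result/"+pid, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resultAuth(k, pidOf, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

The signature is checked before any field of the payload is trusted, and a negative timeout is exactly how the test use the page describes for SignWithTimeout, an already-expired token, is produced. Because the scheme is a shared symmetric key, the same key has to reach every instance that validates result tokens; a key generated at startup of one process only works for that process unless it is passed on as the page suggests.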
type OpenIDConfig
Public configuration struct with the variables necessary to authenticate.
func GetOpenIDConfig
func GetOpenIDConfig(c HttpClient, authserver string) (*OpenIDConfig, error)
Get the OpenID configuration from a well-known URL.

> OpenID Connect defines a discovery mechanism, called OpenID Connect Discovery, where an OpenID server publishes its metadata at a well-known URL, typically https://server.com/.well-known/openid-configuration [1]

The implementation only supports RSA keys, and only those published with the n and e parameters [2], which may not cover every response the protocol allows. Keys that do not meet these expectations are skipped, and if the response contains no viable keys a noRSAKeys error is returned.

[1] https://swagger.io/docs/specification/authentication/openid-connect-discovery
[2] https://tools.ietf.org/html/rfc7517#section-9.3
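Discovery and key parsing as described above, together with the HttpClient idea of swapping a fake in for *http.Client, as an added example. It is not the project's GetOpenIDConfig: the httpGetter interface, the type and function names and the canned discovery and JWKS responses are all constructed here. parseRSAKeys keeps only kty RSA entries that carry both n and e, skipping everything else, and reports an error rather than an empty set when nothing usable remains.

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"strings"
)

// httpGetter is the one-method interface the page describes: *http.Client
// already has this Get, so tests can substitute a fake. Name assumed.
type httpGetter interface {
	Get(url string) (*http.Response, error)
}

type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

// jwk holds the RFC 7517 fields used here; n and e are base64url big-endian integers.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwkSet struct{ Keys []jwk `json:"keys"` }

var errNoRSAKeys = errors.New("jwks: no usable RSA keys in response")

func getJSON(c httpGetter, url string, v interface{}) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: status %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(v)
}

// parseRSAKeys keeps kty=RSA entries that carry both n and e and skips the
// rest; as the page describes, no viable key at all is an error, not an empty set.
func parseRSAKeys(set jwkSet) (map[string]*rsa.PublicKey, error) {
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.N == "" || k.E == "" {
			continue
		}
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		exp := new(big.Int).SetBytes(e)
		if errN != nil || errE != nil || exp.BitLen() > 31 {
			continue // undecodable, or an exponent that cannot be a sane int
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}
	}
	if len(keys) == 0 {
		return nil, errNoRSAKeys
	}
	return keys, nil
}

// getOpenIDKeys follows discovery: the well-known document first, then jwks_uri.
func getOpenIDKeys(c httpGetter, authserver string) (string, map[string]*rsa.PublicKey, error) {
	var disc discoveryDoc
	if err := getJSON(c, strings.TrimRight(authserver, "/")+"/.well-known/openid-configuration", &disc); err != nil {
		return "", nil, err
	}
	var set jwkSet
	if err := getJSON(c, disc.JwksURI, &set); err != nil {
		return "", nil, err
	}
	keys, err := parseRSAKeys(set)
	return disc.Issuer, keys, err
}

// fakeGetter serves canned bodies by URL and stands in for *http.Client in tests.
type fakeGetter map[string]string

func (f fakeGetter) Get(url string) (*http.Response, error) {
	body, ok := f[url]
	status := http.StatusOK
	if !ok {
		status = http.StatusNotFound
	}
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}, nil
}

// Constructed sample responses, not from any real provider: an EC key, an RSA
// key missing n, and one usable RSA key whose modulus is a tiny dummy value.
const sampleDiscovery = `{"issuer":"https://auth.example","jwks_uri":"https://auth.example/keys"}`
const sampleJWKS = `{"keys":[
 {"kty":"EC","kid":"ec1","crv":"P-256","x":"AA","y":"AA"},
 {"kty":"RSA","kid":"no-n","e":"AQAB"},
 {"kty":"RSA","kid":"good","n":"AQIDBAUGBwgJCgsMDQ4P","e":"AQAB"}]}`
```

The sample JWKS deliberately mixes an EC key, an RSA key with no modulus and one usable RSA key so the skip-and-continue path is exercised; the modulus in the sample is a few constructed bytes and is not a real RSA key. In production the fakeGetter is simply replaced by an *http.Client, which satisfies httpGetter unchanged.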