Documentation ¶
Variables ¶
// ErrHostNotConfigured is the sentinel error for a request whose hostname has
// not been configured. Callers should test for it with errors.Is, never by
// comparing the message text.
// NOTE(review): the message is identical to acme/autocert's HostWhitelist
// error ("acme/autocert: ..."), which is misleading if it surfaces to users of
// this proxy; left unchanged here because the text may be matched downstream.
var ErrHostNotConfigured = errors.New("acme/autocert: host not configured")
ErrHostNotConfigured is the sentinel error for a request whose hostname has not been configured. Test for it with errors.Is; the message text is identical to acme/autocert's HostWhitelist error and should not be relied on.
Functions ¶
func GetAccessCookieExpiration ¶
func GetAccessCookieExpiration( logger *zap.Logger, accessTokenDuration time.Duration, refresh string, ) time.Duration
GetAccessCookieExpiration computes how long the access-token cookie should live, given the access token lifetime (accessTokenDuration) and the refresh token string (refresh). How the refresh token influences the result is not visible from the signature; check the implementation before depending on it.
func GetIdentity ¶
func GetIdentity( logger *zap.Logger, skipAuthorizationHeaderIdentity bool, enableEncryptedToken bool, forceEncryptedCookie bool, encKey string, ) func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error)
GetIdentity returns the closure used to extract the user identity from a request, from either the session cookie (tokenCookie) or the bearer token in tokenHeader. skipAuthorizationHeaderIdentity presumably disables the header path, and enableEncryptedToken / forceEncryptedCookie together with encKey govern decryption of an encrypted cookie value — confirm in the implementation. Extracting an identity is not the same as verifying the token: confirm where the signature and expiry are checked before treating the returned UserContext as authenticated.
func GetRefreshTokenFromStore ¶
func GetRefreshTokenFromStore( ctx context.Context, store storage.Storage, token string, ) (string, error)
GetRefreshTokenFromStore retrieves the refresh token from the store; the lookup key is the access token (token). Refresh tokens are long-lived credentials, so the store and this lookup path should be treated as sensitive.
func WithOAuthURI ¶
WithOAuthURI returns a function that builds the full OAuth path for a given uri relative to baseURI and oauthURI (the exact join rule is not visible here).
func WithUMAIdentity ¶
WithUMAIdentity computes an authorization decision for targetPath: it resolves the caller's identity and permissions (via getIdentity, presumably using the RPT cookie named cookieUMAName) and hands them to authzFunc. skipClientIDCheck and skipIssuerCheck mirror go-oidc's verifier options of the same name; if they behave the same way they disable audience and issuer validation, so keep both false outside tests — otherwise tokens minted for another client or by another issuer may be accepted.
func WithUMAIdentity( req *http.Request, targetPath string, user *UserContext, cookieUMAName string, provider *oidc3.Provider, clientID string, skipClientIDCheck bool, skipIssuerCheck bool, getIdentity func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error), authzFunc func(targetPath string, userPerms authorization.Permissions) (authorization.AuthzDecision, error), ) (authorization.AuthzDecision, error)
Types ¶
type DiscoveryResponse ¶
type OauthProxy ¶
// OauthProxy is the authenticating reverse proxy: it holds the OIDC provider,
// the IdP client, the HTTP server/router, the token store and the upstream
// reverse proxy. Only the exported fields are shown on this page.
type OauthProxy struct {
	// Provider is the go-oidc (oidc3) provider handle.
	Provider *oidc3.Provider
	// Config is the proxy configuration.
	Config *config.Config
	// Endpoint is a parsed URL; presumably the upstream endpoint — confirm against NewOpenIDProvider/CreateReverseProxy.
	Endpoint *url.URL
	// IdpClient is the gocloak (Keycloak) client.
	IdpClient *gocloak.GoCloak
	// Listener is the network listener the server accepts on.
	Listener net.Listener
	// Log is the proxy-wide logger.
	Log *zap.Logger
	// Router is the HTTP handler chain.
	Router http.Handler
	// Server is the HTTP server.
	Server *http.Server
	// Store is the token store (see GetRefreshTokenFromStore).
	Store storage.Storage
	// Upstream is the reverse proxy to the protected service (unexported type).
	Upstream reverseProxy
	// GetIdentity extracts the caller identity from a request; see the
	// package-level GetIdentity constructor for the closure's contract.
	GetIdentity func(req *http.Request, tokenCookie string, tokenHeader string) (*UserContext, error)
	// Cm manages the proxy's cookies.
	Cm *cookie.Manager
	// WithOAuthURI builds OAuth paths; see the package-level WithOAuthURI.
	WithOAuthURI func(uri string) string
	// contains filtered or unexported fields
}
func (*OauthProxy) CreateReverseProxy ¶
func (r *OauthProxy) CreateReverseProxy() error
CreateReverseProxy creates the reverse proxy to the upstream service, presumably populating Upstream; it returns an error if the proxy cannot be built.
func (*OauthProxy) NewOpenIDProvider ¶
func (r *OauthProxy) NewOpenIDProvider() (*oidc3.Provider, *gocloak.GoCloak, error)
NewOpenIDProvider initialises the OpenID configuration and returns the provider and the IdP client. Note: the redirection URL is deliberately left blank so that it can be derived from the Host header of each request. That makes the redirect URI attacker-influenced unless the Host header is validated (or pinned by a trusted front proxy); an unvalidated Host would let a crafted request steer the authorization flow, and its code, to a host of the attacker's choosing.
type OpenIDRoundTripper ¶
func NewOpenIDRoundTripper ¶
func NewOpenIDRoundTripper(rt http.RoundTripper) OpenIDRoundTripper
type RealmRoles ¶
// RealmRoles is the JSON shape of a realm-level role list ({"roles": [...]});
// presumably the Keycloak realm_access claim — confirm at the decode site.
type RealmRoles struct {
	// Roles is the list of role names.
	Roles []string `json:"roles"`
}
type RequestScope ¶
// RequestScope is the per-request state passed between middleware handlers.
type RequestScope struct {
	// AccessDenied indicates the request should not be proxied on.
	AccessDenied bool
	// Identity is the user identity of the request.
	Identity *UserContext
	// Path is the parsed (unescaped) value of the request path.
	Path string
	// RawPath is the exact path as received in the request, when it differs
	// from Path (e.g. still percent-encoded). It preserves the original
	// request path: KEYCLOAK-10864, KEYCLOAK-11276, KEYCLOAK-13315.
	// NOTE(review): authorization matching and upstream forwarding should agree
	// on which of Path/RawPath they use; matching on one form and forwarding
	// the other is the classic encoded-path bypass — confirm in the middleware.
	RawPath string
	// Logger is the request-scoped logger.
	Logger *zap.Logger
}
RequestScope is the per-request state passed between middleware handlers.
type TokenResponse ¶
// TokenResponse is the OAuth2 token endpoint response. It carries bearer
// credentials (access, ID and refresh tokens) and must not be logged.
type TokenResponse struct {
	// TokenType is the token_type field (e.g. "Bearer").
	TokenType string `json:"token_type"`
	// AccessToken is the access_token field.
	AccessToken string `json:"access_token"`
	// IDToken is the id_token field.
	IDToken string `json:"id_token"`
	// RefreshToken is the refresh_token field; omitted from output when empty.
	RefreshToken string `json:"refresh_token,omitempty"`
	// ExpiresIn is the expires_in field: the access token lifetime in seconds
	// (RFC 6749 §5.1). Decoded as float64 — presumably to tolerate
	// non-integer values; confirm.
	ExpiresIn float64 `json:"expires_in"`
	// Scope is the scope field; omitted from output when empty.
	Scope string `json:"scope,omitempty"`
}
TokenResponse is the token endpoint response (token_type, access_token, id_token, refresh_token, expires_in, scope). It carries bearer credentials and must not be logged.
type UserContext ¶
// UserContext holds the identity information extracted from a token
// (see ExtractIdentity). It is a parsed view of the token's claims, not proof
// that the token was verified; confirm where signature verification happens
// before treating it as authenticated.
type UserContext struct {
	// ID is the id of the user.
	ID string
	// Audiences is the audience list of the token (presumably the aud claim).
	Audiences []string
	// BearerToken is true when the context came from an Authorization header
	// rather than from a session cookie.
	BearerToken bool
	// Email is the email associated with the user.
	Email string
	// ExpiresAt is the expiration of the access token (see IsExpired).
	ExpiresAt time.Time
	// Groups is the collection of groups the user is a member of.
	Groups []string
	// Name is the name of the user.
	Name string
	// PreferredName is the preferred (display) name of the user.
	PreferredName string
	// Roles is the collection of roles the user holds.
	Roles []string
	// RawToken is the serialized token as received. It is a bearer credential:
	// keep it out of logs and String() output.
	RawToken string
	// Claims is the full set of token claims.
	Claims map[string]interface{}
	// Permissions is the user's authorization permissions (see WithUMAIdentity).
	Permissions authorization.Permissions
}
UserContext holds the information extracted from the token (see ExtractIdentity).
func ExtractIdentity ¶
func ExtractIdentity(token *jwt.JSONWebToken) (*UserContext, error)
ExtractIdentity parses the JWT and extracts the claims needed to construct a UserContext. Extraction is not verification: the token's signature must have been checked elsewhere before the result is trusted.
func (*UserContext) IsExpired ¶
func (r *UserContext) IsExpired() bool
IsExpired reports whether the access token has expired (based on ExpiresAt).
func (*UserContext) String ¶
func (r *UserContext) String() string
String returns a string representation of the user context. Check that it omits RawToken before writing the result to logs, since the raw token is a bearer credential.