openid

Constants

// Configuration keys identifying the provider and how its tokens map to IAM.
const (
	ClientID      = "client_id"
	ClientSecret  = "client_secret"
	ConfigURL     = "config_url"
	ClaimName     = "claim_name"
	ClaimUserinfo = "claim_userinfo"
	RolePolicy    = "role_policy"
	DisplayName   = "display_name"
)

// Login-flow keys. RedirectURI is marked deprecated in Help in favour of the
// MINIO_BROWSER_REDIRECT_URL environment variable.
const (
	Scopes             = "scopes"
	RedirectURI        = "redirect_uri"
	RedirectURIDynamic = "redirect_uri_dynamic"
	Vendor             = "vendor"
)

// Vendor-specific keys. Per the original comment they are honored only when
// Vendor is set to the matching vendor name (Help names 'keycloak').
const (
	KeyCloakRealm    = "keycloak_realm"
	KeyCloakAdminURL = "keycloak_admin_url"
)

// Keys of removed parameters, presumably retained so existing configuration
// entries still resolve. ClaimPrefix is still listed in DefaultKVS and Help
// (as deprecated); JwksURL is not.
const (
	JwksURL     = "jwks_url"
	ClaimPrefix = "claim_prefix"
)

OpenID keys and envs.

Variables

// ECDSA signing methods provided by this package. They are only declared
// here; the values are assigned elsewhere (not visible on this page). The
// "3" in the names presumably marks the SHA-3 family at 256/384/512 bits —
// confirm against the initialising code before relying on it.
var SigningMethodES3256, SigningMethodES3384, SigningMethodES3512 *jwt.SigningMethodECDSA

Specific instances for EC256 and company

// RSA signing methods provided by this package. They are only declared
// here; the values are assigned elsewhere (not visible on this page). The
// "3" in the names presumably marks the SHA-3 family at 256/384/512 bits —
// confirm against the initialising code before relying on it.
var SigningMethodRS3256, SigningMethodRS3384, SigningMethodRS3512 *jwt.SigningMethodRSA

Specific instances for RS256 and company

// DefaultKVS is the default key/value set for an OpenID provider
// configuration. Every value is empty except ClaimName, which defaults to
// iampolicy.PolicyName, and RedirectURIDynamic, which is off by default.
// ClaimPrefix (deprecated, see Help) still carries a default entry; JwksURL
// does not.
var DefaultKVS = config.KVS{
	config.KV{Key: config.Enable, Value: ""},
	config.KV{Key: DisplayName, Value: ""},
	config.KV{Key: ConfigURL, Value: ""},
	config.KV{Key: ClientID, Value: ""},
	config.KV{Key: ClientSecret, Value: ""},
	config.KV{Key: ClaimName, Value: iampolicy.PolicyName},
	config.KV{Key: ClaimUserinfo, Value: ""},
	config.KV{Key: RolePolicy, Value: ""},
	config.KV{Key: ClaimPrefix, Value: ""},
	config.KV{Key: RedirectURI, Value: ""},
	config.KV{Key: RedirectURIDynamic, Value: "off"},
	config.KV{Key: Scopes, Value: ""},
	config.KV{Key: Vendor, Value: ""},
	config.KV{Key: KeyCloakRealm, Value: ""},
	config.KV{Key: KeyCloakAdminURL, Value: ""},
}

DefaultKVS - default configuration values for OpenID.

// DummyRoleARN marks users authenticated through a policy-claim based OpenID
// provider rather than a configured role. It is built once at package
// initialisation from fixed arguments, so a construction error can only be a
// programming bug; panicking here surfaces that at startup instead of at the
// first lookup.
var DummyRoleARN = func() arn.ARN {
	roleARN, err := arn.NewIAMRoleARN("dummy-internal", "")
	if err == nil {
		return roleARN
	}
	panic("should not happen!")
}()

DummyRoleARN is used to indicate that the user associated with it was authenticated via policy-claim based OpenID provider.

// ErrProviderConfigNotFound represents a non-existing provider
// configuration; callers should compare with errors.Is.
var (
	ErrProviderConfigNotFound = errors.New("provider configuration not found")
)

ErrProviderConfigNotFound - represents a non-existing provider error.

// ErrTokenExpired indicates the presented token has expired; callers should
// compare with errors.Is.
var ErrTokenExpired = errors.New("token expired")

ErrTokenExpired - error indicating the token has expired.

// Help is the help template for the OpenID identity feature: one entry per
// configuration key. Each Description is suffixed by defaultHelpPostfix
// (defined elsewhere in this package). Entries without Optional — ConfigURL,
// ClientID, ClientSecret — are presumably the ones a provider cannot be
// configured without.
var Help = config.HelpKVS{
	config.HelpKV{
		Key:         DisplayName,
		Type:        "string",
		Optional:    true,
		Description: "Friendly display name for this Provider/App" + defaultHelpPostfix(DisplayName),
	},
	config.HelpKV{
		Key:         ConfigURL,
		Type:        "url",
		Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"` + defaultHelpPostfix(ConfigURL),
	},
	config.HelpKV{
		Key:         ClientID,
		Type:        "string",
		Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"` + defaultHelpPostfix(ClientID),
	},
	// The only entry flagged both Sensitive and Secret, which presumably keeps
	// the value out of help and config listings — confirm against config.HelpKV.
	config.HelpKV{
		Key:         ClientSecret,
		Type:        "string",
		Sensitive:   true,
		Secret:      true,
		Description: `secret for the unique public identifier for apps` + defaultHelpPostfix(ClientSecret),
	},
	config.HelpKV{
		Key:         RolePolicy,
		Type:        "string",
		Optional:    true,
		Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"` + defaultHelpPostfix(RolePolicy),
	},
	config.HelpKV{
		Key:         ClaimName,
		Type:        "string",
		Optional:    true,
		Description: `JWT canned policy claim name` + defaultHelpPostfix(ClaimName),
	},
	config.HelpKV{
		Key:         Scopes,
		Type:        "csv",
		Optional:    true,
		Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"` + defaultHelpPostfix(Scopes),
	},
	config.HelpKV{
		Key:         Vendor,
		Type:        "string",
		Optional:    true,
		Description: `Specify vendor type for vendor specific behavior to checking validity of temporary credentials and service accounts on MinIO` + defaultHelpPostfix(Vendor),
	},
	config.HelpKV{
		Key:         ClaimUserinfo,
		Type:        "on|off",
		Optional:    true,
		Description: `Enable fetching claims from UserInfo Endpoint for authenticated user` + defaultHelpPostfix(ClaimUserinfo),
	},
	config.HelpKV{
		Key:         KeyCloakRealm,
		Type:        "string",
		Optional:    true,
		Description: `Specify Keycloak 'realm' name, only honored if vendor was set to 'keycloak' as value, if no realm is specified 'master' is default` + defaultHelpPostfix(KeyCloakRealm),
	},
	config.HelpKV{
		Key:         KeyCloakAdminURL,
		Type:        "string",
		Optional:    true,
		Description: `Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/` + defaultHelpPostfix(KeyCloakAdminURL),
	},
	// NOTE(review): the redirect URI is derived from the request's Host
	// header, which is client-supplied; this relies on the front end pinning
	// that header to the server's real host — confirm before enabling behind
	// a proxy.
	config.HelpKV{
		Key:         RedirectURIDynamic,
		Type:        "on|off",
		Optional:    true,
		Description: `Enable 'Host' header based dynamic redirect URI` + defaultHelpPostfix(RedirectURIDynamic),
	},
	// The two deprecated keys follow the live ones and precede the common
	// comment entry.
	config.HelpKV{
		Key:         ClaimPrefix,
		Type:        "string",
		Optional:    true,
		Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"` + defaultHelpPostfix(ClaimPrefix),
	},
	config.HelpKV{
		Key:         RedirectURI,
		Type:        "string",
		Optional:    true,
		Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback` + defaultHelpPostfix(RedirectURI),
	},
	config.HelpKV{
		Key:         config.Comment,
		Type:        "sentence",
		Optional:    true,
		Description: config.DefaultComment,
	},
}

Help template for OpenID identity feature.

Functions

func Enabled

func Enabled(kvs config.KVS) bool

Enabled reports whether configURL is enabled.

func GetDefaultExpiration

func GetDefaultExpiration(dsecs string) (time.Duration, error)

GetDefaultExpiration - returns the expiration seconds expected.

Types

type Config

// Config - OpenID Config: the set of configured OpenID providers.
type Config struct {
	// Enabled is true when OpenID is configured; presumably set by
	// LookupConfig — confirm there.
	Enabled bool

	// ProviderCfgs maps each config name to its providerCfg (an unexported
	// type not shown on this page).
	ProviderCfgs map[string]*providerCfg
	// contains filtered or unexported fields
}

Config - OpenID Config

func LookupConfig

func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error)

LookupConfig looks up the JWKS from config, overriding with any ENVs.

func (*Config) Clone

func (r *Config) Clone() Config

Clone returns a cloned copy of OpenID config.

func (*Config) GetConfigInfo

func (r *Config) GetConfigInfo(s config.Config, cfgName string) ([]madmin.IDPCfgInfo, error)

GetConfigInfo - returns configuration and related info for the given IDP provider.

func (*Config) GetConfigList

func (r *Config) GetConfigList(s config.Config) ([]madmin.IDPListItem, error)

GetConfigList - lists OpenID configurations.

func (*Config) GetIAMPolicyClaimName

func (r *Config) GetIAMPolicyClaimName() string

GetIAMPolicyClaimName - returns the policy claim name for the (at most one) provider configured without a role policy.

func (Config) GetRoleInfo

func (r Config) GetRoleInfo() map[arn.ARN]string

GetRoleInfo - returns ARN to policies map if a role policy based openID provider is configured. Otherwise returns nil.

func (*Config) GetSettings

func (r *Config) GetSettings() madmin.OpenIDSettings

GetSettings - fetches OIDC settings for site-replication related validation. NOTE that region must be populated by caller as this package does not know.

func (Config) LookupUser

func (r Config) LookupUser(roleArn, userid string) (provider.User, error)

LookupUser looks up userid for the provider.

func (*Config) PopulatePublicKey

func (r *Config) PopulatePublicKey(arn arn.ARN) error

PopulatePublicKey - populates a new public key from the JWKS URL.

func (Config) ProviderEnabled

func (r Config) ProviderEnabled() bool

ProviderEnabled returns true if any vendor specific provider is enabled.

func (*Config) Validate

func (r *Config) Validate(ctx context.Context, arn arn.ARN, token, accessToken, dsecs string, claims jwtgo.MapClaims) error

Validate - validates the id_token.

type DiscoveryDoc

// DiscoveryDoc holds the parsed openid-configuration discovery document, for
// example https://accounts.google.com/.well-known/openid-configuration.
// The JSON tags carry the OpenID Connect Discovery 1.0 metadata names; every
// member is omitempty, so a missing member decodes to its zero value rather
// than an error, and callers should check the endpoints they need are set.
type DiscoveryDoc struct {
	// Issuer is the provider's issuer identifier; per OIDC Core the "iss"
	// claim of an id_token must equal it.
	Issuer                           string   `json:"issuer,omitempty"`
	// Endpoints advertised by the provider.
	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
	EndSessionEndpoint               string   `json:"end_session_endpoint,omitempty"`
	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
	// JwksURI is where the provider publishes the public keys used to verify
	// id_token signatures.
	JwksURI                          string   `json:"jwks_uri,omitempty"`
	// Capabilities advertised by the provider.
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}

DiscoveryDoc - holds the parsed output of the openid-configuration document, for example https://accounts.google.com/.well-known/openid-configuration

type JWKS

// JWKS - https://tools.ietf.org/html/rfc7517
//
// A single JSON Web Key that also serves as a JWK Set: when Keys is non-empty
// the value is the set's "keys" member (RFC 7517 §5), otherwise the remaining
// fields describe one key. Parameter names follow RFC 7517/7518; values are
// base64url-encoded strings as in the JSON.
//
// NOTE(review): D and K are private parameters. A key set fetched from a
// provider's jwks_uri should carry only public parameters, and
// DecodePublicKey is presumably expected to ignore them — confirm.
type JWKS struct {
	// Keys holds the members of a key set; empty for a single key.
	Keys []*JWKS `json:"keys,omitempty"`

	// Common parameters (RFC 7517 §4): key type ("EC", "RSA", "oct"),
	// intended use, key id, and the algorithm the key is meant for.
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`

	// Algorithm-specific parameters (RFC 7518 §6): Crv/X/Y for EC public
	// keys, N/E for RSA public keys, D for the EC or RSA private part, K for
	// a symmetric ("oct") key.
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	D   string `json:"d,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
	K   string `json:"k,omitempty"`
}

JWKS - https://tools.ietf.org/html/rfc7517

func (*JWKS) DecodePublicKey

func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error)

DecodePublicKey - decodes JSON Web Key (JWK) as public key
