traefik_plugin_oidc

package module
v0.0.0-...-3de4a33
Published: Nov 9, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

README

Traefik Plugin OIDC

This plugin allows ingress endpoints to be protected with SSO using OIDC. The plugin checks each request for a valid token and redirects to the SSO endpoint if none is found. Once a valid token is present, traffic continues normally to the ingress.

Pre-requisites

A tool such as OpenLens is recommended for seeing what is happening inside the cluster.

Setting up SSO

Configure the SSO endpoint with:

  • client_id = <value comes from the SSO provider>
  • response_type = id_token
  • scope = at least openid (the example URLs below use scope=openid); further scopes may be added, e.g. openid profile

Example: Keycloak SSO endpoint

General layout (the {{.Nonce}}, {{.CallbackUrl}} and {{.State}} placeholders are filled in by the plugin at redirect time):

http://keycloak.localhost/realms/<realm name>/protocol/openid-connect/auth?client_id=<client id>&nonce={{.Nonce}}&redirect_uri={{.CallbackUrl}}&state={{.State}}&scope=openid&response_type=id_token

Value that should be used in the settings:

http://keycloak.localhost/realms/whoami/protocol/openid-connect/auth?client_id=whoami-middleware-oidc-keycloak&nonce={{.Nonce}}&redirect_uri={{.CallbackUrl}}&state={{.State}}&scope=openid&response_type=id_token

which renders, for example, to:

http://keycloak.localhost/realms/whoami/protocol/openid-connect/auth?client_id=whoami-middleware-oidc-keycloak&nonce=123123&redirect_uri=http://whoami.localhost/redirector&state=123123&scope=openid&response_type=id_token
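The following is an added example, not code from the plugin, showing how a template in the README's format can be rendered into a concrete redirect URL; the redirectParams field names are an assumption chosen to match the placeholders, and every substituted value is query-escaped so a callback URL containing "://" or "&" cannot break out of its parameter.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"text/template"
)

// redirectParams carries the values substituted into the template placeholders
// {{.Nonce}}, {{.CallbackUrl}} and {{.State}} (field names are an assumption).
type redirectParams struct {
	Nonce       string
	CallbackUrl string
	State       string
}

// BuildSsoRedirect renders an SsoRedirectUrlAddressTemplate-style template.
// A placeholder that names no field fails at execution time instead of
// rendering silently, so a typo in the configured template is caught early.
func BuildSsoRedirect(tmpl, nonce, callbackURL, state string) (string, error) {
	t, err := template.New("sso").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse SSO template: %w", err)
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, redirectParams{
		Nonce:       url.QueryEscape(nonce),
		CallbackUrl: url.QueryEscape(callbackURL),
		State:       url.QueryEscape(state),
	})
	if err != nil {
		return "", fmt.Errorf("render SSO template: %w", err)
	}
	return buf.String(), nil
}

func main() {
	// Template and nonce/state values are the README's sample values.
	const tmpl = "http://keycloak.localhost/realms/whoami/protocol/openid-connect/auth?client_id=whoami-middleware-oidc-keycloak&nonce={{.Nonce}}&redirect_uri={{.CallbackUrl}}&state={{.State}}&scope=openid&response_type=id_token"
	u, err := BuildSsoRedirect(tmpl, "123123", "http://whoami.localhost/redirector", "123123")
	if err != nil {
		panic(err)
	}
	fmt.Println(u)
}
```

Unlike the README's rendered sample, the output carries the callback URL percent-encoded (redirect_uri=http%3A%2F%2Fwhoami.localhost%2Fredirector), which the SSO provider decodes back to the same value.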

Documentation

Constants

const LogFieldRequestID = "requestID"

Variables

This section is empty.

Functions

func New

func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error)

Types

type Config

type Config struct {
	SsoRedirectUrlAddressTemplate     string                      `json:"SsoRedirectUrlAddressTemplate,omitempty"`
	SsoRedirectUrlMacClientSecret     string                      `json:"ssoRedirectUrlMacClientSecret,omitempty"`
	SsoRedirectUrlMacPrivateKey       string                      `json:"ssoRedirectUrlMacPrivateKey,omitempty"`
	SsoRedirectUrlMacStrength         sso_redirector.HmacStrength `json:"ssoRedirectUrlMacStrength,omitempty"`
	SsoRedirectUrlMacAllowedClockSkew time.Duration               `json:"ssoRedirectUrlMacAllowedClockSkew,omitempty"`

	ClientSecret         string `json:"clientSecret,omitempty"`
	PublicKey            string `json:"publicKey,omitempty"`
	Issuer               string `json:"issuer,omitempty"`
	Audience             string `json:"audience,omitempty"`
	JwksAddress          string `json:"jwksAddress,omitempty"`
	OidcDiscoveryAddress string `json:"oidcDiscoveryAddress,omitempty"`
	UseDynamicValidation bool   `json:"useDynamicValidation,omitempty"`

	AlgorithmValidationRegex string        `json:"algorithmValidationRegex,omitempty"`
	AudienceValidationRegex  string        `json:"audienceValidationRegex,omitempty"`
	IssuerValidationRegex    string        `json:"issuerValidationRegex,omitempty"`
	SubjectValidationRegex   string        `json:"subjectValidationRegex,omitempty"`
	IdValidationRegex        string        `json:"idValidationRegex,omitempty"`
	TokenAllowedClockSkew    time.Duration `json:"tokenAllowedClockSkew,omitempty"`
	IgnorePathRegex          string        `json:"ignorePathRegex,omitempty"`
	CredentialsOptional      bool          `json:"credentialsOptional,omitempty"`
	ValidateOnOptions        bool          `json:"validateOnOptions,omitempty"`
}

func CreateConfig

func CreateConfig() *Config

CreateConfig creates the default plugin configuration.
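The following is an added example, not the plugin's own code, showing how the regex and clock-skew fields of Config can be applied to an id_token's values; Claims is an assumed minimal view of those values. The point a practitioner should take from it is the anchoring: a bare substring pattern would otherwise accept any issuer or audience that merely contains the configured value.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Claims is an assumed, minimal view of the id_token values being validated.
type Claims struct {
	Alg, Iss, Aud, Sub, Jti string
	Exp                     time.Time
}

// ValidationConfig mirrors the validation fields of the plugin's Config.
type ValidationConfig struct {
	AlgorithmValidationRegex, IssuerValidationRegex, AudienceValidationRegex string
	SubjectValidationRegex, IdValidationRegex                                string
	TokenAllowedClockSkew                                                    time.Duration
}

// ValidateClaims applies each non-empty regex to its claim, then checks exp with
// the allowed clock skew. Patterns are anchored as ^(?:...)$ so that a setting like
// "http://keycloak.localhost/realms/whoami" is not satisfied by a longer issuer.
func ValidateClaims(cfg ValidationConfig, c Claims, now time.Time) error {
	checks := [][3]string{ // {claim name, configured pattern, presented value}
		{"alg", cfg.AlgorithmValidationRegex, c.Alg},
		{"iss", cfg.IssuerValidationRegex, c.Iss},
		{"aud", cfg.AudienceValidationRegex, c.Aud},
		{"sub", cfg.SubjectValidationRegex, c.Sub},
		{"jti", cfg.IdValidationRegex, c.Jti},
	}
	for _, ch := range checks {
		if ch[1] == "" {
			continue // an empty setting places no constraint on this claim
		}
		re, err := regexp.Compile("^(?:" + ch[1] + ")$")
		if err != nil {
			return fmt.Errorf("%s: bad regex %q: %w", ch[0], ch[1], err)
		}
		if !re.MatchString(ch[2]) {
			return fmt.Errorf("%s: %q does not match %q", ch[0], ch[2], ch[1])
		}
	}
	if !c.Exp.IsZero() && now.After(c.Exp.Add(cfg.TokenAllowedClockSkew)) {
		return fmt.Errorf("exp: token expired at %s", c.Exp.UTC().Format(time.RFC3339))
	}
	return nil
}
```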

type Plugin

type Plugin struct {
	// contains filtered or unexported fields
}

func (*Plugin) ServeHTTP

func (a *Plugin) ServeHTTP(rw http.ResponseWriter, req *http.Request)

Directories

Path      Synopsis
assert    Package assert provides convenience assert methods to complement the built in go testing library.
jwt       Package jwt is a Go implementation of JSON Web Tokens: http://self-issued.info/docs/draft-jones-json-web-token.html
validator Package validator contains an implementation of jwtmiddleware.ValidateToken using the Square go-jose package version 2.
log
buffer    Package buffer provides a thin wrapper around a byte slice.
color     Package color adds coloring functionality for TTY output.
exit      Package exit provides stubs so that unit tests can exercise code that calls os.Exit(1).
multierr  Package multierr allows combining one or more errors together.
