Documentation
Overview
The Login service serves as the interface between external authentication systems and Taskcluster credentials.
See:
How to use this package
First create a Login object:

    login := tclogin.New(nil, rootURL)

and then call one or more of login's methods, e.g.:

    err := login.Ping(.....)

handling any errors...

    if err != nil {
        // handle error...
    }
Taskcluster Schema
The source code of this go package was auto-generated from the API definition at <rootUrl>/references/login/v1/api.json together with the input and output schemas it references,
Types
type CredentialsResponse

    type CredentialsResponse struct {
        // Taskcluster credentials. Note that the credentials may not contain a certificate!
        Credentials TaskclusterCredentials `json:"credentials"`

        // Time after which the credentials are no longer valid. Callers should
        // call `oidcCredentials` again to get fresh credentials before this time.
        Expires tcclient.Time `json:"expires"`
    }

A response containing credentials corresponding to a supplied OIDC `access_token`.
type Login
func New
func New(credentials *tcclient.Credentials, rootURL string) *Login
New returns a Login client, configured to run against production. Pass in nil credentials to create a client without authentication. The returned client is mutable, so returned settings can be altered.

    login := tclogin.New(
        nil,                                    // client without authentication
        "http://localhost:1234/my/taskcluster", // taskcluster hosted at this root URL on local machine
    )
    err := login.Ping(.....) // for example, call the Ping(.....) API endpoint (described further down)...
    if err != nil {
        // handle errors...
    }

func NewFromEnv
func NewFromEnv() *Login
NewFromEnv returns a *Login configured from environment variables.
The root URL is taken from TASKCLUSTER_PROXY_URL if set to a non-empty string, otherwise from TASKCLUSTER_ROOT_URL if set, otherwise the empty string.
The credentials are taken from environment variables:

    TASKCLUSTER_CLIENT_ID
    TASKCLUSTER_ACCESS_TOKEN
    TASKCLUSTER_CERTIFICATE

If TASKCLUSTER_CLIENT_ID is empty/unset, authentication will be disabled.
func (*Login) OidcCredentials
func (login *Login) OidcCredentials(provider string) (*CredentialsResponse, error)
Stability: *** EXPERIMENTAL ***
Given an OIDC `access_token` from a trusted OpenID provider, return a set of Taskcluster credentials for use on behalf of the identified user.
This method is typically not called with a Taskcluster client library and does not accept Hawk credentials. The `access_token` should be given in an `Authorization` header:
```
Authorization: Bearer abc.xyz
```
The `access_token` is first verified against the named :provider, then passed to the provider's APIBuilder to retrieve a user profile. That profile is then used to generate Taskcluster credentials appropriate to the user. Note that the resulting credentials may or may not include a `certificate` property. Callers should be prepared for either alternative.
The given credentials will expire in a relatively short time. Callers should monitor this expiration and, once the credentials have expired, refresh them by calling this endpoint again.
See #oidcCredentials
type TaskclusterCredentials

    type TaskclusterCredentials struct {
        // Syntax:     ^[a-zA-Z0-9_-]{22,66}$
        AccessToken string `json:"accessToken"`

        Certificate string `json:"certificate,omitempty"`

        // Syntax:     ^[A-Za-z0-9!@/:.+|_-]+$
        ClientID string `json:"clientId"`
    }

Taskcluster credentials. Note that the credentials may not contain a certificate!
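
An added example (not part of the tclogin package or its generated documentation) of the handling that the expiry note under OidcCredentials and the `Syntax:` comments on TaskclusterCredentials ask of callers: validate a response against the documented patterns, accept a missing certificate, and fetch again once the credentials are inside a refresh margin. `Response`, `Check`, `Current`, the margin and the `fetch` callback are hypothetical names, and `Expires` is assumed to be a plain `time.Time`.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Response is a local stand-in for the documented fields (assumption: Expires as time.Time).
type Response struct {
	ClientID, AccessToken, Certificate string
	Expires                            time.Time
}

// Syntax patterns copied from the TaskclusterCredentials field comments.
var tokenRE = regexp.MustCompile(`^[a-zA-Z0-9_-]{22,66}$`)
var clientRE = regexp.MustCompile(`^[A-Za-z0-9!@/:.+|_-]+$`)

// Check rejects malformed or nearly expired credentials; Certificate may be empty.
func Check(r *Response, now time.Time, margin time.Duration) error {
	if r == nil || !clientRE.MatchString(r.ClientID) || !tokenRE.MatchString(r.AccessToken) {
		return fmt.Errorf("credentials missing or violating the documented syntax")
	}
	if !now.Add(margin).Before(r.Expires) {
		return fmt.Errorf("credentials expired or inside the refresh margin")
	}
	return nil
}

// Current returns cur while it passes Check; otherwise it calls fetch, a
// hypothetical wrapper around the oidcCredentials request, and checks the result.
func Current(cur *Response, now time.Time, margin time.Duration, fetch func() (*Response, error)) (*Response, error) {
	if Check(cur, now, margin) == nil {
		return cur, nil
	}
	r, err := fetch()
	if err != nil {
		return nil, err
	}
	if err := Check(r, now, margin); err != nil {
		return nil, err
	}
	return r, nil
}

func main() {
	fresh := &Response{ClientID: "user@example.com", AccessToken: "abcdefghijklmnopqrstuv", Expires: time.Now().Add(time.Hour)} // constructed sample, no certificate
	fmt.Println(Current(nil, time.Now(), time.Minute, func() (*Response, error) { return fresh, nil }))
}
```

Checking the fetched response as well as the cached one means a reply that is already stale, or whose fields do not match the documented syntax, is returned as an error instead of being handed to later API calls.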