login

package
v0.0.0-...-f5c2ca4

This package is not in the latest version of its module.
Published: Dec 31, 2023 License: GPL-3.0 Imports: 23 Imported by: 0

Documentation

Overview

Package login implements the authentication workflow, protecting another application by means of its Wrap() middleware.

Internally, it runs a simple state machine meant to match the interactions with the underlying auth-server. State transitions happen on POST requests. Request handling is split into two stages: the processing stage (which processes request parameters and possibly modifies the current state), and the rendering stage (which renders content to the user).

- we start from the BEGIN state, where the user is asked for username and password.

- we make the first AuthRequest, which has two possible non-error return values ("ok" and "need 2fa"), resulting in the OK or 2FA states.

- in the 2FA state, we present the user with a request for the second authentication factor. We make a second AuthRequest that includes second factor information, resulting in the OK state if successful.

States are tied to specific URLs because we want to make states visible to the browser, and possibly give users the option of hitting the back button, though doing so will likely result in being reset to the BEGIN state. Tying states to URLs also makes it easier to have multiple endpoints for the 2FA state.

The login state machine is stored in a short-lived session cookie, which is global browser state. The original_url parameter, by contrast, must be tracked per-window, so it has to be carried along the request flow as a form parameter.
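
The transitions described above, as an added sketch that is not this package's own code. The reply type, the step function, the comparison between the URL's state and the cookie's state, and the choice to keep the state unchanged after a failed attempt are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// State mirrors the constants documented on this page.
type State int

const (
	StateBEGIN State = iota
	State2FA_OTP
	State2FA_U2F
	StateOK
)

// reply is a hypothetical stand-in for the outcome of an AuthRequest.
type reply int

const (
	replyError reply = iota
	replyOK
	replyNeedOTP
	replyNeedU2F
)

// step models the processing stage. cookieState comes from the session
// cookie, urlState is the state tied to the requested URL.
func step(cookieState, urlState State, method string, r reply) State {
	if urlState != cookieState {
		return StateBEGIN // e.g. back button: URL and cookie disagree
	}
	if method != http.MethodPost {
		return cookieState // GET only renders, it never advances the flow
	}
	switch {
	case cookieState == StateBEGIN && r == replyNeedOTP:
		return State2FA_OTP
	case cookieState == StateBEGIN && r == replyNeedU2F:
		return State2FA_U2F
	case cookieState != StateOK && r == replyOK:
		return StateOK // password-only login, or second factor accepted
	}
	return cookieState // assumption: a failed attempt re-renders the same form
}

func main() {
	fmt.Println(step(StateBEGIN, StateBEGIN, http.MethodPost, replyNeedOTP)) // 1
}
```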

Constants

const (
	StateBEGIN = iota
	State2FA_OTP
	State2FA_U2F
	StateOK
)

Functions

func GetSessionID

func GetSessionID(ctx context.Context) (string, bool)

GetSessionID retrieves the session ID which is available during the AuthClient.Authenticate call.

func Wrap

func Wrap(wrap http.Handler, authClient AuthClient, config *Config, urls common.URLMap) (http.Handler, error)

Wrap wraps an http.Handler with an authentication web UI backed by authClient. The wrapped code can then call GetAuth() to obtain the authenticated user's details.

Types

type Auth

type Auth struct {
	// User name and other information (like group membership).
	Username string         `json:"u"`
	UserInfo *auth.UserInfo `json:"ui"`

	// Sticky session ID.
	SessionID string `json:"sid"`

	// Deadline until authentication will need to be renewed. The
	// securecookie also provides a similar expiration mechanism,
	// but we do not use it here because we want to be able to
	// detect the expiration for UX purposes.
	Deadline time.Time `json:"d"`
}

func GetAuth

func GetAuth(ctx context.Context) (*Auth, bool)

GetAuth returns the current user information, if any. Presence of an Auth object implies that the authentication succeeded in all contexts *except* the logout handler.

type AuthClient

type AuthClient interface {
	Authenticate(context.Context, *auth.Request) (*auth.Response, error)
	Logout(context.Context, string, *auth.UserInfo) error
}

AuthClient is a wrapper interface for an id/auth.Client that adds support for a Logout event. This allows injection of state-aware components that can trigger on both successful authentication and logout to maintain external session-scoped state.

type AuthServiceList

type AuthServiceList struct {
	// Services the user has logged in to from this session.
	Services []string `json:"s"`
	// contains filtered or unexported fields
}

func GetServiceList

func GetServiceList(ctx context.Context) (*AuthServiceList, bool)

GetServiceList returns the AuthServiceList object associated with the current session.

func (*AuthServiceList) AddService

func (s *AuthServiceList) AddService(service string)

AddService adds a service to the current session (if it's not already there).

func (*AuthServiceList) Delete

func (*AuthServiceList) Save

type Config

type Config struct {
	ui.Config `yaml:",inline"`

	AuthService                string `yaml:"auth_service"`
	AuthSessionLifetimeSeconds int    `yaml:"auth_session_lifetime"`

	DeviceManager *device.Config `yaml:"device_manager"`

	SessionAuthKey          common.SessionAuthenticationKey `yaml:"session_auth_key"`
	SessionEncKey           common.SessionEncryptionKey     `yaml:"session_enc_key"`
	CSRFSecret              common.YAMLBytes                `yaml:"csrf_secret"`
	TrustedOrigins          []string                        `yaml:"trusted_origins"`
	DefaultSignedInRedirect string                          `yaml:"default_signed_in_redirect"`
	CookieSameSiteMode      string                          `yaml:"cookie_same_site_mode"`
}

type State

type State int

State enum for the login state machine.

func (State) String

func (s State) String() string
