authn

package

v0.0.0-...-acfe7e3 Latest Latest Go to latest Published: May 3, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/grafana/authlib

Documentation ¶

Index ¶

Variables
func IsInvalidTokenErr(err error) bool
type AccessTokenClaims
type AccessTokenVerifier
- func NewAccessTokenVerifier(cfg VerifierConfig) *AccessTokenVerifier
- func NewAccessTokenVerifierWithCache(cfg VerifierConfig, cache cache.Cache) *AccessTokenVerifier
- func (e *AccessTokenVerifier) Verify(ctx context.Context, token string) (*Claims[AccessTokenClaims], error)
type Claims
type ExchangeClientOpts
- func WithHTTPClient(client *http.Client) ExchangeClientOpts
type IDTokenClaims
type IDTokenVerifier
- func NewIDTokenVerifier(cfg VerifierConfig) *IDTokenVerifier
- func NewIDTokenVerifierWithCache(cfg VerifierConfig, cache cache.Cache) *IDTokenVerifier
- func (e *IDTokenVerifier) Verify(ctx context.Context, token string) (*Claims[IDTokenClaims], error)
type NoopVerifier
- func NewNoopVerifier[T any]() *NoopVerifier[T]
- func (v *NoopVerifier[T]) Verify(ctx context.Context, token string) (*Claims[T], error)
type TokenExchangeClient
- func NewTokenExchangeClient(cfg TokenExchangeConfig, opts ...ExchangeClientOpts) (*TokenExchangeClient, error)
- func (c *TokenExchangeClient) Exhange(ctx context.Context, r TokenExchangeRequest) (*TokenExhangeResponse, error)
type TokenExchangeConfig
- func (c *TokenExchangeConfig) RegisterFlags(prefix string, fs *flag.FlagSet)
type TokenExchangeRequest
type TokenExhangeResponse
type TokenType
type Verifier
type VerifierBase
- func NewVerifier[T any](cfg VerifierConfig, typ TokenType) *VerifierBase[T]
- func (v *VerifierBase[T]) Verify(ctx context.Context, token string) (*Claims[T], error)
type VerifierConfig
- func (c *VerifierConfig) RegisterFlags(prefix string, fs *flag.FlagSet)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrFetchingSigningKey = errors.New("unable to fetch signing keys")

	ErrParseToken        = fmt.Errorf("%w: failed to parse as jwt token", errInvalidToken)
	ErrInvalidTokenType  = fmt.Errorf("%w: invalid token type", errInvalidToken)
	ErrInvalidSigningKey = fmt.Errorf("%w: unrecognized signing key", errInvalidToken)

	ErrExpiredToken    = fmt.Errorf("%w: expired token", errInvalidToken)
	ErrInvalidAudience = fmt.Errorf("%w: invalid audience", errInvalidToken)
)

View Source

var (
	ErrMissingNamespace = errors.New("missing required namespace")
	ErrMissingAudiences = errors.New("missing required audiences")

	ErrInvalidExchangeResponse = errors.New("invalid exchange response")
)

Functions ¶

func IsInvalidTokenErr ¶

func IsInvalidTokenErr(err error) bool

Types ¶

type AccessTokenClaims ¶

type AccessTokenClaims struct {
	// Namespace takes the form of '<type>-<id>', '*' means all namespaces.
	// Type can be either org or stack.
	Namespace string `json:"namespace"`
	// Access policy scopes
	Scopes []string `json:"scopes"`
	// Grafana roles
	Permissions []string `json:"permissions"`
	// On-behalf-of user
	DelegatedPermissions []string `json:"delegatedPermissions"`
}

type AccessTokenVerifier ¶

type AccessTokenVerifier struct {
	// contains filtered or unexported fields
}

AccessTokenVerifier is a convenient wrapper around `Verifier` used to verify and authenticate Grafana issued AccessTokens.

func NewAccessTokenVerifier ¶

func NewAccessTokenVerifier(cfg VerifierConfig) *AccessTokenVerifier

func NewAccessTokenVerifierWithCache ¶

func NewAccessTokenVerifierWithCache(cfg VerifierConfig, cache cache.Cache) *AccessTokenVerifier

func (*AccessTokenVerifier) Verify ¶

func (e *AccessTokenVerifier) Verify(ctx context.Context, token string) (*Claims[AccessTokenClaims], error)

type Claims ¶

type Claims[T any] struct {
	*jwt.Claims
	Rest T
}

type ExchangeClientOpts ¶

type ExchangeClientOpts func(c *TokenExchangeClient)

ExchangeClientOpts allows setting custom parameters during construction.

func WithHTTPClient ¶

func WithHTTPClient(client *http.Client) ExchangeClientOpts

WithHTTPClient allows setting the HTTP client to be used by the token exchange client.

type IDTokenClaims ¶

type IDTokenClaims struct {
	// Namespace takes the form of '<type>-<id>', '*' means all namespaces.
	// Type can be either org or stack.
	Namespace string `json:"namespace"`
	// AuthenticatedBy is the method used to authenticate the identity.
	AuthenticatedBy string `json:"authenticatedBy"`
	Email           string `json:"email"`
	EmailVerified   string `json:"email_verified"`
}

type IDTokenVerifier ¶

type IDTokenVerifier struct {
	// contains filtered or unexported fields
}

IDTokenVerifier is a convenient wrapper around `Verifier` used to verify grafana issued id tokens.

func NewIDTokenVerifier ¶

func NewIDTokenVerifier(cfg VerifierConfig) *IDTokenVerifier

func NewIDTokenVerifierWithCache ¶

func NewIDTokenVerifierWithCache(cfg VerifierConfig, cache cache.Cache) *IDTokenVerifier

func (*IDTokenVerifier) Verify ¶

func (e *IDTokenVerifier) Verify(ctx context.Context, token string) (*Claims[IDTokenClaims], error)

type NoopVerifier ¶

type NoopVerifier[T any] struct{}

func NewNoopVerifier ¶

func NewNoopVerifier[T any]() *NoopVerifier[T]

func (*NoopVerifier[T]) Verify ¶

func (v *NoopVerifier[T]) Verify(ctx context.Context, token string) (*Claims[T], error)

type TokenExchangeClient ¶

type TokenExchangeClient struct {
	// contains filtered or unexported fields
}

func NewTokenExchangeClient ¶

func NewTokenExchangeClient(cfg TokenExchangeConfig, opts ...ExchangeClientOpts) (*TokenExchangeClient, error)

func (*TokenExchangeClient) Exhange ¶

func (c *TokenExchangeClient) Exhange(ctx context.Context, r TokenExchangeRequest) (*TokenExhangeResponse, error)

type TokenExchangeConfig ¶

type TokenExchangeConfig struct {
	// Token used to perform the exchange request.
	Token string
	// Url called to perform exhange request.
	TokenExchangeURL string
}

func (*TokenExchangeConfig) RegisterFlags ¶

func (c *TokenExchangeConfig) RegisterFlags(prefix string, fs *flag.FlagSet)

type TokenExchangeRequest ¶

type TokenExchangeRequest struct {
	// Namespace token should be signed with.
	// Use wildcard '*' to create a token for all namespaces.
	Namespace string `json:"namespace"`
	// Audiences token should be signed with.
	Audiences []string `json:"audiences"`
}

type TokenExhangeResponse ¶

type TokenExhangeResponse struct {
	Token string
}

type TokenType ¶

type TokenType = string

const (
	TokenTypeID     TokenType = "jwt"
	TokenTypeAccess TokenType = "at+jwt"
)

type Verifier ¶

type Verifier[T any] interface {
	// Verify will parse and verify provided token using public key from `VerifierConfig.SigningKeysURL`.
	// If `AllowedAudiences` was configured those will be validated as well.
	Verify(ctx context.Context, token string) (*Claims[T], error)
}

type VerifierBase ¶

type VerifierBase[T any] struct {
	// contains filtered or unexported fields
}

func NewVerifier ¶

func NewVerifier[T any](cfg VerifierConfig, typ TokenType) *VerifierBase[T]

func (*VerifierBase[T]) Verify ¶

func (v *VerifierBase[T]) Verify(ctx context.Context, token string) (*Claims[T], error)

Verify will parse and verify provided token using public key from `SigningKeysURL`. If `AllowedAudiences` was configured those will be validated as well.

type VerifierConfig ¶

type VerifierConfig struct {
	SigningKeysURL   string       `yaml:"signingKeysUrl"`
	AllowedAudiences jwt.Audience `yaml:"allowedAudiences"`
}

func (*VerifierConfig) RegisterFlags ¶

func (c *VerifierConfig) RegisterFlags(prefix string, fs *flag.FlagSet)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL