oauthservice

package
Published: Feb 12, 2018 License: BSD-3-Clause Imports: 25 Imported by: 5

Documentation


Constants

const (
	// AuthorizationGrantCodeType is the value of the response_type parameter that
	// requests an oauth2 'authorization code' flow (RFC 6749 §4.1.1).
	AuthorizationGrantCodeType = "code"
	// ClientCredentialsGrantCodeType is the value of the grant_type parameter for an
	// oauth2 'client credentials' flow (RFC 6749 §4.4.2).
	ClientCredentialsGrantCodeType = "client_credentials"
)

Variables

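// AccessTokenExpiration is the lifetime of an access token as a time.Duration
// (one day). It is a package-level variable, so it can be changed at startup;
// a token is considered expired this long after its CreatedAt.
var AccessTokenExpiration = 24 * time.Hour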

AccessTokenExpiration is the time.Duration after which an access token expires (currently one day after it was created). Note that it is a variable, not a constant, so it can be overridden at startup.

Functions

func InitModels

func InitModels()

InitModels initialize models in mongo, if required.

func IsAuthorizationValid added in v0.9.15

func IsAuthorizationValid(possibleScopes []string, authorizedScopes []string) bool

IsAuthorizationValid reports whether the scopes being requested (possibleScopes) are already covered by the scopes the user has authorized (authorizedScopes); when it returns false the user must be asked to authorize again.

func UserHasAuthorizedScopes added in v1.0.0

func UserHasAuthorizedScopes(r *http.Request, authorization *user.Authorization) (bool, error)

UserHasAuthorizedScopes checks if all labels from an authorization scope mapping are still present on the user

Types

type AccessToken

// AccessToken is an oauth2 access token together with the access information it
// stands for. It is persisted in mongo (see the bson tags). The raw token string
// is stored as-is and looked up by value (Manager.GetAccessToken), so
// NOTE(review): anyone with read access to the collection can replay live
// tokens; storing a hash of the token instead would limit that exposure — confirm.
// Only ID carries a json:"-" tag, so marshalling this struct to JSON would emit
// the token value itself.
type AccessToken struct {
	ID          bson.ObjectId `json:"-" bson:"_id,omitempty"`
	AccessToken string // the bearer token value handed out to the client
	Type        string // token type string returned to the client (value not shown here)
	Username    string // the user on whose behalf the token was issued
	GlobalID    string //The organization that granted the token (in case of a client credentials flow)
	Scope       string // the scopes granted to this token
	ClientID    string //The client_id of the organization that was granted the token
	CreatedAt   time.Time // issue time; presumably the base for ExpirationTime together with AccessTokenExpiration
}

AccessToken is an oauth2 accesstoken together with the access information it stands for

func (*AccessToken) ExpirationTime

func (at *AccessToken) ExpirationTime() time.Time

ExpirationTime returns the time at which this token expires.

func (*AccessToken) IsExpired

func (at *AccessToken) IsExpired() bool

IsExpired is a convenience method for IsExpiredAt(time.Now()).

func (*AccessToken) IsExpiredAt

func (at *AccessToken) IsExpiredAt(testtime time.Time) bool

IsExpiredAt checks if the token is expired at a specific time

type ClientManager

// ClientManager defines the client persistence interface the oauthservice needs.
// *Manager satisfies it.
type ClientManager interface {
	// AllByClientID retrieves all clients (one per label/secret) registered under a given ClientID.
	AllByClientID(clientID string) ([]*Oauth2Client, error)
}

ClientManager defines a client persistence interface

type IdentityService

// IdentityService provides the basic knowledge about users, organizations and
// authorizations that the oauthservice needs to decide which scopes may be granted.
type IdentityService interface {
	// FilterAuthorizedScopes filters the requested scopes down to the ones that are already
	// authorized by username for grantedTo. If no authorization exists, authorizedScopes is nil.
	FilterAuthorizedScopes(r *http.Request, username string, grantedTo string, requestedscopes []string) (authorizedScopes []string, err error)
	// FilterPossibleScopes filters requestedScopes down to the ones that are possible for username.
	// For example, `user:memberof:orgid1` is not possible if the user is not a member of the `orgid1`
	// organization and there is no outstanding invite for that organization.
	// If allowInvitations is true, a pending invitation to an organization makes the
	// corresponding "user:memberof:organization" scope possible as well.
	FilterPossibleScopes(r *http.Request, username string, requestedScopes []string, allowInvitations bool) (possibleScopes []string, err error)
}

IdentityService provides some basic knowledge about authorizations required for the oauthservice

type Manager

// Manager stores and retrieves oauth2 clients and access tokens (backed by mongo,
// see InitModels). Create one per request with NewManager.
type Manager struct {
	// contains filtered or unexported fields
}

Manager is used to store and retrieve oauth2 clients (client ID, label, secret) and access tokens.

func NewManager

func NewManager(r *http.Request) *Manager

NewManager creates and initializes a new Manager

func (*Manager) AllByClientID

func (m *Manager) AllByClientID(clientID string) (clients []*Oauth2Client, err error)

AllByClientID retrieves all clients with a given ID

func (*Manager) CreateClient

func (m *Manager) CreateClient(client *Oauth2Client) (err error)

CreateClient saves an Oauth2 client

func (*Manager) DeleteAllForOrganization

func (m *Manager) DeleteAllForOrganization(clientID string) (err error)

DeleteAllForOrganization removes all client secrets registered for the organization identified by clientID.

func (*Manager) DeleteClient

func (m *Manager) DeleteClient(clientID, label string) (err error)

DeleteClient removes a single client secret identified by its clientID and label.

func (*Manager) GetAccessToken

func (m *Manager) GetAccessToken(token string) (at *AccessToken, err error)

GetAccessToken looks up an access token by its actual token string. If the token is not found or is expired, nil is returned.

func (*Manager) GetClient

func (m *Manager) GetClient(clientID, label string) (client *Oauth2Client, err error)

GetClient retrieves a client given a clientid and a label

func (*Manager) GetClientLabels

func (m *Manager) GetClientLabels(clientID string) (labels []string, err error)

GetClientLabels returns a list of labels for which there are apikeys registered for a specific client

func (*Manager) RemoveClientsByID

func (m *Manager) RemoveClientsByID(clientid string) error

RemoveClientsByID removes oauth clients by client id

func (*Manager) RemoveOrganizationScopes added in v0.9.9

func (m *Manager) RemoveOrganizationScopes(globalID string, username string) error

RemoveOrganizationScopes removes the user:memberof:&lt;globalID&gt; scope from all access tokens issued to username, e.g. after the user leaves the organization.

func (*Manager) RemoveTokensByGlobalID

func (m *Manager) RemoveTokensByGlobalID(globalid string) error

RemoveTokensByGlobalID removes oauth tokens by global id

func (*Manager) UpdateClient

func (m *Manager) UpdateClient(clientID, oldLabel, newLabel string, callbackURL string, clientcredentialsGrantType bool) (err error)

UpdateClient updates the label, callbackurl and clientCredentialsGrantType properties of a client

type Oauth2Client

// Oauth2Client is an oauth2 client registration. A (ClientID, Label) pair
// identifies one secret; several secrets can exist for the same ClientID.
// NOTE(review): Secret is held as a plain string and nothing visible here hashes
// it before storage, so read access to the store yields usable client secrets —
// confirm whether that is acceptable for this deployment.
type Oauth2Client struct {
	ClientID                   string
	Label                      string //Label is just a tag to identify the secret for this ClientID
	Secret                     string // the client secret; generated randomly by NewOauth2Client
	CallbackURL                string // presumably the redirect target after authorization — how strictly it is matched is not shown here
	ClientCredentialsGrantType bool //ClientCredentialsGrantType indicates if this client can be used in an oauth2 client credentials grant flow
}

Oauth2Client is an oauth2 client

func NewOauth2Client

func NewOauth2Client(clientID, label, callbackURL string, clientCredentialsGrantType bool) *Oauth2Client

NewOauth2Client creates a new Oauth2Client with a randomly generated secret.

type Service

// Service is the oauthserver http service. It wires the authorize, access_token
// and JWT endpoints (see AddRoutes) to the configured SessionService and
// IdentityService and signs JWTs with the ECDSA key given to NewService.
type Service struct {
	// contains filtered or unexported fields
}

Service is the oauthserver http service

func NewService

func NewService(sessionService SessionService, identityService IdentityService, ecdsaKey *ecdsa.PrivateKey) (service *Service, err error)

NewService creates and initializes a Service

func (*Service) AccessTokenHandler

func (service *Service) AccessTokenHandler(w http.ResponseWriter, r *http.Request)

AccessTokenHandler is the handler of the /v1/oauth/access_token endpoint

func (*Service) AddRoutes

func (service *Service) AddRoutes(router *mux.Router)

AddRoutes adds the routes and handlerfunctions to the router

func (*Service) AuthorizeHandler

func (service *Service) AuthorizeHandler(w http.ResponseWriter, request *http.Request)

AuthorizeHandler is the handler of the /v1/oauth/authorize endpoint

func (*Service) GetOauthUser added in v0.9.11

func (service *Service) GetOauthUser(r *http.Request, w http.ResponseWriter) (username string, err error)

GetOauthUser returns a user in a protected oauth session, or an empty string if there is none

func (*Service) GetWebuser

func (service *Service) GetWebuser(r *http.Request, w http.ResponseWriter) (username string, err error)

GetWebuser returns the authenticated user if any or an empty string if not

func (*Service) JWTHandler

func (service *Service) JWTHandler(w http.ResponseWriter, r *http.Request)

JWTHandler returns a JWT with claims that are a subset of the scopes available to the authorizing token

func (*Service) RefreshJWTHandler

func (service *Service) RefreshJWTHandler(w http.ResponseWriter, r *http.Request)

RefreshJWTHandler returns a new, refreshed JWT with the same scopes as the original JWT. The original JWT must be passed in the Authorization header as a bearer token. If the stored allowed scopes no longer contain a scope that is present in the JWT, that scope is dropped from the newly created JWT.

type SessionService

// SessionService declares a context in which a user can be logged in; the
// oauthservice uses it to find the current user and to attach an API access
// token to the session.
type SessionService interface {
	// GetLoggedInUser returns the authenticated user, or an empty string if there is none.
	GetLoggedInUser(request *http.Request, w http.ResponseWriter) (username string, err error)
	// GetOauthUser returns the user of a protected oauth session, or an empty string if there is none.
	GetOauthUser(request *http.Request, w http.ResponseWriter) (username string, err error)
	// SetAPIAccessToken stores the api access token for this session.
	SetAPIAccessToken(w http.ResponseWriter, token string) (err error)
}

SessionService declares a context where you can have a logged in user
