oauthserver

Published: Aug 18, 2023 License: AGPL-3.0 Imports: 10 Imported by: 0

Documentation


Constants

const (
	// TmpOrgID is the orgID we use while global service accounts are not supported.
	TmpOrgID int64 = 1
	// NoServiceAccountID is the ID we use for clients that have no service account associated.
	NoServiceAccountID int64 = 0

	// List of scopes used to identify the impersonated user.
	ScopeUsersSelf       = "users:self"
	ScopeGlobalUsersSelf = "global.users:self"
	ScopeTeamsSelf       = "teams:self"

	// Supported signing algorithms (JWS "alg" values). Despite the wording elsewhere,
	// RS256 (RSASSA-PKCS1-v1_5 + SHA-256) and ES256 (ECDSA P-256 + SHA-256) are
	// signature algorithms, not encryption algorithms.
	RS256 = "RS256"
	ES256 = "ES256"
)

Variables

var (
	// ErrClientRequiredID is the bad-request error returned when a client ID is missing.
	// WithPublicMessage supplies the text exposed to API callers; the Errorf text is the internal one.
	ErrClientRequiredID = errutil.NewBase(errutil.StatusBadRequest,
		"oauthserver.required-client-id",
		errutil.WithPublicMessage("client ID is required")).Errorf("Client ID is required")
	// ErrClientRequiredName is the bad-request error returned when a client name is missing.
	ErrClientRequiredName = errutil.NewBase(errutil.StatusBadRequest,
		"oauthserver.required-client-name",
		errutil.WithPublicMessage("client name is required")).Errorf("Client name is required")
)
var (
	// ErrClientNotFoundMessageID is the error message ID for a missing client
	// (presumably used by ErrClientNotFound — confirm).
	// NOTE(review): declared as var rather than const, so it is mutable package-level state.
	ErrClientNotFoundMessageID = "oauthserver.client-not-found"
)

Functions

func ErrClientNotFound

func ErrClientNotFound(clientID string) error

Types

type ExternalService

// ExternalService is an OAuth2 client that represents an external service.
// The xorm-tagged fields are the persisted client record; the Get* methods
// expose the record to fosite (audience, grant types, scopes, hashed secret, ...).
type ExternalService struct {
	ID               int64  `xorm:"id pk autoincr"`
	Name             string `xorm:"name"`
	ClientID         string `xorm:"client_id"`
	// Secret is the client secret as stored. GetHashedSecret returns it as the hashed
	// secret, so it is presumably stored hashed rather than in clear — confirm against the store.
	Secret           string `xorm:"secret"`
	RedirectURI      string `xorm:"redirect_uri"` // Not used yet (code flow)
	GrantTypes       string `xorm:"grant_types"`  // CSV value
	Audiences        string `xorm:"audiences"`    // CSV value
	// PublicPem is the client's PEM-encoded public key (see Store.GetExternalServicePublicKey).
	PublicPem        []byte `xorm:"public_pem"`
	// ServiceAccountID is the associated service account; NoServiceAccountID means none.
	ServiceAccountID int64  `xorm:"service_account_id"`
	// SelfPermissions are the registered service account permissions (registered and managed permissions),
	// populated from the associated service account by OAuth2Server.GetExternalService.
	SelfPermissions []ac.Permission
	// ImpersonatePermissions is the restriction set of permissions while impersonating
	ImpersonatePermissions []ac.Permission

	// SignedInUser refers to the current Service Account identity/user,
	// populated by OAuth2Server.GetExternalService.
	SignedInUser      *user.SignedInUser
	Scopes            []string
	ImpersonateScopes []string
}

func (*ExternalService) GetAudience

func (c *ExternalService) GetAudience() fosite.Arguments

GetAudience returns the allowed audience(s) for this client.

func (*ExternalService) GetGrantTypes

func (c *ExternalService) GetGrantTypes() fosite.Arguments

GetGrantTypes returns the client's allowed grant types.

func (*ExternalService) GetHashedSecret

func (c *ExternalService) GetHashedSecret() []byte

GetHashedSecret returns the hashed secret as it is stored in the store.

func (*ExternalService) GetID

func (c *ExternalService) GetID() string

GetID returns the client ID.

func (*ExternalService) GetRedirectURIs

func (c *ExternalService) GetRedirectURIs() []string

GetRedirectURIs returns the client's allowed redirect URIs.

func (*ExternalService) GetResponseTypes

func (c *ExternalService) GetResponseTypes() fosite.Arguments

GetResponseTypes returns the client's allowed response types. All allowed combinations of response types have to be listed, each combination having response types of the combination separated by a space.

func (*ExternalService) GetScopes

func (c *ExternalService) GetScopes() fosite.Arguments

GetScopes returns the scopes this client is allowed to request on its own behalf.

func (*ExternalService) GetScopesOnUser

func (c *ExternalService) GetScopesOnUser(ctx context.Context, accessControl ac.AccessControl, userID int64) []string

GetScopesOnUser returns the scopes this client is allowed to request on a specific user.

func (*ExternalService) IsPublic

func (c *ExternalService) IsPublic() bool

IsPublic returns true if this client is marked as public.

func (*ExternalService) LogID

func (c *ExternalService) LogID() string

func (*ExternalService) ToDTO

func (c *ExternalService) ToDTO() *ExternalServiceDTO

type ExternalServiceDTO

// ExternalServiceDTO is the JSON representation of a client returned by
// OAuth2Server.SaveExternalService. It carries the client secret (Secret) and,
// through KeyResult, possibly a private key (KeyResult.PrivatePem); treat the
// whole value as sensitive and do not log it or keep it beyond the response.
type ExternalServiceDTO struct {
	Name        string     `json:"name"`
	ID          string     `json:"clientId"`
	Secret      string     `json:"clientSecret"`
	RedirectURI string     `json:"redirectUri,omitempty"` // Not used yet (code flow)
	GrantTypes  string     `json:"grantTypes"`            // CSV value
	Audiences   string     `json:"audiences"`             // CSV value
	KeyResult   *KeyResult `json:"key,omitempty"`
}

type ExternalServiceRegistration

// ExternalServiceRegistration is the registration form used to save a new OAuth2 client
// (the input of OAuth2Server.SaveExternalService).
type ExternalServiceRegistration struct {
	// Name identifies the external service; Store.GetExternalServiceByName looks clients up by it.
	Name string `json:"name"`
	// RedirectURI is the URI that is used in the code flow.
	// Note that this is not used yet.
	RedirectURI *string `json:"redirectUri,omitempty"`
	// Impersonation access configuration
	Impersonation ImpersonationCfg `json:"impersonation"`
	// Self access configuration
	Self SelfCfg `json:"self"`
	// Key is the option to specify a public key or ask the server to generate a crypto key pair.
	Key *KeyOption `json:"key,omitempty"`
}

ExternalServiceRegistration represents the registration form used to save a new OAuth2 client.

type ImpersonationCfg

// ImpersonationCfg configures whether, and with which bounded permissions, an external
// service may act on behalf of a user.
type ImpersonationCfg struct {
	// Enabled allows the service to request access tokens to impersonate users using the jwtbearer grant
	Enabled bool `json:"enabled"`
	// Groups allows the service to list the impersonated user's teams
	Groups bool `json:"groups"`
	// Permissions are the permissions that the external service needs when impersonating a user.
	// The intersection of this set with the impersonated user's permission guarantees that the client will not
	// gain more privileges than the impersonated user has.
	Permissions []accesscontrol.Permission `json:"permissions,omitempty"`
}

type KeyOption

// KeyOption describes how the client's key is provided at registration: either the
// caller supplies a public key (PublicPEM) or asks the server to generate a key pair (Generate).
type KeyOption struct {
	// URL       string `json:"url,omitempty"` // TODO allow specifying a URL (to a .jwks file) to fetch the key from
	// PublicPEM contains the Base64 encoded public key in PEM format
	// NOTE(review): PEM is already Base64-armored text; confirm whether callers must
	// additionally base64-encode the PEM block, and document the expected format precisely.
	PublicPEM string `json:"public_pem,omitempty"`
	// Generate asks the server to generate a key pair (see KeyResult).
	Generate  bool   `json:"generate,omitempty"`
}

type KeyResult

// KeyResult reports the key material associated with a client after registration.
// PrivatePem is sensitive: it is presumably only set when the server generated the
// key pair (Generated) and is returned to the caller once — confirm against the implementation.
type KeyResult struct {
	URL        string `json:"url,omitempty"`
	PrivatePem string `json:"private,omitempty"`
	PublicPem  string `json:"public,omitempty"`
	Generated  bool   `json:"generated,omitempty"`
}

type OAuth2Server

// OAuth2Server is a service in charge of managing OAuth2 clients and handling
// OAuth2 requests (token, introspection).
type OAuth2Server interface {
	// SaveExternalService creates or updates an external service in the database, it generates client_id and secrets and
	// it ensures that the associated service account has the correct permissions.
	// The returned DTO carries the generated secret (and private key, if any); callers must treat it as sensitive.
	SaveExternalService(ctx context.Context, cmd *ExternalServiceRegistration) (*ExternalServiceDTO, error)
	// GetExternalService retrieves an external service from store by client_id. It populates the SelfPermissions and
	// SignedInUser from the associated service account.
	GetExternalService(ctx context.Context, id string) (*ExternalService, error)

	// HandleTokenRequest handles the client's OAuth2 query to obtain an access_token by presenting its authorization
	// grant (ex: client_credentials, jwtbearer).
	HandleTokenRequest(rw http.ResponseWriter, req *http.Request)
	// HandleIntrospectionRequest handles the OAuth2 query to determine the active state of an OAuth 2.0 token and
	// to determine meta-information about this token.
	HandleIntrospectionRequest(rw http.ResponseWriter, req *http.Request)
}

OAuth2Server represents a service in charge of managing OAuth2 clients and handling OAuth2 requests (token, introspection).

type SelfCfg

// SelfCfg configures the external service's own access (client_credentials grant) and the
// permissions its associated service account is granted.
type SelfCfg struct {
	// Enabled allows the service to request access tokens for itself using the client_credentials grant
	Enabled bool `json:"enabled"`
	// Permissions are the permissions that the external service needs its associated service account to have.
	Permissions []accesscontrol.Permission `json:"permissions,omitempty"`
}

type Store

// Store is the persistence layer for OAuth2 clients (ExternalService records).
type Store interface {
	// RegisterExternalService persists a new client.
	RegisterExternalService(ctx context.Context, client *ExternalService) error
	// SaveExternalService persists the given client (presumably create-or-update, mirroring
	// OAuth2Server.SaveExternalService — confirm against the implementation).
	SaveExternalService(ctx context.Context, client *ExternalService) error
	// GetExternalService looks a client up by its client ID.
	GetExternalService(ctx context.Context, id string) (*ExternalService, error)
	// GetExternalServiceByName looks a client up by its Name.
	GetExternalServiceByName(ctx context.Context, name string) (*ExternalService, error)
	// GetExternalServicePublicKey returns the client's public key as a JSON Web Key
	// (presumably parsed from ExternalService.PublicPem — confirm).
	GetExternalServicePublicKey(ctx context.Context, clientID string) (*jose.JSONWebKey, error)
}
