ibmoidc

package module
v1.2.1
Published: Apr 16, 2019 License: BSD-3-Clause Imports: 12 Imported by: 0

README

OpenID Connect for IBMid

This is support code for authenticating using IBM's OpenID Connect authentication servers, in particular IBMid.

The OpenID Connect parameters for IBMid are provided in the call to NewIBMidAuthenticator:

  1. The client ID, given to you during the enrollment process
  2. The client secret, ditto
  3. The callback URL

Example usage:

ibmid := ibmoidc.NewIBMidAuthenticator(myClientID, myClientSecret, myCallbackURL)

http.Handle("/login", ibmid.BeginLogin())
http.Handle("/openid/code", ibmid.CompleteLogin(myauthhandler))

where the callback URL is https://www.example.com/openid/code on your web app.

The http.Handler myauthhandler can then do:

token, ok := ibmoidc.TokenFromRequest(r) // r is the http.Request

The jwt.Token in token will contain the authenticated information from IBMid. At that point it's up to you to work out some way to persist it via a session, cookies, or whatever.
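The login wiring above depends on the callback at /openid/code being tied to the browser that started the login. The following is an added example, not ibmoidc's own code: a stdlib-only version of what a state token, its cookie and the callback check must do (the same job as MakeCSRFtoken, MakeCSRFcookie and ReadCSRFcookie), with the cookie name oidc_state chosen here as an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
)

// Cookie name is an assumption for this example, not ibmoidc's.
const stateCookie = "oidc_state"

// NewState returns a random 32-character URL-safe string
// (24 random bytes, base64 without padding).
func NewState() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// StateCookie binds the state to the browser session that began the login.
func StateCookie(state string) *http.Cookie {
	return &http.Cookie{
		Name: stateCookie, Value: state, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}
}

// CodeFromCallback accepts the provider's GET callback only when the echoed
// state matches the cookie; a callback without that binding is rejected.
func CodeFromCallback(r *http.Request) (string, error) {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return "", errors.New("missing state cookie")
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return "", errors.New("state mismatch")
	}
	code := r.URL.Query().Get("code")
	if code == "" {
		return "", errors.New("missing authorization code")
	}
	return code, nil
}
```

Only after CodeFromCallback succeeds should the code be exchanged at the token endpoint (what FetchToken does).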

It's also up to you to access and unpack the ext parameter from the JWT, which contains JSON you can deserialize in order to obtain the BlueGroups information.

Here's an example of how you might turn the token into a User object:

import (
  "encoding/json"

  "github.com/lestrrat-go/jwx/jwt" // assumed to be the jwt package behind ibmoidc's *jwt.Token
)

// User is the application-side view of an authenticated IBMid identity.
type User struct {
  Name       string
  Email      string
  Company    string
  BlueGroups []string
}

// getString returns the named claim if it is present and a string, else "".
func getString(tok *jwt.Token, key string) string {
  x, ok := tok.Get(key)
  if !ok {
    return ""
  }
  switch v := x.(type) {
  case string:
    return v
  default:
    return ""
  }
}

// NewUser builds a User from a verified token. The ext claim is a JSON
// document carried as a string, so it is only decoded when it really is one.
func NewUser(tok *jwt.Token) *User {
  type Ext struct {
    BlueGroups []string `json:"blueGroups"`
    Company    string   `json:"company"`
  }
  user := &User{}
  if extjson, ok := tok.Get("ext"); ok {
    // A checked assertion avoids a panic if ext is not a string.
    if extstr, isStr := extjson.(string); isStr {
      ext := Ext{}
      if err := json.Unmarshal([]byte(extstr), &ext); err == nil {
        user.Company = ext.Company
        user.BlueGroups = ext.BlueGroups
      }
    }
  }
  user.Email = getString(tok, "email")
  user.Name = getString(tok, "name")
  return user
}
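NewUser above silently leaves BlueGroups empty when ext is missing or malformed, which is fine for display but not for access control. As an added example (not ibmoidc's code), here is a fail-closed membership check on the same ext format; the Claims map and its Get method stand in for jwt.Token.Get, and the sample token is constructed, not a real IBMid response.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Claims stands in for the jwt.Token on this page: claim name to value
// (an assumption made so the example runs without the jwt package).
type Claims map[string]interface{}

// Get mirrors jwt.Token.Get: the value and whether the claim is present.
func (c Claims) Get(key string) (interface{}, bool) {
	v, ok := c[key]
	return v, ok
}

// HasBlueGroup fails closed: a missing, non-string or malformed ext claim
// is an error, never a silent "not a member".
func HasBlueGroup(tok Claims, required string) (bool, error) {
	raw, ok := tok.Get("ext")
	if !ok {
		return false, errors.New("ext claim missing")
	}
	extstr, ok := raw.(string)
	if !ok {
		return false, errors.New("ext claim is not a string")
	}
	var ext struct {
		BlueGroups []string `json:"blueGroups"`
	}
	if err := json.Unmarshal([]byte(extstr), &ext); err != nil {
		return false, err
	}
	for _, g := range ext.BlueGroups {
		if g == required {
			return true, nil
		}
	}
	return false, nil
}

// sampleToken is a constructed token for illustration only.
var sampleToken = Claims{
	"email": "jane@example.com",
	"ext":   `{"company":"Example Co","blueGroups":["app-admins","all-staff"]}`,
}
```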

Copyright © IBM Corporation 2016-2019.

Documentation

Overview

Package ibmoidc provides code for using OpenID Connect to authenticate users via IBM w3id and IBM blueID.

Index

Constants

This section is empty.

Variables

var IBMidEndpoint = oauth2.Endpoint{
	AuthURL:  "https://idaas.iam.ibm.com/idaas/oidc/endpoint/default/authorize",
	TokenURL: "https://idaas.iam.ibm.com/idaas/oidc/endpoint/default/token",
}

IBMidEndpoint is the Endpoint for IBMid authentication.

var IBMidPublicKey = pemToRSA(`-----BEGIN CERTIFICATE----- [certificate body elided] -----END CERTIFICATE-----`)

var IBMw3idEndpoint = oauth2.Endpoint{
	AuthURL:  "https://w3id.sso.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize",
	TokenURL: "https://w3id.sso.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/token",
}

IBMw3idEndpoint is the Endpoint for IBM w3ID authentication.

var IBMw3idPublicKey = pemToRSA(`-----BEGIN CERTIFICATE----- [certificate body elided] -----END CERTIFICATE-----`)

IBMw3idPublicKey is the rsa.PublicKey to use to verify the signature on an id_token value returned from IBMw3idEndpoint.TokenURL.

var IBMw3idStagingEndpoint = oauth2.Endpoint{
	AuthURL:  "https://w3id.alpha.sso.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize",
	TokenURL: "https://w3id.alpha.sso.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/token",
}

IBMw3idStagingEndpoint is the endpoint for testing IBM w3ID authentication.

var IBMw3idStagingPublicKey = pemToRSA(`-----BEGIN CERTIFICATE----- [certificate body elided] -----END CERTIFICATE-----`)

var IBMw3idTapEndpoint = oauth2.Endpoint{
	AuthURL:  "https://w3id.tap.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize",
	TokenURL: "https://w3id.tap.ibm.com/isam/oidc/endpoint/amapp-runtime-oidcidp/token",
}

IBMw3idTapEndpoint is the TAP pilot endpoint for IBM w3ID authentication.

var IBMw3idTapPublicKey = pemToRSA(`-----BEGIN CERTIFICATE----- [certificate body elided] -----END CERTIFICATE-----`)

IBMw3idTapPublicKey is the rsa.PublicKey to use to verify the signature on an id_token value returned from IBMw3idTapEndpoint.TokenURL.

Functions

func MakeCSRFcookie

func MakeCSRFcookie(tok string) *http.Cookie

MakeCSRFcookie turns a string generated by MakeCSRFtoken into a CSRF cookie.

func MakeCSRFtoken

func MakeCSRFtoken() (string, error)

MakeCSRFtoken makes a random 32-character string for use as a CSRF token.

func ReadCSRFcookie

func ReadCSRFcookie(r *http.Request) string

ReadCSRFcookie gets the token from the CSRF cookie, if found.

func RequestWithToken added in v1.2.1

func RequestWithToken(r *http.Request, cs *jwt.Token) *http.Request

RequestWithToken adds a token to the http request, using a private context key.

func TokenFromRequest added in v1.2.1

func TokenFromRequest(r *http.Request) (*jwt.Token, bool)

TokenFromRequest obtains the authenticated token from the request's context, where it was stored earlier by RequestWithToken. The boolean indicates whether an authenticated token was actually found in the request.

Types

type Authenticator

type Authenticator struct {
	OAuth2 *oauth2.Config
	PubKey *rsa.PublicKey
}

Authenticator is an object for processing IBM authentication responses.

func NewIBMidAuthenticator added in v1.2.1

func NewIBMidAuthenticator(clientid, clientsecret, redirecturl string) *Authenticator

NewIBMidAuthenticator creates an Authenticator object for processing IBMid authentication server responses.

func NewIntranetAuthenticator

func NewIntranetAuthenticator(clientid, clientsecret, redirecturl string) *Authenticator

NewIntranetAuthenticator creates an Authenticator object for processing intranet w3ID authentication server responses.

func NewIntranetStagingAuthenticator added in v0.8.1

func NewIntranetStagingAuthenticator(clientid, clientsecret, redirecturl string) *Authenticator

NewIntranetStagingAuthenticator creates an Authenticator object for processing intranet w3ID authentication server responses from the staging server.

func (*Authenticator) BeginLogin

func (auth *Authenticator) BeginLogin() http.Handler

BeginLogin redirects the browser to the federated authentication provider in order to begin the login process.

func (*Authenticator) CompleteLogin

func (auth *Authenticator) CompleteLogin(next http.Handler) http.Handler

CompleteLogin accepts the HTTP GET response from the federated authentication provider and completes the login process by fetching identity information from the provider. The verified identity is then added to the request context, so that it can be accessed by the next handler in the chain using TokenFromRequest.

func (*Authenticator) CompleteLoginFunc added in v1.2.1

func (auth *Authenticator) CompleteLoginFunc(next http.HandlerFunc) http.HandlerFunc

CompleteLoginFunc is the http.HandlerFunc version of CompleteLogin. It accepts the HTTP GET response from the federated authentication provider and completes the login process by fetching identity information from the provider. The verified identity is then added to the request context, so that it can be accessed by the next handler in the chain using TokenFromRequest.

func (*Authenticator) FetchToken added in v0.8.1

func (auth *Authenticator) FetchToken(code string) (*jwt.Token, error)
