Documentation
Index
- Variables
- func AddFlags(set *pflag.FlagSet)
- func ContextWithSubject(parent context.Context, subject *Subject) context.Context
- type HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) AddKeysFile(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) AddKeysURL(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) AddPublicPath(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) Build() (result func(http.Handler) http.Handler, err error)
- func (b *HandlerWrapperBuilder) SetFlags(flags *pflag.FlagSet) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetGuestSubject(value *Subject) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetKeysCA(value *x509.CertPool) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetKeysCAFile(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetKeysInsecure(value bool) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetKeysToken(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetKeysTokenFile(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetLogger(value *slog.Logger) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetRealm(value string) *HandlerWrapperBuilder
- func (b *HandlerWrapperBuilder) SetTolerance(value time.Duration) *HandlerWrapperBuilder
- type Subject
Constants
This section is empty.
Variables
var Guest = &Subject{
	Name: guestName,
	Claims: map[string]any{
		"sub": guestName,
	},
}
Guest is the subject used when no authentication has been performed.
Functions
Types
type HandlerWrapperBuilder
type HandlerWrapperBuilder struct {
// contains filtered or unexported fields
}
HandlerWrapperBuilder contains the data and logic needed to create a wrapper that knows how to convert an HTTP handler into another one that also performs authentication using the JSON web token from the authorization header.
The locations of the JSON web key sets used to verify the signatures of the tokens should be specified by calling the AddKeysFile or AddKeysURL methods of the builder. If no JSON web key set location is specified then access will be granted to any client.
Don't create instances of this object directly, use the NewHandlerWrapper function instead.
func NewHandlerWrapper
func NewHandlerWrapper() *HandlerWrapperBuilder
NewHandlerWrapper creates a builder that can then be configured and used to create authentication handler wrappers. This wrapper is a function that transforms an HTTP handler into another that performs authentication using the JWT in the authorization header.
func (*HandlerWrapperBuilder) AddKeysFile
func (b *HandlerWrapperBuilder) AddKeysFile(value string) *HandlerWrapperBuilder
AddKeysFile adds a file containing a JSON web key set that will be used to verify the signatures of the tokens. The keys from this file will be loaded when a token is received containing an unknown key identifier.
If no keys file or URL is provided then all requests will be accepted and the guest subject will be added to the context.
func (*HandlerWrapperBuilder) AddKeysURL
func (b *HandlerWrapperBuilder) AddKeysURL(value string) *HandlerWrapperBuilder
AddKeysURL adds a URL containing a JSON web key set that will be used to verify the signatures of the tokens. The keys from these URLs will be loaded when a token is received containing an unknown key identifier.
If no keys file or URL is provided then all requests will be accepted and the guest subject will be added to the context.
func (*HandlerWrapperBuilder) AddPublicPath
func (b *HandlerWrapperBuilder) AddPublicPath(value string) *HandlerWrapperBuilder
AddPublicPath adds a regular expression that defines parts of the URL space that are considered public, and therefore require no authentication. This method may be called multiple times, and then all the given regular expressions will be used to check what parts of the URL space are public.
func (*HandlerWrapperBuilder) Build
func (b *HandlerWrapperBuilder) Build() (result func(http.Handler) http.Handler, err error)
Build uses the data stored in the builder to create a new authentication handler wrapper.
func (*HandlerWrapperBuilder) SetFlags
func (b *HandlerWrapperBuilder) SetFlags(flags *pflag.FlagSet) *HandlerWrapperBuilder
SetFlags sets the command line flags that should be used to configure the wrapper. This is optional.
func (*HandlerWrapperBuilder) SetGuestSubject
func (b *HandlerWrapperBuilder) SetGuestSubject(value *Subject) *HandlerWrapperBuilder
SetGuestSubject sets the subject that will be added to the context for public parts of the URL space if no authentication details are provided in the request. The default is to use the built-in guest subject, which has only one 'guest' identity.
func (*HandlerWrapperBuilder) SetKeysCA
func (b *HandlerWrapperBuilder) SetKeysCA(value *x509.CertPool) *HandlerWrapperBuilder
SetKeysCA sets the certificate authorities that will be trusted when verifying the certificate of the web server where keys are loaded from.
func (*HandlerWrapperBuilder) SetKeysCAFile
func (b *HandlerWrapperBuilder) SetKeysCAFile(value string) *HandlerWrapperBuilder
SetKeysCAFile sets the file containing the certificates of the certificate authorities that will be trusted when verifying the certificate of the web server where keys are loaded from.
func (*HandlerWrapperBuilder) SetKeysInsecure
func (b *HandlerWrapperBuilder) SetKeysInsecure(value bool) *HandlerWrapperBuilder
SetKeysInsecure sets the flag that indicates that the certificate of the web server where the keys are loaded from should not be checked. The default is false; changing it to true makes the token verification insecure, so refrain from doing that in security-sensitive environments.
func (*HandlerWrapperBuilder) SetKeysToken
func (b *HandlerWrapperBuilder) SetKeysToken(value string) *HandlerWrapperBuilder
SetKeysToken sets the bearer token that will be used in the HTTP requests to download JSON web key sets. This is optional, by default no token is used.
func (*HandlerWrapperBuilder) SetKeysTokenFile
func (b *HandlerWrapperBuilder) SetKeysTokenFile(value string) *HandlerWrapperBuilder
SetKeysTokenFile sets the name of the file containing the bearer token that will be used in the HTTP requests to download JSON web key sets.
This is intended for use when running inside a Kubernetes cluster and using service account tokens for authentication. In that case it is convenient to set this to the following value:
/run/secrets/kubernetes.io/serviceaccount/token
Kubernetes writes in that file the token of the service account of the pod. That token grants access to the following JSON web key set URL, which should be set using the AddKeysURL method:
https://kubernetes/openid/v1/jwks
This is optional, by default no token file is used.
func (*HandlerWrapperBuilder) SetLogger
func (b *HandlerWrapperBuilder) SetLogger(value *slog.Logger) *HandlerWrapperBuilder
SetLogger sets the logger that the middleware will use to send messages to the log. This is mandatory.
func (*HandlerWrapperBuilder) SetRealm
func (b *HandlerWrapperBuilder) SetRealm(value string) *HandlerWrapperBuilder
SetRealm sets the realm that will be returned in the WWW-Authenticate header when authentication fails. This is optional and the default value is O2IMS.
func (*HandlerWrapperBuilder) SetTolerance
func (b *HandlerWrapperBuilder) SetTolerance(value time.Duration) *HandlerWrapperBuilder
SetTolerance sets the maximum time that a token will be considered valid after it has expired. For example, to accept requests with tokens that have expired up to five minutes ago:
wrapper, err := authentication.NewHandlerWrapper().
	SetLogger(logger).
	AddKeysURL("https://...").
	SetTolerance(5 * time.Minute).
	Build()
if err != nil {
	...
}
The default value is zero tolerance.
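As an added example (not the package's own code), the following stand-alone Go model applies the rules documented above for AddPublicPath, SetGuestSubject, SetRealm and SetTolerance to a single request. The verified function is an assumed stand-in for JWKS signature verification, and the paths, tokens and claims used are constructed.

```go
// Added illustration, not the package's own code: a stand-alone model of the
// documented rules (public paths and the guest subject, tolerance on 'exp',
// realm in the 401 challenge); verified is an assumed stand-in for JWKS checks.
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Subject mirrors the documented type; Guest is the built-in guest subject.
type Subject struct {
	Token  string
	Name   string
	Claims map[string]any
}
var Guest = &Subject{Name: "guest", Claims: map[string]any{"sub": "guest"}}

// Authenticate decides one request: it returns the subject to put in the
// context, or nil plus the WWW-Authenticate challenge for a 401 response.
// publicPaths are the AddPublicPath expressions, realm and tolerance the
// SetRealm/SetTolerance values; verified returns the claims of a token whose
// signature checks out against the key set, or an error.
func Authenticate(path, authz string, publicPaths []*regexp.Regexp, realm string,
	tolerance time.Duration, now time.Time,
	verified func(token string) (map[string]any, error)) (*Subject, string) {
	challenge := fmt.Sprintf(`Bearer realm="%s"`, realm)
	token := strings.TrimPrefix(authz, "Bearer ")
	if token == authz { // empty or not a bearer header: no usable credentials
		// Only public paths pass without credentials, and they get the guest subject.
		for _, re := range publicPaths {
			if re.MatchString(path) {
				return Guest, ""
			}
		}
		return nil, challenge
	}
	claims, err := verified(token)
	if err != nil {
		return nil, challenge
	}
	// 'exp' is a NumericDate (seconds, decoded as float64); accept up to tolerance past it.
	exp, _ := claims["exp"].(float64)
	if now.After(time.Unix(int64(exp), 0).Add(tolerance)) {
		return nil, challenge
	}
	name, _ := claims["sub"].(string)
	return &Subject{Token: token, Name: name, Claims: claims}, ""
}
```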
type Subject
type Subject struct {
	// Token is the raw token.
	Token string

	// Name is the name of the subject, typically extracted from the 'sub' claim.
	Name string

	// Claims is the complete set of claims extracted from the token.
	Claims map[string]any
}
Subject represents an entity, such as a person or a service account.
func SubjectFromContext
SubjectFromContext extracts the subject from the context. Panics if there is no subject in the context.