tokenclient

package v0.21.0

This package is not in the latest version of its module.

Published: Mar 25, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

README

Go Token Client

This tokenclient module provides a slim client to call the /oauth2/token identity service endpoints as specified here. Furthermore, it introduces a new API to support the following token flow:

  • Client Credentials Flow.
    The Client Credentials flow (RFC 6749, section 4.4) is used by clients to obtain an access token outside of the context of a user. It is used for non-interactive applications (a CLI, a batch job, or service-2-service communication) where the token is issued to the client application itself, instead of an end user, for accessing resources without principal propagation.

Initialization

Instantiate TokenFlows. By default it uses a simple http.Client, which should NOT be used in production; pass your own client via Options.HTTPClient instead.

config, err := env.ParseIdentityConfig()
if err != nil {
    panic(err)
}

tokenFlows, err := tokenclient.NewTokenFlows(config, tokenclient.Options{HTTPClient: <your http.Client>})
if err != nil {
    panic(err)
}

Get TokenFlows from middleware

In case you leverage auth.NewMiddleware, you can also get an initialized TokenFlows from there:

tokenFlows, err := authMiddleware.GetTokenFlows()
if err != nil {
    panic(err)
}

Usage

TokenFlows allows applications to easily create and execute each flow.

Client Credentials Token Flow

Obtain a client credentials token:

params := map[string]string{
	"resource": "urn:sap:identity:consumer:clientid:<<consumer identifier>>",
}
// the customer's tenant URL; here it is taken from the issuer of an already parsed OIDC token
customerTenantUrl := oidcToken.Issuer()
encodedToken, err := tokenFlows.ClientCredentials(context.TODO(), customerTenantUrl, tokenclient.RequestOptions{Params: params})
if err != nil {
	log.Fatal(err)
}

// optionally you can parse the token to access its claims
token, e := auth.NewToken(encodedToken)
if e != nil {
	log.Fatal(e)
}

In the above sample the resource parameter specifies the consumer's client id the token is targeted at.
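To make the exchange behind ClientCredentials concrete, here is an added, self-contained example that is not the module's own code: it posts a client_credentials grant to <tenant>/oauth2/token with the resource parameter, maps a non-200 answer to a RequestFailedError shaped like the page's type, and runs against a constructed fake endpoint. The client id client-a, the secret s3cret, HTTP Basic client authentication and the JSON reply are constructed assumptions; the real identity service's details may differ.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RequestFailedError mirrors the page's type: the token endpoint answered with a non-200 status.
type RequestFailedError struct{ StatusCode int }
func (e *RequestFailedError) Error() string { return fmt.Sprintf("token request failed: HTTP %d", e.StatusCode) }

// ClientCredentials posts a client_credentials grant to <tenantURL>/oauth2/token, authenticating the client
// itself with HTTP Basic (no user involved), and returns the raw access token for the caller to parse.
func ClientCredentials(ctx context.Context, hc *http.Client, tenantURL, clientID, clientSecret string, params map[string]string) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	for k, v := range params { form.Set(k, v) } // like RequestOptions.Params: add or override payload fields
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, strings.TrimRight(tenantURL, "/")+"/oauth2/token", strings.NewReader(form.Encode()))
	if err != nil { return "", err }
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // assumption: client secret sent as HTTP Basic credentials
	resp, err := hc.Do(req)
	if err != nil { return "", err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", &RequestFailedError{StatusCode: resp.StatusCode} // callers can errors.As on this
	}
	var body struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.AccessToken == "" {
		return "", fmt.Errorf("malformed token response: %v", err)
	}
	return body.AccessToken, nil
}

// FakeTokenHandler is a constructed stand-in for the identity service (not SAP's): token only for the expected client.
func FakeTokenHandler(w http.ResponseWriter, r *http.Request) {
	if id, secret, _ := r.BasicAuth(); r.URL.Path != "/oauth2/token" || id != "client-a" || secret != "s3cret" || r.FormValue("grant_type") != "client_credentials" {
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"access_token":"tok-for-%s","token_type":"Bearer","expires_in":3600}`, r.FormValue("resource"))
}

func main() { // end-to-end run against the constructed endpoint
	srv := httptest.NewServer(http.HandlerFunc(FakeTokenHandler))
	defer srv.Close()
	fmt.Println(ClientCredentials(context.Background(), srv.Client(), srv.URL, "client-a", "s3cret", map[string]string{"resource": "urn:sap:identity:consumer:clientid:consumer-x"}))
}
```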

Outlook: Cache

The TokenFlows will cache tokens internally.

Documentation

Overview

SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Cloud Security Client Go contributors

SPDX-License-Identifier: Apache-2.0

Types

type Options

type Options struct {
	HTTPClient *http.Client // Default: basic http.Client with a timeout of 10 seconds and allowing 50 idle connections
}

Options allows configuring the http(s) client.

type RequestFailedError

type RequestFailedError struct {
	// StatusCode of failed request
	StatusCode int
	// contains filtered or unexported fields
}

RequestFailedError represents an HTTP server error.

func (*RequestFailedError) Error

func (e *RequestFailedError) Error() string

Error returns the error message of the RequestFailedError, implementing the error interface.

type RequestOptions

type RequestOptions struct {
	// Request parameters that shall be overwritten or added to the payload
	Params map[string]string
	// Token Endpoint overwrites the default used /oauth2/token
	TokenEndpoint string
}

RequestOptions allows configuring the token request.

type TokenFlows

type TokenFlows struct {
	Options Options
	// contains filtered or unexported fields
}

TokenFlows is set up once per application.

func NewTokenFlows

func NewTokenFlows(identity env.Identity, options Options) (*TokenFlows, error)

NewTokenFlows initializes token flows

identity provides the credentials and URL to authenticate the client with the identity service. options specifies the REST client, including the TLS config. Note: setup of the default TLS config is not supported on Windows; the crypto/x509 module supports SystemCertPool there as of Go 1.18 (https://go-review.googlesource.com/c/go/+/353589/).

func (*TokenFlows) ClientCredentials

func (t *TokenFlows) ClientCredentials(ctx context.Context, customerTenantURL string, options RequestOptions) (string, error)

ClientCredentials implements the client credentials flow (RFC 6749, section 4.4). Clients obtain an access token outside the context of a user. It is used for non-interactive applications (a CLI, a batch job, or for service-2-service communication) where the token is issued to the application itself, instead of an end user for accessing resources without principal propagation.

ctx carries the request context, such as the deadline or other values that should be shared across API boundaries. customerTenantURL, like "https://custom.accounts400.ondemand.com", gives the host of the customer's IAS tenant. options allows providing additional request parameters.
