Documentation ¶
Overview ¶
Package keycloak implements an HTTP middleware that handles the OAuth2 Authorization Code Grant flow using a Keycloak configuration.
Index ¶
- type AddressClaim
- type Config
- func (c Config) AccountURL(referrer string) string
- func (c Config) LogoutURL(redirectURI string) string
- func (c Config) OAuth2(provider *oidc.Provider, redirectURL string, scopes []string) *oauth2.Config
- func (c Config) Provider(ctx context.Context) (*oidc.Provider, error)
- func (c Config) URL() string
- type Credentials
- type EmailClaim
- type ErrorLogger
- type InsecureStore
- type Middleware
- type PhoneNumberClaim
- type ProfileClaim
- type Session
- type SessionStore
- type StandardClaims
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AddressClaim ¶
type AddressClaim struct {
	// Formatted Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	Formatted string `json:"formatted"`
	// StreetAddress Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
	StreetAddress string `json:"street_address"`
	// Locality City or locality component.
	Locality string `json:"locality"`
	// Region State, province, prefecture, or region component.
	Region string `json:"region"`
	// PostalCode Zip code or postal code component.
	PostalCode string `json:"postal_code"`
	// Country Country name component.
	Country string `json:"country"`
}
AddressClaim as specified in http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
type Config ¶
type Config struct {
	Realm            string       `json:"realm"`             // "dms"
	AuthServerURL    string       `json:"auth-server-url"`   // "https://id.landgrafx.de/auth"
	SSLRequired      string       `json:"ssl-required"`      // "all"
	Resource         string       `json:"resource"`          // "dms-frontend"
	Credentials      *Credentials `json:"credentials"`
	ConfidentialPort int          `json:"confidential-port"` // 0
}
Config contains the configuration in the Keycloak OIDC JSON format.
func ParseConfig ¶
ParseConfig parses the keycloak configuration in the Keycloak OIDC JSON format.
func (Config) AccountURL ¶
AccountURL generates the OpenID Connect account URL for the given referrer.
type Credentials ¶
type Credentials struct {
Secret string `json:"secret"` // "bc199826-e290-44e9-a6bd-8af4808e10b7"
}
Credentials contains the client credentials for keycloak
type EmailClaim ¶
type EmailClaim struct {
	// Email Preferred e-mail address
	Email string `json:"email"`
	// EmailVerified True if the e-mail address has been verified; otherwise false
	EmailVerified bool `json:"email_verified"`
}
EmailClaim as specified in http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
type ErrorLogger ¶
type ErrorLogger func(v ...interface{})
ErrorLogger is the function used to log authentication errors.
type InsecureStore ¶
type InsecureStore struct {
// contains filtered or unexported fields
}
InsecureStore implements the SessionStore interface in a naive, insecure way.
func NewInsecureStore ¶
func NewInsecureStore(redirectAfterLoginURL string) *InsecureStore
NewInsecureStore creates a new insecure cookie-based store that redirects to the passed URL after a successful login.
func (*InsecureStore) DeleteSession ¶
func (s *InsecureStore) DeleteSession(session *Session)
DeleteSession implements SessionStore DeleteSession
func (*InsecureStore) GetSession ¶
func (s *InsecureStore) GetSession(r *http.Request) (*Session, error)
GetSession implements SessionStore GetSession
func (*InsecureStore) NewSession ¶
func (s *InsecureStore) NewSession(w http.ResponseWriter, r *http.Request, next http.Handler, session *Session)
NewSession implements SessionStore NewSession
type Middleware ¶
type Middleware struct {
	BaseURL      string
	PathPrefix   string
	Scopes       []string
	Logger       ErrorLogger
	SessionStore SessionStore
	// contains filtered or unexported fields
}
Middleware handles unauthenticated incoming connections, redirecting them to keycloak.
func GetMiddleware ¶
func GetMiddleware(ctx context.Context) *Middleware
GetMiddleware returns the middleware from the current context.
func (*Middleware) ConnectWithKeycloak ¶
func (m *Middleware) ConnectWithKeycloak(path string) error
ConnectWithKeycloak connects to Keycloak using the Keycloak OIDC JSON format file at the given path.
func (*Middleware) Handler ¶
func (m *Middleware) Handler(next http.Handler) http.Handler
Handler configures the middleware's next hop.
func (*Middleware) RedirectToKeycloak ¶
func (m *Middleware) RedirectToKeycloak(w http.ResponseWriter, r *http.Request)
RedirectToKeycloak redirects the client browser to keycloak for authentication
func (*Middleware) ServeHTTP ¶
func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request)
type PhoneNumberClaim ¶
type PhoneNumberClaim struct {
	// PhoneNumber End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
	PhoneNumber string `json:"phone_number"`
	// PhoneNumberVerified True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
	PhoneNumberVerified bool `json:"phone_number_verified"`
}
PhoneNumberClaim as specified in http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
type ProfileClaim ¶
type ProfileClaim struct {
	// Name End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
	Name string `json:"name"`
	// FamilyName Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
	FamilyName string `json:"family_name"`
	// GivenName Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
	GivenName string `json:"given_name"`
	// MiddleName Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
	MiddleName string `json:"middle_name"`
	// Nickname Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
	Nickname string `json:"nickname"`
	// PreferredUsername Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
	PreferredUsername string `json:"preferred_username"`
	// ProfileURL URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
	ProfileURL string `json:"profile"`
	// PictureURL URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
	PictureURL string `json:"picture"`
	// WebsiteURL URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
	WebsiteURL string `json:"website"`
	// Gender End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
	Gender string `json:"gender"`
	// Birthdate End-User's birthday, represented as an ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed.
	Birthdate string `json:"birthdate"`
	// Zoneinfo String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
	Zoneinfo string `json:"zoneinfo"`
	// Locale End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639-1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166-1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.
	Locale string `json:"locale"`
	// Address End-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.
	Address *AddressClaim `json:"address"`
	// UpdatedAt Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
	UpdatedAt uint64 `json:"updated_at"`
}
ProfileClaim as specified in http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
type Session ¶
Session holds the session ID and the oauth2 token.
func GetSession ¶
GetSession returns the session from the current context
func (*Session) Claims ¶
Claims unmarshals the raw JSON payload of the ID Token into a provided struct.
func (*Session) RawOpenIDToken ¶
RawOpenIDToken returns the raw OpenID token, or an empty string if the session has none.
func (*Session) StandardClaims ¶
func (s *Session) StandardClaims() (*StandardClaims, error)
StandardClaims parses and returns the standard claims of the session's ID Token.
type SessionStore ¶
type SessionStore interface {
	// NewSession gets called after successful session creation.
	// The passed response writer and request objects can be used to handle the
	// connection directly.
	NewSession(http.ResponseWriter, *http.Request, http.Handler, *Session)
	// GetSession must return the session for the given request; if no session
	// is returned, the user will be redirected to keycloak to authenticate.
	GetSession(*http.Request) (*Session, error)
	// DeleteSession gets called on logout.
	DeleteSession(*Session)
}
SessionStore is the interface a session store must implement to be used by the keycloak middleware.
type StandardClaims ¶
type StandardClaims struct {
	ProfileClaim
	PhoneNumberClaim
	EmailClaim
}
StandardClaims as specified in http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims