
package oidc

import "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"

oidc implements the authenticator.Token interface using the OpenID Connect protocol.

// Build the authenticator directly from an Options literal: trust ID Tokens
// issued by accounts.google.com for the client named in GOOGLE_CLIENT_ID, and
// map the token's "email" claim to the Kubernetes username.
// NOTE(review): "email" is only a safe username key if the provider guarantees
// the claim is verified and unique for the account — confirm before relying on it.
// The error from oidc.New is left unchecked here for brevity only.
tokenAuthenticator, err := oidc.New(oidc.Options{
	IssuerURL:     "https://accounts.google.com",
	ClientID:      os.Getenv("GOOGLE_CLIENT_ID"),
	UsernameClaim: "email",
})


type Authenticator Uses

// Authenticator implements the authenticator.Token interface using OpenID
// Connect ID Tokens. Construct one with New and release it with Close.
type Authenticator struct {
    // contains filtered or unexported fields
}

func New Uses

// New constructs an Authenticator configured by opts. The returned error must
// be checked before the Authenticator is used; the package example omits that
// check only for brevity.
func New(opts Options) (*Authenticator, error)

func (*Authenticator) AuthenticateToken Uses

// AuthenticateToken validates token as an OpenID Connect ID Token and, on
// success, returns the resulting authenticator.Response. The bool reports
// whether the token was accepted by this authenticator; a non-nil error
// describes why it was rejected.
// NOTE(review): the exact split between "not handled here" (false, nil) and
// "rejected" (false, err) is not visible on this page — confirm against
// oidc.go before building caller logic on it.
func (a *Authenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)

func (*Authenticator) Close Uses

// Close releases resources held by the Authenticator.
// NOTE(review): which resources are released (for example any background
// provider/key refresh) is not visible on this page — see oidc.go.
func (a *Authenticator) Close()

type Options Uses

// Options configures the Authenticator returned by New.
type Options struct {
    // IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
    // field of all tokens produced by the provider and is used for configuration
    // discovery.
    //
    // The URL is usually the provider's URL without a path, for example
    // "https://accounts.google.com" or "https://login.salesforce.com".
    //
    // The provider must implement configuration discovery.
    // See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
    IssuerURL string

    // ClientID the JWT must be issued for, i.e. the value expected in the token's
    // "aud" (audience) claim. This plugin only trusts a single client to ensure
    // the plugin can be used with public providers.
    //
    // The plugin supports the "authorized party" OpenID Connect claim, which allows
    // specialized providers to issue tokens to a client for a different client.
    // See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
    ClientID string

    // APIAudiences are the audiences that the API server identifies as. The
    // (API audiences unioned with the ClientIDs) should have a non-empty
    // intersection with the request's target audience. This preserves the
    // behavior of the OIDC authenticator pre-introduction of API audiences.
    APIAudiences authenticator.Audiences

    // CAFile is the path to a PEM encoded root certificate of the provider.
    // NOTE(review): what is trusted when this is empty (system roots or
    // nothing) is not visible on this page — confirm in oidc.go.
    CAFile string

    // UsernameClaim is the JWT field to use as the user's username.
    UsernameClaim string

    // UsernamePrefix, if specified, causes claims mapping to username to be prefixed
    // with the provided value. A value "oidc:" would result in usernames like "oidc:john".
    UsernamePrefix string

    // GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
    // groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
    // must be a string or list of strings.
    GroupsClaim string

    // GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
    // value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
    GroupsPrefix string

    // SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
    // can be used by the provider to sign tokens.
    //
    // https://tools.ietf.org/html/rfc7518#section-3.1
    //
    // This value defaults to RS256, the value recommended by the OpenID Connect
    // spec:
    //
    // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
    SupportedSigningAlgs []string

    // RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the
    // required claims key value pairs are present in the ID Token.
    RequiredClaims map[string]string
    // contains filtered or unexported fields
}
