Constants ¶
const ( AuthnStrategyCookieSession = "CookieSession" AuthnStrategyHeaderAuthorization = "HeaderAuthorization" AuthnStrategyHeaderProxyAuthorization = "HeaderProxyAuthorization" AuthnStrategyHeaderAuthRequestProxyAuthorization = "HeaderAuthRequestProxyAuthorization" AuthnStrategyHeaderLegacy = "HeaderLegacy" )
AuthnStrategy names.
const ( WebAuthnExtensionCredProps = "credProps" WebAuthnExtensionCredPropsResidentKey = "rk" WebAuthnDiscoverable = "discoverable" )
const (
// ActionResetPassword is the string representation of the action for which the token has been produced.
ActionResetPassword = "ResetPassword"
)
Variables ¶
var ResetPasswordIdentityFinish = middlewares.IdentityVerificationFinish( middlewares.IdentityVerificationFinishArgs{ActionClaim: ActionResetPassword}, resetPasswordIdentityFinish)
ResetPasswordIdentityFinish the handler for finishing the identity validation.
var ResetPasswordIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{ MailTitle: "Reset your password", MailButtonContent: "Reset", MailButtonRevokeContent: "Revoke", TargetEndpoint: "/reset-password/step2", RevokeEndpoint: "/revoke/reset-password", ActionClaim: ActionResetPassword, IdentityRetrieverFunc: identityRetrieverFromStorage, }, middlewares.TimingAttackDelay(10, 250, 85, time.Millisecond*500, false))
ResetPasswordIdentityStart is the handler for initiating the identity validation for resetting a password. To prevent user enumeration it must always reply with 200, regardless of what happens in the backend (unknown user, mail failure, etc.); it is additionally wrapped with middlewares.TimingAttackDelay so that response timing is less likely to reveal whether the identity exists.
Functions ¶
func CheckSafeRedirectionPOST ¶ added in v4.35.0
func CheckSafeRedirectionPOST(ctx *middlewares.AutheliaCtx)
CheckSafeRedirectionPOST is the handler checking whether a redirection to the URL provided in the request body is safe, i.e. permitted as a post-authentication redirect target, so that the portal cannot be used as an open redirector.
func ConfigurationGET ¶ added in v4.35.0
func ConfigurationGET(ctx *middlewares.AutheliaCtx)
ConfigurationGET returns the configuration accessible to authenticated users.
func DuoDeviceDELETE ¶ added in v4.38.0
func DuoDeviceDELETE(ctx *middlewares.AutheliaCtx)
DuoDeviceDELETE deletes the user's preferred Duo device and method.
func DuoDevicePOST ¶ added in v4.35.0
func DuoDevicePOST(ctx *middlewares.AutheliaCtx)
DuoDevicePOST update the user preferences regarding Duo device and method.
func DuoDevicesGET ¶ added in v4.35.0
func DuoDevicesGET(duoAPI duo.API) middlewares.RequestHandler
DuoDevicesGET handler for retrieving available devices and capabilities from duo api.
func DuoPOST ¶ added in v4.35.0
func DuoPOST(duoAPI duo.API) middlewares.RequestHandler
DuoPOST handler for sending a push notification via duo api.
func FirstFactorPOST ¶ added in v4.35.0
func FirstFactorPOST(delayFunc middlewares.TimingAttackDelayFunc) middlewares.RequestHandler
FirstFactorPOST is the handler performing first factor (username/password) authentication. The delayFunc parameter is a middlewares.TimingAttackDelayFunc used to normalise response time so that timing differences between valid and invalid usernames do not enable user enumeration.
func Handle1FAResponse ¶
func Handle1FAResponse(ctx *middlewares.AutheliaCtx, targetURI, requestMethod string, username string, groups []string)
Handle1FAResponse handle the redirection upon 1FA authentication.
func Handle2FAResponse ¶
func Handle2FAResponse(ctx *middlewares.AutheliaCtx, targetURI string)
Handle2FAResponse handle the redirection upon 2FA authentication.
func HandleAllow ¶ added in v4.33.0
func HandleAllow(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, bodyJSON *bodySignDuoRequest)
HandleAllow handler for successful logins.
func HandleAutoSelection ¶ added in v4.33.0
func HandleAutoSelection(ctx *middlewares.AutheliaCtx, devices []DuoDevice, username string) (string, string, error)
HandleAutoSelection handler automatically selects preferred device if there is only one suitable option.
func HandleInitialDeviceSelection ¶ added in v4.33.0
func HandleInitialDeviceSelection(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API, bodyJSON *bodySignDuoRequest) (device string, method string, err error)
HandleInitialDeviceSelection handler for retrieving all available devices.
func HandlePreferredDeviceCheck ¶ added in v4.33.0
func HandlePreferredDeviceCheck(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API, device string, method string, bodyJSON *bodySignDuoRequest) (string, string, error)
HandlePreferredDeviceCheck handler to check if the saved device and method is still valid.
func HealthGET ¶ added in v4.35.0
func HealthGET(ctx *middlewares.AutheliaCtx)
HealthGET can be used by health checks.
func JSONWebKeySetGET ¶ added in v4.35.0
func JSONWebKeySetGET(ctx *middlewares.AutheliaCtx)
JSONWebKeySetGET returns the JSON Web Key Set. Used in OAuth 2.0 and OpenID Connect 1.0.
func LogoutPOST ¶ added in v4.35.0
func LogoutPOST(ctx *middlewares.AutheliaCtx)
LogoutPOST is the handler logging out the user attached to the given cookie.
func MethodPreferencePOST ¶ added in v4.35.0
func MethodPreferencePOST(ctx *middlewares.AutheliaCtx)
MethodPreferencePOST update the user preferences regarding 2FA method.
func OAuthAuthorizationServerWellKnownGET ¶ added in v4.35.0
func OAuthAuthorizationServerWellKnownGET(ctx *middlewares.AutheliaCtx)
OAuthAuthorizationServerWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the OAuth 2.0 Authorization Server Metadata (RFC8414).
RFC5785: Defining Well-Known URIs (https://datatracker.ietf.org/doc/html/rfc5785)
RFC8414: OAuth 2.0 Authorization Server Metadata (https://datatracker.ietf.org/doc/html/rfc8414)
func OAuthIntrospectionPOST ¶ added in v4.35.0
func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OAuthIntrospectionPOST handles POST requests to the OAuth 2.0 Introspection endpoint.
func OAuthRevocationPOST ¶ added in v4.35.0
func OAuthRevocationPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OAuthRevocationPOST handles POST requests to the OAuth 2.0 Revocation endpoint.
func OpenIDConnectAuthorization ¶ added in v4.37.2
func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r *http.Request)
OpenIDConnectAuthorization handles GET/POST requests to the OpenID Connect 1.0 Authorization endpoint.
https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
func OpenIDConnectConfigurationWellKnownGET ¶ added in v4.35.0
func OpenIDConnectConfigurationWellKnownGET(ctx *middlewares.AutheliaCtx)
OpenIDConnectConfigurationWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the OpenID Connect Discovery 1.0 metadata.
RFC5785: Defining Well-Known URIs (https://datatracker.ietf.org/doc/html/rfc5785)
OpenID Connect Discovery 1.0 (https://openid.net/specs/openid-connect-discovery-1_0.html)
func OpenIDConnectConsentGET ¶ added in v4.35.0
func OpenIDConnectConsentGET(ctx *middlewares.AutheliaCtx)
OpenIDConnectConsentGET handles requests to provide consent for OpenID Connect.
func OpenIDConnectConsentPOST ¶ added in v4.35.0
func OpenIDConnectConsentPOST(ctx *middlewares.AutheliaCtx)
OpenIDConnectConsentPOST handles consent responses for OpenID Connect.
func OpenIDConnectPushedAuthorizationRequest ¶ added in v4.38.0
func OpenIDConnectPushedAuthorizationRequest(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r *http.Request)
OpenIDConnectPushedAuthorizationRequest handles POST requests to the OAuth 2.0 Pushed Authorization Requests endpoint.
func OpenIDConnectTokenPOST ¶ added in v4.35.0
func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OpenIDConnectTokenPOST handles POST requests to the OpenID Connect 1.0 Token endpoint.
https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
func OpenIDConnectUserinfo ¶ added in v4.35.0
func OpenIDConnectUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OpenIDConnectUserinfo handles GET/POST requests to the OpenID Connect 1.0 UserInfo endpoint.
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
func PasswordPolicyConfigurationGET ¶ added in v4.36.0
func PasswordPolicyConfigurationGET(ctx *middlewares.AutheliaCtx)
PasswordPolicyConfigurationGET get the password policy configuration.
func ResetPasswordDELETE ¶ added in v4.38.0
func ResetPasswordDELETE(ctx *middlewares.AutheliaCtx)
ResetPasswordDELETE is the handler for deleting (revoking) password reset JWTs.
func ResetPasswordPOST ¶ added in v4.35.0
func ResetPasswordPOST(ctx *middlewares.AutheliaCtx)
ResetPasswordPOST handler for resetting passwords.
func SetStatusCodeResponse ¶ added in v4.35.0
func SetStatusCodeResponse(ctx *fasthttp.RequestCtx, statusCode int)
SetStatusCodeResponse writes a response status code and an appropriate body on either a *fasthttp.RequestCtx or *middlewares.AutheliaCtx.
func SetValues ¶ added in v4.33.0
func SetValues(userSession session.UserSession, device string, method string, remoteIP string, targetURL string, passcode string) (url.Values, error)
SetValues sets all appropriate Values for the Auth Request.
func StateGET ¶ added in v4.35.0
func StateGET(ctx *middlewares.AutheliaCtx)
StateGET is the handler serving the user state.
func Status ¶ added in v4.36.0
func Status(statusCode int) fasthttp.RequestHandler
Status handles basic status responses.
func TOTPConfigurationDELETE ¶ added in v4.38.0
func TOTPConfigurationDELETE(ctx *middlewares.AutheliaCtx)
TOTPConfigurationDELETE removes a registered TOTP configuration.
func TOTPRegisterDELETE ¶ added in v4.38.0
func TOTPRegisterDELETE(ctx *middlewares.AutheliaCtx)
TOTPRegisterDELETE removes a pending TOTP registration.
func TOTPRegisterGET ¶ added in v4.38.0
func TOTPRegisterGET(ctx *middlewares.AutheliaCtx)
TOTPRegisterGET returns the registration specific options.
func TOTPRegisterPOST ¶ added in v4.38.0
func TOTPRegisterPOST(ctx *middlewares.AutheliaCtx)
TOTPRegisterPOST handles validation that the user has properly registered the configuration.
func TOTPRegisterPUT ¶ added in v4.38.0
func TOTPRegisterPUT(ctx *middlewares.AutheliaCtx)
TOTPRegisterPUT handles the users choice of registration specific options and returns the generated configuration.
func TimeBasedOneTimePasswordGET ¶ added in v4.38.0
func TimeBasedOneTimePasswordGET(ctx *middlewares.AutheliaCtx)
TimeBasedOneTimePasswordGET returns the user's TOTP configuration.
func TimeBasedOneTimePasswordPOST ¶ added in v4.35.0
func TimeBasedOneTimePasswordPOST(ctx *middlewares.AutheliaCtx)
TimeBasedOneTimePasswordPOST validate the TOTP passcode provided by the user.
func UserInfoGET ¶ added in v4.34.6
func UserInfoGET(ctx *middlewares.AutheliaCtx)
UserInfoGET get the info related to the user identified by the session.
func UserInfoPOST ¶ added in v4.34.6
func UserInfoPOST(ctx *middlewares.AutheliaCtx)
UserInfoPOST handles setting up info for users if necessary when they login.
func UserSessionElevateDELETE ¶ added in v4.38.0
func UserSessionElevateDELETE(ctx *middlewares.AutheliaCtx)
UserSessionElevateDELETE marks a pending elevation session as revoked.
func UserSessionElevationGET ¶ added in v4.38.0
func UserSessionElevationGET(ctx *middlewares.AutheliaCtx)
UserSessionElevationGET returns the session elevation status.
func UserSessionElevationPOST ¶ added in v4.38.0
func UserSessionElevationPOST(ctx *middlewares.AutheliaCtx)
UserSessionElevationPOST creates a new elevation session to be validated.
func UserSessionElevationPUT ¶ added in v4.38.0
func UserSessionElevationPUT(ctx *middlewares.AutheliaCtx)
UserSessionElevationPUT validates an elevation session and puts it into effect.
func WebAuthnAssertionGET ¶ added in v4.38.0
func WebAuthnAssertionGET(ctx *middlewares.AutheliaCtx)
WebAuthnAssertionGET handler starts the assertion ceremony.
func WebAuthnAssertionPOST ¶ added in v4.38.0
func WebAuthnAssertionPOST(ctx *middlewares.AutheliaCtx)
WebAuthnAssertionPOST handler completes the assertion ceremony after verifying the challenge.
func WebAuthnCredentialDELETE ¶ added in v4.38.0
func WebAuthnCredentialDELETE(ctx *middlewares.AutheliaCtx)
WebAuthnCredentialDELETE deletes a specific credential for the current user.
func WebAuthnCredentialPUT ¶ added in v4.38.0
func WebAuthnCredentialPUT(ctx *middlewares.AutheliaCtx)
WebAuthnCredentialPUT updates the description for a specific credential for the current user.
func WebAuthnCredentialsGET ¶ added in v4.38.0
func WebAuthnCredentialsGET(ctx *middlewares.AutheliaCtx)
WebAuthnCredentialsGET returns all credentials registered for the current user.
func WebAuthnRegistrationDELETE ¶ added in v4.38.0
func WebAuthnRegistrationDELETE(ctx *middlewares.AutheliaCtx)
WebAuthnRegistrationDELETE deletes any active WebAuthn registration session.
func WebAuthnRegistrationPOST ¶ added in v4.38.0
func WebAuthnRegistrationPOST(ctx *middlewares.AutheliaCtx)
WebAuthnRegistrationPOST processes the attestation challenge response from the client.
func WebAuthnRegistrationPUT ¶ added in v4.38.0
func WebAuthnRegistrationPUT(ctx *middlewares.AutheliaCtx)
WebAuthnRegistrationPUT returns the attestation challenge from the server.
Types ¶
type Authn ¶ added in v4.38.0
type Authn struct { Username string Method string ClientID string Details authentication.UserDetails Level authentication.Level Object authorization.Object Type AuthnType Header HeaderAuthorization }
Authn is the outcome of an authentication attempt for an Authz request: the resolved username, the method and client identifier, the user details, the authentication level reached, the authorization.Object being accessed, the AuthnType that produced the result, and any header-derived authorization information.
type AuthnStrategy ¶ added in v4.38.0
type AuthnStrategy interface { Get(ctx *middlewares.AutheliaCtx, provider *session.Session, object *authorization.Object) (authn *Authn, err error) HeaderStrategy() (is bool) }
AuthnStrategy is a strategy used for Authz authentication.
type AuthnType ¶ added in v4.38.0
type AuthnType int
AuthnType is an auth type.
const ( // AuthnTypeNone is a nil Authentication AuthnType. AuthnTypeNone AuthnType = iota // AuthnTypeCookie is an Authentication AuthnType based on the Cookie header. AuthnTypeCookie // AuthnTypeProxyAuthorization is an Authentication AuthnType based on the Proxy-Authorization header. AuthnTypeProxyAuthorization // AuthnTypeAuthorization is an Authentication AuthnType based on the Authorization header. AuthnTypeAuthorization )
type Authz ¶ added in v4.38.0
type Authz struct {
// contains filtered or unexported fields
}
Authz is a type which is effectively a middlewares.RequestHandler for authorization requests. It should NOT be constructed manually; developers should instead use NewAuthzBuilder.
func (*Authz) Handler ¶ added in v4.38.0
func (authz *Authz) Handler(ctx *middlewares.AutheliaCtx)
Handler is the middlewares.RequestHandler for Authz.
type AuthzBearerIntrospectionProvider ¶ added in v4.38.0
type AuthzBearerIntrospectionProvider interface { GetRegisteredClient(ctx context.Context, id string) (client oidc.Client, err error) GetAudienceStrategy(ctx context.Context) (strategy oauthelia2.AudienceMatchingStrategy) IntrospectToken(ctx context.Context, token string, tokenUse oauthelia2.TokenUse, session oauthelia2.Session, scope ...string) (oauthelia2.TokenUse, oauthelia2.AccessRequester, error) }
type AuthzBuilder ¶ added in v4.38.0
type AuthzBuilder struct {
// contains filtered or unexported fields
}
AuthzBuilder is a builder pattern for the Authz type.
func NewAuthzBuilder ¶ added in v4.38.0
func NewAuthzBuilder() *AuthzBuilder
NewAuthzBuilder creates a new AuthzBuilder.
func (*AuthzBuilder) Build ¶ added in v4.38.0
func (b *AuthzBuilder) Build() (authz *Authz)
Build returns a new Authz from the currently configured options in this builder.
func (*AuthzBuilder) WithConfig ¶ added in v4.38.0
func (b *AuthzBuilder) WithConfig(config *schema.Configuration) *AuthzBuilder
WithConfig allows configuring the Authz config by providing a *schema.Configuration. This function converts it to an AuthzConfig and assigns it to the builder.
func (*AuthzBuilder) WithEndpointConfig ¶ added in v4.38.0
func (b *AuthzBuilder) WithEndpointConfig(config schema.ServerEndpointsAuthz) *AuthzBuilder
WithEndpointConfig configures the AuthzBuilder with a schema.ServerEndpointsAuthz. It should be called AFTER WithConfig (or WithAuthzConfig, if available), since the endpoint configuration builds on the values those set.
func (*AuthzBuilder) WithImplementationAuthRequest ¶ added in v4.38.0
func (b *AuthzBuilder) WithImplementationAuthRequest() *AuthzBuilder
WithImplementationAuthRequest configures this builder to output an Authz which is used with the AuthRequest implementation traditionally used by NGINX.
func (*AuthzBuilder) WithImplementationExtAuthz ¶ added in v4.38.0
func (b *AuthzBuilder) WithImplementationExtAuthz() *AuthzBuilder
WithImplementationExtAuthz configures this builder to output an Authz which is used with the ExtAuthz implementation traditionally used by Envoy.
func (*AuthzBuilder) WithImplementationForwardAuth ¶ added in v4.38.0
func (b *AuthzBuilder) WithImplementationForwardAuth() *AuthzBuilder
WithImplementationForwardAuth configures this builder to output an Authz which is used with the ForwardAuth implementation traditionally used by Traefik, Caddy, and Skipper.
func (*AuthzBuilder) WithImplementationLegacy ¶ added in v4.38.0
func (b *AuthzBuilder) WithImplementationLegacy() *AuthzBuilder
WithImplementationLegacy configures this builder to output an Authz which is used with the Legacy implementation which is a mix of the other implementations and usually works with most proxies.
func (*AuthzBuilder) WithStrategies ¶ added in v4.38.0
func (b *AuthzBuilder) WithStrategies(strategies ...AuthnStrategy) *AuthzBuilder
WithStrategies replaces all strategies in this builder with the provided value.
type AuthzConfig ¶ added in v4.38.0
type AuthzConfig struct { RefreshInterval schema.RefreshIntervalDuration // StatusCodeBadRequest is sent for configuration issues prior to performing authorization checks. It's set by the // builder. StatusCodeBadRequest int }
AuthzConfig represents the configuration elements of the Authz type.
type AuthzImplementation ¶ added in v4.38.0
type AuthzImplementation int
AuthzImplementation represents an Authz implementation.
const ( // AuthzImplLegacy is the legacy Authz implementation (VerifyGET). AuthzImplLegacy AuthzImplementation = iota // AuthzImplForwardAuth is the modern Forward Auth Authz implementation which is used by Caddy and Traefik. AuthzImplForwardAuth // AuthzImplAuthRequest is the modern Auth Request Authz implementation which is used by NGINX and modelled after // the ingress-nginx k8s ingress. AuthzImplAuthRequest // AuthzImplExtAuthz is the modern ExtAuthz Authz implementation which is used by Envoy. AuthzImplExtAuthz )
func (AuthzImplementation) String ¶ added in v4.38.0
func (i AuthzImplementation) String() string
String returns the text representation of this AuthzImplementation.
type AuthzResult ¶ added in v4.38.0
type AuthzResult int
AuthzResult is a result for Authz response handling determination.
const ( // AuthzResultForbidden means the user is forbidden the access to a resource. AuthzResultForbidden AuthzResult = iota AuthzResultUnauthorized // AuthzResultAuthorized means the user is authorized given her current permissions. AuthzResultAuthorized )
type CookieSessionAuthnStrategy ¶ added in v4.38.0
type CookieSessionAuthnStrategy struct {
// contains filtered or unexported fields
}
CookieSessionAuthnStrategy is a session cookie AuthnStrategy.
func NewCookieSessionAuthnStrategy ¶ added in v4.38.0
func NewCookieSessionAuthnStrategy(refresh schema.RefreshIntervalDuration) *CookieSessionAuthnStrategy
NewCookieSessionAuthnStrategy creates a new CookieSessionAuthnStrategy.
func (*CookieSessionAuthnStrategy) CanHandleUnauthorized ¶ added in v4.38.0
func (s *CookieSessionAuthnStrategy) CanHandleUnauthorized() (handle bool)
CanHandleUnauthorized returns true if this AuthnStrategy should handle Unauthorized requests.
func (*CookieSessionAuthnStrategy) Get ¶ added in v4.38.0
func (s *CookieSessionAuthnStrategy) Get(ctx *middlewares.AutheliaCtx, provider *session.Session, _ *authorization.Object) (authn *Authn, err error)
Get returns the Authn information for this AuthnStrategy.
func (*CookieSessionAuthnStrategy) HandleUnauthorized ¶ added in v4.38.0
func (s *CookieSessionAuthnStrategy) HandleUnauthorized(_ *middlewares.AutheliaCtx, _ *Authn, _ *url.URL)
HandleUnauthorized is the Unauthorized handler for the cookie AuthnStrategy.
func (*CookieSessionAuthnStrategy) HeaderStrategy ¶ added in v4.38.3
func (s *CookieSessionAuthnStrategy) HeaderStrategy() (header bool)
HeaderStrategy returns true if this AuthnStrategy is header based.
type DuoDevice ¶ added in v4.33.0
type DuoDevice struct { Device string `json:"device"` DisplayName string `json:"display_name"` Capabilities []string `json:"capabilities"` }
DuoDevice represents Duo devices and methods.
func DuoPreAuth ¶ added in v4.33.0
func DuoPreAuth(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API) (result, message string, devices []DuoDevice, enrollURL string, err error)
DuoPreAuth helper function for retrieving supported devices and capabilities from duo api.
type DuoDeviceBody ¶ added in v4.33.0
type DuoDeviceBody struct { Device string `json:"device" valid:"required"` Method string `json:"method" valid:"required"` }
DuoDeviceBody the selected Duo device and method.
type DuoDevicesResponse ¶ added in v4.33.0
type DuoDevicesResponse struct { Result string `json:"result" valid:"required"` Devices []DuoDevice `json:"devices,omitempty"` EnrollURL string `json:"enroll_url,omitempty"` }
DuoDevicesResponse represents all available user devices and methods as well as an optional enrollment url.
type DuoSignResponse ¶ added in v4.33.0
type DuoSignResponse struct { Result string `json:"result" valid:"required"` Devices []DuoDevice `json:"devices,omitempty"` Redirect string `json:"redirect,omitempty"` EnrollURL string `json:"enroll_url,omitempty"` }
DuoSignResponse represents a result of the preauth and or auth call with further optional info.
type HandlerAuthzAuthorized ¶ added in v4.38.0
type HandlerAuthzAuthorized func(ctx *middlewares.AutheliaCtx, authn *Authn)
HandlerAuthzAuthorized is a Authz handler func that handles authorized responses.
type HandlerAuthzGetAutheliaURL ¶ added in v4.38.0
type HandlerAuthzGetAutheliaURL func(ctx *middlewares.AutheliaCtx) (portalURL *url.URL, err error)
HandlerAuthzGetAutheliaURL is a Authz handler func that handles retrieval of the Portal URL.
type HandlerAuthzGetObject ¶ added in v4.38.0
type HandlerAuthzGetObject func(ctx *middlewares.AutheliaCtx) (object authorization.Object, err error)
HandlerAuthzGetObject is a Authz handler func that handles retrieval of the authorization.Object to authorize.
type HandlerAuthzGetRedirectionURL ¶ added in v4.38.0
type HandlerAuthzGetRedirectionURL func(ctx *middlewares.AutheliaCtx, object *authorization.Object) (redirectionURL *url.URL, err error)
HandlerAuthzGetRedirectionURL is a Authz handler func that handles retrieval of the Redirection URL.
type HandlerAuthzUnauthorized ¶ added in v4.38.0
type HandlerAuthzUnauthorized func(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL)
HandlerAuthzUnauthorized is a Authz handler func that handles unauthorized responses.
type HandlerAuthzVerifyObject ¶ added in v4.38.0
type HandlerAuthzVerifyObject func(ctx *middlewares.AutheliaCtx, object authorization.Object) (err error)
HandlerAuthzVerifyObject is a Authz handler func that handles authorization of the authorization.Object.
type HeaderAuthnStrategy ¶ added in v4.38.0
type HeaderAuthnStrategy struct {
// contains filtered or unexported fields
}
HeaderAuthnStrategy is a header AuthnStrategy.
func NewHeaderAuthorizationAuthnStrategy ¶ added in v4.38.0
func NewHeaderAuthorizationAuthnStrategy(schemes ...string) *HeaderAuthnStrategy
NewHeaderAuthorizationAuthnStrategy creates a new HeaderAuthnStrategy using the Authorization and WWW-Authenticate headers. The original comment states it uses the 407 Proxy Auth Required response; note that per RFC 7235 the Authorization/WWW-Authenticate pair is associated with 401 Unauthorized, while 407 pairs with Proxy-Authorization/Proxy-Authenticate (see NewHeaderProxyAuthorizationAuthnStrategy), so verify the status code actually emitted before relying on this description.
func NewHeaderProxyAuthorizationAuthRequestAuthnStrategy ¶ added in v4.38.0
func NewHeaderProxyAuthorizationAuthRequestAuthnStrategy(schemes ...string) *HeaderAuthnStrategy
NewHeaderProxyAuthorizationAuthRequestAuthnStrategy creates a new HeaderAuthnStrategy using the Proxy-Authorization and WWW-Authenticate headers, and a 401 response (the original comment labels it "Proxy Auth Required", which is the reason phrase of 407; 401 is Unauthorized). This is a special AuthnStrategy for the AuthRequest implementation.
func NewHeaderProxyAuthorizationAuthnStrategy ¶ added in v4.38.0
func NewHeaderProxyAuthorizationAuthnStrategy(schemes ...string) *HeaderAuthnStrategy
NewHeaderProxyAuthorizationAuthnStrategy creates a new HeaderAuthnStrategy using the Proxy-Authorization and Proxy-Authenticate headers, and the 407 Proxy Auth Required response.
func (*HeaderAuthnStrategy) CanHandleUnauthorized ¶ added in v4.38.0
func (s *HeaderAuthnStrategy) CanHandleUnauthorized() (handle bool)
CanHandleUnauthorized returns true if this AuthnStrategy should handle Unauthorized requests.
func (*HeaderAuthnStrategy) Get ¶ added in v4.38.0
func (s *HeaderAuthnStrategy) Get(ctx *middlewares.AutheliaCtx, _ *session.Session, object *authorization.Object) (authn *Authn, err error)
Get returns the Authn information for this AuthnStrategy.
func (*HeaderAuthnStrategy) HandleUnauthorized ¶ added in v4.38.0
func (s *HeaderAuthnStrategy) HandleUnauthorized(ctx *middlewares.AutheliaCtx, authn *Authn, _ *url.URL)
HandleUnauthorized is the Unauthorized handler for the header AuthnStrategy.
func (*HeaderAuthnStrategy) HeaderStrategy ¶ added in v4.38.3
func (s *HeaderAuthnStrategy) HeaderStrategy() (header bool)
HeaderStrategy returns true if this AuthnStrategy is header based.
type HeaderAuthorization ¶
type HeaderAuthorization struct { Authorization *model.Authorization Realm string Scope string Error *oauthelia2.RFC6749Error }
type HeaderLegacyAuthnStrategy ¶ added in v4.38.0
type HeaderLegacyAuthnStrategy struct{}
HeaderLegacyAuthnStrategy is a legacy header AuthnStrategy which can be switched based on the query parameters.
func NewHeaderLegacyAuthnStrategy ¶ added in v4.38.0
func NewHeaderLegacyAuthnStrategy() *HeaderLegacyAuthnStrategy
NewHeaderLegacyAuthnStrategy creates a new HeaderLegacyAuthnStrategy.
func (*HeaderLegacyAuthnStrategy) CanHandleUnauthorized ¶ added in v4.38.0
func (s *HeaderLegacyAuthnStrategy) CanHandleUnauthorized() (handle bool)
CanHandleUnauthorized returns true if this AuthnStrategy should handle Unauthorized requests.
func (*HeaderLegacyAuthnStrategy) Get ¶ added in v4.38.0
func (s *HeaderLegacyAuthnStrategy) Get(ctx *middlewares.AutheliaCtx, _ *session.Session, _ *authorization.Object) (authn *Authn, err error)
Get returns the Authn information for this AuthnStrategy.
func (*HeaderLegacyAuthnStrategy) HandleUnauthorized ¶ added in v4.38.0
func (s *HeaderLegacyAuthnStrategy) HandleUnauthorized(ctx *middlewares.AutheliaCtx, authn *Authn, _ *url.URL)
HandleUnauthorized is the Unauthorized handler for the Legacy header AuthnStrategy.
func (*HeaderLegacyAuthnStrategy) HeaderStrategy ¶ added in v4.38.3
func (s *HeaderLegacyAuthnStrategy) HeaderStrategy() (header bool)
HeaderStrategy returns true if this AuthnStrategy is header based.
type PasswordPolicyBody ¶ added in v4.36.0
type PasswordPolicyBody struct { Mode string `json:"mode"` MinLength int `json:"min_length"` MaxLength int `json:"max_length"` MinScore int `json:"min_score"` RequireUppercase bool `json:"require_uppercase"` RequireLowercase bool `json:"require_lowercase"` RequireNumber bool `json:"require_number"` RequireSpecial bool `json:"require_special"` }
PasswordPolicyBody represents the password policy configuration sent to the client. The original comment attributes it to password reset step 2; PasswordPolicyConfigurationGET above is the handler documented as returning the password policy configuration, so confirm which endpoint emits this body.
type StateResponse ¶
type StateResponse struct { Username string `json:"username"` AuthenticationLevel authentication.Level `json:"authentication_level"` DefaultRedirectionURL string `json:"default_redirection_url"` }
StateResponse represents the response sent by the state endpoint.
type TOTPKeyResponse ¶
type TOTPKeyResponse struct { Base32Secret string `json:"base32_secret"` OTPAuthURL string `json:"otpauth_url"` }
TOTPKeyResponse is the model of the response sent to the client upon successful identity verification. Both fields carry the shared TOTP secret (the otpauth:// URL embeds it), so this response must be treated as a credential: it should not be logged, cached or exposed beyond the registering user.
Source Files ¶
- const.go
- duo.go
- handler_authz.go
- handler_authz_authn.go
- handler_authz_builder.go
- handler_authz_common.go
- handler_authz_impl_authrequest.go
- handler_authz_impl_extauthz.go
- handler_authz_impl_forwardauth.go
- handler_authz_impl_legacy.go
- handler_authz_types.go
- handler_authz_util.go
- handler_checks_safe_redirection.go
- handler_configuration.go
- handler_configuration_password_policy.go
- handler_firstfactor.go
- handler_health.go
- handler_jwks.go
- handler_logout.go
- handler_oauth_introspection.go
- handler_oauth_revocation.go
- handler_oidc_authorization.go
- handler_oidc_authorization_consent.go
- handler_oidc_authorization_consent_explicit.go
- handler_oidc_authorization_consent_implicit.go
- handler_oidc_authorization_consent_pre_configured.go
- handler_oidc_consent.go
- handler_oidc_token.go
- handler_oidc_userinfo.go
- handler_oidc_wellknown.go
- handler_register_duo_device.go
- handler_register_totp.go
- handler_register_webauthn.go
- handler_reset_password.go
- handler_session_elevation.go
- handler_sign_duo.go
- handler_sign_totp.go
- handler_sign_webauthn.go
- handler_state.go
- handler_status.go
- handler_user_info.go
- handler_webauthn_credentials.go
- oidc.go
- response.go
- types.go
- util.go
- webauthn.go