keystone

package
v0.3.61

Warning: This package is not in the latest version of its module.
Published: Jan 17, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrTokenExchange = errors.New("keystone token exchange failed")
)

Functions

This section is empty.

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator provides Keystone authentication functionality.

func New

func New(options *Options) *Authenticator

New returns a new authenticator with required fields populated. You must call AddFlags after this.

func (*Authenticator) Basic

func (a *Authenticator) Basic(ctx context.Context, username, password string) (*tokens.Token, *tokens.User, error)

Basic performs username/password (basic) authentication; please rethink your life before using this.

func (*Authenticator) Domain

func (a *Authenticator) Domain() string

Domain returns the default user domain. TODO: It stands to reason that the user should supply this in future.

func (*Authenticator) Endpoint

func (a *Authenticator) Endpoint() string

Endpoint returns the endpoint host.

func (*Authenticator) GetUser

func (a *Authenticator) GetUser(ctx context.Context, token, userID string) (*users.User, error)

GetUser returns user details.

func (*Authenticator) OIDCTokenExchange

func (a *Authenticator) OIDCTokenExchange(ctx context.Context, token string) (string, *OIDCTokenExchangeResult, error)

OIDCTokenExchange sends the OIDC ID token to keystone, which will then map that to a shadow user and group, and return an unscoped API token.

type OIDCTokenExchangeResult

type OIDCTokenExchangeResult struct {
	Token *struct {
		// Methods will list the authentication methods e.g. openid.
		Methods []string `json:"methods"`
		// User contains metadata about the mapped user.
		User *struct {
			// Domain contains metadata about the user's domain.
			Domain *struct {
				// ID is the globally unique domain ID.
				ID string `json:"id"`
				// Name is a human readable domain name within the scope
				// of its parent domain.
				Name string `json:"name"`
			} `json:"domain"`
			// ID is the globally unique user ID.
			ID string `json:"id"`
			// Name is the human readable user name that the mapping extracts
			// from the OIDC ID token.  This is not guaranteed to be an email
			// address.
			Name string `json:"name"`
			// Federation contains metadata from the federation engine.
			Federation *struct {
				// Groups lists the groups mapped from the claims in the
				// OIDC ID token.
				Groups []struct {
					// ID is the globally unique group ID.
					ID string `json:"id"`
				} `json:"groups"`
				// IdentityProvider contains metadata about the IdP.
				IdentityProvider *struct {
					// ID is the globally unique ID of the IdP.
					ID string `json:"id"`
				} `json:"identity_provider"`
				// Protocol contains metadata about the protocol.
				Protocol *struct {
					// ID is the globally unique ID of the protocol.
					ID string `json:"id"`
				} `json:"protocol"`
			} `json:"OS-FEDERATION"`
		} `json:"user"`
		// AuditIDs provide tracing for the user.
		AuditIDs []string `json:"audit_ids"`
		// ExpiresAt indicates the time the token will cease to work.
		ExpiresAt time.Time `json:"expires_at"`
		// IssuedAt indicates the time the token was issued.
		IssuedAt time.Time `json:"issued_at"`
	} `json:"token"`
}

OIDCTokenExchangeResult is the response body Keystone returns when we give it an OIDC ID token to exchange for an OpenStack token.
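The two pieces above (OIDCTokenExchange mapping an ID token to a shadow user and group, and the result body it yields) leave the caller holding an unscoped token plus a JSON blob that it should not trust blindly. The following is an added example, not code from this package: it reproduces the documented result shape as a local type, parses a constructed response body, and enforces the checks a consumer of the exchange should make before acting on the mapped identity: the token is unexpired at the caller's clock, the `methods` list contains `openid`, the user carries `OS-FEDERATION` metadata, and that metadata names the identity provider and protocol the deployment expects. The names `ValidateExchange`, `MappedIdentity`, `SampleBody` and the `wantIdP`/`wantProtocol` parameters are hypothetical, and every ID in the sample body is made up. (Keystone itself returns the token ID separately in the `X-Subject-Token` response header; that header is what the function's string return value would carry, and it is not part of the body handled here.)

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// errTokenExchange mirrors the package's ErrTokenExchange sentinel so callers
// can errors.Is() on every rejection path below.
var errTokenExchange = errors.New("keystone token exchange failed")

// exchangeResult reproduces the JSON shape documented for OIDCTokenExchangeResult.
type exchangeResult struct {
	Token *struct {
		Methods []string `json:"methods"`
		User    *struct {
			Domain *struct {
				ID   string `json:"id"`
				Name string `json:"name"`
			} `json:"domain"`
			ID         string `json:"id"`
			Name       string `json:"name"`
			Federation *struct {
				Groups []struct {
					ID string `json:"id"`
				} `json:"groups"`
				IdentityProvider *struct {
					ID string `json:"id"`
				} `json:"identity_provider"`
				Protocol *struct {
					ID string `json:"id"`
				} `json:"protocol"`
			} `json:"OS-FEDERATION"`
		} `json:"user"`
		AuditIDs  []string  `json:"audit_ids"`
		ExpiresAt time.Time `json:"expires_at"`
		IssuedAt  time.Time `json:"issued_at"`
	} `json:"token"`
}

// MappedIdentity is what a caller keeps from the exchange once it has been validated.
type MappedIdentity struct {
	UserID    string
	UserName  string
	DomainID  string
	GroupIDs  []string
	ExpiresAt time.Time
}

// ValidateExchange parses a Keystone federation auth response body and rejects it
// unless the token is unexpired at now, was issued via the "openid" method, carries
// a federated user, and names the expected IdP and protocol (hypothetical parameters).
func ValidateExchange(body []byte, now time.Time, wantIdP, wantProtocol string) (*MappedIdentity, error) {
	var res exchangeResult
	if err := json.Unmarshal(body, &res); err != nil {
		return nil, fmt.Errorf("%w: malformed body: %v", errTokenExchange, err)
	}
	tok := res.Token
	if tok == nil || tok.User == nil {
		return nil, fmt.Errorf("%w: response carries no token or user", errTokenExchange)
	}
	if !tok.ExpiresAt.After(now) {
		return nil, fmt.Errorf("%w: token expired at %s", errTokenExchange, tok.ExpiresAt.UTC().Format(time.RFC3339))
	}
	if !containsString(tok.Methods, "openid") {
		return nil, fmt.Errorf("%w: unexpected auth methods %v", errTokenExchange, tok.Methods)
	}
	fed := tok.User.Federation
	if fed == nil || fed.IdentityProvider == nil || fed.Protocol == nil {
		return nil, fmt.Errorf("%w: user is not a federated (shadow) user", errTokenExchange)
	}
	if fed.IdentityProvider.ID != wantIdP || fed.Protocol.ID != wantProtocol {
		return nil, fmt.Errorf("%w: token from %s/%s, expected %s/%s",
			errTokenExchange, fed.IdentityProvider.ID, fed.Protocol.ID, wantIdP, wantProtocol)
	}
	id := &MappedIdentity{UserID: tok.User.ID, UserName: tok.User.Name, ExpiresAt: tok.ExpiresAt}
	if tok.User.Domain != nil {
		id.DomainID = tok.User.Domain.ID
	}
	for _, g := range fed.Groups {
		id.GroupIDs = append(id.GroupIDs, g.ID)
	}
	return id, nil
}

func containsString(xs []string, want string) bool {
	for _, x := range xs {
		if x == want {
			return true
		}
	}
	return false
}

// SampleBody is a constructed response in the documented shape; all IDs are made up.
const SampleBody = `{"token":{"methods":["openid"],"user":{"domain":{"id":"federated-domain-id","name":"Federated"},"id":"user-id-1234","name":"alice@example.com","OS-FEDERATION":{"groups":[{"id":"group-id-admins"}],"identity_provider":{"id":"corp-oidc"},"protocol":{"id":"openid"}}},"audit_ids":["audit-1"],"expires_at":"2024-01-17T13:00:00.000000Z","issued_at":"2024-01-17T12:00:00.000000Z"}}`

func main() {
	now := time.Date(2024, 1, 17, 12, 30, 0, 0, time.UTC)
	id, err := ValidateExchange([]byte(SampleBody), now, "corp-oidc", "openid")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("accepted %s (%s) groups=%v until %s\n", id.UserName, id.UserID, id.GroupIDs, id.ExpiresAt.Format(time.RFC3339))
	// The same body evaluated two hours later must be rejected on expiry.
	if _, err := ValidateExchange([]byte(SampleBody), now.Add(2*time.Hour), "corp-oidc", "openid"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Pinning the IdP and protocol IDs matters because a Keystone deployment may trust several identity providers; a token that mapped through the wrong one still looks like a valid federated user unless the caller checks `OS-FEDERATION.identity_provider.id`. Note also that `user.name` is whatever the mapping rule extracted from the ID token, so it should not be treated as a verified email address.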

type Options

type Options struct {
	// Endpoint is the Keystone Endpoint.
	Endpoint string

	// Domain is the default domain users live under.
	Domain string
	// contains filtered or unexported fields
}

func (*Options) AddFlags

func (o *Options) AddFlags(f *pflag.FlagSet)

AddFlags to the specified flagset.
