Documentation
Index
- Variables
- type Authenticator
- func (a *Authenticator) Basic(ctx context.Context, username, password string) (*tokens.Token, *tokens.User, error)
- func (a *Authenticator) Domain() string
- func (a *Authenticator) Endpoint() string
- func (a *Authenticator) GetUser(ctx context.Context, token, userID string) (*users.User, error)
- func (a *Authenticator) OIDCTokenExchange(ctx context.Context, token string) (string, *OIDCTokenExchangeResult, error)
- type OIDCTokenExchangeResult
- type Options
Constants
This section is empty.
Variables
var (
ErrTokenExchange = errors.New("keystone token exchange failed")
)
Functions
This section is empty.
Types
type Authenticator
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator provides Keystone authentication functionality.
func New
func New(options *Options) *Authenticator
New returns a new authenticator with required fields populated. You must call AddFlags after this.
func (*Authenticator) Basic
func (a *Authenticator) Basic(ctx context.Context, username, password string) (*tokens.Token, *tokens.User, error)
Basic does basic authentication; please rethink your life before using this.
func (*Authenticator) Domain
func (a *Authenticator) Domain() string
Domain returns the default user domain. TODO: It stands to reason that the user should supply this in future.
func (*Authenticator) Endpoint
func (a *Authenticator) Endpoint() string
Endpoint returns the endpoint host.
func (*Authenticator) OIDCTokenExchange
func (a *Authenticator) OIDCTokenExchange(ctx context.Context, token string) (string, *OIDCTokenExchangeResult, error)
OIDCTokenExchange sends the OIDC ID token to keystone, which will then map that to a shadow user and group, and return an unscoped API token.
type OIDCTokenExchangeResult
type OIDCTokenExchangeResult struct {
	Token *struct {
		// Methods will list the authentication methods e.g. openid.
		Methods []string `json:"methods"`
		// User contains metadata about the mapped user.
		User *struct {
			// Domain contains metadata about the user's domain.
			Domain *struct {
				// ID is the globally unique domain ID.
				ID string `json:"id"`
				// Name is a human readable domain name within the scope
				// of its parent domain.
				Name string `json:"name"`
			} `json:"domain"`
			// ID is the globally unique user ID.
			ID string `json:"id"`
			// Name is the human readable user name that the mapping extracts
			// from the OIDC ID token. This is not guaranteed to be an email
			// address.
			Name string `json:"name"`
			// Federation contains metadata from the federation engine.
			Federation *struct {
				// Groups lists the groups mapped from the claims in the
				// OIDC ID token.
				Groups []struct {
					// ID is the globally unique group ID.
					ID string `json:"id"`
				} `json:"groups"`
				// IdentityProvider contains metadata about the IdP.
				IdentityProvider *struct {
					// ID is the globally unique ID of the IdP.
					ID string `json:"id"`
				} `json:"identity_provider"`
				// Protocol contains metadata about the protocol.
				Protocol *struct {
					// ID is the globally unique ID of the protocol.
					ID string `json:"id"`
				} `json:"protocol"`
			} `json:"OS-FEDERATION"`
		} `json:"user"`
		// AuditIDs provide tracing for the user.
		AuditIDs []string `json:"audit_ids"`
		// ExpiresAt indicates the time the token will cease to work.
		ExpiresAt time.Time `json:"expires_at"`
		// IssuedAt indicates the time the token was issued.
		IssuedAt time.Time `json:"issued_at"`
	} `json:"token"`
}
OIDCTokenExchangeResult is what's returned by Keystone when we give it an OIDC token to exchange for an OpenStack token.
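The following is an added example, not code from this package: it parses a Keystone exchange response of the documented shape and refuses to pass the unscoped token on unless the method is openid, the token has not expired, and the shadow user was mapped to at least one group. The `exchangeResult` type is a hypothetical subset of `OIDCTokenExchangeResult` with the same JSON tags, `checkExchangeResult` is a name chosen here, and `sampleBody` is a constructed response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Subset of OIDCTokenExchangeResult needed here, with the documented JSON tags;
// value (not pointer) fields turn an absent field into a zero value, which fails closed below.
type exchangeResult struct {
	Token struct {
		Methods []string `json:"methods"`
		User    struct {
			Federation struct {
				Groups []struct {
					ID string `json:"id"`
				} `json:"groups"`
			} `json:"OS-FEDERATION"`
		} `json:"user"`
		ExpiresAt time.Time `json:"expires_at"`
	} `json:"token"`
}

// checkExchangeResult parses the exchange response and returns the mapped group IDs,
// refusing the token unless the method is openid, it is still valid at now, and at least one group was mapped.
func checkExchangeResult(body []byte, now time.Time) ([]string, error) {
	var r exchangeResult
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	openid := false
	for _, m := range r.Token.Methods {
		openid = openid || m == "openid"
	}
	var groups []string
	for _, g := range r.Token.User.Federation.Groups {
		groups = append(groups, g.ID)
	}
	if !openid || !now.Before(r.Token.ExpiresAt) || len(groups) == 0 {
		return nil, fmt.Errorf("exchange result rejected: methods=%v expires_at=%v groups=%d", r.Token.Methods, r.Token.ExpiresAt, len(groups))
	}
	return groups, nil
}

// sampleBody is a constructed response in the documented shape, not captured from a real Keystone.
const sampleBody = `{"token":{"methods":["openid"],"user":{"OS-FEDERATION":{"groups":[{"id":"g-1"},{"id":"g-2"}]}},"expires_at":"2030-01-01T00:00:00.000000Z"}}`

func main() {
	fmt.Println(checkExchangeResult([]byte(sampleBody), time.Now()))
}
```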