middleware

package
v1.0.0-alpha.2 (not the latest version of its module)
Published: Mar 24, 2024 License: BSD-3-Clause Imports: 12 Imported by: 1

Documentation


Constants

const DefaultKeyRefreshIterval = 1 * time.Hour

DefaultKeyRefreshIterval is the default interval at which the handler tries to refresh the signing keys from the issuer.

Variables

This section is empty.

Functions

func ClaimsFromContext

func ClaimsFromContext(ctx context.Context) *oidc.IDClaims

ClaimsFromContext returns the claims for the given request context.

func RawIDTokenFromContext

func RawIDTokenFromContext(ctx context.Context) string

RawIDTokenFromContext returns the raw JWT from the given request context.

func TokenSourceFromContext

func TokenSourceFromContext(ctx context.Context) oauth2.TokenSource

TokenSourceFromContext returns a usable token source from this request context. The request must have been wrapped with the middleware for this to be initialized. This token source is

Types

type Handler

type Handler struct {
	// Issuer is the URL to the OIDC issuer
	Issuer string
	// KeyRefreshInterval is how often we should try and refresh the signing keys
	// from the issuer. Defaults to DefaultKeyRefreshIterval
	KeyRefreshInterval time.Duration
	// ClientID is a client ID for the relying party (the service authenticating
	// against the OIDC server)
	ClientID string
	// ClientSecret is a client secret for the relying party
	ClientSecret string
	// BaseURL is the base URL for this relying party. If it is not safe to
	// redirect the user to their original destination, they will be redirected
	// to this URL.
	BaseURL string
	// RedirectURL is the callback URL registered with the OIDC issuer for this
	// relying party
	RedirectURL string
	// AdditionalScopes is a list of scopes to request from the OIDC server, in
	// addition to the base oidc scope.
	AdditionalScopes []string
	// ACRValues to request from the remote server. The handler validates that
	// the returned token contains one of these.
	ACRValues []string

	// SessionStore is used for managing state that we need to persist across
	// requests. It needs to be able to store ID and refresh tokens, plus a
	// small amount of additional data. Required.
	SessionStore SessionStore
	// contains filtered or unexported fields
}

Handler wraps another http.Handler, protecting it with OIDC authentication.

func (*Handler) Wrap

func (h *Handler) Wrap(next http.Handler) http.Handler

Wrap returns an http.Handler that wraps the given http.Handler and provides OIDC authentication.

type SessionData

type SessionData struct {
	// State for an in-progress auth flow.
	State string `json:"oidc_state,omitempty"`
	// PKCEChallenge for the in-progress auth flow
	PKCEChallenge string `json:"pkce_challenge,omitempty"`
	// ReturnTo is where we should navigate to at the end of the flow
	ReturnTo string `json:"oidc_return_to,omitempty"`
	// Token stores the returned oauth2.Token
	Token *oidc.MarshaledToken `json:"token,omitempty"`
}

SessionData contains the data this middleware needs to save/restore across requests. This should be stored using a method that does not reveal the contents to the end user in any way.

type SessionStore

type SessionStore interface {
	// Get should always return a valid, usable session. If the session does not
	// exist, it should be empty. error indicates that there was a failure that
	// we should not proceed from.
	Get(*http.Request) (*SessionData, error)
	// Save should store the updated session. If the session data is nil, the
	// session should be deleted.
	Save(http.ResponseWriter, *http.Request, *SessionData) error
}

SessionStore is used for managing state across requests.

func NewMemorySessionStore

func NewMemorySessionStore(template http.Cookie) (SessionStore, error)

NewMemorySessionStore creates a simple session store that tracks state in memory. It is mainly intended for testing; it is not suitable for anything outside a single process, as the state will not be shared. It also does not robustly clean up stored session data.

It is provided with a "template" http.Cookie - this will be used for the cookies the session ID is tracked with. It must have at least a name set.
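As an added example (not code from this package), here is a minimal SessionStore along the lines of NewMemorySessionStore that satisfies both the interface contract above and the SessionData requirement that its contents never reach the end user: the browser only ever receives an opaque random session ID in the template cookie, the ID and refresh tokens stay server-side, and the ID is rotated on every Save so an ID issued before login never names the authenticated session. SessionData is reproduced from the page with the *oidc.MarshaledToken field replaced by a string placeholder so the block builds without the package; the cookie name and attributes used by a caller are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"sync"
)

// SessionData mirrors the page's struct; Token is a string placeholder for
// *oidc.MarshaledToken so that the example builds without the oidc package.
type SessionData struct{ State, PKCEChallenge, ReturnTo, Token string }

// MemorySessionStore keeps session contents server-side; the browser only
// ever receives an opaque random ID in the cookie described by Template.
type MemorySessionStore struct {
	Template http.Cookie
	sessions sync.Map // session ID -> *SessionData
}

// Get returns the stored session, or an empty one if the cookie is missing or unknown.
func (s *MemorySessionStore) Get(r *http.Request) (*SessionData, error) {
	if c, err := r.Cookie(s.Template.Name); err == nil {
		if sd, ok := s.sessions.Load(c.Value); ok {
			return sd.(*SessionData), nil
		}
	}
	return &SessionData{}, nil
}

// Save rotates to a fresh random ID (so an ID issued before login never names
// the authenticated session); a nil sd deletes the session and expires the cookie.
func (s *MemorySessionStore) Save(w http.ResponseWriter, r *http.Request, sd *SessionData) error {
	cookie := s.Template
	if c, err := r.Cookie(cookie.Name); err == nil {
		s.sessions.Delete(c.Value) // the old ID is never reused
	}
	if sd == nil {
		cookie.Value, cookie.MaxAge = "", -1
	} else {
		buf := make([]byte, 32) // 256 bits from crypto/rand
		if _, err := rand.Read(buf); err != nil {
			return err
		}
		cookie.Value = base64.RawURLEncoding.EncodeToString(buf)
		s.sessions.Store(cookie.Value, sd)
	}
	http.SetCookie(w, &cookie)
	return nil
}
```

Set HttpOnly, Secure and a restrictive SameSite on the template cookie so the session ID is not exposed to page scripts or sent cross-site.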
