Documentation

Constants
const DefaultKeyRefreshIterval = 1 * time.Hour
DefaultKeyRefreshIterval is the default interval at which we try to refresh the signing keys from the issuer.
Variables
This section is empty.
Functions

func ClaimsFromContext

ClaimsFromContext returns the claims for the given request context.

func RawIDTokenFromContext

RawIDTokenFromContext returns the raw JWT from the given request context.

func TokenSourceFromContext
func TokenSourceFromContext(ctx context.Context) oauth2.TokenSource
TokenSourceFromContext returns a usable token source from this request context. The request must have been wrapped with the middleware for this to be initialized. This token source is
Types

type Handler
type Handler struct {
	// Issuer is the URL to the OIDC issuer
	Issuer string
	// KeyRefreshInterval is how often we should try and refresh the signing keys
	// from the issuer. Defaults to DefaultKeyRefreshIterval
	KeyRefreshInterval time.Duration
	// ClientID is a client ID for the relying party (the service authenticating
	// against the OIDC server)
	ClientID string
	// ClientSecret is a client secret for the relying party
	ClientSecret string
	// BaseURL is the base URL for this relying party. If it is not safe to
	// redirect the user to their original destination, they will be redirected
	// to this URL.
	BaseURL string
	// RedirectURL is the callback URL registered with the OIDC issuer for this
	// relying party
	RedirectURL string
	// AdditionalScopes is a list of scopes to request from the OIDC server, in
	// addition to the base oidc scope.
	AdditionalScopes []string
	// ACRValues to request from the remote server. The handler validates that
	// the returned token contains one of these.
	ACRValues []string
	// SessionStore is used for managing state that we need to persist across
	// requests. It needs to be able to store ID and refresh tokens, plus a
	// small amount of additional data. Required.
	SessionStore SessionStore
	// contains filtered or unexported fields
}
Handler wraps another http.Handler, protecting it with OIDC authentication.
type SessionData

type SessionData struct {
	// State for an in-progress auth flow.
	State string `json:"oidc_state,omitempty"`
	// PKCEChallenge for the in-progress auth flow
	PKCEChallenge string `json:"pkce_challenge,omitempty"`
	// ReturnTo is where we should navigate to at the end of the flow
	ReturnTo string `json:"oidc_return_to,omitempty"`
	// Token stores the returned oauth2.Token
	Token *oidc.MarshaledToken `json:"token,omitempty"`
}
SessionData contains the data this middleware needs to save/restore across requests. This should be stored using a method that does not reveal the contents to the end user in any way.
type SessionStore

type SessionStore interface {
	// Get should always return a valid, usable session. If the session does not
	// exist, it should be empty. error indicates that there was a failure that
	// we should not proceed from.
	Get(*http.Request) (*SessionData, error)
	// Save should store the updated session. If the session data is nil, the
	// session should be deleted.
	Save(http.ResponseWriter, *http.Request, *SessionData) error
}

A SessionStore is used for managing state across requests.

func NewMemorySessionStore
func NewMemorySessionStore(template http.Cookie) (SessionStore, error)
NewMemorySessionStore creates a simple session store that tracks state in memory. It is mainly used for testing; it is not suitable for anything outside a single process, as the state will not be shared. It also does not have robust cleaning of stored session data.
It is provided with a "template" http.Cookie - this will be used for the cookies the session ID is tracked with. It must have at least a name set.
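The SessionData and SessionStore docs above require that the session (ID and refresh tokens included) never be revealed to the end user, and the in-memory store is only for testing. The following is an added example, not code from this package: a hypothetical Sealer that a cookie-backed SessionStore could use to produce the cookie value in Save and verify it in Get, using AES-GCM with the cookie name bound in as associated data. It reduces Token to json.RawMessage so it does not depend on the oidc package; that simplification and the Sealer/NewSealer names are assumptions of this demo.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// SessionData mirrors the struct above; Token is json.RawMessage here (demo assumption, avoids the oidc import).
type SessionData struct {
	State string          `json:"oidc_state,omitempty"`
	Token json.RawMessage `json:"token,omitempty"`
}
// Sealer makes the opaque cookie value a SessionStore would set in Save and check in Get.
type Sealer struct {
	aad  []byte      // cookie name, bound in so a value cannot be replayed under another cookie
	aead cipher.AEAD // AES-GCM: tokens stay unreadable and any edit fails authentication
}

func NewSealer(cookieName string, key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Sealer{aad: []byte(cookieName), aead: aead}, err
}

// Seal returns base64url(nonce || ciphertext) with a fresh random nonce on every call.
func (s *Sealer) Seal(sd *SessionData) (string, error) {
	pt, err := json.Marshal(sd)
	nonce := make([]byte, s.aead.NonceSize())
	if _, rerr := rand.Read(nonce); err != nil || rerr != nil {
		return "", errors.New("could not seal session")
	}
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, pt, s.aad)), nil
}

// Open rejects any value not sealed intact under this key and cookie name; Get should map only a missing cookie to an empty session.
func (s *Sealer) Open(value string) (*SessionData, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if ns := s.aead.NonceSize(); err == nil && len(raw) >= ns {
		if pt, err := s.aead.Open(nil, raw[:ns], raw[ns:], s.aad); err == nil {
			sd := &SessionData{}
			return sd, json.Unmarshal(pt, sd)
		}
	}
	return nil, errors.New("session cookie rejected") // malformed, tampered, wrong key, or moved
}
```

A Save that receives nil would clear the cookie instead of calling Seal, and a Get that finds no cookie at all returns an empty SessionData rather than an error, matching the interface contract above.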