oauth

package
v0.0.0-...-d05bb39 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 28, 2025 License: BSD-3-Clause, BSD-3-Clause Imports: 28 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var CredentialsVersionKey = credentialsKey("version")
View Source 
var ErrorCannotAuthenticate = errors.New("Who are you? Sorry, you have no authentication cookie, and there is no authentication service configured")
View Source 
var ErrorLoops = errors.New("You have been redirected back to this url - but you still don't have an authentication token.\n" +
	"As a sentinent web server, I've decided that you human don't deserve any further redirect, as that would cause a loop\n" +
	"which would be bad for the future of the internet, my load, and your bandwidth. Hit refresh if you want, but there's likely\n" +
	"something wrong in your cookies, or your setup")
View Source 
var ErrorNotAuthenticated = errors.New("No authentication information found")
View Source 
var ErrorStateUnsupported = errors.New("Incorrect API usage - the authentication method does not support propagating state")

Functions

func AuthHandler 

func AuthHandler(a IAuthenticator) khttp.FuncHandler

AuthHandler returns the http handler to be invoked at the end of the oauth process.

func CheckRedirect 

func CheckRedirect(w http.ResponseWriter, r *http.Request, ad AuthData) bool

CheckRedirect checks AuthData to see if its state warrants a redirect. Returns true if it did redirect, false if a redirect was unnecessary.

func CreateRedirectURL 

func CreateRedirectURL(r *http.Request) *url.URL

func LoginHandler 

func LoginHandler(a IAuthenticator, lm ...LoginModifier) khttp.FuncHandler

LoginHandler creates and returns a LoginHandler.

func MakeAuthHandler 

func MakeAuthHandler(a IAuthenticator, handler khttp.FuncHandler) khttp.FuncHandler

MakeAuthHandler turns the specified handler into an AuthHandler.

func MakeLoginHandler 

func MakeLoginHandler(a IAuthenticator, handler khttp.FuncHandler, lm ...LoginModifier) khttp.FuncHandler

MakeLoginHandler turns the specified handler into a LoginHandler.

func Mapper 

func Mapper(a IAuthenticator, mapper kassets.AssetMapper, lm ...LoginModifier) kassets.AssetMapper

Mapper configures all the URLs to redirect to / unless an authentication cookie is provided by the browser. Further, it configures / to redirect and perform oauth authentication.

func SetCredentials 

func SetCredentials(ctx context.Context, creds *CredentialsCookie) context.Context

SetCredentials returns a context with the credentials of the user added. Use GetCredentials to retrieve them later.

func WithCredentials 

func WithCredentials(a IAuthenticator, handler khttp.FuncHandler) khttp.FuncHandler

WithCredentials invokes the handler with the identity of the user supplied in the context.

func WithCredentialsOrError 

func WithCredentialsOrError(a IAuthenticator, handler khttp.FuncHandler) khttp.FuncHandler

WithCredentialsOrError invokes the handler if credentials are available, errors out if not.

func WithCredentialsOrRedirect 

func WithCredentialsOrRedirect(a IAuthenticator, handler khttp.FuncHandler, target string) khttp.FuncHandler

WithCredentialsOrRedirect invokes the handler if credentials are available, or redirects if they are not.

Types

type AuthData 

type AuthData struct {
	Creds      *CredentialsCookie
	Identities []Identity
	Cookie     string
	Target     string
	State      interface{}
}

func (*AuthData) Complete 

func (a *AuthData) Complete() bool

type Authenticate 

type Authenticate func(w http.ResponseWriter, r *http.Request, rurl *url.URL) (*CredentialsCookie, error)

Authenticate parses the request received to authenticate the user.

type Authenticator 

type Authenticator struct {
	Extractor
	// contains filtered or unexported fields
}

func New 

func New(rng *rand.Rand, modifiers ...Modifier) (*Authenticator, error)

func (*Authenticator) CredentialsCookie 

func (a *Authenticator) CredentialsCookie(value string, co ...kcookie.Modifier) *http.Cookie

CredentialsCookie will create an http.Cookie object containing the user credentials.

func (*Authenticator) ExtractAuth 

func (a *Authenticator) ExtractAuth(w http.ResponseWriter, r *http.Request) (AuthData, error)

func (*Authenticator) LoginURL 

func (a *Authenticator) LoginURL(target string, state interface{}) (string, []byte, error)

LoginURL computes the URL the user is redirected to to perform login.

After the user authenticates, it is redirected back to URL set as auth handler, which verifies the credentials, and creates the authentication cookie.

At this point, either the auth handler returns a page directly (for example, when you set up your own handler with MakeAuthHandler), or, if a target parameter is set, the user is redirected to the configured target.

State is not used by the auth handler. You can basically pass anything you like and have it forwarded to you at the end of the authentication.

Returns: the url to use, a secure token, and nil or an error, in order.

func (*Authenticator) PerformAuth 

func (a *Authenticator) PerformAuth(w http.ResponseWriter, r *http.Request, co ...kcookie.Modifier) (AuthData, error)

PerformAuth implements the logic to handle an oauth request from an oauth provider.

func (*Authenticator) PerformLogin 

func (a *Authenticator) PerformLogin(w http.ResponseWriter, r *http.Request, lm ...LoginModifier) error

PerformLogin writes the response to the request to actually perform the login.

func (*Authenticator) SetAuthCookie 

func (a *Authenticator) SetAuthCookie(ad AuthData, w http.ResponseWriter, co ...kcookie.Modifier) (AuthData, error)

Legacy method for SetCredentialsOnResponse.

type Credentials 

type Credentials struct {
	ID     string `json:"id"`
	Secret string `json:"secret"`
}

Credentials structs are generally read from json files. They contain the oauth credentials used by the remote service to recognize the client.

type CredentialsCookie 

type CredentialsCookie struct {
	Identity Identity
	Token    oauth2.Token
}

CredentialsCookie is what is encrypted/decrypted in the cookie itself. Identity represents the identity of the user. Token represents the data that was obtained through oauth authentication.

Note that Token could be empty/undefined if the credentials were not certificate via oauth - by using, for example, email authentication.

func GetCredentials 

func GetCredentials(ctx context.Context) *CredentialsCookie

GetCredentials returns the credentials of a user extracted from an authentication cookie. Returns nil if the context has no credentials.

type CredentialsMeta 

type CredentialsMeta struct {
	context.Context
}

func (CredentialsMeta) Expires 

func (ctx CredentialsMeta) Expires() time.Time

func (CredentialsMeta) Issued 

func (ctx CredentialsMeta) Issued() time.Time

func (CredentialsMeta) Max 

func (ctx CredentialsMeta) Max() time.Time

func (CredentialsMeta) Version 

func (ctx CredentialsMeta) Version() int

type Extractor 

type Extractor struct {
	// contains filtered or unexported fields
}

Extractor is an object capable of extracting and verifying authentication information.

func NewExtractor 

func NewExtractor(modifiers ...Modifier) (*Extractor, error)

func (*Extractor) CredentialsCookieName 

func (a *Extractor) CredentialsCookieName() string

CredentialsCookieName returns the name of the cookie maintaing the set of user credentials.

This cookie is the one used to determine what the user can and cannot do on the UI.

func (*Extractor) EncodeCredentials 

func (a *Extractor) EncodeCredentials(creds CredentialsCookie) (string, error)

EncodeCredentials generates a string containing a CredentialsCookie.

func (*Extractor) GetCredentialsFromRequest 

func (a *Extractor) GetCredentialsFromRequest(r *http.Request) (*CredentialsCookie, string, error)

GetCredentialsFromRequest will parse and validate the credentials in an http request.

If successful, it will return a CredentialsCookie pointer and the string content of the cookie. If no credentials, or invalid credentials, an error is returned with nil credentials and no cookie.

func (*Extractor) ParseCredentialsCookie 

func (a *Extractor) ParseCredentialsCookie(cookie string) (CredentialsMeta, *CredentialsCookie, error)

ParseCredentialsCookie parses a string containing a CredentialsCookie, and returns the corresponding object.

func (*Extractor) PrepareCredentialsCookie 

func (a *Extractor) PrepareCredentialsCookie(ad AuthData, co ...kcookie.Modifier) (AuthData, *http.Cookie, error)

func (*Extractor) SetCredentialsOnResponse 

func (a *Extractor) SetCredentialsOnResponse(ad AuthData, w http.ResponseWriter, co ...kcookie.Modifier) (AuthData, error)

type ExtractorFlags 

type ExtractorFlags struct {
	// Version of the cookie format.
	Version int

	// Prefix to be prepended to the name of the cookie used.
	BaseCookie string

	SymmetricKey      []byte
	TokenVerifyingKey []byte

	// When generating credentials, how long should the token be valid for?
	LoginTime time.Duration
	// When checking credentials, tokens older than MaxLoginTime will be
	// rejected no matter what.
	MaxLoginTime time.Duration
}

func DefaultExtractorFlags 

func DefaultExtractorFlags() *ExtractorFlags

func (*ExtractorFlags) Register 

func (f *ExtractorFlags) Register(set kflags.FlagSet, prefix string) *ExtractorFlags

type Flags 

type Flags struct {
	*SigningExtractorFlags

	// The URL at the end of the oauth authentication process.
	TargetURL string

	// A buffer containing a JSON file with the Credentials struct (below).
	// This is passed to WithFileSecrets().
	OauthSecretJSON []byte

	// Alternative to OauthSecretJSON, OauthSecretID and OauthSecretKey can be used.
	OauthSecretID  string
	OauthSecretKey string

	// A JSON file containing all the details of the oauth provider to use.
	// See the jsonAuth struct below.
	OAuthFile []byte

	// How long is the token used to authenticate with the oauth servers.
	// Limit the total time a login can take.
	AuthTime time.Duration
}

Flags defines the basic configuration parameters to run the oauth cycle.

Use Flags if you have your own code to handle the specific oauth provider. To allow the configuration and use of one of the providers this library supports, use providers.ProviderFlags.

To pass Flags to one of the constructurs, use `WithFlags`.

func DefaultFlags 

func DefaultFlags() *Flags

func (*Flags) Register 

func (f *Flags) Register(set kflags.FlagSet, prefix string) *Flags

type IAuthenticator 

type IAuthenticator interface {
	PerformLogin(w http.ResponseWriter, r *http.Request, lm ...LoginModifier) error
	PerformAuth(w http.ResponseWriter, r *http.Request, mods ...kcookie.Modifier) (AuthData, error)
	GetCredentialsFromRequest(r *http.Request) (*CredentialsCookie, string, error)
}

An IAuthenticator is any object capable of performing authentication for a web server.

type Identity 

type Identity struct {
	Id           string
	Username     string
	Organization string
	Groups       []string
}

func (*Identity) CertMod 

func (i *Identity) CertMod() kcerts.CertMod

func (*Identity) GlobalName 

func (i *Identity) GlobalName() string

func (*Identity) Valid 

func (i *Identity) Valid() bool

type LoginModifier 

type LoginModifier func(*LoginOptions)

func WithCookieOptions 

func WithCookieOptions(mod ...kcookie.Modifier) LoginModifier

func WithState 

func WithState(state interface{}) LoginModifier

func WithTarget 

func WithTarget(target string) LoginModifier

func WithTemplateData 

func WithTemplateData(data map[string]interface{}) LoginModifier

type LoginModifiers 

type LoginModifiers []LoginModifier

func (LoginModifiers) Apply 

func (lm LoginModifiers) Apply(lo *LoginOptions) *LoginOptions

type LoginOptions 

type LoginOptions struct {
	CookieOptions kcookie.Modifiers
	Target        string
	State         interface{}
	TemplateData  map[string]interface{}
}

type LoginState 

type LoginState struct {
	Secret []byte
	Target string
	State  interface{}
}

type Modifier 

type Modifier func(auth *Options) error

func WithAuthTime 

func WithAuthTime(at time.Duration) Modifier

func WithAuthURL 

func WithAuthURL(url *url.URL) Modifier

func WithCookiePrefix 

func WithCookiePrefix(prefix string) Modifier

func WithEndpoint 

func WithEndpoint(endpoint oauth2.Endpoint) Modifier

func WithExtractorFlags 

func WithExtractorFlags(fl *ExtractorFlags) Modifier

func WithFactory 

func WithFactory(factory VerifierFactory) Modifier

WithFactory configures a validation factory.

Mandatory. Must be invoked after secrets have been configured.

func WithFlags 

func WithFlags(fl *Flags) Modifier

func WithLogging 

func WithLogging(log logger.Logger) Modifier

func WithLoginTime 

func WithLoginTime(lt time.Duration) Modifier

func WithMaxLoginTime 

func WithMaxLoginTime(lt time.Duration) Modifier

func WithModifiers 

func WithModifiers(mods ...Modifier) Modifier

func WithOAuthFile 

func WithOAuthFile(fileContent []byte) Modifier

func WithRedirectorFlags 

func WithRedirectorFlags(fl *RedirectorFlags) Modifier

func WithRng 

func WithRng(rng *rand.Rand) Modifier

func WithScopes 

func WithScopes(scopes []string) Modifier

func WithSecretFile 

func WithSecretFile(path string) Modifier

func WithSecretJSON 

func WithSecretJSON(data []byte) Modifier

func WithSecrets 

func WithSecrets(cid, csecret string) Modifier

func WithSigningExtractorFlags 

func WithSigningExtractorFlags(fl *SigningExtractorFlags) Modifier

func WithSigningOptions 

func WithSigningOptions(mods ...token.SigningSetter) Modifier

func WithSymmetricOptions 

func WithSymmetricOptions(mods ...token.SymmetricSetter) Modifier

func WithTargetURL 

func WithTargetURL(url string) Modifier

func WithVersion 

func WithVersion(version int) Modifier

type Modifiers 

type Modifiers []Modifier

func (Modifiers) Apply 

func (mods Modifiers) Apply(o *Options) error

type MultiOAuthState 

type MultiOAuthState struct {
	CurrentFlow   int
	OptIdentities []Identity
	Extra         interface{}
}

type MultiOauth 

type MultiOauth struct {
	RequiredAuth   *Authenticator
	OptAuth        []*Authenticator
	Enc            []*token.TypeEncoder
	LoginModifiers []LoginModifier
}

func NewMultiOAuth 

func NewMultiOAuth(rng *rand.Rand, required *Authenticator, opts ...*Authenticator) *MultiOauth

func (*MultiOauth) GetCredentialsFromRequest 

func (mo *MultiOauth) GetCredentialsFromRequest(r *http.Request) (*CredentialsCookie, string, error)

func (*MultiOauth) NewState 

func (mo *MultiOauth) NewState(Extra interface{}) *MultiOAuthState

func (*MultiOauth) PerformAuth 

func (mo *MultiOauth) PerformAuth(w http.ResponseWriter, r *http.Request, mods ...kcookie.Modifier) (AuthData, error)

func (*MultiOauth) PerformLogin 

func (mo *MultiOauth) PerformLogin(w http.ResponseWriter, r *http.Request, lm ...LoginModifier) error

type OptionalVerifier 

type OptionalVerifier struct {
	// contains filtered or unexported fields
}

func (*OptionalVerifier) Scopes 

func (ov *OptionalVerifier) Scopes() []string

func (*OptionalVerifier) Verify 

func (ov *OptionalVerifier) Verify(log logger.Logger, identity *Identity, tok *oauth2.Token) (*Identity, error)

type Options 

type Options struct {
	// contains filtered or unexported fields
}

func DefaultOptions 

func DefaultOptions(rng *rand.Rand) Options

func (*Options) GetCallbackURL 

func (o *Options) GetCallbackURL() *url.URL

func (*Options) GetLoginTime 

func (o *Options) GetLoginTime() time.Duration

func (*Options) NewAuthenticator 

func (opt *Options) NewAuthenticator() (*Authenticator, error)

func (*Options) NewExtractor 

func (opt *Options) NewExtractor() (*Extractor, error)

NewExtractor creates either a simple Extractor, or a SigningExtractor.

An Extractor is an object able to parse and extract data from a signed and encrypted cookie.

A SigningExtractor is just like an extractor, except it is also capable of generating new signing cookies.

func (*Options) NewRedirector 

func (opt *Options) NewRedirector() (*Redirector, error)

type Redirector 

type Redirector struct {
	*Extractor

	// If user does not have authentication cookie, redirect user to this URL to get one.
	AuthURL *url.URL
	// After successful authentication via redirection, send user back here by default.
	DefaultTarget string
}

Redirector is an extractor capable of redirecting to an authentication server for login.

func NewRedirector 

func NewRedirector(modifiers ...Modifier) (*Redirector, error)

func (*Redirector) Authenticate 

func (as *Redirector) Authenticate(w http.ResponseWriter, r *http.Request, rurl *url.URL) (*CredentialsCookie, error)

func (*Redirector) PerformAuth 

func (as *Redirector) PerformAuth(w http.ResponseWriter, r *http.Request, mods ...kcookie.Modifier) (AuthData, error)

func (*Redirector) PerformLogin 

func (as *Redirector) PerformLogin(w http.ResponseWriter, r *http.Request, lm ...LoginModifier) error

type RedirectorFlags 

type RedirectorFlags struct {
	*ExtractorFlags
	AuthURL string
}

func DefaultRedirectorFlags 

func DefaultRedirectorFlags() *RedirectorFlags

func (*RedirectorFlags) Register 

func (rf *RedirectorFlags) Register(set kflags.FlagSet, prefix string) *RedirectorFlags

type SigningExtractorFlags 

type SigningExtractorFlags struct {
	*ExtractorFlags

	// Keys used to generate signed tokens.
	TokenSigningKey []byte
}

func DefaultSigningExtractorFlags 

func DefaultSigningExtractorFlags() *SigningExtractorFlags

func (*SigningExtractorFlags) Register 

func (f *SigningExtractorFlags) Register(set kflags.FlagSet, prefix string) *SigningExtractorFlags

type Verifier 

type Verifier interface {
	Scopes() []string
	Verify(log logger.Logger, identity *Identity, tok *oauth2.Token) (*Identity, error)
}

Verifier is an object capable of verifying an oauth2.Token after obtaining it.

Verifiers can also add information retrieved from the remote provider to the identity, using some provider specific mechanisms.

For example, they can check if a domain matches a list of allowed domains, or retrieve a list of groups and add them as part of the user identity.

type VerifierFactory 

type VerifierFactory func(conf *oauth2.Config) (Verifier, error)

func NewOptionalVerifierFactory 

func NewOptionalVerifierFactory(factory VerifierFactory) VerifierFactory

Source Files

View all Source files

Directories

Path Synopsis
Collection of utilities to more easily compose cookies.
 Collection of utilities to more easily compose cookies.
Package providers provides functions to configure and use the providers supported out of the box by the enkit oauth library: google and github.
 Package providers provides functions to configure and use the providers supported out of the box by the enkit oauth library: google and github.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.