auth

package
v0.24.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 10, 2025 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Cloud Security Client Go contributors

SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Cloud Security Client Go contributors

SPDX-License-Identifier: Apache-2.0

Index

Constants

This section is empty.

Variables

View Source 
var ErrClaimNotExists = errors.New("claim does not exist in the token")

ErrClaimNotExists shows that the requested custom claim does not exist in the token

View Source 
var ErrNoClientCert = errors.New("there is no x509 client certificate provided")

Functions

func DefaultErrorHandler 

func DefaultErrorHandler(w http.ResponseWriter, _ *http.Request, err error)

DefaultErrorHandler responds with the error and HTTP status 401

Types

type Certificate added in v0.12.0 

type Certificate struct {
	// contains filtered or unexported fields
}

Certificate is the public API to access claims of the X509 client certificate.

func ClientCertificateFromCtx added in v0.12.0 

func ClientCertificateFromCtx(r *http.Request) (*Certificate, bool)

ClientCertificateFromCtx retrieves the X.509 client certificate of a request which have been injected before via the auth middleware

func (*Certificate) GetThumbprint added in v0.12.0 

func (c *Certificate) GetThumbprint() string

GetThumbprint returns the thumbprint without padding.

type ContextKey added in v0.5.4 

type ContextKey int

The ContextKey type is used as a key for library related values in the go context. See also TokenCtxKey 

const (
	TokenCtxKey             ContextKey = 0
	ClientCertificateCtxKey ContextKey = 1
)

TokenCtxKey is the key that holds the authorization value (*OIDCClaims) in the request context ClientCertificateCtxKey is the key that holds the x509 client certificate in the request context

type ErrorHandler added in v0.5.2 

type ErrorHandler func(w http.ResponseWriter, r *http.Request, err error)

ErrorHandler is the type for the Error Handler which is called on unsuccessful token validation and if the AuthenticationHandler middleware func is used

type Middleware added in v0.5.4 

type Middleware struct {
	// contains filtered or unexported fields
}

Middleware is the main entrypoint to the authn client library, instantiate with NewMiddleware. It holds information about the oAuth config and configured options. Use either the ready to use AuthenticationHandler as a middleware or implement your own middleware with the help of Authenticate.

func NewMiddleware added in v0.5.4 

func NewMiddleware(identity env.Identity, options Options) *Middleware

NewMiddleware instantiates a new Middleware with defaults for not provided Options.

func (*Middleware) Authenticate added in v0.5.4 

func (m *Middleware) Authenticate(r *http.Request) (Token, error)

Authenticate authenticates a request and returns the Token if validation was successful, otherwise error is returned

func (*Middleware) AuthenticateWithProofOfPossession added in v0.12.0 

func (m *Middleware) AuthenticateWithProofOfPossession(r *http.Request) (Token, *Certificate, error)

AuthenticateWithProofOfPossession authenticates a request and returns the Token and the client certificate if validation was successful, otherwise error is returned

func (*Middleware) AuthenticationHandler added in v0.5.4 

func (m *Middleware) AuthenticationHandler(next http.Handler) http.Handler

AuthenticationHandler authenticates a request and injects the claims into the request context. If the authentication (see Authenticate) does not succeed, the specified error handler (see Options.ErrorHandler) will be called and the current request will stop. In case of successful authentication the request context is enriched with the token, as well as the client certificate (if given).

func (*Middleware) ClearCache added in v0.5.4 

func (m *Middleware) ClearCache()

ClearCache clears the entire storage of cached oidc tenants including their JWKs

func (*Middleware) GetTokenFlows added in v0.12.0 

func (m *Middleware) GetTokenFlows() (*tokenclient.TokenFlows, error)

GetTokenFlows creates or returns TokenFlows, otherwise error is returned

func (*Middleware) ParseAndValidateJWT added in v0.23.0 

func (m *Middleware) ParseAndValidateJWT(rawToken string) (Token, error)

ParseAndValidateJWT parses the token into its claims, verifies the claims and verifies the signature

type Options 

type Options struct {
	ErrorHandler ErrorHandler // ErrorHandler called if the jwt verification fails and the AuthenticationHandler middleware func is used. Default: DefaultErrorHandler
	HTTPClient   *http.Client // HTTPClient which is used for OIDC discovery and to retrieve JWKs (JSON Web Keys). Default: basic http.Client with a timeout of 15 seconds
}

Options can be used as a argument to instantiate a AuthMiddle with NewMiddleware.

type Token added in v0.8.0 

type Token struct {
	// contains filtered or unexported fields
}

func NewToken added in v0.8.1 

func NewToken(encodedToken string) (Token, error)

NewToken creates a Token from an encoded jwt. !!! WARNING !!! No validation done when creating a Token this way. Use only in tests!

func TokenFromCtx added in v0.8.0 

func TokenFromCtx(r *http.Request) (Token, bool)

TokenFromCtx retrieves the claims of a request which have been injected before via the auth middleware

func (Token) AppTID added in v0.16.0 

func (t Token) AppTID() string

AppTID returns "app_tid" claim, if it doesn't exist empty string is returned

func (Token) Audience added in v0.8.0 

func (t Token) Audience() []string

Audience returns "aud" claim, if it doesn't exist empty string is returned

func (Token) Azp added in v0.16.0 

func (t Token) Azp() string

Azp returns "azp" claim, if it doesn't exist empty string is returned

func (Token) CustomIssuer added in v0.12.0 

func (t Token) CustomIssuer() string

CustomIssuer returns "iss" claim if it is a custom domain (i.e. "ias_iss" claim available), otherwise empty string is returned

func (Token) Email added in v0.8.0 

func (t Token) Email() string

Email returns "email" claim, if it doesn't exist empty string is returned

func (Token) Expiration added in v0.8.0 

func (t Token) Expiration() time.Time

Expiration returns "exp" claim, if it doesn't exist empty string is returned

func (Token) FamilyName added in v0.8.0 

func (t Token) FamilyName() string

FamilyName returns "family_name" claim, if it doesn't exist empty string is returned

func (Token) GetAllClaimsAsMap added in v0.8.0 

func (t Token) GetAllClaimsAsMap() map[string]interface{}

GetAllClaimsAsMap returns a map of all claims contained in the token. The claim name is case sensitive. Includes also custom claims

func (Token) GetClaimAsMap added in v0.12.0 

func (t Token) GetClaimAsMap(claim string) (map[string]interface{}, error)

GetClaimAsMap returns a map of all members and its values of a custom claim in the token. The member name is case sensitive. Returns error if the claim is not available or not a map

func (Token) GetClaimAsString added in v0.8.0 

func (t Token) GetClaimAsString(claim string) (string, error)

GetClaimAsString returns a custom claim type asserted as string. Returns error if the claim is not available or not a string.

func (Token) GetClaimAsStringSlice added in v0.8.0 

func (t Token) GetClaimAsStringSlice(claim string) ([]string, error)

GetClaimAsStringSlice returns a custom claim type asserted as string slice. The claim name is case-sensitive. Returns error if the claim is not available or not an array

func (Token) GivenName added in v0.8.0 

func (t Token) GivenName() string

GivenName returns "given_name" claim, if it doesn't exist empty string is returned

func (Token) Groups added in v0.19.0 

func (t Token) Groups() []string

Groups returns "groups" claim, if it doesn't exist empty string is returned

func (Token) HasClaim added in v0.12.0 

func (t Token) HasClaim(claim string) bool

HasClaim returns true if the provided claim exists in the token

func (Token) IsExpired added in v0.8.0 

func (t Token) IsExpired() bool

IsExpired returns true, if 'exp' claim + leeway time of 1 minute is before current time

func (Token) IssuedAt added in v0.8.0 

func (t Token) IssuedAt() time.Time

IssuedAt returns "iat" claim, if it doesn't exist empty string is returned

func (Token) Issuer added in v0.8.0 

func (t Token) Issuer() string

Issuer returns token issuer with SAP domain; by default "iss" claim is returned or in case it is a custom domain, "ias_iss" is returned

func (Token) NotBefore added in v0.8.0 

func (t Token) NotBefore() time.Time

NotBefore returns "nbf" claim, if it doesn't exist empty string is returned

func (Token) ScimID added in v0.19.0 

func (t Token) ScimID() string

ScimID returns "scim_id" claim, if it doesn't exist empty string is returned

func (Token) Subject added in v0.8.0 

func (t Token) Subject() string

Subject returns "sub" claim, if it doesn't exist empty string is returned

func (Token) TokenValue added in v0.8.0 

func (t Token) TokenValue() string

TokenValue returns encoded token string

func (Token) UserUUID added in v0.8.0 

func (t Token) UserUUID() string

UserUUID returns "user_uuid" claim, if it doesn't exist empty string is returned

func (Token) ZoneID added in v0.8.0 

func (t Token) ZoneID() string

ZoneID returns "app_tid" claim, if it doesn't exist empty string is returned Deprecated: is replaced by AppTID and will be removed with the next major release

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.