core/identity: dynamic authenticator registration (#5105)
This commit is contained in:
parent
4031f4a962
commit
d225288ab3
63 changed files with 141 additions and 135 deletions
|
@ -3,8 +3,8 @@ package authenticate
|
|||
import (
|
||||
"github.com/pomerium/pomerium/authenticate/events"
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
type authenticateConfig struct {
|
||||
|
|
|
@ -18,14 +18,14 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/authenticateflow"
|
||||
"github.com/pomerium/pomerium/internal/handlers"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/middleware"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/telemetry/trace"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
// Handler returns the authenticate service's handler chain.
|
||||
|
|
|
@ -28,8 +28,6 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/encoding/mock"
|
||||
"github.com/pomerium/pomerium/internal/handlers"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
mstore "github.com/pomerium/pomerium/internal/sessions/mock"
|
||||
"github.com/pomerium/pomerium/internal/testutil"
|
||||
|
@ -37,6 +35,8 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
configproto "github.com/pomerium/pomerium/pkg/grpc/config"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
func testAuthenticate() *Authenticate {
|
||||
|
|
|
@ -2,9 +2,9 @@ package authenticate
|
|||
|
||||
import (
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
func defaultGetIdentityProvider(options *config.Options, idpID string) (identity.Authenticator, error) {
|
||||
|
|
|
@ -15,11 +15,11 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/encoding"
|
||||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/handlers"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/sessions/cookie"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
type flow interface {
|
||||
|
|
|
@ -27,8 +27,6 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||
"github.com/pomerium/pomerium/internal/hashutil"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth/apple"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/sets"
|
||||
"github.com/pomerium/pomerium/internal/telemetry"
|
||||
|
@ -38,6 +36,8 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/grpc/config"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/crypt"
|
||||
"github.com/pomerium/pomerium/pkg/hpke"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth/apple"
|
||||
)
|
||||
|
||||
// DisableHeaderKey is the key used to check whether to disable setting header
|
||||
|
|
|
@ -25,9 +25,9 @@ import (
|
|||
"google.golang.org/protobuf/proto"
|
||||
|
||||
"github.com/pomerium/csrf"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth/apple"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/config"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth/apple"
|
||||
)
|
||||
|
||||
var cmpOptIgnoreUnexported = cmpopts.IgnoreUnexported(Options{}, Policy{})
|
||||
|
|
|
@ -17,11 +17,11 @@ import (
|
|||
"google.golang.org/protobuf/types/known/durationpb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/hashutil"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
// Policy contains route specific configuration and access settings.
|
||||
|
|
|
@ -17,9 +17,6 @@ import (
|
|||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||
"github.com/pomerium/pomerium/internal/events"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/legacymanager"
|
||||
"github.com/pomerium/pomerium/internal/identity/manager"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/telemetry"
|
||||
"github.com/pomerium/pomerium/internal/version"
|
||||
|
@ -28,6 +25,9 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/registry"
|
||||
"github.com/pomerium/pomerium/pkg/grpcutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/legacymanager"
|
||||
"github.com/pomerium/pomerium/pkg/identity/manager"
|
||||
)
|
||||
|
||||
// DataBroker represents the databroker service. The databroker service is a simple interface
|
||||
|
|
|
@ -8,9 +8,9 @@ import (
|
|||
|
||||
"google.golang.org/protobuf/types/known/structpb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
|
||||
|
|
|
@ -15,13 +15,13 @@ import (
|
|||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/manager"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||
identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/manager"
|
||||
)
|
||||
|
||||
// An "identity profile" is an alternative to a session, used in the stateless
|
||||
|
|
|
@ -17,8 +17,6 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/handlers"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/manager"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
|
@ -28,6 +26,8 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/grpcutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/manager"
|
||||
)
|
||||
|
||||
// Stateful implements the stateful authentication flow. In this flow, the
|
||||
|
|
|
@ -23,7 +23,6 @@ import (
|
|||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/encoding"
|
||||
"github.com/pomerium/pomerium/internal/encoding/mock"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
mstore "github.com/pomerium/pomerium/internal/sessions/mock"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
|
@ -31,6 +30,7 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker/mock_databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/protoutil"
|
||||
)
|
||||
|
||||
|
|
|
@ -18,7 +18,6 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/encoding/jws"
|
||||
"github.com/pomerium/pomerium/internal/handlers"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
|
@ -29,6 +28,7 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/hpke"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
// Stateless implements the stateless authentication flow. In this flow, the
|
||||
|
|
|
@ -1,74 +0,0 @@
|
|||
// Package identity provides support for making OpenID Connect (OIDC)
|
||||
// and OAuth2 authenticated HTTP requests with third party identity providers.
|
||||
package identity
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth/apple"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth/github"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/auth0"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/azure"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/cognito"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/gitlab"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/google"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/okta"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/onelogin"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc/ping"
|
||||
)
|
||||
|
||||
// Authenticator is an interface representing the ability to authenticate with an identity provider.
|
||||
type Authenticator interface {
|
||||
Authenticate(context.Context, string, identity.State) (*oauth2.Token, error)
|
||||
Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error)
|
||||
Revoke(context.Context, *oauth2.Token) error
|
||||
Name() string
|
||||
UpdateUserInfo(ctx context.Context, t *oauth2.Token, v any) error
|
||||
|
||||
SignIn(w http.ResponseWriter, r *http.Request, state string) error
|
||||
SignOut(w http.ResponseWriter, r *http.Request, idTokenHint, authenticateSignedOutURL, redirectToURL string) error
|
||||
}
|
||||
|
||||
// NewAuthenticator returns a new identity provider based on its name.
|
||||
func NewAuthenticator(o oauth.Options) (a Authenticator, err error) {
|
||||
ctx := context.Background()
|
||||
switch o.ProviderName {
|
||||
case apple.Name:
|
||||
a, err = apple.New(ctx, &o)
|
||||
case auth0.Name:
|
||||
a, err = auth0.New(ctx, &o)
|
||||
case azure.Name:
|
||||
a, err = azure.New(ctx, &o)
|
||||
case gitlab.Name:
|
||||
a, err = gitlab.New(ctx, &o)
|
||||
case github.Name:
|
||||
a, err = github.New(ctx, &o)
|
||||
case google.Name:
|
||||
a, err = google.New(ctx, &o)
|
||||
case oidc.Name:
|
||||
a, err = oidc.New(ctx, &o)
|
||||
case okta.Name:
|
||||
a, err = okta.New(ctx, &o)
|
||||
case onelogin.Name:
|
||||
a, err = onelogin.New(ctx, &o)
|
||||
case ping.Name:
|
||||
a, err = ping.New(ctx, &o)
|
||||
case cognito.Name:
|
||||
a, err = cognito.New(ctx, &o)
|
||||
case "":
|
||||
return nil, fmt.Errorf("identity: provider is not defined")
|
||||
default:
|
||||
return nil, fmt.Errorf("identity: unknown provider: %s", o.ProviderName)
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return a, nil
|
||||
}
|
|
@ -11,8 +11,8 @@ import (
|
|||
"google.golang.org/protobuf/types/known/structpb"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/protoutil"
|
||||
"github.com/pomerium/pomerium/pkg/slices"
|
||||
)
|
||||
|
|
|
@ -9,8 +9,8 @@ import (
|
|||
"google.golang.org/protobuf/types/known/structpb"
|
||||
timestamppb "google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/slices"
|
||||
)
|
||||
|
||||
|
|
|
@ -7,9 +7,9 @@ import (
|
|||
"github.com/google/btree"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
const userRefreshInterval = 10 * time.Minute
|
|
@ -18,7 +18,6 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||
"github.com/pomerium/pomerium/internal/enabler"
|
||||
"github.com/pomerium/pomerium/internal/events"
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/scheduler"
|
||||
"github.com/pomerium/pomerium/internal/telemetry/metrics"
|
||||
|
@ -26,6 +25,7 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/grpcutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
metrics_ids "github.com/pomerium/pomerium/pkg/metrics"
|
||||
)
|
||||
|
|
@ -17,11 +17,11 @@ import (
|
|||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/events"
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker/mock_databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
metrics_ids "github.com/pomerium/pomerium/pkg/metrics"
|
||||
"github.com/pomerium/pomerium/pkg/protoutil"
|
||||
)
|
|
@ -7,9 +7,9 @@ import (
|
|||
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
)
|
||||
|
||||
func nextSessionRefresh(
|
|
@ -18,13 +18,13 @@ import (
|
|||
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||
"github.com/pomerium/pomerium/internal/enabler"
|
||||
"github.com/pomerium/pomerium/internal/events"
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/telemetry/metrics"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/session"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
"github.com/pomerium/pomerium/pkg/grpcutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
metrics_ids "github.com/pomerium/pomerium/pkg/metrics"
|
||||
)
|
||||
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
)
|
||||
|
||||
type mockAuthenticator struct {
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
)
|
||||
|
||||
// MockProvider provides a mocked implementation of the providers interface.
|
|
@ -16,11 +16,11 @@ import (
|
|||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/internal/version"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
// Name identifies the apple identity provider.
|
|
@ -17,12 +17,12 @@ import (
|
|||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/internal/version"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
// Name identifies the GitHub identity provider
|
||||
|
@ -36,7 +36,7 @@ const (
|
|||
emailPath = "/user/emails"
|
||||
// https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps
|
||||
authURL = "/login/oauth/authorize"
|
||||
tokenURL = "/login/oauth/access_token"
|
||||
tokenURL = "/login/oauth/access_token" //nolint:gosec
|
||||
|
||||
// since github doesn't implement oidc, we need this to refresh the user session
|
||||
refreshDeadline = time.Minute * 60
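Review bot: The `//nolint:gosec` added to the `tokenURL` constant suppresses a linter finding without saying which rule or why, which is the pattern nolintlint flags and the next reader has to re-derive. Presumably this is the hardcoded-credentials check tripping on the `token` prefix of the name, and the value is a URL path rather than a secret; if so, name the rule and the reason on the directive, e.g. `tokenURL = "/login/oauth/access_token" //nolint:gosec // G101 false positive: a URL path, not a credential`. This keeps the suppression auditable and lets a stricter nolint configuration pass. The enclosing `const` block starts before this hunk.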
|
|
@ -11,9 +11,9 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
const (
|
|
@ -12,7 +12,7 @@ import (
|
|||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
func TestProvider(t *testing.T) {
|
|
@ -14,8 +14,8 @@ import (
|
|||
go_oidc "github.com/coreos/go-oidc/v3/oidc"
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
// Name identifies the Azure identity provider
|
|
@ -7,7 +7,7 @@ import (
|
|||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
func TestAuthCodeOptions(t *testing.T) {
|
|
@ -8,9 +8,9 @@ import (
|
|||
"net/url"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
var defaultScopes = []string{"openid", "email", "profile"}
|
|
@ -12,7 +12,7 @@ import (
|
|||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
func TestProvider(t *testing.T) {
|
|
@ -9,8 +9,8 @@ import (
|
|||
|
||||
"github.com/coreos/go-oidc/v3/oidc"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
// Name identifies the GitLab identity provider.
|
|
@ -10,8 +10,8 @@ import (
|
|||
|
||||
oidc "github.com/coreos/go-oidc/v3/oidc"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
const (
|
|
@ -7,7 +7,7 @@ import (
|
|||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
func TestAuthCodeOptions(t *testing.T) {
|
|
@ -16,10 +16,10 @@ import (
|
|||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/identity/identity"
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/internal/version"
|
||||
"github.com/pomerium/pomerium/pkg/identity/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
// Name identifies the generic OpenID Connect provider.
|
|
@ -13,7 +13,7 @@ import (
|
|||
"github.com/stretchr/testify/require"
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
)
|
||||
|
||||
func TestRevoke(t *testing.T) {
|
|
@ -7,8 +7,8 @@ import (
|
|||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
const (
|
|
@ -10,8 +10,8 @@ import (
|
|||
|
||||
oidc "github.com/coreos/go-oidc/v3/oidc"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
const (
|
|
@ -7,8 +7,8 @@ import (
|
|||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
|
||||
"github.com/pomerium/pomerium/pkg/identity/oauth"
|
||||
pom_oidc "github.com/pomerium/pomerium/pkg/identity/oidc"
|
||||
)
|
||||
|
||||
const (
|
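--- /dev/null
+++ b/pkg/identity/providers.go
@@ -0,0 +1,80 @@
+// Package identity provides support for making OpenID Connect (OIDC)
+// and OAuth2 authenticated HTTP requests with third party identity providers.
+package identity
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"golang.org/x/oauth2"
+
+	"github.com/pomerium/pomerium/pkg/identity/identity"
+	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/identity/oauth/apple"
+	"github.com/pomerium/pomerium/pkg/identity/oauth/github"
+	"github.com/pomerium/pomerium/pkg/identity/oidc"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/auth0"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/azure"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/cognito"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/gitlab"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/google"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/okta"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/onelogin"
+	"github.com/pomerium/pomerium/pkg/identity/oidc/ping"
+)
+
+// State is the identity state.
+type State = identity.State
+
+// Authenticator is an interface representing the ability to authenticate with an identity provider.
+type Authenticator interface {
+	Authenticate(context.Context, string, State) (*oauth2.Token, error)
+	Refresh(context.Context, *oauth2.Token, State) (*oauth2.Token, error)
+	Revoke(context.Context, *oauth2.Token) error
+	Name() string
+	UpdateUserInfo(ctx context.Context, t *oauth2.Token, v any) error
+
+	SignIn(w http.ResponseWriter, r *http.Request, state string) error
+	SignOut(w http.ResponseWriter, r *http.Request, idTokenHint, authenticateSignedOutURL, redirectToURL string) error
+}
+
+// AuthenticatorConstructor makes an Authenticator from the given options.
+type AuthenticatorConstructor func(context.Context, *oauth.Options) (Authenticator, error)
+
+var registry = map[string]AuthenticatorConstructor{}
+
+// RegisterAuthenticator registers a new Authenticator.
+func RegisterAuthenticator(name string, ctor AuthenticatorConstructor) {
+	registry[name] = ctor
+}
+
+func init() {
+	RegisterAuthenticator(apple.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return apple.New(ctx, o) })
+	RegisterAuthenticator(auth0.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return auth0.New(ctx, o) })
+	RegisterAuthenticator(azure.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return azure.New(ctx, o) })
+	RegisterAuthenticator(cognito.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return cognito.New(ctx, o) })
+	RegisterAuthenticator(github.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return github.New(ctx, o) })
+	RegisterAuthenticator(gitlab.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return gitlab.New(ctx, o) })
+	RegisterAuthenticator(google.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return google.New(ctx, o) })
+	RegisterAuthenticator(oidc.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return oidc.New(ctx, o) })
+	RegisterAuthenticator(okta.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return okta.New(ctx, o) })
+	RegisterAuthenticator(onelogin.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return onelogin.New(ctx, o) })
+	RegisterAuthenticator(ping.Name, func(ctx context.Context, o *oauth.Options) (Authenticator, error) { return ping.New(ctx, o) })
+}
+
+// NewAuthenticator returns a new identity provider based on its name.
+func NewAuthenticator(o oauth.Options) (a Authenticator, err error) {
+	ctx := context.Background()
+
+	if o.ProviderName == "" {
+		return nil, fmt.Errorf("identity: provider is not defined")
+	}
+
+	ctor, ok := registry[o.ProviderName]
+	if !ok {
+		return nil, fmt.Errorf("identity: unknown provider: %s", o.ProviderName)
+	}
+
+	return ctor(ctx, &o)
+}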
|