* databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add 
gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add 
databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)
// Package identity provides support for making OpenID Connect (OIDC)
|
|
// and OAuth2 authenticated HTTP requests with third party identity providers.
|
|
package identity
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/url"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
"github.com/pomerium/pomerium/internal/identity/oauth"
|
|
"github.com/pomerium/pomerium/internal/identity/oauth/github"
|
|
"github.com/pomerium/pomerium/internal/identity/oidc"
|
|
"github.com/pomerium/pomerium/internal/identity/oidc/azure"
|
|
"github.com/pomerium/pomerium/internal/identity/oidc/gitlab"
|
|
"github.com/pomerium/pomerium/internal/identity/oidc/google"
|
|
"github.com/pomerium/pomerium/internal/identity/oidc/okta"
|
|
"github.com/pomerium/pomerium/internal/identity/oidc/onelogin"
|
|
)
|
|
|
|
var (
	// Compile-time assertions that every provider type satisfies
	// Authenticator. A typed nil pointer is all the check needs; unlike a
	// composite literal it allocates nothing at package init.
	_ Authenticator = (*azure.Provider)(nil)
	_ Authenticator = (*github.Provider)(nil)
	_ Authenticator = (*gitlab.Provider)(nil)
	_ Authenticator = (*google.Provider)(nil)
	_ Authenticator = (*MockProvider)(nil)
	_ Authenticator = (*oidc.Provider)(nil)
	_ Authenticator = (*okta.Provider)(nil)
	_ Authenticator = (*onelogin.Provider)(nil)
)
|
|
|
|
// Authenticator is an interface representing the ability to authenticate with an identity provider.
//
// Every provider constructed by NewAuthenticator (azure, github, gitlab,
// google, oidc, okta, onelogin) as well as MockProvider implements it. The
// untyped (interface{}) arguments carry provider-specific data; their
// concrete shape is fixed by each implementation, not by this interface.
type Authenticator interface {
	// Authenticate completes a sign-in with the provider and returns the
	// resulting OAuth2 token. s and v are provider-specific inputs
	// (NOTE(review): for the OAuth2/OIDC providers s is presumably the
	// authorization code from the callback — confirm against each
	// implementation).
	Authenticate(ctx context.Context, s string, v interface{}) (*oauth2.Token, error)
	// Refresh returns a new token derived from t; v is provider-specific.
	Refresh(ctx context.Context, t *oauth2.Token, v interface{}) (*oauth2.Token, error)
	// Revoke invalidates t with the provider.
	Revoke(ctx context.Context, t *oauth2.Token) error
	// GetSignInURL returns the URL that starts a sign-in; state is the
	// opaque value the caller wants echoed back on the callback.
	GetSignInURL(state string) string
	// LogOut returns the URL to send the user to on sign-out (presumably
	// the provider's end-session endpoint — implementation-specific).
	LogOut() (*url.URL, error)
	// UpdateUserInfo populates v with the provider's information about the
	// user that t belongs to.
	UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error
}
|
|
|
|
// NewAuthenticator returns a new identity provider based on its name.
//
// The provider is chosen by o.ProviderName, which must equal one of the
// registered providers' Name constants; any other value is rejected with an
// "identity: unknown provider" error. Each constructor receives a pointer to
// this function's own copy of o, so the caller's Options value is never
// retained or mutated. Construction runs under context.Background(), so it
// cannot be cancelled by the caller.
func NewAuthenticator(o oauth.Options) (a Authenticator, err error) {
	ctx := context.Background()
	opts := &o

	switch name := o.ProviderName; name {
	case azure.Name:
		a, err = azure.New(ctx, opts)
	case gitlab.Name:
		a, err = gitlab.New(ctx, opts)
	case github.Name:
		a, err = github.New(ctx, opts)
	case google.Name:
		a, err = google.New(ctx, opts)
	case oidc.Name:
		a, err = oidc.New(ctx, opts)
	case okta.Name:
		a, err = okta.New(ctx, opts)
	case onelogin.Name:
		a, err = onelogin.New(ctx, opts)
	default:
		return nil, fmt.Errorf("identity: unknown provider: %s", name)
	}

	// Return a literal nil on failure: a constructor that hands back a typed
	// nil pointer would otherwise leave a as a non-nil interface value.
	if err != nil {
		return nil, err
	}
	return a, nil
}
|