Documentation ¶
Index ¶
- func Exchange(ctx context.Context, issuer, audience, idToken string, opts ...ExchangerOption) (string, error) (deprecated)
- func NewContextTokenSource(ctx context.Context, ts oauth2.TokenSource, xchg Exchanger) oauth2.TokenSource
- func NewTokenSource(ts oauth2.TokenSource, xchg Exchanger) oauth2.TokenSource
- func NewTokenSourceFromValues(ctx context.Context, issuer string, audience string, identity string, ...) oauth2.TokenSource
- type Exchanger
- type ExchangerOption
- func WithCapabilities(capabilities ...string) ExchangerOption
- func WithHTTP1Downgrade() ExchangerOption
- func WithIdentity(uid string) ExchangerOption
- func WithIdentityProvider(idp string) ExchangerOption
- func WithScope(scope ...string) ExchangerOption
- func WithUserAgent(agent string) ExchangerOption
- type HTTP1DowngradeExchanger
- type TokenPair
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Exchange ¶ deprecated, added in v0.1.2
func Exchange(ctx context.Context, issuer, audience, idToken string, opts ...ExchangerOption) (string, error)
Exchange performs an OIDC token exchange with the correct Exchanger based on the provided options.
Deprecated: use ExchangePair instead. This is kept around only until we migrate all existing callers to ExchangePair.
func NewContextTokenSource ¶ added in v0.1.42
func NewContextTokenSource(ctx context.Context, ts oauth2.TokenSource, xchg Exchanger) oauth2.TokenSource
NewContextTokenSource creates an oauth2.TokenSource by wrapping another TokenSource in a Chainguard STS exchange brokered by the provided Exchanger.
func NewTokenSource ¶
func NewTokenSource(ts oauth2.TokenSource, xchg Exchanger) oauth2.TokenSource
NewTokenSource creates an oauth2.TokenSource by wrapping another TokenSource in a Chainguard STS exchange brokered by the provided Exchanger. This wraps NewContextTokenSource with a new background context.
func NewTokenSourceFromValues ¶ added in v0.1.33
func NewTokenSourceFromValues(ctx context.Context, issuer string, audience string, identity string, ts oauth2.TokenSource) oauth2.TokenSource
NewTokenSourceFromValues creates a new TokenSource with common input parameters. This is a convenience wrapper around NewContextTokenSource.
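The wrapping these constructors describe, as an added sketch that is not the package's own code: it builds with the standard library only, so TokenSource, Exchanger, Wrap, staticSource and fakeSTS are hypothetical stand-ins with plain string tokens. It shows why the context is captured at construction (Token() takes no context) and that a failed exchange returns an error instead of the upstream ID token.

```go
package main

import (
	"context"
	"fmt"
)

// Stand-ins (assumptions) for oauth2.TokenSource and a one-method Exchanger.
type TokenSource interface{ Token() (string, error) }
type Exchanger interface {
	Exchange(ctx context.Context, token string) (string, error)
}

// exchangingSource stores the context because Token() has no ctx parameter.
type exchangingSource struct {
	ctx  context.Context
	base TokenSource
	xchg Exchanger
}

func Wrap(ctx context.Context, base TokenSource, xchg Exchanger) TokenSource {
	return exchangingSource{ctx: ctx, base: base, xchg: xchg}
}

func (s exchangingSource) Token() (string, error) {
	if err := s.ctx.Err(); err != nil {
		return "", err // caller cancelled: do not fetch or send the ID token
	}
	idTok, err := s.base.Token()
	if err != nil {
		return "", fmt.Errorf("upstream token: %w", err)
	}
	out, err := s.xchg.Exchange(s.ctx, idTok)
	if err != nil {
		return "", fmt.Errorf("sts exchange: %w", err) // fail closed, never return idTok
	}
	return out, nil
}

// Constructed fakes standing in for an identity provider and the STS endpoint.
type staticSource string
func (s staticSource) Token() (string, error) { return string(s), nil }
type fakeSTS struct{ err error }
func (f fakeSTS) Exchange(_ context.Context, tok string) (string, error) { return "exchanged:" + tok, f.err }

func main() {
	fmt.Println(Wrap(context.Background(), staticSource("id-token"), fakeSTS{}).Token())
}
```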
Types ¶
type Exchanger ¶
type Exchanger interface {
	// Exchange performs the actual token exchange, sending "token" to the
	// Chainguard issuer's STS interface, and receiving a TokenPair or an error.
	Exchange(ctx context.Context, token string, opts ...ExchangerOption) (TokenPair, error)
	// Refresh exchanges a refresh token for a new access token and refresh token.
	Refresh(ctx context.Context, token string, opts ...ExchangerOption) (accessToken string, refreshToken string, err error)
}
Exchanger is an interface for exchanging a third-party token for a Chainguard token.
func New ¶
func New(issuer, audience string, opts ...ExchangerOption) Exchanger
New creates a new Exchanger that works against the provided issuer's STS endpoint and requests tokens with the specified audience. Its behavior can be further customized via optional ExchangerOption parameters.
type ExchangerOption ¶
type ExchangerOption func(*options)
ExchangerOption is a way of customizing the behavior of the Exchanger constructed via New().
func WithCapabilities ¶
func WithCapabilities(capabilities ...string) ExchangerOption
WithCapabilities sets the capabilities sent by the Exchanger.
func WithHTTP1Downgrade ¶ added in v0.1.2
func WithHTTP1Downgrade() ExchangerOption
WithHTTP1Downgrade signals Exchange to use HTTP1DowngradeExchanger in the STS exchange.
func WithIdentity ¶
func WithIdentity(uid string) ExchangerOption
WithIdentity sets the unique ID of the identity so that the STS exchange can look up pre-stored verification keys without ambiguity.
func WithIdentityProvider ¶ added in v0.1.25
func WithIdentityProvider(idp string) ExchangerOption
WithIdentityProvider sets the identity provider to use for the exchange.
func WithScope ¶
func WithScope(scope ...string) ExchangerOption
WithScope sets the scope parameter sent by the Exchanger.
Only one of cluster or scope may be set.
func WithUserAgent ¶
func WithUserAgent(agent string) ExchangerOption
WithUserAgent sets the user agent sent by the Exchanger.
type HTTP1DowngradeExchanger ¶
type HTTP1DowngradeExchanger struct {
// contains filtered or unexported fields
}
func NewHTTP1DowngradeExchanger ¶
func NewHTTP1DowngradeExchanger(issuer, audience string, opts ...ExchangerOption) *HTTP1DowngradeExchanger
func (*HTTP1DowngradeExchanger) Exchange ¶
func (i *HTTP1DowngradeExchanger) Exchange(ctx context.Context, token string, opts ...ExchangerOption) (TokenPair, error)
func (*HTTP1DowngradeExchanger) Refresh ¶ added in v0.1.11
func (i *HTTP1DowngradeExchanger) Refresh(ctx context.Context, token string, opts ...ExchangerOption) (string, string, error)
type TokenPair ¶ added in v0.1.25
func ExchangePair ¶ added in v0.1.25
func ExchangePair(ctx context.Context, issuer, audience, idToken string, exchangerOptions ...ExchangerOption) (TokenPair, error)
ExchangePair performs an OIDC token exchange with the correct Exchanger based on the provided options.