auth

package
v0.0.0-...-318e85c
This package is not in the latest version of its module.
Published: Aug 28, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrMissingMetadata = status.Errorf(codes.InvalidArgument, "missing metadata")
	ErrUnauthenticated = status.Error(codes.Unauthenticated, "unauthenticated")
)

var (
	ErrEmptyIssuer   = errors.New("issuer cannot be empty")
	ErrEmptyAudience = errors.New("audience cannot be empty")
	ErrJwksFetch     = errors.New("failed to fetch JWKS")
)

var (
	ErrUserNotFound = errors.New("user not found")
)

Functions

This section is empty.

Types

type Authentication

type Authentication struct {
	// Principal is the authenticated entity, such as a user ID or client ID.
	Principal string
	// IsAuthenticated is true if the authentication attempt was successful.
	IsAuthenticated bool
}

Authentication represents the result of an authentication attempt.

type AuthenticationInterceptor

type AuthenticationInterceptor struct {
	// contains filtered or unexported fields
}

AuthenticationInterceptor is a grpc.UnaryServerInterceptor which authenticates requests based on the "authorization" header in the incoming context's metadata. It holds a map of Authenticator values keyed by scheme: the scheme named in the header selects the Authenticator, which is then given the credentials that follow it. Additionally, it can be configured to skip authentication for certain gRPC methods by adding them to a list of permitted methods; every method not on that list requires credentials.

func NewAuthenticationInterceptor

func NewAuthenticationInterceptor() *AuthenticationInterceptor

NewAuthenticationInterceptor is the constructor for AuthenticationInterceptor.

func (*AuthenticationInterceptor) AddAuthenticator

func (a *AuthenticationInterceptor) AddAuthenticator(authenticator Authenticator) *AuthenticationInterceptor

AddAuthenticator adds an Authenticator to the interceptor. It returns the interceptor to allow for chaining.

func (*AuthenticationInterceptor) AddPermittedMethod

func (a *AuthenticationInterceptor) AddPermittedMethod(method string) *AuthenticationInterceptor

AddPermittedMethod adds a gRPC method name to the list of permitted methods. These methods will not be authenticated by the interceptor. Method names are case-sensitive and are typically in the format "/package.Service/Method", so a name that does not match exactly leaves that method authenticated. The interceptor is returned to allow for chaining.

func (*AuthenticationInterceptor) Authenticate

func (a *AuthenticationInterceptor) Authenticate(
	ctx context.Context,
	req any,
	info *grpc.UnaryServerInfo,
	handler grpc.UnaryHandler,
) (any, error)

Authenticate attempts to authenticate the current request based on the "authorization" header in the incoming context's metadata. It returns the result of the authentication attempt, or any error that occurred.

type Authenticator

type Authenticator interface {
	// Authenticate attempts to authenticate the given credentials and returns
	// the result, or any error that occurred.
	Authenticate(ctx context.Context, creds string) (*Authentication, error)
	// Scheme returns the authentication scheme that this authenticator can
	// handle.
	Scheme() string
}

Authenticator represents a type that can authenticate some credentials for some defined scheme.

type BasicAuthenticator

type BasicAuthenticator struct {
	// contains filtered or unexported fields
}

BasicAuthenticator is an Authenticator that authenticates requests where the credentials are provided using the "basic" authentication scheme.

func NewBasicAuthenticator

func NewBasicAuthenticator(store UserStore) *BasicAuthenticator

NewBasicAuthenticator is the constructor for BasicAuthenticator.

func (*BasicAuthenticator) Authenticate

func (a *BasicAuthenticator) Authenticate(ctx context.Context, creds string) (*Authentication, error)

Authenticate attempts to authenticate the given HTTP basic auth credentials and returns the result, or any error that occurred. The credentials are expected to be the base64 encoding of "username:password", as specified by the HTTP basic auth specification, RFC 7617. The user ID is used to look up the user in the user store (a database, for example), and the password is compared against the user's stored password hash. The user ID is returned as the principal in the Authentication result.

func (*BasicAuthenticator) Scheme

func (a *BasicAuthenticator) Scheme() string

type InMemoryUserStore

type InMemoryUserStore struct {
	// contains filtered or unexported fields
}

InMemoryUserStore is a simple in-memory implementation of UserStore.

func NewInMemoryUserStore

func NewInMemoryUserStore() *InMemoryUserStore

NewInMemoryUserStore is the constructor for InMemoryUserStore.

func (*InMemoryUserStore) AddUser

func (s *InMemoryUserStore) AddUser(user *User)

AddUser adds a user to the in-memory store.

func (*InMemoryUserStore) FindUserByID

func (s *InMemoryUserStore) FindUserByID(_ context.Context, id string) (*User, error)

FindUserByID looks up a user by their unique ID and returns the user, or an error if the user could not be found.
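An added example (not this package's code) of the basic-auth flow described under BasicAuthenticator.Authenticate, backed by an in-memory UserStore like the one above: the credential is base64-decoded, split at the first colon, the ID looked up, and the password checked against a salted hash in constant time. The User here carries a Salt field the page's User does not have, the hash is a small inline PBKDF2-HMAC-SHA256 standing in for whatever KDF the package uses (the page does not say), and the dummy-salt work for unknown IDs is this example's addition so that lookup timing does not reveal whether an account exists.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var ErrUnauthenticated, ErrUserNotFound = errors.New("unauthenticated"), errors.New("user not found")

type Authentication struct {
	Principal       string
	IsAuthenticated bool
}

type User struct {
	ID           string
	Salt         []byte // added by this example; the page's User has only ID and PasswordHash
	PasswordHash []byte
}

type UserStore interface {
	FindUserByID(ctx context.Context, id string) (*User, error)
}

type InMemoryUserStore map[string]*User // the page's in-memory store reduced to a map keyed by ID
func (s InMemoryUserStore) FindUserByID(_ context.Context, id string) (*User, error) {
	if u, ok := s[id]; ok {
		return u, nil
	}
	return nil, ErrUserNotFound
}

const pbkdf2Iterations = 100_000
// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, inlined so the example
// needs no third-party module; real code should use a maintained bcrypt/scrypt/argon2 package.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

func NewUser(id, password string) *User { // hashes password under a fresh random salt
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand; on Go 1.24+ this cannot fail
	return &User{ID: id, Salt: salt, PasswordHash: pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations)}
}

type BasicAuthenticator struct {
	store     UserStore
	dummySalt []byte // unknown IDs are hashed against this so timing does not reveal whether an ID exists
}

func NewBasicAuthenticator(store UserStore) *BasicAuthenticator {
	a := &BasicAuthenticator{store: store, dummySalt: make([]byte, 16)}
	rand.Read(a.dummySalt)
	return a
}

func (a *BasicAuthenticator) Scheme() string { return "Basic" }

func (a *BasicAuthenticator) Authenticate(ctx context.Context, creds string) (*Authentication, error) {
	raw, err := base64.StdEncoding.DecodeString(creds)     // RFC 7617: standard, padded base64
	userID, password, ok := strings.Cut(string(raw), ":") // first colon only: passwords may contain ':'
	if err != nil || !ok || userID == "" {
		return nil, ErrUnauthenticated
	}
	user, err := a.store.FindUserByID(ctx, userID)
	if errors.Is(err, ErrUserNotFound) {
		pbkdf2SHA256([]byte(password), a.dummySalt, pbkdf2Iterations) // burn the same cost as a real check
		return nil, ErrUnauthenticated
	} else if err != nil {
		return nil, err // a store failure is surfaced, not masked as "unauthenticated"
	}
	if hmac.Equal(pbkdf2SHA256([]byte(password), user.Salt, pbkdf2Iterations), user.PasswordHash) {
		return &Authentication{Principal: user.ID, IsAuthenticated: true}, nil
	}
	return nil, ErrUnauthenticated
}

func main() {
	alice := NewUser("alice", "correct horse:battery staple")
	ba := NewBasicAuthenticator(InMemoryUserStore{alice.ID: alice})
	fmt.Println(ba.Authenticate(context.Background(), base64.StdEncoding.EncodeToString([]byte("alice:correct horse:battery staple"))))
}
```

hmac.Equal is the constant-time comparison; splitting on the first colon matters because RFC 7617 forbids a colon in the user ID but not in the password, so "alice:pa:ss" must yield the password "pa:ss".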

type JWTAuthenticator

type JWTAuthenticator struct {
	// contains filtered or unexported fields
}

JWTAuthenticator is an Authenticator that authenticates requests where API credentials in the form of JSON Web Tokens (JWTs) are provided using the "bearer" authentication scheme, such as those defined by RFC 6750.

func NewJWTAuthenticator

func NewJWTAuthenticator(ctx context.Context, issuer, audience, jwksUri string) (*JWTAuthenticator, error)

NewJWTAuthenticator is the constructor for JWTAuthenticator. The issuer and audience parameters are used to validate tokens, and the jwksUri parameter is the URI of the JSON Web Key Set (JWKS) that contains the public keys used to verify the tokens. The JWKS is fetched and cached by the authenticator at construction time, so construction fails if the key set cannot be fetched (see ErrJwksFetch).

func (*JWTAuthenticator) Authenticate

func (a *JWTAuthenticator) Authenticate(_ context.Context, creds string) (*Authentication, error)

Authenticate attempts to authenticate the given JWT and returns the result, or any error that occurred. The creds parameter is expected to be a valid JWT signed by one of the keys in the authenticator's key set. Additionally, the following claims are expected to be present in the token:

  • "iss" (issuer): The issuer of the token.
  • "aud" (audience): The audience for the token.
  • "email_verified": A custom claim indicating whether the user's email address has been verified.

The "iss" and "aud" claims are used to validate the token, and they must match the authenticator's issuer and audience, respectively. The custom "email_verified" claim is used to enforce that only verified users can access the service. The time-based claims ("exp", "nbf", "iat") are also validated by the authenticator if they are present in the token; a token that omits "exp" is therefore not rejected on grounds of age, so the issuer should always set it.
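The verification the two paragraphs above describe, as an added example rather than this package's code: ES256 tokens are checked against an in-memory key set that stands in for the fetched JWKS (no network), followed by the claim checks the page lists. Sign plays the identity provider so that the block is self-contained; the Claims layout, the choice of ES256, "sub" as the principal, and treating "aud" as a single string are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var ErrUnauthenticated = errors.New("unauthenticated")
var enc = base64.RawURLEncoding // JWS segments are unpadded base64url

type Authentication struct {
	Principal       string
	IsAuthenticated bool
}

type Claims struct { // assumed layout: the claims the page lists plus "sub" as the principal
	Issuer        string `json:"iss"`
	Subject       string `json:"sub"`
	Audience      string `json:"aud"` // treated as a single string; RFC 7519 also allows an array
	EmailVerified bool   `json:"email_verified"`
	ExpiresAt     int64  `json:"exp,omitempty"`
	NotBefore     int64  `json:"nbf,omitempty"`
	IssuedAt      int64  `json:"iat,omitempty"`
}

// JWTAuthenticator verifies ES256 tokens against Keys, an in-memory stand-in for the fetched JWKS.
type JWTAuthenticator struct {
	Issuer, Audience string
	Keys             map[string]*ecdsa.PublicKey // kid -> P-256 public key
	Now              func() time.Time            // injectable clock
}

// NewKeyPair generates the P-256 key an identity provider would publish in its JWKS.
func NewKeyPair() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign plays the identity provider: it issues an ES256 token under the given kid.
func Sign(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s (32 bytes each), not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

func (a *JWTAuthenticator) Authenticate(creds string) (*Authentication, error) {
	parts := strings.Split(creds, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: malformed token", ErrUnauthenticated)
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err1 != nil || err2 != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("%w: malformed header", ErrUnauthenticated)
	}
	// The verifier pins the algorithm; the token's "alg" never selects it (defeats alg=none and key confusion).
	pub, ok := a.Keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok || len(sig) != 64 {
		return nil, fmt.Errorf("%w: unsupported alg or unknown kid", ErrUnauthenticated)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, fmt.Errorf("%w: bad signature", ErrUnauthenticated)
	}
	var c Claims // claims are trusted only after the signature check above
	if body, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, fmt.Errorf("%w: malformed claims", ErrUnauthenticated)
	}
	now := a.Now().Unix() // time claims are checked only when present, as the page describes
	if c.Issuer != a.Issuer || c.Audience != a.Audience || !c.EmailVerified ||
		(c.ExpiresAt != 0 && now >= c.ExpiresAt) || (c.NotBefore != 0 && now < c.NotBefore) || (c.IssuedAt != 0 && now < c.IssuedAt) {
		return nil, fmt.Errorf("%w: claims rejected", ErrUnauthenticated)
	}
	return &Authentication{Principal: c.Subject, IsAuthenticated: true}, nil
}

func main() {
	priv, _ := NewKeyPair()
	a := &JWTAuthenticator{Issuer: "https://issuer.example", Audience: "orders-api", Keys: map[string]*ecdsa.PublicKey{"k1": &priv.PublicKey}, Now: time.Now}
	tok, _ := Sign(priv, "k1", Claims{Issuer: a.Issuer, Audience: a.Audience, Subject: "user-42", EmailVerified: true, ExpiresAt: time.Now().Add(time.Hour).Unix()})
	fmt.Println(a.Authenticate(tok))
}
```

The ordering is deliberate: the key is selected by "kid" from a server-side set and the algorithm is fixed by the server, the signature is verified over the exact header and payload segments as received, and only then are the claims decoded and compared with the configured issuer and audience.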

func (*JWTAuthenticator) Scheme

func (a *JWTAuthenticator) Scheme() string

type User

type User struct {
	ID           string
	PasswordHash []byte
}

User represents a user account in the system.

type UserStore

type UserStore interface {
	// FindUserByID looks up a user by their unique ID and returns the user, or
	// an error if the user could not be found.
	FindUserByID(ctx context.Context, id string) (*User, error)
}

UserStore is a data access type that can look up user details by their unique ID.
