package oidc

nomad – github.com/hashicorp/nomad/lib/auth/oidc Index | Files

import "github.com/hashicorp/nomad/lib/auth/oidc"

Index ¶

Constants
Variables
func BuildClientAssertionJWT(config *structs.ACLAuthMethodConfig, nomadKey *rsa.PrivateKey, nomadKID string) (*cass.JWT, error)
type CallbackServer

func NewCallbackServer(addr string) (*CallbackServer, error)
func (s *CallbackServer) Close() error
func (s *CallbackServer) ErrorCh() <-chan error
func (s *CallbackServer) Nonce() string
func (s *CallbackServer) RedirectURI() string
func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request)
func (s *CallbackServer) SuccessCh() <-chan *api.ACLOIDCCompleteAuthRequest

type ProviderCache

func NewProviderCache() *ProviderCache
func (c *ProviderCache) Delete(name string)
func (c *ProviderCache) Get(authMethod *structs.ACLAuthMethod) (*oidc.Provider, error)
func (c *ProviderCache) Shutdown()

type RequestCache

func NewRequestCache(timeout time.Duration) *RequestCache
func (rc *RequestCache) Load(nonce string) *oidc.Req
func (rc *RequestCache) LoadAndDelete(nonce string) *oidc.Req
func (rc *RequestCache) Store(req *oidc.Req) error

Constants ¶

const MaxRequests = 1000

MaxRequests is how many requests are allowed to be stored at a time. It needs to be large enough for legitimate user traffic, but small enough to prevent a DOS from eating up server memory.

Variables ¶

var (
	ErrNonceReuse = errors.New("nonce reuse detected")
	// ErrTooManyRequests is returned if the request cache is full.
	// Realistically, we expect this only to happen if the auth-url
	// API endpoint is being DOS'd.
	ErrTooManyRequests = errors.New("too many auth requests")
)

Functions ¶

func BuildClientAssertionJWT ¶

func BuildClientAssertionJWT(config *structs.ACLAuthMethodConfig, nomadKey *rsa.PrivateKey, nomadKID string) (*cass.JWT, error)

BuildClientAssertionJWT makes a JWT to be included in an OIDC auth request. Reference: https://oauth.net/private-key-jwt/

There are three input variations depending on OIDCClientAssertion.KeySource:

"client_secret": uses the config's ClientSecret as an HMAC key to sign the JWT. This is marginally more secure than a bare ClientSecret, as the JWT is time-bound, and signed by the secret rather than sending the secret itself over the network.
"nomad": uses the RS256 nomadKey (Nomad's private key) to sign the JWT, and the nomadKID as the JWT's "kid" header, which the OIDC provider uses to find the public key at Nomad's JWKS endpoint (/.well-known/jwks.json) to verify the JWT signature. This is arguably the most secure option, because only Nomad has the private key.
"private_key": uses an RSA private key provided by the user. They may provide a KeyID to use as the JWT's "kid" header, or an x509 public certificate to derive an x5t#S256 (or x5t) header, which the OIDC provider uses to find the cert on their end to verify the JWT signature. This is the most flexible option, allowing users to manage their own keys however they like.

Types ¶

type CallbackServer ¶

type CallbackServer struct {
	// contains filtered or unexported fields
}

CallbackServer is started with NewCallbackServer and creates an HTTP server for handling loopback OIDC auth redirects.

func NewCallbackServer ¶

func NewCallbackServer(addr string) (*CallbackServer, error)

NewCallbackServer creates and starts a new local HTTP server for OIDC authentication to redirect to. This is used to capture the necessary information to complete the authentication.

func (*CallbackServer) Close ¶

func (s *CallbackServer) Close() error

Close cleans up and shuts down the server. On close, errors may be sent to ErrorCh and should be ignored.

func (*CallbackServer) ErrorCh ¶

func (s *CallbackServer) ErrorCh() <-chan error

ErrorCh returns a channel where any errors are sent. Errors may be sent after Close and should be disregarded.

func (*CallbackServer) Nonce ¶

func (s *CallbackServer) Nonce() string

Nonce returns a generated nonce that can be used for the request.

func (*CallbackServer) RedirectURI ¶

func (s *CallbackServer) RedirectURI() string

RedirectURI is the redirect URI that should be provided for the auth.

func (*CallbackServer) ServeHTTP ¶

func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServeHTTP implements http.Handler and handles the callback request. This isn't usually used directly; use the server address instead.

func (*CallbackServer) SuccessCh ¶

func (s *CallbackServer) SuccessCh() <-chan *api.ACLOIDCCompleteAuthRequest

SuccessCh returns a channel that gets sent a partially completed request to complete the OIDC auth with the Nomad server.

type ProviderCache ¶

type ProviderCache struct {
	// contains filtered or unexported fields
}

ProviderCache is a cache for OIDC providers. OIDC providers are something you don't want to recreate per-request since they make HTTP requests when they're constructed.

The ProviderCache purges a provider under two scenarios: (1) the provider config is updated, and it is different and (2) after a set amount of time (see cacheExpiry for value) in case the remote provider configuration changed.

func NewProviderCache ¶

func NewProviderCache() *ProviderCache

NewProviderCache should be used to initialize a provider cache. This will start up background resources to manage the cache.

func (*ProviderCache) Delete ¶

func (c *ProviderCache) Delete(name string)

Delete force deletes a single auth method from the cache by name.

func (*ProviderCache) Get ¶

func (c *ProviderCache) Get(authMethod *structs.ACLAuthMethod) (*oidc.Provider, error)

Get returns the OIDC provider for the given auth method configuration. This will initialize the provider if it isn't already in the cache or if the configuration changed.

func (*ProviderCache) Shutdown ¶

func (c *ProviderCache) Shutdown()

Shutdown stops any long-lived cache process and informs each OIDC provider that they are done. This should be called whenever the Nomad server is shutting down.

type RequestCache ¶

type RequestCache struct {
	// contains filtered or unexported fields
}

func NewRequestCache ¶

func NewRequestCache(timeout time.Duration) *RequestCache

NewRequestCache creates a cache for OIDC requests. The JWT expiration time in the cap library is 5 minutes, so timeout should be around that long.

func (*RequestCache) Load ¶

func (rc *RequestCache) Load(nonce string) *oidc.Req

func (*RequestCache) LoadAndDelete ¶

func (rc *RequestCache) LoadAndDelete(nonce string) *oidc.Req

func (*RequestCache) Store ¶

func (rc *RequestCache) Store(req *oidc.Req) error

Store saves the request, to be Loaded later with its Nonce. If LoadAndDelete is not called, the stale request will be auto-deleted.

Source Files ¶

client_assertion.go provider.go request.go server.go

Version: v1.10.0 (latest)
Published: Apr 9, 2025
Platform: linux/amd64
Imports: 23 packages
Last checked: 2 days ago –

Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
G	: Go to end of page
g then i	: Go to index
g then e	: Go to examples