package oidc

import "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc"

oidc implements the authenticator.Token interface using the OpenID Connect protocol.

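config := oidc.OIDCOptions{
	IssuerURL:     "https://accounts.google.com",
	ClientID:      os.Getenv("GOOGLE_CLIENT_ID"),
	UsernameClaim: "email",
}
tokenAuthenticator, err := oidc.New(config)
if err != nil {
	// Do not use tokenAuthenticator when New reports an error; surface the
	// error to the caller instead of falling through.
	return err
}
// Close stops the goroutines the authenticator starts; release them when done.
defer tokenAuthenticator.Close()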

Index

Types

type OIDCAuthenticator

// OIDCAuthenticator validates OpenID Connect ID Tokens and maps their claims to
// user info (see AuthenticateToken). Construct it with New; call Close when it is
// no longer needed so that the goroutines it uses are stopped.
type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

func New

func New(opts OIDCOptions) (*OIDCAuthenticator, error)

New creates a token authenticator which validates OpenID Connect ID Tokens.

func (*OIDCAuthenticator) AuthenticateToken

func (a *OIDCAuthenticator) AuthenticateToken(value string) (user.Info, bool, error)

AuthenticateToken decodes and verifies an ID Token using the OIDC client. If verification succeeds, it extracts the user info from the JWT claims.

func (*OIDCAuthenticator) Close

func (a *OIDCAuthenticator) Close()

Close stops all goroutines used by the authenticator.

type OIDCOptions

type OIDCOptions struct {
	// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
	// field of all tokens produced by the provider and is used for configuration
	// discovery.
	//
	// The URL is usually the provider's URL without a path, for example
	// "https://accounts.google.com" or "https://login.salesforce.com".
	//
	// The provider must implement configuration discovery.
	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	IssuerURL string

	// ClientID the JWT must be issued for, i.e. the value expected in the token's
	// audience ("aud") claim. (The "sub" claim identifies the end user, not the
	// client.) This plugin only trusts a single client to ensure the plugin can be
	// used with public providers.
	//
	// The plugin supports the "authorized party" ("azp") OpenID Connect claim, which
	// allows specialized providers to issue tokens to a client for a different client.
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
	ClientID string

	// CAFile is the path to a PEM encoded root certificate of the provider,
	// presumably used to verify the provider's TLS certificate when contacting
	// IssuerURL. NOTE(review): the behaviour when CAFile is empty (for example
	// falling back to the system roots) is not stated here — confirm in oidc.go.
	CAFile string

	// UsernameClaim is the JWT field to use as the user's username.
	UsernameClaim string

	// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
	// groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
	// must be a string or list of strings.
	GroupsClaim string
}

Source Files

oidc.go

Directories

PathSynopsis
plugin/pkg/auth/authenticator/token/oidc/testing