github.com/accelbyte/iam-go-sdk
0.1.0
Repository: https://github.com/accelbyte/iam-go-sdk.git
Documentation: pkg.go.dev

# README

IAM Go SDK

This is AccelByte's IAM Go SDK for integrating with IAM in Go projects.

Usage

Importing package

import "github.com/AccelByte/iam-go-sdk"

Creating default IAM client

cfg := &iam.Config{
    BaseURL: "<IAM URL>",
    ClientID: "<client ID>",
    ClientSecret: "<client secret>",
}

client := iam.NewDefaultClient(cfg)

It's recommended that you store the interface rather than the type since it enables you to mock the client during tests.

var client iam.Client

client = iam.NewDefaultClient(cfg) // plain assignment: client is already declared above

So during tests, you can replace the client with:

var client iam.Client

client = iam.NewMockClient() // or create your own mock implementation that suits your test case

Note

By default, the client can only validate tokens by sending a request to the IAM service.

To enable local validation, you need to call:

client.StartLocalValidation()

The client will then automatically fetch the JWK and the revocation list and refresh them periodically. This enables local token validation and JWT claims parsing.

However, if you need to validate permissions, you'll need to call ClientTokenGrant() to retrieve a client access token, which is used as the bearer token when requesting role details from the IAM service.

Calling ClientTokenGrant() once will automatically trigger periodic token refresh.

client.ClientTokenGrant()

Validating token

Validating locally using downloaded JWK and revocation list:

claims, err := client.ValidateAndParseClaims(accessToken) // treat a non-nil err as an invalid token

Note

Store the claims output if you need to validate its permissions, roles, or other properties.

Validating by sending a request to the IAM service:

ok, err := client.ValidateAccessToken(accessToken) // accept the token only when err is nil and ok is true

Validating permission

For example, suppose access to a resource requires the resource string NAMESPACE:{namespace}:USER:{userId} and action 4 [UPDATE].

Using claims you can verify if the token owner is allowed to access the resource by:

permissionResource := make(map[string]string)
permissionResource["{namespace}"] = "example"
permissionResource["{userId}"] = "example"
client.ValidatePermission(claims, iam.Permission{Resource:"NAMESPACE:{namespace}:USER:{userId}", Action:4}, permissionResource)
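
The resource-string and action-bit check behind the call above, as a stdlib-only sketch added here (not the SDK's implementation). Grant, Resolve and Covers are hypothetical names; Read = 2 and the rule that "*" in a grant matches exactly one segment are assumptions, only UPDATE = 4 comes from the README.

```go
package main

import (
	"fmt"
	"strings"
)

// One bit per action. UPDATE = 4 is stated in the README; Read = 2 is assumed.
const (
	Read   = 2
	Update = 4
)

// Grant is a hypothetical stand-in for one permission held by the token owner.
type Grant struct{ Resource string; Action int }

// Resolve fills placeholders; it fails closed on unsafe values and unfilled placeholders.
func Resolve(resource string, values map[string]string) (string, error) {
	for placeholder, v := range values {
		if v == "" || strings.ContainsAny(v, ":*{}") {
			return "", fmt.Errorf("unsafe value for %s", placeholder)
		}
		resource = strings.ReplaceAll(resource, placeholder, v)
	}
	if strings.ContainsAny(resource, "{}") {
		return "", fmt.Errorf("unresolved placeholder in %q", resource)
	}
	return resource, nil
}

// Covers: g must hold every required action bit and match segment by segment.
func Covers(g Grant, resolved string, action int) bool {
	have, want := strings.Split(g.Resource, ":"), strings.Split(resolved, ":")
	if g.Action&action != action || len(have) != len(want) {
		return false
	}
	for i := range have {
		if have[i] != "*" && have[i] != want[i] {
			return false
		}
	}
	return true
}

func main() {
	vals := map[string]string{"{namespace}": "example", "{userId}": "example"}
	res, err := Resolve("NAMESPACE:{namespace}:USER:{userId}", vals)
	fmt.Println(res, err, Covers(Grant{"NAMESPACE:*:USER:*", Read | Update}, res, Update))
}
```

Rejecting values that contain ":" or "*" keeps a caller-supplied namespace or user ID from changing the number or meaning of segments in the required resource.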

Health check

Whenever the IAM service becomes unhealthy, the client will know by detecting whether any of the automated refresh goroutines has encountered an error.

You can check the health by:

client.HealthCheck()

# Functions

NewDefaultClient creates new IAM DefaultClient.
NewMockClient creates new mock IAM DefaultClient.

# Constants

Permission action bit flags.
Mock IAM constants.
JFlags constants.

# Structs

Config contains IAM configurations.
DefaultClient defines the OAuth client config.
JWK contains JSON web key data.
JWTBan holds information about a ban record in a JWT.
JWTClaims holds data stored in a JWT access token with additional Justice Flags field.
Keys contains JSON web keys.
MockClient defines the mock OAuth client config.
Permission holds information about the actions that can be performed on the resource.
RevocationList contains revoked user and token.
Role holds info about a user role.
TokenResponse is the data structure for the response on successful token request.
UserRevocationListRecord is used to store revoked user data.

# Interfaces

Client provides an interface for the IAM client. It can be used as a mocking point.

Usage example:

func main() {
    config := Config{
        BaseURL: "/iam",
        ClientID: "clientID",
        ClientSecret: "clientSecret",
    }
    iamClient, _ := client.NewClient(&config)
    myFunction(iamClient)
}

func myFunction(iamClient *client.IAMClientAPI) {
    iamClient.ValidateTokenPermission(models.Permission{
        Resource: "NAMESPACE:{namespace}:EXAMPLE", Action: 4 }, "accessToken")
}