github.com/lpar/ibmoidc
Go module / package, version 0.8.1
Repository: https://github.com/lpar/ibmoidc.git
Documentation: pkg.go.dev

# README

OpenID Connect for IBM w3id

This is support code for authenticating using IBM's internal OpenID Connect authentication servers.

The OpenID Connect parameters for w3ID are taken from environment variables:

```
W3ID_CLIENTID
W3ID_CLIENTSECRET
W3ID_CALLBACKURL
```

Example usage:

```go
w3id := ibmoidc.NewIntranetAuthenticator() // reads the W3ID_* environment variables

http.Handle("/login", w3id.BeginLogin())                       // sends the browser to w3ID
http.Handle("/openid/code", w3id.CompleteLogin(myauthhandler)) // callback; runs myauthhandler on success
```

where W3ID_CALLBACKURL is set to https://www.example.com/openid/code, the callback route served by your web app.

The http.Handler myauthhandler can then do:

```go
claimset, ok := ibmoidc.ClaimSetFromRequest(r) // r is the *http.Request
```

The claimset will contain the authenticated information from w3ID. At that point it's up to you to work out some way to persist it via a session, cookies, or whatever.

The useful claimset keys are generally given_name, family_name, email, name, sub and blueGroups.
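The login and callback wiring above, with the state/CSRF check and the private context key that the package's MakeCSRFtoken, MakeCSRFcookie, ReadCSRFcookie, RequestWithClaimSet and ClaimSetFromRequest functions describe, as an added example. It is not the ibmoidc code itself and uses only the standard library: the cookie name, the ClaimSet map type, the authorization request parameters and the injected exchange function are this example's assumptions, and the token exchange is stubbed so the program runs offline.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// Assumed cookie name; the package does not document the one it uses.
const csrfCookieName = "w3id_csrf"

// ClaimSet stands in for the package's claimset type (assumed to be a JSON object).
type ClaimSet map[string]any

// MakeCSRFToken returns 32 URL-safe characters from 24 random bytes, the
// length MakeCSRFtoken promises; the encoding is this example's choice.
func MakeCSRFToken() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// MakeCSRFCookie keeps the token out of reach of scripts and off plain HTTP.
// SameSite must be Lax, not Strict: the callback is a cross-site top-level
// redirect from the IdP, and Strict would withhold the cookie from it.
func MakeCSRFCookie(token string) *http.Cookie {
	return &http.Cookie{Name: csrfCookieName, Value: token, Path: "/openid",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: 600}
}

// StateMatches is the CSRF check on the callback: the state the IdP echoes
// back must equal the cookie value, compared in constant time; neither may be empty.
func StateMatches(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" {
		return false
	}
	got := r.URL.Query().Get("state")
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) == 1
}

// ctxKey is unexported, so no other package can read or replace the claims
// (the "private context key" RequestWithClaimSet refers to).
type ctxKey struct{}

func RequestWithClaimSet(r *http.Request, cs ClaimSet) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, cs))
}
func ClaimSetFromRequest(r *http.Request) (ClaimSet, bool) {
	cs, ok := r.Context().Value(ctxKey{}).(ClaimSet)
	return cs, ok
}

// BeginLogin mints a state token, stores it in the cookie and redirects to the
// authorization endpoint with the same value as the state parameter.
func BeginLogin(authURL, clientID, callbackURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := MakeCSRFToken()
		if err != nil {
			http.Error(w, "cannot create state", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, MakeCSRFCookie(tok))
		q := url.Values{"response_type": {"code"}, "client_id": {clientID},
			"redirect_uri": {callbackURL}, "scope": {"openid"}, "state": {tok}}
		http.Redirect(w, r, authURL+"?"+q.Encode(), http.StatusFound)
	})
}

// CompleteLogin refuses a callback whose state fails the check, clears the
// single-use cookie, exchanges the code for claims and hands them to next.
// exchange is injected so this runs offline; a real one posts the code to the
// token endpoint and verifies the id_token signature before trusting its claims.
func CompleteLogin(next http.Handler, exchange func(code string) (ClaimSet, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !StateMatches(r) {
			http.Error(w, "state mismatch", http.StatusForbidden)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Path: "/openid", MaxAge: -1})
		cs, err := exchange(r.URL.Query().Get("code"))
		if err != nil {
			http.Error(w, "token exchange failed", http.StatusBadGateway)
			return
		}
		next.ServeHTTP(w, RequestWithClaimSet(r, cs))
	})
}

func main() { // wiring in the README's shape; endpoint, client id and callback are placeholders
	exchange := func(code string) (ClaimSet, error) { return ClaimSet{"sub": "placeholder-subject"}, nil }
	authed := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cs, _ := ClaimSetFromRequest(r)
		fmt.Fprintln(w, "authenticated as", cs["sub"])
	})
	http.Handle("/login", BeginLogin("https://idp.example.invalid/authorize", "CLIENT_ID", "https://www.example.com/openid/code"))
	http.Handle("/openid/code", CompleteLogin(authed, exchange))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

The cookie is scoped to /openid so it is only ever sent to the callback, and it is cleared on first use, so a replayed callback URL fails the state check even when its code is still unused.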

Copyright © IBM Corporation 2016-2018.

# Functions

ClaimSetFromRequest obtains the authenticated claimset from the request's context, where it was stored earlier by RequestWithClaimSet.
Decode unpacks an id_token payload, as returned from the token endpoint, from its raw base64-encoded value.
MakeCSRFcookie turns a string generated by MakeCSRFtoken into a CSRF cookie.
MakeCSRFtoken makes a random 32-character string for use as a CSRF token.
NewIntranetAuthenticator creates an Authenticator object for processing intranet w3ID authentication server responses.
NewIntranetStagingAuthenticator creates an Authenticator object for processing intranet w3ID authentication server responses from the staging server.
ReadCSRFcookie gets the token from the CSRF cookie, if found.
RequestWithClaimSet adds a claimset to the http request, using a private context key.
UnmarshalJSON turns a JSON payload from a JWS token into a set of claims, and handles remapping IBM-specific private claims to standard ones:

- lastName → family_name
- firstName → given_name
- cn → name
- dn → sub
- emailAddress → email

The original emailAddress claim is left intact, as are the dn and realmName claims.
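How Decode, UnmarshalJSON and the rsa.PublicKey variables fit together, as an added example that is not the package's code: it verifies the RS256 signature on an id_token against a public key before decoding the base64url payload, then applies the claim remapping listed above. The generated key pair (standing in for the IdP's key), the MintTestToken helper, the sample payload, and the decision to drop lastName, firstName and cn after copying them are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IBM private claim -> standard OpenID Connect claim, as listed for UnmarshalJSON.
var ibmClaimMap = map[string]string{"lastName": "family_name", "firstName": "given_name",
	"cn": "name", "dn": "sub", "emailAddress": "email"}

// RemapIBMClaims copies each IBM claim to its standard name. emailAddress, dn and
// realmName stay in place as documented; dropping lastName, firstName and cn after
// copying is this example's assumption about the package.
func RemapIBMClaims(claims map[string]any) map[string]any {
	out := make(map[string]any, len(claims)+len(ibmClaimMap))
	for k, v := range claims {
		out[k] = v
	}
	for ibm, std := range ibmClaimMap {
		if v, ok := out[ibm]; ok {
			out[std] = v
			if ibm != "emailAddress" && ibm != "dn" {
				delete(out, ibm)
			}
		}
	}
	return out
}

// VerifyAndDecode checks the RS256 signature on an id_token with pub and only
// then decodes the payload and remaps its claims. Decoding without the check
// would accept an id_token that anyone could have assembled.
func VerifyAndDecode(idToken string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("id_token is not a three-part compact JWS")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header: want alg RS256, got %q (%v)", hdr.Alg, err) // pin the algorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signing input is header.payload
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	return RemapIBMClaims(claims), nil
}

// MintTestToken signs claims as an RS256 compact JWS with priv. It exists only so
// the example can build a sample token offline; real id_tokens come from the IdP.
func MintTestToken(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's signing key
	// Constructed sample payload in the shape of the IBM private claims.
	tok, _ := MintTestToken(priv, map[string]any{"firstName": "Ada", "lastName": "Lovelace",
		"cn": "Ada Lovelace", "dn": "uid=ada,ou=people,o=example", "emailAddress": "ada@example.com",
		"realmName": "example", "blueGroups": []string{"devs"}})
	claims, err := VerifyAndDecode(tok, &priv.PublicKey)
	fmt.Println(claims, err)
}
```

In production the public key is the pinned IBMw3idPublicKey for the endpoint in use; the algorithm is checked against a fixed expectation rather than read from the token, so a header that names a different algorithm is rejected before any signature work is done.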

# Variables

IBMblueIDEndpoint is the Endpoint for IBM blueID authentication.
IBMw3idEndpoint is the Endpoint for IBM w3ID authentication.
IBMw3idPublicKey is the rsa.PublicKey to use to verify the signature on an id_token value returned from IBMw3idEndpoint.TokenURL.
IBMw3idStagingEndpoint is the endpoint for testing IBM w3ID authentication.
IBMw3idTapEndpoint is the TAP pilot endpoint for IBM w3ID authentication.
IBMw3idPublicKey is the rsa.PublicKey to use to verify the signature on an id_token value returned from IBMw3idTapEndpoint.TokenURL.

# Structs

Authenticator is an object for processing IBM authentication responses.