package options const ( // OIDCEmailClaim is the generic email claim used by the OIDC provider. OIDCEmailClaim = "email" // OIDCGroupsClaim is the generic groups claim used by the OIDC provider. OIDCGroupsClaim = "groups" ) // OIDCAudienceClaims is the generic audience claim list used by the OIDC provider. var OIDCAudienceClaims = []string{"aud"} // Providers is a collection of definitions for providers. type Providers []Provider // Provider holds all configuration for a single provider type Provider struct { // ClientID is the OAuth Client ID that is defined in the provider // This value is required for all providers. ClientID string `json:"clientID,omitempty"` // ClientSecret is the OAuth Client Secret that is defined in the provider // This value is required for all providers. ClientSecret string `json:"clientSecret,omitempty"` // ClientSecretFile is the name of the file // containing the OAuth Client Secret, it will be used if ClientSecret is not set. ClientSecretFile string `json:"clientSecretFile,omitempty"` // KeycloakConfig holds all configurations for Keycloak provider. KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"` // AzureConfig holds all configurations for Azure provider. AzureConfig AzureOptions `json:"azureConfig,omitempty"` // ADFSConfig holds all configurations for ADFS provider. ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"` // BitbucketConfig holds all configurations for Bitbucket provider. BitbucketConfig BitbucketOptions `json:"bitbucketConfig,omitempty"` // GitHubConfig holds all configurations for GitHubC provider. GitHubConfig GitHubOptions `json:"githubConfig,omitempty"` // GitLabConfig holds all configurations for GitLab provider. GitLabConfig GitLabOptions `json:"gitlabConfig,omitempty"` // GoogleConfig holds all configurations for Google provider. GoogleConfig GoogleOptions `json:"googleConfig,omitempty"` // OIDCConfig holds all configurations for OIDC provider // or providers utilize OIDC configurations. OIDCConfig OIDCOptions `json:"oidcConfig,omitempty"` // LoginGovConfig holds all configurations for LoginGov provider. LoginGovConfig LoginGovOptions `json:"loginGovConfig,omitempty"` // ID should be a unique identifier for the provider. // This value is required for all providers. ID string `json:"id,omitempty"` // Type is the OAuth provider // must be set from the supported providers group, // otherwise 'Google' is set as default Type ProviderType `json:"provider,omitempty"` // Name is the providers display name // if set, it will be shown to the users in the login page. Name string `json:"name,omitempty"` // CAFiles is a list of paths to CA certificates that should be used when connecting to the provider. // If not specified, the default Go trust sources are used instead CAFiles []string `json:"caFiles,omitempty"` // UseSystemTrustStore determines if your custom CA files and the system trust store are used // If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. UseSystemTrustStore bool `json:"useSystemTrustStore,omitempty"` // LoginURL is the authentication endpoint LoginURL string `json:"loginURL,omitempty"` // LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL LoginURLParameters []LoginURLParameter `json:"loginURLParameters,omitempty"` // RedeemURL is the token redemption endpoint RedeemURL string `json:"redeemURL,omitempty"` // ProfileURL is the profile access endpoint ProfileURL string `json:"profileURL,omitempty"` // SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token // default set to 'false' SkipClaimsFromProfileURL bool `json:"skipClaimsFromProfileURL,omitempty"` // ProtectedResource is the resource that is protected (Azure AD and ADFS only) ProtectedResource string `json:"resource,omitempty"` // ValidateURL is the access token validation endpoint ValidateURL string `json:"validateURL,omitempty"` // Scope is the OAuth scope specification Scope string `json:"scope,omitempty"` // AllowedGroups is a list of restrict logins to members of this group AllowedGroups []string `json:"allowedGroups,omitempty"` // The code challenge method CodeChallengeMethod string `json:"code_challenge_method,omitempty"` // URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session BackendLogoutURL string `json:"backendLogoutURL"` } // ProviderType is used to enumerate the different provider type options // Valid options are: adfs, azure, bitbucket, digitalocean facebook, github, // gitlab, google, keycloak, keycloak-oidc, linkedin, login.gov, nextcloud // and oidc. type ProviderType string const ( // ADFSProvider is the provider type for ADFS ADFSProvider ProviderType = "adfs" // AzureProvider is the provider type for Azure AzureProvider ProviderType = "azure" // BitbucketProvider is the provider type for Bitbucket BitbucketProvider ProviderType = "bitbucket" // DigitalOceanProvider is the provider type for DigitalOcean DigitalOceanProvider ProviderType = "digitalocean" // FacebookProvider is the provider type for Facebook FacebookProvider ProviderType = "facebook" // GitHubProvider is the provider type for GitHub GitHubProvider ProviderType = "github" // GitLabProvider is the provider type for GitLab GitLabProvider ProviderType = "gitlab" // GoogleProvider is the provider type for GoogleProvider GoogleProvider ProviderType = "google" // KeycloakProvider is the provider type for Keycloak KeycloakProvider ProviderType = "keycloak" // KeycloakOIDCProvider is the provider type for Keycloak OIDC KeycloakOIDCProvider ProviderType = "keycloak-oidc" // LinkedInProvider is the provider type for LinkedIn LinkedInProvider ProviderType = "linkedin" // LoginGovProvider is the provider type for LoginGov LoginGovProvider ProviderType = "login.gov" // NextCloudProvider is the provider type for NextCloud NextCloudProvider ProviderType = "nextcloud" // OIDCProvider is the provider type for OIDC OIDCProvider ProviderType = "oidc" ) type KeycloakOptions struct { // Group enables to restrict login to members of indicated group Groups []string `json:"groups,omitempty"` // Role enables to restrict login to users with role (only available when using the keycloak-oidc provider) Roles []string `json:"roles,omitempty"` } type AzureOptions struct { // Tenant directs to a tenant-specific or common (tenant-independent) endpoint // Default value is 'common' Tenant string `json:"tenant,omitempty"` // GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph // Default value is 'id' GraphGroupField string `json:"graphGroupField,omitempty"` } type ADFSOptions struct { // Skip adding the scope parameter in login request // Default value is 'false' SkipScope bool `json:"skipScope,omitempty"` } type BitbucketOptions struct { // Team sets restrict logins to members of this team Team string `json:"team,omitempty"` // Repository sets restrict logins to user with access to this repository Repository string `json:"repository,omitempty"` } type GitHubOptions struct { // Org sets restrict logins to members of this organisation Org string `json:"org,omitempty"` // Team sets restrict logins to members of this team Team string `json:"team,omitempty"` // Repo sets restrict logins to collaborators of this repository Repo string `json:"repo,omitempty"` // Token is the token to use when verifying repository collaborators // it must have push access to the repository Token string `json:"token,omitempty"` // Users allows users with these usernames to login // even if they do not belong to the specified org and team or collaborators Users []string `json:"users,omitempty"` } type GitLabOptions struct { // Group sets restrict logins to members of this group Group []string `json:"group,omitempty"` // Projects restricts logins to members of these projects Projects []string `json:"projects,omitempty"` } type GoogleOptions struct { // Groups sets restrict logins to members of this Google group Groups []string `json:"group,omitempty"` // AdminEmail is the Google admin to impersonate for api calls AdminEmail string `json:"adminEmail,omitempty"` // ServiceAccountJSON is the path to the service account json credentials ServiceAccountJSON string `json:"serviceAccountJson,omitempty"` // UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON UseApplicationDefaultCredentials bool `json:"useApplicationDefaultCredentials,omitempty"` // TargetPrincipal is the Google Service Account used for Application Default Credentials TargetPrincipal string `json:"targetPrincipal,omitempty"` } type OIDCOptions struct { // IssuerURL is the OpenID Connect issuer URL // eg: https://accounts.google.com IssuerURL string `json:"issuerURL,omitempty"` // InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified // default set to 'false' InsecureAllowUnverifiedEmail bool `json:"insecureAllowUnverifiedEmail,omitempty"` // InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL // default set to 'false' InsecureSkipIssuerVerification bool `json:"insecureSkipIssuerVerification,omitempty"` // InsecureSkipNonce skips verifying the ID Token's nonce claim that must match // the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked // after the initial OAuth redeem & subsequent token refreshes. // default set to 'true' // Warning: In a future release, this will change to 'false' by default for enhanced security. InsecureSkipNonce bool `json:"insecureSkipNonce,omitempty"` // SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints // default set to 'false' SkipDiscovery bool `json:"skipDiscovery,omitempty"` // JwksURL is the OpenID Connect JWKS URL // eg: https://www.googleapis.com/oauth2/v3/certs JwksURL string `json:"jwksURL,omitempty"` // EmailClaim indicates which claim contains the user email, // default set to 'email' EmailClaim string `json:"emailClaim,omitempty"` // GroupsClaim indicates which claim contains the user groups // default set to 'groups' GroupsClaim string `json:"groupsClaim,omitempty"` // UserIDClaim indicates which claim contains the user ID // default set to 'email' UserIDClaim string `json:"userIDClaim,omitempty"` // AudienceClaim allows to define any claim that is verified against the client id // By default `aud` claim is used for verification. AudienceClaims []string `json:"audienceClaims,omitempty"` // ExtraAudiences is a list of additional audiences that are allowed // to pass verification in addition to the client id. ExtraAudiences []string `json:"extraAudiences,omitempty"` } type LoginGovOptions struct { // JWTKey is a private key in PEM format used to sign JWT, JWTKey string `json:"jwtKey,omitempty"` // JWTKeyFile is a path to the private key file in PEM format used to sign the JWT JWTKeyFile string `json:"jwtKeyFile,omitempty"` // PubJWKURL is the JWK pubkey access endpoint PubJWKURL string `json:"pubjwkURL,omitempty"` } func providerDefaults() Providers { providers := Providers{ { Type: "google", AzureConfig: AzureOptions{ Tenant: "common", }, OIDCConfig: OIDCOptions{ InsecureAllowUnverifiedEmail: false, InsecureSkipNonce: true, SkipDiscovery: false, UserIDClaim: OIDCEmailClaim, // Deprecated: Use OIDCEmailClaim EmailClaim: OIDCEmailClaim, GroupsClaim: OIDCGroupsClaim, AudienceClaims: OIDCAudienceClaims, ExtraAudiences: []string{}, }, }, } return providers }