Struct krill::daemon::auth::providers::openid_connect::provider::OpenIDConnectAuthProvider
pub struct OpenIDConnectAuthProvider { /* private fields */ }
Implementations
impl OpenIDConnectAuthProvider
pub fn new(config: Arc<Config>, session_cache: Arc<LoginSessionCache>) -> KrillResult<Self>
impl OpenIDConnectAuthProvider
pub async fn authenticate(&self, request: &Request<Body>) -> KrillResult<Option<ActorDef>>
Validate the current login session, extending it with the OIDC provider if needed. Returns either the session attributes and (if available) the refreshed token, or an error to report back to the user (one of the ApiAuth* Error types). Make sure not to leak any OIDC implementation details into the Error result! This function is also responsible for all logging around refreshing the token / extending the session.
pub async fn get_login_url(&self) -> KrillResult<HttpResponse>
Generate the login URL that the client should direct the end-user to so they can log in with the operator's chosen OpenID Connect provider. The URL should be requested by the client on every login, as the intention is that it contains randomly generated CSRF token and nonce values which can be used to protect against certain cross-site and replay attacks.
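As an added example (not Krill's own code) of the state and nonce handling described above: the CSRF token (`state`) and `nonce` are issued together with one login URL, stored with the pending login, and compared in constant time when the callback and the ID token come back. The endpoint, client id and redirect URI are hypothetical, and `random` must be fresh CSPRNG output supplied by the caller on every call.

```rust
use std::collections::HashMap;

/// State (CSRF token) and nonce issued with one login URL, kept server-side until the callback.
#[derive(Debug, Clone, PartialEq)]
pub struct PendingLogin {
    pub state: String,
    pub nonce: String,
}

fn hex(b: &[u8]) -> String { b.iter().map(|x| format!("{:02x}", x)).collect() }

/// Percent-encode a query value, keeping only RFC 3986 unreserved characters.
fn pct(s: &str) -> String {
    s.bytes()
        .map(|b| match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
            _ => format!("%{:02X}", b),
        })
        .collect()
}

/// Build the authorization URL. `random` must be fresh CSPRNG output on every
/// call (caller's responsibility): the first 16 bytes become `state`, the last 16 `nonce`.
pub fn build_login_url(auth_endpoint: &str, client_id: &str, redirect_uri: &str, random: &[u8; 32]) -> (String, PendingLogin) {
    let pending = PendingLogin { state: hex(&random[..16]), nonce: hex(&random[16..]) };
    let url = format!(
        "{}?response_type=code&scope=openid&client_id={}&redirect_uri={}&state={}&nonce={}",
        auth_endpoint, pct(client_id), pct(redirect_uri), pending.state, pending.nonce
    );
    (url, pending)
}

/// Constant-time equality so a mismatch does not leak how many bytes matched.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// CSRF check on the callback query (`code=...&state=...`): the returned `state` must
/// equal the issued one; only then is the code worth exchanging at the provider.
pub fn validate_callback(pending: &PendingLogin, callback_query: &str) -> Result<String, &'static str> {
    let q: HashMap<&str, &str> = callback_query.split('&').filter_map(|kv| kv.split_once('=')).collect();
    let state = *q.get("state").ok_or("missing state")?;
    if !ct_eq(state, &pending.state) { return Err("state mismatch"); }
    q.get("code").map(|c| c.to_string()).ok_or("missing code")
}

/// Replay check: the `nonce` claim of the ID token obtained for the code must equal the issued nonce.
pub fn check_id_token_nonce(pending: &PendingLogin, id_token_nonce: &str) -> bool {
    ct_eq(id_token_nonce, &pending.nonce)
}
```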
pub async fn login(&self, request: &Request<Body>) -> KrillResult<LoggedInUser>
pub async fn logout(&self, request: &Request<Body>) -> KrillResult<HttpResponse>
Log the user out of the OpenID Connect provider.
Note: As the session state is stored in an encrypted bearer token held by the client we cannot force the user to be logged out. Instead we rely on the Lagosta web UI to forget the bearer token and on informing the OpenID Connect provider that it should discard any session state that it holds so that any attempt in the near future by Krill to refresh the access token at the provider will fail.
Returns an HTTP 200 response with a body consisting of the URL which the Lagosta web UI should direct the user to in order to complete the logout process. We cannot respond with an HTTP redirect because we are contacted by JavaScript, not by the user agent. TODO: should we use a redirect based approach instead?
When the provider supports OpenID Connect RP-Initiated Logout 1.0 the URL returned is that of the OpenID Connect provider logout endpoint, including a post_logout_redirect_url which instructs the provider to redirect the user agent back to the Krill Lagosta web UI after logout is complete.
If instead the provider supports OAuth 2.0 Token Revocation then the trip via the user agent to the provider logout page is not possible. From the end-user's perspective they are instead returned to the Lagosta web UI index page (which currently immediately redirects the user to the 3rd party OpenID Connect provider login page), but before that Krill contacts the provider on the logged-in user's behalf to revoke their token at the provider.