pub struct OpenIDConnectAuthProvider { /* private fields */ }

Implementations

impl OpenIDConnectAuthProvider

pub fn new(config: Arc<Config>, session_cache: Arc<LoginSessionCache>) -> KrillResult<Self>

impl OpenIDConnectAuthProvider

pub async fn authenticate(&self, request: &Request<Body>) -> KrillResult<Option<ActorDef>>

Validate the current login session, extending it with the OIDC provider if needed. Returns either the session attributes and (if available) the refreshed token, or an error to report back to the user (one of the ApiAuth* Error types). Make sure to not leak any OIDC implementation details into the Error result! This function is also responsible for all logging around refreshing the token / extending the session.

pub async fn get_login_url(&self) -> KrillResult<HttpResponse>

Generate the login URL that the client should direct the end-user to so they can log in with the operator's chosen OpenID Connect provider. The URL should be requested by the client on every login, as the intention is that it contains randomly generated CSRF token and nonce values which can be used to protect against certain cross-site and replay attacks.

pub async fn login(&self, request: &Request<Body>) -> KrillResult<LoggedInUser>

pub async fn logout(&self, request: &Request<Body>) -> KrillResult<HttpResponse>

Log the user out of the OpenID Connect provider.

Note: As the session state is stored in an encrypted bearer token held by the client, we cannot force the user to be logged out. Instead we rely on the Lagosta web UI to forget the bearer token, and on informing the OpenID Connect provider that it should discard any session state it holds, so that any attempt in the near future by Krill to refresh the access token at the provider will fail.

Returns an HTTP 200 response whose body is the URL to which the Lagosta web UI should direct the user in order to complete the logout process. We cannot respond with an HTTP redirect because we are contacted by JavaScript, not by the user agent. TODO: should we use a redirect based approach instead?

When the provider supports OpenID Connect RP-Initiated Logout 1.0, the URL returned is that of the OpenID Connect provider's logout endpoint, including a post_logout_redirect_url which instructs the provider to redirect the user agent back to the Krill Lagosta web UI once logout is complete.

If instead the provider supports OAuth 2.0 Token Revocation, the round trip via the user agent to the provider's logout page is not possible. From the end-user's perspective they are simply returned to the Lagosta web UI index page (which currently immediately redirects the user to the third-party OpenID Connect provider login page), but before that Krill contacts the provider on the logged-in user's behalf to revoke their token at the provider.
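The two pieces of behaviour documented above for get_login_url and logout, as an added example that is not Krill's own code: a login URL carrying a CSRF state and a nonce, a single-use, expiring store that binds the two so the callback can be validated (the replay and cross-site protection the text refers to), and the logout URL built for a provider that supports RP-Initiated Logout versus one that only supports Token Revocation. Everything here is std-only; ProviderEndpoints, PendingLogins, LogoutPlan and random_token are hypothetical names for this example, the endpoint and client values are constructed, and the logout URL uses the spec parameter name post_logout_redirect_uri.

```rust
// Added example, not Krill's code: state/nonce binding behind an OIDC login URL,
// single-use validation of the callback, and the logout URL per provider capability.
use std::collections::HashMap;
use std::io::Read;
use std::time::{Duration, Instant};

/// Provider endpoints (hypothetical struct); in practice taken from the discovery document.
pub struct ProviderEndpoints {
    pub authorization_endpoint: String,
    /// Present when the provider supports OpenID Connect RP-Initiated Logout 1.0.
    pub end_session_endpoint: Option<String>,
    /// Present when the provider supports OAuth 2.0 Token Revocation.
    pub revocation_endpoint: Option<String>,
}

/// Percent-encode one query component, passing RFC 3986 unreserved characters through.
pub fn percent_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

fn query(params: &[(&str, &str)]) -> String {
    params.iter().map(|(k, v)| format!("{}={}", percent_encode(k), percent_encode(v)))
        .collect::<Vec<_>>().join("&")
}

/// 32 random bytes as hex from /dev/urandom: a std-only stand-in for a CSPRNG crate (assumption).
pub fn random_token() -> std::io::Result<String> {
    let mut buf = [0u8; 32];
    std::fs::File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Logins awaiting a callback, keyed by the CSRF `state`. Each entry is single-use and
/// expires, so a replayed or stale callback is rejected.
pub struct PendingLogins { by_state: HashMap<String, (String, Instant)>, ttl: Duration }

impl PendingLogins {
    pub fn new(ttl: Duration) -> Self { Self { by_state: HashMap::new(), ttl } }

    /// Build the authorization URL for one login attempt and remember its state -> nonce binding.
    /// `state` and `nonce` are passed in (e.g. from `random_token`) so this stays deterministic.
    pub fn login_url(&mut self, ep: &ProviderEndpoints, client_id: &str, redirect_uri: &str,
                     state: &str, nonce: &str) -> String {
        self.by_state.insert(state.to_string(), (nonce.to_string(), Instant::now() + self.ttl));
        format!("{}?{}", ep.authorization_endpoint, query(&[
            ("response_type", "code"), ("client_id", client_id), ("redirect_uri", redirect_uri),
            ("scope", "openid"), ("state", state), ("nonce", nonce),
        ]))
    }

    /// Consume the `state` echoed back on the callback and return the nonce that the ID token's
    /// `nonce` claim must equal. Errors are generic so no provider detail reaches the client.
    pub fn consume_state(&mut self, state: &str) -> Result<String, &'static str> {
        match self.by_state.remove(state) {
            Some((nonce, expires)) if Instant::now() < expires => Ok(nonce),
            Some(_) => Err("login attempt expired"),
            None => Err("unknown or reused state"),
        }
    }
}

/// Compare the ID token's `nonce` claim with the value bound to the consumed state.
pub fn nonce_matches(expected: &str, id_token_nonce: Option<&str>) -> bool {
    id_token_nonce == Some(expected)
}

/// What the logout handler tells the web UI to do, depending on provider capabilities.
#[derive(Debug, PartialEq)]
pub enum LogoutPlan {
    /// Send the user agent to the provider's logout endpoint, which redirects back afterwards.
    RedirectToProvider(String),
    /// Revoke the token server-side first, then return the UI to its own index page.
    RevokeThenReturnHome { revocation_endpoint: String, return_to: String },
    /// Neither is supported: only the client-held bearer token can be forgotten.
    ForgetTokenOnly,
}

pub fn plan_logout(ep: &ProviderEndpoints, client_id: &str, id_token: &str, ui_url: &str) -> LogoutPlan {
    if let Some(end_session) = &ep.end_session_endpoint {
        // id_token_hint tells the provider which session to end; post_logout_redirect_uri is the spec name.
        return LogoutPlan::RedirectToProvider(format!("{}?{}", end_session, query(&[
            ("id_token_hint", id_token), ("post_logout_redirect_uri", ui_url), ("client_id", client_id),
        ])));
    }
    if let Some(rev) = &ep.revocation_endpoint {
        return LogoutPlan::RevokeThenReturnHome { revocation_endpoint: rev.clone(), return_to: ui_url.to_string() };
    }
    LogoutPlan::ForgetTokenOnly
}

fn main() {
    // Constructed provider metadata and client settings for the demo (not real endpoints).
    let ep = ProviderEndpoints {
        authorization_endpoint: "https://idp.example/authorize".into(),
        end_session_endpoint: Some("https://idp.example/logout".into()),
        revocation_endpoint: None,
    };
    let mut pending = PendingLogins::new(Duration::from_secs(300));
    let (state, nonce) = (random_token().unwrap(), random_token().unwrap());
    println!("login: {}", pending.login_url(&ep, "krill", "https://krill.example/auth/callback", &state, &nonce));
    // Simulated callback: the state comes back once, then the ID token's nonce is checked.
    let expected = pending.consume_state(&state).unwrap();
    println!("nonce ok: {}", nonce_matches(&expected, Some(&nonce)));
    println!("logout: {:?}", plan_logout(&ep, "krill", "<id_token>", "https://krill.example/"));
}
```

The point of keeping the state and nonce in a server-side map keyed by state is that a callback is only accepted once and only within the TTL, and the nonce check ties the returned ID token to the login attempt that Krill itself started; the error strings stay generic in the spirit of the authenticate note above about not leaking provider details.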

Trait Implementations

impl From<OpenIDConnectAuthProvider> for AuthProvider

fn from(provider: OpenIDConnectAuthProvider) -> Self

Converts to this type from the input type.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.