Adding "auth" and "auth/gcp" packages #160

Merged
merged 22 commits into from
Nov 5, 2018
Conversation

jprobinson (Contributor)

As devs move away from marvin and App Engine 1st generation and back to the land of gizmo with the 2nd generation, we need some tools to replace GAE's auth mechanisms for internal and external traffic. This is the first iteration of tools to fill this need.

The auth package provides a new interface for servers that will be verifying inbound signed JWTs. This is meant to be the server-side version of oauth2.TokenSource.

    // PublicKeySource is the server-side counterpart of oauth2.TokenSource:
    // it returns the set of public keys used to verify inbound signed JWTs.
    type PublicKeySource interface {
        Get(context.Context) (PublicKeySet, error)
    }

Two major implementations are being added, one for IAM and one for Google identity tokens. These are supported by helper functions for parsing JWKS responses from a URL or directly from JSON.

To make things easier on the users, the auth package is also introducing a new Verifier type that will be composed of a PublicKeySource and helper functions for decoding and verifying inbound tokens.

    // Verifier bundles a key source with the decode and verify steps
    // applied to each inbound token.
    type Verifier struct {
        ks PublicKeySource   // source of the public keys used for verification
        df ClaimsDecoderFunc // decodes the token's claims
        vf VerifyFunc        // verifies the decoded claims
    }

For the client side of things, the gcp package also introduces an oauth2.TokenSource for IAM and the Identity token.

There are a handful of other handy functions and tools to help tie everything together. I hope to add more soon that will reduce the amount of (already minimal) configuration required along with tools to make local and test environments easier to work with.

Both IAM and Identity are being provided because we prefer to use Identity tokens in GCP, but they aren't available in the 1st generation runtime. The IAM tools provided are meant to be a bridge for users migrating large projects over to the 2nd generation runtime, one service at a time.

Side note: I decided to go against using other JWT libraries as they have been taking a more generic approach and allow for multiple forms of crypto. We're just using the rsa.PublicKey in both of our use cases so I took a more opinionated approach.
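As an added illustration of the server-side pattern the description above lays out (a PublicKeySource that supplies RSA keys parsed from a JWKS document, and a verifier that checks an inbound RS256 token against it), here is a self-contained Go example. It is not code from this PR or from gizmo; every name in it (PublicKeySet, ParseJWKS, JWKSFromKey, Claims, SignRS256, Verify, and the "svc-a" audience and "k1" kid used below) is the example's own assumption, and SignRS256 exists only to mint tokens to feed the verifier. It keeps the PR's opinionated RSA-only stance: the alg is pinned to RS256 before any key is consulted, the key is looked up by kid, the signature is checked, and only then are aud and exp trusted.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments and JWK fields are unpadded base64url

// PublicKeySet maps a JWK "kid" to an RSA key (RSA-only, as in the PR); a set is also its own trivial PublicKeySource.
type PublicKeySet map[string]*rsa.PublicKey

// PublicKeySource is the server-side analogue of oauth2.TokenSource.
type PublicKeySource interface {
	Get(context.Context) (PublicKeySet, error)
}

func (s PublicKeySet) Get(context.Context) (PublicKeySet, error) { return s, nil }

type Claims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// ParseJWKS turns an RFC 7517 key set into a PublicKeySet. Entries that are not
// usable RSA keys are skipped, so a bad entry can only surface as an unknown kid.
func ParseJWKS(raw []byte) (PublicKeySet, error) {
	var doc struct{ Keys []struct{ Kty, Kid, N, E string } } // json matches names case-insensitively
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	set := PublicKeySet{}
	for _, k := range doc.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kty != "RSA" || k.Kid == "" || errN != nil || errE != nil {
			continue
		}
		set[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return set, nil
}

// JWKSFromKey builds a one-key JWKS document; it is this example's test fixture.
func JWKSFromKey(kid string, pub *rsa.PublicKey) []byte {
	raw, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kty": "RSA", "kid": kid,
		"n": enc.EncodeToString(pub.N.Bytes()), "e": enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return raw
}

// SignRS256 issues a token; it exists only to produce inputs for Verify.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig), err // err is non-nil only if signing failed
}

// Verify pins the algorithm before any key is consulted (so "none" or an HMAC alg never
// reaches the RSA path), looks the key up by kid, checks the signature, then aud and exp.
func Verify(ctx context.Context, ks PublicKeySource, token, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unsupported alg %q", hdr.Alg)
	}
	set, err := ks.Get(ctx)
	pub := set[hdr.Kid] // indexing a nil set is safe and yields nil
	if err != nil || pub == nil {
		return nil, fmt.Errorf("no key for kid %q: %v", hdr.Kid, err)
	}
	sig, err := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad claims segment")
	}
	if c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: aud=%q exp=%d", c.Aud, c.Exp)
	}
	return &c, nil
}
```

Usage: generate a key with rsa.GenerateKey, build the set with ParseJWKS(JWKSFromKey("k1", &priv.PublicKey)), mint a token with SignRS256(priv, "k1", Claims{Aud: "svc-a", Exp: ...}), and call Verify with the expected audience and the current time. Changing the audience, moving now past exp, signing under a kid the set does not know, rewriting the header to alg "none", or editing the payload each yields an error rather than a claim set. A production PublicKeySource would fetch and cache the JWKS URL (and refresh on an unknown kid); the static set here stands in for that.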

coveralls commented Nov 2, 2018

Coverage remained the same at 44.895% when pulling af98692 on auth into bb17238 on master.

Review threads (resolved, now outdated): auth/gcp/iam.go, auth/keys.go
darrenmcc (Contributor) left a comment

A few little things but looks good 🅰️➕➕➕

@jprobinson jprobinson merged commit ba3c663 into master Nov 5, 2018
@jprobinson jprobinson deleted the auth branch November 5, 2018 17:58