Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add static token option in client #187

Closed
wants to merge 1 commit into from
Closed

feat: add static token option in client #187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
19 changes: 16 additions & 3 deletions pkg/client/middleware/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package middleware

import (
"context"
"fmt"
"os"

"github.com/zitadel/oidc/pkg/client/profile"
Expand Down Expand Up @@ -42,10 +43,10 @@ func JWTProfileFromKeyAndUserID(key []byte, keyID, userID string) JWTProfileToke
}
}

//NewAuthenticator creates an interceptor which authenticates a service account with a provided JWT Profile (using a key.json either as file or data).
//NewJWTProfileAuthenticator creates an interceptor which authenticates a service account with a provided JWT Profile (using a key.json either as file or data).
//There returned token will be used for authorization in all calls
//if expired, the token will be automatically refreshed
func NewAuthenticator(issuer string, jwtProfileTokenSource JWTProfileTokenSource, scopes ...string) (*AuthInterceptor, error) {
func NewJWTProfileAuthenticator(issuer string, jwtProfileTokenSource JWTProfileTokenSource, scopes ...string) (*AuthInterceptor, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

although it's probably not used directly in other projects, renaming it would be a breaking change... but it could be solved with a wrapper method:

...
// Deprecated: use NewJWTProfileAuthenticator instead
func NewAuthenticator(issuer string, jwtProfileTokenSource JWTProfileTokenSource, scopes ...string) (*AuthInterceptor, error) {
  return NewJWTProfileAuthenticator(issuer, jwtProfileTokenSource, scopes...)
}

func NewJWTProfileAuthenticator(issuer string, jwtProfileTokenSource JWTProfileTokenSource, scopes ...string) (*AuthInterceptor, error) {
...

ts, err := jwtProfileTokenSource(issuer, scopes)
if err != nil {
return nil, err
Expand All @@ -61,7 +62,7 @@ func NewAuthenticator(issuer string, jwtProfileTokenSource JWTProfileTokenSource
//
// Deprecated: use NewAuthenticator(issuer, JWTProfileFromPath(keyPath), scopes...) instead
func NewAuthInterceptor(issuer, keyPath string, scopes ...string) (*AuthInterceptor, error) {
return NewAuthenticator(issuer, JWTProfileFromPath(keyPath), scopes...)
return NewJWTProfileAuthenticator(issuer, JWTProfileFromPath(keyPath), scopes...)
}

func (interceptor *AuthInterceptor) Unary() grpc.UnaryClientInterceptor {
Expand Down Expand Up @@ -91,3 +92,15 @@ func (interceptor *AuthInterceptor) setToken(ctx context.Context) (context.Conte
}
return metadata.AppendToOutgoingContext(ctx, "authorization", token.TokenType+" "+token.AccessToken), nil
}

type StaticTokenSource string

func (a StaticTokenSource) GetRequestMetadata(ctx context.Context, url ...string) (map[string]string, error) {
return map[string]string{
"authorization": fmt.Sprintf("Bearer %s", a),
}, nil
}

func (a StaticTokenSource) RequireTransportSecurity() bool {
return false
}
Comment on lines +104 to +106
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO it should be possible to configure if TLS is used or not and i would prefer to have it enabled by default and that you would need to disable it explicitly

49 changes: 37 additions & 12 deletions pkg/client/zitadel/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,13 @@ type Connection struct {
issuer string
api string
jwtProfileTokenSource middleware.JWTProfileTokenSource
staticTokenSource middleware.StaticTokenSource
scopes []string
orgID string
insecure bool
unaryInterceptors []grpc.UnaryClientInterceptor
streamInterceptors []grpc.StreamClientInterceptor
perRPCCredentials credentials.PerRPCCredentials
*grpc.ClientConn
}

Expand All @@ -38,17 +40,27 @@ func NewConnection(issuer, api string, scopes []string, options ...Option) (*Con
}
}

err := c.setInterceptors(c.issuer, c.orgID, c.scopes, c.jwtProfileTokenSource)
if err != nil {
return nil, err
}
dialOptions := []grpc.DialOption{
grpc.WithChainUnaryInterceptor(
c.unaryInterceptors...,
),
grpc.WithChainStreamInterceptor(
c.streamInterceptors...,
),
dialOptions := []grpc.DialOption{}
if c.staticTokenSource == "" {
err := c.setInterceptors(c.issuer, c.orgID, c.scopes, c.jwtProfileTokenSource)
if err != nil {
return nil, err
}
dialOptions = append(dialOptions,
grpc.WithChainUnaryInterceptor(
c.unaryInterceptors...,
),
grpc.WithChainStreamInterceptor(
c.streamInterceptors...,
),
)
} else {
c.setCredentials(c.staticTokenSource)
dialOptions = append(dialOptions,
grpc.WithPerRPCCredentials(
c.perRPCCredentials,
),
)
Comment on lines +44 to +63
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the setInterceptors method also sets an interceptor for the x-zitadel-orgid header (allows to specify another organisation if needed)
IMO the static token version might need that as well

}

opt, err := transportOption(c.api, c.insecure)
Expand All @@ -66,7 +78,7 @@ func NewConnection(issuer, api string, scopes []string, options ...Option) (*Con
}

func (c *Connection) setInterceptors(issuer, orgID string, scopes []string, jwtProfileTokenSource middleware.JWTProfileTokenSource) error {
auth, err := middleware.NewAuthenticator(issuer, jwtProfileTokenSource, scopes...)
auth, err := middleware.NewJWTProfileAuthenticator(issuer, jwtProfileTokenSource, scopes...)
if err != nil {
return err
}
Expand All @@ -81,6 +93,10 @@ func (c *Connection) setInterceptors(issuer, orgID string, scopes []string, jwtP
return nil
}

func (c *Connection) setCredentials(staticTokenSource middleware.StaticTokenSource) {
c.perRPCCredentials = staticTokenSource
}

func transportOption(api string, insecure bool) (grpc.DialOption, error) {
if insecure {
return grpc.WithInsecure(), nil
Expand Down Expand Up @@ -138,6 +154,15 @@ func WithJWTProfileTokenSource(provider middleware.JWTProfileTokenSource) func(*
}
}

//WithStaticTokenSource sets the provider used for the authentication
//if not set, the key file will be read from the path set in env var ZITADEL_KEY_PATH
func WithStaticTokenSource(provider middleware.StaticTokenSource) func(*Connection) error {
return func(client *Connection) error {
client.staticTokenSource = provider
return nil
}
}

//WithOrgID sets the organization context (where the api calls are executed)
//if not set the resource owner (organisation) of the calling user will be used
func WithOrgID(orgID string) func(*Connection) error {
Expand Down