kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go

var synchronizeTokenIDVerifierForTest

const wellKnownEndpointPath

type Options

type CAContentProvider

// initVerifier creates a new ID token verifier for the given configuration and issuer URL.  On success, calls setVerifier with the
// resulting verifier.
func initVerifier(ctx context.Context, config *oidc.Config, iss string, audiences sets.Set[string]) (*idTokenVerifier, error) {}

type asyncIDTokenVerifier

// newAsyncIDTokenVerifier creates a new asynchronous token verifier.  The
// verifier is available immediately, but may remain uninitialized for some time
// after creation.
func newAsyncIDTokenVerifier(ctx context.Context, c *oidc.Config, iss string, audiences sets.Set[string]) *asyncIDTokenVerifier {}

// verifier returns the underlying ID token verifier, or nil if one is not yet initialized.
func (a *asyncIDTokenVerifier) verifier() *idTokenVerifier {}

type jwtAuthenticator

type idTokenVerifier

func (a *jwtAuthenticator) setVerifier(v *idTokenVerifier) {}

func (a *jwtAuthenticator) idTokenVerifier() (*idTokenVerifier, bool) {}

func AllValidSigningAlgorithms() []string {}

var allowedSigningAlgs

type AuthenticatorTokenWithHealthCheck

// New returns an authenticator that is asynchronously initialized when opts.KeySet is not set.
// The input lifecycleCtx is used to:
// - terminate background goroutines that are needed for asynchronous initialization
// - as the base context for any requests that are made (i.e. for key fetching)
// Thus, once the lifecycleCtx is canceled, the authenticator must not be used.
// A caller may check if the authenticator is healthy by calling the HealthCheck method.
func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHealthCheck, error) {}

type errorHolder

type discoveryURLRoundTripper

func (t *discoveryURLRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {}

// untrustedIssuer extracts an untrusted "iss" claim from the given JWT token,
// or returns an error if the token can not be parsed.  Since the JWT is not
// verified, the returned issuer should not be trusted.
func untrustedIssuer(token string) (string, error) {}

func hasCorrectIssuer(iss, tokenData string) bool {}

type endpoint

type claimResolver

// newClaimResolver creates a new resolver for distributed claims.
// the input ctx is retained and is used as the base context for background requests such as key fetching.
func newClaimResolver(ctx context.Context, claim string, client *http.Client, config *oidc.Config, audiences sets.Set[string]) *claimResolver {}

// Verifier returns either the verifier for the specified issuer, or error.
func (r *claimResolver) Verifier(iss string) (*idTokenVerifier, error) {}

// expand extracts the distributed claims from claim names and claim sources.
// The extracted claim value is pulled up into the supplied claims.
//
// Distributed claims are of the form as seen below, and are defined in the
// OIDC Connect Core 1.0, section 5.6.2.
// See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
//
//	{
//	  ... (other normal claims)...
//	  "_claim_names": {
//	    "groups": "src1"
//	  },
//	  "_claim_sources": {
//	    "src1": {
//	      "endpoint": "https://www.example.com",
//	      "access_token": "f005ba11"
//	    },
//	  },
//	}
func (r *claimResolver) expand(ctx context.Context, c claims) error {}

// resolve requests distributed claims from all endpoints passed in,
// and inserts the lookup results into allClaims.
func (r *claimResolver) resolve(ctx context.Context, endpoint endpoint, allClaims claims) error {}

func (v *idTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {}

// verifyAudience verifies the audience field in the ID token matches the expected audience.
// This is added based on https://github.com/coreos/go-oidc/blob/b203e58c24394ddf5e816706a7645f01280245c7/oidc/verify.go#L275-L281
// with the difference that we allow multiple audiences.
//
// AuthenticationConfiguration has a audienceMatchPolicy field, but the only supported value now is "MatchAny".
// So, The default match behavior is to match at least one of the audiences in the ID token.
func (v *idTokenVerifier) verifyAudience(t *oidc.IDToken) error {}

func (a *jwtAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {}

func (a *jwtAuthenticator) HealthCheck() error {}

func (a *jwtAuthenticator) getUsername(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (string, error) {}

func (a *jwtAuthenticator) getGroups(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) ([]string, error) {}

func (a *jwtAuthenticator) getUID(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (string, error) {}

func (a *jwtAuthenticator) getExtra(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (map[string][]string, error) {}

func getCredentialID(c claims) string {}

// getClaimJWT gets a distributed claim JWT from url, using the supplied access
// token as bearer token.  If the access token is "", the authorization header
// will not be set.
// TODO: Allow passing in JSON hints to the IDP.
func getClaimJWT(ctx context.Context, client *http.Client, url, accessToken string) (string, error) {}

type stringOrArray

func (s *stringOrArray) UnmarshalJSON(b []byte) error {}

type claims

func (c claims) unmarshalClaim(name string, v interface{}

func (c claims) hasClaim(name string) bool {}

// convertCELValueToStringList converts the CEL value to a string list.
// The CEL value needs to be either a string or a list of strings.
// "", [] are treated as not being present and will return nil.
// Empty string in a list of strings is treated as not being present and will be filtered out.
func convertCELValueToStringList(val ref.Val) ([]string, error) {}

type messageFunc

// checkValidationRulesEvaluation checks if the validation rules evaluation results
// are valid. If the validation rules evaluation results are not valid, it returns
// an error with an optional message that was set in the validation rule.
func checkValidationRulesEvaluation(results []authenticationcel.EvaluationResult, messageFn messageFunc) error {}

func convertObjectToUnstructured(obj interface{}

func convertUserInfoToUnstructured(info user.Info) (*unstructured.Unstructured, error) {}