Standard interceptors for the SAML login flow + a few helper interceptors.
In addition, this namespace also contains interceptors used to create custom
SAML-authorized routes. A SAML-authorized route is constructed by appending to
the output of the chain
function.
By default, the SAML RelayState is assumed to be a redirect URL which has been encoded using the 'safe-encode' function in 'dk.cst.pedestal.sp.auth'.
Route-level authorisation checks can be made using the permit-request?
fn
from within an interceptor. For inline condition definitions and checks
(available in both Clojure/ClojureScript) refer to dk.cst.pedestal.sp.auth
.
Standard interceptors for the SAML login flow + a few helper interceptors. In addition, this namespace also contains interceptors used to create custom SAML-authorized routes. A SAML-authorized route is constructed by appending to the output of the `chain` function. By default, the SAML RelayState is assumed to be a redirect URL which has been encoded using the 'safe-encode' function in 'dk.cst.pedestal.sp.auth'. Route-level authorisation checks can be made using the `permit-request?` fn from within an interceptor. For inline condition definitions and checks (available in both Clojure/ClojureScript) refer to `dk.cst.pedestal.sp.auth`.
(auth-chain {:keys [auth-override] :as conf} condition)
Create an interceptor chain to make sure that a user is authorized to access
a resource based on the expanded conf
and a condition
.
Even if a route is not restricted, it might make sense to prepend it with an
'auth-chain' anyway, as this will (by default) reset the TTL of the session
whenever a user accesses the route in question. Use :all as the condition
to allow universal access to a route.
During development, the required authorisation can be modified by setting the :auth-override key of the conf to a different condition, e.g. :all.
Create an interceptor chain to make sure that a user is authorized to access a resource based on the expanded `conf` and a `condition`. Even if a route is not restricted, it might make sense to prepend it with an 'auth-chain' anyway, as this will (by default) reset the TTL of the session whenever a user accesses the route in question. Use :all as the `condition` to allow universal access to a route. During development, the required authorisation can be modified by setting the :auth-override key of the conf to a different condition, e.g. :all.
(authenticated? request)
Has the user making this request
authenticated via SAML?
Has the user making this `request` authenticated via SAML?
(consent-form consent-url
{:keys [agreed pedestal-sp summary checkboxes] :as consent}
RelayState)
Build a form for use with the 'consent-ic' based on a consent-url
,
a consent
map and a RelayState
.
Build a form for use with the 'consent-ic' based on a `consent-url`, a `consent` map and a `RelayState`.
(consent-ic {:keys [consent paths] :as conf})
Interceptor used to request consent from authenticated users based on conf
.
Only handles session expiration by default, but can be used for e.g. GDPR.
The interceptor has 3 states:
Interceptor used to request consent from authenticated users based on `conf`. Only handles session expiration by default, but can be used for e.g. GDPR. The interceptor has 3 states: - The user is shown the 'initial' view as part of the authentication flow. - The user agrees/disagrees to the specified policies by submitting the form which will set up required cookies and 'redirect' to the RelayState. - Subsequent visits to the consent url will all be the 'edit' view which sources the consent from the consent cookie state.
(echo-assertions-ic req)
Handler echoing SAML response assertions in session store.
Handler echoing SAML response assertions in session store.
(echo-request-ic req)
Handler echoing full SAML request in session store.
Handler echoing full SAML request in session store.
(echo-response-ic req)
Handler echoing full SAML response (including assertions) in session store.
Handler echoing full SAML response (including assertions) in session store.
(echo-session-ic req)
Handler echoing all current SAML-related information in session store.
Handler echoing all current SAML-related information in session store.
(failure-ic conf)
Error-handling interceptor creating responses for errors thrown by ::guard.
Error-handling interceptor creating responses for errors thrown by ::guard.
(guard-ic condition)
Interceptor that will throw exceptions based on the given condition
.
By also including the condition as metadata, other interceptors can look up conditions for different routes ahead of time (see: 'permit-request?' fn).
Interceptor that will throw exceptions based on the given `condition`. By also including the condition as metadata, other interceptors can look up conditions for different routes ahead of time (see: 'permit-request?' fn).
(logout-ic {:keys [form-params] :as req})
Delete current SAML-related session info related to the user, i.e. log out.
This is an API endpoint by default, so it returns 204. That will not by itself refresh the browser page, but a 303 redirect can be triggered by providing a RelayState query parameter similar to how the SAML login response endpoint works.
Delete current SAML-related session info related to the user, i.e. log out. This is an API endpoint by default, so it returns 204. That will not by itself refresh the browser page, but a 303 redirect can be triggered by providing a RelayState query parameter similar to how the SAML login response endpoint works.
(metadata-ic {:keys [app-name acs-url sp-cert] :as conf})
SAML Metadata handler from an expanded conf
. Returns the metadata as XML.
SAML Metadata handler from an expanded `conf`. Returns the metadata as XML.
(override-ic condition)
Interceptor that adds a condition
override to the SAML assertions map.
Interceptor that adds a `condition` override to the SAML assertions map.
(permit-request? ctx route)
(permit-request? {:keys [request] :as ctx} query-string verb)
Is a route
or query-string
allowed within the current interceptor ctx
?
Checks conditions set by interceptor chain constructed with the chain fn.
Note that unresolved routes will result in a truthy response, but the return value will be :not-found in that case!
Is a `route` or `query-string` allowed within the current interceptor `ctx`? Checks conditions set by interceptor chain constructed with the chain fn. Note that unresolved routes will result in a truthy response, but the return value will be :not-found in that case!
(request->consent-state request)
(request-ic {:keys [app-name acs-url idp-url issuer credential state-manager
relay-state]
:as conf})
SAML request handler from an expanded conf
. Redirects login to IdP.
Custom RelayState taking the form of a URL can be provided as a query-param.
SAML request handler from an expanded `conf`. Redirects login to IdP. Custom RelayState taking the form of a URL can be provided as a query-param.
(response-ic {:keys [idp-cert sp-private-key validation paths] :as conf})
SAML response handler from an expanded conf
. Accepts response from IdP.
Will treat RelayState as a location, redirecting there after authentication.
SAML response handler from an expanded `conf`. Accepts response from IdP. Will treat RelayState as a location, redirecting there after authentication.
(routing->auth-test {:keys [interceptors] :as routing})
Given a routing
map for a single route, return the auth test attached as
metadata to the ::session-guard interceptor.
Note: routing maps are returned by routing-for
.
Given a `routing` map for a single route, return the auth test attached as metadata to the ::session-guard interceptor. Note: routing maps are returned by `routing-for`.
(routing-for ctx query-string verb)
Resolve routing for query-string
and verb
using the router in the ctx
.
This is a modified version of io.pedestal.http.route/try-routing-for
.
Resolve routing for `query-string` and `verb` using the router in the `ctx`. This is a modified version of `io.pedestal.http.route/try-routing-for`.
(session-ic {:keys [session] :as conf})
Interceptor that adds Ring session data to a request.
Interceptor that adds Ring session data to a request.
(url-for {:keys [bindings] :as ctx} & args)
Call url-for in ctx
with args
.
Call *url-for* in `ctx` with `args`.
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close