Authentication recipes

// pkg/client/client.go
import "github.com/conductorone/baton-sdk/pkg/uhttp"

func NewClient(ctx context.Context, apiKey string) (*Client, error) {
    httpClient, err := uhttp.NewBaseHttpClient(ctx,
        uhttp.WithBearerToken(apiKey))
    if err != nil {
        return nil, err
    }
    return &Client{http: httpClient, baseURL: "https://api.example.com"}, nil
}

import (
    "golang.org/x/oauth2/clientcredentials"
)

func NewClient(ctx context.Context, clientID, clientSecret, tokenURL string) (*Client, error) {
    config := &clientcredentials.Config{
        ClientID:     clientID,
        ClientSecret: clientSecret,
        TokenURL:     tokenURL,
        Scopes:       []string{"read", "write"},
    }

    // This client automatically refreshes tokens
    httpClient := config.Client(ctx)

    return &Client{http: httpClient}, nil
}

import (
    "google.golang.org/api/option"
    admin "google.golang.org/api/admin/directory/v1"
)

func NewGoogleClient(ctx context.Context, credentialsJSON []byte, adminEmail string) (*admin.Service, error) {
    // Parse the service account key
    config, err := google.JWTConfigFromJSON(credentialsJSON,
        admin.AdminDirectoryUserReadonlyScope,
        admin.AdminDirectoryGroupReadonlyScope,
    )
    if err != nil {
        return nil, fmt.Errorf("failed to parse credentials: %w", err)
    }

    // Impersonate a domain admin for domain-wide access
    config.Subject = adminEmail

    // Create the service
    return admin.NewService(ctx, option.WithHTTPClient(config.Client(ctx)))
}

import "github.com/go-ldap/ldap/v3"

func NewLDAPClient(ctx context.Context, serverURL, bindDN, bindPassword string) (*ldap.Conn, error) {
    conn, err := ldap.DialURL(serverURL) // ldaps://dc.example.com:636
    if err != nil {
        return nil, fmt.Errorf("failed to connect to LDAP: %w", err)
    }

    // Simple bind with username/password
    err = conn.Bind(bindDN, bindPassword)
    if err != nil {
        conn.Close()
        return nil, fmt.Errorf("failed to bind: %w", err)
    }

    return conn, nil
}

// For Kerberos/GSSAPI (domain-joined machines)
func NewLDAPClientKerberos(ctx context.Context, serverURL string) (*ldap.Conn, error) {
    conn, err := ldap.DialURL(serverURL)
    if err != nil {
        return nil, err
    }

    err = conn.ExternalBind()
    if err != nil {
        conn.Close()
        return nil, err
    }

    return conn, nil
}