Constants

// CallbackPath is the request path reserved for the OAuth redirect callback.
// Nothing in this listing shows how it is mounted; presumably the HTTP layer
// routes it to AuthProxy.Callback / ConnectService.Callback, and it is the
// path that has to appear in registered redirect URIs (cf.
// RegisterRequest.RedirectURIs) — confirm against the router.
const CallbackPath = "/oauth/callback"

Variables

// Errors of the connect flow. The "oauth connect:" prefix matches
// ConnectService; which methods return them is not shown in this listing.
var (
	// ErrTicketNotFound covers both an expired and an unknown ticket ID; the
	// message does not distinguish the two, so callers cannot either.
	ErrTicketNotFound   = errors.New("oauth connect: ticket expired or unknown")
	// ErrProviderNotFound: the named provider is not configured for the
	// consumer that owns the ticket.
	ErrProviderNotFound = errors.New("oauth connect: provider not configured for this consumer")
)
// Errors from authorization-server discovery and client registration. The
// "oauth:" prefix suggests MetadataService (AuthorizationServer,
// RegisterClient) as the origin — not visible here, confirm.
var (
	// ErrNoAuthorizationServer: discovery yielded no authorization server
	// (presumably ProtectedResourceMetadata.AuthorizationServers is empty).
	ErrNoAuthorizationServer        = errors.New("oauth: no authorization server configured")
	// ErrAmbiguousAuthorizationServer: more than one server is configured and
	// none is selected; since this is an error, the caller has to resolve it.
	ErrAmbiguousAuthorizationServer = errors.New("oauth: multiple authorization servers configured")
	// ErrRegistrationUnavailable: dynamic client registration is not offered
	// for this server.
	ErrRegistrationUnavailable      = errors.New("oauth: dynamic client registration unavailable")
)
// ErrInvalidGrant reports that a grant (presumably a refresh token handed to
// ProviderClient.Refresh, or a code given to ExchangeCode) is no longer valid
// at the provider. Callers should read it as "re-consent required" rather
// than retry — which methods actually return it is not shown here.
var ErrInvalidGrant = errors.New("oauth provider: grant is no longer valid")
// ErrUpstreamNotDiscoverable is returned when the upstream publishes no OAuth
// protected-resource metadata, so dynamic client registration cannot proceed;
// the message points the operator at `registration: manual` with a
// pre-registered OAuth app. Presumably raised by UpstreamRegistrar.Discover —
// the "oauth dcr:" prefix is the only hint in this listing.
var ErrUpstreamNotDiscoverable = errors.New(
	"oauth dcr: upstream does not publish OAuth protected-resource metadata; configure registration: manual with a pre-registered OAuth app")

Functions


// IsAcceptableRedirectURI reports whether raw may be used as a redirect URI.
// The acceptance rules live in the body, which this listing omits, so the
// exact policy (scheme, host, loopback handling, fragments) has to be read
// from source. Every client-supplied redirect target
// (AuthorizeRequest.RedirectURI, RegisterRequest.RedirectURIs,
// TokenRequest.RedirectURI) should pass through it — NOTE(review): confirm
// each of those call sites does.
func IsAcceptableRedirectURI(raw string) bool

Types


// AuthProxy appears to be the gateway-side authorization-server facade for
// downstream clients. Every method takes the gateway's externally visible
// baseURL, presumably to build absolute URLs.
//
//   - Authorize handles an authorization request and returns a string,
//     presumably the URL to redirect the user agent to.
//   - Callback consumes the redirect from the upstream IdP. state and code
//     are the callback parameters; idpErr/idpErrDesc carry the IdP's
//     error/error_description. All four arrive via the user agent and are
//     untrusted until the state has been resolved (FlowStore.TakePending);
//     idpErrDesc in particular should not be reflected unescaped. The
//     returned string is again presumably a redirect URL.
//   - Exchange serves the token endpoint and returns the raw token response
//     as a map.
//
// Which of the above checks are enforced is not visible here; confirm against
// the implementation returned by NewAuthProxy.
type AuthProxy interface {
	Authorize(ctx context.Context, baseURL string, req AuthorizeRequest) (string, error)
	Callback(ctx context.Context, baseURL, state, code, idpErr, idpErrDesc string) (string, error)
	Exchange(ctx context.Context, baseURL string, req TokenRequest) (map[string]any, error)
}


// NewAuthProxy builds the AuthProxy implementation from its collaborators:
// credentials (client-credential lookup), paths (consumer path resolution),
// client (outbound HTTP to the upstream IdP), store (pending authorizations,
// codes, gateway clients and sessions — see FlowStore), chainer (see
// ConsentChainer), signer (token signing) and userinfo (see UserInfoClient).
// The roles in parentheses are inferred from the parameter types' names; the
// constructor body is not shown in this listing.
func NewAuthProxy(
	credentials appauth.CredentialFinder,
	paths appconsumer.PathResolver,
	client *http.Client,
	store FlowStore,
	chainer ConsentChainer,
	signer appsts.TokenSigner,
	userinfo UserInfoClient,
) AuthProxy


// AuthorizeRequest carries the parameters of an authorization request as
// received from a downstream client. The field names mirror the standard
// OAuth 2.0 / PKCE request parameters (response_type, client_id,
// redirect_uri, state, scope, code_challenge, code_challenge_method,
// resource); the struct has no tags, so binding from the query string is done
// by the caller, not by this type. RedirectURI and State are client input and
// only as safe as the validation applied to them downstream (see
// IsAcceptableRedirectURI and PendingAuthorization).
type AuthorizeRequest struct {
	ResponseType        string
	ClientID            string
	RedirectURI         string
	State               string
	Scope               string
	CodeChallenge       string
	CodeChallengeMethod string
	Resource            string
}


// ClientStore persists the clients this gateway has registered at upstreams,
// keyed by an opaque string. RegisteredClient carries a ClientSecret, so any
// implementation holds upstream client secrets at rest; the backing store is
// not visible here. GetClient's result for a missing key (nil, or an error)
// is not specified by this listing — confirm.
type ClientStore interface {
	SaveClient(ctx context.Context, key string, c RegisteredClient) error
	GetClient(ctx context.Context, key string) (*RegisteredClient, error)
}


// CodeGrant is what the flow store keeps behind an authorization code issued
// to a downstream client (FlowStore.SaveCode/TakeCode).
//
//   - ClientID, RedirectURI and CodeChallenge are presumably what the token
//     endpoint checks against TokenRequest (client_id, redirect_uri,
//     code_verifier) before releasing a token; the comparison itself is not
//     shown here.
//   - Token holds a token response as a raw map. It is secret material and
//     sits in the store for the lifetime of the code.
//   - Subject, AuthID, GatewayID, Audiences, Scopes and SessionMode are
//     optional (omitempty) and describe the principal and the session being
//     minted; SessionMode's exact effect is not visible in this listing.
type CodeGrant struct {
	ClientID      string         `json:"client_id"`
	RedirectURI   string         `json:"redirect_uri"`
	CodeChallenge string         `json:"code_challenge"`
	Token         map[string]any `json:"token"`
	Subject       string         `json:"subject,omitempty"`
	AuthID        string         `json:"auth_id,omitempty"`
	GatewayID     string         `json:"gateway_id,omitempty"`
	Audiences     []string       `json:"audiences,omitempty"`
	Scopes        []string       `json:"scopes,omitempty"`
	SessionMode   bool           `json:"session_mode,omitempty"`
}


// ConnectPage is the view model returned by ConnectService.Page: the consumer
// the ticket belongs to, one ProviderStatus per provider, and a ResumeURL to
// return to afterwards. ResumeURL is a redirect target; where it is validated
// is not visible here (cf. ConnectTicket.ResumeURL).
type ConnectPage struct {
	ConsumerPath string
	Providers    []ProviderStatus
	ResumeURL    string
}


// ConnectService drives the "connect a provider" flow for a gateway principal.
//
//   - CreateTicket mints a ticket for (gatewayID, principalSub, consumerPath)
//     and returns its ID.
//   - Page resolves a ticket into a ConnectPage (presumably ErrTicketNotFound
//     when the ticket is gone).
//   - Start begins the provider authorization and returns a string,
//     presumably the provider's authorization URL.
//   - Callback completes it from the provider redirect. state, code, errCode
//     and errDesc arrive via the user agent and are untrusted until the state
//     is resolved (ConnectStore.TakeConnect).
//   - Disconnect removes the provider link for the ticket's principal.
//   - RefreshAuth refreshes the stored auth for a registry entry.
//   - ChainURL has exactly the signature of ConsentChainer.ChainURL, so a
//     ConnectService satisfies ConsentChainer.
//
// Method bodies are not shown; the points marked "presumably" are inferred
// from names and return types.
type ConnectService interface {
	CreateTicket(ctx context.Context, gatewayID ids.GatewayID, principalSub, consumerPath string) (string, error)
	Page(ctx context.Context, ticketID string) (*ConnectPage, error)
	Start(ctx context.Context, baseURL, ticketID, provider string) (string, error)
	Callback(ctx context.Context, baseURL, provider, state, code, errCode, errDesc string) (string, error)
	Disconnect(ctx context.Context, ticketID, provider string) error
	RefreshAuth(ctx context.Context, gatewayID ids.GatewayID, reg *registrydomain.Registry) (*registrydomain.MCPAuth, error)
	ChainURL(ctx context.Context, baseURL string, gatewayID ids.GatewayID, resource, principalSub, resumeURL string) (string, error)
}


// NewConnectService wires the ConnectService implementation: store keeps
// tickets and in-flight connect state (ConnectStore), vault is where linked
// provider credentials are presumably persisted, consumers resolves consumer
// data, provider performs the upstream OAuth calls (ProviderClient) and
// registrar handles upstream discovery and registration (UpstreamRegistrar).
// Roles are inferred from the parameter types; the body is not shown.
func NewConnectService(
	store ConnectStore,
	vault vaultdomain.Repository,
	consumers appconsumer.DataFinder,
	provider ProviderClient,
	registrar UpstreamRegistrar,
) ConnectService


// ConnectState is the per-attempt record saved under the OAuth state value
// (ConnectStore.SaveConnect/TakeConnect) while a provider authorization is in
// flight: a copy of the ConnectTicket plus its ID, the provider being linked
// and, optionally, the Verifier later handed to ProviderClient.ExchangeCode
// (its verifier parameter). Verifier is secret for as long as the state is
// live, so the entry should be readable only by this service and consumed
// once — whether TakeConnect removes it is not visible here.
type ConnectState struct {
	Ticket   ConnectTicket `json:"ticket"`
	TicketID string        `json:"ticket_id"`
	Provider string        `json:"provider"`
	Verifier string        `json:"verifier,omitempty"`
}


// ConnectStore persists the two artefacts of the connect flow.
//
//   - SaveTicket/GetTicket: a ConnectTicket under its ID; Get, by name,
//     leaves it in place.
//   - SaveConnect/TakeConnect: a ConnectState under the OAuth state value.
//     The Take naming suggests removal on read, which is what would make the
//     state value single-use — not verifiable from this listing, confirm in
//     the implementation.
//
// Behaviour for a missing key (nil, ErrTicketNotFound, or another error) is
// not specified here.
type ConnectStore interface {
	SaveTicket(ctx context.Context, id string, t ConnectTicket) error
	GetTicket(ctx context.Context, id string) (*ConnectTicket, error)
	SaveConnect(ctx context.Context, state string, s ConnectState) error
	TakeConnect(ctx context.Context, state string) (*ConnectState, error)
}


// ConnectTicket identifies who is connecting and where to send them back.
// GatewayID and PrincipalSub bind the ticket to one principal on one gateway;
// ConsumerPath names the consumer whose providers are offered; ResumeURL
// (optional) is the page to return to when done. ResumeURL ends up as a
// redirect target, so its origin and validation matter — neither is visible
// in this listing.
type ConnectTicket struct {
	GatewayID    string `json:"gateway_id"`
	PrincipalSub string `json:"principal_sub"`
	ConsumerPath string `json:"consumer_path"`
	ResumeURL    string `json:"resume_url,omitempty"`
}


// ConsentChainer produces a URL that routes the principal through a connect
// or consent step before continuing to resumeURL. ConnectService.ChainURL
// has an identical signature, so a ConnectService is the expected
// implementation. What ChainURL does with resource is not visible here.
type ConsentChainer interface {
	ChainURL(ctx context.Context, baseURL string, gatewayID ids.GatewayID, resource, principalSub, resumeURL string) (string, error)
}


// FlowStore is the authorization-server state used by AuthProxy and
// MetadataService. Four record kinds, each under a string key:
//
//   - PendingAuthorization under the state value (SavePending/TakePending);
//   - CodeGrant under the authorization code (SaveCode/TakeCode);
//   - RegisteredGatewayClient under its ClientID
//     (SaveGatewayClient/GetGatewayClient);
//   - SessionRecord under the refresh token (SaveSession/TakeSession).
//
// The Take methods, by name, consume the record; that is what would make
// state, code and refresh token single-use, but the listing does not show it
// — confirm. The refresh token is itself the key, so a reader of the store
// sees live bearer credentials unless the implementation hashes keys; that is
// not visible here either.
type FlowStore interface {
	SavePending(ctx context.Context, state string, p PendingAuthorization) error
	TakePending(ctx context.Context, state string) (*PendingAuthorization, error)
	SaveCode(ctx context.Context, code string, g CodeGrant) error
	TakeCode(ctx context.Context, code string) (*CodeGrant, error)
	SaveGatewayClient(ctx context.Context, c RegisteredGatewayClient) error
	GetGatewayClient(ctx context.Context, clientID string) (*RegisteredGatewayClient, error)
	SaveSession(ctx context.Context, refreshToken string, rec SessionRecord) error
	TakeSession(ctx context.Context, refreshToken string) (*SessionRecord, error)
}


// MetadataService serves the discovery documents and dynamic client
// registration of the gateway's authorization server.
//
//   - ProtectedResource returns the protected-resource metadata for resource
//     under baseURL.
//   - AuthorizationServer returns the authorization-server metadata as a raw
//     map.
//   - RegisterClient handles a dynamic registration request. The RedirectURIs
//     in req are client-controlled and should be filtered with
//     IsAcceptableRedirectURI before the client is stored — not visible here,
//     confirm.
type MetadataService interface {
	ProtectedResource(ctx context.Context, baseURL, resource string) (*ProtectedResourceMetadata, error)
	AuthorizationServer(ctx context.Context, baseURL string) (map[string]any, error)
	RegisterClient(ctx context.Context, req RegisterRequest) (*RegisterResponse, error)
}


// NewMetadataService builds the MetadataService. clients is a FlowStore,
// presumably for SaveGatewayClient/GetGatewayClient (RegisterResponse and
// RegisteredGatewayClient share the client_id/redirect_uris/client_name
// fields); credentials, paths and client play the same roles as in
// NewAuthProxy. The body is not shown in this listing.
func NewMetadataService(credentials appauth.CredentialFinder, paths appconsumer.PathResolver, client *http.Client, clients FlowStore) MetadataService


// OAuthError is an OAuth 2.0 error response body: Code serialises as "error"
// and Description as "error_description" (omitted when empty). The error
// interface is implemented on the pointer receiver, so return *OAuthError,
// never a value, and match it with errors.As.
type OAuthError struct {
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
}


// Error implements the error interface for *OAuthError. The body is not
// shown; presumably it renders Code and Description. Description may echo
// text received from a client or an IdP, so mind where the result is logged
// or displayed.
func (e *OAuthError) Error() string


// PendingAuthorization is stored under the state value between Authorize and
// Callback (FlowStore.SavePending/TakePending). ClientID, RedirectURI, State,
// CodeChallenge, CodeChallengeMethod, Scope and Resource match the fields of
// the downstream AuthorizeRequest by name. CodeVerifier has no counterpart
// there — presumably this proxy's own PKCE verifier towards the upstream IdP,
// which is why it is stored server-side; confirm. AuthID is optional.
type PendingAuthorization struct {
	ClientID            string `json:"client_id"`
	RedirectURI         string `json:"redirect_uri"`
	State               string `json:"state"`
	CodeChallenge       string `json:"code_challenge"`
	CodeChallengeMethod string `json:"code_challenge_method"`
	Scope               string `json:"scope"`
	CodeVerifier        string `json:"code_verifier"`
	Resource            string `json:"resource,omitempty"`
	AuthID              string `json:"auth_id,omitempty"`
}


// ProtectedResourceMetadata is the protected-resource metadata document
// returned by MetadataService.ProtectedResource. Resource is always emitted;
// AuthorizationServers and ScopesSupported are omitted when empty.
// BearerMethodsSupported has no omitempty, so a nil slice is serialised as
// JSON null rather than [] or being dropped — intentional or not, consumers
// have to accept null for that key.
type ProtectedResourceMetadata struct {
	Resource               string   `json:"resource"`
	AuthorizationServers   []string `json:"authorization_servers,omitempty"`
	BearerMethodsSupported []string `json:"bearer_methods_supported"`
	ScopesSupported        []string `json:"scopes_supported,omitempty"`
}


// ProviderClient talks to an upstream provider's OAuth endpoints for a given
// registrydomain.MCPAuth configuration.
//
//   - AuthorizeURL builds the authorization URL for redirectURI, state and the
//     PKCE challenge; it takes no ctx and returns no error, so it cannot fail.
//   - ExchangeCode redeems an authorization code with the matching
//     redirectURI and PKCE verifier.
//   - Refresh obtains a new ProviderToken from a refresh token; presumably
//     the source of ErrInvalidGrant.
type ProviderClient interface {
	AuthorizeURL(cfg *registrydomain.MCPAuth, redirectURI, state, challenge string) string
	ExchangeCode(ctx context.Context, cfg *registrydomain.MCPAuth, code, redirectURI, verifier string) (*ProviderToken, error)
	Refresh(ctx context.Context, cfg *registrydomain.MCPAuth, refreshToken string) (*ProviderToken, error)
}


// ProviderStatus is one entry of ConnectPage.Providers: the provider name,
// the registry it belongs to, whether the principal has a linked account
// (Linked), an AccountRef to display and the ExpiresAt of the linked
// credential. What AccountRef contains is not visible in this listing.
type ProviderStatus struct {
	Provider   string
	Registry   string
	Linked     bool
	AccountRef string
	ExpiresAt  time.Time
}


// ProviderToken is the result of ProviderClient.ExchangeCode or Refresh.
// AccessToken and RefreshToken are bearer secrets — do not log the struct
// with %v or %+v. Scopes and ExpiresAt describe the access token; whether
// RefreshToken is always populated is not specified here.
type ProviderToken struct {
	AccessToken  string
	RefreshToken string
	Scopes       []string
	ExpiresAt    time.Time
}


// RegisterRequest is the body of a dynamic client registration request:
// redirect_uris (always emitted) and an optional client_name. RedirectURIs
// is the security-relevant field — it decides where authorization codes for
// the new client may be sent — and it is client-controlled.
type RegisterRequest struct {
	RedirectURIs []string `json:"redirect_uris"`
	ClientName   string   `json:"client_name,omitempty"`
}


// RegisterResponse is the dynamic client registration response. ClientID,
// GrantTypes, ResponseTypes and TokenEndpointAuthMethod are always emitted;
// RedirectURIs and ClientName only when set. There is no client_secret field,
// which suggests registered gateway clients are public clients (cf.
// RegisteredGatewayClient); what TokenEndpointAuthMethod is set to is decided
// elsewhere and not visible here.
type RegisterResponse struct {
	ClientID                string   `json:"client_id"`
	RedirectURIs            []string `json:"redirect_uris,omitempty"`
	ClientName              string   `json:"client_name,omitempty"`
	GrantTypes              []string `json:"grant_types"`
	ResponseTypes           []string `json:"response_types"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method"`
}


// RegisteredClient is this gateway's own client identity at an upstream
// authorization server, as stored by ClientStore and returned by
// UpstreamRegistrar.EnsureClient/CachedClient. ClientSecret is optional
// (omitted when empty) and is a long-lived credential; RedirectURI is the
// single callback registered with the upstream.
type RegisteredClient struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret,omitempty"`
	RedirectURI  string `json:"redirect_uri"`
}


// RegisteredGatewayClient is a downstream client registered with this gateway
// (FlowStore.SaveGatewayClient/GetGatewayClient, keyed by ClientID).
// RedirectURIs is presumably the allow-list AuthorizeRequest.RedirectURI is
// checked against — the check is not visible here. ClientName is optional.
// No secret is stored, so these are public clients.
type RegisteredGatewayClient struct {
	ClientID     string   `json:"client_id"`
	RedirectURIs []string `json:"redirect_uris"`
	ClientName   string   `json:"client_name,omitempty"`
}

type SessionRecord added in v0.2.3

// SessionRecord is what FlowStore keeps behind a refresh token
// (SaveSession/TakeSession); added in v0.2.3. Subject, GatewayID and AuthID
// identify the principal and the auth the session was minted under; Scopes
// and Audiences (optional) presumably bound what a refreshed token may carry.
// The record holds no copy of the token — the refresh token is the store key.
type SessionRecord struct {
	Subject   string   `json:"subject"`
	Scopes    []string `json:"scopes,omitempty"`
	GatewayID string   `json:"gateway_id"`
	AuthID    string   `json:"auth_id"`
	Audiences []string `json:"audiences,omitempty"`
}


// TokenRequest carries a token-endpoint request as received from a downstream
// client: GrantType selects the grant; Code, RedirectURI, ClientID and
// CodeVerifier belong to the authorization_code grant, RefreshToken to the
// refresh_token grant, and Resource names the requested audience. There are
// no tags — form binding happens in the caller. CodeVerifier is what the
// stored CodeGrant.CodeChallenge has to be verified against.
type TokenRequest struct {
	GrantType    string
	Code         string
	RedirectURI  string
	ClientID     string
	CodeVerifier string
	RefreshToken string
	Resource     string
}


// UpstreamAuthServer is the discovered metadata of an upstream authorization
// server (UpstreamRegistrar.Discover): the issuer, its authorization, token
// and registration endpoints, supported scopes, and the Resource discovery
// started from. All fields are emitted unconditionally. The endpoint URLs
// come from the upstream's published metadata, i.e. from the network; where
// they are checked (https, consistency with Issuer) is not visible here.
type UpstreamAuthServer struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	RegistrationEndpoint  string   `json:"registration_endpoint"`
	ScopesSupported       []string `json:"scopes_supported"`
	Resource              string   `json:"resource"`
}


// UpstreamRegistrar discovers an upstream authorization server and obtains a
// client registration there.
//
//   - Discover fetches metadata for upstreamURL; by its message,
//     ErrUpstreamNotDiscoverable is the failure when the upstream publishes
//     no protected-resource metadata.
//   - EnsureClient returns the registered client for key, presumably
//     registering with meta and redirectURI when nothing is cached yet (the
//     "Ensure" reading — confirm).
//   - CachedClient returns only what is already stored (cf. ClientStore).
type UpstreamRegistrar interface {
	Discover(ctx context.Context, upstreamURL string) (*UpstreamAuthServer, error)
	EnsureClient(ctx context.Context, key string, meta *UpstreamAuthServer, redirectURI string) (*RegisteredClient, error)
	CachedClient(ctx context.Context, key string) (*RegisteredClient, error)
}

type UserInfoClient added in v0.2.3

// UserInfoClient fetches a userinfo document (added in v0.2.3). Fetch presents
// accessToken to userInfoURL and returns the decoded claims as a map. Because
// the bearer token is sent to wherever userInfoURL points, the URL has to
// come from trusted configuration or validated discovery, never from request
// input — the call sites are not visible here, confirm.
type UserInfoClient interface {
	Fetch(ctx context.Context, userInfoURL, accessToken string) (map[string]any, error)
}
