Documentation
Overview
Package oidc provides supported-adapter OIDC/JWKS bearer-token middleware.
Use New with Config to validate bearer tokens against an issuer, audiences, allowed algorithms, and a JWKS source. The middleware stores the authenticated subject and optional tenant/scope claims in request context and exposes HealthChecker for readiness.
Configuration fails closed when required identity-provider settings are missing or unsafe. Keep skip-header or development bypass behavior out of production identity paths.
Constants
This section is empty.
Variables
This section is empty.
Functions
func HealthChecker
func HealthChecker(cfg Config, client *http.Client) ports.HealthChecker
HealthChecker returns an OIDC JWKS health checker or nil when disabled.
func ResolveJWKSURL
ResolveJWKSURL returns the configured JWKS URL or discovers it from OIDC metadata.
Types
type ClaimRequirements
type ClaimRequirements struct {
	RequireSubject    *bool
	RequireExpiration *bool
	RequireIssuedAt   *bool
	RequireNotBefore  *bool
}
ClaimRequirements configures required JWT claims (nil preserves defaults).
type Config
type Config struct {
	Enabled      bool
	Issuer       string
	Audience     string
	DiscoveryURL string
	JWKSURL      string
	// TenantClaim maps the tenant/org claim into Subject.TenantID. Defaults to tenant_id.
	TenantClaim string
	// ScopeClaim maps the scope/permission claim into Subject.Scope. Defaults to scope.
	ScopeClaim string
	// DiscoveryHTTPClient overrides the HTTP client used for OIDC discovery.
	DiscoveryHTTPClient *http.Client
	// AllowedAlgorithms constrains JWT signing methods. Defaults to RS256.
	AllowedAlgorithms   []string
	AllowedClockSkew    time.Duration
	JWKSRefreshTimeout  time.Duration
	JWKSRefreshInterval time.Duration
	// RequiredClaims enforces presence of specific JWT claims. Defaults to sub + exp.
	RequiredClaims ClaimRequirements
	// AllowDangerousDevBypasses enables skip headers only from trusted proxies.
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipHeaderName            string
	// SkipTrustedProxies configures trusted CIDRs for skip header usage.
	SkipTrustedProxies []string
}
Config controls provider-neutral OIDC token validation.
func LoadConfig
LoadConfig reads OIDC configuration from environment.
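The overview states that configuration fails closed when identity-provider settings are missing or unsafe. The following added example (not the package's own LoadConfig or New logic) shows what such a validator looks like for a mirrored copy of Config; the concrete rules (https issuer, no "none" or HS* algorithms when keys come from JWKS, skip header only with AllowDangerousDevBypasses and parseable trusted CIDRs) are this example's assumptions about what "unsafe" means.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Config mirrors the oidc.Config fields read below (constructed copy, not the package's type).
type Config struct {
	Enabled                   bool
	Issuer, Audience          string
	DiscoveryURL, JWKSURL     string
	AllowedAlgorithms         []string
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipTrustedProxies        []string
}

// ValidateConfig applies illustrative fail-closed rules: a non-nil error means
// the middleware must not be constructed. Every problem is reported, not just the first.
func ValidateConfig(cfg Config) error {
	if !cfg.Enabled {
		return nil // disabled: nothing to validate and nothing gets authenticated
	}
	var errs []error
	if !strings.HasPrefix(cfg.Issuer, "https://") {
		errs = append(errs, errors.New("Issuer must be an https URL"))
	}
	if cfg.Audience == "" || (cfg.DiscoveryURL == "" && cfg.JWKSURL == "") {
		errs = append(errs, errors.New("Audience and one of DiscoveryURL/JWKSURL are required"))
	}
	for _, alg := range cfg.AllowedAlgorithms {
		// JWKS keys are asymmetric: "none" and HMAC (HS*) must never be accepted here.
		if a := strings.ToUpper(alg); a == "NONE" || strings.HasPrefix(a, "HS") {
			errs = append(errs, fmt.Errorf("algorithm %q not allowed with JWKS", alg))
		}
	}
	if cfg.SkipHeaderEnabled {
		if !cfg.AllowDangerousDevBypasses || len(cfg.SkipTrustedProxies) == 0 {
			errs = append(errs, errors.New("skip header needs AllowDangerousDevBypasses and trusted CIDRs"))
		}
		for _, c := range cfg.SkipTrustedProxies {
			if _, _, err := net.ParseCIDR(c); err != nil {
				errs = append(errs, fmt.Errorf("bad trusted proxy CIDR %q", c))
			}
		}
	}
	return errors.Join(errs...)
}
```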
type Middleware
type Middleware struct {
// contains filtered or unexported fields
}
Middleware validates OIDC bearer tokens and stores the subject.
func NewMiddleware
NewMiddleware creates an OIDC middleware instance. If JWKS refresh is enabled, Close must be called or the passed context canceled on shutdown.
func (*Middleware) Close
func (m *Middleware) Close()
Close stops background JWKS refresh work, if enabled.
func (*Middleware) Handler
func (m *Middleware) Handler(next http.Handler) http.Handler
Handler returns the HTTP middleware enforcing authentication.
func (*Middleware) OptionalHandler
func (m *Middleware) OptionalHandler(next http.Handler) http.Handler
OptionalHandler attaches a subject when a valid token is present, but allows requests without authentication to continue.