stdcrpcauthfx

package
v0.0.237 (not in the latest version of its module)
Published: May 19, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Overview

Package stdcrpcauthfx provides ConnectRPC authentication and authorization via OIDC/JWKS.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ProtoExtensionScope

func ProtoExtensionScope(ext protoreflect.ExtensionType) fx.Option

ProtoExtensionScope returns an fx.Option that provides a ScopeResolver backed by the given protobuf method option extension type.

func Provide

func Provide() fx.Option

Provide returns an fx.Option that wires the stdauth module with config from the environment. Like the other stdgo fx modules it reads its configuration from environment variables prefixed with STDCRPCAUTH_ (e.g. STDCRPCAUTH_TOKEN_ISSUER, STDCRPCAUTH_TOKEN_AUDIENCE, STDCRPCAUTH_TENANT_CLAIM).

func ProvideTenantIDResolver added in v0.0.230

func ProvideTenantIDResolver() fx.Option

ProvideTenantIDResolver returns an fx.Option that wires a stdcrpcenttenancyfx.TenantIDResolver backed by the JWT TenantID claim stamped on ctx by this package's authn middleware (see Claims.TenantID / ClaimsFromContext).

Bundled here as a one-line convenience so composition roots that combine stdcrpcauthfx with stdcrpcenttenancyfx do not need to write the boilerplate closure that adapts ClaimsFromContext to the stdcrpcenttenancyfx.TenantIDResolver interface themselves.

Usage:

fx.Options(
    stdcrpcauthfx.Provide(),
    stdcrpcenttenancyfx.Provide(),
    stdcrpcauthfx.ProvideTenantIDResolver(),
)

func TestProvide added in v0.0.218

func TestProvide() fx.Option

TestProvide provides the package's components as an fx module with a configuration for testing. It replaces Provide() in test fx.App setups, skipping JWT/JWKS validation entirely. Claims are read from the request context via WithTestClaims. The real Wrap() code path (scope resolution, permission checking) still runs.

func WithClaims added in v0.0.237

func WithClaims(ctx context.Context, c Claims) context.Context

WithClaims stamps c onto ctx using the same surface as the authn middleware, so ClaimsFromContext (and consequently the stdcrpcenttenancyfx.TenantIDResolver wired by ProvideTenantIDResolver) pick the value back up downstream.

Intended for use at trusted seams that cannot run the authn middleware — most notably the Temporal context propagator (github.com/advdv/stdgo/fx/stdcrpcauthfx/stdcrpcauthtemporalfx) re-stamping the activity ctx from the Temporal header. Production RPC code paths must NOT call this; claims belong on ctx via the authn middleware (or WithTestClaims in tests).

func WithTestClaims added in v0.0.218

func WithTestClaims(ctx context.Context, c Claims) context.Context

WithTestClaims attaches Claims to the context for use with TestProvide. Each request can carry its own claims via its context.

Types

type AccessControl

type AccessControl struct {
	// contains filtered or unexported fields
}

AccessControl holds all auth state: JWKS cache, config, and the authn middleware.

func (*AccessControl) Start

func (ac *AccessControl) Start(ctx context.Context) (err error)

Start initializes the JWKS cache and fetches the initial key set.

func (*AccessControl) Stop

func (ac *AccessControl) Stop(_ context.Context) error

Stop cancels the JWKS cache background refresh.

func (*AccessControl) Wrap

func (ac *AccessControl) Wrap(handler http.Handler) http.Handler

Wrap returns an HTTP handler that authenticates and authorizes requests.

type Claims

type Claims struct {
	Subject string
	Scopes  []string
	// TenantID is the opaque tenant identifier read from the JWT claim path
	// configured via Config.TenantClaim. It is empty when TenantClaim is not
	// configured or the token does not carry the configured claim. The value
	// is treated as opaque by this package; the consuming application owns
	// its semantics (Auth0 org_id, Cognito custom:tenant, etc).
	TenantID string
}

Claims holds the authentication information extracted from a JWT.

func ClaimsFromContext

func ClaimsFromContext(ctx context.Context) Claims

ClaimsFromContext retrieves the claims stored by the auth middleware.

type Config

type Config struct {
	TokenIssuer   string `env:"TOKEN_ISSUER,required"`
	TokenAudience string `env:"TOKEN_AUDIENCE,required"`
	// TenantClaim is the JWT claim path from which to read an opaque tenant
	// identifier (e.g. "https://example.com/org_id" for an Auth0 namespaced
	// custom claim, or "tenant_id" for a flat claim). When empty, no tenant
	// is extracted and Claims.TenantID is left blank. The semantics of the
	// value are owned by the consuming application; this package treats it
	// as an opaque string.
	TenantClaim string `env:"TENANT_CLAIM"`
}

Config holds the OIDC configuration read from environment variables.

type Params

type Params struct {
	fx.In
	fx.Lifecycle

	Logs          *zap.Logger
	Config        Config
	ScopeResolver ScopeResolver
	Clock         jwt.Clock `optional:"true"`
}

Params holds the dependencies for constructing AccessControl.

type Result

type Result struct {
	fx.Out

	AccessControl *AccessControl
}

Result holds the components produced by this module.

func New

func New(params Params) (Result, error)

New constructs a new AccessControl and registers its lifecycle hooks.

type ScopeResolver

type ScopeResolver interface {
	RequiredScope(procedure string) (string, error)
}

ScopeResolver resolves the required scope for a ConnectRPC procedure.
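The following Go program is an added, stand-alone example (not code from the stdgo project) of the scope-resolution and permission-checking step that the documentation says Wrap performs and that TestProvide keeps running even though JWT validation is skipped. It declares local copies of the Claims struct and the ScopeResolver interface exactly as documented on this page so that it builds with only the standard library, and it supplies a static map-based resolver as an assumed alternative to ProtoExtensionScope. The names StaticScopeResolver, Authorize, ScopeMiddleware and Call, the context-stamping helpers stampClaims/claimsFrom, and the procedure names and claims are all constructed for this illustration and are not the package's API. The resolver fails closed: a procedure with no scope mapping is rejected rather than passed through.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Claims and ScopeResolver are local copies of the types documented for
// stdcrpcauthfx, declared here so this file builds without the module.
type Claims struct {
	Subject  string
	Scopes   []string
	TenantID string
}

type ScopeResolver interface {
	RequiredScope(procedure string) (string, error)
}

// StaticScopeResolver (constructed for this example) maps ConnectRPC procedure
// names to the scope they require; ProtoExtensionScope derives the same kind
// of mapping from protobuf method options instead.
type StaticScopeResolver map[string]string

// ErrUnknownProcedure turns an unmapped procedure into an error so the caller
// fails closed instead of treating the procedure as public.
var ErrUnknownProcedure = errors.New("no scope configured for procedure")

func (r StaticScopeResolver) RequiredScope(procedure string) (string, error) {
	if scope, ok := r[procedure]; ok {
		return scope, nil
	}
	return "", fmt.Errorf("%w: %s", ErrUnknownProcedure, procedure)
}

// stampClaims/claimsFrom are stand-ins for the package's WithTestClaims and
// ClaimsFromContext, present only so the middleware can be driven here.
type claimsKey struct{}

func stampClaims(ctx context.Context, c Claims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

func claimsFrom(ctx context.Context) (Claims, bool) {
	c, ok := ctx.Value(claimsKey{}).(Claims)
	return c, ok
}

// Authorize returns the HTTP status for a call: 401 with no claims on the
// context, 403 when the required scope is missing, 500 (still denied) when the
// procedure has no mapping, and 200 when the scope is held.
func Authorize(r ScopeResolver, c Claims, present bool, procedure string) (int, error) {
	if !present {
		return http.StatusUnauthorized, errors.New("no claims on context")
	}
	need, err := r.RequiredScope(procedure)
	if err != nil {
		return http.StatusInternalServerError, err
	}
	for _, s := range c.Scopes {
		if s == need {
			return http.StatusOK, nil
		}
	}
	return http.StatusForbidden, fmt.Errorf("missing scope %q", need)
}

// ScopeMiddleware mirrors the authz half of Wrap: ConnectRPC uses the procedure
// name as the URL path, so the path selects the scope to enforce.
func ScopeMiddleware(r ScopeResolver, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		c, ok := claimsFrom(req.Context())
		if status, err := Authorize(r, c, ok, req.URL.Path); err != nil {
			http.Error(w, err.Error(), status)
			return
		}
		next.ServeHTTP(w, req)
	})
}

// Call sends an in-memory request through h (stamping claims first when given)
// and returns the response status, so no listener is needed.
func Call(h http.Handler, procedure string, c *Claims) int {
	req := httptest.NewRequest(http.MethodPost, procedure, nil)
	if c != nil {
		req = req.WithContext(stampClaims(req.Context(), *c))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	resolver := StaticScopeResolver{ // constructed sample mapping
		"/example.v1.ProjectService/ListProjects":  "projects:read",
		"/example.v1.ProjectService/DeleteProject": "projects:write",
	}
	h := ScopeMiddleware(resolver, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	reader := Claims{Subject: "user-1", Scopes: []string{"projects:read"}, TenantID: "org_123"}
	fmt.Println(Call(h, "/example.v1.ProjectService/ListProjects", &reader))  // 200
	fmt.Println(Call(h, "/example.v1.ProjectService/DeleteProject", &reader)) // 403
	fmt.Println(Call(h, "/example.v1.ProjectService/ListProjects", nil))      // 401
	fmt.Println(Call(h, "/example.v1.ProjectService/Unmapped", &reader))      // 500
}
```

In a real test fx.App the claims would be placed on the request context with WithTestClaims and read by the package's own middleware; the local stampClaims helper is not interchangeable with it. The design point to carry over is the unmapped-procedure branch: a resolver that silently returns an empty scope would make any procedure missing from the mapping callable by every authenticated caller.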

Directories

Path    Synopsis
crpcauthtesting    Package crpcauthtesting provides test helpers for stdcrpcauthfx that use real JWT signing and validation.
internal
v1
stdcrpcauthtemporalfx    Package stdcrpcauthtemporalfx propagates the stdcrpcauthfx.Claims stamped on an RPC ctx (most importantly the per-request tenant identity) across the Temporal client → workflow → activity boundary.
