stdcrpcauthfx

package

v0.0.231 Latest Latest Go to latest Published: May 18, 2026 License: MIT Imports: 18 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/advdv/stdgo

Links

Open Source Insights

Documentation ¶

Overview ¶

Package stdcrpcauthfx provides ConnectRPC authentication and authorization via OIDC/JWKS.

Index ¶

func ProtoExtensionScope(ext protoreflect.ExtensionType) fx.Option
func Provide() fx.Option
func ProvideTenantIDResolver() fx.Option
func TestProvide() fx.Option
func WithTestClaims(ctx context.Context, c Claims) context.Context
type AccessControl
type Claims
- func ClaimsFromContext(ctx context.Context) Claims
type Config
type Params
type Result
- func New(params Params) (Result, error)
type ScopeResolver

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ProtoExtensionScope ¶

func ProtoExtensionScope(ext protoreflect.ExtensionType) fx.Option

ProtoExtensionScope returns an fx.Option that provides a ScopeResolver backed by the given protobuf method option extension type.

func Provide ¶

func Provide() fx.Option

Provide returns an fx.Option that wires the stdauth module with config from the environment. Like the other stdgo fx modules it reads its configuration from environment variables prefixed with STDCRPCAUTH_ (e.g. STDCRPCAUTH_TOKEN_ISSUER, STDCRPCAUTH_TOKEN_AUDIENCE, STDCRPCAUTH_TENANT_CLAIM).

func ProvideTenantIDResolver ¶ added in v0.0.230

func ProvideTenantIDResolver() fx.Option

ProvideTenantIDResolver returns an fx.Option that wires a stdcrpcenttenancyfx.TenantIDResolver backed by the JWT TenantID claim stamped on ctx by this package's authn middleware (see [Claims.TenantID] / ClaimsFromContext).

Bundled here as a one-line convenience so composition roots that combine stdcrpcauthfx with stdcrpcenttenancyfx do not need to write the boilerplate closure that adapts ClaimsFromContext to the stdcrpcenttenancyfx.TenantIDResolver interface themselves.

Usage:

fx.Options(
    stdcrpcauthfx.Provide(),
    stdcrpcenttenancyfx.Provide(),
    stdcrpcauthfx.ProvideTenantIDResolver(),
)

func TestProvide ¶ added in v0.0.218

func TestProvide() fx.Option

TestProvide provides the package's components as an fx module with a configuration for testing. It replaces Provide() in test fx.App setups, skipping JWT/JWKS validation entirely. Claims are read from the request context via WithTestClaims. The real Wrap() code path (scope resolution, permission checking) still runs.

func WithTestClaims ¶ added in v0.0.218

func WithTestClaims(ctx context.Context, c Claims) context.Context

WithTestClaims attaches Claims to the context for use with TestProvide. Each request can carry its own claims via its context.

Types ¶

type AccessControl ¶

type AccessControl struct {
	// contains filtered or unexported fields
}

AccessControl holds all auth state: JWKS cache, config, and the authn middleware.

func (*AccessControl) Start ¶

func (ac *AccessControl) Start(ctx context.Context) (err error)

Start initializes the JWKS cache and fetches the initial key set.

func (*AccessControl) Stop ¶

func (ac *AccessControl) Stop(_ context.Context) error

Stop cancels the JWKS cache background refresh.

func (*AccessControl) Wrap ¶

func (ac *AccessControl) Wrap(handler http.Handler) http.Handler

Wrap returns an HTTP handler that authenticates and authorizes requests.

type Claims ¶

type Claims struct {
	Subject string
	Scopes  []string
	// TenantID is the opaque tenant identifier read from the JWT claim path
	// configured via Config.TenantClaim. It is empty when TenantClaim is not
	// configured or the token does not carry the configured claim. The value
	// is treated as opaque by this package; the consuming application owns
	// its semantics (Auth0 org_id, Cognito custom:tenant, etc).
	TenantID string
}

Claims holds the authentication information extracted from a JWT.

func ClaimsFromContext ¶

func ClaimsFromContext(ctx context.Context) Claims

ClaimsFromContext retrieves the claims stored by the auth middleware.

type Config ¶

type Config struct {
	TokenIssuer   string `env:"TOKEN_ISSUER,required"`
	TokenAudience string `env:"TOKEN_AUDIENCE,required"`
	// TenantClaim is the JWT claim path from which to read an opaque tenant
	// identifier (e.g. "https://example.com/org_id" for an Auth0 namespaced
	// custom claim, or "tenant_id" for a flat claim). When empty, no tenant
	// is extracted and Claims.TenantID is left blank. The semantics of the
	// value are owned by the consuming application; this package treats it
	// as an opaque string.
	TenantClaim string `env:"TENANT_CLAIM"`
}

Config holds the OIDC configuration read from environment variables.

type Params ¶

type Params struct {
	fx.In
	fx.Lifecycle

	Logs          *zap.Logger
	Config        Config
	ScopeResolver ScopeResolver
	Clock         jwt.Clock `optional:"true"`
}

Params holds the dependencies for constructing AccessControl.

type Result ¶

type Result struct {
	fx.Out

	AccessControl *AccessControl
}

Result holds the components produced by this module.

func New ¶

func New(params Params) (Result, error)

New constructs a new AccessControl and registers its lifecycle hooks.

type ScopeResolver ¶

type ScopeResolver interface {
	RequiredScope(procedure string) (string, error)
}

ScopeResolver resolves the required scope for a ConnectRPC procedure.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
crpcauthtesting Package crpcauthtesting provides test helpers for stdcrpcauthfx that use real JWT signing and validation.	Package crpcauthtesting provides test helpers for stdcrpcauthfx that use real JWT signing and validation.
internal
v1

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL