authn

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package authn provides transport middleware for Kernel authentication.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BearerExtractor

func BearerExtractor(h transport.Header) (rootauthn.Credential, bool)

BearerExtractor extracts an Authorization: Bearer <token> credential.

func Server

func Server(opts ...Option) middleware.Middleware

Server authenticates the caller and stores the normalized principal in both authn and contextx contexts so old and new Kernel packages see the same identity.

func TrustedHeaderExtractor added in v0.2.4

func TrustedHeaderExtractor(h transport.Header) (rootauthn.Credential, bool)

TrustedHeaderExtractor extracts Gateway-verified identity headers. It is for internal services running in gateway_trusted mode; external traffic must never be allowed to set these headers directly.

Types

type CredentialExtractor

type CredentialExtractor func(transport.Header) (rootauthn.Credential, bool)

CredentialExtractor extracts an authn credential from transport headers.

func GatewayTrustedExtractor added in v0.2.4

func GatewayTrustedExtractor(internalTokenHeader string) CredentialExtractor

GatewayTrustedExtractor extracts both Gateway-injected Principal headers and the optional Gateway-to-backend internal token header. The authenticator decides whether the internal token is required.

func HeaderExtractor

func HeaderExtractor(headerName, scheme string) CredentialExtractor

HeaderExtractor extracts a token directly from a named header. It is useful for dev-token, API-key and mTLS adapter tests where the upstream identity has already been verified.

func HybridBearerOrGatewayTrustedExtractor added in v0.2.4

func HybridBearerOrGatewayTrustedExtractor(internalTokenHeader string) CredentialExtractor

HybridBearerOrGatewayTrustedExtractor extracts a bearer JWT when present; otherwise it falls back to Gateway trusted Principal headers. This is intended for migration/testing. Prefer a strict single mode in production.

type Option

type Option func(*options)

Option configures Server.

func WithAllowAnonymous

func WithAllowAnonymous(allow bool) Option

WithAllowAnonymous lets unauthenticated requests continue as anonymous.

func WithAuthenticator

func WithAuthenticator(a rootauthn.Authenticator) Option

WithAuthenticator configures the authenticator used by Server.

func WithCredentialExtractor

func WithCredentialExtractor(extractor CredentialExtractor) Option

WithCredentialExtractor configures how credentials are extracted.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL