Documentation
¶
Overview ¶
Package authn provides transport middleware for Kernel authentication.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BearerExtractor ¶
func BearerExtractor(h transport.Header) (rootauthn.Credential, bool)
BearerExtractor extracts an Authorization: Bearer <token> credential.
func Server ¶
func Server(opts ...Option) middleware.Middleware
Server authenticates the caller and stores the normalized principal in both authn and contextx contexts so old and new Kernel packages see the same identity.
func TrustedHeaderExtractor ¶ added in v0.2.4
func TrustedHeaderExtractor(h transport.Header) (rootauthn.Credential, bool)
TrustedHeaderExtractor extracts Gateway-verified identity headers. It is for internal services running in gateway_trusted mode; external traffic must never be allowed to set these headers directly.
Types ¶
type CredentialExtractor ¶
type CredentialExtractor func(transport.Header) (rootauthn.Credential, bool)
CredentialExtractor extracts an authn credential from transport headers.
func GatewayTrustedExtractor ¶ added in v0.2.4
func GatewayTrustedExtractor(internalTokenHeader string) CredentialExtractor
GatewayTrustedExtractor extracts both Gateway-injected Principal headers and the optional Gateway-to-backend internal token header. The authenticator decides whether the internal token is required.
func HeaderExtractor ¶
func HeaderExtractor(headerName, scheme string) CredentialExtractor
HeaderExtractor extracts a token directly from a named header. It is useful for dev-token, API-key and mTLS adapter tests where the upstream identity has already been verified.
func HybridBearerOrGatewayTrustedExtractor ¶ added in v0.2.4
func HybridBearerOrGatewayTrustedExtractor(internalTokenHeader string) CredentialExtractor
HybridBearerOrGatewayTrustedExtractor extracts a bearer JWT when present; otherwise it falls back to Gateway trusted Principal headers. This is intended for migration/testing. Prefer a strict single mode in production.
type Option ¶
type Option func(*options)
Option configures Server.
func WithAllowAnonymous ¶
WithAllowAnonymous lets unauthenticated requests continue as anonymous.
func WithAuthenticator ¶
func WithAuthenticator(a rootauthn.Authenticator) Option
WithAuthenticator configures the authenticator used by Server.
func WithCredentialExtractor ¶
func WithCredentialExtractor(extractor CredentialExtractor) Option
WithCredentialExtractor configures how credentials are extracted.