bridge

package
v0.6.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 27, 2026 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Package bridge provides cross-protocol bridging for agent-protocols.

The bridge package enables interoperability between the three authentication protocols (ID-JAG, AIMS, AAuth) by providing:

  • Canonical identity representation shared across all protocols
  • Token converters for translating between protocol-specific formats
  • Multi-protocol middleware for accepting any protocol token

Canonical Identity

All three protocols share a common set of identity fields that form the "canonical identity":

  • Issuer (iss): Entity that issued the token
  • Subject (sub): Primary identity being asserted
  • Audience (aud): Intended recipient(s)
  • IssuedAt (iat): Token creation time
  • ExpiresAt (exp): Token validity end
  • JWTID (jti): Unique identifier for replay prevention

The Identity type captures these common fields, allowing application code to work with a unified identity regardless of which protocol was used.

Token Conversion

Convert between protocol token types:

// Extract canonical identity from any token
identity, err := bridge.FromIDJAG(assertion)
identity, err := bridge.FromWIT(wit)
identity, err := bridge.FromAAuth(agentToken)

// Convert to a different protocol
assertion, err := identity.ToIDJAG(clientID)
wit, err := identity.ToWIT(spiffeID)
agentToken, err := identity.ToAAuth(cnf)

Multi-Protocol Middleware

Accept any protocol token in HTTP requests:

handler := bridge.MultiProtocolMiddleware(
	bridge.WithIDJAGVerifier(idjagVerifier),
	bridge.WithWITVerifier(witVerifier),
	bridge.WithAAuthVerifier(aauthorizer),
)(protectedHandler)

The middleware detects the protocol from request headers and extracts the canonical identity into the request context.

Protocol Detection

Protocols are detected by examining:

  • JWT typ header: oauth-id-jag+jwt, wimse-id+jwt, aa-agent+jwt
  • HTTP headers: Authorization Bearer, Workload-Identity-Token, Signature-Key

Use Cases

Common bridging scenarios:

  • Gateway accepting multiple protocols from different clients
  • Migration from one protocol to another
  • Hybrid environments with mixed protocol usage
  • Protocol translation for legacy system integration

Index

Constants

View Source
const (
	// IdentityContextKey is the context key for the canonical identity.
	IdentityContextKey contextKey = "bridge.identity"

	// ProtocolContextKey is the context key for the detected protocol.
	ProtocolContextKey contextKey = "bridge.protocol"
)
View Source
const (
	TypIDJAG = "oauth-id-jag+jwt"
	TypWIT   = "wimse-id+jwt"
	TypWPT   = "wimse-proof+jwt"
	TypAAuth = "aa-agent+jwt"
)

JWT typ header values for protocol detection.

Variables

View Source
var (
	ErrUnsupportedProtocol  = errors.New("unsupported protocol")
	ErrMissingRequiredField = errors.New("missing required field")
	ErrInvalidIdentity      = errors.New("invalid identity")
)

Common errors for bridge operations.

View Source
var (
	ErrNoToken            = errors.New("no authentication token found")
	ErrVerificationFailed = errors.New("token verification failed")
	ErrNoVerifier         = errors.New("no verifier configured for protocol")
)

Common middleware errors.

View Source
var (
	ErrInvalidJWT      = errors.New("invalid JWT format")
	ErrUnknownProtocol = errors.New("unknown protocol")
	ErrParsingFailed   = errors.New("token parsing failed")
)

Parser errors.

Functions

func IsAAuth

func IsAAuth(tokenString string) bool

IsAAuth returns true if the token is an AAuth agent token.

func IsIDJAG

func IsIDJAG(tokenString string) bool

IsIDJAG returns true if the token is an ID-JAG assertion.

func IsWIT

func IsWIT(tokenString string) bool

IsWIT returns true if the token is an AIMS WIT.

func MultiProtocolMiddleware

func MultiProtocolMiddleware(opts ...MiddlewareOption) func(http.Handler) http.Handler

MultiProtocolMiddleware creates HTTP middleware that accepts any configured protocol.

The middleware detects the protocol from request headers:

  • Authorization: Bearer <token> with typ=oauth-id-jag+jwt → ID-JAG
  • Workload-Identity-Token header → AIMS
  • Signature-Key header → AAuth

On success, the canonical Identity is stored in the request context.

Types

type AAuthVerifier

type AAuthVerifier interface {
	VerifyAgentToken(ctx context.Context, tokenString string) (*aauth.AgentToken, error)
}

AAuthVerifier verifies AAuth agent tokens.

type Actor

type Actor struct {
	// Subject is the actor's identity.
	Subject string

	// Issuer is the actor's issuer (optional).
	Issuer string

	// Actor is the nested actor for multi-level delegation.
	Actor *Actor
}

Actor represents an actor in a delegation chain (RFC 8693 act claim).

type IDJAGVerifier

type IDJAGVerifier interface {
	Verify(ctx context.Context, tokenString string) (*idjag.Assertion, error)
}

IDJAGVerifier verifies ID-JAG assertions.

type Identity

type Identity struct {
	// Protocol indicates which protocol this identity was extracted from.
	Protocol Protocol

	// Issuer is the entity that issued the token (iss claim).
	Issuer string

	// Subject is the primary identity being asserted (sub claim).
	Subject string

	// Audience is the intended recipient(s) of the token (aud claim).
	Audience []string

	// IssuedAt is when the token was created (iat claim).
	IssuedAt time.Time

	// ExpiresAt is when the token expires (exp claim).
	ExpiresAt time.Time

	// JWTID is the unique token identifier (jti claim).
	JWTID string

	// KeyBinding contains proof-of-possession key information if present.
	// This is extracted from CNF claims in AIMS and AAuth.
	KeyBinding *KeyBinding

	// Actor contains delegation chain information if present.
	// This is extracted from act claims in ID-JAG and AAuth.
	Actor *Actor

	// OriginalClaims preserves protocol-specific claims for reference.
	OriginalClaims map[string]any
}

Identity represents the canonical identity extracted from any protocol. This is the common representation that enables cross-protocol bridging.

func FromAAuth

func FromAAuth(token *aauth.AgentToken) (*Identity, error)

FromAAuth extracts a canonical identity from an AAuth agent token.

func FromIDJAG

func FromIDJAG(assertion *idjag.Assertion) (*Identity, error)

FromIDJAG extracts a canonical identity from an ID-JAG assertion.

func FromWIT

func FromWIT(wit *aims.WorkloadIdentityToken) (*Identity, error)

FromWIT extracts a canonical identity from an AIMS Workload Identity Token.

func IdentityFromContext

func IdentityFromContext(ctx context.Context) (*Identity, bool)

IdentityFromContext retrieves the canonical identity from context.

func (*Identity) HasDelegation

func (i *Identity) HasDelegation() bool

HasDelegation returns true if the identity has a delegation chain.

func (*Identity) HasKeyBinding

func (i *Identity) HasKeyBinding() bool

HasKeyBinding returns true if the identity has proof-of-possession binding.

func (*Identity) IsExpired

func (i *Identity) IsExpired() bool

IsExpired returns true if the identity has expired.

func (*Identity) SignAAuth

func (i *Identity) SignAAuth(cnf *aauth.CNF, signer crypto.Signer, keyID string) (string, error)

SignAAuth converts the identity to an AAuth agent token and signs it.

func (*Identity) SignIDJAG

func (i *Identity) SignIDJAG(clientID string, signer crypto.Signer, keyID string) (string, error)

SignIDJAG converts the identity to an ID-JAG assertion and signs it.

func (*Identity) SignWIT

func (i *Identity) SignWIT(signer crypto.Signer, keyID string) (string, error)

SignWIT converts the identity to a WIT and signs it.

func (*Identity) ToAAuth

func (i *Identity) ToAAuth(cnf *aauth.CNF) (*aauth.AgentToken, error)

ToAAuth converts the canonical identity to an AAuth agent token. The cnf parameter provides the required proof-of-possession binding.

func (*Identity) ToIDJAG

func (i *Identity) ToIDJAG(clientID string) (*idjag.Assertion, error)

ToIDJAG converts the canonical identity to an ID-JAG assertion. The clientID parameter is required for ID-JAG compliance.

func (*Identity) ToWIT

func (i *Identity) ToWIT() (*aims.WorkloadIdentityToken, error)

ToWIT converts the canonical identity to an AIMS Workload Identity Token. The identity's subject should be a valid SPIFFE ID for full AIMS compliance.

type KeyBinding

type KeyBinding struct {
	// Kid is the key identifier.
	Kid string

	// JWK is the embedded public key in JWK format.
	JWK []byte

	// JKU is the URL to fetch the JWK Set.
	JKU string

	// X5T is the X.509 certificate SHA-256 thumbprint.
	X5T string
}

KeyBinding represents proof-of-possession key binding information.

type MiddlewareConfig

type MiddlewareConfig struct {
	// IDJAGVerifier verifies ID-JAG assertions.
	IDJAGVerifier IDJAGVerifier

	// WITVerifier verifies AIMS WITs.
	WITVerifier WITVerifier

	// AAuthVerifier verifies AAuth agent tokens.
	AAuthVerifier AAuthVerifier

	// OnError is called when verification fails.
	// If nil, a 401 response is returned.
	OnError func(w http.ResponseWriter, r *http.Request, err error)

	// RequireKeyBinding requires proof-of-possession for all protocols.
	RequireKeyBinding bool

	// AllowedProtocols limits which protocols are accepted.
	// If empty, all configured protocols are allowed.
	AllowedProtocols []Protocol
}

MiddlewareConfig holds configuration for multi-protocol middleware.

type MiddlewareOption

type MiddlewareOption func(*MiddlewareConfig)

MiddlewareOption configures the middleware.

func WithAAuthVerifier

func WithAAuthVerifier(v AAuthVerifier) MiddlewareOption

WithAAuthVerifier sets the AAuth verifier.

func WithAllowedProtocols

func WithAllowedProtocols(protocols ...Protocol) MiddlewareOption

WithAllowedProtocols limits which protocols are accepted.

func WithErrorHandler

func WithErrorHandler(handler func(w http.ResponseWriter, r *http.Request, err error)) MiddlewareOption

WithErrorHandler sets a custom error handler.

func WithIDJAGVerifier

func WithIDJAGVerifier(v IDJAGVerifier) MiddlewareOption

WithIDJAGVerifier sets the ID-JAG verifier.

func WithRequireKeyBinding

func WithRequireKeyBinding() MiddlewareOption

WithRequireKeyBinding requires proof-of-possession binding.

func WithWITVerifier

func WithWITVerifier(v WITVerifier) MiddlewareOption

WithWITVerifier sets the AIMS WIT verifier.

type ParseResult

type ParseResult struct {
	// Protocol is the detected protocol.
	Protocol Protocol

	// Identity is the canonical identity extracted from the token.
	Identity *Identity

	// IDJAGAssertion is the parsed ID-JAG assertion (if Protocol == ProtocolIDJAG).
	IDJAGAssertion *idjag.Assertion

	// WIT is the parsed AIMS WIT (if Protocol == ProtocolAIMS).
	WIT *aims.WorkloadIdentityToken

	// AAuthToken is the parsed AAuth agent token (if Protocol == ProtocolAAuth).
	AAuthToken *aauth.AgentToken
}

ParseResult contains the result of parsing a token.

func MustParse

func MustParse(tokenString string) *ParseResult

MustParse is like Parse but panics on error. Use only in tests or when the token is known to be valid.

func Parse

func Parse(tokenString string) (*ParseResult, error)

Parse attempts to parse a JWT token and detect its protocol. This parses without verification - use Verify methods for secure validation.

type Protocol

type Protocol string

Protocol represents the source protocol of an identity.

const (
	// ProtocolIDJAG indicates the identity came from an ID-JAG assertion.
	ProtocolIDJAG Protocol = "id-jag"

	// ProtocolAIMS indicates the identity came from an AIMS WIT.
	ProtocolAIMS Protocol = "aims"

	// ProtocolAAuth indicates the identity came from an AAuth agent token.
	ProtocolAAuth Protocol = "aauth"

	// ProtocolUnknown indicates the protocol could not be determined.
	ProtocolUnknown Protocol = "unknown"
)

func DetectProtocol

func DetectProtocol(tokenString string) (Protocol, error)

DetectProtocol examines a JWT token and returns its protocol.

func ProtocolFromContext

func ProtocolFromContext(ctx context.Context) Protocol

ProtocolFromContext retrieves the detected protocol from context.

type WITVerifier

type WITVerifier interface {
	Verify(tokenString string) (*aims.WorkloadIdentityToken, error)
}

WITVerifier verifies AIMS Workload Identity Tokens.

Directories

Path Synopsis
Package observe provides observability integration for the bridge package using the omniobserve library.
Package observe provides observability integration for the bridge package using the omniobserve library.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL