Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ProtectedResourceHandler ¶
ProtectedResourceHandler returns an http.Handler that serves the metadata document for an OIDC-protected MCP resource. The endpoint MUST be unauthenticated per RFC 9728 §3.
Returns nil when the supplied config has no resource URI configured — callers should not mount the endpoint in that case.
func WithPrincipal ¶
WithPrincipal attaches p to ctx so downstream handlers (enforcement, rate limiters, audit, tools) can read the authenticated identity.
func WriteUnauthorized ¶
func WriteUnauthorized(w http.ResponseWriter, errCode, errDesc string)
WriteUnauthorized emits an HTTP 401 with a WWW-Authenticate header in RFC 6750 §3 form. errCode and errDesc become the `error` and `error_description` parameters; pass empty strings to omit them. The realm is fixed to "clockify-mcp" to match the metadata document.
Types ¶
type Authenticator ¶
func New ¶
func New(cfg Config) (Authenticator, error)
type Config ¶
type Config struct {
Mode Mode
BearerToken string
DefaultTenantID string
TenantClaim string
SubjectClaim string
OIDCIssuer string
OIDCAudience string
OIDCJWKSURL string
OIDCJWKSPath string
ForwardTenantHeader string
ForwardSubjectHeader string
MTLSTenantHeader string
// OIDCResourceURI is the canonical resource URI this server represents
// per RFC 8707 (OAuth 2.0 Resource Indicators) and the MCP OAuth 2.1
// profile. When set, every OIDC token must list this URI in its `aud`
// claim — token-binding to the protected resource. Empty disables the
// extra check (back-compat with the simple OIDCAudience match).
OIDCResourceURI string
// HTTPClient overrides the JWKS fetcher's transport. Tests inject
// httptest-backed clients here; production code leaves it nil and
// uses http.DefaultClient.
HTTPClient *http.Client
}
type Principal ¶
type ProtectedResourceMetadata ¶
type ProtectedResourceMetadata struct {
Resource string `json:"resource"`
AuthorizationServers []string `json:"authorization_servers,omitempty"`
BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
ResourceName string `json:"resource_name,omitempty"`
}
ProtectedResourceMetadata is the body served at /.well-known/oauth-protected-resource per the MCP OAuth 2.1 profile (RFC 9728). Clients fetch this document unauthenticated to discover which authorization server issues tokens for the resource and which bearer methods the resource accepts.