Documentation
¶
Index ¶
- func FailureCategory(err error) string
- func ProtectedResourceHandler(cfg Config) http.Handler
- func WithPrincipal(ctx context.Context, p *Principal) context.Context
- func WriteUnauthorized(w http.ResponseWriter, errCode, errDesc string)
- type Authenticator
- type Config
- type Mode
- type Principal
- type ProtectedResourceMetadata
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FailureCategory ¶ added in v1.2.0
FailureCategory classifies an authentication error into a coarse-grained label for logs/metrics. It must never echo the raw error text to clients — callers strip details before responding (e.g. mcp.writeAuthFailure or the gRPC interceptor) and use this only for server-side observability.
The categorisation is intentionally pattern-matched against lowercased substrings of err.Error() rather than typed sentinels because authn errors are constructed via fmt.Errorf at multiple sites (oidc, mtls, forward_auth, static_bearer). Adding a new sentinel everywhere would be churn for a helper whose only consumer is structured logging.
func ProtectedResourceHandler ¶
ProtectedResourceHandler returns an http.Handler that serves the metadata document for an OIDC-protected MCP resource. The endpoint MUST be unauthenticated per RFC 9728 §3.
Returns nil when the supplied config has no resource URI configured — callers should not mount the endpoint in that case.
func WithPrincipal ¶
WithPrincipal attaches p to ctx so downstream handlers (enforcement, rate limiters, audit, tools) can read the authenticated identity.
func WriteUnauthorized ¶
func WriteUnauthorized(w http.ResponseWriter, errCode, errDesc string)
WriteUnauthorized emits an HTTP 401 with a WWW-Authenticate header in RFC 6750 §3 form. errCode and errDesc become the `error` and `error_description` parameters; pass empty strings to omit them. The realm is fixed to "clockify-mcp" to match the metadata document.
Types ¶
type Authenticator ¶
func New ¶
func New(cfg Config) (Authenticator, error)
type Config ¶
type Config struct {
Mode Mode
BearerToken string
DefaultTenantID string
TenantClaim string
SubjectClaim string
OIDCIssuer string
OIDCAudience string
OIDCJWKSURL string
OIDCJWKSPath string
ForwardTenantHeader string
ForwardSubjectHeader string
MTLSTenantHeader string
// MTLSTenantSource selects how the mtls authenticator derives the
// tenant identifier. Valid values:
// "cert" — verified client certificate only (URI SAN
// patterns clockify-mcp://tenant/<id> or
// spiffe://.../tenant/<id>, then Subject
// Organization fallback). Default; the only
// sound choice for direct native mTLS because
// a client-controlled header would let any
// authenticated client claim any tenant.
// "header" — request header (MTLSTenantHeader) only.
// Reserve for deployments where an upstream
// proxy terminates mTLS, validates it, and
// stamps the tenant header from a trusted
// source after stripping any client copy.
// "header_or_cert" — header first, then cert. Hybrid; mainly
// useful for the brief window of migrating
// from header-based to cert-based identity.
// Empty string is treated as "cert" (the safe default).
MTLSTenantSource string
// RequireMTLSTenant rejects authentication when no tenant could be
// derived from the configured source(s). Default false retains the
// historical "fall back to DefaultTenantID" behaviour for
// self-hosted single-tenant deployments.
RequireMTLSTenant bool
// OIDCResourceURI is the canonical resource URI this server represents
// per RFC 8707 (OAuth 2.0 Resource Indicators) and the MCP OAuth 2.1
// profile. When set, every OIDC token must list this URI in its `aud`
// claim — token-binding to the protected resource. Empty disables the
// extra check (back-compat with the simple OIDCAudience match).
OIDCResourceURI string
// OIDCStrict enables hosted-service-grade claim validation: tokens
// missing an `exp` claim are rejected. Config.Load enforces the
// audience/resource binding requirement at startup; this flag
// covers the per-token claim checks. Default false preserves
// self-hosted behaviour.
OIDCStrict bool
// RequireTenantClaim, when true, makes the OIDC authenticator
// reject any token whose tenant claim is empty — instead of
// quietly falling back to DefaultTenantID. Default false preserves
// self-hosted single-tenant behaviour.
RequireTenantClaim bool
// OIDCVerifyCacheTTL is the hard ceiling on cached verify results.
// Zero selects the default (oidcVerifyCacheMaxTTL); values are
// clamped to [oidcVerifyCacheMinTTL, oidcVerifyCacheTTLCeiling].
// Larger values amortise the ~54µs verify cost further, but extend
// the window after a token is revoked before the next Authenticate
// call re-checks the claims. Operators should pick this
// consciously; the default stays conservative at 60s.
OIDCVerifyCacheTTL time.Duration
// HTTPClient overrides the JWKS fetcher's transport. Tests inject
// httptest-backed clients here; production code leaves it nil and
// uses http.DefaultClient.
HTTPClient *http.Client
}
type Principal ¶
type ProtectedResourceMetadata ¶
type ProtectedResourceMetadata struct {
Resource string `json:"resource"`
AuthorizationServers []string `json:"authorization_servers,omitempty"`
BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
ResourceName string `json:"resource_name,omitempty"`
}
ProtectedResourceMetadata is the body served at /.well-known/oauth-protected-resource per the MCP OAuth 2.1 profile (RFC 9728). Clients fetch this document unauthenticated to discover which authorization server issues tokens for the resource and which bearer methods the resource accepts.