http

package
v0.0.55 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 3, 2025 License: Apache-2.0 Imports: 24 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var WellKnownEndpoints = []string{
	oauthAuthorizationServerEndpoint,
	oauthProtectedResourceEndpoint,
	openIDConfigurationEndpoint,
}

Functions

func AuthorizationMiddleware 

func AuthorizationMiddleware(staticConfig *config.StaticConfig, oidcProvider *oidc.Provider, verifier KubernetesApiTokenVerifier, httpClient *http.Client) func(http.Handler) http.Handler

AuthorizationMiddleware validates the OAuth flow for protected resources.

The flow is skipped for unprotected resources, such as health checks and well-known endpoints. 

There are several auth scenarios supported by this middleware:

 1. requireOAuth is false:

    - The OAuth flow is skipped, and the server is effectively unprotected.
    - The request is passed to the next handler without any validation.

    see TestAuthorizationRequireOAuthFalse

 2. requireOAuth is set to true, server is protected:

    2.1. Raw Token Validation (oidcProvider is nil):
         - The token is validated offline for basic sanity checks (expiration).
         - If OAuthAudience is set, the token is validated against the audience.
         - If ValidateToken is set, the token is then used against the Kubernetes API Server for TokenReview.

         see TestAuthorizationRawToken

    2.2. OIDC Provider Validation (oidcProvider is not nil):
         - The token is validated offline for basic sanity checks (audience and expiration).
         - If OAuthAudience is set, the token is validated against the audience.
         - The token is then validated against the OIDC Provider.
         - If ValidateToken is set, the token is then used against the Kubernetes API Server for TokenReview.

         see TestAuthorizationOidcToken

    2.3. OIDC Token Exchange (oidcProvider is not nil, StsClientId and StsAudience are set):
         - The token is validated offline for basic sanity checks (audience and expiration).
         - If OAuthAudience is set, the token is validated against the audience.
         - The token is then validated against the OIDC Provider.
         - If the token is valid, an external account token exchange is performed using
           the OIDC Provider to obtain a new token with the specified audience and scopes.
         - If ValidateToken is set, the exchanged token is then used against the Kubernetes API Server for TokenReview.

         see TestAuthorizationOidcTokenExchange

func RequestMiddleware 

func RequestMiddleware(next http.Handler) http.Handler

func Serve 

func Serve(ctx context.Context, mcpServer *mcp.Server, staticConfig *config.StaticConfig, oidcProvider *oidc.Provider, httpClient *http.Client) error

func WellKnownHandler added in v0.0.49 

func WellKnownHandler(staticConfig *config.StaticConfig, httpClient *http.Client) http.Handler

Types

type JWTClaims 

type JWTClaims struct {
	jwt.Claims
	Token string `json:"-"`
	Scope string `json:"scope,omitempty"`
}

func ParseJWTClaims 

func ParseJWTClaims(token string) (*JWTClaims, error)

func (*JWTClaims) GetScopes 

func (c *JWTClaims) GetScopes() []string

func (*JWTClaims) ValidateOffline added in v0.0.49 

func (c *JWTClaims) ValidateOffline(audience string) error

ValidateOffline Checks if the JWT claims are valid and if the audience matches the expected one.

func (*JWTClaims) ValidateWithKubernetesApi added in v0.0.49 

func (c *JWTClaims) ValidateWithKubernetesApi(ctx context.Context, audience, cluster string, verifier KubernetesApiTokenVerifier) error

func (*JWTClaims) ValidateWithProvider added in v0.0.49 

func (c *JWTClaims) ValidateWithProvider(ctx context.Context, audience string, provider *oidc.Provider) error

ValidateWithProvider validates the JWT claims against the OIDC provider.

type KubernetesApiTokenVerifier added in v0.0.49 

type KubernetesApiTokenVerifier interface {
	// KubernetesApiVerifyToken TODO: clarify proper implementation
	KubernetesApiVerifyToken(ctx context.Context, cluster, token, audience string) (*authenticationapiv1.UserInfo, []string, error)
	// GetTargetParameterName returns the parameter name used for target identification in MCP requests
	GetTargetParameterName() string
}

type SecurityTokenService added in v0.0.49 

type SecurityTokenService struct {
	*oidc.Provider
	ClientId                string
	ClientSecret            string
	ExternalAccountAudience string
	ExternalAccountScopes   []string
}

func NewFromConfig added in v0.0.49 

func NewFromConfig(config *config.StaticConfig, provider *oidc.Provider) *SecurityTokenService

func (*SecurityTokenService) ExternalAccountTokenExchange added in v0.0.49 

func (sts *SecurityTokenService) ExternalAccountTokenExchange(ctx context.Context, originalToken *oauth2.Token) (*oauth2.Token, error)

func (*SecurityTokenService) IsEnabled added in v0.0.49 

func (sts *SecurityTokenService) IsEnabled() bool

type WellKnown added in v0.0.49 

type WellKnown struct {
	// contains filtered or unexported fields
}

func (WellKnown) ServeHTTP added in v0.0.49 

func (w WellKnown) ServeHTTP(writer http.ResponseWriter, request *http.Request)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.