Documentation
Index
- Variables
- func AuthorizationMiddleware(cfgState *config.StaticConfigState, oauthState *oauth.State) func(http.Handler) http.Handler
- func MaxBodyMiddleware(cfgState *config.StaticConfigState) func(http.Handler) http.Handler
- func RequestMiddleware(cfgState *config.StaticConfigState) func(http.Handler) http.Handler
- func Serve(ctx context.Context, mcpServer *mcp.Server, cfgState *config.StaticConfigState, ...) error
- func WellKnownHandler(cfgState *config.StaticConfigState, oauthState *oauth.State) http.Handler
- func WellKnownHandlerWithGenerator(cfgState *config.StaticConfigState, oauthState *oauth.State, ...) http.Handler
- type DefaultMetadataGenerator
- type JWTClaims
- type Middleware
- type WellKnown
- type WellKnownMetadataGenerator
Constants
This section is empty.
Variables
var WellKnownEndpoints = []string{
    oauthAuthorizationServerEndpoint,
    oauthProtectedResourceEndpoint,
    openIDConfigurationEndpoint,
}
Functions
func AuthorizationMiddleware
func AuthorizationMiddleware(cfgState *config.StaticConfigState, oauthState *oauth.State) func(http.Handler) http.Handler
AuthorizationMiddleware validates the OAuth flow for protected resources.
The flow is skipped for unprotected resources, such as health checks and well-known endpoints.
There are several auth scenarios supported by this middleware:
1. requireOAuth is false:
- The OAuth flow is skipped, and the server is effectively unprotected.
- The request is passed to the next handler without any validation.
see TestAuthorizationRequireOAuthFalse
2. requireOAuth is set to true, server is protected:
2.1. Raw Token Validation (oidcProvider is nil, SkipJWTVerification is true):
- Requires skip_jwt_verification=true; otherwise the request is rejected with 500.
- The token is validated offline for basic sanity checks (expiration).
- If OAuthAudience is set, the token is validated against the audience.
- No cryptographic signature verification is performed.
see TestAuthorizationRawToken
2.2. OIDC Provider Validation (oidcProvider is not nil):
- The token is validated offline for basic sanity checks (audience and expiration).
- If OAuthAudience is set, the token is validated against the audience.
- The token is then validated against the OIDC Provider.
see TestAuthorizationOidcToken
func MaxBodyMiddleware added in v0.0.61
func MaxBodyMiddleware(cfgState *config.StaticConfigState) func(http.Handler) http.Handler
MaxBodyMiddleware limits the size of incoming request bodies. It wraps the request body with http.MaxBytesReader to enforce the limit. Requests exceeding the limit receive a 413 Request Entity Too Large response. The max_body_bytes limit is read per request from cfgState so SIGHUP-reloaded values take effect immediately.
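An added example of the behaviour described above, written for this page and not taken from the package: the limit lives in an atomic so a SIGHUP handler can replace it, the middleware reads it on every request, and the handler maps the *http.MaxBytesError that the wrapped body returns to a 413. ReloadableLimit, echoHandler and the "0 disables the check" convention are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// ReloadableLimit holds max_body_bytes. Set is what a SIGHUP handler would call after
// re-reading the config; Get is called on every request, so the new value applies to
// the very next request without a restart. (Assumed type, not the package's own.)
type ReloadableLimit struct{ bytes atomic.Int64 }

func (l *ReloadableLimit) Set(n int64) { l.bytes.Store(n) }
func (l *ReloadableLimit) Get() int64  { return l.bytes.Load() }

// MaxBodyMiddleware wraps the body in http.MaxBytesReader. A limit of 0 disables the
// check (an assumption for this example). The reader, not the middleware, fails the
// request: once more than n bytes have been read, Read returns *http.MaxBytesError.
func MaxBodyMiddleware(limit *ReloadableLimit) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if n := limit.Get(); n > 0 && r.Body != nil {
				r.Body = http.MaxBytesReader(w, r.Body, n)
			}
			next.ServeHTTP(w, r)
		})
	}
}

// echoHandler reads the whole body and maps the size error to 413, which is where
// the limit becomes visible to the client.
func echoHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	switch {
	case errors.As(err, &tooBig):
		http.Error(w, fmt.Sprintf("request body exceeds %d bytes", tooBig.Limit), http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "could not read request body", http.StatusBadRequest)
	default:
		w.Write(body)
	}
}

// postStatus sends one body through a fresh chain configured with limitBytes.
func postStatus(limitBytes int64, body string) int {
	limit := &ReloadableLimit{}
	limit.Set(limitBytes)
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/mcp", strings.NewReader(body))
	MaxBodyMiddleware(limit)(http.HandlerFunc(echoHandler)).ServeHTTP(rec, req)
	return rec.Code
}

// statusAfterReload sends the same 16-byte body twice through one chain, raising the
// limit in between, to show that the per-request read picks up the reloaded value.
func statusAfterReload() (before, after int) {
	limit := &ReloadableLimit{}
	chain := MaxBodyMiddleware(limit)(http.HandlerFunc(echoHandler))
	send := func() int {
		rec := httptest.NewRecorder()
		chain.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/mcp", strings.NewReader("0123456789abcdef")))
		return rec.Code
	}
	limit.Set(8)
	before = send()
	limit.Set(32) // what a SIGHUP reload would do
	after = send()
	return before, after
}

func main() {
	fmt.Println(postStatus(5, "12345"), postStatus(5, "123456")) // 200 413
	fmt.Println(statusAfterReload())                             // 413 200
}
```

Note that MaxBytesReader allows exactly n bytes and fails on the first byte beyond it, and that the enforcement point is wherever the body is actually read; a handler that never reads the body never sees the error.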
func RequestMiddleware
func RequestMiddleware(cfgState *config.StaticConfigState) func(http.Handler) http.Handler
RequestMiddleware creates OpenTelemetry spans for HTTP requests. The trust_proxy_headers config flag is read per request from cfgState so SIGHUP-reloaded values take effect immediately. When enabled, X-Forwarded-* and X-Real-IP headers are used for client IP and scheme detection. Only enable when behind a trusted reverse proxy.
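The trust decision described above, as an added example that is not the package's code: client IP and scheme are derived from the TCP peer unless trust_proxy_headers is on, in which case X-Forwarded-For (first hop), X-Real-IP and X-Forwarded-Proto override them. The example carries the result in the request context instead of span attributes so that it runs without an OpenTelemetry dependency; ClientInfo, clientInfo and observe are names assumed for the example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ClientInfo is what the span attributes (client address and URL scheme) are built from.
type ClientInfo struct {
	IP     string
	Scheme string
}

type ctxKey struct{}

// clientInfo derives the client IP and scheme. X-Forwarded-* and X-Real-IP are honoured
// only when trustProxyHeaders is true: any caller can set them, so without a trusted
// reverse proxy in front they let the client choose the address that ends up in traces.
func clientInfo(r *http.Request, trustProxyHeaders bool) ClientInfo {
	info := ClientInfo{IP: remoteIP(r.RemoteAddr), Scheme: "http"}
	if r.TLS != nil {
		info.Scheme = "https"
	}
	if !trustProxyHeaders {
		return info
	}
	// X-Forwarded-For lists the original client first, then each proxy that appended to it.
	candidate := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0])
	if candidate == "" {
		candidate = strings.TrimSpace(r.Header.Get("X-Real-IP"))
	}
	if ip := net.ParseIP(candidate); ip != nil { // malformed values fall back to RemoteAddr
		info.IP = ip.String()
	}
	if proto := strings.ToLower(r.Header.Get("X-Forwarded-Proto")); proto == "http" || proto == "https" {
		info.Scheme = proto
	}
	return info
}

func remoteIP(addr string) string {
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

// RequestMiddleware reads the trust flag on every request, so a value reloaded on
// SIGHUP applies immediately. A real implementation would record the result as span
// attributes; here it travels in the request context so handlers and tests can see it.
func RequestMiddleware(trustProxyHeaders func() bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			info := clientInfo(r, trustProxyHeaders())
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, info)))
		})
	}
}

// observe runs one request through the middleware and returns what the handler saw.
// httptest.NewRequest sets RemoteAddr to 192.0.2.1:1234, standing in for the TCP peer.
func observe(trust bool, headers map[string]string) ClientInfo {
	var seen ClientInfo
	h := RequestMiddleware(func() bool { return trust })(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Context().Value(ctxKey{}).(ClientInfo)
	}))
	req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Constructed headers a client could send directly when no proxy is in front.
	claimed := map[string]string{"X-Forwarded-For": "203.0.113.9, 10.0.0.2", "X-Forwarded-Proto": "https"}
	fmt.Println(observe(false, claimed)) // {192.0.2.1 http}: headers ignored
	fmt.Println(observe(true, claimed))  // {203.0.113.9 https}: headers trusted
}
```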
func WellKnownHandler added in v0.0.49
func WellKnownHandler(cfgState *config.StaticConfigState, oauthState *oauth.State) http.Handler
func WellKnownHandlerWithGenerator added in v0.0.61
func WellKnownHandlerWithGenerator(cfgState *config.StaticConfigState, oauthState *oauth.State, generator WellKnownMetadataGenerator) http.Handler
WellKnownHandlerWithGenerator creates a WellKnown handler with a custom metadata generator. This allows customizing how metadata is generated for different OIDC providers.
Types
type DefaultMetadataGenerator added in v0.0.61
type DefaultMetadataGenerator struct{}
DefaultMetadataGenerator provides standard metadata generation for OIDC providers that only implement openid-configuration (for example Entra ID or Auth0).
func (*DefaultMetadataGenerator) GenerateAuthorizationServerMetadata added in v0.0.61
func (g *DefaultMetadataGenerator) GenerateAuthorizationServerMetadata(oidcConfig map[string]interface{}) map[string]interface{}
GenerateAuthorizationServerMetadata returns the openid-configuration as-is, since it contains the required OAuth 2.0 Authorization Server Metadata fields.
func (*DefaultMetadataGenerator) GenerateProtectedResourceMetadata added in v0.0.61
func (g *DefaultMetadataGenerator) GenerateProtectedResourceMetadata(oidcConfig map[string]interface{}, authorizationServerURL string) map[string]interface{}
GenerateProtectedResourceMetadata generates RFC 9728 compliant metadata for the MCP server acting as an OAuth 2.0 protected resource.
type JWTClaims
func ParseJWTClaims
func (*JWTClaims) ValidateOffline added in v0.0.49
ValidateOffline checks whether the JWT claims are valid and whether the audience matches the expected one.
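One added example serves both the scenario list under AuthorizationMiddleware and the ValidateOffline check described here; it is written for this page and is not the package's code. The config field names, the verify function standing in for the OIDC provider (nil means none is configured), the exempt paths /healthz and /.well-known/, and the 401 for rejected tokens are assumptions of the example; the page itself only fixes the 500 for the misconfigured scenario 2.1.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// AuthConfig carries the settings the scenarios turn on (field names are assumed):
// RequireOAuth (scenario 1 when false), SkipJWTVerification (2.1), Audience (OAuthAudience).
type AuthConfig struct {
	RequireOAuth, SkipJWTVerification bool
	Audience                          string
}

// Claims is the subset of JWT claims the offline check needs; aud may be a string
// or an array of strings (RFC 7519), so it is decoded as any.
type Claims struct {
	Exp int64 `json:"exp"`
	Aud any   `json:"aud"`
}

// parseClaims decodes the payload without checking the signature, which is all
// scenario 2.1 ever does; that is why that mode has to be opted into explicitly.
func parseClaims(raw string) (c Claims, err error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return c, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	return c, err
}

// ValidateOffline rejects expired tokens and, when expectedAud is set, tokens whose
// aud claim does not contain it.
func (c Claims) ValidateOffline(expectedAud string, now time.Time) error {
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token is expired or has no exp claim")
	}
	if expectedAud == "" {
		return nil
	}
	auds, _ := c.Aud.([]any)
	if s, ok := c.Aud.(string); ok {
		auds = []any{s}
	}
	for _, a := range auds {
		if a == expectedAud {
			return nil
		}
	}
	return fmt.Errorf("token audience does not include %q", expectedAud)
}

// AuthorizationMiddleware reads the config on every request so reloaded values apply.
// verify stands in for the OIDC provider of scenario 2.2; nil means none is configured.
func AuthorizationMiddleware(cfg func() AuthConfig, verify func(rawToken string) error) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			c := cfg()
			if !c.RequireOAuth || r.URL.Path == "/healthz" || strings.HasPrefix(r.URL.Path, "/.well-known/") {
				next.ServeHTTP(w, r) // scenario 1 and the exempt paths (assumed names): no validation
				return
			}
			if verify == nil && !c.SkipJWTVerification { // scenario 2.1 precondition
				http.Error(w, "no OIDC provider and skip_jwt_verification is false", http.StatusInternalServerError)
				return
			}
			raw, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
			if !ok || raw == "" {
				http.Error(w, "missing bearer token", http.StatusUnauthorized)
				return
			}
			claims, err := parseClaims(raw)
			if err == nil {
				err = claims.ValidateOffline(c.Audience, time.Now()) // cheap checks before any network call
			}
			if err == nil && verify != nil {
				err = verify(raw) // scenario 2.2: signature and issuer checked with the provider
			}
			if err != nil {
				http.Error(w, err.Error(), http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// unsignedToken builds a constructed fixture with an empty signature part: the kind
// of token scenario 2.1 accepts and a provider in scenario 2.2 rejects.
func unsignedToken(claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}
```

The ordering matters for cost as well as correctness: the offline checks run first in both protected scenarios, so an expired or mis-audienced token is rejected before the provider is consulted, and in scenario 2.1 they are the only checks that ever run.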
type Middleware added in v0.0.62
Middleware decorates an http.Handler. It is the shape returned by RequestMiddleware, AuthorizationMiddleware, and MaxBodyMiddleware so they can be composed via chain.
type WellKnown added in v0.0.49
type WellKnown struct {
    // contains filtered or unexported fields
}
type WellKnownMetadataGenerator added in v0.0.61
type WellKnownMetadataGenerator interface {
    // GenerateAuthorizationServerMetadata generates oauth-authorization-server metadata
    // from the openid-configuration. Returns nil if generation is not possible.
    GenerateAuthorizationServerMetadata(oidcConfig map[string]interface{}) map[string]interface{}
    // GenerateProtectedResourceMetadata generates oauth-protected-resource metadata (RFC 9728)
    // for the MCP server. authorizationServerURL is where OAuth metadata can be fetched.
    GenerateProtectedResourceMetadata(oidcConfig map[string]interface{}, authorizationServerURL string) map[string]interface{}
}
WellKnownMetadataGenerator generates well-known metadata when the upstream authorization server doesn't provide certain endpoints. This allows supporting OIDC providers that only implement openid-configuration.
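An added example of the generator contract and the DefaultMetadataGenerator behaviour described above, serving both the Types entries and this interface; it is written for this page and is not the package's code. The three endpoint paths are assumed to be the standard well-known locations (the package's constants are unexported), the generator holds the MCP server's resource URL in a field because the page does not say where the empty DefaultMetadataGenerator obtains it, and the openid-configuration document is constructed for a fictional tenant.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// The three endpoint paths behind WellKnownEndpoints (assumed standard locations).
const (
	oauthAuthorizationServerEndpoint = "/.well-known/oauth-authorization-server"
	oauthProtectedResourceEndpoint   = "/.well-known/oauth-protected-resource"
	openIDConfigurationEndpoint      = "/.well-known/openid-configuration"
)

var WellKnownEndpoints = []string{oauthAuthorizationServerEndpoint, oauthProtectedResourceEndpoint, openIDConfigurationEndpoint}

type WellKnownMetadataGenerator interface {
	GenerateAuthorizationServerMetadata(oidcConfig map[string]interface{}) map[string]interface{}
	GenerateProtectedResourceMetadata(oidcConfig map[string]interface{}, authorizationServerURL string) map[string]interface{}
}

// passthroughGenerator follows the DefaultMetadataGenerator description: the upstream
// openid-configuration doubles as authorization-server metadata, and the protected
// resource document is built from it. Resource is the MCP server's own URL; holding
// it in a field is an assumption of this example.
type passthroughGenerator struct{ Resource string }

func (passthroughGenerator) GenerateAuthorizationServerMetadata(oidcConfig map[string]interface{}) map[string]interface{} {
	if oidcConfig["issuer"] == nil {
		return nil // nothing usable upstream; the handler answers 404
	}
	return oidcConfig // issuer, authorization_endpoint, token_endpoint and jwks_uri are already there
}

func (g passthroughGenerator) GenerateProtectedResourceMetadata(oidcConfig map[string]interface{}, authorizationServerURL string) map[string]interface{} {
	md := map[string]interface{}{
		"resource":                 g.Resource,                       // RFC 9728 required field
		"authorization_servers":    []string{authorizationServerURL}, // where clients fetch the AS metadata
		"bearer_methods_supported": []string{"header"},               // tokens only in the Authorization header
	}
	if scopes, ok := oidcConfig["scopes_supported"]; ok {
		md["scopes_supported"] = scopes
	}
	return md
}

// WellKnownHandler serves the three documents; a nil result from the generator is a 404.
func WellKnownHandler(oidcConfig map[string]interface{}, authorizationServerURL string, g WellKnownMetadataGenerator) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var body map[string]interface{}
		switch r.URL.Path {
		case openIDConfigurationEndpoint:
			body = oidcConfig
		case oauthAuthorizationServerEndpoint:
			body = g.GenerateAuthorizationServerMetadata(oidcConfig)
		case oauthProtectedResourceEndpoint:
			body = g.GenerateProtectedResourceMetadata(oidcConfig, authorizationServerURL)
		}
		if body == nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(body)
	})
}

// sampleOIDCConfig is a constructed openid-configuration for a fictional tenant.
var sampleOIDCConfig = map[string]interface{}{
	"issuer":                 "https://login.example.test/tenant",
	"authorization_endpoint": "https://login.example.test/tenant/authorize",
	"token_endpoint":         "https://login.example.test/tenant/token",
	"jwks_uri":               "https://login.example.test/tenant/keys",
	"scopes_supported":       []string{"openid", "profile"},
}

// fetch issues a GET against the handler and decodes the JSON body (nil on 404).
func fetch(h http.Handler, path string) (int, map[string]interface{}) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	var body map[string]interface{}
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body
}

func main() {
	h := WellKnownHandler(sampleOIDCConfig, "https://login.example.test/tenant", passthroughGenerator{Resource: "https://mcp.example.test"})
	for _, p := range WellKnownEndpoints {
		code, body := fetch(h, p)
		fmt.Println(p, code, body["issuer"], body["resource"])
	}
}
```

Clients that follow RFC 9728 read the protected-resource document first, take authorization_servers from it, and only then fetch the authorization-server metadata; that is why the fallback to openid-configuration is what lets providers without an oauth-authorization-server document work at all.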