oauth

package

v0.28.0 Latest Latest Go to latest Published: Nov 14, 2025 License: MIT Imports: 25 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/mcp-gateway

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func HelperBinaryName(credsStore string) string
func IsCEMode() bool
func NewReadWriteCredentialHelper() credentials.Helper
func RegisterProviderForLazySetup(ctx context.Context, serverName string) error
func ValidateCredsStore(credsStore string) error
type CallbackData
type CallbackServer
- func NewCallbackServer() (*CallbackServer, error)
- func (s *CallbackServer) Port() int
- func (s *CallbackServer) Shutdown(ctx context.Context) error
- func (s *CallbackServer) Start() error
- func (s *CallbackServer) URL() string
- func (s *CallbackServer) Wait(ctx context.Context) (code string, state string, err error)
type CommandChecker
type ConfigReader
type CredentialHelper
- func NewOAuthCredentialHelper() *CredentialHelper
- func (h *CredentialHelper) GetHelper() credentials.Helper
- func (h *CredentialHelper) GetOAuthToken(ctx context.Context, serverName string) (string, error)
- func (h *CredentialHelper) GetTokenStatus(ctx context.Context, serverName string) (TokenStatus, error)
type DCRProvider
- func NewDCRProvider(dcrClient dcr.Client, redirectURL string) *DCRProvider
- func (p *DCRProvider) Config() *oauth2.Config
- func (p *DCRProvider) GeneratePKCE() string
- func (p *DCRProvider) Name() string
- func (p *DCRProvider) ResourceURL() string
type DockerConfig
- func ParseDockerConfig(data []byte) (*DockerConfig, error)
type Event
type EventType
type Manager
- func NewManager(credHelper credentials.Helper) *Manager
- func (m *Manager) BuildAuthorizationURL(_ context.Context, serverName string, scopes []string, callbackURL string) (string, string, string, error)
- func (m *Manager) DeleteDCRClient(serverName string) error
- func (m *Manager) EnsureDCRClient(ctx context.Context, serverName string, scopes string) error
- func (m *Manager) ExchangeCode(ctx context.Context, code string, state string) error
- func (m *Manager) RevokeToken(_ context.Context, serverName string) error
- func (m *Manager) SetRedirectURI(uri string)
type ModeDetector
type NotificationMonitor
- func NewNotificationMonitor() *NotificationMonitor
- func (m *NotificationMonitor) Start(ctx context.Context)
type Provider
- func NewProvider(name string, reloadFn func(context.Context, string) error) *Provider
- func (p *Provider) Run(ctx context.Context)
- func (p *Provider) SendEvent(event Event)
- func (p *Provider) Stop()
type Resolver
- func NewResolver() *Resolver
- func (r *Resolver) Resolve() (string, error)
type StateManager
- func NewStateManager() *StateManager
- func (s *StateManager) Clear(state string)
- func (s *StateManager) Generate(serverName string, verifier string) string
- func (s *StateManager) Validate(state string) (serverName string, verifier string, err error)
type TokenStatus
type TokenStore
- func NewTokenStore(credentialHelper credentials.Helper) *TokenStore
- func (t *TokenStore) Delete(dcrClient dcr.Client) error
- func (t *TokenStore) Retrieve(dcrClient dcr.Client) (*oauth2.Token, error)
- func (t *TokenStore) Save(dcrClient dcr.Client, token *oauth2.Token) error

Constants ¶

View Source

const DefaultOAuthPort = 5000

DefaultOAuthPort is the default port for the OAuth callback server Can be overridden with MCP_GATEWAY_OAUTH_PORT environment variable

View Source

const DefaultRedirectURI = "https://mcp.docker.com/oauth/callback"

DefaultRedirectURI is the OAuth callback endpoint

Variables ¶

This section is empty.

Functions ¶

func HelperBinaryName ¶ added in v0.28.0

func HelperBinaryName(credsStore string) string

HelperBinaryName returns credential helper binary name

func IsCEMode ¶ added in v0.28.0

func IsCEMode() bool

IsCEMode returns true if running in Docker CE mode (standalone OAuth flows). When false, uses Docker Desktop for OAuth orchestration.

Set the environment variable DOCKER_MCP_USE_CE=true to enable CE mode.

func NewReadWriteCredentialHelper ¶ added in v0.28.0

func NewReadWriteCredentialHelper() credentials.Helper

NewReadWriteCredentialHelper creates a READ-WRITE credential helper for CE mode This is used for DCR client storage and token storage operations

func RegisterProviderForLazySetup ¶ added in v0.22.0

func RegisterProviderForLazySetup(ctx context.Context, serverName string) error

RegisterProviderForLazySetup registers a DCR provider with Docker Desktop This allows 'docker mcp oauth authorize' to work before full DCR is complete Idempotent - safe to call multiple times for the same server

func ValidateCredsStore ¶ added in v0.28.0

func ValidateCredsStore(credsStore string) error

ValidateCredsStore validates credential store name

Types ¶

type CallbackData ¶ added in v0.28.0

type CallbackData struct {
	Code  string
	State string
}

CallbackData represents the data received from an OAuth callback

type CallbackServer ¶ added in v0.28.0

type CallbackServer struct {
	// contains filtered or unexported fields
}

CallbackServer is a temporary HTTP server that receives OAuth callbacks on localhost

func NewCallbackServer ¶ added in v0.28.0

func NewCallbackServer() (*CallbackServer, error)

NewCallbackServer creates a new callback server on a fixed port (default 5000) The port can be customized via MCP_GATEWAY_OAUTH_PORT environment variable

func (*CallbackServer) Port ¶ added in v0.28.0

func (s *CallbackServer) Port() int

Port returns the port the server is listening on

func (*CallbackServer) Shutdown ¶ added in v0.28.0

func (s *CallbackServer) Shutdown(ctx context.Context) error

Shutdown gracefully shuts down the callback server

func (*CallbackServer) Start ¶ added in v0.28.0

func (s *CallbackServer) Start() error

Start starts the HTTP server Should be called in a goroutine

func (*CallbackServer) URL ¶ added in v0.28.0

func (s *CallbackServer) URL() string

URL returns the full callback URL

func (*CallbackServer) Wait ¶ added in v0.28.0

func (s *CallbackServer) Wait(ctx context.Context) (code string, state string, err error)

Wait blocks until a callback is received, an error occurs, or the context is cancelled Returns the authorization code and state parameter

type CommandChecker ¶ added in v0.28.0

type CommandChecker interface {
	CommandExists(cmd string) bool
}

CommandChecker checks command existence

type ConfigReader ¶ added in v0.28.0

type ConfigReader interface {
	ReadConfig() ([]byte, error)
}

ConfigReader reads Docker config

type CredentialHelper ¶

type CredentialHelper struct {
	// contains filtered or unexported fields
}

CredentialHelper provides secure access to OAuth tokens via credential helpers

func NewOAuthCredentialHelper ¶

func NewOAuthCredentialHelper() *CredentialHelper

NewOAuthCredentialHelper creates a new OAuth credential helper

func (*CredentialHelper) GetHelper ¶ added in v0.28.0

func (h *CredentialHelper) GetHelper() credentials.Helper

GetHelper returns the underlying credential helper

func (*CredentialHelper) GetOAuthToken ¶

func (h *CredentialHelper) GetOAuthToken(ctx context.Context, serverName string) (string, error)

GetOAuthToken retrieves an OAuth token for the specified server It follows this flow: 1. Get DCR client info to retrieve provider name and authorization endpoint 2. Construct credential key using: [AuthorizationEndpoint]/[ProviderName] 3. Retrieve token from credential helper

func (*CredentialHelper) GetTokenStatus ¶ added in v0.22.0

func (h *CredentialHelper) GetTokenStatus(ctx context.Context, serverName string) (TokenStatus, error)

GetTokenStatus checks if an OAuth token is valid and whether it needs refresh

type DCRProvider ¶ added in v0.28.0

type DCRProvider struct {
	// contains filtered or unexported fields
}

DCRProvider represents a dynamically registered OAuth provider Implements public client + PKCE for security

func NewDCRProvider ¶ added in v0.28.0

func NewDCRProvider(dcrClient dcr.Client, redirectURL string) *DCRProvider

NewDCRProvider creates a new DCR provider from a registered DCR client

func (*DCRProvider) Config ¶ added in v0.28.0

func (p *DCRProvider) Config() *oauth2.Config

Config returns the OAuth2 configuration

func (*DCRProvider) GeneratePKCE ¶ added in v0.28.0

func (p *DCRProvider) GeneratePKCE() string

GeneratePKCE generates a new PKCE code verifier The challenge is automatically computed by oauth2 library when using S256ChallengeOption

func (*DCRProvider) Name ¶ added in v0.28.0

func (p *DCRProvider) Name() string

Name returns the provider name

func (*DCRProvider) ResourceURL ¶ added in v0.28.0

func (p *DCRProvider) ResourceURL() string

ResourceURL returns the resource URL for RFC 8707 token audience binding

type DockerConfig ¶ added in v0.28.0

type DockerConfig struct {
	CredsStore string `json:"credsStore"`
}

DockerConfig represents Docker's config.json

func ParseDockerConfig ¶ added in v0.28.0

func ParseDockerConfig(data []byte) (*DockerConfig, error)

ParseDockerConfig parses config JSON

type Event ¶ added in v0.22.0

type Event struct {
	Type     EventType
	Provider string
	Message  string
	Error    string
}

Event represents a parsed OAuth notification event

type EventType ¶ added in v0.22.0

type EventType string

EventType represents the type of OAuth event from Docker Desktop

const (
	EventLoginStart    EventType = "login-start"
	EventCodeReceived  EventType = "code-received"
	EventLoginSuccess  EventType = "login-success"
	EventTokenRefresh  EventType = "token-refresh"
	EventLogoutSuccess EventType = "logout-success"
	EventError         EventType = "error"
)

type Manager ¶ added in v0.28.0

type Manager struct {
	// contains filtered or unexported fields
}

Manager orchestrates OAuth flows for DCR-based providers

func NewManager ¶ added in v0.28.0

func NewManager(credHelper credentials.Helper) *Manager

NewManager creates a new OAuth manager for CE mode

func (*Manager) BuildAuthorizationURL ¶ added in v0.28.0

func (m *Manager) BuildAuthorizationURL(_ context.Context, serverName string, scopes []string, callbackURL string) (string, string, string, error)

BuildAuthorizationURL generates the OAuth authorization URL with PKCE If callbackURL is provided, extracts port and embeds in state for mcp-oauth proxy routing Returns: authURL, baseState, verifier, error

func (*Manager) DeleteDCRClient ¶ added in v0.28.0

func (m *Manager) DeleteDCRClient(serverName string) error

DeleteDCRClient removes a DCR client registration

func (*Manager) EnsureDCRClient ¶ added in v0.28.0

func (m *Manager) EnsureDCRClient(ctx context.Context, serverName string, scopes string) error

EnsureDCRClient ensures a DCR client is registered for the server If no client exists or it's incomplete, performs discovery and registration

func (*Manager) ExchangeCode ¶ added in v0.28.0

func (m *Manager) ExchangeCode(ctx context.Context, code string, state string) error

ExchangeCode exchanges an authorization code for an access token

func (*Manager) RevokeToken ¶ added in v0.28.0

func (m *Manager) RevokeToken(_ context.Context, serverName string) error

RevokeToken revokes an OAuth token for a server

func (*Manager) SetRedirectURI ¶ added in v0.28.0

func (m *Manager) SetRedirectURI(uri string)

SetRedirectURI sets a custom redirect URI (for testing or custom deployments)

type ModeDetector ¶ added in v0.28.0

type ModeDetector interface {
	IsCEMode() bool
}

ModeDetector detects CE vs Desktop mode

type NotificationMonitor ¶ added in v0.22.0

type NotificationMonitor struct {
	OnOAuthEvent func(event Event)
	// contains filtered or unexported fields
}

NotificationMonitor subscribes to Docker Desktop's OAuth notification stream

func NewNotificationMonitor ¶ added in v0.22.0

func NewNotificationMonitor() *NotificationMonitor

NewNotificationMonitor creates a new notification monitor

func (*NotificationMonitor) Start ¶ added in v0.22.0

func (m *NotificationMonitor) Start(ctx context.Context)

Start begins monitoring OAuth notifications from Docker Desktop

type Provider ¶ added in v0.22.0

type Provider struct {
	// contains filtered or unexported fields
}

Provider manages OAuth token lifecycle for a single MCP server This is used for background token refresh loops in the gateway

func NewProvider ¶ added in v0.22.0

func NewProvider(name string, reloadFn func(context.Context, string) error) *Provider

NewProvider creates a new OAuth provider for token refresh

func (*Provider) Run ¶ added in v0.22.0

func (p *Provider) Run(ctx context.Context)

Run starts the provider's background loop Loop dynamically adjusts timing based on token expiry

func (*Provider) SendEvent ¶ added in v0.22.0

func (p *Provider) SendEvent(event Event)

SendEvent sends an SSE event to this provider's event channel

func (*Provider) Stop ¶ added in v0.22.0

func (p *Provider) Stop()

Stop signals the provider to shutdown gracefully

type Resolver ¶ added in v0.28.0

type Resolver struct {
	ConfigReader   ConfigReader
	CommandChecker CommandChecker
	ModeDetector   ModeDetector
}

Resolver resolves credential helper names

func NewResolver ¶ added in v0.28.0

func NewResolver() *Resolver

NewResolver creates resolver with production dependencies

func (*Resolver) Resolve ¶ added in v0.28.0

func (r *Resolver) Resolve() (string, error)

Resolve determines credential helper to use

type StateManager ¶ added in v0.28.0

type StateManager struct {
	// contains filtered or unexported fields
}

StateManager manages OAuth state parameters and PKCE verifiers States and verifiers are stored in memory and cleared after use

func NewStateManager ¶ added in v0.28.0

func NewStateManager() *StateManager

NewStateManager creates a new state manager

func (*StateManager) Clear ¶ added in v0.28.0

func (s *StateManager) Clear(state string)

Clear removes a state and its associated verifier without validation Useful for cleanup on errors

func (*StateManager) Generate ¶ added in v0.28.0

func (s *StateManager) Generate(serverName string, verifier string) string

Generate creates a new state parameter and stores the associated server name and PKCE verifier Returns the state UUID

func (*StateManager) Validate ¶ added in v0.28.0

func (s *StateManager) Validate(state string) (serverName string, verifier string, err error)

Validate checks if a state parameter is valid and returns the associated server name and verifier The state and verifier are removed after validation (single-use)

type TokenStatus ¶ added in v0.22.0

type TokenStatus struct {
	Valid        bool
	ExpiresAt    time.Time
	NeedsRefresh bool
}

TokenStatus represents the validity status of an OAuth token

type TokenStore ¶ added in v0.28.0

type TokenStore struct {
	// contains filtered or unexported fields
}

TokenStore provides storage for OAuth tokens via credential helper

func NewTokenStore ¶ added in v0.28.0

func NewTokenStore(credentialHelper credentials.Helper) *TokenStore

NewTokenStore creates a new token store

func (*TokenStore) Delete ¶ added in v0.28.0

func (t *TokenStore) Delete(dcrClient dcr.Client) error

Delete removes an OAuth token from the credential helper

func (*TokenStore) Retrieve ¶ added in v0.28.0

func (t *TokenStore) Retrieve(dcrClient dcr.Client) (*oauth2.Token, error)

Retrieve retrieves an OAuth token from the credential helper

func (*TokenStore) Save ¶ added in v0.28.0

func (t *TokenStore) Save(dcrClient dcr.Client, token *oauth2.Token) error

Save stores an OAuth token in the credential helper Key format: {authorizationEndpoint}/{providerName}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
dcr

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL