Documentation
Constants
This section is empty.
Variables
var ErrInsufficientScope = errors.New("jwtauth: insufficient_scope")
ErrInsufficientScope indicates the token was valid but did not satisfy the required scopes policy; callers should respond with HTTP 403 where relevant.
ErrUnauthorized indicates that the access token failed validation (e.g., signature, issuer, audience, exp/nbf) and the request should be treated as unauthenticated.
Functions
func NewFromDiscovery
NewFromDiscovery performs OIDC discovery to obtain jwks_uri and issuer, and constructs an Authenticator that validates RFC 9068 access tokens using the configured policies in Config. JWKS keys are auto-refreshed.
Types
type Authenticator
type Authenticator interface {
	CheckAuthentication(ctx context.Context, tok string) (UserInfo, error)
}
Authenticator validates access tokens and returns a minimal UserInfo that exposes the subject and access to raw claims. Implementations MUST perform signature, issuer, audience and time validations.
type Config
type Config struct {
	Issuer string
	// ExpectedAudiences contains the primary audience (index 0) followed by any
	// additional accepted audiences. The first entry SHOULD be the production
	// audience registered with the authorization server; subsequent entries are
	// primarily intended for local / testing scenarios where the served MCP
	// endpoint base URL differs from the production one. Avoid growing this set
	// in production unless deliberately operating a multi-audience design.
	ExpectedAudiences []string
	RequiredScopes    []string
	ScopeModeAny      bool // if true, any of RequiredScopes is sufficient; else all are required
	AllowedAlgs       []string
	Leeway            time.Duration
	// HintScopes carries an optional set of scopes that transports may echo
	// in WWW-Authenticate "scope" parameters when constructing Bearer
	// challenges. They are advisory only and do not affect token validation.
	HintScopes []string
	// AdvertisedScopesTransform is an optional function that receives the scopes
	// discovered from the authorization server's OIDC metadata and returns the
	// scopes that should be advertised in the protected resource metadata. If nil,
	// the discovered scopes are used as-is.
	AdvertisedScopesTransform func(discovered []string) []string
}
Config controls validation behavior for access tokens. It is used by discovery-based authenticators to enforce issuer, audience, scope, algorithm, and clock-skew policies.
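The scope policy (RequiredScopes plus ScopeModeAny) and the 401/403 split between ErrUnauthorized and ErrInsufficientScope are described above but not shown in code. The following is an added, self-contained illustration of those semantics, not the package's own implementation: ScopePolicy, CheckScopes and StatusForError are invented names, and the ErrUnauthorized message is assumed since the docs show only ErrInsufficientScope's value.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Stand-ins for the package's sentinels; ErrUnauthorized's message is assumed.
var (
	ErrInsufficientScope = errors.New("jwtauth: insufficient_scope")
	ErrUnauthorized      = errors.New("jwtauth: unauthorized")
)

// ScopePolicy mirrors the RequiredScopes / ScopeModeAny fields of Config.
type ScopePolicy struct {
	RequiredScopes []string
	ScopeModeAny   bool // true: any required scope suffices; false: all must be present
}

// CheckScopes applies the policy to a token's space-separated "scope" claim (RFC 8693
// format, as carried by RFC 9068 access tokens); it assumes the token already passed
// signature, issuer, audience and time validation.
func CheckScopes(p ScopePolicy, scopeClaim string) error {
	granted := map[string]bool{}
	for _, s := range strings.Fields(scopeClaim) {
		granted[s] = true
	}
	matched := 0
	for _, want := range p.RequiredScopes {
		if granted[want] {
			matched++
		}
	}
	// An empty RequiredScopes means no scope policy: matched == len == 0 passes.
	if (p.ScopeModeAny && matched > 0) || matched == len(p.RequiredScopes) {
		return nil
	}
	return ErrInsufficientScope
}

// StatusForError maps the documented error semantics to HTTP status codes:
// valid but under-scoped -> 403; failed validation (or anything unexpected) -> 401.
func StatusForError(err error) int {
	if err == nil {
		return http.StatusOK
	}
	if errors.Is(err, ErrInsufficientScope) {
		return http.StatusForbidden
	}
	return http.StatusUnauthorized // ErrUnauthorized and any other error: fail closed
}
```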
func DefaultConfig
func DefaultConfig() *Config
DefaultConfig returns a Config with safe defaults for algorithm and leeway.
type DiscoveryMetadata (added in v0.7.0)
DiscoveryMetadata exposes optional advertisement-only endpoints learned via OIDC discovery. Implementations may return empty strings if not applicable.
type StaticConfig (added in v0.7.0)
type StaticConfig struct {
	Issuer            string
	ExpectedAudiences []string
	AllowedAlgs       []string
	Leeway            time.Duration
}
StaticConfig controls validation for manual (non-discovery) JWT access tokens. The caller supplies the issuer, one or more expected audiences, and the JWKS URI.
func DefaultStaticConfig (added in v0.7.0)
func DefaultStaticConfig() *StaticConfig
DefaultStaticConfig returns a StaticConfig with safe algorithm and leeway defaults.