Overview
Package oauth provides OAuth 2.0 Protected Resource Metadata (RFC 9728) support for the GitHub MCP Server HTTP mode.
Constants
const (
	// OAuthProtectedResourcePrefix is the well-known path prefix for OAuth protected resource metadata.
	OAuthProtectedResourcePrefix = "/.well-known/oauth-protected-resource"
)
Variables
var SupportedScopes = []string{
	"repo",
	"read:org",
	"read:user",
	"user:email",
	"read:packages",
	"write:packages",
	"read:project",
	"project",
	"gist",
	"notifications",
	"workflow",
	"codespace",
}
SupportedScopes lists all OAuth scopes that may be required by MCP tools.
Functions
func BuildResourceMetadataURL
BuildResourceMetadataURL constructs the full URL to the OAuth protected resource metadata endpoint.
func GetEffectiveHostAndScheme
GetEffectiveHostAndScheme returns the effective host and scheme for a request.
X-Forwarded-Host and X-Forwarded-Proto are honored only when cfg.TrustProxyHeaders is true. If they were honored without that opt-in, an untrusted client could influence the OAuth resource metadata URL advertised to MCP clients.
Types
type AuthHandler
type AuthHandler struct {
	// contains filtered or unexported fields
}
AuthHandler handles OAuth-related HTTP endpoints.
func NewAuthHandler
func NewAuthHandler(cfg *Config, apiHost utils.APIHostResolver) (*AuthHandler, error)
NewAuthHandler creates a new OAuth auth handler.
func (*AuthHandler) RegisterRoutes
func (h *AuthHandler) RegisterRoutes(r chi.Router)
RegisterRoutes registers the OAuth protected resource metadata routes.
type Config
type Config struct {
	// BaseURL is the publicly accessible URL where this server is hosted.
	// This is used to construct the OAuth resource URL.
	BaseURL string
	// AuthorizationServer is the OAuth authorization server URL.
	// Defaults to GitHub's OAuth server if not specified.
	AuthorizationServer string
	// ResourcePath is the externally visible base path for the MCP server (e.g., "/mcp").
	// This is used to restore the original path when a proxy strips a base path before forwarding.
	// If empty, requests are treated as already using the external path.
	ResourcePath string
	// TrustProxyHeaders indicates whether X-Forwarded-Host and X-Forwarded-Proto
	// should be honored when deriving the effective host and scheme for OAuth
	// resource URLs. This must only be enabled when the server is deployed
	// behind a trusted proxy that sets these headers; otherwise an untrusted
	// client can influence the OAuth resource metadata URL advertised to MCP
	// clients. When BaseURL is set, it always takes precedence and these
	// headers are unused.
	TrustProxyHeaders bool
}
Config holds the OAuth configuration for the MCP server.
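The precedence described for GetEffectiveHostAndScheme and Config.TrustProxyHeaders, as an added example that is not the package's own code: `metadataURL` and `spoofedRequest` are hypothetical helpers, the hostnames are constructed, and the URL layout (well-known prefix placed before the resource path) follows RFC 9728.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Same value as the package's OAuthProtectedResourcePrefix constant.
const prefix = "/.well-known/oauth-protected-resource"

// metadataURL is a hypothetical helper (an assumption, not the package's API).
// Precedence: baseURL, then forwarded headers only if trustProxy, then the connection.
func metadataURL(r *http.Request, baseURL, resourcePath string, trustProxy bool) string {
	if u, err := url.Parse(baseURL); baseURL != "" && err == nil && u.Host != "" {
		return u.Scheme + "://" + u.Host + prefix + resourcePath
	}
	host, scheme := r.Host, "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if trustProxy {
		if h := r.Header.Get("X-Forwarded-Host"); h != "" {
			host = h
		}
		// Accept only the two schemes a proxy can legitimately report.
		if p := strings.ToLower(r.Header.Get("X-Forwarded-Proto")); p == "http" || p == "https" {
			scheme = p
		}
	}
	return scheme + "://" + host + prefix + resourcePath
}

// spoofedRequest returns a constructed request whose forwarding headers were set by the client.
func spoofedRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://mcp.internal.example/mcp", nil)
	r.Header.Set("X-Forwarded-Host", "untrusted.example")
	r.Header.Set("X-Forwarded-Proto", "https")
	return r
}

func main() {
	r := spoofedRequest()
	fmt.Println(metadataURL(r, "", "/mcp", false))                       // headers ignored
	fmt.Println(metadataURL(r, "", "/mcp", true))                        // headers honored
	fmt.Println(metadataURL(r, "https://mcp.example.com", "/mcp", true)) // baseURL wins
}
```

With the opt-in enabled and no BaseURL, the advertised URL follows whatever the request headers say, which is why the setting belongs only behind a proxy that overwrites those headers.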