Documentation
¶
Overview ¶
Package authz provides the transport-independent authorization foundation for Dockyard protected resources. HTTP integration supplies a bearer token to a Validator and places the resulting Principal in the request context.
Index ¶
- Variables
- func Challenge(metadataURL string, err error, requiredScopes []string) string
- func Drivers() []string
- func ParseBearer(values []string) (string, error)
- func RegisterDriver(name string, factory Factory)
- func RequireScopes(p Principal, required ...string) error
- func WithPrincipal(ctx context.Context, p Principal) context.Context
- type Config
- type Factory
- type Principal
- type ProtectedResourceMetadata
- type Validator
Constants ¶
This section is empty.
Variables ¶
var ( // ErrMissingToken indicates that no bearer token was supplied. ErrMissingToken = errors.New("authz: bearer token missing") // ErrInvalidToken indicates that a bearer token is malformed or failed validation. ErrInvalidToken = errors.New("authz: invalid token") // ErrInsufficientScope indicates that the principal lacks a required scope. ErrInsufficientScope = errors.New("authz: insufficient scope") )
Functions ¶
func Drivers ¶
func Drivers() []string
Drivers returns registered driver names in deterministic order.
func ParseBearer ¶
ParseBearer strictly accepts exactly one Authorization value containing the case-insensitive Bearer scheme, one SP, and a non-empty token68 value.
func RegisterDriver ¶
RegisterDriver registers a process-wide validator driver. Duplicate or invalid registrations panic because they are programming errors at startup.
func RequireScopes ¶
RequireScopes requires every listed scope and returns the missing scopes.
Types ¶
type Config ¶
type Config struct {
Driver string
Resource string
Issuer string
// Scopes are advertised as supported in protected-resource metadata. Each
// value must be a non-empty RFC 6749 scope-token other than offline_access.
Scopes []string
// RequiredScopes are required on every protected MCP operation and follow
// the same syntax restrictions as Scopes.
RequiredScopes []string
DriverConfig any
// ContinuationKey authenticates framework-owned MRTR continuation state.
// It must contain at least 32 bytes and is never exposed on the wire.
ContinuationKey []byte
}
Config is the authorization configuration consumed by HTTP server options. Resource and Issuer must be canonical HTTPS URLs. Scope values must satisfy RFC 6749's scope-token grammar; offline_access is rejected because Dockyard is a resource server and does not issue refresh tokens. DriverConfig is interpreted only by the selected driver.
func (Config) Metadata ¶
func (c Config) Metadata() ProtectedResourceMetadata
Metadata returns defensively copied RFC 9728 handler data.
func (Config) MetadataHandler ¶
MetadataHandler serves immutable RFC 9728 metadata.
func (Config) MetadataURL ¶
MetadataURL returns the RFC 9728 path-aware well-known URL. A resource path is appended after /.well-known/oauth-protected-resource.
type Principal ¶
Principal is identity established by a Validator. Scopes is always copied at context boundaries so callers cannot mutate another component's identity.
func PrincipalFromContext ¶
PrincipalFromContext returns a defensive copy of the verified principal.
func (Principal) BindingKey ¶
BindingKey returns a stable, non-reversible identity suitable for persistence. Length-prefixing prevents tuple ambiguity; SHA-256 makes collisions computationally infeasible without requiring a deployment secret.
type ProtectedResourceMetadata ¶
type ProtectedResourceMetadata struct {
Resource string `json:"resource"`
AuthorizationServers []string `json:"authorization_servers"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
BearerMethodsSupported []string `json:"bearer_methods_supported"`
}
ProtectedResourceMetadata is the RFC 9728 response shape used by Dockyard.