Documentation
Overview
Package lfxv2 provides client configuration for LFX v2 API services.
Token Exchange
The package supports automatic OAuth2 token exchange (RFC 8693) for converting MCP access tokens into LFX API tokens. Token exchange is performed per-request using tokens stored in the request context.
Usage in MCP Tools
Tools should extract the raw MCP token from the request and attach it to the context before making LFX API calls:
func handleMyTool(ctx context.Context, req *mcp.CallToolRequest, args MyToolArgs) (*mcp.CallToolResult, any, error) {
	// Extract raw MCP token from request.
	mcpToken, err := lfxv2.ExtractMCPToken(req.Extra.TokenInfo)
	if err != nil {
		return nil, nil, err
	}

	// Attach token to context for LFX API calls.
	ctx = lfxv2.WithMCPToken(ctx, mcpToken)

	// Create clients with token exchange enabled.
	clients, err := lfxv2.NewClients(ctx, lfxv2.ClientConfig{
		APIDomain:           "https://api.lfx.dev",
		TokenExchangeClient: tokenExchangeClient, // shared instance
	})
	if err != nil {
		return nil, nil, err
	}

	// Make API calls - token exchange happens automatically.
	result, err := clients.Project.GetOneProjectBase(ctx, &projectservice.GetOneProjectBasePayload{})
	// ...
}
Token Caching
Exchanged tokens are cached per MCP token to avoid redundant exchanges. The cache is thread-safe and automatically expires tokens with a 5-minute buffer.
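One way such a cache can work, as an added example that is not the lfxv2 package's own code: entries are keyed per MCP token, guarded by a mutex, and treated as expired once less than five minutes of lifetime remain. The names `TokenCache`, `Put` and `Get`, the SHA-256 cache key and the injectable clock are assumptions made for this sketch.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

const expiryBuffer = 5 * time.Minute // the 5-minute buffer described above
type entry struct {
	accessToken string
	expiresAt   time.Time
}

type TokenCache struct { // hypothetical per-MCP-token cache, not the lfxv2 type
	mu      sync.Mutex
	entries map[[32]byte]entry
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewTokenCache(now func() time.Time) *TokenCache {
	return &TokenCache{entries: map[[32]byte]entry{}, now: now}
}

// Put keys the entry by SHA-256(mcpToken) so the raw MCP token is not retained.
func (c *TokenCache) Put(mcpToken, accessToken string, expiresIn int) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[sha256.Sum256([]byte(mcpToken))] = entry{accessToken, c.now().Add(time.Duration(expiresIn) * time.Second)}
}

// Get serves a token only while more than expiryBuffer of its lifetime remains.
func (c *TokenCache) Get(mcpToken string) (string, bool) {
	key := sha256.Sum256([]byte(mcpToken))
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[key]; ok && c.now().Add(expiryBuffer).Before(e.expiresAt) {
		return e.accessToken, true
	}
	delete(c.entries, key) // evict missing-or-stale keys rather than serve them
	return "", false
}

func main() {
	c := NewTokenCache(time.Now)
	c.Put("constructed-mcp-token", "constructed-lfx-token", 3600)
	fmt.Println(c.Get("constructed-mcp-token"))
}
```

A token whose `expires_in` is shorter than the buffer is never served from this cache, so every call with it triggers a fresh exchange.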
Package lfxv2 provides client utilities for interacting with LFX v2 APIs, including OAuth2 token exchange.
Constants
This section is empty.
Variables
This section is empty.
Functions
func ErrorMessage (added in v0.1.2)
ErrorMessage returns the most informative string available for an error returned by a Goa-generated service client. Until the LFX SDK codegen is fixed, Error() returns "" on all typed API errors; this helper recovers the actual message via the struct fields instead. For all other error types the result of Error() is returned as-is.
func ExtractMCPToken
ExtractMCPToken extracts the raw MCP token from auth.TokenInfo.Extra. This token can be passed to WithMCPToken for use in LFX API calls. Returns an error if the token cannot be extracted.
Types
type ClientConfig
type ClientConfig struct {
	// APIDomain is the LFX API base domain.
	APIDomain string

	// HTTPClient is the HTTP client to use for API calls.
	// If nil, a default client with 30s timeout will be created.
	HTTPClient *http.Client

	// TokenExchangeClient is the RFC 8693 OAuth2 token exchange client.
	// If provided, the client will automatically exchange MCP tokens (from request context)
	// for target API tokens.
	TokenExchangeClient *TokenExchangeClient

	// DebugLogger is used for debug-level HTTP request/response logging.
	// If nil, debug logging is disabled.
	DebugLogger *slog.Logger
}
ClientConfig holds configuration for LFX v2 API clients.
type Clients
type Clients struct {
	Committee   *committeeservice.Client
	MailingList *mailinglist.Client
	Member      *memberservice.Client
	Project     *projectservice.Client
	QuerySvc    *querysvc.Client
	// contains filtered or unexported fields
}
Clients holds initialized LFX v2 API service clients.
func NewClients
func NewClients(_ context.Context, cfg ClientConfig) (*Clients, error)
NewClients initializes and returns LFX v2 API service clients.
type TokenExchangeClient
type TokenExchangeClient struct {
	// contains filtered or unexported fields
}
TokenExchangeClient handles OAuth2 token exchange per RFC 8693.
func NewTokenExchangeClient
func NewTokenExchangeClient(cfg TokenExchangeConfig) (*TokenExchangeClient, error)
NewTokenExchangeClient creates a new RFC 8693 token exchange client.
func (*TokenExchangeClient) ClientCredentials (added in v0.4.1)
func (c *TokenExchangeClient) ClientCredentials(ctx context.Context) (*TokenExchangeResponse, error)
ClientCredentials obtains an LFX API token using the client_credentials grant. This is used when the caller presents an M2M token, which Auth0 cannot exchange via RFC 8693 token exchange (it requires a user subject). Instead, the MCP server mints a fresh LFX token using its own client identity.
func (*TokenExchangeClient) ExchangeToken
func (c *TokenExchangeClient) ExchangeToken(ctx context.Context, subjectToken string) (*TokenExchangeResponse, error)
ExchangeToken exchanges a subject token for a new access token per RFC 8693.
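The RFC 8693 request and response seen from both sides, as an added example that is not the package's own code. The function `Exchange`, the in-process stub authorization server, and sending `client_id`/`client_secret` in the form body are assumptions; the token values and URNs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const grantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"

// stubAS is a constructed stand-in for the authorization server's token endpoint.
var stubAS = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.PostFormValue("grant_type") != grantTokenExchange || r.PostFormValue("subject_token") == "" {
		http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, `{"access_token":"constructed-lfx-token","token_type":"Bearer","expires_in":3600}`)
})

// inProcess hands client requests straight to a handler, so no socket is opened.
type inProcess struct{ h http.Handler }
func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}
var stubClient = &http.Client{Transport: inProcess{stubAS}}

// Exchange sends the RFC 8693 section 2.1 request and returns the issued access token.
func Exchange(hc *http.Client, endpoint, clientID, clientSecret, subjectToken, subjectTokenType, audience string) (string, error) {
	resp, err := hc.PostForm(endpoint, url.Values{
		"grant_type": {grantTokenExchange}, "client_id": {clientID}, "client_secret": {clientSecret},
		"subject_token": {subjectToken}, "subject_token_type": {subjectTokenType}, "audience": {audience},
	})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || resp.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", fmt.Errorf("token exchange rejected: HTTP %d, decode error %v", resp.StatusCode, err)
	}
	return body.AccessToken, nil
}

func main() {
	fmt.Println(Exchange(stubClient, "https://example.auth0.com/oauth/token", "example-client-id", "example-secret", "constructed-mcp-token", "urn:example:mcp-api", "urn:example:lfx-v2-api"))
}
```

The error path reports only the HTTP status, so neither the subject token nor the client secret ends up in logs.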
type TokenExchangeConfig
type TokenExchangeConfig struct {
	// TokenEndpoint is the OAuth2 token endpoint URL (e.g., "https://example.auth0.com/oauth/token").
	TokenEndpoint string

	// ClientID is the M2M client ID for token exchange.
	ClientID string

	// ClientSecret is the M2M client secret for token exchange.
	// Ignored if ClientAssertionSigningKey is provided.
	ClientSecret string

	// ClientAssertionSigningKey is the PEM-encoded RSA private key for generating client assertions.
	// If provided, this takes precedence over ClientSecret for client authentication.
	// The key is used to sign a JWT assertion per RFC 7523.
	ClientAssertionSigningKey string

	// SubjectTokenType is the token type of the incoming subject token (e.g., LFX MCP API identifier).
	SubjectTokenType string

	// Audience is the target audience for the exchanged token (e.g., LFX V2 API identifier).
	Audience string

	// HTTPClient is the HTTP client to use for token exchange.
	// If nil, a default client with 30s timeout will be created.
	HTTPClient *http.Client
}
TokenExchangeConfig holds configuration for OAuth2 token exchange (RFC 8693).
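What signing a client assertion from a PEM-encoded RSA key involves, as an added example that is not the package's own code. `SignClientAssertion` and `throwawayKey` are hypothetical names; the RS256 algorithm, the PKCS#1 key format, the one-minute lifetime and the `jti` claim are assumptions, and the `aud` value must be whatever the authorization server expects.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"time"
)

// SignClientAssertion (hypothetical helper) builds an RS256 JWT per RFC 7523 section 3.
func SignClientAssertion(pemKey []byte, clientID, aud string, now time.Time) (string, error) {
	block, _ := pem.Decode(pemKey)
	if block == nil {
		return "", fmt.Errorf("signing key is not PEM-encoded")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes) // handles "RSA PRIVATE KEY" blocks only
	if err != nil {
		return "", fmt.Errorf("parse RSA key: %w", err)
	}
	jti := make([]byte, 16) // unique ID lets the server reject a replayed assertion
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": aud,
		"jti": enc.EncodeToString(jti), "iat": now.Unix(), "exp": now.Add(time.Minute).Unix()})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

func throwawayKey() ([]byte, *rsa.PublicKey) { // constructed demo key pair, never reuse
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}), &k.PublicKey
}

func main() {
	pemKey, _ := throwawayKey()
	fmt.Println(SignClientAssertion(pemKey, "example-client-id", "https://example.auth0.com/oauth/token", time.Now()))
}
```

The resulting JWT is sent as `client_assertion` together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, so no shared secret crosses the wire.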
type TokenExchangeResponse
type TokenExchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type,omitempty"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
	Scope           string `json:"scope,omitempty"`
	RefreshToken    string `json:"refresh_token,omitempty"`
}
TokenExchangeResponse represents the response from OAuth2 token exchange per RFC 8693.