Documentation
Overview
Package auth provides JWT verification with JWKS caching for the LFX MCP server.
Index
Constants
const APIKeyAuthExtraKey = "api_key_auth"
APIKeyAuthExtraKey is the key used in TokenInfo.Extra to signal that the request was authenticated via a static API key rather than a bearer JWT. The lfxv2 token-exchange layer checks this marker to select the client_credentials grant.
Variables
var M2MScopes = []string{"read:all", "manage:all"}
M2MScopes are the scopes granted to every API-key-authenticated request. They mirror what an OAuth2 M2M client_credentials token carries.
Functions
func ExtractScopes
ExtractScopes extracts scopes from a JWT token. It handles both the "scope" claim (a space-separated string) and the "scopes" claim (an array).
func ExtractUsername added in v0.4.6
ExtractUsername extracts the LFX username from a verified JWT token. It reads the http://lfx.dev/claims/username custom claim set by the Auth0 custom_claims action for human users.
If the claim is absent (e.g. M2M client_credentials tokens) and the sub ends in "@clients", the full sub is returned as the username so M2M callers are still identifiable in logs and traces.
Returns an empty string if neither source yields a usable value.
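The two claim-handling rules above, written out as an added example (not the package's own code): it assumes the JWT has already been verified and its claims decoded into a map[string]any, and the lowercase function names are hypothetical stand-ins for ExtractScopes and ExtractUsername.

```go
package main

import (
	"fmt"
	"strings"
)

// usernameClaim is the Auth0 custom claim named in the package documentation.
const usernameClaim = "http://lfx.dev/claims/username"

// extractScopes follows the documented ExtractScopes behaviour over decoded claims:
// a space-separated "scope" string and/or a "scopes" array. Non-string entries are skipped.
func extractScopes(claims map[string]any) []string {
	var out []string
	if s, ok := claims["scope"].(string); ok {
		out = append(out, strings.Fields(s)...)
	}
	switch arr := claims["scopes"].(type) {
	case []string:
		out = append(out, arr...)
	case []any: // JSON arrays decode to []any
		for _, v := range arr {
			if s, ok := v.(string); ok && s != "" {
				out = append(out, s)
			}
		}
	}
	return out
}

// extractUsername follows the documented ExtractUsername fallback order: custom claim,
// then the full sub for M2M client_credentials tokens (sub ending in "@clients"), else "".
func extractUsername(claims map[string]any) string {
	if u, ok := claims[usernameClaim].(string); ok && u != "" {
		return u
	}
	if sub, ok := claims["sub"].(string); ok && strings.HasSuffix(sub, "@clients") {
		return sub
	}
	return ""
}

func main() {
	// Constructed sample claim sets: one human Auth0 user, one M2M client.
	human := map[string]any{"sub": "auth0|abc", usernameClaim: "jdoe", "scope": "read:all manage:all"}
	m2m := map[string]any{"sub": "abc123@clients", "scopes": []any{"read:all", "manage:all"}}
	fmt.Println(extractUsername(human), extractScopes(human))
	fmt.Println(extractUsername(m2m), extractScopes(m2m))
}
```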
Types
type APIKeyVerifier added in v0.4.3
type APIKeyVerifier struct {
// contains filtered or unexported fields
}
APIKeyVerifier validates Authorization: Bearer header values against a static map of consumer-key → shared-secret pairs.
TEMPORARY — see package-level comment.
func NewAPIKeyVerifier added in v0.4.3
func NewAPIKeyVerifier(credentials map[string]string) *APIKeyVerifier
NewAPIKeyVerifier creates a new verifier from the supplied key→secret map. Returns nil when credentials is empty so callers can skip wiring it up entirely.
TEMPORARY — see package-level comment.
func (*APIKeyVerifier) VerifyAPIKey added in v0.4.3
func (v *APIKeyVerifier) VerifyAPIKey(_ context.Context, bearerValue string) (*sdkauth.TokenInfo, bool, error)
VerifyAPIKey checks whether the Authorization: Bearer value in the request matches a known static secret.
Return semantics:
- (TokenInfo, true, nil) — secret present and valid; caller should proceed.
- (nil, true, ErrInvalidToken) — bearer value present but not a known secret; caller must not fall through to JWT verification.
- (nil, false, nil) — no Authorization header present; caller should try the next verifier.
The verifier is called from within the existing verifyToken closure, which already receives the raw bearer value from RequireBearerToken. Callers should invoke this before attempting JWT parsing.
TEMPORARY — see package-level comment.
type JWTVerifier
type JWTVerifier struct {
// contains filtered or unexported fields
}
JWTVerifier verifies JWT tokens using cached JWKS from authorization servers.
func NewJWTVerifier
func NewJWTVerifier(cfg JWTVerifierConfig) (*JWTVerifier, error)
NewJWTVerifier creates a new JWT verifier with JWKS caching.
func (*JWTVerifier) VerifyToken
VerifyToken verifies a JWT token and returns the parsed token.
type JWTVerifierConfig
type JWTVerifierConfig struct {
// AuthServers is the list of authorization server URLs (e.g., ["https://example.auth0.com"]).
// JWKS will be fetched from {authServer}/.well-known/jwks.json for each server.
AuthServers []string
// Audience is the expected audience claim (aud) in the JWT.
Audience string
// HTTPClient is the HTTP client to use for fetching JWKS.
// If nil, a default client with 30s timeout will be created.
HTTPClient *http.Client
// CacheRefreshInterval is how often to refresh the JWKS cache.
// If zero, defaults to 15 minutes.
CacheRefreshInterval time.Duration
}
JWTVerifierConfig holds configuration for JWT verification.