oauth

package v0.5.0

Warning: this package is not in the latest version of its module.

Published: Apr 7, 2026 License: MIT Imports: 22 Imported by: 0

Documentation

Overview

Package oauth implements an OAuth 2.1 credential provider for Moat.

It supports browser-based authorization code flow with PKCE, automatic token refresh via refresh_token grant, and MCP OAuth discovery (RFC 9728, RFC 8414, RFC 7591).

Credentials are stored under "oauth:<name>" in the encrypted credential store, allowing multiple independent OAuth integrations.

Configuration can come from CLI flags, a YAML file at ~/.moat/oauth/<name>.yaml, or automatic MCP server discovery.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultConfigDir

func DefaultConfigDir() string

DefaultConfigDir returns the default directory for OAuth configs (~/.moat/oauth/).

func LookupServerURL

func LookupServerURL(name string) string

LookupServerURL returns the well-known MCP server URL for a named OAuth grant, or "" if the name is not in the registry.

func RunGrant

func RunGrant(ctx context.Context, name string, cfg *Config, resource string) (*provider.Credential, error)

RunGrant orchestrates the full OAuth authorization code flow with PKCE.
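The client side of the flow RunGrant drives (and the Overview describes) has three pieces that are easy to get subtly wrong: the PKCE verifier/challenge pair, the state value that binds the browser callback to this particular request, and the checks on the callback before the code is exchanged. The program below is an added example, not code from Moat; the endpoint, client ID, scopes, resource and loopback redirect are constructed placeholders, and the helper names (NewPKCE, NewState, AuthorizationURL, CheckCallback) are this example's own rather than the package's API.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// PKCE is the verifier/challenge pair for one authorization request (RFC 7636).
type PKCE struct {
	Verifier  string // stays on the client; sent only to the token endpoint together with the code
	Challenge string // base64url(SHA-256(Verifier)), sent to the authorization endpoint
}

// S256Challenge derives code_challenge from a verifier with the S256 method.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewPKCE draws 32 random bytes; base64url of that is a 43-character verifier, the RFC 7636 minimum.
func NewPKCE() (*PKCE, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	v := base64.RawURLEncoding.EncodeToString(raw)
	return &PKCE{Verifier: v, Challenge: S256Challenge(v)}, nil
}

// NewState returns an unguessable value that binds the browser callback to this request.
func NewState() (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// AuthorizationURL builds the URL opened in the browser. resource is the RFC 8707 indicator discovery
// returned and may be empty. The redirect is a loopback address, which OAuth 2.1 allows over plain http.
func AuthorizationURL(authURL, clientID, redirectURI, scopes, resource, state string, p *PKCE) (string, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("authorization endpoint must use https")
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", p.Challenge)
	q.Set("code_challenge_method", "S256") // never "plain": the challenge would then equal the verifier
	if scopes != "" {
		q.Set("scope", scopes)
	}
	if resource != "" {
		q.Set("resource", resource)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// CheckCallback validates the redirect the loopback listener received and extracts the code. State is
// compared in constant time, and an authorization server error is reported rather than read as a missing code.
func CheckCallback(callback *url.URL, wantState string) (string, error) {
	q := callback.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(wantState)) != 1 {
		return "", errors.New("state mismatch: callback does not belong to this request")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned %s: %s", e, q.Get("error_description"))
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

func main() {
	p, err := NewPKCE()
	state, _ := NewState()
	if err != nil {
		panic(err)
	}
	// Constructed values: endpoint, client ID, scopes and resource are placeholders, not real services.
	u, err := AuthorizationURL("https://auth.example.com/authorize", "moat-cli", "http://127.0.0.1:8976/callback", "mcp:read", "https://mcp.example.com/", state, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("open in browser:", u)
	fmt.Println("code_verifier to present at the token endpoint:", p.Verifier)
}
```

The verifier never leaves the process until the token request; only the challenge travels through the browser, so an attacker who observes the redirect cannot redeem the code. Refusing the `plain` method and comparing `state` in constant time close the two shortcuts most often taken in hand-rolled flows. The exchange that follows is a POST of `grant_type=authorization_code`, `code`, `redirect_uri` and `code_verifier` to the token endpoint.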

func SaveConfig

func SaveConfig(dir, name string, cfg *Config) error

SaveConfig writes an OAuth config to <dir>/<name>.yaml. Creates the directory if it does not exist.

Types

type AuthServerMetadata

type AuthServerMetadata struct {
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	RegistrationEndpoint  string `json:"registration_endpoint,omitempty"`
}

AuthServerMetadata represents RFC 8414 authorization server metadata.

type ClientRegistration

type ClientRegistration struct {
	ClientID string `json:"client_id"`
}

ClientRegistration holds the result of RFC 7591 dynamic client registration.

type Config

type Config struct {
	AuthURL      string `yaml:"auth_url"`
	TokenURL     string `yaml:"token_url"`
	ClientID     string `yaml:"client_id"`
	ClientSecret string `yaml:"client_secret,omitempty"`
	Scopes       string `yaml:"scopes,omitempty"`

	// RegistrationEndpoint is set by discovery when Dynamic Client
	// Registration (RFC 7591) is available. It is not persisted to YAML;
	// once DCR succeeds the resulting ClientID is cached instead.
	RegistrationEndpoint string `yaml:"-"`
}

Config holds the OAuth provider configuration for a named grant. Stored at ~/.moat/oauth/<name>.yaml.

func DiscoverFromMCPServer

func DiscoverFromMCPServer(ctx context.Context, mcpServerURL string) (*Config, string, error)

DiscoverFromMCPServer performs full OAuth discovery from an MCP server URL. It returns the discovered Config, the resource identifier (for RFC 8707), and any error.
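The chain behind DiscoverFromMCPServer is a sequence of documents, each of which names the next: RFC 9728 protected resource metadata on the MCP server lists the authorization servers, RFC 8414 metadata on that server lists the endpoints, and an optional registration endpoint there enables RFC 7591. Because every hop is content a remote party controls, the client has to re-check the scheme at each step or a single http URL in a metadata document quietly downgrades the whole flow. The program below is an added example, not Moat's implementation: it walks the first two documents against a constructed TLS test server, redefines the page's metadata types so it runs stand-alone, assumes only the root well-known path of the MCP origin is tried, and leaves the registration POST out.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Mirrors of the page's metadata types, redefined so this file runs on its own.
type ProtectedResourceMetadata struct {
	Resource             string   `json:"resource"`
	AuthorizationServers []string `json:"authorization_servers"`
}

type AuthServerMetadata struct {
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	RegistrationEndpoint  string `json:"registration_endpoint,omitempty"`
}

// Config carries just the fields discovery fills in (a stand-in for the page's Config).
type Config struct{ AuthURL, TokenURL, RegistrationEndpoint string }

// httpsURL parses raw and rejects anything that is not an absolute https URL.
func httpsURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%q: discovery only trusts absolute https URLs", raw)
	}
	return u, nil
}

// getJSON fetches one metadata document; the body is capped so a hostile server cannot exhaust memory.
func getJSON(ctx context.Context, c *http.Client, u string, v any) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return err
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", u, resp.Status)
	}
	return json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(v)
}

// Discover walks RFC 9728 -> RFC 8414 and returns the endpoints plus the RFC 8707 resource identifier.
// Assumption: only the root well-known path of the MCP server's origin is tried.
func Discover(ctx context.Context, c *http.Client, mcpServerURL string) (*Config, string, error) {
	rs, err := httpsURL(mcpServerURL)
	if err != nil {
		return nil, "", err
	}
	var prm ProtectedResourceMetadata
	if err := getJSON(ctx, c, rs.Scheme+"://"+rs.Host+"/.well-known/oauth-protected-resource", &prm); err != nil {
		return nil, "", err
	}
	if prm.Resource == "" || len(prm.AuthorizationServers) == 0 {
		return nil, "", errors.New("protected resource metadata lacks resource or authorization_servers")
	}
	as, err := httpsURL(prm.AuthorizationServers[0])
	if err != nil {
		return nil, "", err
	}
	// RFC 8414 section 3: the well-known segment sits between the host and the issuer's path.
	var meta AuthServerMetadata
	metaURL := as.Scheme + "://" + as.Host + "/.well-known/oauth-authorization-server" + strings.TrimSuffix(as.Path, "/")
	if err := getJSON(ctx, c, metaURL, &meta); err != nil {
		return nil, "", err
	}
	for _, ep := range []string{meta.AuthorizationEndpoint, meta.TokenEndpoint} { // remote-supplied: no http downgrade
		if _, err := httpsURL(ep); err != nil {
			return nil, "", err
		}
	}
	return &Config{AuthURL: meta.AuthorizationEndpoint, TokenURL: meta.TokenEndpoint, RegistrationEndpoint: meta.RegistrationEndpoint}, prm.Resource, nil
}

// runDemo serves constructed metadata for an MCP server and its authorization server from one TLS listener.
func runDemo() (*Config, string, error) {
	mux := http.NewServeMux()
	srv := httptest.NewTLSServer(mux)
	defer srv.Close()
	mux.HandleFunc("/.well-known/oauth-protected-resource", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(ProtectedResourceMetadata{Resource: srv.URL + "/mcp", AuthorizationServers: []string{srv.URL + "/auth"}})
	})
	mux.HandleFunc("/.well-known/oauth-authorization-server/auth", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(AuthServerMetadata{AuthorizationEndpoint: srv.URL + "/auth/authorize",
			TokenEndpoint: srv.URL + "/auth/token", RegistrationEndpoint: srv.URL + "/auth/register"})
	})
	return Discover(context.Background(), srv.Client(), srv.URL+"/mcp")
}

func main() {
	cfg, resource, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("authorize=%s token=%s register=%s resource=%s\n", cfg.AuthURL, cfg.TokenURL, cfg.RegistrationEndpoint, resource)
}
```

The resource value returned is what goes into the `resource` parameter of the authorization and token requests (RFC 8707), so a token minted for one MCP server cannot be replayed against another. The body cap and the per-hop https check are the two defences a discovery client needs against a server that is itself hostile, which an MCP endpoint chosen by a user or a third party can be.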

func LoadConfig

func LoadConfig(dir, name string) (*Config, error)

LoadConfig loads an OAuth config from <dir>/<name>.yaml.

func (*Config) Validate

func (c *Config) Validate() error

Validate checks that required fields are present and URLs use HTTPS.
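What "required fields are present and URLs use HTTPS" should mean concretely is worth spelling out, because the URLs in a Config can arrive from a YAML file a user edited or from discovery, and the token endpoint is where the client secret and refresh token are sent. The code below is an added example, not Moat's Validate: it mirrors the page's Config (without YAML tags), rejects non-https schemes, missing hosts, embedded credentials and fragments, and assumes that client_id may be left empty only when a registration endpoint is known, following the Config comment that dynamic registration fills it in later. The project's actual rule may differ.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Config mirrors the page's type (YAML tags omitted; this file does not parse YAML).
type Config struct {
	AuthURL, TokenURL, ClientID, ClientSecret, Scopes, RegistrationEndpoint string
}

// checkHTTPS rejects anything but an absolute https URL without embedded credentials or a fragment.
// url.Parse lowercases the scheme, so "HTTPS://" passes while "http://" does not.
func checkHTTPS(field, raw string) error {
	if strings.TrimSpace(raw) == "" {
		return fmt.Errorf("%s is required", field)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: %w", field, err)
	}
	switch {
	case u.Scheme != "https":
		return fmt.Errorf("%s must use https, got %q", field, u.Scheme)
	case u.Host == "":
		return fmt.Errorf("%s has no host", field)
	case u.User != nil:
		return fmt.Errorf("%s must not embed credentials", field)
	case u.Fragment != "":
		return fmt.Errorf("%s must not carry a fragment", field)
	}
	return nil
}

// Validate reports every problem at once, so a user fixing a YAML file does not iterate one error at a time.
// Assumption: client_id is optional when a registration endpoint is available to mint one.
func (c *Config) Validate() error {
	var errs []error
	for field, raw := range map[string]string{"auth_url": c.AuthURL, "token_url": c.TokenURL} {
		if err := checkHTTPS(field, raw); err != nil {
			errs = append(errs, err)
		}
	}
	if c.RegistrationEndpoint != "" {
		if err := checkHTTPS("registration_endpoint", c.RegistrationEndpoint); err != nil {
			errs = append(errs, err)
		}
	}
	if strings.TrimSpace(c.ClientID) == "" && c.RegistrationEndpoint == "" {
		errs = append(errs, errors.New("client_id is required unless dynamic registration is available"))
	}
	return errors.Join(errs...) // nil when nothing was appended
}

func main() {
	// Constructed configs: one that passes and one with an http downgrade plus credentials in the URL.
	good := Config{AuthURL: "https://auth.example.com/authorize", TokenURL: "https://auth.example.com/token", ClientID: "moat-cli"}
	bad := Config{AuthURL: "http://auth.example.com/authorize", TokenURL: "https://user:pw@auth.example.com/token"}
	fmt.Println("good:", good.Validate())
	fmt.Println("bad:", bad.Validate())
}
```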

type ProtectedResourceMetadata

type ProtectedResourceMetadata struct {
	Resource             string   `json:"resource"`
	AuthorizationServers []string `json:"authorization_servers"`
}

ProtectedResourceMetadata represents RFC 9728 protected resource metadata.

type Provider

type Provider struct{}

Provider implements provider.CredentialProvider and provider.RefreshableProvider for OAuth-based credentials.

func (*Provider) CanRefresh

func (p *Provider) CanRefresh(cred *provider.Credential) bool

CanRefresh reports whether this credential supports background refresh. Requires metadata indicating an OAuth token source, a non-zero expiry, and a refresh token.

func (*Provider) Cleanup

func (p *Provider) Cleanup(_ string)

Cleanup is a no-op.

func (*Provider) ConfigureProxy

func (p *Provider) ConfigureProxy(_ provider.ProxyConfigurer, _ *provider.Credential)

ConfigureProxy is a no-op. OAuth doesn't know which hosts to configure at registration time; host-specific proxy rules are set up per-grant.

func (*Provider) ContainerEnv

func (p *Provider) ContainerEnv(_ *provider.Credential) []string

ContainerEnv returns no environment variables.

func (*Provider) ContainerMounts

func (p *Provider) ContainerMounts(_ *provider.Credential, _ string) ([]provider.MountConfig, string, error)

ContainerMounts returns no mounts.

func (*Provider) Grant

func (p *Provider) Grant(_ context.Context) (*provider.Credential, error)

Grant returns an error directing users to the proper CLI command. The real grant flow is handled by the CLI command `moat grant oauth <name>`.

func (*Provider) ImpliedDependencies

func (p *Provider) ImpliedDependencies() []string

ImpliedDependencies returns no dependencies.

func (*Provider) Name

func (p *Provider) Name() string

Name returns the provider identifier.

func (*Provider) Refresh

Refresh attempts to refresh the OAuth token using the refresh_token grant. Returns ErrRefreshNotSupported if the credential is nil or not refreshable.
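CanRefresh and Refresh together define the background refresh loop: a credential qualifies only with an OAuth source, a non-zero expiry and a refresh token, and the refresh_token grant then yields a new access token and, under OAuth 2.1 rotation, usually a new refresh token as well. The part that bites in practice is what happens when a rotated-away token is presented again: the server answers `invalid_grant`, and the right response is to stop refreshing and send the user back through the grant, not to retry. The program below is an added example, not Moat's Provider: it uses a stand-in Credential type with illustrative field names, a constructed token endpoint that makes every refresh token single-use, a fixed clock, and a public client (no client secret, which is what RFC 7591 registration with `token_endpoint_auth_method` of `none` produces).

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

var ErrRefreshNotSupported = errors.New("credential does not support refresh")
var ErrReauthRequired = errors.New("refresh token rejected: run the grant again")

// Credential is a stand-in for provider.Credential (assumption: field names are illustrative).
type Credential struct {
	AccessToken, RefreshToken string
	ExpiresAt                 time.Time
	Metadata                  map[string]string
}

// TokenResponse mirrors the page's type.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
}

// CanRefresh applies the page's three conditions: OAuth token source, non-zero expiry, refresh token present.
func CanRefresh(c *Credential) bool {
	return c != nil && c.Metadata["source"] == "oauth" && !c.ExpiresAt.IsZero() && c.RefreshToken != ""
}

// Refresh runs the refresh_token grant as a public client and returns a new credential; the input is never mutated.
func Refresh(ctx context.Context, c *http.Client, tokenURL, clientID string, cred *Credential, now time.Time) (*Credential, error) {
	if !CanRefresh(cred) {
		return nil, ErrRefreshNotSupported
	}
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {cred.RefreshToken}, "client_id": {clientID}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap: token responses are small
	if resp.StatusCode != http.StatusOK {
		var oe map[string]string // RFC 6749 section 5.2 error body
		_ = json.Unmarshal(body, &oe)
		if oe["error"] == "invalid_grant" { // rotated-away, revoked or expired refresh token: fail closed
			return nil, ErrReauthRequired
		}
		return nil, fmt.Errorf("token endpoint: %s (%s)", resp.Status, oe["error"])
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil || tr.AccessToken == "" {
		return nil, errors.New("token endpoint returned no access_token")
	}
	next := &Credential{AccessToken: tr.AccessToken, RefreshToken: cred.RefreshToken, Metadata: cred.Metadata}
	if tr.RefreshToken != "" { // rotation: adopt the replacement; the old value is now dead server-side
		next.RefreshToken = tr.RefreshToken
	}
	if tr.ExpiresIn > 0 { // without expires_in ExpiresAt stays zero and CanRefresh stops scheduling refreshes
		next.ExpiresAt = now.Add(time.Duration(tr.ExpiresIn) * time.Second)
	}
	return next, nil
}

// fakeTokenEndpoint is a constructed server: rt-1 can be redeemed once and is rotated to rt-2.
func fakeTokenEndpoint() http.Handler {
	used := false // demo only: unlocked, the calls below are sequential
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if used || r.PostFormValue("grant_type") != "refresh_token" || r.PostFormValue("refresh_token") != "rt-1" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_grant"})
			return
		}
		used = true
		json.NewEncoder(w).Encode(TokenResponse{AccessToken: "at-2", RefreshToken: "rt-2", ExpiresIn: 3600})
	})
}

// runDemo refreshes once, then replays the consumed refresh token. It returns the rotated credential and
// the replay's error; a nil credential means the first refresh itself failed with the returned error.
func runDemo() (*Credential, error) {
	srv := httptest.NewTLSServer(fakeTokenEndpoint())
	defer srv.Close()
	now := time.Date(2026, 4, 7, 12, 0, 0, 0, time.UTC) // constructed clock
	old := &Credential{AccessToken: "at-1", RefreshToken: "rt-1", ExpiresAt: now.Add(time.Minute), Metadata: map[string]string{"source": "oauth"}}
	fresh, err := Refresh(context.Background(), srv.Client(), srv.URL+"/token", "moat-cli", old, now)
	if err != nil {
		return nil, err
	}
	_, replayErr := Refresh(context.Background(), srv.Client(), srv.URL+"/token", "moat-cli", old, now)
	return fresh, replayErr
}

func main() {
	fresh, replayErr := runDemo()
	fmt.Printf("after refresh: %+v\nreplaying rt-1: %v\n", fresh, replayErr)
}
```

Two details matter for a loop that runs unattended at RefreshInterval: the caller must persist the returned credential before the old one is discarded, since the server has already invalidated `rt-1` by the time `rt-2` arrives, and `ErrReauthRequired` must stop the loop for that grant rather than be retried, because every retry presents a token the server has already rejected and some servers treat that replay as a theft signal and revoke the whole grant.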

func (*Provider) RefreshInterval

func (p *Provider) RefreshInterval() time.Duration

RefreshInterval returns how often to attempt token refresh.

type TokenResponse

type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
}

TokenResponse holds the JSON response from the token endpoint.
