oauth2

package
v1.2.19
Published: Feb 10, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func GeneratePKCEChallenge

func GeneratePKCEChallenge() (verifier, challenge string, err error)

GeneratePKCEChallenge generates the code_verifier and code_challenge for PKCE (RFC 7636). Returns:

  • verifier: Random 128-character string (stored securely, never sent to server)
  • challenge: SHA256 hash of verifier, base64url encoded (sent in authorization request)

func SetLogger

func SetLogger(l schemas.Logger)

func ValidatePKCEChallenge

func ValidatePKCEChallenge(verifier, challenge string) bool

ValidatePKCEChallenge validates that a code_verifier matches the expected code_challenge. Used during testing or debugging.
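As an added example (not the package's own code), the Go program below shows what GeneratePKCEChallenge and ValidatePKCEChallenge describe: a random 128-character code_verifier, the S256 code_challenge derived from it, and the check a token endpoint performs at exchange time, namely that the presented verifier reproduces the stored challenge. The function names, the 96-byte entropy choice (which encodes to exactly 128 base64url characters) and the constant-time comparison are this example's own choices, not the package's.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// verifierBytes random bytes encode to exactly 128 unpadded base64url characters,
// the longest code_verifier RFC 7636 section 4.1 permits (and the length the page
// documents for GeneratePKCEChallenge).
const verifierBytes = 96

// generatePKCE returns a fresh code_verifier and its S256 code_challenge.
// The verifier stays client-side; only the challenge goes to the authorization endpoint.
func generatePKCE() (verifier, challenge string, err error) {
	raw := make([]byte, verifierBytes)
	if _, readErr := rand.Read(raw); readErr != nil {
		return "", "", fmt.Errorf("pkce: %w", readErr)
	}
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	return verifier, s256Challenge(verifier), nil
}

// s256Challenge is BASE64URL(SHA256(ASCII(code_verifier))) from RFC 7636 section 4.2.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces the RFC 7636 section 4.1 grammar: 43 to 128 characters
// drawn from [A-Za-z0-9-._~].
func validVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// validatePKCE is what the token endpoint does on exchange: recompute the challenge
// from the presented verifier and compare it in constant time to the stored one.
func validatePKCE(verifier, challenge string) bool {
	if !validVerifier(verifier) {
		return false
	}
	expected := s256Challenge(verifier)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(challenge)) == 1
}

func main() {
	v, c, err := generatePKCE()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verifier (%d chars): %s\nchallenge: %s\nvalid: %v\n", len(v), v, c, validatePKCE(v, c))
}
```

The S256 derivation can be checked against the test vector in RFC 7636 Appendix B: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must yield the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.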

Types

type DynamicClientRegistrationRequest

type DynamicClientRegistrationRequest struct {
	ClientName              string   `json:"client_name"`
	RedirectURIs            []string `json:"redirect_uris"`
	GrantTypes              []string `json:"grant_types"`
	ResponseTypes           []string `json:"response_types"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method"`
	Scope                   string   `json:"scope,omitempty"`
	LogoURI                 string   `json:"logo_uri,omitempty"`
	ClientURI               string   `json:"client_uri,omitempty"`
	Contacts                []string `json:"contacts,omitempty"`
}

DynamicClientRegistrationRequest represents the client registration request (RFC 7591)

type DynamicClientRegistrationResponse

type DynamicClientRegistrationResponse struct {
	ClientID                string `json:"client_id"`
	ClientSecret            string `json:"client_secret,omitempty"`
	ClientIDIssuedAt        int64  `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt   int64  `json:"client_secret_expires_at,omitempty"`
	RegistrationAccessToken string `json:"registration_access_token,omitempty"`
	RegistrationClientURI   string `json:"registration_client_uri,omitempty"`
}

DynamicClientRegistrationResponse represents the server's response (RFC 7591)

func RegisterDynamicClient

func RegisterDynamicClient(ctx context.Context, registrationURL string, req *DynamicClientRegistrationRequest) (*DynamicClientRegistrationResponse, error)

RegisterDynamicClient performs dynamic client registration with the OAuth provider (RFC 7591). This allows Bifrost to automatically register as an OAuth client without manual setup.

Parameters:

  • ctx: Context for the registration request
  • registrationURL: The registration endpoint (discovered or user-provided)
  • req: Client registration details

Returns client_id and optional client_secret that can be used for OAuth flows.
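The request and response structs above, together with RegisterDynamicClient, describe a single HTTP exchange. As an added example, not the package's own RegisterDynamicClient, the Go program below performs that exchange against an in-process httptest server standing in for the authorization server. The trimmed struct mirrors, the fake server's redirect-URI policy, and every client identifier and secret it issues are constructed for illustration only.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Mirrors of the page's request/response structs, reduced to what this example uses.
type registrationRequest struct {
	ClientName              string   `json:"client_name"`
	RedirectURIs            []string `json:"redirect_uris"`
	GrantTypes              []string `json:"grant_types"`
	ResponseTypes           []string `json:"response_types"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method"`
}

type registrationResponse struct {
	ClientID              string `json:"client_id"`
	ClientSecret          string `json:"client_secret,omitempty"`
	ClientIDIssuedAt      int64  `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt int64  `json:"client_secret_expires_at,omitempty"`
}

// registerClient POSTs the RFC 7591 registration document and validates the reply (added example,
// not the package's RegisterDynamicClient). A public client (auth method "none") must not end up
// holding a secret it did not ask for.
func registerClient(ctx context.Context, hc *http.Client, registrationURL string, req *registrationRequest) (*registrationResponse, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, registrationURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	httpReq.Header.Set("Content-Type", "application/json")
	httpReq.Header.Set("Accept", "application/json")
	resp, err := hc.Do(httpReq)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what an unexpected server can push at us
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusCreated { // RFC 7591 section 3.2.1: success is 201 Created
		return nil, fmt.Errorf("registration rejected: %s: %s", resp.Status, strings.TrimSpace(string(raw)))
	}
	var out registrationResponse
	if err := json.Unmarshal(raw, &out); err != nil || out.ClientID == "" {
		return nil, fmt.Errorf("malformed registration response (err=%v)", err)
	}
	if req.TokenEndpointAuthMethod == "none" && out.ClientSecret != "" {
		return nil, fmt.Errorf("server issued a client_secret to a public client")
	}
	return &out, nil
}

// newFakeAuthServer stands in for the provider's registration endpoint: it rejects redirect URIs
// that are not https (loopback 127.0.0.1 excepted, as in RFC 8252) with invalid_redirect_uri and
// otherwise issues a constructed client_id, adding a secret only for confidential clients.
func newFakeAuthServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		var req registrationRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || len(req.RedirectURIs) == 0 {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_client_metadata"}`)
			return
		}
		for _, u := range req.RedirectURIs {
			if !strings.HasPrefix(u, "https://") && !strings.HasPrefix(u, "http://127.0.0.1") {
				w.WriteHeader(http.StatusBadRequest)
				fmt.Fprint(w, `{"error":"invalid_redirect_uri"}`)
				return
			}
		}
		out := registrationResponse{ClientID: "constructed-client-id", ClientIDIssuedAt: time.Now().Unix()}
		if req.TokenEndpointAuthMethod != "none" {
			out.ClientSecret = "constructed-client-secret" // fixture value, never a real credential
		}
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(out)
	}))
}

func main() {
	srv := newFakeAuthServer()
	defer srv.Close()
	resp, err := registerClient(context.Background(), srv.Client(), srv.URL, &registrationRequest{
		ClientName:              "Bifrost gateway (constructed)",
		RedirectURIs:            []string{"https://gateway.example.test/oauth/callback"},
		GrantTypes:              []string{"authorization_code", "refresh_token"},
		ResponseTypes:           []string{"code"},
		TokenEndpointAuthMethod: "none",
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("registered client_id=%s secret_issued=%v\n", resp.ClientID, resp.ClientSecret != "")
}
```

The two client-side checks worth keeping in a real implementation are the status code (a 200 with an error body is not a registration) and the refusal of an unsolicited client_secret, since a gateway that silently stores one will later authenticate as a confidential client it never intended to be.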

type OAuth2Provider

type OAuth2Provider struct {
	// contains filtered or unexported fields
}

OAuth2Provider implements the schemas.OAuth2Provider interface. It provides OAuth 2.0 authentication functionality with database persistence.

func NewOAuth2Provider

func NewOAuth2Provider(configStore configstore.ConfigStore, logger schemas.Logger) *OAuth2Provider

NewOAuth2Provider creates a new OAuth provider instance

func (*OAuth2Provider) CompleteOAuthFlow

func (p *OAuth2Provider) CompleteOAuthFlow(ctx context.Context, state, code string) error

CompleteOAuthFlow handles the OAuth callback and exchanges the code for tokens. Supports PKCE verification.

func (*OAuth2Provider) GetAccessToken

func (p *OAuth2Provider) GetAccessToken(ctx context.Context, oauthConfigID string) (string, error)

GetAccessToken retrieves the access token for a given oauth_config_id

func (*OAuth2Provider) GetPendingMCPClient

func (p *OAuth2Provider) GetPendingMCPClient(oauthConfigID string) (*schemas.MCPClientConfig, error)

GetPendingMCPClient retrieves an MCP client config by oauth_config_id. Returns nil if no pending config is found or if the oauth config has expired.

func (*OAuth2Provider) GetPendingMCPClientByState

func (p *OAuth2Provider) GetPendingMCPClientByState(state string) (*schemas.MCPClientConfig, string, error)

GetPendingMCPClientByState retrieves an MCP client config by OAuth state token. This is useful when the callback only has the state parameter.

func (*OAuth2Provider) InitiateOAuthFlow

func (p *OAuth2Provider) InitiateOAuthFlow(ctx context.Context, config *schemas.OAuth2Config) (*schemas.OAuth2FlowInitiation, error)

InitiateOAuthFlow creates an OAuth config and returns the authorization URL. Supports OAuth discovery and PKCE.

func (*OAuth2Provider) RefreshAccessToken

func (p *OAuth2Provider) RefreshAccessToken(ctx context.Context, oauthConfigID string) error

RefreshAccessToken refreshes the access token for a given oauth_config_id

func (*OAuth2Provider) RemovePendingMCPClient

func (p *OAuth2Provider) RemovePendingMCPClient(oauthConfigID string) error

RemovePendingMCPClient clears the pending MCP client config from the oauth config. This is called after OAuth completion to clean up.

func (*OAuth2Provider) RevokeToken

func (p *OAuth2Provider) RevokeToken(ctx context.Context, oauthConfigID string) error

RevokeToken revokes the OAuth token

func (*OAuth2Provider) StorePendingMCPClient

func (p *OAuth2Provider) StorePendingMCPClient(oauthConfigID string, mcpClientConfig schemas.MCPClientConfig) error

StorePendingMCPClient stores an MCP client config that is waiting for OAuth completion. The config is persisted in the database (oauth_configs.mcp_client_config_json) to support multi-instance deployments, where the OAuth callback may hit a different server instance.

func (*OAuth2Provider) ValidateToken

func (p *OAuth2Provider) ValidateToken(ctx context.Context, oauthConfigID string) (bool, error)

ValidateToken checks if the token is still valid

type OAuthMetadata

type OAuthMetadata struct {
	AuthorizationURL string   `json:"authorization_endpoint"`
	TokenURL         string   `json:"token_endpoint"`
	RegistrationURL  *string  `json:"registration_endpoint,omitempty"`
	ScopesSupported  []string `json:"scopes_supported,omitempty"`
	Issuer           string   `json:"issuer,omitempty"`
	ResponseTypes    []string `json:"response_types_supported,omitempty"`
	GrantTypes       []string `json:"grant_types_supported,omitempty"`
	TokenAuthMethods []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	PKCEMethods      []string `json:"code_challenge_methods_supported,omitempty"`
}

OAuthMetadata contains the OAuth configuration discovered from the authorization server.

func DiscoverOAuthMetadata

func DiscoverOAuthMetadata(ctx context.Context, serverURL string) (*OAuthMetadata, error)

DiscoverOAuthMetadata performs OAuth 2.0 discovery for the given MCP server URL, following RFC 8414 (Authorization Server Discovery) and RFC 9728 (Protected Resource Metadata).

Parameters:

  • ctx: Context for the discovery requests
  • serverURL: The MCP server URL to discover OAuth configuration from
  • logger: Logger for discovery progress (can be nil for silent operation)

The discovery process:

  1. Attempt to connect to the MCP server, expecting a 401 with a WWW-Authenticate header
  2. Parse the WWW-Authenticate header for the resource_metadata URL and scopes
  3. Fetch the resource metadata to get the authorization server URLs
  4. Try .well-known discovery if resource metadata is not available
  5. Fetch the authorization server metadata from the discovered URLs
  6. Return the complete OAuth configuration
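The discovery steps above, as an added example that is not the package's DiscoverOAuthMetadata: steps 2 to 6 run offline against constructed fixtures (a WWW-Authenticate challenge, a protected-resource document and an authorization-server document), with the HTTP fetch injected as a function so the same code can be pointed at a real http.Client. Step 1 (the request that draws the 401) and the resource-metadata-unavailable fallback of step 4 are not reproduced. The struct mirrors, the issuer and S256 checks, and the quoted-value-only header parser are this example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Trimmed mirrors of the page's ResourceMetadata and OAuthMetadata (field names are this example's own).
type resourceMetadata struct {
	AuthorizationServers []string `json:"authorization_servers"`
}

type serverMetadata struct {
	Issuer           string   `json:"issuer"`
	AuthorizationURL string   `json:"authorization_endpoint"`
	TokenURL         string   `json:"token_endpoint"`
	PKCEMethods      []string `json:"code_challenge_methods_supported,omitempty"`
}

// authParam matches quoted auth-params such as resource_metadata="..." and scope="..." (the form
// RFC 9728 section 5.1 uses); bare token values and backslash escapes are not handled here.
var authParam = regexp.MustCompile(`([A-Za-z0-9_-]+)="([^"]*)"`)

// parseWWWAuthenticate returns a Bearer challenge's auth-params keyed by lower-cased name.
func parseWWWAuthenticate(header string) (map[string]string, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("unsupported challenge scheme %q", scheme)
	}
	params := map[string]string{}
	for _, m := range authParam.FindAllStringSubmatch(rest, -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	return params, nil
}

// wellKnownURL builds the RFC 8414 section 3.1 location: the well-known segment goes between the
// host and the issuer's own path, so https://as.example.test/tenant1 is looked up at
// https://as.example.test/.well-known/oauth-authorization-server/tenant1.
func wellKnownURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer %q must be an https URL without query or fragment", issuer)
	}
	u.Path, u.RawPath = "/.well-known/oauth-authorization-server"+strings.TrimSuffix(u.Path, "/"), ""
	return u.String(), nil
}

// discover runs the page's steps 2 to 6. fetch (get a URL, decode its JSON into the target) is
// injected so the flow runs offline from the constructed fixtures below; in production it would
// wrap an http.Client GET plus a json.Decoder.
func discover(wwwAuth string, fetch func(string, any) error) (*serverMetadata, []string, error) {
	params, err := parseWWWAuthenticate(wwwAuth)
	if err != nil {
		return nil, nil, err
	}
	var rm resourceMetadata
	if err := fetch(params["resource_metadata"], &rm); err != nil || len(rm.AuthorizationServers) == 0 {
		return nil, nil, fmt.Errorf("resource metadata unusable (err=%v)", err)
	}
	issuer := rm.AuthorizationServers[0]
	wk, err := wellKnownURL(issuer)
	if err != nil {
		return nil, nil, err
	}
	var sm serverMetadata
	if err := fetch(wk, &sm); err != nil {
		return nil, nil, fmt.Errorf("server metadata: %w", err)
	}
	// RFC 8414 section 3.3: the issuer inside the document must equal the value it was looked up under.
	if sm.Issuer != issuer {
		return nil, nil, fmt.Errorf("issuer mismatch: metadata says %q, looked up %q", sm.Issuer, issuer)
	}
	s256 := false // the PKCE flow needs S256 advertised, or the code_challenge is useless here
	for _, m := range sm.PKCEMethods {
		s256 = s256 || m == "S256"
	}
	if !s256 {
		return nil, nil, fmt.Errorf("server does not advertise S256 in code_challenge_methods_supported")
	}
	return &sm, strings.Fields(params["scope"]), nil
}

// Constructed fixtures standing in for the MCP server's 401 challenge and the two metadata documents.
const sampleChallenge = `Bearer realm="mcp", resource_metadata="https://mcp.example.test/.well-known/oauth-protected-resource", scope="mcp:read mcp:write"`

var fixtures = map[string]string{
	"https://mcp.example.test/.well-known/oauth-protected-resource":          `{"authorization_servers":["https://as.example.test/tenant1"],"scopes_supported":["mcp:read","mcp:write"]}`,
	"https://as.example.test/.well-known/oauth-authorization-server/tenant1": `{"issuer":"https://as.example.test/tenant1","authorization_endpoint":"https://as.example.test/tenant1/authorize","token_endpoint":"https://as.example.test/tenant1/token","code_challenge_methods_supported":["S256"]}`,
}

func fixtureFetch(u string, into any) error {
	body, ok := fixtures[u]
	if !ok {
		return fmt.Errorf("no fixture for %s", u)
	}
	return json.Unmarshal([]byte(body), into)
}
```

Calling discover(sampleChallenge, fixtureFetch) yields the token and authorization endpoints under https://as.example.test/tenant1 and the scopes mcp:read and mcp:write. The issuer comparison is the check that matters most in this flow: a metadata document that names a different issuer than the one it was fetched for would otherwise let the resource server's authorization_servers entry redirect the client to endpoints it never intended to trust.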

type ResourceMetadata

type ResourceMetadata struct {
	AuthorizationServers []string `json:"authorization_servers"`
	ScopesSupported      []string `json:"scopes_supported,omitempty"`
	Scopes               []string `json:"scopes,omitempty"` // Alternative field name
}

ResourceMetadata contains the metadata published by the protected resource.

type TokenRefreshWorker

type TokenRefreshWorker struct {
	// contains filtered or unexported fields
}

TokenRefreshWorker manages automatic token refresh for expiring OAuth tokens

func NewTokenRefreshWorker

func NewTokenRefreshWorker(provider *OAuth2Provider, logger schemas.Logger) *TokenRefreshWorker

NewTokenRefreshWorker creates a new token refresh worker

func (*TokenRefreshWorker) SetLookAheadWindow

func (w *TokenRefreshWorker) SetLookAheadWindow(window time.Duration)

SetLookAheadWindow updates the look-ahead window for token expiry (for testing)

func (*TokenRefreshWorker) SetRefreshInterval

func (w *TokenRefreshWorker) SetRefreshInterval(interval time.Duration)

SetRefreshInterval updates the refresh check interval (for testing)

func (*TokenRefreshWorker) Start

func (w *TokenRefreshWorker) Start(ctx context.Context)

Start begins the token refresh worker in a background goroutine

func (*TokenRefreshWorker) Stop

func (w *TokenRefreshWorker) Stop()

Stop gracefully stops the token refresh worker
