auth

package v1.2.0-pre.1

Published: Dec 12, 2025 License: MIT Imports: 8 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

var ErrInvalidToken = errors.New("invalid token")

The error that a TokenVerifier should return if the token cannot be verified.

var ErrOAuth = errors.New("oauth error")

The error that a TokenVerifier should return for OAuth-specific protocol errors.

Functions

func ProtectedResourceMetadataHandler

func ProtectedResourceMetadataHandler(metadata *oauthex.ProtectedResourceMetadata) http.Handler

ProtectedResourceMetadataHandler returns an http.Handler that serves OAuth 2.0 protected resource metadata (RFC 9728) with CORS support.

This handler allows cross-origin requests from any origin (Access-Control-Allow-Origin: *) because OAuth metadata is public information intended for client discovery (RFC 9728 §3.1). The metadata contains only non-sensitive configuration data about authorization servers and supported scopes.

No validation of metadata fields is performed; ensure metadata accuracy at configuration time.

For more sophisticated CORS policies or to restrict origins, wrap this handler with a CORS middleware like github.com/rs/cors or github.com/jub0bs/cors.

func RequireBearerToken

func RequireBearerToken(verifier TokenVerifier, opts *RequireBearerTokenOptions) func(http.Handler) http.Handler

RequireBearerToken returns a piece of middleware that verifies a bearer token using the verifier. If verification succeeds, the TokenInfo is added to the request's context and the request proceeds. If verification fails, the request fails with a 401 Unauthorized response, and the WWW-Authenticate header is populated so that the client can discover the protected resource metadata.

Types

type RequireBearerTokenOptions

type RequireBearerTokenOptions struct {
	// The URL for the resource server metadata OAuth flow, to be returned as part
	// of the WWW-Authenticate header.
	ResourceMetadataURL string
	// The required scopes.
	Scopes []string
}

RequireBearerTokenOptions are options for RequireBearerToken.

type TokenInfo

type TokenInfo struct {
	Scopes     []string
	Expiration time.Time
	// UserID is an optional identifier for the authenticated user.
	// If set by a TokenVerifier, it can be used by transports to prevent
	// session hijacking by ensuring that all requests for a given session
	// come from the same user.
	UserID string
	// TODO: add standard JWT fields
	Extra map[string]any
}

TokenInfo holds information from a bearer token.

func TokenInfoFromContext

func TokenInfoFromContext(ctx context.Context) *TokenInfo

TokenInfoFromContext returns the TokenInfo stored in ctx, or nil if none.

type TokenVerifier

type TokenVerifier func(ctx context.Context, token string, req *http.Request) (*TokenInfo, error)

A TokenVerifier checks the validity of a bearer token and extracts information from it. If verification fails, it should return an error that unwraps to ErrInvalidToken. The HTTP request is provided in case verification depends on properties of the request.
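How RequireBearerToken and a TokenVerifier fit together, as an added example that is not the package's own code: the declarations mirror the page, requireBearerToken is a hypothetical stand-in for the real middleware, demoVerifier and the metadata URL are constructed, and answering 500 for verifier errors that do not unwrap to ErrInvalidToken is this example's choice, not something the page states.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
var ErrInvalidToken = errors.New("invalid token") // copied from the page; requireBearerToken below is a hypothetical stand-in
type TokenInfo struct{ Scopes []string; UserID string }
type TokenVerifier func(ctx context.Context, token string, req *http.Request) (*TokenInfo, error)
type tokenKey struct{}
func TokenInfoFromContext(ctx context.Context) *TokenInfo { ti, _ := ctx.Value(tokenKey{}).(*TokenInfo); return ti }

// Only an error that unwraps to ErrInvalidToken becomes a 401 whose challenge names the protected resource metadata (RFC 9728 §5.1); any other verifier error is a server-side failure, not a bad token.
func requireBearerToken(verify TokenVerifier, metadataURL string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			info, err := (*TokenInfo)(nil), ErrInvalidToken // no token presented: treated like an invalid one
			if tok, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer "); ok { info, err = verify(r.Context(), tok, r) }
			switch {
			case err == nil:
				next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tokenKey{}, info)))
			case errors.Is(err, ErrInvalidToken):
				w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer resource_metadata=%q`, metadataURL))
				http.Error(w, "unauthorized", http.StatusUnauthorized)
			default:
				http.Error(w, "token verification unavailable", http.StatusInternalServerError)
			}
		})
	}
}

// demoVerifier (constructed) accepts one fixed token, simulates an outage for another, and rejects the rest.
func demoVerifier(_ context.Context, token string, _ *http.Request) (*TokenInfo, error) {
	if token == "demo-token" { return &TokenInfo{Scopes: []string{"mcp:read"}, UserID: "alice"}, nil }
	if token == "outage" { return nil, errors.New("introspection endpoint unreachable") } // does not unwrap to ErrInvalidToken
	return nil, fmt.Errorf("token lookup: %w", ErrInvalidToken) // unwraps to ErrInvalidToken, as the contract requires
}

// Probe runs one request through the middleware; the inner handler echoes the UserID read from the context.
func Probe(authorization string) (status int, challenge, userID string) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, TokenInfoFromContext(r.Context()).UserID) })
	req, rec := httptest.NewRequest("GET", "/", nil), httptest.NewRecorder()
	req.Header.Set("Authorization", authorization)
	requireBearerToken(demoVerifier, "https://rs.example/.well-known/oauth-protected-resource")(echo).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate"), strings.TrimSpace(rec.Body.String())
}
```

Probe("") and Probe("Bearer nope") both get a 401 carrying the resource_metadata challenge, Probe("Bearer demo-token") reaches the inner handler with UserID "alice", and Probe("Bearer outage") gets a 500 with no challenge.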
