oauth

package
v0.0.10 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 2, 2026 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const DefaultDiscoveryTimeout = 5 * time.Second

DefaultDiscoveryTimeout bounds how long we wait for OAuth ProtectedResourceMetaData discovery.

Variables

View Source
var Module = fx.Module(
	"oauth",
	fx.Provide(NewDiscoveryState),
	fx.Invoke(startOAuthDiscovery),
)

Module wires OAuth discovery state and fetcher.

Functions

func BuildOAuthDiscoveryCandidates

func BuildOAuthDiscoveryCandidates(
	ctx context.Context,
	client *http.Client,
	serverURL *url.URL,
	logger *slog.Logger,
) ([]DiscoveryCandidate, *WWWAuthenticateProbeStatus, error)

BuildOAuthDiscoveryCandidates returns the ordered list of OAuth discovery candidates plus probe metadata for UI/reporting. It attempts WWW-Authenticate first, then the RFC 9728 well-known URLs.

func BuildResourceMetadataURLs

func BuildResourceMetadataURLs(serverURL *url.URL) []*url.URL

BuildResourceMetadataURLs constructs the ordered list of candidate OAuth ProtectedResourceMetaData endpoints derived from the MCP server URL. It follows RFC 9728 discovery rules by prioritizing the path-specific well-known URI, then the root well-known URI.

func FetchAuthServerMetadataWithResult

func FetchAuthServerMetadataWithResult(
	ctx context.Context,
	client *http.Client,
	issuerURL string,
) (*AuthServerMetadata, *AuthServerMetadataFetchResult, error)

FetchAuthServerMetadataWithResult fetches metadata and captures detailed fetch attempts.

func IsOptionalDiscoveryFailure

func IsOptionalDiscoveryFailure(
	result *DiscoveryResult,
	probe *WWWAuthenticateProbeStatus,
	err error,
) bool

IsOptionalDiscoveryFailure reports whether OAuth discovery finished, but the target simply does not advertise protected-resource metadata. This should not block tunnel readiness for plain MCP servers.

Types

type AuthServerMetadata

type AuthServerMetadata struct {
	Issuer                string
	AuthorizationEndpoint string
	TokenEndpoint         string
	JWKSURI               string
	IntrospectionEndpoint string
	RegistrationEndpoint  string
	RevocationEndpoint    string
}

AuthServerMetadata is a narrow projection used by tunnel-client OAuth URL collection.

func FetchAuthServerMetadata

func FetchAuthServerMetadata(ctx context.Context, client *http.Client, issuerURL string) (*AuthServerMetadata, error)

FetchAuthServerMetadata fetches RFC 8414 authorization server metadata for issuerURL.

type AuthServerMetadataAttempt

type AuthServerMetadataAttempt struct {
	URL               string                      `json:"url,omitempty"`
	Document          AuthServerMetadataDocument  `json:"document,omitempty"`
	PathStyle         AuthServerMetadataPathStyle `json:"path_style,omitempty"`
	Tried             bool                        `json:"tried,omitempty"`
	Selected          bool                        `json:"selected,omitempty"`
	StatusCode        int                         `json:"status_code,omitempty"`
	Error             string                      `json:"error,omitempty"`
	Warning           string                      `json:"warning,omitempty"`
	IssuerMismatch    bool                        `json:"issuer_mismatch,omitempty"`
	ExpectedIssuerURL string                      `json:"expected_issuer_url,omitempty"`
	MetadataIssuer    string                      `json:"metadata_issuer,omitempty"`
	Headers           http.Header                 `json:"headers,omitempty"`
	Body              json.RawMessage             `json:"body,omitempty"`
	BodyText          string                      `json:"body_text,omitempty"`
}

type AuthServerMetadataDocument

type AuthServerMetadataDocument string
const (
	AuthServerMetadataDocumentOAuthAuthorizationServer AuthServerMetadataDocument = "oauth-authorization-server"
	AuthServerMetadataDocumentOpenIDConfiguration      AuthServerMetadataDocument = "openid-configuration"
)

type AuthServerMetadataFetchResult

type AuthServerMetadataFetchResult struct {
	IssuerURL   string                      `json:"issuer_url,omitempty"`
	SelectedURL string                      `json:"selected_url,omitempty"`
	Attempts    []AuthServerMetadataAttempt `json:"attempts,omitempty"`
}

func BuildURLBundleFromPRMDWithAuthServerMetadata

func BuildURLBundleFromPRMDWithAuthServerMetadata(
	ctx context.Context,
	client *http.Client,
	payload []byte,
	fetchedAt time.Time,
	sourceURL *url.URL,
	options URLBundleOptions,
	logger *slog.Logger,
) (hostbus.URLBundle, *AuthServerMetadataFetchResult, error)

BuildURLBundleFromPRMDWithAuthServerMetadata builds a Harpoon registration bundle from Protected Resource Metadata payload.

Contract: authorization_servers[0] is the source of truth. Additional authorization_servers entries are intentionally ignored for registration and auth-server metadata enrichment.

type AuthServerMetadataPathStyle

type AuthServerMetadataPathStyle string
const (
	AuthServerMetadataPathStylePrepend AuthServerMetadataPathStyle = "prepend"
	AuthServerMetadataPathStyleAppend  AuthServerMetadataPathStyle = "append"
)

type DiscoveryAttempt

type DiscoveryAttempt struct {
	URL        string          `json:"url"`
	Source     DiscoverySource `json:"source"`
	Tried      bool            `json:"tried,omitempty"`
	StatusCode int             `json:"status_code,omitempty"`
	Error      string          `json:"error,omitempty"`
	Selected   bool            `json:"selected,omitempty"`
}

DiscoveryAttempt captures one discovery attempt for UI/reporting.

func FetchOAuthMetadata

func FetchOAuthMetadata(
	ctx context.Context,
	client *http.Client,
	candidates []DiscoveryCandidate,
	logger *slog.Logger,
) (*types.TunnelResponse, *url.URL, []DiscoveryAttempt, error)

FetchOAuthMetadata attempts to retrieve OAuth ProtectedResourceMetaData from the provided candidates. It returns the first successful response with a non-empty body, falling back on 5xx/404 responses and network errors until all options are exhausted.

type DiscoveryCandidate

type DiscoveryCandidate struct {
	URL    *url.URL        `json:"-"`
	Source DiscoverySource `json:"source"`
}

DiscoveryCandidate represents a URL plus its discovery source.

type DiscoveryResult

type DiscoveryResult struct {
	URL                string                         `json:"url,omitempty"`
	FetchedAt          time.Time                      `json:"fetched_at,omitempty"`
	StatusCode         int                            `json:"status_code,omitempty"`
	Headers            http.Header                    `json:"headers,omitempty"`
	Body               json.RawMessage                `json:"body,omitempty"`
	BodyText           string                         `json:"body_text,omitempty"`
	Attempts           []DiscoveryAttempt             `json:"attempts,omitempty"`
	AuthServerMetadata *AuthServerMetadataFetchResult `json:"auth_server_metadata,omitempty"`
}

DiscoveryResult captures OAuth ProtectedResourceMetaData returned by the MCP server.

func BuildDiscoveryResult

func BuildDiscoveryResult(
	resp *types.TunnelResponse,
	sourceURL *url.URL,
	fetchedAt time.Time,
	attempts []DiscoveryAttempt,
) *DiscoveryResult

BuildDiscoveryResult converts the tunnel response into a UI-friendly payload.

type DiscoverySource

type DiscoverySource string

DiscoverySource labels how a metadata candidate was discovered.

const (
	DiscoverySourceWWWAuthenticate DiscoverySource = "www_authenticate"
	DiscoverySourceWellKnownPath   DiscoverySource = "well_known_path"
	DiscoverySourceWellKnownRoot   DiscoverySource = "well_known_root"
)

type DiscoveryState

type DiscoveryState struct {
	// contains filtered or unexported fields
}

DiscoveryState tracks the result of a background OAuth ProtectedResourceMetaData fetch.

func NewDiscoveryState

func NewDiscoveryState() *DiscoveryState

NewDiscoveryState constructs a DiscoveryState ready for updates.

func (*DiscoveryState) IsDone

func (s *DiscoveryState) IsDone() bool

IsDone reports whether the discovery process has completed.

func (*DiscoveryState) Set

func (s *DiscoveryState) Set(
	result *DiscoveryResult,
	err error,
	probe *WWWAuthenticateProbeStatus,
	urls []string,
)

Set records the OAuth discovery result and signals waiters.

func (*DiscoveryState) Wait

Wait blocks until the OAuth ProtectedResourceMetaData is available or the timeout elapses.

type URLBundleOptions

type URLBundleOptions struct {
	UnixSocketPath string
	UnixSocketURL  *url.URL
}

URLBundleOptions carries optional generic transport hints for discovered URLs.

type WWWAuthenticateProbeStatus

type WWWAuthenticateProbeStatus struct {
	Attempted bool   `json:"attempted"`
	URL       string `json:"url,omitempty"`
	Error     string `json:"error,omitempty"`
}

WWWAuthenticateProbeStatus captures the outcome of a WWW-Authenticate probe.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL