Documentation
¶
Index ¶
- Variables
- func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string) (string, error)
- func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string) (string, error)
- type APIKeyAuth
- type AdminAuth
- type AppQuota
- type AppRegistrar
- type AppRegistration
- type DCRHandler
- type DCRRequest
- type DCRResponse
- type NoAuth
Constants ¶
This section is empty.
Variables ¶
var ( ErrAdminForbidden = fmt.Errorf("admin access denied") )
Common errors for admin auth
Functions ¶
func MintResourceToken ¶
func MintResourceToken(userID, appClientID, appSecret string, quota AppQuota, scopes []string) (string, error)
MintResourceToken creates a resource-scoped JWT for a user on behalf of a registered App, signed with the app's shared secret (HS256). This is the backwards-compatible API.
func MintResourceTokenWithKey ¶
func MintResourceTokenWithKey(userID, appClientID string, signingKey any, quota AppQuota, scopes []string) (string, error)
MintResourceTokenWithKey creates a resource-scoped JWT signed with the provided key. The signing algorithm is auto-detected from the key type:
- []byte → HS256
- *rsa.PrivateKey → RS256
- *ecdsa.PrivateKey → ES256
Types ¶
type APIKeyAuth ¶
type APIKeyAuth struct {
// contains filtered or unexported fields
}
APIKeyAuth authenticates requests using a shared API key passed in the X-Admin-Key header.
func NewAPIKeyAuth ¶
func NewAPIKeyAuth(key string) *APIKeyAuth
NewAPIKeyAuth creates an AdminAuth that validates the X-Admin-Key header.
func (*APIKeyAuth) Authenticate ¶
func (a *APIKeyAuth) Authenticate(r *http.Request) error
type AdminAuth ¶
type AdminAuth interface {
// Authenticate checks whether the request is authorized.
// Returns nil if authorized, or an error describing why not.
Authenticate(r *http.Request) error
}
AdminAuth authenticates admin requests to protected endpoints (e.g., Host registration, key rotation).
type AppQuota ¶
type AppQuota struct {
MaxRooms int `json:"max_rooms,omitempty"`
MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
}
AppQuota contains per-app quota limits embedded as custom claims in resource-scoped JWTs.
type AppRegistrar ¶
type AppRegistrar struct {
KeyStore keys.KeyStorage
Auth AdminAuth
// KidStore retains old keys during rotation grace periods so that
// in-flight tokens signed with the previous key remain verifiable.
// If nil, rotation replaces the key immediately with no grace period.
KidStore *keys.KidStore
// DefaultGracePeriod is the default grace period for key rotation
// when not specified in the request. Defaults to 24h.
DefaultGracePeriod time.Duration
// contains filtered or unexported fields
}
AppRegistrar is an embeddable HTTP handler for App registration CRUD. Mount it on any admin service's mux to let apps register and obtain signing credentials. Create with NewAppRegistrar().
func NewAppRegistrar ¶ added in v0.0.53
func NewAppRegistrar(keyStore keys.KeyStorage, auth AdminAuth) *AppRegistrar
NewAppRegistrar creates an AppRegistrar with initialized internal state.
func (*AppRegistrar) Handler ¶
func (h *AppRegistrar) Handler() http.Handler
Handler returns an http.Handler for app registration endpoints. Includes both custom OneAuth API and RFC 7591 DCR endpoint:
POST /apps/register — OneAuth custom registration
POST /apps/dcr — RFC 7591 Dynamic Client Registration
GET /apps — List all apps
GET /apps/{id} — Get app metadata
DELETE /apps/{id} — Delete app
POST /apps/{id}/rotate — Rotate secret/key
func (*AppRegistrar) RLockApps ¶
func (h *AppRegistrar) RLockApps(fn func(map[string]*AppRegistration))
RLockApps calls fn with a read-locked view of all registered apps.
type AppRegistration ¶
type AppRegistration struct {
ClientID string `json:"client_id"`
ClientDomain string `json:"client_domain"`
SigningAlg string `json:"signing_alg"`
MaxRooms int `json:"max_rooms,omitempty"`
MaxMsgRate float64 `json:"max_msg_rate,omitempty"`
CreatedAt time.Time `json:"created_at"`
Revoked bool `json:"revoked"`
}
AppRegistration holds metadata about a registered App.
type DCRHandler ¶ added in v0.0.62
type DCRHandler struct {
// KeyStore stores client credentials (same KeyStore as AppRegistrar).
KeyStore keys.KeyStorage
// Auth authenticates the caller. Supports both:
// - Initial access token via Authorization: Bearer header (RFC 7591 §3)
// - X-Admin-Key header (OneAuth custom, backward-compatible)
// If nil, registration is open (not recommended for production).
Auth AdminAuth
// Registrar is the underlying AppRegistrar for metadata storage.
// If nil, client metadata is not persisted (only KeyStore is used).
Registrar *AppRegistrar
}
DCRHandler implements OAuth 2.0 Dynamic Client Registration (RFC 7591) as a conformance wrapper around AppRegistrar. It accepts standard DCR request format and maps to/from the internal AppRegistrar model.
Automatically mounted by AppRegistrar.Handler() at POST /apps/dcr. Existing /apps/* endpoints continue working unchanged.
See: https://www.rfc-editor.org/rfc/rfc7591
func (*DCRHandler) ServeHTTP ¶ added in v0.0.62
func (h *DCRHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP handles POST /register per RFC 7591.
type DCRRequest ¶ added in v0.0.62
type DCRRequest struct {
// Client metadata
ClientName string `json:"client_name,omitempty"`
ClientURI string `json:"client_uri,omitempty"`
RedirectURIs []string `json:"redirect_uris,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
Scope string `json:"scope,omitempty"`
// Authentication method
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
// Keys — for asymmetric auth methods (private_key_jwt)
JWKS *utils.JWKSet `json:"jwks,omitempty"`
}
DCRRequest is the RFC 7591 client registration request. See: https://www.rfc-editor.org/rfc/rfc7591#section-2
type DCRResponse ¶ added in v0.0.62
type DCRResponse struct {
ClientID string `json:"client_id"`
ClientSecret string `json:"client_secret,omitempty"`
ClientIDIssuedAt int64 `json:"client_id_issued_at"`
ClientSecretExpiresAt int64 `json:"client_secret_expires_at"`
ClientName string `json:"client_name,omitempty"`
ClientURI string `json:"client_uri,omitempty"`
RedirectURIs []string `json:"redirect_uris,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
Scope string `json:"scope,omitempty"`
}
DCRResponse is the RFC 7591 client registration response. See: https://www.rfc-editor.org/rfc/rfc7591#section-3.2.1