client

package
v0.0.73 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 17, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package client provides client-side authentication utilities for oneauth. It includes credential storage, automatic token refresh, and HTTP client helpers.

Index

Constants

View Source
const DefaultASCacheTTL = 1 * time.Hour

DefaultASCacheTTL is the default time-to-live for cached AS metadata entries. AS metadata changes rarely (endpoint rotations, scope additions), so a 1-hour TTL balances freshness against redundant HTTP fetches.

View Source
const RefreshThreshold = 5 * time.Minute

RefreshThreshold is how long before expiry to proactively refresh

Variables

This section is empty.

Functions

func FollowRedirects added in v0.0.65

func FollowRedirects(httpClient *http.Client) func(string) error

FollowRedirects returns an OpenBrowser function that performs the OAuth authorization flow by following HTTP redirects instead of opening a browser. This enables headless environments: CI, conformance testing, CLI tools.

The returned function GETs the authorization URL using the provided HTTP client. The authorization server redirects to the loopback callback URI, which the LoginWithBrowser loopback server catches — exactly as a browser would.

Usage:

cred, err := authClient.LoginWithBrowser(client.BrowserLoginConfig{
    ClientID:    "my-cli",
    OpenBrowser: client.FollowRedirects(nil),
})

The httpClient should follow redirects (default http.Client behavior). If nil, a default client is used. For authorization servers that require form-based login (e.g., Keycloak), the httpClient must handle cookie/session management and form POST — FollowRedirects is designed for AS endpoints that auto-approve (test/mock servers) or for pre-authenticated sessions.

See: https://github.com/panyam/oneauth/issues/71

func IsLocalhost added in v0.0.68

func IsLocalhost(rawURL string) bool

IsLocalhost returns true if the URL points to a loopback address (localhost, 127.0.0.1, or ::1). This is used to exempt local development servers from HTTPS enforcement.

See: https://www.rfc-editor.org/rfc/rfc8252#section-8.3

func ValidateCIMDURL added in v0.0.68

func ValidateCIMDURL(rawURL string) error

ValidateCIMDURL validates a Client ID Metadata Document URL. Per draft-ietf-oauth-client-id-metadata-document:

  • MUST use HTTPS (except localhost for development/testing)
  • MUST contain a non-root path (the URL must identify a specific document)

See: https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html

func ValidateHTTPS added in v0.0.68

func ValidateHTTPS(meta *ASMetadata) error

ValidateHTTPS checks that Authorization Server endpoints use HTTPS. Localhost URLs are exempt for development and testing. Returns nil if metadata is nil (nothing to validate).

See: https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.1

Types

type ASMetadata added in v0.0.56

type ASMetadata struct {
	// Required
	Issuer        string `json:"issuer"`
	TokenEndpoint string `json:"token_endpoint"`

	// Recommended
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
	JWKSURI               string `json:"jwks_uri,omitempty"`

	// Optional
	RegistrationEndpoint  string `json:"registration_endpoint,omitempty"`
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
	RevocationEndpoint    string `json:"revocation_endpoint,omitempty"`
	UserinfoEndpoint      string `json:"userinfo_endpoint,omitempty"`

	// Supported features
	ScopesSupported               []string `json:"scopes_supported,omitempty"`
	ResponseTypesSupported        []string `json:"response_types_supported,omitempty"`
	GrantTypesSupported           []string `json:"grant_types_supported,omitempty"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
	TokenEndpointAuthMethods      []string `json:"token_endpoint_auth_methods_supported,omitempty"`
}

ASMetadata holds OAuth 2.0 Authorization Server metadata discovered from a well-known endpoint. Fields follow RFC 8414 and OpenID Connect Discovery 1.0.

See: https://www.rfc-editor.org/rfc/rfc8414#section-2

func DiscoverAS added in v0.0.56

func DiscoverAS(issuerURL string, opts ...DiscoveryOption) (*ASMetadata, error)

DiscoverAS fetches OAuth Authorization Server metadata from well-known endpoints.

It tries the following URLs in order (per RFC 8414 + OIDC Discovery):

For issuer "https://auth.example.com" (no path):

  1. https://auth.example.com/.well-known/oauth-authorization-server
  2. https://auth.example.com/.well-known/openid-configuration

For issuer "https://auth.example.com/tenant1" (with path):

  1. https://auth.example.com/.well-known/oauth-authorization-server/tenant1
  2. https://auth.example.com/tenant1/.well-known/openid-configuration

Returns the first successful response. Returns an error if all attempts fail.

See: https://www.rfc-editor.org/rfc/rfc8414#section-3

type ASMetadataStore added in v0.0.69

type ASMetadataStore interface {
	// Get returns the cached metadata for an issuer if present and not expired.
	// Returns (nil, false) on cache miss or expiry.
	Get(issuer string) (*ASMetadata, bool)

	// Put stores metadata for an issuer with the given TTL. A TTL of 0 means
	// use the store's default. Put replaces any existing entry for the issuer.
	Put(issuer string, md *ASMetadata, ttl time.Duration)
}

ASMetadataStore caches OAuth Authorization Server metadata by issuer URL. Implementations must be safe for concurrent use by multiple goroutines.

A store is typically shared across multiple [OAuthTokenSource] instances in the same process, so that N resource servers sharing one AS only trigger one discovery fetch instead of N.

The store is a hot-path optimization: discovery is cheap (one HTTP fetch) but redundant across concurrent token sources. Callers opt in by passing a store to WithASMetadataStore.

type AuthClient

type AuthClient struct {

	// OnToken is an optional callback invoked after a successful token
	// refresh (the refresh_token grant path through refreshTokenLocked).
	// It fires AFTER the new credential has been stored via CredentialStore,
	// so consumers can use the callback for side-effects (logging, metrics,
	// external persistence) that should observe the post-refresh state.
	//
	// Thread safety: the callback is invoked synchronously from whichever
	// goroutine triggered the refresh. Implementations must be thread-safe
	// if the AuthClient is shared across goroutines.
	//
	// Lock contract: the callback runs while the AuthClient internal mutex
	// is held — same as CredentialStore.SetCredential. Callbacks must NOT
	// re-enter AuthClient methods (GetToken, GetCredential, Login,
	// refreshTokenLocked) or they will deadlock. Callbacks should be
	// lightweight and non-blocking.
	//
	// Does NOT fire for initial logins (Login, LoginWithBrowser) — those
	// return the credential directly to the caller, who can persist it
	// explicitly. Only the automatic refresh_token grant path fires this.
	OnToken func(*ServerCredential)
	// contains filtered or unexported fields
}

AuthClient is an HTTP client with automatic token management

func NewAuthClient

func NewAuthClient(serverURL string, store CredentialStore, opts ...ClientOption) *AuthClient

NewAuthClient creates a new authenticated HTTP client for a server. If store is nil, a no-op store is used — methods that return credentials (Login, LoginWithBrowser, ClientCredentialsToken) still work and return the credential to the caller, but tokens are not persisted between calls.

func (*AuthClient) ClientCredentialsToken added in v0.0.56

func (c *AuthClient) ClientCredentialsToken(clientID, clientSecret string, scopes []string) (*ServerCredential, error)

ClientCredentialsToken authenticates using the client_credentials grant (RFC 6749 §4.4). This is for machine-to-machine authentication where there is no user context — the client authenticates on its own behalf using its client_id and client_secret. No refresh token is issued.

The request is sent as application/x-www-form-urlencoded (RFC 6749 §4.4.2). Client credentials are sent using the negotiated auth method:

  • If AS metadata was provided via WithASMetadata, SelectAuthMethod picks the best method from token_endpoint_auth_methods_supported
  • Without metadata, defaults to client_secret_basic (RFC 6749 §2.3.1)

The resulting access token is stored in the credential store for use by subsequent API calls via the AuthClient's HTTP transport.

See: https://www.rfc-editor.org/rfc/rfc6749#section-4.4 See: https://github.com/panyam/oneauth/issues/72

func (*AuthClient) GetCredential

func (c *AuthClient) GetCredential() (*ServerCredential, error)

GetCredential returns the stored credential for this server

func (*AuthClient) GetToken

func (c *AuthClient) GetToken() (string, error)

GetToken returns the current access token, refreshing if needed

func (*AuthClient) HTTPClient

func (c *AuthClient) HTTPClient() *http.Client

HTTPClient returns the underlying HTTP client with auth handling

func (*AuthClient) IsLoggedIn

func (c *AuthClient) IsLoggedIn() bool

IsLoggedIn returns true if there is a valid (non-expired) credential

func (*AuthClient) Login

func (c *AuthClient) Login(username, password, scope string) (*ServerCredential, error)

Login authenticates with username/password and stores the credential

func (*AuthClient) LoginWithBrowser added in v0.0.56

func (c *AuthClient) LoginWithBrowser(cfg BrowserLoginConfig) (*ServerCredential, error)

LoginWithBrowser performs an OAuth 2.0 authorization code flow with PKCE for CLI/headless clients (RFC 8252). It:

  1. Generates PKCE verifier + challenge
  2. Generates a random state parameter for CSRF protection
  3. Starts a temporary loopback HTTP server to catch the redirect
  4. Opens the user's browser to the authorization URL
  5. Waits for the callback with the authorization code
  6. Validates the state parameter
  7. Exchanges the code for tokens using the code_verifier
  8. Stores the credential via the AuthClient's CredentialStore

See: https://www.rfc-editor.org/rfc/rfc8252 (OAuth 2.0 for Native Apps) See: https://www.rfc-editor.org/rfc/rfc7636 (PKCE)

func (*AuthClient) Logout

func (c *AuthClient) Logout() error

Logout removes the credential for this server

func (*AuthClient) ServerURL

func (c *AuthClient) ServerURL() string

ServerURL returns the server URL this client is configured for

type AuthTransport

type AuthTransport struct {
	Base  http.RoundTripper
	Token string
}

AuthTransport wraps an http.RoundTripper to add Authorization headers

func NewAuthTransport

func NewAuthTransport(token string) *AuthTransport

NewAuthTransport creates an AuthTransport with the given token

func NewAuthTransportWithBase

func NewAuthTransportWithBase(base http.RoundTripper, token string) *AuthTransport

NewAuthTransportWithBase creates an AuthTransport with a custom base transport

func (*AuthTransport) RoundTrip

func (t *AuthTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper

type BrowserLoginConfig added in v0.0.56

type BrowserLoginConfig struct {
	// AuthorizationEndpoint is the AS authorization URL.
	// If empty, auto-discovered via DiscoverAS(serverURL) using the
	// AuthClient's server URL.
	AuthorizationEndpoint string

	// TokenEndpoint is the AS token URL for code exchange.
	// If empty, uses the AuthClient's configured tokenEndpoint.
	TokenEndpoint string

	// ClientID identifies this client to the authorization server.
	// Required.
	ClientID string

	// Scopes to request (e.g., []string{"openid", "read", "write"}).
	Scopes []string

	// CallbackPort is the port for the loopback redirect server.
	// If 0, a random available port is chosen.
	CallbackPort int

	// Timeout for the entire flow (waiting for user to complete browser login).
	// Defaults to 5 minutes.
	Timeout time.Duration

	// OpenBrowser is called to open the authorization URL in the user's browser.
	// If nil, uses the platform default (open/xdg-open/start).
	// Set to a custom function for testing or headless environments.
	OpenBrowser func(url string) error

	// HTTPClient is used for the token exchange request.
	// If nil, uses http.DefaultClient.
	HTTPClient *http.Client

	// Resource is the RFC 8707 resource indicator — the canonical URI of the
	// target resource server (e.g., "https://api.example.com"). When set, it's
	// included in both the authorization request and token exchange to bind the
	// token to a specific audience. MCP spec requires this parameter.
	//
	// See: https://www.rfc-editor.org/rfc/rfc8707
	Resource string

	// ClientSecret is the client's secret for confidential clients.
	// If empty, the client is treated as a public client (auth method "none")
	// and only client_id is sent in the token exchange.
	// When set, the auth method is negotiated based on AS metadata
	// (token_endpoint_auth_methods_supported) per RFC 6749 §2.3.
	//
	// See: https://github.com/panyam/oneauth/issues/72
	ClientSecret string

	// TokenEndpointAuthMethods specifies the auth methods supported by the AS
	// token endpoint (e.g., ["client_secret_post", "client_secret_basic"]).
	// This is used when AuthorizationEndpoint and TokenEndpoint are explicitly
	// provided and discovery is skipped — without this field, the client
	// defaults to client_secret_basic which may not be what the AS supports.
	//
	// Callers that perform their own AS discovery (e.g., via PRM → AS metadata)
	// should pass token_endpoint_auth_methods_supported here so the client
	// negotiates the correct auth method per RFC 6749 §2.3.
	//
	// If empty and discovery is skipped, defaults to client_secret_basic
	// per RFC 6749 §2.3.1.
	//
	// See: https://www.rfc-editor.org/rfc/rfc6749#section-2.3
	// See: https://github.com/panyam/oneauth/issues/74
	TokenEndpointAuthMethods []string
}

BrowserLoginConfig configures the authorization code + PKCE flow for CLI and headless clients.

type ClientCredentialsSource added in v0.0.68

type ClientCredentialsSource struct {
	// TokenEndpoint is the authorization server's token URL.
	TokenEndpoint string

	// ClientID identifies this client to the authorization server.
	ClientID string

	// ClientSecret authenticates this client.
	ClientSecret string

	// Scopes to request.
	Scopes []string

	// Audience is the resource server's canonical URI (RFC 8707 resource indicator).
	Audience string

	// Refresher enables proactive token refresh before expiry. When nil or
	// Refresher.Buffer == 0, refresh is reactive — happens on the next
	// Token() call after expiry.
	//
	// Typical values: Buffer of 30s-60s for tokens with 5-15 minute lifetimes.
	// The goroutine starts lazily on the first Token() call and runs until
	// Close() is called on the source.
	Refresher *ProactiveRefresher

	// OnToken is an optional callback invoked after every successful token
	// acquisition — both the initial fetch and all subsequent refreshes
	// (reactive and proactive). Use this to persist the credential to an
	// external store (file, database) without implementing a full
	// CredentialStore.
	//
	// Thread safety: the callback may be invoked from the caller's
	// goroutine (initial/reactive path) or from the background refresh
	// goroutine (proactive path). Implementations must be thread-safe.
	//
	// The callback holds no locks of the source, so calling back into
	// Token() from within the callback is safe (but useless — it will
	// return the same token that was just passed in).
	//
	// The credential passed to the callback is the same value returned
	// from AuthClient.ClientCredentialsToken. Mutating it from within the
	// callback is not safe.
	OnToken func(*ServerCredential)
	// contains filtered or unexported fields
}

ClientCredentialsSource implements TokenSource for machine-to-machine auth using the OAuth 2.0 client_credentials grant (RFC 6749 §4.4).

It caches the access token and automatically refreshes it when expired. TokenForScopes supports scope step-up by merging additional scopes and invalidating the cache.

See: https://www.rfc-editor.org/rfc/rfc6749#section-4.4

func (*ClientCredentialsSource) Close added in v0.0.69

func (s *ClientCredentialsSource) Close() error

Close stops the background refresh goroutine if one is running. Safe to call multiple times. Returns nil always (io.Closer compliance). After Close, subsequent Token() calls still work reactively.

func (*ClientCredentialsSource) Token added in v0.0.68

func (s *ClientCredentialsSource) Token() (string, error)

Token returns a cached access token if still valid, or fetches a new one via the client_credentials grant.

If Refresher.Buffer > 0, the background refresh goroutine starts lazily on the first Token() call.

Invokes OnToken (if set) after a successful fetch, outside the source's mutex — callbacks are free to call back into Token() without deadlock.

func (*ClientCredentialsSource) TokenForScopes added in v0.0.68

func (s *ClientCredentialsSource) TokenForScopes(scopes []string) (string, error)

TokenForScopes invalidates the cached token, merges the requested scopes with the existing scope set (using core.UnionScopes), and fetches a fresh token with the combined scopes.

type ClientOption

type ClientOption func(*AuthClient)

ClientOption configures an AuthClient

func WithASMetadata added in v0.0.65

func WithASMetadata(meta *ASMetadata) ClientOption

WithASMetadata pre-populates AS discovery metadata, enabling auth method negotiation in ClientCredentialsToken without a separate discovery request. Useful when DiscoverAS has already been called or for testing.

See: https://github.com/panyam/oneauth/issues/72

func WithHTTPClient

func WithHTTPClient(client *http.Client) ClientOption

WithHTTPClient sets a custom base HTTP client (for timeouts, TLS config, etc.) The transport from this client will be wrapped with auth handling.

func WithTokenEndpoint

func WithTokenEndpoint(path string) ClientOption

WithTokenEndpoint sets a custom token endpoint path

func WithTransport

func WithTransport(transport http.RoundTripper) ClientOption

WithTransport sets a custom base transport (for connection pooling, proxies, etc.)

type ClientRegistrationRequest added in v0.0.68

type ClientRegistrationRequest struct {
	ClientName              string   `json:"client_name"`
	RedirectURIs            []string `json:"redirect_uris"`
	GrantTypes              []string `json:"grant_types,omitempty"`
	ResponseTypes           []string `json:"response_types,omitempty"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
}

ClientRegistrationRequest is the payload for RFC 7591 Dynamic Client Registration. This represents a client requesting registration at an authorization server's registration endpoint.

See: https://www.rfc-editor.org/rfc/rfc7591#section-2

type ClientRegistrationResponse added in v0.0.68

type ClientRegistrationResponse struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret,omitempty"`
}

ClientRegistrationResponse is the parsed response from a DCR endpoint, containing the assigned client_id and optional client_secret.

See: https://www.rfc-editor.org/rfc/rfc7591#section-3.2.1

func RegisterClient added in v0.0.68

func RegisterClient(endpoint string, meta ClientRegistrationRequest, httpClient *http.Client) (*ClientRegistrationResponse, error)

RegisterClient performs RFC 7591 Dynamic Client Registration against the given endpoint. Returns the assigned client_id and optional client_secret.

If httpClient is nil, http.DefaultClient is used.

See: https://www.rfc-editor.org/rfc/rfc7591#section-3

type CredentialStore

type CredentialStore interface {
	// GetCredential retrieves a credential for a server URL
	// Returns nil, nil if no credential exists for the server
	GetCredential(serverURL string) (*ServerCredential, error)

	// SetCredential stores a credential for a server URL
	SetCredential(serverURL string, cred *ServerCredential) error

	// RemoveCredential removes a credential for a server URL
	RemoveCredential(serverURL string) error

	// ListServers returns all server URLs with stored credentials
	ListServers() ([]string, error)

	// Save persists any pending changes (for stores that batch writes)
	Save() error
}

CredentialStore defines the interface for storing and retrieving credentials

type DiscoveryOption added in v0.0.56

type DiscoveryOption func(*discoveryConfig)

DiscoveryOption configures the discovery request.

func WithASCacheTTL added in v0.0.69

func WithASCacheTTL(ttl time.Duration) DiscoveryOption

WithASCacheTTL sets a custom TTL for cache writes during discovery. Only applies when a store is also provided via WithASMetadataStore. A TTL of 0 uses the store's default TTL.

func WithASMetadataStore added in v0.0.69

func WithASMetadataStore(store ASMetadataStore) DiscoveryOption

WithASMetadataStore enables caching of AS metadata via the given store. When set, DiscoverAS checks the store first and returns the cached value on hit. On miss, it fetches from the well-known endpoint and stores the result with the configured TTL (or the store's default).

Typical usage is to share a single store across multiple token sources in the same process:

cache := client.NewMemoryASMetadataStore(0)
md1, _ := client.DiscoverAS("https://auth.example.com", client.WithASMetadataStore(cache))
md2, _ := client.DiscoverAS("https://auth.example.com", client.WithASMetadataStore(cache))
// md2 returned from cache; no second HTTP fetch.

func WithHTTPClientForDiscovery added in v0.0.56

func WithHTTPClientForDiscovery(client *http.Client) DiscoveryOption

WithHTTPClientForDiscovery sets a custom HTTP client for the discovery request. Useful for testing (httptest) and custom TLS configuration.

type MemoryASMetadataStore added in v0.0.69

type MemoryASMetadataStore struct {
	// contains filtered or unexported fields
}

MemoryASMetadataStore is an in-memory ASMetadataStore backed by a sync.RWMutex-protected map. Suitable for single-process deployments where all token sources run in the same binary.

Entries expire lazily on Get — there is no background eviction goroutine. Expired entries stay in the map until a Get or Put touches them, which is fine for bounded-size workloads (one entry per unique issuer URL).

func NewMemoryASMetadataStore added in v0.0.69

func NewMemoryASMetadataStore(defaultTTL time.Duration) *MemoryASMetadataStore

NewMemoryASMetadataStore creates a new in-memory AS metadata store. If defaultTTL is 0, DefaultASCacheTTL is used.

func (*MemoryASMetadataStore) Get added in v0.0.69

func (s *MemoryASMetadataStore) Get(issuer string) (*ASMetadata, bool)

Get returns cached metadata for an issuer if present and not expired. Expired entries are removed lazily on access.

func (*MemoryASMetadataStore) Put added in v0.0.69

func (s *MemoryASMetadataStore) Put(issuer string, md *ASMetadata, ttl time.Duration)

Put stores metadata for an issuer with the given TTL. If ttl is 0, the store's default TTL is used.

type OAuth2TokenRequest

type OAuth2TokenRequest struct {
	GrantType    string `json:"grant_type"`
	Username     string `json:"username,omitempty"`
	Password     string `json:"password,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	Scope        string `json:"scope,omitempty"`
	ClientID     string `json:"client_id,omitempty"`
	ClientSecret string `json:"client_secret,omitempty"`
	Code         string `json:"code,omitempty"`          // For authorization_code grant
	CodeVerifier string `json:"code_verifier,omitempty"` // PKCE verifier for authorization_code grant
	RedirectURI  string `json:"redirect_uri,omitempty"`  // Redirect URI for authorization_code grant
}

OAuth2TokenRequest is the request body for token endpoint

type OAuth2TokenResponse

type OAuth2TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int64  `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
	Scope        string `json:"scope,omitempty"`
	Error        string `json:"error,omitempty"`
	ErrorDesc    string `json:"error_description,omitempty"`
}

OAuth2TokenResponse is the response from token endpoint

type ProactiveRefresher added in v0.0.69

type ProactiveRefresher struct {
	// Buffer is how long before token expiry to refresh. Must be positive
	// to enable proactive refresh. A buffer of 30s means the refresh fires
	// 30 seconds before the token would have expired reactively.
	Buffer time.Duration
	// contains filtered or unexported fields
}

ProactiveRefresher configures and manages background token refresh before expiry. It bundles the refresh policy (Buffer) with the runtime state needed to coordinate the background goroutine lifecycle.

type ScopeAwareTokenSource added in v0.0.68

type ScopeAwareTokenSource interface {
	TokenSource
	TokenForScopes(scopes []string) (string, error)
}

ScopeAwareTokenSource extends TokenSource with scope step-up capability. When additional scopes are required, the cached token is invalidated and a new token is obtained with the merged scope set.

type ServerCredential

type ServerCredential struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	TokenType    string    `json:"token_type,omitempty"`
	UserID       string    `json:"user_id,omitempty"`
	UserEmail    string    `json:"user_email,omitempty"`
	Scope        string    `json:"scope,omitempty"`
	ExpiresAt    time.Time `json:"expires_at"`
	CreatedAt    time.Time `json:"created_at"`
}

ServerCredential holds authentication info for a single server

func (*ServerCredential) HasRefreshToken

func (c *ServerCredential) HasRefreshToken() bool

HasRefreshToken returns true if a refresh token is available

func (*ServerCredential) IsExpired

func (c *ServerCredential) IsExpired() bool

IsExpired returns true if the access token has expired

func (*ServerCredential) IsExpiringSoon

func (c *ServerCredential) IsExpiringSoon(within time.Duration) bool

IsExpiringSoon returns true if the token expires within the given duration

type TokenEndpointAuthMethod added in v0.0.65

type TokenEndpointAuthMethod string

TokenEndpointAuthMethod represents an OAuth 2.0 token endpoint authentication method as defined in RFC 6749 §2.3 and advertised by authorization servers via the "token_endpoint_auth_methods_supported" metadata field (RFC 8414 §2). The client uses SelectAuthMethod to negotiate which method to use based on what the AS supports.

See: https://www.rfc-editor.org/rfc/rfc6749#section-2.3 See: https://www.rfc-editor.org/rfc/rfc8414#section-2 (discovery metadata)

const (
	// AuthMethodNone indicates a public client with no client secret.
	// Only the client_id is sent as a form body parameter. This is the
	// correct method for native/SPA clients using PKCE without a secret.
	AuthMethodNone TokenEndpointAuthMethod = "none"

	// AuthMethodClientSecretPost sends client_id and client_secret as
	// form body parameters in the token request. Less secure than Basic
	// because credentials appear in the request body (potentially logged
	// by proxies or WAFs), but required by some AS implementations.
	AuthMethodClientSecretPost TokenEndpointAuthMethod = "client_secret_post"

	// AuthMethodClientSecretBasic sends client credentials via the HTTP
	// Basic authentication scheme (RFC 7617) in the Authorization header:
	// "Authorization: Basic base64(client_id:client_secret)". This is the
	// RFC 6749 §2.3.1 default and preferred method because credentials
	// stay out of the request body.
	AuthMethodClientSecretBasic TokenEndpointAuthMethod = "client_secret_basic"
)

func SelectAuthMethod added in v0.0.65

func SelectAuthMethod(clientSecret string, asMethods []string) TokenEndpointAuthMethod

SelectAuthMethod chooses the appropriate token endpoint authentication method based on the client's credentials and the AS's advertised token_endpoint_auth_methods_supported metadata.

Decision logic:

  1. No client secret → "none" (public client, e.g., PKCE-only native apps)
  2. AS advertises methods → pick best supported match, preferring client_secret_basic over client_secret_post (credentials in header are less likely to be logged than credentials in body)
  3. AS doesn't advertise methods (nil/empty) → default to client_secret_basic per RFC 6749 §2.3.1
  4. AS advertises only unknown methods (e.g., private_key_jwt) → fall back to client_secret_basic as a safe default

This function is used by both LoginWithBrowser (auth code + PKCE flow) and ClientCredentialsToken (machine-to-machine flow) to negotiate how credentials are sent to the token endpoint.

See: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13#section-3.2.1 See: https://github.com/panyam/oneauth/issues/72

type TokenSource added in v0.0.68

type TokenSource interface {
	Token() (string, error)
}

TokenSource provides OAuth2 access tokens. This interface matches mcpkit/core.TokenSource by structural typing — no cross-module import needed.

Directories

Path Synopsis
stores
fs
Package fs provides a file system-based credential store for oneauth client.
Package fs provides a file system-based credential store for oneauth client.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL