identity

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 27, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package identity provides layered identity composition for AI agents.

The identity model consists of three complementary layers:

  • Human Identity (ID-JAG): "Which user is this agent acting for?"
  • Agent Identity (AAuth): "Which autonomous agent is this?"
  • Workload Identity (SPIFFE): "Which workload/service is hosting this?"

These layers are composed, not chosen between. A fully authenticated agent request includes all three layers linked together.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrAgentIdentityRequired   = errors.New("agent identity is required")
	ErrInvalidAAuthToken       = errors.New("invalid AAuth token")
	ErrInvalidIDJAGAssertion   = errors.New("invalid ID-JAG assertion")
	ErrInvalidWorkloadIdentity = errors.New("invalid workload identity")
	ErrCompositionFailed       = errors.New("identity composition failed")
)

Errors for identity composition.

Functions

func WithContext

func WithContext(ctx context.Context, identity *ComposedIdentity) context.Context

WithContext returns a new context with the ComposedIdentity attached.

Types

type AAuthVerifier

type AAuthVerifier interface {
	// VerifyAAuth verifies an AAuth token and returns the agent identity.
	VerifyAAuth(ctx context.Context, token string) (*AgentIdentity, error)
}

AAuthVerifier verifies AAuth tokens and extracts agent identity.

type AgentIdentity

type AgentIdentity struct {
	// AgentID uniquely identifies the agent
	AgentID string `json:"agent_id"`

	// MissionID identifies the current mission (optional)
	MissionID string `json:"mission_id,omitempty"`

	// Issuer is the authorization server that authenticated the agent
	Issuer string `json:"iss"`

	// Capabilities are what the agent can do
	Capabilities []string `json:"capabilities,omitempty"`

	// Scopes are the granted OAuth scopes
	Scopes []string `json:"scopes,omitempty"`

	// DelegatedBy indicates which agent delegated to this one (for sub-agents)
	DelegatedBy string `json:"delegated_by,omitempty"`

	// AAuthToken is the original AAuth access token
	AAuthToken string `json:"aauth_token,omitempty"`

	// VerifiedAt is when the AAuth token was verified
	VerifiedAt time.Time `json:"verified_at,omitempty"`
}

AgentIdentity represents the autonomous agent. This comes from AAuth authentication.

type ComposeOptions

type ComposeOptions struct {
	// AAuthToken is the AAuth access token (required)
	AAuthToken string

	// IDJAGAssertion is the ID-JAG assertion for human identity (optional)
	IDJAGAssertion string

	// IncludeWorkload indicates whether to extract workload identity
	IncludeWorkload bool

	// TraceID for distributed tracing
	TraceID string
}

ComposeOptions specifies the credentials to compose.

type ComposedIdentity

type ComposedIdentity struct {
	// Human identity (from ID-JAG delegation)
	Human *HumanIdentity `json:"human,omitempty"`

	// Agent identity (from AAuth)
	Agent *AgentIdentity `json:"agent"`

	// Workload identity (from SPIFFE)
	Workload *WorkloadIdentity `json:"workload,omitempty"`

	// BindingID uniquely identifies this composed identity binding
	BindingID string `json:"binding_id"`

	// BoundAt is when the identities were linked
	BoundAt time.Time `json:"bound_at"`

	// ExpiresAt is when the binding expires (earliest of component expirations)
	ExpiresAt time.Time `json:"expires_at,omitempty"`

	// TraceID for distributed tracing
	TraceID string `json:"trace_id,omitempty"`
}

ComposedIdentity links all three identity layers together. This is the primary abstraction for authenticated agent requests.

func FromContext

func FromContext(ctx context.Context) (*ComposedIdentity, bool)

FromContext extracts the ComposedIdentity from context, if present.

func (*ComposedIdentity) AuditString

func (c *ComposedIdentity) AuditString() string

AuditString returns a string suitable for audit logs.

func (*ComposedIdentity) HasHuman

func (c *ComposedIdentity) HasHuman() bool

HasHuman returns true if human identity is present.

func (*ComposedIdentity) HasWorkload

func (c *ComposedIdentity) HasWorkload() bool

HasWorkload returns true if workload identity is present.

func (*ComposedIdentity) IsExpired

func (c *ComposedIdentity) IsExpired() bool

IsExpired returns true if the binding has expired.

func (*ComposedIdentity) IsValid

func (c *ComposedIdentity) IsValid() bool

IsValid checks if the composed identity has required components. At minimum, an agent identity is required.

type Composer

type Composer struct {
	// contains filtered or unexported fields
}

Composer creates and validates composed identities from credentials.

func NewComposer

func NewComposer(opts ...ComposerOption) *Composer

NewComposer creates a new identity composer.

func (*Composer) Compose

func (c *Composer) Compose(ctx context.Context, opts ComposeOptions) (*ComposedIdentity, error)

Compose creates a ComposedIdentity from available credentials. At minimum, an AAuth token is required for agent identity.

func (*Composer) Verify

func (c *Composer) Verify(ctx context.Context, identity *ComposedIdentity) error

Verify validates all components of a ComposedIdentity.

type ComposerOption

type ComposerOption func(*Composer)

ComposerOption configures the Composer.

func WithAAuthVerifier

func WithAAuthVerifier(v AAuthVerifier) ComposerOption

WithAAuthVerifier sets the AAuth verifier.

func WithIDJAGVerifier

func WithIDJAGVerifier(v IDJAGVerifier) ComposerOption

WithIDJAGVerifier sets the ID-JAG verifier.

func WithWorkloadVerifier

func WithWorkloadVerifier(v WorkloadVerifier) ComposerOption

WithWorkloadVerifier sets the workload identity verifier.

type HumanIdentity

type HumanIdentity struct {
	// Subject is the human user's identifier
	Subject string `json:"sub"`

	// Issuer is the identity provider that authenticated the human
	Issuer string `json:"iss"`

	// Email is the user's email (optional)
	Email string `json:"email,omitempty"`

	// Name is the user's display name (optional)
	Name string `json:"name,omitempty"`

	// Roles are the user's roles from the IdP
	Roles []string `json:"roles,omitempty"`

	// IDJAGToken is the original ID-JAG assertion token
	IDJAGToken string `json:"idjag_token,omitempty"`

	// VerifiedAt is when the ID-JAG assertion was verified
	VerifiedAt time.Time `json:"verified_at,omitempty"`
}

HumanIdentity represents the human user the agent is acting for. This comes from ID-JAG assertions for cross-application access.

type IDJAGVerifier

type IDJAGVerifier interface {
	// VerifyIDJAG verifies an ID-JAG assertion and returns the human identity.
	VerifyIDJAG(ctx context.Context, assertion string) (*HumanIdentity, error)
}

IDJAGVerifier verifies ID-JAG assertions and extracts human identity.

type WorkloadIdentity

type WorkloadIdentity struct {
	// SPIFFEID is the SPIFFE identifier (e.g., spiffe://domain/path)
	SPIFFEID string `json:"spiffe_id"`

	// TrustDomain is the SPIFFE trust domain
	TrustDomain string `json:"trust_domain,omitempty"`

	// ServiceName is the service name from the SPIFFE ID path
	ServiceName string `json:"service_name,omitempty"`

	// SVID is the X.509 SVID certificate (PEM encoded, optional)
	SVID string `json:"svid,omitempty"`

	// VerifiedAt is when the SPIFFE identity was verified
	VerifiedAt time.Time `json:"verified_at,omitempty"`
}

WorkloadIdentity represents the infrastructure workload hosting the agent. This comes from SPIFFE/SPIRE.

type WorkloadVerifier

type WorkloadVerifier interface {
	// VerifyWorkload extracts and verifies the workload identity.
	VerifyWorkload(ctx context.Context) (*WorkloadIdentity, error)
}

WorkloadVerifier extracts and verifies workload identity (e.g., from TLS).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL