Documentation
¶
Overview ¶
Package identity provides layered identity composition for AI agents.
The identity model consists of three complementary layers:
- Human Identity (ID-JAG): "Which user is this agent acting for?"
- Agent Identity (AAuth): "Which autonomous agent is this?"
- Workload Identity (SPIFFE): "Which workload/service is hosting this?"
These layers are composed, not chosen between. A fully authenticated agent request includes all three layers linked together.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( ErrAgentIdentityRequired = errors.New("agent identity is required") ErrInvalidAAuthToken = errors.New("invalid AAuth token") ErrInvalidIDJAGAssertion = errors.New("invalid ID-JAG assertion") ErrInvalidWorkloadIdentity = errors.New("invalid workload identity") ErrCompositionFailed = errors.New("identity composition failed") )
Errors for identity composition.
Functions ¶
func WithContext ¶
func WithContext(ctx context.Context, identity *ComposedIdentity) context.Context
WithContext returns a new context with the ComposedIdentity attached.
Types ¶
type AAuthVerifier ¶
type AAuthVerifier interface {
// VerifyAAuth verifies an AAuth token and returns the agent identity.
VerifyAAuth(ctx context.Context, token string) (*AgentIdentity, error)
}
AAuthVerifier verifies AAuth tokens and extracts agent identity.
type AgentIdentity ¶
type AgentIdentity struct {
// AgentID uniquely identifies the agent
AgentID string `json:"agent_id"`
// MissionID identifies the current mission (optional)
MissionID string `json:"mission_id,omitempty"`
// Issuer is the authorization server that authenticated the agent
Issuer string `json:"iss"`
// Capabilities are what the agent can do
Capabilities []string `json:"capabilities,omitempty"`
// Scopes are the granted OAuth scopes
Scopes []string `json:"scopes,omitempty"`
// DelegatedBy indicates which agent delegated to this one (for sub-agents)
DelegatedBy string `json:"delegated_by,omitempty"`
// AAuthToken is the original AAuth access token
AAuthToken string `json:"aauth_token,omitempty"`
// VerifiedAt is when the AAuth token was verified
VerifiedAt time.Time `json:"verified_at,omitempty"`
}
AgentIdentity represents the autonomous agent. This comes from AAuth authentication.
type ComposeOptions ¶
type ComposeOptions struct {
// AAuthToken is the AAuth access token (required)
AAuthToken string
// IDJAGAssertion is the ID-JAG assertion for human identity (optional)
IDJAGAssertion string
// IncludeWorkload indicates whether to extract workload identity
IncludeWorkload bool
// TraceID for distributed tracing
TraceID string
}
ComposeOptions specifies the credentials to compose.
type ComposedIdentity ¶
type ComposedIdentity struct {
// Human identity (from ID-JAG delegation)
Human *HumanIdentity `json:"human,omitempty"`
// Agent identity (from AAuth)
Agent *AgentIdentity `json:"agent"`
// Workload identity (from SPIFFE)
Workload *WorkloadIdentity `json:"workload,omitempty"`
// BindingID uniquely identifies this composed identity binding
BindingID string `json:"binding_id"`
// BoundAt is when the identities were linked
BoundAt time.Time `json:"bound_at"`
// ExpiresAt is when the binding expires (earliest of component expirations)
ExpiresAt time.Time `json:"expires_at,omitempty"`
// TraceID for distributed tracing
TraceID string `json:"trace_id,omitempty"`
}
ComposedIdentity links all three identity layers together. This is the primary abstraction for authenticated agent requests.
func FromContext ¶
func FromContext(ctx context.Context) (*ComposedIdentity, bool)
FromContext extracts the ComposedIdentity from context, if present.
func (*ComposedIdentity) AuditString ¶
func (c *ComposedIdentity) AuditString() string
AuditString returns a string suitable for audit logs.
func (*ComposedIdentity) HasHuman ¶
func (c *ComposedIdentity) HasHuman() bool
HasHuman returns true if human identity is present.
func (*ComposedIdentity) HasWorkload ¶
func (c *ComposedIdentity) HasWorkload() bool
HasWorkload returns true if workload identity is present.
func (*ComposedIdentity) IsExpired ¶
func (c *ComposedIdentity) IsExpired() bool
IsExpired returns true if the binding has expired.
func (*ComposedIdentity) IsValid ¶
func (c *ComposedIdentity) IsValid() bool
IsValid checks if the composed identity has required components. At minimum, an agent identity is required.
type Composer ¶
type Composer struct {
// contains filtered or unexported fields
}
Composer creates and validates composed identities from credentials.
func NewComposer ¶
func NewComposer(opts ...ComposerOption) *Composer
NewComposer creates a new identity composer.
func (*Composer) Compose ¶
func (c *Composer) Compose(ctx context.Context, opts ComposeOptions) (*ComposedIdentity, error)
Compose creates a ComposedIdentity from available credentials. At minimum, an AAuth token is required for agent identity.
type ComposerOption ¶
type ComposerOption func(*Composer)
ComposerOption configures the Composer.
func WithAAuthVerifier ¶
func WithAAuthVerifier(v AAuthVerifier) ComposerOption
WithAAuthVerifier sets the AAuth verifier.
func WithIDJAGVerifier ¶
func WithIDJAGVerifier(v IDJAGVerifier) ComposerOption
WithIDJAGVerifier sets the ID-JAG verifier.
func WithWorkloadVerifier ¶
func WithWorkloadVerifier(v WorkloadVerifier) ComposerOption
WithWorkloadVerifier sets the workload identity verifier.
type HumanIdentity ¶
type HumanIdentity struct {
// Subject is the human user's identifier
Subject string `json:"sub"`
// Issuer is the identity provider that authenticated the human
Issuer string `json:"iss"`
// Email is the user's email (optional)
Email string `json:"email,omitempty"`
// Name is the user's display name (optional)
Name string `json:"name,omitempty"`
// Roles are the user's roles from the IdP
Roles []string `json:"roles,omitempty"`
// IDJAGToken is the original ID-JAG assertion token
IDJAGToken string `json:"idjag_token,omitempty"`
// VerifiedAt is when the ID-JAG assertion was verified
VerifiedAt time.Time `json:"verified_at,omitempty"`
}
HumanIdentity represents the human user the agent is acting for. This comes from ID-JAG assertions for cross-application access.
type IDJAGVerifier ¶
type IDJAGVerifier interface {
// VerifyIDJAG verifies an ID-JAG assertion and returns the human identity.
VerifyIDJAG(ctx context.Context, assertion string) (*HumanIdentity, error)
}
IDJAGVerifier verifies ID-JAG assertions and extracts human identity.
type WorkloadIdentity ¶
type WorkloadIdentity struct {
// SPIFFEID is the SPIFFE identifier (e.g., spiffe://domain/path)
SPIFFEID string `json:"spiffe_id"`
// TrustDomain is the SPIFFE trust domain
TrustDomain string `json:"trust_domain,omitempty"`
// ServiceName is the service name from the SPIFFE ID path
ServiceName string `json:"service_name,omitempty"`
// SVID is the X.509 SVID certificate (PEM encoded, optional)
SVID string `json:"svid,omitempty"`
// VerifiedAt is when the SPIFFE identity was verified
VerifiedAt time.Time `json:"verified_at,omitempty"`
}
WorkloadIdentity represents the infrastructure workload hosting the agent. This comes from SPIFFE/SPIRE.
type WorkloadVerifier ¶
type WorkloadVerifier interface {
// VerifyWorkload extracts and verifies the workload identity.
VerifyWorkload(ctx context.Context) (*WorkloadIdentity, error)
}
WorkloadVerifier extracts and verifies workload identity (e.g., from TLS).