Versions in this module Expand all Collapse all v0 v0.2.0 Jun 28, 2026 Changes in this version + var ErrConsentDenied = errors.New("consent denied") + var ErrConsentRequired = errors.New("human consent required") + var ErrConsentTimeout = errors.New("consent timeout") + var ErrProviderNotConfigured = errors.New("provider not configured") + var ErrUnauthorized = errors.New("unauthorized") + func IsJWT(s string) bool + type AAuthConfig struct + AgentID string + Algorithm string + DefaultAudience []string + DefaultInteractionType string + DefaultMissionDuration time.Duration + Enabled bool + KeyID string + PersonServer string + PrivateKey string + func (c *AAuthConfig) Validate() error + type AAuthProvider struct + func NewAAuthProvider(config *AAuthConfig, opts ...AAuthProviderOption) (*AAuthProvider, error) + func (p *AAuthProvider) Authorize(ctx context.Context, req *AuthRequest) (*AuthResult, error) + func (p *AAuthProvider) CheckConsent(ctx context.Context, statusURI string) (*AuthResult, error) + func (p *AAuthProvider) HTTPClient(ctx context.Context, req *AuthRequest) (*http.Client, error) + func (p *AAuthProvider) InitializeAgent(privateKey crypto.PrivateKey) error + func (p *AAuthProvider) Protocol() Protocol + func (p *AAuthProvider) Revoke(ctx context.Context, token string) error + func (p *AAuthProvider) SetAgent(agent *aauth.Agent) + func (p *AAuthProvider) WaitForConsent(ctx context.Context, statusURI string, timeout time.Duration) (*AuthResult, error) + type AAuthProviderOption func(*AAuthProvider) + func WithAAuthAgent(agent *aauth.Agent) AAuthProviderOption + func WithAAuthConsentMode(mode ConsentMode) AAuthProviderOption + func WithAAuthPollConfig(interval, timeout time.Duration) AAuthProviderOption + type ActorClaims struct + Issuer string + Subject string + type AuthRequest struct + Audience []string + Duration time.Duration + ForceProtocol Protocol + InteractionType string + Metadata map[string]any + MissionDescription string + MissionName string + RedirectURI string + Resource string + Scopes []string + State string + Subject string + type AuthResult struct + ConsentURI string + ExpiresAt time.Time + Message string + Metadata map[string]any + PollInterval time.Duration + Protocol Protocol + Scopes []string + Status AuthStatus + StatusURI string + Token string + TokenType string + func (r *AuthResult) IsApproved() bool + func (r *AuthResult) IsPending() bool + type AuthStatus string + const StatusApproved + const StatusDenied + const StatusExpired + const StatusPending + type CacheConfig struct + Enabled bool + MaxSize int + TTL time.Duration + type Config struct + AAuth *AAuthConfig + AgentID string + Cache *CacheConfig + Consent *ConsentConfig + IDJAG *IDJAGConfig + Policy *Policy + func DefaultConfig(agentID string) *Config + func (c *Config) Validate() error + type ConsentConfig struct + ListenAddr string + Mode ConsentMode + OnConsentRequired func(consentURI string) + OpenBrowser bool + PollInterval time.Duration + PollTimeout time.Duration + RedirectURI string + ShowQRCode bool + type ConsentHandler interface + HandleCallback func(ctx context.Context, code, state string) (*AuthResult, error) + ServeHTTP func(w http.ResponseWriter, r *http.Request) + StartConsent func(ctx context.Context, req *AuthRequest) (consentURI string, state string, err error) + type ConsentMode string + const ConsentModeDeferred + const ConsentModeDevice + const ConsentModeRedirect + type HybridProvider struct + func NewHybridProvider(config *Config, opts ...HybridProviderOption) (*HybridProvider, error) + func (h *HybridProvider) Authorize(ctx context.Context, req *AuthRequest) (*AuthResult, error) + func (h *HybridProvider) CheckConsent(ctx context.Context, statusURI string) (*AuthResult, error) + func (h *HybridProvider) ClearCache() + func (h *HybridProvider) GetProviderForScopes(scopes []string) (Protocol, Provider) + func (h *HybridProvider) HTTPClient(ctx context.Context, req *AuthRequest) (*http.Client, error) + func (h *HybridProvider) PolicyMatcher() *PolicyMatcher + func (h *HybridProvider) Protocol() Protocol + func (h *HybridProvider) Revoke(ctx context.Context, token string) error + func (h *HybridProvider) WaitForConsent(ctx context.Context, statusURI string, timeout time.Duration) (*AuthResult, error) + type HybridProviderOption func(*HybridProvider) + func WithAAuthProvider(p Provider) HybridProviderOption + func WithIDJAGProvider(p Provider) HybridProviderOption + type IDJAGConfig struct + Algorithm string + AssertionTTL time.Duration + DefaultAudience []string + Enabled bool + Issuer string + KeyID string + PrivateKey string + TokenEndpoint string + func (c *IDJAGConfig) Validate() error + type IDJAGProvider struct + func NewIDJAGProvider(config *IDJAGConfig, opts ...IDJAGProviderOption) (*IDJAGProvider, error) + func (p *IDJAGProvider) Authorize(ctx context.Context, req *AuthRequest) (*AuthResult, error) + func (p *IDJAGProvider) CheckConsent(ctx context.Context, statusURI string) (*AuthResult, error) + func (p *IDJAGProvider) HTTPClient(ctx context.Context, req *AuthRequest) (*http.Client, error) + func (p *IDJAGProvider) Protocol() Protocol + func (p *IDJAGProvider) Revoke(ctx context.Context, token string) error + func (p *IDJAGProvider) SetPrivateKey(key crypto.PrivateKey) + func (p *IDJAGProvider) WaitForConsent(ctx context.Context, statusURI string, timeout time.Duration) (*AuthResult, error) + type IDJAGProviderOption func(*IDJAGProvider) + func WithIDJAGHTTPClient(client *http.Client) IDJAGProviderOption + func WithIDJAGPrivateKey(key crypto.PrivateKey) IDJAGProviderOption + type Policy struct + AutoScopes []string + DefaultProtocol Protocol + Mode PolicyMode + ScopePolicies []ScopePolicy + SensitiveScopes []string + func DefaultPolicy() *Policy + type PolicyMatcher struct + func NewPolicyMatcher(policy *Policy) *PolicyMatcher + func (m *PolicyMatcher) GetScopePolicy(scope string) *ScopePolicy + func (m *PolicyMatcher) Match(scopes []string) Protocol + func (m *PolicyMatcher) RequiresConsent(scopes []string) bool + func (m *PolicyMatcher) SplitByProtocol(scopes []string) (auto, human []string) + type PolicyMode string + const PolicyModeAuto + const PolicyModeHuman + const PolicyModeHybrid + type Protocol string + const ProtocolAAuth + const ProtocolIDJAG + func DetectTokenProtocol(token string) Protocol + type Provider interface + Authorize func(ctx context.Context, req *AuthRequest) (*AuthResult, error) + CheckConsent func(ctx context.Context, statusURI string) (*AuthResult, error) + HTTPClient func(ctx context.Context, req *AuthRequest) (*http.Client, error) + Protocol func() Protocol + Revoke func(ctx context.Context, token string) error + WaitForConsent func(ctx context.Context, statusURI string, timeout time.Duration) (*AuthResult, error) + type ScopePolicy struct + Description string + InteractionType string + MaxDuration string + Pattern string + Priority int + Protocol Protocol + RequireConsent bool + type TokenClaims struct + Actor *ActorClaims + Audience []string + ExpiresAt time.Time + IssuedAt time.Time + Issuer string + Protocol Protocol + Raw map[string]any + Scopes []string + Subject string + func (c *TokenClaims) HasAnyScope(scopes ...string) bool + func (c *TokenClaims) HasScope(scope string) bool + type TokenRefresher interface + NeedsRefresh func(expiresAt time.Time) bool + Refresh func(ctx context.Context, token string) (*AuthResult, error) + type TokenVerifier struct + func NewTokenVerifier(config *VerifierConfig) *TokenVerifier + func (v *TokenVerifier) AddAAuthIssuer(issuerURL, jwksURL string) + func (v *TokenVerifier) AddIDJAGIssuer(issuerURL, jwksURL string) + func (v *TokenVerifier) GetRequiredProtocol(action string) Protocol + func (v *TokenVerifier) IsSensitiveAction(action string) bool + func (v *TokenVerifier) Verify(ctx context.Context, token string) (*TokenClaims, error) + func (v *TokenVerifier) VerifyForAction(ctx context.Context, token, action string) (*TokenClaims, error) + type VerifierConfig struct + AAuthAudience string + AAuthEnabled bool + AAuthIssuers map[string]string + ActionPolicy map[string]Protocol + CacheTTL time.Duration + DefaultProtocol Protocol + IDJAGAudience string + IDJAGEnabled bool + IDJAGIssuers map[string]string + SensitiveActions []string + func DefaultVerifierConfig() *VerifierConfig v0.1.0 Jun 27, 2026