Documentation
¶
Overview ¶
Package mtls implements OAuth 2.0 Mutual-TLS client authentication and certificate-bound access tokens (RFC 8705).
It provides:
- Middleware to extract the client TLS certificate from the request
- Client authentication using mTLS (Section 3)
- Certificate-bound access tokens (Section 3.1, cnf.x5t#S256)
- Introspection binding verification (Section 6)
Index ¶
- func AuthenticateClient(r *http.Request, clientID string) (bool, error)
- func CNFClaim(cert *x509.Certificate) map[string]any
- func CertThumbprint(cert *x509.Certificate) string
- func ClientCertFromContext(ctx context.Context) *x509.Certificate
- func ClientCertMiddleware(next http.Handler) http.Handler
- func ContextWithClientCert(ctx context.Context, cert *x509.Certificate) context.Context
- func ExtractClientIDFromCert(cert *x509.Certificate) string
- func RequireClientCertMiddleware(next http.Handler) http.Handler
- func ValidateCertChain(cert *x509.Certificate, roots *x509.CertPool) error
- type Plugin
- func (p *Plugin) Category() storm.PluginCategory
- func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
- func (p *Plugin) Middleware(next http.Handler) http.Handler
- func (p *Plugin) Name() string
- func (p *Plugin) Register(r chi.Router)
- func (p *Plugin) Requires() []string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthenticateClient ¶
AuthenticateClient authenticates the client using the TLS client certificate per RFC 8705 Section 3. It checks that a certificate was presented and extracts the client ID. Certificate chain validation is the responsibility of the TLS layer (for tls_client_auth) or should be done separately via ValidateCertChain (for self_signed_tls_client_auth).
func CNFClaim ¶
func CNFClaim(cert *x509.Certificate) map[string]any
CNFClaim returns the cnf claim for certificate-bound tokens (RFC 8705 §3.1).
func CertThumbprint ¶
func CertThumbprint(cert *x509.Certificate) string
CertThumbprint computes the SHA-256 thumbprint of a certificate as a base64url-encoded string (RFC 8705 §3.1, x5t#S256).
func ClientCertFromContext ¶
func ClientCertFromContext(ctx context.Context) *x509.Certificate
ClientCertFromContext retrieves the client certificate from the context. Returns nil if no certificate was presented.
func ClientCertMiddleware ¶
ClientCertMiddleware extracts the client certificate from the TLS connection and stores it in the request context.
This middleware should be applied to all routes that need to check client certificates. It does NOT enforce that a certificate is present; individual handlers decide whether to require one.
func ContextWithClientCert ¶
ContextWithClientCert stores the client certificate in the request context.
func ExtractClientIDFromCert ¶
func ExtractClientIDFromCert(cert *x509.Certificate) string
ExtractClientIDFromCert extracts the client ID from a certificate. Checks the CommonName first, then the SAN URI.
func RequireClientCertMiddleware ¶
RequireClientCertMiddleware rejects requests without a valid client certificate.
func ValidateCertChain ¶
func ValidateCertChain(cert *x509.Certificate, roots *x509.CertPool) error
ValidateCertChain verifies the certificate chain against trusted roots.
Types ¶
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin implements mTLS client authentication and certificate-bound tokens.
func NewWithEndpointResolver ¶ added in v2.2.0
func NewWithEndpointResolver(resolver shared.EndpointResolver) *Plugin
NewWithEndpointResolver creates a new mTLS plugin with an endpoint resolver.
func (*Plugin) Category ¶
func (p *Plugin) Category() storm.PluginCategory
Category returns CategoryStandard — mTLS is optional.
func (*Plugin) Contribute ¶
func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
Contribute returns discovery fields for mTLS.
func (*Plugin) Middleware ¶
Middleware implements storm.MiddlewareProvider. It extracts the client TLS certificate from the connection and stores it in the request context.
Source Files