authzenclient

package

v0.5.0 Latest Latest Go to latest Published: May 15, 2026 License: BSD-2-Clause-Views Imports: 10 Imported by: 4

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/sirosfoundation/go-trust

Links

Open Source Insights

Documentation ¶

Overview ¶

This package implements a client for making AuthZEN trust evaluation requests to a Policy Decision Point (PDP) server. It supports:

Discovery via .well-known/authzen-configuration endpoint
Trust evaluation requests (/evaluation endpoint)
Resolution-only requests for DID/metadata resolution
Configurable HTTP transport with timeouts and retries

Basic Usage ¶

Create a client with a known PDP URL:

client := authzenclient.New("https://pdp.example.com")
resp, err := client.Evaluate(ctx, &authzen.EvaluationRequest{
    Subject:  authzen.Subject{Type: "key", ID: "did:web:example.com"},
    Resource: authzen.Resource{Type: "jwk", ID: "did:web:example.com", Key: []interface{}{jwk}},
})

Discovery ¶

Use discovery to automatically find the evaluation endpoint:

client, err := authzenclient.Discover(ctx, "https://pdp.example.com")
if err != nil {
    log.Fatal(err)
}
resp, err := client.Evaluate(ctx, req)

Resolution-Only Requests ¶

To resolve DID documents or entity configurations without key validation:

resp, err := client.Resolve(ctx, "did:web:example.com")
if resp.Decision {
    didDoc := resp.Context.TrustMetadata
}

This package is designed to have minimal dependencies on other packages in go-trust, only importing the authzen types package.

Index ¶

Constants
func NewAction(name string) *authzen.Action
func NewActionWithCredentialTypes(name string, credentialTypes ...string) *authzen.Action
func NewActionWithParameters(name string, params map[string]interface{}) *authzen.Action
func ParseBaseURL(rawURL string) (string, error)
type Client
- func Discover(ctx context.Context, baseURL string, opts ...Option) (*Client, error)
- func New(baseURL string, opts ...Option) *Client
type EvaluationError
- func IsEvaluationError(err error) (*EvaluationError, bool)
- func (e *EvaluationError) Error() string
type Option

Constants ¶

View Source

const (
	// DefaultTimeout is the default HTTP request timeout.
	DefaultTimeout = 30 * time.Second

	// WellKnownPath is the discovery endpoint path.
	WellKnownPath = "/.well-known/authzen-configuration"

	// DefaultEvaluationPath is the default evaluation endpoint path.
	DefaultEvaluationPath = "/evaluation"
)

Variables ¶

This section is empty.

Functions ¶

func NewAction ¶ added in v0.4.0

func NewAction(name string) *authzen.Action

NewAction creates a new Action with the given name.

func NewActionWithCredentialTypes ¶ added in v0.4.0

func NewActionWithCredentialTypes(name string, credentialTypes ...string) *authzen.Action

NewActionWithCredentialTypes creates an Action with credential_types in parameters. This is commonly used when evaluating trust for credential issuers or verifiers to specify which SD-JWT VCT values (credential types) are being requested.

Example:

action := authzenclient.NewActionWithCredentialTypes("credential-issuer",
    "eu.europa.ec.eudi.pid.1", "eu.europa.ec.eudi.mdl.1")

func NewActionWithParameters ¶ added in v0.4.0

func NewActionWithParameters(name string, params map[string]interface{}) *authzen.Action

NewActionWithParameters creates an Action with custom parameters. This is useful for setting arbitrary action.parameters values.

Example:

action := authzenclient.NewActionWithParameters("authenticate",
    map[string]interface{}{
        "credential_types": []string{"eu.europa.ec.eudi.pid.1"},
        "query": dcqlQuery,
    })

func ParseBaseURL ¶

func ParseBaseURL(rawURL string) (string, error)

ParseBaseURL parses and validates a PDP base URL.

Types ¶

type Client ¶

type Client struct {
	// BaseURL is the base URL of the PDP server.
	BaseURL string

	// EvaluationEndpoint is the URL for the evaluation endpoint.
	// If empty, BaseURL + DefaultEvaluationPath is used.
	EvaluationEndpoint string

	// HTTPClient is the underlying HTTP client. If nil, a default client is used.
	HTTPClient *http.Client

	// Metadata contains the discovered PDP metadata, if discovery was used.
	Metadata *authzen.PDPMetadata
}

Client is an AuthZEN PDP client.

func Discover ¶

func Discover(ctx context.Context, baseURL string, opts ...Option) (*Client, error)

Discover creates a new AuthZEN client by discovering the PDP configuration from the .well-known/authzen-configuration endpoint.

func New ¶

func New(baseURL string, opts ...Option) *Client

New creates a new AuthZEN client with the given base URL.

func (*Client) Evaluate ¶

func (c *Client) Evaluate(ctx context.Context, req *authzen.EvaluationRequest) (*authzen.EvaluationResponse, error)

Evaluate sends a trust evaluation request to the PDP.

func (*Client) EvaluateJWK ¶

func (c *Client) EvaluateJWK(ctx context.Context, subjectID string, jwk map[string]interface{}, action *authzen.Action) (*authzen.EvaluationResponse, error)

EvaluateJWK is a convenience method for evaluating a JWK.

func (*Client) EvaluateRaw ¶

func (c *Client) EvaluateRaw(ctx context.Context, req *authzen.EvaluationRequest) (*authzen.EvaluationResponse, error)

EvaluateRaw sends a trust evaluation request without client-side validation. Use this if you need to send requests that may not pass strict validation.

func (*Client) EvaluateX5C ¶

func (c *Client) EvaluateX5C(ctx context.Context, subjectID string, certChain []string, action *authzen.Action) (*authzen.EvaluationResponse, error)

EvaluateX5C is a convenience method for evaluating an X.509 certificate chain.

func (*Client) Resolve ¶

func (c *Client) Resolve(ctx context.Context, subjectID string) (*authzen.EvaluationResponse, error)

Resolve sends a resolution-only request to retrieve trust metadata (DID document, entity configuration, etc.) without key validation.

func (*Client) ResolveWithAction ¶

func (c *Client) ResolveWithAction(ctx context.Context, subjectID, actionName string) (*authzen.EvaluationResponse, error)

ResolveWithAction sends a resolution-only request with an action constraint.

type EvaluationError ¶

type EvaluationError struct {
	StatusCode int
	Body       string
}

EvaluationError represents an error response from the PDP.

func IsEvaluationError ¶

func IsEvaluationError(err error) (*EvaluationError, bool)

IsEvaluationError checks if an error is an EvaluationError and returns it.

func (*EvaluationError) Error ¶

func (e *EvaluationError) Error() string

type Option ¶

type Option func(*Client)

Option configures a Client.

func WithEvaluationEndpoint ¶

func WithEvaluationEndpoint(endpoint string) Option

WithEvaluationEndpoint sets a custom evaluation endpoint URL.

func WithHTTPClient ¶

func WithHTTPClient(c *http.Client) Option

WithHTTPClient sets a custom HTTP client.

func WithTimeout ¶

func WithTimeout(d time.Duration) Option

WithTimeout sets the HTTP client timeout.

Source Files ¶

View all Source files

client.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL