authentication

package
v1.0.0-preupgrade Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 14, 2026 License: MIT Imports: 7 Imported by: 0

README

Authentication Package

OAuth 2.0 authentication providers for gRPC connections in Chainlink Canton. Supports Authorization Code Flow ( interactive user login) and Client Credentials Flow (machine-to-machine).

Quick Start

Client Credentials

For server-to-server authentication:

import "github.com/smartcontractkit/chainlink-canton/deployment/authentication/clientcredentials"

provider, err := clientcredentials.NewDiscoveryProvider(
    ctx,
    "https://auth.example.com",
    "client-id",
    "client-secret",
)
Authorization Code (Interactive Login)

For user login flows:

import "github.com/smartcontractkit/chainlink-canton/deployment/authentication/authorizationcode"

provider, err := authorizationcode.NewDiscoveryProvider(
    ctx,
    "https://auth.example.com",
    "client-id",
)

Authorization Code Flow

For interactive user authentication via browser login. Requires OAuth server to support PKCE with S256 challenge method. Automatically handles state validation to prevent CSRF attacks. By default, automatically opens the authorization URL in your browser.

Metadata Discovery

Automatically discovers authorization and token endpoints via RFC 8414:

import "github.com/smartcontractkit/chainlink-canton/deployment/authentication/authorizationcode"

provider, err := authorizationcode.NewDiscoveryProvider(
    ctx,
    "https://auth.example.com",
    "client-id",
    authorizationcode.WithScopes("daml_ledger_api", "offline_access"),
    authorizationcode.WithOpenBrowser(false), // Disables automatically opening the login URL in the default browser
)
Direct Configuration

If metadata discovery is unavailable:

provider, err := authorizationcode.NewProvider(
    ctx,
    "https://auth.example.com/oauth/authorize",
    "https://auth.example.com/oauth/token",
    "client-id",
)

Additional options are available via the functional options pattern (see package documentation for WithScopes, WithCallbackURL, WithOpenBrowser, etc).

Client Credentials Flow

For server-to-server authentication. Ideal for automated systems, CI/CD pipelines, and service-to-service communication.

Metadata Discovery

Automatically discovers token endpoint via RFC 8414:

import "github.com/smartcontractkit/chainlink-canton/deployment/authentication/clientcredentials"

provider, err := clientcredentials.NewDiscoveryProvider(
    ctx,
    "https://auth.example.com",
    "client-id",
    "client-secret",
    clientcredentials.WithScopes("daml_ledger_api", "admin"),
)
Direct Configuration

If metadata discovery is unavailable:

provider, err := clientcredentials.NewProvider(
    ctx,
    "https://auth.example.com/oauth/token",
    "client-id",
    "client-secret",
)

Additional options are available via the functional options pattern (see package documentation for WithScopes, WithTransportCredentials, etc).

Token Management

Both providers automatically handle token lifecycle management: caching, automatic refresh, and thread-safe operations.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthorizationServerMetadata

type AuthorizationServerMetadata struct {
	// The authorization server's issuer identifier, which is a URL.
	// Contrary to RFC 8414, this is not checked to be using the "https" scheme.
	Issuer string `json:"issuer"`
	// URL of the authorization server's authorization endpoint.
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	// URL of the authorization server's token endpoint.
	TokenEndpoint string `json:"token_endpoint"`
	// JSON array containing a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by this
	// authorization server. If omitted, the authorization server does not support PKCE.
	// See RFC 7636, Section 4.3 for valid values:
	// https://datatracker.ietf.org/doc/html/rfc7636#section-4.2
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}

AuthorizationServerMetadata represents a subset of the metadata provided by an OAuth 2.0 Authorization Server. See RFC 8414, Section 2 for the full specification: https://datatracker.ietf.org/doc/html/rfc8414#section-2

func GetAuthorizationServerMetadata

func GetAuthorizationServerMetadata(ctx context.Context, authorizationServerURL string) (*AuthorizationServerMetadata, error)

GetAuthorizationServerMetadata retrieves the OAuth 2.0 authorization server's metadata from the well-known endpoint.

Directories

Path Synopsis
Package authorizationcode provides OAuth2 authorization code flow authentication for gRPC connections.
Package authorizationcode provides OAuth2 authorization code flow authentication for gRPC connections.
Package clientcredentials provides OAuth2 client credentials flow authentication for gRPC connections.
Package clientcredentials provides OAuth2 client credentials flow authentication for gRPC connections.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL