Documentation
Overview
Package upstreamtoken provides a service for managing upstream IDP token lifecycle, including transparent refresh of expired access tokens.
Constants
const TokenSessionIDClaimKey = "tsid"
TokenSessionIDClaimKey is the JWT claim key for the token session ID. This links JWT access tokens to stored upstream IDP tokens. We use "tsid" instead of "sid" to avoid confusion with OIDC session management which defines "sid" for different purposes (RFC 7519, OIDC Session Management).
Variables
var (
	// ErrSessionNotFound indicates no upstream tokens exist for the session.
	ErrSessionNotFound = errors.New("upstream tokens not found for session")
	// ErrNoRefreshToken indicates the access token is expired but no refresh
	// token is available to perform a refresh.
	ErrNoRefreshToken = errors.New("no refresh token available")
	// ErrRefreshFailed indicates a refresh failure (e.g., the
	// refresh token was revoked by the upstream IDP).
	ErrRefreshFailed = errors.New("upstream token refresh failed")
	// ErrInvalidBinding indicates token binding validation failed (e.g.,
	// subject or client ID mismatch between the stored token and the session).
	ErrInvalidBinding = errors.New("upstream token binding validation failed")
)
Sentinel errors returned by Service.GetValidTokens.
Functions
This section is empty.
Types
type InProcessService
type InProcessService struct {
// contains filtered or unexported fields
}
InProcessService implements the Service interface for in-process use. It composes storage (read), refresher (refresh + persist), and singleflight (dedup) to provide a single GetValidTokens call.
func NewInProcessService
func NewInProcessService(
	stor storage.UpstreamTokenStorage,
	refresher storage.UpstreamTokenRefresher,
) *InProcessService
NewInProcessService creates a new InProcessService. The refresher may be nil if upstream token refresh is not configured; expired tokens will return ErrNoRefreshToken in that case.
func (*InProcessService) GetValidTokens
func (s *InProcessService) GetValidTokens(ctx context.Context, sessionID string) (*UpstreamCredential, error)
GetValidTokens returns a valid upstream credential for a session. It transparently refreshes expired access tokens using the refresh token.
type Service
type Service interface {
// GetValidTokens returns a valid upstream credential for a session.
// It transparently refreshes expired access tokens using the refresh token.
//
// Returns:
// - *UpstreamCredential on success
// - ErrSessionNotFound if no upstream tokens exist for the session
// - ErrNoRefreshToken if the access token is expired and no refresh token is available
// - ErrRefreshFailed if the refresh attempt fails (e.g., revoked refresh token)
GetValidTokens(ctx context.Context, sessionID string) (*UpstreamCredential, error)
}
Service owns the upstream token lifecycle: read, refresh, error handling.
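As an added illustration, not code from the upstreamtoken package, here is a minimal in-process Service in the shape the docs describe: map-backed storage, a refresher that may be nil, an injectable clock, and a mutex standing in for singleflight's dedup role, returning the documented sentinel errors. The StoredToken fields, the refresher signature and the clock hook are assumptions; the real storage types are not shown on this page.

```go
package main
import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)
// Sentinel errors, mirroring those documented for Service.GetValidTokens.
var (
	ErrSessionNotFound = errors.New("upstream tokens not found for session")
	ErrNoRefreshToken  = errors.New("no refresh token available")
	ErrRefreshFailed   = errors.New("upstream token refresh failed")
)
// StoredToken stands in for the storage.UpstreamTokenStorage record (fields assumed).
type StoredToken struct {
	AccessToken, RefreshToken string
	ExpiresAt                 time.Time
}
// Service keeps a map as storage, a refresher (may be nil: refresh not configured)
// standing in for storage.UpstreamTokenRefresher, an injectable clock, and one mutex
// so a later caller sees the persisted refresh instead of starting its own (dedup).
type Service struct {
	mu        sync.Mutex
	store     map[string]*StoredToken
	refresher func(ctx context.Context, refreshToken string) (string, time.Time, error)
	now       func() time.Time
}
// GetValidTokens returns a usable access token, calling upstream only on expiry.
func (s *Service) GetValidTokens(ctx context.Context, sessionID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok, ok := s.store[sessionID]
	if !ok {
		return "", ErrSessionNotFound
	}
	if s.now().Before(tok.ExpiresAt) {
		return tok.AccessToken, nil // still valid: no upstream round trip
	}
	if tok.RefreshToken == "" || s.refresher == nil {
		return "", ErrNoRefreshToken
	}
	access, exp, err := s.refresher(ctx, tok.RefreshToken)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRefreshFailed, err)
	}
	tok.AccessToken, tok.ExpiresAt = access, exp // persist before returning
	return access, nil
}
```

Because the refreshed token is persisted under the lock, a second call for the same session finds a valid token and makes no further upstream request, which is the behaviour the package gets from singleflight.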
type UpstreamCredential
type UpstreamCredential struct {
AccessToken string
}
UpstreamCredential is the opaque result of GetValidTokens. The caller only needs the access token to inject into upstream requests.