Documentation
Overview
Package tokensource provides a shared OIDC-backed OAuth token source used by both the LLM gateway client and the registry authentication client.
The shared OAuthTokenSource implements a four-tier token strategy:
1. In-memory cached oauth2.TokenSource (auto-refreshes transparently)
2. Secrets-provider cached access token (cross-process reuse to avoid racing)
3. Refresh token stored in the secrets provider (restores across CLI invocations)
4. Browser-based OIDC+PKCE flow (only when Interactive is true)
Callers parameterise the source via Options: an OIDC config struct, a key provider function (which determines the secrets-provider key and its prefix), and a ConfigPersister callback that persists the token reference into the application config.
Functions
func DeriveSecretKey
DeriveSecretKey computes a secrets-provider key for an OAuth refresh token. The formula is <prefix><8 hex chars>, where the hex is the first 4 bytes of sha256(resourceURL + "\x00" + issuer), i.e. sha256(resourceURL + "\x00" + issuer)[:4] hex-encoded.
func EnsureOfflineAccess
EnsureOfflineAccess returns scopes with "offline_access" appended if absent. This scope is required for the provider to return a refresh token.
func LLMAccessTokenEnvVar (added in v0.26.1)
LLMAccessTokenEnvVar returns the environment-variable name under which the environment secrets provider expects a cached LLM access token for the given gateway and issuer URLs. The format is:
    TOOLHIVE_SECRET___thv_llm_<DeriveSecretKey("LLM_OAUTH_", gateway, issuer)>_AT
This is the canonical source of truth for the key construction, used by both the proxy/token commands and the e2e tests that inject fake tokens.
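As an added illustration of the key and variable-name construction described above (example code written here, not the tokensource package's own implementation), the following assumes DeriveSecretKey takes (prefix, resourceURL, issuer) in that order, as the format line suggests; the gateway and issuer URLs are constructed sample values:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DeriveSecretKey follows the documented formula: <prefix><8 hex chars>, where the
// hex is the first 4 bytes of sha256(resourceURL + "\x00" + issuer). The NUL
// separator keeps ("a", "bc") and ("ab", "c") from hashing to the same key.
func DeriveSecretKey(prefix, resourceURL, issuer string) string {
	sum := sha256.Sum256([]byte(resourceURL + "\x00" + issuer))
	return prefix + hex.EncodeToString(sum[:4])
}

// LLMAccessTokenEnvVar builds the environment-variable name the environment
// secrets provider expects for a cached LLM access token.
func LLMAccessTokenEnvVar(gateway, issuer string) string {
	return "TOOLHIVE_SECRET___thv_llm_" + DeriveSecretKey("LLM_OAUTH_", gateway, issuer) + "_AT"
}

// EnsureOfflineAccess appends "offline_access" only when it is absent, so the
// provider is asked for a refresh token without duplicating the scope.
func EnsureOfflineAccess(scopes []string) []string {
	for _, s := range scopes {
		if s == "offline_access" {
			return scopes
		}
	}
	return append(scopes, "offline_access")
}

func main() {
	// Constructed sample URLs; real deployments use their own gateway and issuer.
	gateway := "https://llm-gateway.example.internal"
	issuer := "https://issuer.example.internal/realms/dev"
	fmt.Println("refresh-token key:", DeriveSecretKey("LLM_OAUTH_", gateway, issuer))
	fmt.Println("access-token env var:", LLMAccessTokenEnvVar(gateway, issuer))
	fmt.Println("scopes:", EnsureOfflineAccess([]string{"openid", "profile"}))
}
```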
Types
type ConfigPersister
ConfigPersister is called when the refresh token key or expiry changes — after a successful browser flow (initial login) or when the OIDC provider rotates the refresh token during a refresh. Callers wire this to their config persistence layer. It is NOT called on routine access-token refreshes where the refresh token is unchanged.
type OAuthTokenSource
type OAuthTokenSource struct {
	// contains filtered or unexported fields
}
OAuthTokenSource provides OIDC-backed access tokens via a four-tier strategy. It is safe for concurrent use.
func New
func New(opts Options) *OAuthTokenSource
New creates an OAuthTokenSource from the given Options. It panics if opts.KeyProvider is nil, as this is a required field. If opts.OIDC.CallbackPort is zero, it defaults to remote.DefaultCallbackPort.
type OIDCParams
type OIDCParams struct {
	Issuer       string
	ClientID     string
	Scopes       []string // "offline_access" is appended automatically if absent
	Audience     string
	CallbackPort int
}
OIDCParams holds the OIDC connection parameters for a token source.
type Options
type Options struct {
	OIDC OIDCParams
	// SecretsProvider is used to persist and restore refresh and access tokens.
	// May be nil; in that case tier 2/3 return an actionable error rather than
	// the FallbackErr, so the caller sees the real cause.
	SecretsProvider secrets.Provider
	// Interactive controls whether the browser OIDC+PKCE flow is allowed.
	Interactive bool
	// KeyProvider returns the secrets-provider key for the refresh token.
	// May be called multiple times per Token() invocation; must be deterministic
	// and free of side effects. Typically returns a cached config ref if set,
	// otherwise derives a key from url+issuer.
	KeyProvider func() string
	// ConfigPersister is called when a new refresh token is persisted (login or
	// rotation). May be nil to skip config persistence.
	ConfigPersister ConfigPersister
	// FallbackErr is returned in non-interactive mode when no cached credentials
	// exist and no actionable lastErr is available. Defaults to a generic error.
	FallbackErr error
}
Options configures an OAuthTokenSource.