Documentation
Overview
Package cimd implements fetching and validation of OAuth 2.0 Client ID Metadata Documents (CIMD) per draft-ietf-oauth-client-id-metadata-document.
This package is a sub-package of pkg/oauthproto and is allowed to import pkg/networking (for SSRF utilities) without violating the leaf-package invariant of the parent package.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func ValidateClientMetadataDocument
func ValidateClientMetadataDocument(doc *ClientMetadataDocument, fetchedFrom string) error
ValidateClientMetadataDocument validates a parsed ClientMetadataDocument against the URL it was fetched from. Per the CIMD draft, the client_id field must be exactly equal to that URL: the comparison is a plain string comparison with no URL normalization (no case folding of the scheme or host, no dropping of the default port, no resolution of dot segments) applied to either side. Normalization is deliberately not supported because it would make distinct strings compare equal, letting a document hosted at URL A claim the identity of a different URL B that merely normalizes to the same value.
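The program below is an added example, not code from this package: it re-implements the exact-match rule with a deliberately trimmed stand-in for ClientMetadataDocument (only client_id and redirect_uris, the two fields marked Required), and contrasts it with normalizedEqual, a hypothetical RFC 3986-style comparison written here only to show what the rule forbids. Every variant in the list differs from the fetched URL as a string but compares equal once normalized, which is exactly the loophole the strict comparison closes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ClientMetadataDocument models only the fields this check needs (assumption:
// the real type carries the full field set listed under Types).
type ClientMetadataDocument struct {
	ClientID     string   `json:"client_id"`
	RedirectURIs []string `json:"redirect_uris"`
}

var (
	ErrClientIDMismatch   = errors.New("cimd: client_id does not equal the URL the document was fetched from")
	ErrMissingRedirectURI = errors.New("cimd: redirect_uris is required")
)

// validateClientMetadataDocument is an illustrative re-implementation of the
// rule above: plain string equality, no URL parsing or normalization at all.
func validateClientMetadataDocument(doc *ClientMetadataDocument, fetchedFrom string) error {
	if doc == nil {
		return errors.New("cimd: nil document")
	}
	if doc.ClientID != fetchedFrom {
		return fmt.Errorf("%w: client_id=%q url=%q", ErrClientIDMismatch, doc.ClientID, fetchedFrom)
	}
	if len(doc.RedirectURIs) == 0 {
		return ErrMissingRedirectURI
	}
	return nil
}

// normalizedEqual is the tempting alternative the rule forbids: RFC 3986-style
// equivalence (case-insensitive scheme and host, default port dropped, dot
// segments resolved). It exists only to show which spoofed identities it accepts.
func normalizedEqual(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil {
		return false
	}
	norm := func(u *url.URL) string {
		host := strings.ToLower(u.Hostname())
		if p := u.Port(); p != "" && p != "443" {
			host += ":" + p
		}
		return strings.ToLower(u.Scheme) + "://" + host + path.Clean("/"+u.Path)
	}
	return norm(ua) == norm(ub)
}

func main() {
	fetched := "https://app.example.com/oauth/client.json" // constructed sample URL
	redirects := []string{"https://app.example.com/cb"}
	for _, claimed := range []string{
		fetched,                                              // identical: the only accepted form
		"https://APP.example.com/oauth/client.json",          // host case differs
		"https://app.example.com:443/oauth/client.json",      // explicit default port
		"https://app.example.com/oauth/client.json/",         // trailing slash
		"https://app.example.com/oauth/./client.json",        // dot segment
		"https://app.example.com/oauth/../oauth/client.json", // dot-dot segment
	} {
		doc := &ClientMetadataDocument{ClientID: claimed, RedirectURIs: redirects}
		err := validateClientMetadataDocument(doc, fetched)
		fmt.Printf("%-52s exact=%-5v normalized=%v\n", claimed, err == nil, normalizedEqual(claimed, fetched))
	}
}
```

Only the first row passes the exact check; all six pass normalizedEqual. That gap is the point: an authorization server keying consent records, logs or allow-lists on client_id must see one string per identity, and any normalization step reintroduces ambiguity an attacker can choose.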
Types
type ClientMetadataDocument
type ClientMetadataDocument struct {
	// Required
	ClientID     string   `json:"client_id"`
	RedirectURIs []string `json:"redirect_uris"`
	// Recommended
	ClientName string `json:"client_name,omitempty"`
	LogoURI    string `json:"logo_uri,omitempty"`
	ClientURI  string `json:"client_uri,omitempty"`
	// Optional
	TosURI                  string   `json:"tos_uri,omitempty"`
	PolicyURI               string   `json:"policy_uri,omitempty"`
	GrantTypes              []string `json:"grant_types,omitempty"`
	ResponseTypes           []string `json:"response_types,omitempty"`
	Scope                   string   `json:"scope,omitempty"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
	ApplicationType         string   `json:"application_type,omitempty"`
	PostLogoutRedirectURIs  []string `json:"post_logout_redirect_uris,omitempty"`
}
ClientMetadataDocument represents an OAuth 2.0 Client ID Metadata Document per draft-ietf-oauth-client-id-metadata-document.
func FetchClientMetadataDocument
func FetchClientMetadataDocument(ctx context.Context, rawURL string) (*ClientMetadataDocument, error)
FetchClientMetadataDocument fetches and validates a Client ID Metadata Document from the given URL. The URL must use the HTTPS scheme (http://localhost is accepted in development). The document is fetched with a 5-second timeout, at most one redirect hop, a 10 KB cap on the response body, and SSRF protection enforced per dial on the IP address actually being connected to, so the check also covers the address a redirect target or a DNS answer resolves to, not only the hostname in the original URL. After fetching, ValidateClientMetadataDocument is called and any validation error is returned to the caller.
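As an added example (not the package's own code), the fetcher below implements the same set of controls with the Go standard library: scheme check, 5-second timeout, a single redirect hop via http.Client.CheckRedirect, the body cap via io.LimitReader, and the per-dial IP check in net.Dialer.Control, which runs on the resolved address of every connection. The devMode parameter, the acceptance of 127.0.0.1 and ::1 alongside localhost, the trimmed ClientMetadataDocument type, and the httptest server with its /client.json, /spoof.json, /big.json and /loop routes are all assumptions made for this example so that it runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"syscall"
	"time"
)

const fetchTimeout, maxRedirects, maxBodyBytes = 5 * time.Second, 1, 10 * 1024
type ClientMetadataDocument struct { // required fields only; the real type has more
	ClientID     string   `json:"client_id"`
	RedirectURIs []string `json:"redirect_uris"`
}

// newClient applies the limits described above. The SSRF check runs in the dialer's Control hook, on
// the resolved IP of every connection (redirect hops included), not on the hostname the caller passed.
// devMode (an assumption of this example) switches it off so a local test server can be used.
func newClient(devMode bool) *http.Client {
	d := &net.Dialer{Timeout: fetchTimeout, Control: func(_, address string, _ syscall.RawConn) error {
		a, err := netip.ParseAddrPort(address)
		ip := a.Addr().Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
		if !devMode && (err != nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()) {
			return fmt.Errorf("cimd: refusing to dial %s", address) // 127/8, 10/8, 169.254.169.254, ...
		}
		return nil
	}}
	return &http.Client{
		Timeout:   fetchTimeout, // covers DNS, connect, TLS, headers and body
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(_ *http.Request, via []*http.Request) error {
			if len(via) > maxRedirects {
				return fmt.Errorf("cimd: more than %d redirect", maxRedirects)
			}
			return nil
		},
	}
}

func fetchClientMetadataDocument(ctx context.Context, rawURL string, devMode bool) (*ClientMetadataDocument, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	// Assumption: in devMode http://localhost, http://127.0.0.1 and http://[::1] all qualify for the localhost exception.
	if h := req.URL.Hostname(); req.URL.Scheme != "https" &&
		!(devMode && req.URL.Scheme == "http" && (h == "localhost" || h == "127.0.0.1" || h == "::1")) {
		return nil, fmt.Errorf("cimd: client_id URL must be https: %q", rawURL)
	}
	resp, err := newClient(devMode).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Read one byte past the cap so an oversize document is rejected rather than silently truncated.
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBodyBytes+1))
	if err != nil || resp.StatusCode != http.StatusOK || len(body) > maxBodyBytes {
		return nil, fmt.Errorf("cimd: rejected response: status=%d readErr=%v bytes=%d cap=%d", resp.StatusCode, err, len(body), maxBodyBytes)
	}
	var doc ClientMetadataDocument
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	if doc.ClientID != rawURL { // exact match against the requested URL; no normalization
		return nil, fmt.Errorf("cimd: client_id %q does not equal fetched URL %q", doc.ClientID, rawURL)
	}
	return &doc, nil
}

// newTestServer is a constructed stand-in for a client's web host, not a real endpoint.
func newTestServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := "http://" + r.Host + "/client.json"
		switch r.URL.Path {
		case "/client.json", "/spoof.json": // spoof.json claims client.json's identity
			fmt.Fprintf(w, `{"client_id":%q,"redirect_uris":["http://%s/cb"]}`, id, r.Host)
		case "/big.json": // valid JSON padded past the 10 KB cap (%11000s emits 11000 spaces)
			fmt.Fprintf(w, `{"client_id":%q,"redirect_uris":["x"],"client_name":"%11000s"}`, id, "")
		case "/loop": // redirects to itself; the second hop trips the 1-hop limit
			http.Redirect(w, r, "/loop", http.StatusFound)
		}
	}))
}

func main() {
	srv := newTestServer()
	defer srv.Close()
	for _, p := range []string{"/client.json", "/spoof.json", "/big.json", "/loop"} {
		doc, err := fetchClientMetadataDocument(context.Background(), srv.URL+p, true)
		fmt.Printf("%-12s doc=%+v err=%v\n", p, doc, err)
	}
}
```

Placing the check in Control rather than on the parsed hostname matters because the hostname is not what gets connected to: a name that resolves to 169.254.169.254, a redirect to an internal host, or an IPv4-mapped IPv6 literal all reach the hook as the concrete address, and Unmap() keeps the mapped form from slipping past the IPv4 range tests. Outside devMode the same fetcher refuses https://127.0.0.1:1/client.json at dial time before any packet is sent.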