Overview

Package oauth provides OAuth 2.0 and OIDC authentication functionality.
Constants
const AuthorizationCode = "authorization_code"
AuthorizationCode is the grant type for authorization code
const ResponseTypeCode = "code"
ResponseTypeCode is the response type for code
const TokenEndpointAuthMethodNone = "none"
TokenEndpointAuthMethodNone is the token endpoint auth method for none
const ToolHiveMCPClientName = "ToolHive MCP Client"
ToolHiveMCPClientName is the name of the ToolHive MCP client
const UserAgent = "ToolHive/1.0"
UserAgent is the user agent for the ToolHive MCP client
Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// ClientID is the OAuth client ID
	ClientID string
	// ClientSecret is the OAuth client secret (optional for PKCE flow)
	ClientSecret string
	// RedirectURL is the redirect URL for the OAuth flow
	RedirectURL string
	// AuthURL is the authorization endpoint URL
	AuthURL string
	// TokenURL is the token endpoint URL
	TokenURL string
	// Scopes are the OAuth scopes to request
	Scopes []string
	// UsePKCE enables PKCE (Proof Key for Code Exchange) for enhanced security
	UsePKCE bool
	// CallbackPort is the port for the OAuth callback server (optional, 0 means auto-select)
	CallbackPort int
	// IntrospectionEndpoint is the optional introspection endpoint for validating tokens
	IntrospectionEndpoint string
	// OAuthParams are additional parameters to pass to the authorization URL
	OAuthParams map[string]string
}

Config contains configuration for OAuth authentication.
func CreateOAuthConfigFromOIDC

func CreateOAuthConfigFromOIDC(
	ctx context.Context,
	issuer, clientID, clientSecret string,
	scopes []string,
	usePKCE bool,
	callbackPort int,
) (*Config, error)

CreateOAuthConfigFromOIDC creates an OAuth config from OIDC discovery.

func CreateOAuthConfigManual (added in v0.2.4)

func CreateOAuthConfigManual(
	clientID, clientSecret string,
	authURL, tokenURL string,
	scopes []string,
	usePKCE bool,
	callbackPort int,
	oauthParams map[string]string,
) (*Config, error)

CreateOAuthConfigManual creates an OAuth config with manually provided endpoints.
type DynamicClientRegistrationRequest (added in v0.2.14)

type DynamicClientRegistrationRequest struct {
	// Required field according to RFC 7591
	RedirectURIs []string `json:"redirect_uris"`
	// Essential fields for OAuth flow
	ClientName              string   `json:"client_name,omitempty"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
	GrantTypes              []string `json:"grant_types,omitempty"`
	ResponseTypes           []string `json:"response_types,omitempty"`
	Scopes                  []string `json:"scope,omitempty"`
}

DynamicClientRegistrationRequest represents the request for dynamic client registration (RFC 7591).

func NewDynamicClientRegistrationRequest (added in v0.2.14)

func NewDynamicClientRegistrationRequest(scopes []string, callbackPort int) *DynamicClientRegistrationRequest

NewDynamicClientRegistrationRequest creates a new dynamic client registration request.
type DynamicClientRegistrationResponse (added in v0.2.14)

type DynamicClientRegistrationResponse struct {
	// Required fields
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret,omitempty"`
	// Optional fields that may be returned
	ClientIDIssuedAt        int64  `json:"client_id_issued_at,omitempty"`
	ClientSecretExpiresAt   int64  `json:"client_secret_expires_at,omitempty"`
	RegistrationAccessToken string `json:"registration_access_token,omitempty"`
	RegistrationClientURI   string `json:"registration_client_uri,omitempty"`
	// Echo back the essential request fields
	ClientName              string    `json:"client_name,omitempty"`
	RedirectURIs            []string  `json:"redirect_uris,omitempty"`
	TokenEndpointAuthMethod string    `json:"token_endpoint_auth_method,omitempty"`
	GrantTypes              []string  `json:"grant_types,omitempty"`
	ResponseTypes           []string  `json:"response_types,omitempty"`
	Scopes                  ScopeList `json:"scope,omitempty"`
}

DynamicClientRegistrationResponse represents the response from dynamic client registration (RFC 7591).

func RegisterClientDynamically (added in v0.2.14)

func RegisterClientDynamically(
	ctx context.Context,
	registrationEndpoint string,
	request *DynamicClientRegistrationRequest,
) (*DynamicClientRegistrationResponse, error)

RegisterClientDynamically performs dynamic client registration (RFC 7591).
type Flow

type Flow struct {
	// contains filtered or unexported fields
}

Flow handles the OAuth authentication flow.

func (*Flow) TokenSource (added in v0.0.48)

func (f *Flow) TokenSource() oauth2.TokenSource

TokenSource returns the OAuth2 token source for refreshing tokens.
type OIDCDiscoveryDocument

type OIDCDiscoveryDocument struct {
	Issuer                        string   `json:"issuer"`
	AuthorizationEndpoint         string   `json:"authorization_endpoint"`
	IntrospectionEndpoint         string   `json:"introspection_endpoint,omitempty"`
	TokenEndpoint                 string   `json:"token_endpoint"`
	UserinfoEndpoint              string   `json:"userinfo_endpoint"`
	JWKSURI                       string   `json:"jwks_uri"`
	RegistrationEndpoint          string   `json:"registration_endpoint,omitempty"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}

OIDCDiscoveryDocument represents the OIDC discovery document structure. This is a simplified wrapper around the Zitadel OIDC discovery.

func DiscoverActualIssuer (added in v0.3.0)

func DiscoverActualIssuer(ctx context.Context, metadataURL string) (*OIDCDiscoveryDocument, error)

DiscoverActualIssuer discovers the actual issuer from a URL that might be different from the issuer itself. This is useful when the resource metadata points to a URL that hosts the authorization server metadata but the actual issuer identifier is different (e.g., Stripe's case).

func DiscoverOIDCEndpoints

func DiscoverOIDCEndpoints(ctx context.Context, issuer string) (*OIDCDiscoveryDocument, error)

DiscoverOIDCEndpoints discovers OAuth endpoints from an OIDC issuer.
type ScopeList (added in v0.3.7)

type ScopeList []string

ScopeList represents the "scope" field in a dynamic client registration response. Some servers return this as a space-delimited string per RFC 7591, while others return it as a JSON array of strings. This type normalizes both into a []string.

Examples of supported inputs:

	"openid profile email"       → []string{"openid", "profile", "email"}
	["openid","profile","email"] → []string{"openid", "profile", "email"}
	null                         → nil
	"" or ["", " "]              → nil

func (*ScopeList) UnmarshalJSON (added in v0.3.7)

UnmarshalJSON implements custom decoding for ScopeList. It supports both string and array encodings of the "scope" field, trimming whitespace and normalizing empty values to nil for consistent semantics.
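A worked decoder for the behaviour described above, added here as an illustration and not the project's own UnmarshalJSON. It accepts both scope encodings, rejects anything else (a numeric or object "scope" would otherwise be silently dropped), and normalizes empty results to nil; registrationResponse and decodeScopes are hypothetical helpers that drive it through json.Unmarshal on a constructed response body.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// ScopeList normalizes the RFC 7591 "scope" field, which servers return
// either as a space-delimited string or as a JSON array of strings.
type ScopeList []string
// UnmarshalJSON accepts both encodings, trims every scope and normalizes
// empty results (null, "", [""," "]) to nil so callers see one shape.
func (s *ScopeList) UnmarshalJSON(data []byte) error {
	trimmed := strings.TrimSpace(string(data))
	var raw []string
	switch {
	case trimmed == "null": // encoding/json hands null to Unmarshalers
	case strings.HasPrefix(trimmed, `"`):
		var str string
		if err := json.Unmarshal(data, &str); err != nil {
			return fmt.Errorf("scope: bad string: %w", err)
		}
		raw = strings.Fields(str)
	case strings.HasPrefix(trimmed, "["):
		if err := json.Unmarshal(data, &raw); err != nil {
			return fmt.Errorf("scope: bad array: %w", err)
		}
	default:
		return fmt.Errorf("scope: expected string or array, got %s", trimmed)
	}
	var out []string
	for _, sc := range raw {
		if sc = strings.TrimSpace(sc); sc != "" {
			out = append(out, sc)
		}
	}
	*s = out // stays nil when nothing survives trimming
	return nil
}
// registrationResponse (hypothetical name) is a constructed subset of the
// RFC 7591 response so the decoder runs through json.Unmarshal.
type registrationResponse struct {
	ClientID string    `json:"client_id"`
	Scopes   ScopeList `json:"scope,omitempty"`
}
// decodeScopes parses a registration response body and returns its scopes.
func decodeScopes(body string) (ScopeList, error) {
	var resp registrationResponse
	err := json.Unmarshal([]byte(body), &resp)
	return resp.Scopes, err
}
```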