Documentation

Overview
Package jwtbearer provides an OAuth 2.0 JWT Bearer Grant (RFC 7523) implementation. It exchanges a JWT assertion (such as an ID-JAG) for an access token at a target authorization server.
Index

Constants: this section is empty.
Variables: this section is empty.
Functions: this section is empty.

Types

type Config
type Config struct {
// TokenURL is the target authorization server's token endpoint (required).
TokenURL string
// ClientID is the OAuth client identifier at the target AS. When both ClientID
// and ClientSecret are set, the request is authenticated with HTTP Basic per
// RFC 6749 Section 2.3.1. Public-client identification via a body client_id
// parameter (RFC 6749 Section 3.2.1) is not supported — the ID-JAG draft
// (§9.1, Security Considerations) RECOMMENDS (SHOULD) confidential clients,
// which is the only intended consumer here, and this engine only supports
// client_secret/HTTP Basic client authentication.
ClientID string
// ClientSecret is the OAuth client secret at the target AS.
ClientSecret string //nolint:gosec // G101: field name, not a credential
// Scopes are the requested scopes for the access token.
Scopes []string
// AssertionProvider returns the JWT assertion (e.g., the ID-JAG from Step A).
// Called on each Token() invocation; must not be nil. The returned JWT must
// satisfy RFC 7523 Section 3 (iss/sub/aud/exp). For an ID-JAG the aud is the
// Resource AS issuer identifier (per draft-ietf-oauth-identity-assertion-authz-grant),
// not the token endpoint URL. The provider must be safe for concurrent use —
// Token() may be called from multiple goroutines (e.g., when wrapped in
// oauth2.ReuseTokenSource).
AssertionProvider func() (string, error)
// HTTPClient is the HTTP client to use. If nil, oauthproto.DefaultHTTPClient()
// is used.
HTTPClient *http.Client
// InsecureAllowHTTP allows plain HTTP for the TokenURL. Only set this for
// in-cluster HTTP endpoints (e.g., development or testing environments).
InsecureAllowHTTP bool
}
Config holds configuration for an OAuth 2.0 JWT Bearer Grant (RFC 7523).
func (*Config) TokenSource

func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource

TokenSource returns an oauth2.TokenSource that performs the JWT Bearer grant. Each Token() call obtains a fresh assertion from AssertionProvider and exchanges it at TokenURL; wrap the result in oauth2.ReuseTokenSource to cache the access token across calls.
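The exchange TokenSource performs, shown end to end as an added example that is not the jwtbearer package's own code. It is written against the standard library only, with hypothetical names (exchangeAssertion, newFakeAS, GrantTypeJWTBearer) and a constructed placeholder assertion in place of a real ID-JAG. The client side mirrors the Config fields on this page: grant_type urn:ietf:params:oauth:grant-type:jwt-bearer, assertion and space-delimited scope in the form body, HTTP Basic client authentication per RFC 6749 Section 2.3.1, and a refusal of plain-HTTP token URLs unless InsecureAllowHTTP is set. The in-process fake authorization server enforces the checks a real token endpoint applies to this grant before issuing a token.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// GrantTypeJWTBearer is the grant_type value registered by RFC 7523 Section 2.1.
const GrantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer"

// tokenResponse is the part of the RFC 6749 Section 5.1 token response read back.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// exchangeAssertion (hypothetical name) sends one RFC 7523 token request: grant_type,
// assertion and scope in the form body, client credentials in HTTP Basic per
// RFC 6749 Section 2.3.1. insecureAllowHTTP mirrors Config.InsecureAllowHTTP: by
// default a non-https TokenURL is refused so the assertion and client secret are
// never sent in clear text.
func exchangeAssertion(client *http.Client, tokenURL, clientID, clientSecret, assertion string, scopes []string, insecureAllowHTTP bool) (*tokenResponse, error) {
	u, err := url.Parse(tokenURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" && !insecureAllowHTTP {
		return nil, fmt.Errorf("refusing non-TLS token URL %q", tokenURL)
	}
	if assertion == "" {
		return nil, fmt.Errorf("assertion provider returned an empty JWT")
	}
	form := url.Values{"grant_type": {GrantTypeJWTBearer}, "assertion": {assertion}}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " ")) // RFC 6749 Section 3.3: space-delimited
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if clientID != "" && clientSecret != "" {
		// RFC 6749 Section 2.3.1: form-urlencode id and secret before Basic-encoding them.
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what a hostile AS can make us buffer
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "bearer") {
		return nil, fmt.Errorf("malformed token response: %s", body)
	}
	return &tr, nil
}

// newFakeAS (constructed for this example) stands in for the target authorization
// server and applies the checks a real token endpoint makes for this grant: Basic
// client auth, the jwt-bearer grant_type, and a present assertion. Verifying the
// JWT's signature and its iss/sub/aud/exp claims is the AS's job and is not modelled.
func newFakeAS(wantID, wantSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		id, _ = url.QueryUnescape(id)
		secret, _ = url.QueryUnescape(secret)
		if !ok || id != wantID || secret != wantSecret {
			w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("grant_type") != GrantTypeJWTBearer {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		if r.PostForm.Get("assertion") == "" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: "constructed-access-token", TokenType: "Bearer", ExpiresIn: 300})
	}))
}

func main() {
	as := newFakeAS("client-a", "s3cret")
	defer as.Close()
	// "eyJ.placeholder.sig" is a constructed stand-in; a real AssertionProvider returns a signed ID-JAG.
	tr, err := exchangeAssertion(as.Client(), as.URL+"/token", "client-a", "s3cret", "eyJ.placeholder.sig", []string{"read", "write"}, true)
	fmt.Printf("%+v %v\n", tr, err)
}
```

The httptest server speaks plain HTTP, which is why the call passes insecureAllowHTTP=true; against a real token endpoint leave it false so a misconfigured TokenURL fails closed rather than leaking the assertion and client secret. The fake server's invalid_client, unsupported_grant_type and invalid_grant responses are the RFC 6749 Section 5.2 error codes a real AS returns for the same failures, so the client's error path is exercised the way it would be in production.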