Documentation
¶
Overview ¶
Package types provides shared auth-related types for Virtual MCP Server.
+groupName=toolhive.stacklok.dev +versionName=authtypes
Package types provides shared auth-related types for Virtual MCP Server.
This package is designed as a leaf package with no dependencies on other pkg/vmcp/* packages, breaking potential import cycles between config, strategies, and other auth-related packages.
Types defined here include:
- Strategy type constants (StrategyTypeUnauthenticated, etc.)
- Backend auth configuration structs (BackendAuthStrategy, etc.)
Index ¶
Constants ¶
const ( // StrategyTypeUnauthenticated identifies the unauthenticated strategy. // This strategy performs no authentication and is used when a backend // requires no authentication. StrategyTypeUnauthenticated = "unauthenticated" // StrategyTypeHeaderInjection identifies the header injection strategy. // This strategy injects a static header value into request headers. StrategyTypeHeaderInjection = "header_injection" // StrategyTypeTokenExchange identifies the token exchange strategy. // This strategy exchanges an incoming token for a new token to use // when authenticating to the backend service. StrategyTypeTokenExchange = "token_exchange" // StrategyTypeUpstreamInject identifies the upstream inject strategy. // This strategy injects an upstream IDP token obtained by the embedded // authorization server into requests to the backend service. StrategyTypeUpstreamInject = "upstream_inject" // StrategyTypeAwsSts identifies the AWS STS authentication strategy. // This strategy exchanges incoming tokens for AWS STS temporary credentials // and signs requests using SigV4. StrategyTypeAwsSts = "aws_sts" // StrategyTypeOBO identifies the on-behalf-of (OBO) authentication strategy. // The default upstream implementation returns ErrEnterpriseRequired from // every method; an out-of-tree build registers a real OBO strategy executor // via auth.RegisterOBOStrategy. StrategyTypeOBO = "obo" // StrategyTypeXAA identifies the XAA (Cross-Application Access) strategy. // This strategy implements cross-application access using the Identity // Assertion JWT Authorization Grant (draft-ietf-oauth-identity-assertion-authz-grant, // also known as ID-JAG). It performs a two-step token exchange: // (A) exchange an ID token for an ID-JAG at the IdP, then // (B) exchange the ID-JAG for an access token at the target AS. StrategyTypeXAA = "xaa" )
Strategy type identifiers used to identify authentication strategies.
Variables ¶
var ErrUpstreamTokenNotFound = errors.New("upstream token not found")
ErrUpstreamTokenNotFound is returned when a required upstream provider token is not present in the identity's UpstreamTokens map.
Functions ¶
This section is empty.
Types ¶
type AwsStsConfig ¶ added in v0.26.0
type AwsStsConfig struct {
// Region is the AWS region for the STS endpoint and service.
Region string `json:"region" yaml:"region"`
// Service is the AWS service name for SigV4 signing.
Service string `json:"service,omitempty" yaml:"service,omitempty"`
// FallbackRoleArn is the IAM role ARN to assume when no role mappings match.
FallbackRoleArn string `json:"fallbackRoleArn,omitempty" yaml:"fallbackRoleArn,omitempty"`
// RoleMappings defines claim-based role selection rules.
// +listType=atomic
RoleMappings []RoleMapping `json:"roleMappings,omitempty" yaml:"roleMappings,omitempty"`
// RoleClaim is the JWT claim to use for role mapping evaluation.
RoleClaim string `json:"roleClaim,omitempty" yaml:"roleClaim,omitempty"`
// SessionDuration is the duration in seconds for the STS session.
SessionDuration *int32 `json:"sessionDuration,omitempty" yaml:"sessionDuration,omitempty"`
// SessionNameClaim is the JWT claim to use for the role session name.
SessionNameClaim string `json:"sessionNameClaim,omitempty" yaml:"sessionNameClaim,omitempty"`
// SubjectProviderName selects which upstream provider's token to use as the
// web identity token for AssumeRoleWithWebIdentity. When set, the token is
// looked up from Identity.UpstreamTokens instead of the request's
// Authorization header.
SubjectProviderName string `json:"subjectProviderName,omitempty" yaml:"subjectProviderName,omitempty"`
}
AwsStsConfig configures AWS STS authentication with SigV4 request signing. This strategy exchanges incoming tokens for AWS STS temporary credentials. +kubebuilder:object:generate=true +gendoc
func (*AwsStsConfig) DeepCopy ¶ added in v0.26.0
func (in *AwsStsConfig) DeepCopy() *AwsStsConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsStsConfig.
func (*AwsStsConfig) DeepCopyInto ¶ added in v0.26.0
func (in *AwsStsConfig) DeepCopyInto(out *AwsStsConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type BackendAuthStrategy ¶
type BackendAuthStrategy struct {
// Type is the auth strategy: "unauthenticated", "header_injection", "token_exchange", "upstream_inject", "aws_sts", "obo", "xaa"
Type string `json:"type" yaml:"type"`
// HeaderInjection contains configuration for header injection auth strategy.
// Used when Type = "header_injection".
HeaderInjection *HeaderInjectionConfig `json:"headerInjection,omitempty" yaml:"headerInjection,omitempty"`
// TokenExchange contains configuration for token exchange auth strategy.
// Used when Type = "token_exchange".
TokenExchange *TokenExchangeConfig `json:"tokenExchange,omitempty" yaml:"tokenExchange,omitempty"`
// UpstreamInject contains configuration for upstream inject auth strategy.
// Used when Type = "upstream_inject".
UpstreamInject *UpstreamInjectConfig `json:"upstreamInject,omitempty" yaml:"upstreamInject,omitempty"`
// AwsSts contains configuration for AWS STS auth strategy.
// Used when Type = "aws_sts".
AwsSts *AwsStsConfig `json:"awsSts,omitempty" yaml:"awsSts,omitempty"`
// OBO contains configuration for on-behalf-of (OBO) auth strategy.
// Used when Type = "obo". The default upstream build returns ErrEnterpriseRequired;
// an out-of-tree build registers a real strategy via auth.RegisterOBOStrategy.
OBO *OBOConfig `json:"obo,omitempty" yaml:"obo,omitempty"`
// XAA contains configuration for XAA (Cross-Application Access) auth strategy.
// Used when Type = "xaa".
XAA *XAAConfig `json:"xaa,omitempty" yaml:"xaa,omitempty"`
}
BackendAuthStrategy defines how to authenticate to a specific backend.
This struct provides type-safe configuration for different authentication strategies using HeaderInjection or TokenExchange fields based on the Type field. +kubebuilder:object:generate=true +gendoc
func (*BackendAuthStrategy) DeepCopy ¶ added in v0.6.17
func (in *BackendAuthStrategy) DeepCopy() *BackendAuthStrategy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendAuthStrategy.
func (*BackendAuthStrategy) DeepCopyInto ¶ added in v0.6.17
func (in *BackendAuthStrategy) DeepCopyInto(out *BackendAuthStrategy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeaderInjectionConfig ¶
type HeaderInjectionConfig struct {
// HeaderName is the name of the header to inject (e.g., "Authorization").
HeaderName string `json:"headerName" yaml:"headerName"`
// HeaderValue is the static header value to inject.
// Either HeaderValue or HeaderValueEnv should be set, not both.
HeaderValue string `json:"headerValue,omitempty" yaml:"headerValue,omitempty"`
// HeaderValueEnv is the environment variable name containing the header value.
// The value will be resolved at runtime from this environment variable.
// Either HeaderValue or HeaderValueEnv should be set, not both.
HeaderValueEnv string `json:"headerValueEnv,omitempty" yaml:"headerValueEnv,omitempty"`
}
HeaderInjectionConfig configures the header injection auth strategy. This strategy injects a static or environment-sourced header value into requests. +kubebuilder:object:generate=true +gendoc
func (*HeaderInjectionConfig) DeepCopy ¶ added in v0.6.17
func (in *HeaderInjectionConfig) DeepCopy() *HeaderInjectionConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderInjectionConfig.
func (*HeaderInjectionConfig) DeepCopyInto ¶ added in v0.6.17
func (in *HeaderInjectionConfig) DeepCopyInto(out *HeaderInjectionConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OBOConfig ¶ added in v0.32.0
type OBOConfig struct {
// TokenURL is the Entra token endpoint URL for the OBO exchange.
// +kubebuilder:validation:Required
TokenURL string `json:"tokenUrl" yaml:"tokenUrl"`
// ClientID is the OAuth client ID for the OBO request.
ClientID string `json:"clientId,omitempty" yaml:"clientId,omitempty"`
// ClientSecret is the OAuth client secret (use ClientSecretEnv for security).
//nolint:gosec // G117: field legitimately holds sensitive data
ClientSecret string `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty"`
// ClientSecretEnv is the environment variable name containing the client secret.
// The value will be resolved at runtime from this environment variable.
ClientSecretEnv string `json:"clientSecretEnv,omitempty" yaml:"clientSecretEnv,omitempty"`
// Audience is the target audience (resource URI) for the exchanged token.
Audience string `json:"audience,omitempty" yaml:"audience,omitempty"`
// Scopes are the requested scopes for the exchanged token.
// +listType=atomic
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
// SubjectTokenProviderName selects which upstream provider's token to use as the
// subject (assertion) token for the OBO exchange. When set, the token is looked
// up from Identity.UpstreamTokens[SubjectTokenProviderName]; when omitted, the
// inbound end-user token (Identity.Token) is used directly.
// Matches the operator CRD's SubjectTokenProviderName field; the enterprise OBO
// converter maps both to the runtime contract without renaming.
SubjectTokenProviderName string `json:"subjectTokenProviderName,omitempty" yaml:"subjectTokenProviderName,omitempty"`
// CacheSkewSeconds is the number of seconds to subtract from a cached token's
// expiry when deciding whether to refresh it. Defaults to zero (no skew).
// The operator CRD stores this as CacheSkew *metav1.Duration and converts it
// to an integer-seconds value for the vMCP runtime contract.
CacheSkewSeconds *int32 `json:"cacheSkewSeconds,omitempty" yaml:"cacheSkewSeconds,omitempty"`
}
OBOConfig configures the on-behalf-of (OBO) authentication strategy. This strategy uses the Entra jwt-bearer / on_behalf_of grant to exchange the incoming user token for a backend-scoped token on behalf of the user.
Field names follow the OBO runtime contract (the enterprise obo.MiddlewareParameters), not the RFC-8693 TokenExchangeConfig, because OBO uses a distinct Entra-specific grant. +kubebuilder:object:generate=true +gendoc
func (*OBOConfig) DeepCopy ¶ added in v0.32.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OBOConfig.
func (*OBOConfig) DeepCopyInto ¶ added in v0.32.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RoleMapping ¶ added in v0.26.0
type RoleMapping struct {
// Claim is a simple claim value to match against the RoleClaim field.
Claim string `json:"claim,omitempty" yaml:"claim,omitempty"`
// Matcher is a CEL expression for complex matching against JWT claims.
Matcher string `json:"matcher,omitempty" yaml:"matcher,omitempty"`
// RoleArn is the IAM role ARN to assume when this mapping matches.
RoleArn string `json:"roleArn" yaml:"roleArn"`
// Priority determines evaluation order (lower values = higher priority).
// Mirrors awssts.RoleMapping.Priority, which is *int because the role mapper
// uses math.MaxInt for nil-priority semantics in effectivePriority.
Priority *int `json:"priority,omitempty" yaml:"priority,omitempty"`
}
RoleMapping defines a rule for mapping JWT claims to IAM roles. Mappings are evaluated in priority order (lower number = higher priority). +kubebuilder:object:generate=true +gendoc
func (*RoleMapping) DeepCopy ¶ added in v0.26.0
func (in *RoleMapping) DeepCopy() *RoleMapping
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleMapping.
func (*RoleMapping) DeepCopyInto ¶ added in v0.26.0
func (in *RoleMapping) DeepCopyInto(out *RoleMapping)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenExchangeConfig ¶
type TokenExchangeConfig struct {
// TokenURL is the OAuth token endpoint URL for token exchange.
TokenURL string `json:"tokenUrl" yaml:"tokenUrl"`
// ClientID is the OAuth client ID for the token exchange request.
ClientID string `json:"clientId,omitempty" yaml:"clientId,omitempty"`
// ClientSecret is the OAuth client secret (use ClientSecretEnv for security).
//nolint:gosec // G117: field legitimately holds sensitive data
ClientSecret string `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty"`
// ClientSecretEnv is the environment variable name containing the client secret.
// The value will be resolved at runtime from this environment variable.
ClientSecretEnv string `json:"clientSecretEnv,omitempty" yaml:"clientSecretEnv,omitempty"`
// Audience is the target audience for the exchanged token.
Audience string `json:"audience,omitempty" yaml:"audience,omitempty"`
// Scopes are the requested scopes for the exchanged token.
// +listType=atomic
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
// SubjectTokenType is the token type of the incoming subject token.
// Defaults to "urn:ietf:params:oauth:token-type:access_token" if not specified.
SubjectTokenType string `json:"subjectTokenType,omitempty" yaml:"subjectTokenType,omitempty"`
// SubjectProviderName selects which upstream provider's token to use as the
// subject token. When set, the token is looked up from Identity.UpstreamTokens
// instead of using Identity.Token.
// When left empty and an embedded authorization server is configured, the system
// automatically populates this field with the first configured upstream provider name.
// Set it explicitly to override that default or to select a specific provider when
// multiple upstreams are configured.
SubjectProviderName string `json:"subjectProviderName,omitempty" yaml:"subjectProviderName,omitempty"`
}
TokenExchangeConfig configures the OAuth 2.0 token exchange auth strategy. This strategy exchanges incoming tokens for backend-specific tokens using RFC 8693. +kubebuilder:object:generate=true +gendoc
func (*TokenExchangeConfig) DeepCopy ¶ added in v0.6.17
func (in *TokenExchangeConfig) DeepCopy() *TokenExchangeConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenExchangeConfig.
func (*TokenExchangeConfig) DeepCopyInto ¶ added in v0.6.17
func (in *TokenExchangeConfig) DeepCopyInto(out *TokenExchangeConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UpstreamInjectConfig ¶ added in v0.13.0
type UpstreamInjectConfig struct {
// ProviderName is the name of the upstream provider configured in the
// embedded authorization server. Must match an entry in AuthServer.Upstreams.
ProviderName string `json:"providerName" yaml:"providerName"`
}
UpstreamInjectConfig configures the upstream inject auth strategy. This strategy uses the embedded authorization server to obtain and inject upstream IDP tokens into backend requests. +kubebuilder:object:generate=true +gendoc
func (*UpstreamInjectConfig) DeepCopy ¶ added in v0.13.0
func (in *UpstreamInjectConfig) DeepCopy() *UpstreamInjectConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamInjectConfig.
func (*UpstreamInjectConfig) DeepCopyInto ¶ added in v0.13.0
func (in *UpstreamInjectConfig) DeepCopyInto(out *UpstreamInjectConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type XAAConfig ¶ added in v0.32.0
type XAAConfig struct {
// IDPTokenURL is the IdP token endpoint for Step A (RFC 8693 exchange).
IDPTokenURL string `json:"idpTokenUrl" yaml:"idpTokenUrl"`
// IDPClientID is the OAuth client ID at the IdP for Step A.
IDPClientID string `json:"idpClientId,omitempty" yaml:"idpClientId,omitempty"`
// IDPClientSecret is the client secret at the IdP for Step A.
//nolint:gosec // G101: field legitimately holds sensitive data
IDPClientSecret string `json:"idpClientSecret,omitempty" yaml:"idpClientSecret,omitempty"`
// IDPClientSecretEnv is the env var containing the IdP client secret.
IDPClientSecretEnv string `json:"idpClientSecretEnv,omitempty" yaml:"idpClientSecretEnv,omitempty"`
// TargetTokenURL is the target AS token endpoint for Step B (JWT Bearer grant).
TargetTokenURL string `json:"targetTokenUrl" yaml:"targetTokenUrl"`
// InsecureTargetTokenURL allows plain HTTP for TargetTokenURL.
// WARNING: this is insecure and must only be set for in-cluster or
// development/testing endpoints — never in production.
InsecureTargetTokenURL bool `json:"insecureTargetTokenUrl,omitempty" yaml:"insecureTargetTokenUrl,omitempty"`
// TargetClientID is the OAuth client ID at the target AS for Step B.
TargetClientID string `json:"targetClientId,omitempty" yaml:"targetClientId,omitempty"`
// TargetClientSecret is the client secret at the target AS for Step B.
//nolint:gosec // G101: field legitimately holds sensitive data
TargetClientSecret string `json:"targetClientSecret,omitempty" yaml:"targetClientSecret,omitempty"`
// TargetClientSecretEnv is the env var containing the target AS client secret.
TargetClientSecretEnv string `json:"targetClientSecretEnv,omitempty" yaml:"targetClientSecretEnv,omitempty"`
// TargetAudience is the resource AS URL for the ID-JAG audience claim (required).
TargetAudience string `json:"targetAudience" yaml:"targetAudience"`
// TargetResource is the RFC 8707 resource indicator sent as the `resource`
// parameter in Step A's RFC 8693 token exchange (draft §4.3, OPTIONAL). It
// identifies the target resource server — not the access-token audience, which
// is governed by TargetAudience. For MCP backends, set to the MCP server URL.
TargetResource string `json:"targetResource,omitempty" yaml:"targetResource,omitempty"`
// Scopes are the requested scopes for Steps A and B.
// +listType=atomic
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
// SubjectProviderName selects which upstream provider's ID token to use.
// Auto-populated when embedded AS is active.
SubjectProviderName string `json:"subjectProviderName,omitempty" yaml:"subjectProviderName,omitempty"`
}
XAAConfig configures the XAA (Cross-Application Access) auth strategy. XAA implements draft-ietf-oauth-identity-assertion-authz-grant (ID-JAG) as a two-step flow:
- Step A (RFC 8693): Exchange the user's ID token at their IdP for an ID-JAG JWT
- Step B (RFC 7523): Exchange the ID-JAG at the target app's AS for an access token
+kubebuilder:object:generate=true +gendoc
func (*XAAConfig) DeepCopy ¶ added in v0.32.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XAAConfig.
func (*XAAConfig) DeepCopyInto ¶ added in v0.32.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.