jwtbearer

package v0.33.0
Published: Jul 1, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package jwtbearer provides an OAuth 2.0 JWT Bearer Grant (RFC 7523) implementation. It exchanges a JWT assertion (such as an ID-JAG) for an access token at a target authorization server.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// TokenURL is the target authorization server's token endpoint (required).
	TokenURL string

	// ClientID is the OAuth client identifier at the target AS. When both ClientID
	// and ClientSecret are set, the request is authenticated with HTTP Basic per
	// RFC 6749 Section 2.3.1. Public-client identification via a body client_id
	// parameter (RFC 6749 Section 3.2.1) is not supported — the ID-JAG draft
	// (§9.1, Security Considerations) RECOMMENDS (SHOULD) confidential clients,
	// which is the only intended consumer here, and this engine only supports
	// client_secret/HTTP Basic client authentication.
	ClientID string

	// ClientSecret is the OAuth client secret at the target AS.
	ClientSecret string //nolint:gosec // G101: field name, not a credential

	// Scopes are the requested scopes for the access token.
	Scopes []string

	// AssertionProvider returns the JWT assertion (e.g., the ID-JAG from Step A).
	// Called on each Token() invocation; must not be nil. The returned JWT must
	// satisfy RFC 7523 Section 3 (iss/sub/aud/exp). For an ID-JAG the aud is the
	// Resource AS issuer identifier (per draft-ietf-oauth-identity-assertion-authz-grant),
	// not the token endpoint URL. The provider must be safe for concurrent use —
	// Token() may be called from multiple goroutines (e.g., when wrapped in
	// oauth2.ReuseTokenSource).
	AssertionProvider func() (string, error)

	// HTTPClient is the HTTP client to use. If nil, oauthproto.DefaultHTTPClient()
	// is used.
	HTTPClient *http.Client

	// InsecureAllowHTTP allows plain HTTP for the TokenURL. Only set this for
	// in-cluster HTTP endpoints (e.g., development or testing environments).
	InsecureAllowHTTP bool
}

Config holds configuration for an OAuth 2.0 JWT Bearer Grant (RFC 7523).

func (*Config) String

func (c *Config) String() string

String implements fmt.Stringer for Config, redacting sensitive fields.

func (*Config) TokenSource

func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource

TokenSource returns an oauth2.TokenSource that performs the JWT Bearer grant.

func (*Config) Validate

func (c *Config) Validate() error

Validate checks that the Config contains all required fields.
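The request that TokenSource sends, reconstructed as an added example (this is not the package's own code): a hypothetical bearerConfig stands in for the Config fields above, validate applies the TokenURL and InsecureAllowHTTP rules, and buildTokenRequest builds the RFC 7523 Section 2.1 POST with HTTP Basic client authentication, keeping client_id out of the body as the ClientID comment requires.

```go
package main
import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)
// Grant type registered by RFC 7523 Section 2.1 for JWT bearer assertions.
const grantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer"
// bearerConfig is a hypothetical stand-in for the jwtbearer.Config fields above.
type bearerConfig struct {
	TokenURL, ClientID, ClientSecret string
	Scopes                           []string
	InsecureAllowHTTP                bool
}
// validate mirrors the documented rules: TokenURL is required and plain HTTP
// is refused unless InsecureAllowHTTP is explicitly set.
func (c bearerConfig) validate() error {
	if c.TokenURL == "" {
		return errors.New("jwtbearer: TokenURL is required")
	}
	if !strings.HasPrefix(c.TokenURL, "https://") &&
		!(c.InsecureAllowHTTP && strings.HasPrefix(c.TokenURL, "http://")) {
		return errors.New("jwtbearer: TokenURL must be https unless InsecureAllowHTTP is set")
	}
	return nil
}
// buildTokenRequest assembles the RFC 7523 token request: grant_type and the
// assertion go in the form body; a confidential client authenticates with
// HTTP Basic (RFC 6749 Section 2.3.1), never with a body client_id parameter.
func buildTokenRequest(c bearerConfig, assertion string) (*http.Request, error) {
	if err := c.validate(); err != nil {
		return nil, err
	}
	form := url.Values{"grant_type": {grantTypeJWTBearer}, "assertion": {assertion}}
	if len(c.Scopes) > 0 {
		form.Set("scope", strings.Join(c.Scopes, " "))
	}
	req, err := http.NewRequest(http.MethodPost, c.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if c.ClientID != "" && c.ClientSecret != "" {
		req.SetBasicAuth(c.ClientID, c.ClientSecret)
	}
	return req, nil
}
```

The assertion string passed in is whatever AssertionProvider returns; for an ID-JAG its aud must be the Resource AS issuer identifier, which this builder does not check.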
