Documentation
¶
Overview ¶
Package jwtbearer provides an OAuth 2.0 JWT Bearer Grant (RFC 7523) implementation. It exchanges a JWT assertion (such as an ID-JAG) for an access token at a target authorization server. It also exposes ValidateTokenURL, a shared token-endpoint URL validator reused by other OAuth token-exchange strategies in this repo.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ValidateTokenURL ¶ added in v0.34.0
ValidateTokenURL checks that a token endpoint URL is syntactically valid: an http or https scheme, a host, no fragment, and no embedded credentials. The http(s)-only scheme check is enforced unconditionally, even when insecureAllowHTTP is true — insecureAllowHTTP only relaxes the HTTPS requirement (permitting plain HTTP on any host, not just localhost), it does not permit other schemes such as ftp://. label prefixes every error message (e.g. "TokenURL", "IDPTokenURL") so call sites can identify which field failed. Shared by jwtbearer.Config.Validate and the vMCP XAA strategy (pkg/vmcp/auth/strategies), which both validate OAuth token endpoints.
Types ¶
type Config ¶
type Config struct {
// TokenURL is the target authorization server's token endpoint (required).
TokenURL string
// ClientID is the OAuth client identifier at the target AS. When both ClientID
// and ClientSecret are set, the request is authenticated with HTTP Basic per
// RFC 6749 Section 2.3.1. Public-client identification via a body client_id
// parameter (RFC 6749 Section 3.2.1) is not supported — the ID-JAG draft
// (§9.1, Security Considerations) RECOMMENDS (SHOULD) confidential clients,
// which is the only intended consumer here, and this engine only supports
// client_secret/HTTP Basic client authentication.
ClientID string
// ClientSecret is the OAuth client secret at the target AS.
ClientSecret string //nolint:gosec // G101: field name, not a credential
// Scopes are the requested scopes for the access token.
Scopes []string
// AssertionProvider returns the JWT assertion (e.g., the ID-JAG from XAA's IdP exchange).
// Called on each Token() invocation; must not be nil. The returned JWT must
// satisfy RFC 7523 Section 3 (iss/sub/aud/exp). For an ID-JAG the aud is the
// Resource AS issuer identifier (per draft-ietf-oauth-identity-assertion-authz-grant),
// not the token endpoint URL. The provider must be safe for concurrent use —
// Token() may be called from multiple goroutines (e.g., when wrapped in
// oauth2.ReuseTokenSource).
AssertionProvider func() (string, error)
// HTTPClient is the HTTP client to use. If nil, oauthproto.DefaultHTTPClient()
// is used.
HTTPClient *http.Client
// InsecureAllowHTTP allows plain HTTP for the TokenURL. Only set this for
// in-cluster HTTP endpoints (e.g., development or testing environments).
InsecureAllowHTTP bool
}
Config holds configuration for an OAuth 2.0 JWT Bearer Grant (RFC 7523).
func (*Config) TokenSource ¶
func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource
TokenSource returns an oauth2.TokenSource that performs the JWT Bearer grant.