jwtbearer

package
v0.34.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package jwtbearer provides an OAuth 2.0 JWT Bearer Grant (RFC 7523) implementation. It exchanges a JWT assertion (such as an ID-JAG) for an access token at a target authorization server. It also exposes ValidateTokenURL, a shared token-endpoint URL validator reused by other OAuth token-exchange strategies in this repo.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ValidateTokenURL added in v0.34.0

func ValidateTokenURL(label, endpoint string, insecureAllowHTTP bool) error

ValidateTokenURL checks that a token endpoint URL is syntactically valid: an http or https scheme, a host, no fragment, and no embedded credentials. The http(s)-only scheme check is enforced unconditionally, even when insecureAllowHTTP is true — insecureAllowHTTP only relaxes the HTTPS requirement (permitting plain HTTP on any host, not just localhost), it does not permit other schemes such as ftp://. label prefixes every error message (e.g. "TokenURL", "IDPTokenURL") so call sites can identify which field failed. Shared by jwtbearer.Config.Validate and the vMCP XAA strategy (pkg/vmcp/auth/strategies), which both validate OAuth token endpoints.

Types

type Config

type Config struct {
	// TokenURL is the target authorization server's token endpoint (required).
	TokenURL string

	// ClientID is the OAuth client identifier at the target AS. When both ClientID
	// and ClientSecret are set, the request is authenticated with HTTP Basic per
	// RFC 6749 Section 2.3.1. Public-client identification via a body client_id
	// parameter (RFC 6749 Section 3.2.1) is not supported — the ID-JAG draft
	// (§9.1, Security Considerations) RECOMMENDS (SHOULD) confidential clients,
	// which is the only intended consumer here, and this engine only supports
	// client_secret/HTTP Basic client authentication.
	ClientID string

	// ClientSecret is the OAuth client secret at the target AS.
	ClientSecret string //nolint:gosec // G101: field name, not a credential

	// Scopes are the requested scopes for the access token.
	Scopes []string

	// AssertionProvider returns the JWT assertion (e.g., the ID-JAG from XAA's IdP exchange).
	// Called on each Token() invocation; must not be nil. The returned JWT must
	// satisfy RFC 7523 Section 3 (iss/sub/aud/exp). For an ID-JAG the aud is the
	// Resource AS issuer identifier (per draft-ietf-oauth-identity-assertion-authz-grant),
	// not the token endpoint URL. The provider must be safe for concurrent use —
	// Token() may be called from multiple goroutines (e.g., when wrapped in
	// oauth2.ReuseTokenSource).
	AssertionProvider func() (string, error)

	// HTTPClient is the HTTP client to use. If nil, oauthproto.DefaultHTTPClient()
	// is used.
	HTTPClient *http.Client

	// InsecureAllowHTTP allows plain HTTP for the TokenURL. Only set this for
	// in-cluster HTTP endpoints (e.g., development or testing environments).
	InsecureAllowHTTP bool
}

Config holds configuration for an OAuth 2.0 JWT Bearer Grant (RFC 7523).

func (*Config) String

func (c *Config) String() string

String implements fmt.Stringer for Config, redacting sensitive fields.

func (*Config) TokenSource

func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource

TokenSource returns an oauth2.TokenSource that performs the JWT Bearer grant.

func (*Config) Validate

func (c *Config) Validate() error

Validate checks that the Config contains all required fields.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL