factory

func NewIncomingAuthMiddleware ¶

func NewIncomingAuthMiddleware(
	ctx context.Context,
	cfg *config.IncomingAuthConfig,
) (func(http.Handler) http.Handler, http.Handler, error)

NewIncomingAuthMiddleware creates HTTP middleware for incoming authentication based on the vMCP configuration.

This factory handles all incoming auth types:

• "oidc": OIDC token validation
• "local": Local OS user authentication
• "anonymous": Anonymous user (no authentication required)

All middleware types now directly create and inject Identity into the context, eliminating the need for a separate conversion layer.

Returns:

• Authentication middleware function
• AuthInfo handler (for /.well-known/oauth-protected-resource endpoint, may be nil)
• Error if middleware creation fails

func NewOutgoingAuthRegistry ¶

func NewOutgoingAuthRegistry(_ context.Context, cfg *config.OutgoingAuthConfig) (auth.OutgoingAuthRegistry, error)

NewOutgoingAuthRegistry creates an OutgoingAuthRegistry from configuration. It registers all strategies found in the configuration (both default and backend-specific).

The factory ALWAYS registers the "unauthenticated" strategy as a default fallback, ensuring that backends without explicit authentication configuration can function. This makes empty/nil configuration safe: the registry will have at least one usable strategy.

Strategy Registration:

• "unauthenticated" is always registered (default fallback)
• Additional strategies are registered based on configuration
• Each strategy is instantiated once and shared across backends
• Strategies are stateless (except token_exchange which has internal caching)

Parameters:

• ctx: Context for any initialization that requires it
• cfg: The outgoing authentication configuration (may be nil)

Returns:

• auth.OutgoingAuthRegistry: Configured registry with registered strategies
• error: Any error during strategy initialization or registration