Documentation
Overview
Package oauth provides OAuth 2.0 and OIDC authentication functionality.
Package oauth contains OAuth/OIDC protocol implementation for ToolHive.
Index
- Constants
- func GenerateUniqueSecretNameWithProvider(workloadName string, secretManager secrets.Provider) (string, error)
- func ProcessOAuthClientSecret(workloadName, clientSecret string) (string, error)
- func ProcessOAuthClientSecretWithProvider(workloadName, clientSecret string, secretManager secrets.Provider) (string, error)
- func StoreSecretInManager(ctx context.Context, secretName, secretValue string) error
- func StoreSecretInManagerWithProvider(ctx context.Context, secretName, secretValue string, ...) error
- type Config
- type DynamicClientRegistrationRequest
- type DynamicClientRegistrationResponse
- type Flow
- type OIDCDiscoveryDocument
- type ScopeList
- type TokenResult
Constants
const AuthorizationCode = "authorization_code"
AuthorizationCode is the grant type for authorization code
const ResponseTypeCode = "code"
ResponseTypeCode is the response type for code
const TokenEndpointAuthMethodNone = "none"
TokenEndpointAuthMethodNone is the token endpoint auth method for none
const ToolHiveMCPClientName = "ToolHive MCP Client"
ToolHiveMCPClientName is the name of the ToolHive MCP client
const UserAgent = "ToolHive/1.0"
UserAgent is the user agent for the ToolHive MCP client
Variables
This section is empty.
Functions
func GenerateUniqueSecretNameWithProvider added in v0.6.0
func GenerateUniqueSecretNameWithProvider(workloadName string, secretManager secrets.Provider) (string, error)
GenerateUniqueSecretNameWithProvider generates a unique secret name using the provided secret manager. This version is testable with dependency injection.
func ProcessOAuthClientSecret added in v0.6.0
func ProcessOAuthClientSecret(workloadName, clientSecret string) (string, error)
ProcessOAuthClientSecret processes an OAuth client secret, converting plain text to CLI format if needed.
func ProcessOAuthClientSecretWithProvider added in v0.6.0
func ProcessOAuthClientSecretWithProvider(workloadName, clientSecret string, secretManager secrets.Provider) (string, error)
ProcessOAuthClientSecretWithProvider processes an OAuth client secret using the provided secret manager. This version is testable with dependency injection.
func StoreSecretInManager added in v0.6.0
func StoreSecretInManager(ctx context.Context, secretName, secretValue string) error
StoreSecretInManager stores a secret in the configured secret manager.
func StoreSecretInManagerWithProvider added in v0.6.0
func StoreSecretInManagerWithProvider(ctx context.Context, secretName, secretValue string, secretManager secrets.Provider) error
StoreSecretInManagerWithProvider stores a secret using the provided secret manager. This version is testable with dependency injection.
Types
type Config
type Config struct {
// ClientID is the OAuth client ID
ClientID string
// ClientSecret is the OAuth client secret (optional for PKCE flow)
ClientSecret string
// RedirectURL is the redirect URL for the OAuth flow
RedirectURL string
// AuthURL is the authorization endpoint URL
AuthURL string
// TokenURL is the token endpoint URL
TokenURL string
// Scopes are the OAuth scopes to request
Scopes []string
// UsePKCE enables PKCE (Proof Key for Code Exchange) for enhanced security
UsePKCE bool
// CallbackPort is the port for the OAuth callback server (optional, 0 means auto-select)
CallbackPort int
// IntrospectionEndpoint is the optional introspection endpoint for validating tokens
IntrospectionEndpoint string
// Resource is the OAuth 2.0 resource indicator (RFC 8707).
Resource string
// OAuthParams are additional parameters to pass to the authorization URL
OAuthParams map[string]string
}
Config contains configuration for OAuth authentication
func CreateOAuthConfigFromOIDC
func CreateOAuthConfigFromOIDC(
	ctx context.Context,
	issuer, clientID, clientSecret string,
	scopes []string,
	usePKCE bool,
	callbackPort int,
	resource string,
) (*Config, error)
CreateOAuthConfigFromOIDC creates an OAuth config from OIDC discovery.
func CreateOAuthConfigManual added in v0.2.4
func CreateOAuthConfigManual(
	clientID, clientSecret string,
	authURL, tokenURL string,
	scopes []string,
	usePKCE bool,
	callbackPort int,
	resource string,
	oauthParams map[string]string,
) (*Config, error)
CreateOAuthConfigManual creates an OAuth config with manually provided endpoints.
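The following is an added example, not code from ToolHive, showing what a client built from these Config fields has to do on the authorization leg: derive the PKCE challenge (S256, RFC 7636) from a verifier that never leaves the client until the token request, bind the request to a random state, attach the RFC 8707 resource indicator and any OAuthParams without letting them override protocol parameters, and validate the callback before trusting its code. The AuthRequest type, the function names and the sample endpoint URLs are this example's own assumptions; it uses only the standard library rather than golang.org/x/oauth2.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthRequest holds what the client must remember between redirecting the user
// and receiving the callback (hypothetical type, not part of ToolHive).
type AuthRequest struct {
	URL          string // authorization URL to open in the browser
	State        string // random value compared on callback (CSRF / mix-up protection)
	CodeVerifier string // PKCE verifier: sent only to the token endpoint, never in the URL
}

// randomURLSafe returns n random bytes as unpadded base64url, the alphabet RFC 7636 allows.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge derives code_challenge from code_verifier (RFC 7636 section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BuildAuthorizationURL takes the same inputs as Config (authorization endpoint,
// client ID, redirect URL, scopes, UsePKCE, Resource, OAuthParams). Extra params are
// applied first so they can never override the protocol parameters set afterwards.
func BuildAuthorizationURL(authURL, clientID, redirectURL string, scopes []string,
	usePKCE bool, resource string, extra map[string]string) (*AuthRequest, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return nil, err
	}
	state, err := randomURLSafe(32)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	for k, v := range extra {
		q.Set(k, v)
	}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("state", state)
	if len(scopes) > 0 {
		q.Set("scope", strings.Join(scopes, " "))
	}
	if resource != "" {
		q.Set("resource", resource) // RFC 8707 resource indicator
	}
	req := &AuthRequest{State: state}
	if usePKCE {
		// 32 random bytes give a 43-character verifier, the minimum length RFC 7636 requires.
		if req.CodeVerifier, err = randomURLSafe(32); err != nil {
			return nil, err
		}
		q.Set("code_challenge", S256Challenge(req.CodeVerifier))
		q.Set("code_challenge_method", "S256")
	}
	u.RawQuery = q.Encode()
	req.URL = u.String()
	return req, nil
}

// ParseCallback validates the redirect back to the client: the state must match
// (compared in constant time) before anything else is trusted, and an error
// response from the server must not be mistaken for a successful one.
func (r *AuthRequest) ParseCallback(callbackURL string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(r.State)) != 1 {
		return "", errors.New("state mismatch: response was not solicited by this client")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned %q: %s", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	req, err := BuildAuthorizationURL("https://as.example/authorize", "mcp-client",
		"http://127.0.0.1:8080/callback", []string{"openid", "profile"}, true,
		"https://mcp.example", map[string]string{"audience": "mcp"})
	if err != nil {
		panic(err)
	}
	fmt.Println("open:", req.URL)
}
```

The ordering inside BuildAuthorizationURL is the point of the OAuthParams field: extra parameters are a convenience for provider-specific knobs such as audience or prompt, and applying them before the fixed parameters guarantees a configuration file cannot swap the client_id, redirect_uri or state.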
type DynamicClientRegistrationRequest added in v0.2.14
type DynamicClientRegistrationRequest struct {
// Required field according to RFC 7591
RedirectURIs []string `json:"redirect_uris"`
// Essential fields for OAuth flow
ClientName string `json:"client_name,omitempty"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
ResponseTypes []string `json:"response_types,omitempty"`
Scopes ScopeList `json:"scope,omitempty"`
}
DynamicClientRegistrationRequest represents the request for dynamic client registration (RFC 7591)
func NewDynamicClientRegistrationRequest added in v0.2.14
func NewDynamicClientRegistrationRequest(scopes []string, callbackPort int) *DynamicClientRegistrationRequest
NewDynamicClientRegistrationRequest creates a new dynamic client registration request
type DynamicClientRegistrationResponse added in v0.2.14
type DynamicClientRegistrationResponse struct {
// Required fields
ClientID string `json:"client_id"`
ClientSecret string `json:"client_secret,omitempty"`
// Optional fields that may be returned
ClientIDIssuedAt int64 `json:"client_id_issued_at,omitempty"`
ClientSecretExpiresAt int64 `json:"client_secret_expires_at,omitempty"`
RegistrationAccessToken string `json:"registration_access_token,omitempty"`
RegistrationClientURI string `json:"registration_client_uri,omitempty"`
// Echo back the essential request fields
ClientName string `json:"client_name,omitempty"`
RedirectURIs []string `json:"redirect_uris,omitempty"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
ResponseTypes []string `json:"response_types,omitempty"`
Scopes ScopeList `json:"scope,omitempty"`
}
DynamicClientRegistrationResponse represents the response from dynamic client registration (RFC 7591)
func RegisterClientDynamically added in v0.2.14
func RegisterClientDynamically(
	ctx context.Context,
	registrationEndpoint string,
	request *DynamicClientRegistrationRequest,
) (*DynamicClientRegistrationResponse, error)
RegisterClientDynamically performs dynamic client registration (RFC 7591)
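An added example, not ToolHive's RegisterClientDynamically, of the RFC 7591 exchange end to end: a public-client request shaped like the struct above (auth method "none", grant type "authorization_code", response type "code", scope as a space-delimited string), a client that checks for 201 Created, a client_id, and an unchanged token endpoint auth method, and a constructed in-process registration server on the other side. The redirect URI layout, the client name and the fake server's behaviour are assumptions of the example; scope is carried here as a plain string, the lenient ScopeList decoding is a separate matter.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RegistrationRequest carries the RFC 7591 client metadata a public code-flow client sends.
type RegistrationRequest struct {
	RedirectURIs            []string `json:"redirect_uris"`
	ClientName              string   `json:"client_name,omitempty"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
	GrantTypes              []string `json:"grant_types,omitempty"`
	ResponseTypes           []string `json:"response_types,omitempty"`
	Scope                   string   `json:"scope,omitempty"` // space-delimited, RFC 7591 section 2
}

// RegistrationResponse holds the fields the client acts on.
type RegistrationResponse struct {
	ClientID                string `json:"client_id"`
	ClientSecret            string `json:"client_secret,omitempty"`
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
}

// NewRegistrationRequest builds a request for a public client (no secret) using the
// authorization code flow. Loopback redirect URI layout and client name are assumptions.
func NewRegistrationRequest(scopes []string, callbackPort int) *RegistrationRequest {
	return &RegistrationRequest{
		RedirectURIs:            []string{fmt.Sprintf("http://localhost:%d/callback", callbackPort)},
		ClientName:              "Example MCP Client",
		TokenEndpointAuthMethod: "none",
		GrantTypes:              []string{"authorization_code"},
		ResponseTypes:           []string{"code"},
		Scope:                   strings.Join(scopes, " "),
	}
}

// RegisterClient POSTs the metadata and validates the reply: 201 Created (RFC 7591
// section 3.2.1), a client_id, and the auth method that was requested. A server that
// answers with a different method would leave the client unable to authenticate at
// the token endpoint, or holding a secret it never expected to protect.
func RegisterClient(ctx context.Context, client *http.Client, endpoint string, req *RegistrationRequest) (*RegistrationResponse, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	httpReq.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(httpReq)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // never read an unbounded body
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("registration failed: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(data)))
	}
	var out RegistrationResponse
	if err := json.Unmarshal(data, &out); err != nil || out.ClientID == "" {
		return nil, fmt.Errorf("malformed registration response (%v): %s", err, data)
	}
	if out.TokenEndpointAuthMethod != "" && out.TokenEndpointAuthMethod != req.TokenEndpointAuthMethod {
		return nil, fmt.Errorf("server changed token_endpoint_auth_method to %q", out.TokenEndpointAuthMethod)
	}
	return &out, nil
}

// newFakeRegistrar is a constructed in-process RFC 7591 endpoint. It rejects requests
// without redirect_uris and, when authMethod is non-empty, answers with that method
// instead of echoing the requested one, to play a misbehaving server.
func newFakeRegistrar(authMethod string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in RegistrationRequest
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil {
			http.Error(w, `{"error":"invalid_client_metadata"}`, http.StatusBadRequest)
			return
		}
		if len(in.RedirectURIs) == 0 {
			http.Error(w, `{"error":"invalid_redirect_uri"}`, http.StatusBadRequest)
			return
		}
		method := in.TokenEndpointAuthMethod
		if authMethod != "" {
			method = authMethod
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(RegistrationResponse{ClientID: "client-123", TokenEndpointAuthMethod: method})
	}))
}

func main() {
	srv := newFakeRegistrar("")
	defer srv.Close()
	resp, err := RegisterClient(context.Background(), srv.Client(), srv.URL+"/register",
		NewRegistrationRequest([]string{"openid", "profile"}, 8080))
	fmt.Printf("%+v %v\n", resp, err)
}
```

Registration endpoints discovered from untrusted metadata are the reason for the checks after the POST: the response is attacker-influenced input like any other, so the status code, the presence of client_id and the echoed auth method are verified before the client is persisted.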
type Flow
type Flow struct {
// contains filtered or unexported fields
}
Flow handles the OAuth authentication flow
func (*Flow) TokenSource added in v0.0.48
func (f *Flow) TokenSource() oauth2.TokenSource
TokenSource returns the OAuth2 token source for refreshing tokens
type OIDCDiscoveryDocument
type OIDCDiscoveryDocument struct {
Issuer string `json:"issuer"`
AuthorizationEndpoint string `json:"authorization_endpoint"`
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint"`
UserinfoEndpoint string `json:"userinfo_endpoint"`
JWKSURI string `json:"jwks_uri"`
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}
OIDCDiscoveryDocument represents the OIDC discovery document structure. This is a simplified wrapper around the Zitadel OIDC discovery.
func DiscoverActualIssuer added in v0.3.0
func DiscoverActualIssuer(ctx context.Context, metadataURL string) (*OIDCDiscoveryDocument, error)
DiscoverActualIssuer discovers the actual issuer from a URL that might differ from the issuer itself. This is useful when the resource metadata points to a URL that hosts the authorization server metadata but the actual issuer identifier is different (e.g., Stripe's case).
func DiscoverOIDCEndpoints
func DiscoverOIDCEndpoints(ctx context.Context, issuer string) (*OIDCDiscoveryDocument, error)
DiscoverOIDCEndpoints discovers OAuth endpoints from an OIDC issuer
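Added example, not ToolHive's implementation of DiscoverOIDCEndpoints or DiscoverActualIssuer: a discovery client that derives the well-known URL, fetches the document from a constructed in-process TLS issuer, and enforces the checks these functions imply but the signatures do not spell out. The document's issuer must equal the issuer the caller configured (OpenID Connect Discovery 1.0 section 4.3, and likewise RFC 8414 section 3.3), endpoints must be https, the body is bounded, and S256 must be advertised before PKCE is relied on. Passing the expected issuer separately from the metadata URL is what keeps the DiscoverActualIssuer situation safe: the document may be hosted elsewhere, but it still has to name the issuer you trust. The names Metadata, Discover, SupportsS256 and newFakeIssuer and the fake issuer's contents are assumptions of the example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Metadata is the subset of OIDCDiscoveryDocument this example uses.
type Metadata struct {
	Issuer                        string   `json:"issuer"`
	AuthorizationEndpoint         string   `json:"authorization_endpoint"`
	TokenEndpoint                 string   `json:"token_endpoint"`
	JWKSURI                       string   `json:"jwks_uri"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}

const maxMetadataBytes = 1 << 20

// WellKnownURL derives the discovery URL from an issuer (OpenID Connect Discovery 1.0,
// section 4). The issuer must be https and must carry no query or fragment.
func WellKnownURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer %q must be an https URL without query or fragment", issuer)
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/.well-known/openid-configuration"
	return u.String(), nil
}

// Discover fetches metadataURL and applies the checks a relying party owes: a bounded
// body, a document issuer identical to expectedIssuer, and https endpoints.
// expectedIssuer is separate from metadataURL so that a document hosted somewhere other
// than the issuer URL is still pinned to the issuer the caller configured.
func Discover(ctx context.Context, client *http.Client, metadataURL, expectedIssuer string) (*Metadata, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, metadataURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxMetadataBytes+1))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK || len(body) > maxMetadataBytes {
		return nil, fmt.Errorf("discovery returned HTTP %d or an oversized body", resp.StatusCode)
	}
	var m Metadata
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	if m.Issuer != expectedIssuer {
		return nil, fmt.Errorf("issuer mismatch: document claims %q, expected %q", m.Issuer, expectedIssuer)
	}
	for name, ep := range map[string]string{"authorization_endpoint": m.AuthorizationEndpoint,
		"token_endpoint": m.TokenEndpoint, "jwks_uri": m.JWKSURI} {
		if !strings.HasPrefix(ep, "https://") {
			return nil, fmt.Errorf("%s %q is missing or not https", name, ep)
		}
	}
	return &m, nil
}

// SupportsS256 reports whether the server advertises the S256 PKCE method. A client
// should send code_challenge_method=S256 only when it does, and never fall back to "plain".
func SupportsS256(m *Metadata) bool {
	for _, method := range m.CodeChallengeMethodsSupported {
		if method == "S256" {
			return true
		}
	}
	return false
}

// newFakeIssuer serves constructed metadata over TLS. issuerClaim is the issuer the
// document asserts; "" means the server's own URL, i.e. a well-behaved issuer.
func newFakeIssuer(issuerClaim string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		iss := issuerClaim
		if iss == "" {
			iss = srv.URL
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Metadata{Issuer: iss, AuthorizationEndpoint: srv.URL + "/authorize",
			TokenEndpoint: srv.URL + "/token", JWKSURI: srv.URL + "/jwks", CodeChallengeMethodsSupported: []string{"S256"}})
	}))
	return srv
}

func main() {
	srv := newFakeIssuer("https://attacker.example") // constructed: the document lies about its issuer
	defer srv.Close()
	mdURL, _ := WellKnownURL(srv.URL)
	_, err := Discover(context.Background(), srv.Client(), mdURL, srv.URL)
	fmt.Println("rejected:", err)
}
```

The issuer comparison is the check that matters most: without it, anyone who can serve a discovery document at a URL you fetch can redirect the token and JWKS endpoints to hosts they control, and every later signature check will be made against their keys.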
type ScopeList added in v0.3.7
type ScopeList []string
ScopeList represents the "scope" field in both dynamic client registration requests and responses.
Marshaling (requests): Per RFC 7591 Section 2, scopes are serialized as a space-delimited string. Examples:
- []string{"openid", "profile", "email"} → "openid profile email"
- []string{"openid"} → "openid"
- nil or []string{} → omitted (via omitempty)
Unmarshaling (responses): Some servers return scopes as a space-delimited string per RFC 7591, while others return a JSON array. This type normalizes both formats into []string. Examples:
- "openid profile email" → []string{"openid", "profile", "email"}
- ["openid","profile","email"] → []string{"openid", "profile", "email"}
- null → nil
- "" or ["", " "] → nil
func (ScopeList) MarshalJSON added in v0.6.6
MarshalJSON implements custom encoding for ScopeList. It converts the slice of scopes into a space-delimited string as required by RFC 7591 Section 2.
Important: This method does NOT handle empty slices. Go's encoding/json package evaluates omitempty by checking if the Go value is "empty" (len(slice) == 0) BEFORE calling MarshalJSON. Empty slices are omitted at the struct level, so this method is never invoked for empty slices. This means we don't need to return null or handle the empty case - omitempty does it for us automatically.
See: https://pkg.go.dev/encoding/json (omitempty checks zero values before marshaling)
func (*ScopeList) UnmarshalJSON added in v0.3.7
UnmarshalJSON implements custom decoding for ScopeList. It supports both string and array encodings of the "scope" field, trimming whitespace and normalizing empty values to nil for consistent semantics.
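An added reimplementation of the behaviour described above for ScopeList, not the package's own code, so that the omitempty interaction and the two accepted input shapes can be exercised directly. The registration carrier struct and the EncodeScopes and DecodeScopes helpers are the example's own; one deliberate extra is that a scope of the wrong JSON type (a number, an array of numbers) is an error rather than a silently empty list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ScopeList reimplements the lenient "scope" handling described above.
type ScopeList []string

// MarshalJSON emits the RFC 7591 form, a single space-delimited string. With omitempty
// on the field, empty and nil slices are dropped before this method is consulted.
func (s ScopeList) MarshalJSON() ([]byte, error) {
	return json.Marshal(strings.Join(s, " "))
}

// UnmarshalJSON accepts a string or an array of strings, splits on whitespace (which
// also trims) and maps blank input to nil. Other JSON types are an error rather than
// a silently empty scope list.
func (s *ScopeList) UnmarshalJSON(data []byte) error {
	var raw any
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	var parts []string
	switch v := raw.(type) {
	case nil: // JSON null
	case string:
		parts = strings.Fields(v)
	case []any:
		for _, e := range v {
			str, ok := e.(string)
			if !ok {
				return fmt.Errorf("scope element %v is not a string", e)
			}
			parts = append(parts, strings.Fields(str)...)
		}
	default:
		return fmt.Errorf("scope must be a string or an array, got %T", raw)
	}
	*s = nil
	if len(parts) > 0 {
		*s = parts
	}
	return nil
}

// registration is a minimal carrier for the scope field (constructed for the example).
type registration struct {
	ClientID string    `json:"client_id,omitempty"`
	Scopes   ScopeList `json:"scope,omitempty"`
}

// EncodeScopes returns the request body produced for the given scopes.
func EncodeScopes(scopes []string) (string, error) {
	b, err := json.Marshal(registration{ClientID: "c", Scopes: scopes})
	return string(b), err
}

// DecodeScopes parses a response body and returns the normalized scopes.
func DecodeScopes(body string) (ScopeList, error) {
	var r registration
	err := json.Unmarshal([]byte(body), &r)
	return r.Scopes, err
}

func main() {
	for _, in := range []string{
		`{"scope":"openid profile email"}`, // RFC 7591 string form
		`{"scope":["openid","profile"]}`,   // array form some servers return
		`{"scope":["", " "]}`,              // blank entries normalize to nil
		`{"scope":42}`,                     // rejected
	} {
		s, err := DecodeScopes(in)
		fmt.Printf("%-34s -> %q nil=%t err=%v\n", in, s, s == nil, err)
	}
}
```

Note that encoding/json does call UnmarshalJSON for an explicit JSON null on a field with a pointer-receiver Unmarshaler, so the nil case in the type switch is reached; an absent field never reaches the method and the slice simply stays nil.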