handlers

package
v0.8.2
Published: Jan 27, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package handlers provides HTTP handlers for the OAuth 2.0 authorization server endpoints.

This package implements the HTTP layer for the authorization server, including:

  • OIDC Discovery endpoint (/.well-known/openid-configuration)
  • JWKS endpoint (/.well-known/jwks.json)
  • OAuth endpoints (authorize, token, callback, register) - to be implemented

The Handler struct coordinates all handlers and provides route registration methods for integrating with standard Go HTTP servers.

Index

Constants

const (
	// DefaultJWKSCacheMaxAge is the Cache-Control max-age for the JWKS endpoint (1 hour).
	// This balances caching efficiency with timely key rotation propagation.
	DefaultJWKSCacheMaxAge = 3600

	// DefaultDiscoveryCacheMaxAge is the Cache-Control max-age for the discovery endpoint (1 hour).
	// Aligned with Google's OIDC discovery cache policy.
	DefaultDiscoveryCacheMaxAge = 3600
)

Cache-Control max-age values for discovery endpoints. These are not exposed to users but extracted as constants for documentation and maintainability.

Variables

This section is empty.

Functions

This section is empty.

Types

type Handler

type Handler struct {
	// contains filtered or unexported fields
}

Handler provides HTTP handlers for the OAuth authorization server endpoints.

func NewHandler

func NewHandler(
	provider fosite.OAuth2Provider,
	config *server.AuthorizationServerConfig,
	stor storage.Storage,
	upstreamIDP upstream.OAuth2Provider,
) *Handler

NewHandler creates a new Handler with the given dependencies.

func (*Handler) AuthorizeHandler added in v0.8.1

func (h *Handler) AuthorizeHandler(w http.ResponseWriter, req *http.Request)

AuthorizeHandler handles GET /oauth/authorize requests. It validates the client's authorization request and redirects to the upstream IDP.

func (*Handler) CallbackHandler added in v0.8.1

func (h *Handler) CallbackHandler(w http.ResponseWriter, req *http.Request)

CallbackHandler handles GET /oauth/callback requests. It exchanges the upstream authorization code and issues our own authorization code.

func (*Handler) JWKSHandler

func (h *Handler) JWKSHandler(w http.ResponseWriter, _ *http.Request)

JWKSHandler handles GET /.well-known/jwks.json requests. It returns the public keys used for verifying JWTs.

func (*Handler) OAuthDiscoveryHandler

func (h *Handler) OAuthDiscoveryHandler(w http.ResponseWriter, _ *http.Request)

OAuthDiscoveryHandler handles GET /.well-known/oauth-authorization-server requests. It returns the OAuth 2.0 Authorization Server Metadata per RFC 8414. This endpoint is useful for non-OIDC OAuth clients.

func (*Handler) OAuthRoutes

func (h *Handler) OAuthRoutes(r chi.Router)

OAuthRoutes registers OAuth endpoints (authorize, callback, token, register) on the provided router.

func (*Handler) OIDCDiscoveryHandler

func (h *Handler) OIDCDiscoveryHandler(w http.ResponseWriter, _ *http.Request)

OIDCDiscoveryHandler handles GET /.well-known/openid-configuration requests. It returns the OIDC discovery document describing the authorization server capabilities. This extends the OAuth 2.0 AS Metadata (RFC 8414) with OIDC-specific fields.

func (*Handler) RegisterClientHandler added in v0.8.1

func (h *Handler) RegisterClientHandler(w http.ResponseWriter, req *http.Request)

RegisterClientHandler handles POST /oauth/register requests. It implements RFC 7591 Dynamic Client Registration for public clients with loopback redirect URIs only.

func (*Handler) Routes

func (h *Handler) Routes() http.Handler

Routes returns a router with all OAuth/OIDC endpoints registered.

func (*Handler) TokenHandler added in v0.8.1

func (h *Handler) TokenHandler(w http.ResponseWriter, req *http.Request)

TokenHandler handles POST /oauth/token requests. It processes token requests using fosite's access request/response flow.

func (*Handler) WellKnownRoutes

func (h *Handler) WellKnownRoutes(r chi.Router)

WellKnownRoutes registers well-known endpoints (JWKS, OAuth/OIDC discovery) on the provided router. Both discovery endpoints are registered per the MCP specification requirement to provide at least one discovery mechanism, with both supported for maximum interoperability:

  • /.well-known/oauth-authorization-server (RFC 8414) for OAuth-only clients
  • /.well-known/openid-configuration (OIDC Discovery 1.0) for OIDC clients

type UserResolver added in v0.8.1

type UserResolver struct {
	// contains filtered or unexported fields
}

UserResolver handles finding or creating users based on provider identity. It manages the mapping between upstream provider subjects and internal user IDs.

func NewUserResolver added in v0.8.1

func NewUserResolver(stor storage.UserStorage) *UserResolver

NewUserResolver creates a new UserResolver with the given storage.

func (*UserResolver) ResolveUser added in v0.8.1

func (r *UserResolver) ResolveUser(
	ctx context.Context,
	providerID string,
	providerSubject string,
) (*storage.User, error)

ResolveUser finds an existing user or creates a new one for the provider identity. Returns the user whose ID will be the "sub" claim in our JWTs.

The resolution process:

  1. Look up existing identity by (providerID, providerSubject)
  2. If found, return the linked user
  3. If not found, create a new user and link the identity
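The three-step resolution above, as an added example that is not the package's own code: it uses a constructed in-memory stand-in for storage.UserStorage (the hypothetical memStorage type) and shows that repeated callbacks for the same upstream identity map to one user while the same subject string from a different provider gets its own user.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

// User mirrors the page's storage.User: its ID becomes the "sub" claim in issued JWTs.
type User struct{ ID string }
// identityKey is the (providerID, providerSubject) pair the lookup is keyed on, so a subject clash across providers never merges accounts.
type identityKey struct{ ProviderID, ProviderSubject string }

// memStorage is a constructed in-memory stand-in for the page's storage.UserStorage.
type memStorage struct {
	mu         sync.Mutex
	identities map[identityKey]string // linked identity -> internal user ID
	users      map[string]*User
	nextID     int
}

func newMemStorage() *memStorage {
	return &memStorage{identities: map[identityKey]string{}, users: map[string]*User{}}
}

// ResolveUser follows the documented three steps: look up, return if linked, else create and link.
func (s *memStorage) ResolveUser(ctx context.Context, providerID, providerSubject string) (*User, error) {
	if providerID == "" || providerSubject == "" {
		return nil, fmt.Errorf("incomplete provider identity")
	}
	s.mu.Lock() // lookup and create must be atomic, or two concurrent callbacks could mint two users
	defer s.mu.Unlock()
	key := identityKey{providerID, providerSubject}
	if id, ok := s.identities[key]; ok {
		return s.users[id], nil
	}
	s.nextID++
	u := &User{ID: fmt.Sprintf("user-%d", s.nextID)} // constructed ID scheme
	s.users[u.ID] = u
	s.identities[key] = u.ID
	return u, nil
}

func main() {
	s := newMemStorage()
	a, _ := s.ResolveUser(context.Background(), "github", "12345")
	b, _ := s.ResolveUser(context.Background(), "github", "12345")
	c, _ := s.ResolveUser(context.Background(), "google", "12345")
	fmt.Println(a.ID == b.ID, a.ID != c.ID) // true true
}
```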

func (*UserResolver) UpdateLastAuthenticated added in v0.8.1

func (r *UserResolver) UpdateLastAuthenticated(
	ctx context.Context,
	providerID string,
	providerSubject string,
)

UpdateLastAuthenticated updates the last authentication timestamp for a provider identity. This supports OIDC max_age parameter enforcement by tracking when users last authenticated. Errors are logged but not fatal - callers should continue with authorization.
