authserver

package
v0.8.3
Published: Jan 29, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package authserver provides configuration and validation for the OAuth authorization server.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// Issuer is the issuer identifier for this authorization server.
	// This will be included in the "iss" claim of issued tokens.
	Issuer string

	// KeyProvider provides signing keys for JWT operations.
	// Supports key rotation by returning multiple public keys for JWKS.
	// If nil, an ephemeral key will be auto-generated (development only).
	//
	// Production: Use keys.NewFileProvider() or keys.NewProviderFromConfig()
	// Testing: Use a mock or keys.NewGeneratingProvider()
	KeyProvider keys.KeyProvider

	// HMACSecrets contains the symmetric secrets used for signing authorization codes
	// and refresh tokens (opaque tokens). Unlike the asymmetric signing key supplied by
	// KeyProvider, which signs JWTs for distributed verification, these secrets are used
	// internally by the authorization server only.
	// Current secret must be at least 32 bytes and cryptographically random.
	// Must be consistent across all replicas in multi-instance deployments.
	// Supports secret rotation via the Rotated field.
	HMACSecrets *servercrypto.HMACSecrets

	// AccessTokenLifespan is the duration that access tokens are valid.
	// If zero, defaults to 1 hour.
	AccessTokenLifespan time.Duration

	// RefreshTokenLifespan is the duration that refresh tokens are valid.
	// If zero, defaults to 7 days.
	RefreshTokenLifespan time.Duration

	// AuthCodeLifespan is the duration that authorization codes are valid.
	// If zero, defaults to 10 minutes.
	AuthCodeLifespan time.Duration

	// Upstreams contains configurations for connecting to upstream IDPs.
	// At least one upstream is required - the server delegates authentication to the upstream IDP.
	// Currently only a single upstream is supported.
	Upstreams []UpstreamConfig

	// ScopesSupported lists the OAuth 2.0 scope values advertised in discovery documents.
	// If nil or empty, defaults to ["openid", "offline_access"].
	// This is advertised in /.well-known/openid-configuration and
	// /.well-known/oauth-authorization-server discovery endpoints.
	ScopesSupported []string

	// AllowedAudiences is the list of valid resource URIs that tokens can be issued for.
	// Per RFC 8707, the "resource" parameter in authorization and token requests is
	// validated against this list. MCP clients are required to include the resource
	// parameter, so this should be configured with the canonical URIs of all MCP servers
	// this authorization server issues tokens for.
	//
	// Security: An empty list means NO audiences are permitted (secure default).
	// When empty, any request with a "resource" parameter will be rejected with
	// "invalid_target". Configure this for proper MCP specification compliance.
	AllowedAudiences []string
}

Config is the pure configuration for the OAuth authorization server. All values must be fully resolved (no file paths, no env vars). This is the interface that consumers should use to configure the server.
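As an added illustration (not code from the ToolHive project), the self-contained Go snippet below shows the AllowedAudiences rule the field comment describes: an empty list permits no "resource" value, and any other value must exactly match a configured canonical URI, with mismatches reported as "invalid_target". It also enforces the documented 32-byte minimum for the HMAC secret. The function names, and the "invalid_request" error used for a missing resource parameter, are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// errInvalidTarget mirrors the RFC 8707 "invalid_target" error named in the Config docs.
var errInvalidTarget = errors.New("invalid_target")

// checkResource decides whether a requested "resource" value is an allowed audience.
// An empty allow-list permits nothing (the documented secure default); otherwise the
// value must be an absolute, fragment-free URI that exactly equals a configured entry.
func checkResource(allowed []string, resource string) error {
	if resource == "" {
		// Assumed error code: the page only says MCP clients must send "resource".
		return errors.New("invalid_request: resource parameter is required")
	}
	u, err := url.Parse(resource)
	if err != nil || !u.IsAbs() || u.Fragment != "" {
		return errInvalidTarget
	}
	for _, a := range allowed {
		if a == resource { // exact match only; no prefix or host-only matching
			return nil
		}
	}
	return errInvalidTarget
}

// newHMACSecret returns n cryptographically random bytes for HMACSecrets.
// It refuses anything shorter than the documented 32-byte minimum.
func newHMACSecret(n int) ([]byte, error) {
	if n < 32 {
		return nil, fmt.Errorf("hmac secret must be at least 32 bytes, got %d", n)
	}
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

func main() {
	allowed := []string{"https://mcp.example.test/"} // constructed sample audience
	fmt.Println(checkResource(allowed, "https://mcp.example.test/")) // <nil>
	fmt.Println(checkResource(nil, "https://mcp.example.test/"))     // invalid_target
}
```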

func (*Config) GetUpstream

func (c *Config) GetUpstream() *upstream.OAuth2Config

GetUpstream returns the primary upstream configuration. For current single-upstream deployments, this returns the only configured upstream. Returns nil if no upstreams are configured (call Validate first).

func (*Config) Validate

func (c *Config) Validate() error

Validate checks that the Config is valid.

type UpstreamConfig

type UpstreamConfig struct {
	// Name uniquely identifies this upstream.
	// Used for routing decisions and session binding in multi-upstream scenarios.
	// If empty when only one upstream is configured, defaults to "default".
	Name string `json:"name,omitempty" yaml:"name,omitempty"`

	// Config contains the OAuth 2.0 provider configuration.
	Config *upstream.OAuth2Config `json:"config" yaml:"config"`
}

UpstreamConfig wraps an upstream IDP configuration with identifying metadata.

Directories

Path Synopsis
Package server provides the OAuth 2.0 authorization server implementation for ToolHive.
crypto
Package crypto provides cryptographic utilities for the OAuth authorization server.
handlers
Package handlers provides HTTP handlers for the OAuth 2.0 authorization server endpoints.
keys
Package keys provides signing key management for the OAuth authorization server.
keys/mocks
Package mocks is a generated GoMock package.
registration
Package registration provides OAuth client types and utilities, including RFC 8252 compliant loopback redirect URI support for native OAuth clients.
session
Package session provides OAuth session management for the authorization server.
Package storage provides storage interfaces and implementations for the OAuth authorization server.
mocks
Package mocks is a generated GoMock package.
Package upstream provides types and implementations for upstream Identity Provider communication in the OAuth authorization server.
