factory

func NewIncomingAuthMiddleware ¶

func NewIncomingAuthMiddleware(
	ctx context.Context,
	cfg *config.IncomingAuthConfig,
) (func(http.Handler) http.Handler, http.Handler, error)

NewIncomingAuthMiddleware creates HTTP middleware for incoming authentication and authorization based on the vMCP configuration.

This factory handles all incoming auth types:

• "oidc": OIDC token validation
• "local": Local OS user authentication
• "anonymous": Anonymous user (no authentication required)

If Authz is configured, authorization middleware is also created and composed with the authentication middleware (auth runs first, then authz).

All middleware types now directly create and inject Identity into the context, eliminating the need for a separate conversion layer.

Returns:

• Composed middleware function (auth + authz if configured)
• AuthInfo handler (for /.well-known/oauth-protected-resource endpoint, may be nil)
• Error if middleware creation fails

func NewOutgoingAuthRegistry ¶

func NewOutgoingAuthRegistry(
	_ context.Context,
	envReader env.Reader,
) (auth.OutgoingAuthRegistry, error)

NewOutgoingAuthRegistry creates an OutgoingAuthRegistry with all available strategies.

All strategies are registered upfront since they're cheap and mostly stateless (except token_exchange which has internal caching). This simplifies the factory and eliminates the need for on-demand strategy registration based on configuration.

Registered Strategies:

• "unauthenticated": Default fallback for backends without auth
• "header_injection": Custom HTTP header injection
• "token_exchange": RFC-8693 OAuth 2.0 token exchange

Parameters:

• ctx: Context for any initialization that requires it
• envReader: Environment variable reader for dependency injection

Returns:

• auth.OutgoingAuthRegistry: Registry with all strategies registered
• error: Any error during strategy initialization or registration