auth

package
v0.1.15-rc.2
Published: Jan 23, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package auth provides authentication and authorization functionality for StreamNative MCP Server. It implements OAuth 2.0 flows including client credentials and device authorization grants.

Index

Constants

const (
	// KeyFileTypeServiceAccount identifies service account key files.
	KeyFileTypeServiceAccount = "sn_service_account"
	// FILE indicates a file:// key file reference.
	FILE = "file://"
	// DATA indicates a data:// inline key file reference.
	DATA = "data://"
)
const (
	// ClaimNameUserName is the JWT claim name for the username.
	ClaimNameUserName = "https://streamnative.io/username"
)

Variables

This section is empty.

Functions

func DumpToken

func DumpToken(out io.Writer, token oauth2.Token)

DumpToken writes token information to the provided writer for debugging. Because the output may include token material, send it only to a debugging destination, never to shared or persistent logs.

func ExtractUserName

func ExtractUserName(token oauth2.Token) (string, error)

ExtractUserName extracts the username claim (ClaimNameUserName) from the given token.
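How such a claim is read out of a compact JWT, as an added example (this is not the package's own implementation): split the three segments, base64url-decode the payload and look up the claim by its full name. The example deliberately decodes without verifying the signature, which is exactly why the result must only be used for display or logging after the token has been validated elsewhere; the sample token and its values are constructed here, and buildUnsignedToken is an assumed helper, not a package API.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ClaimNameUserName is the claim name the auth package documents for the username.
const ClaimNameUserName = "https://streamnative.io/username"

// extractUserName reads the username claim out of a compact-serialised JWT.
// It decodes the payload only: it does NOT verify the signature, issuer,
// audience or expiry. Validate the token first and treat the returned value
// as display data, never as an authorization decision. (Added example.)
func extractUserName(accessToken string) (string, error) {
	parts := strings.Split(accessToken, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token is not a compact JWS: expected 3 segments, got %d", len(parts))
	}
	// JWT segments are unpadded base64url; tolerate padding some issuers add anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("payload is not a JSON object: %w", err)
	}
	raw, ok := claims[ClaimNameUserName]
	if !ok {
		return "", fmt.Errorf("claim %q not present", ClaimNameUserName)
	}
	var name string
	if err := json.Unmarshal(raw, &name); err != nil {
		return "", fmt.Errorf("claim %q is not a string: %w", ClaimNameUserName, err)
	}
	if name == "" {
		return "", errors.New("username claim is empty")
	}
	return name, nil
}

// buildUnsignedToken constructs a sample token for the demonstration. The
// signature segment is deliberately garbage, which is the point: extractUserName
// alone cannot tell a forged token from a real one, so it must never be the only check.
func buildUnsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "." + enc([]byte("not-a-real-signature"))
}

func main() {
	// Constructed claims; none of these values are real.
	tok := buildUnsignedToken(map[string]any{
		"iss":             "https://issuer.example/",
		"sub":             "auth0|abc123",
		ClaimNameUserName: "alice@example.com",
	})
	name, err := extractUserName(tok)
	fmt.Println(name, err)
}
```

The lookup uses the full claim name, including the `https://streamnative.io/` namespace, because the claim is namespaced to avoid colliding with standard JWT claims such as `sub`.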

Types

type AuthorizationCodeExchangeRequest

type AuthorizationCodeExchangeRequest struct {
	ClientID     string
	CodeVerifier string
	Code         string
	RedirectURI  string
}

AuthorizationCodeExchangeRequest is used to request the exchange of an authorization code (together with its PKCE code verifier) for a token.

type AuthorizationGrant

type AuthorizationGrant struct {
	// Type describes the type of authorization grant represented by this structure
	Type AuthorizationGrantType `json:"type"`

	// ClientCredentials is credentials data for the client credentials grant type
	ClientCredentials *KeyFile `json:"client_credentials,omitempty"`

	// Token contains an access token in the client credentials grant type,
	// and a refresh token in the device authorization grant type
	Token *oauth2.Token `json:"token,omitempty"`
}

AuthorizationGrant is a credential representing the resource owner's authorization to access its protected resources, and is used by the client to obtain an access token.

type AuthorizationGrantRefresher

type AuthorizationGrantRefresher interface {
	// Refresh refreshes an authorization grant to contain a fresh access token
	Refresh(grant *AuthorizationGrant) (*AuthorizationGrant, error)
}

AuthorizationGrantRefresher refreshes an OAuth 2.0 authorization grant.

type AuthorizationGrantType

type AuthorizationGrantType string

AuthorizationGrantType defines the supported OAuth2 grant types.

const (
	// GrantTypeClientCredentials represents a client credentials grant
	GrantTypeClientCredentials AuthorizationGrantType = "client_credentials"
)

type AuthorizationTokenResponse

type AuthorizationTokenResponse struct {
	AccessToken  string `json:"access_token"`
	ExpiresIn    int    `json:"expires_in"`
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
	TokenType    string `json:"token_type"`
}

AuthorizationTokenResponse is the HTTP response body returned when asking for a new token. Not all fields are populated; which ones are depends on the kind of request that was sent (a client credentials exchange, for example, yields an access token but no refresh token).

type ClientCredentialsExchangeRequest

type ClientCredentialsExchangeRequest struct {
	ClientID     string
	ClientSecret string
	Audience     string
}

ClientCredentialsExchangeRequest is used to request the exchange of client credentials for a token.

type ClientCredentialsExchanger

type ClientCredentialsExchanger interface {
	ExchangeClientCredentials(req ClientCredentialsExchangeRequest) (*TokenResult, error)
}

ClientCredentialsExchanger abstracts exchanging client credentials for tokens.

type ClientCredentialsFlow

type ClientCredentialsFlow struct {
	// contains filtered or unexported fields
}

ClientCredentialsFlow takes care of the mechanics needed for getting an access token using the OAuth 2.0 "Client Credentials Flow".

func NewClientCredentialsFlow

func NewClientCredentialsFlow(
	issuerData Issuer,
	provider ClientCredentialsProvider,
	exchanger ClientCredentialsExchanger,
	clock clock.Clock) *ClientCredentialsFlow

NewClientCredentialsFlow creates a new client credentials flow with the given components.

func NewDefaultClientCredentialsFlow

func NewDefaultClientCredentialsFlow(issuerData Issuer, keyFile string) (*ClientCredentialsFlow, error)

NewDefaultClientCredentialsFlow provides an easy way to build up a default client credentials flow with all the correct configuration.

func NewDefaultClientCredentialsFlowWithKeyFileStruct

func NewDefaultClientCredentialsFlowWithKeyFileStruct(issuerData Issuer, keyFile *KeyFile) (*ClientCredentialsFlow, error)

NewDefaultClientCredentialsFlowWithKeyFileStruct provides an easy way to build up a default client credentials flow with all the correct configuration.

func (*ClientCredentialsFlow) Authorize

func (c *ClientCredentialsFlow) Authorize() (*AuthorizationGrant, error)

Authorize requests an authorization grant using the client credentials flow.

type ClientCredentialsGrantRefresher

type ClientCredentialsGrantRefresher struct {
	// contains filtered or unexported fields
}

ClientCredentialsGrantRefresher refreshes client-credentials grants using the token endpoint.

func NewDefaultClientCredentialsGrantRefresher

func NewDefaultClientCredentialsGrantRefresher(issuerData Issuer,
	clock clock.Clock) (*ClientCredentialsGrantRefresher, error)

NewDefaultClientCredentialsGrantRefresher creates a default client credentials grant refresher.

func (*ClientCredentialsGrantRefresher) Refresh

Refresh exchanges the client credentials for a fresh authorization grant.

type ClientCredentialsProvider

type ClientCredentialsProvider interface {
	GetClientCredentials() (*KeyFile, error)
}

ClientCredentialsProvider abstracts obtaining client credentials as a KeyFile.

type ConfigBackedCachingProvider

type ConfigBackedCachingProvider struct {
	// contains filtered or unexported fields
}

ConfigBackedCachingProvider wraps a configProvider so that it satisfies the (unexported) cachingProvider interface.

func NewConfigBackedCachingProvider

func NewConfigBackedCachingProvider(clientID, audience string, config configProvider) *ConfigBackedCachingProvider

NewConfigBackedCachingProvider builds and returns a ConfigBackedCachingProvider that uses the given configProvider to cache tokens.

func (*ConfigBackedCachingProvider) CacheTokens

func (c *ConfigBackedCachingProvider) CacheTokens(toCache *TokenResult) error

CacheTokens stores the ID token and refresh token from the TokenResult in the configProvider. A refresh token is a long-lived bearer credential, so the store behind the configProvider needs the same protection as the key file itself.

func (*ConfigBackedCachingProvider) GetTokens

func (c *ConfigBackedCachingProvider) GetTokens() (*TokenResult, error)

GetTokens reads the cached tokens from the configProvider and returns them as a TokenResult.

type DeviceCodeExchangeRequest

type DeviceCodeExchangeRequest struct {
	ClientID     string
	DeviceCode   string
	PollInterval time.Duration
}

DeviceCodeExchangeRequest is used to request the exchange of a device code for a token; PollInterval is how often the token endpoint is polled while the user completes authorization.

type Flow

type Flow interface {
	// Authorize obtains an authorization grant based on an OAuth 2.0 authorization flow.
	// The method returns a grant which may contain an initial access token.
	Authorize() (*AuthorizationGrant, error)
}

Flow abstracts an OAuth 2.0 authentication and authorization flow.

type HTTPAuthTransport

type HTTPAuthTransport interface {
	Do(request *http.Request) (*http.Response, error)
}

HTTPAuthTransport abstracts how an HTTP token exchange request is sent and its response received.

type Issuer

type Issuer struct {
	IssuerEndpoint string
	ClientID       string
	Audience       string
}

Issuer holds information about the issuer of tokens: its endpoint, the client ID to present to it and the audience to request.

type KeyFile

type KeyFile struct {
	Type         string `json:"type"`
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	ClientEmail  string `json:"client_email"`
}

KeyFile holds service account credentials from a JSON key file.

type KeyFileProvider

type KeyFileProvider struct {
	KeyFile string
}

KeyFileProvider provides client credentials from a key file path.

func NewClientCredentialsProviderFromKeyFile

func NewClientCredentialsProviderFromKeyFile(keyFile string) *KeyFileProvider

NewClientCredentialsProviderFromKeyFile creates a provider from a key file path.

func (*KeyFileProvider) GetClientCredentials

func (k *KeyFileProvider) GetClientCredentials() (*KeyFile, error)

GetClientCredentials loads client credentials from the configured key file source.

type KeyFileStructProvider

type KeyFileStructProvider struct {
	KeyFile *KeyFile
}

KeyFileStructProvider provides client credentials from an in-memory KeyFile struct.

func NewClientCredentialsProviderFromKeyFileStruct

func NewClientCredentialsProviderFromKeyFileStruct(keyFile *KeyFile) *KeyFileStructProvider

NewClientCredentialsProviderFromKeyFileStruct creates a provider from an in-memory KeyFile.

func (*KeyFileStructProvider) GetClientCredentials

func (k *KeyFileStructProvider) GetClientCredentials() (*KeyFile, error)

GetClientCredentials returns the client credentials from the in-memory KeyFile.

type OIDCWellKnownEndpoints

type OIDCWellKnownEndpoints struct {
	AuthorizationEndpoint       string `json:"authorization_endpoint"`
	TokenEndpoint               string `json:"token_endpoint"`
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
}

OIDCWellKnownEndpoints holds the endpoints published in the issuer's well-known OIDC discovery document.

func GetOIDCWellKnownEndpointsFromIssuerURL

func GetOIDCWellKnownEndpointsFromIssuerURL(issuerURL string) (*OIDCWellKnownEndpoints, error)

GetOIDCWellKnownEndpointsFromIssuerURL fetches the well-known endpoints for the passed-in issuer URL.
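What fetching the discovery document involves, and the two checks a client should apply before trusting the endpoints it returns, as an added example that is not the package's own code: the document's `issuer` value must equal the URL that was queried (OpenID Connect Discovery 1.0, section 4.3), which defeats a host serving another issuer's metadata, and every endpoint must be HTTPS, since the token endpoint will receive the client secret. The fake issuer server, its paths, and the loopback exception in requireHTTPS (there only so the constructed server can run without TLS) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OIDCWellKnownEndpoints mirrors the struct documented for the auth package.
type OIDCWellKnownEndpoints struct {
	AuthorizationEndpoint       string `json:"authorization_endpoint"`
	TokenEndpoint               string `json:"token_endpoint"`
	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
}

// discoverEndpoints fetches <issuer>/.well-known/openid-configuration and applies
// the checks OpenID Connect Discovery 1.0 §4.3 requires before the endpoints may be
// used: the document's "issuer" must equal the URL asked for, and endpoints must be HTTPS.
func discoverEndpoints(client *http.Client, issuerURL string) (*OIDCWellKnownEndpoints, error) {
	base := strings.TrimSuffix(issuerURL, "/")
	resp, err := client.Get(base + "/.well-known/openid-configuration")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery returned HTTP %d", resp.StatusCode)
	}
	var doc struct {
		Issuer string `json:"issuer"`
		OIDCWellKnownEndpoints
	}
	// Cap the body: a discovery document is small, and an unbounded read is a cheap DoS.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&doc); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	// Exact issuer match (modulo a trailing slash) blocks mix-up attacks where a hostile
	// or misconfigured host hands out another issuer's endpoints.
	if strings.TrimSuffix(doc.Issuer, "/") != base {
		return nil, fmt.Errorf("issuer mismatch: document says %q, requested %q", doc.Issuer, issuerURL)
	}
	if doc.TokenEndpoint == "" {
		return nil, fmt.Errorf("discovery document has no token_endpoint")
	}
	for name, ep := range map[string]string{
		"authorization_endpoint":        doc.AuthorizationEndpoint,
		"token_endpoint":                doc.TokenEndpoint,
		"device_authorization_endpoint": doc.DeviceAuthorizationEndpoint,
	} {
		if ep == "" {
			continue // optional endpoints may be absent
		}
		if err := requireHTTPS(ep); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	}
	return &doc.OIDCWellKnownEndpoints, nil
}

// requireHTTPS accepts only absolute https:// URLs. The loopback exception exists
// solely so the constructed httptest server below can be exercised without TLS.
func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return fmt.Errorf("%q is not an absolute URL", raw)
	}
	if u.Scheme == "https" {
		return nil
	}
	ip := net.ParseIP(u.Hostname())
	if (ip != nil && ip.IsLoopback()) || u.Hostname() == "localhost" {
		return nil
	}
	return fmt.Errorf("%q is not https; the client secret would travel in cleartext", raw)
}

// newFakeIssuer is a constructed stand-in for an OIDC provider. With claimedIssuer ""
// it reports its own address as issuer (an honest provider); any other value simulates
// a host serving someone else's metadata.
func newFakeIssuer(claimedIssuer string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		self := "http://" + r.Host
		iss := claimedIssuer
		if iss == "" {
			iss = self
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{
			"issuer":                        iss,
			"authorization_endpoint":        self + "/authorize",
			"token_endpoint":                self + "/oauth/token",
			"device_authorization_endpoint": self + "/oauth/device/code",
		})
	}))
}

func main() {
	honest := newFakeIssuer("")
	defer honest.Close()
	eps, err := discoverEndpoints(honest.Client(), honest.URL)
	fmt.Printf("honest issuer: %+v err=%v\n", eps, err)

	impostor := newFakeIssuer("https://auth.example.com")
	defer impostor.Close()
	_, err = discoverEndpoints(impostor.Client(), impostor.URL)
	fmt.Println("impostor issuer:", err)
}
```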

type RefreshTokenExchangeRequest

type RefreshTokenExchangeRequest struct {
	ClientID     string
	RefreshToken string
}

RefreshTokenExchangeRequest is used to request the exchange of a refresh token for a refreshed token.

type TokenError

type TokenError struct {
	ErrorCode        string
	ErrorDescription string
}

TokenError represents an error response from the token endpoint.

func (*TokenError) Error

func (e *TokenError) Error() string

type TokenErrorResponse

type TokenErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

TokenErrorResponse is used to parse error responses from the token endpoint.

type TokenResult

type TokenResult struct {
	AccessToken  string `json:"access_token"`
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
}

TokenResult holds the tokens returned by a successful token endpoint exchange.

type TokenRetriever

type TokenRetriever struct {
	// contains filtered or unexported fields
}

TokenRetriever performs the token endpoint exchanges (client credentials, authorization code, device code and refresh token) and satisfies ClientCredentialsExchanger.

func NewTokenRetriever

func NewTokenRetriever(
	oidcWellKnownEndpoints OIDCWellKnownEndpoints,
	authTransport HTTPAuthTransport) *TokenRetriever

NewTokenRetriever constructs a TokenRetriever from the issuer's well-known endpoints and the HTTPAuthTransport used to send token requests.

func (*TokenRetriever) ExchangeClientCredentials

func (ce *TokenRetriever) ExchangeClientCredentials(req ClientCredentialsExchangeRequest) (*TokenResult, error)

ExchangeClientCredentials uses the ClientCredentialsExchangeRequest to exchange client credentials for tokens.
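The exchange that ClientCredentialsFlow.Authorize and TokenRetriever.ExchangeClientCredentials perform, shown with both sides of the wire as an added example (this is not the package's own code): the client posts a `grant_type=client_credentials` form to the token endpoint and decodes either a TokenResult or an RFC 6749 section 5.2 error body into a TokenError. The token endpoint is a constructed httptest server, the credentials and audience values are constructed, and the wire name `audience` for ClientCredentialsExchangeRequest.Audience is an assumption of this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResult and TokenError mirror the types documented for the auth package.
type TokenResult struct {
	AccessToken  string `json:"access_token"`
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
}

type TokenError struct {
	ErrorCode        string
	ErrorDescription string
}

func (e *TokenError) Error() string {
	return fmt.Sprintf("token endpoint error %q: %s", e.ErrorCode, e.ErrorDescription)
}

// exchangeClientCredentials performs the RFC 6749 §4.4 client_credentials exchange and
// maps an RFC 6749 §5.2 error body to *TokenError. "audience" is the extension parameter
// behind ClientCredentialsExchangeRequest.Audience; its wire name is assumed here.
func exchangeClientCredentials(client *http.Client, tokenEndpoint, clientID, clientSecret, audience string) (*TokenResult, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"audience":      {audience},
	}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	dec := json.NewDecoder(resp.Body)
	if resp.StatusCode/100 != 2 {
		var te struct {
			Error            string `json:"error"`
			ErrorDescription string `json:"error_description"`
		}
		if err := dec.Decode(&te); err != nil || te.Error == "" {
			return nil, fmt.Errorf("token endpoint returned HTTP %d without a parsable error body", resp.StatusCode)
		}
		return nil, &TokenError{ErrorCode: te.Error, ErrorDescription: te.ErrorDescription}
	}
	var tr TokenResult
	if err := dec.Decode(&tr); err != nil {
		return nil, fmt.Errorf("token endpoint returned malformed JSON: %w", err)
	}
	if tr.AccessToken == "" {
		// A 2xx without a token is a broken or hostile server, not a success.
		return nil, fmt.Errorf("token endpoint returned HTTP %d with no access_token", resp.StatusCode)
	}
	return &tr, nil
}

// newFakeTokenServer is a constructed stand-in for the issuer's token endpoint: one
// accepted client_id/client_secret pair (compared in constant time), everything else
// rejected with an RFC 6749 §5.2 error body.
func newFakeTokenServer(wantID, wantSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("grant_type") != "client_credentials" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request"})
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.PostForm.Get("client_id")), []byte(wantID)) != 1 ||
			subtle.ConstantTimeCompare([]byte(r.PostForm.Get("client_secret")), []byte(wantSecret)) != 1 {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client", "error_description": "client authentication failed"})
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3600})
	}))
}

func main() {
	srv := newFakeTokenServer("svc-123", "s3cret") // constructed credentials
	defer srv.Close()
	tok, err := exchangeClientCredentials(srv.Client(), srv.URL+"/oauth/token", "svc-123", "s3cret", "urn:sn:pulsar:o-xyz:instance")
	fmt.Printf("token=%+v err=%v\n", tok, err)
	_, err = exchangeClientCredentials(srv.Client(), srv.URL+"/oauth/token", "svc-123", "wrong-secret", "urn:sn:pulsar:o-xyz:instance")
	fmt.Println("wrong secret:", err)
}
```

A caller distinguishes a rejected credential from a transport failure with `errors.As(err, &tokenErr)`; an `invalid_client` TokenError means the key file is wrong or revoked and retrying will not help, whereas a network error may be transient.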

func (*TokenRetriever) ExchangeCode

ExchangeCode uses the AuthorizationCodeExchangeRequest to exchange an authorization code for tokens.

func (*TokenRetriever) ExchangeDeviceCode

func (ce *TokenRetriever) ExchangeDeviceCode(ctx context.Context, req DeviceCodeExchangeRequest) (*TokenResult, error)

ExchangeDeviceCode uses the DeviceCodeExchangeRequest to exchange a device code for tokens, polling the token endpoint at the request's PollInterval until the context is cancelled or the exchange completes.

func (*TokenRetriever) ExchangeRefreshToken

func (ce *TokenRetriever) ExchangeRefreshToken(req RefreshTokenExchangeRequest) (*TokenResult, error)

ExchangeRefreshToken uses the RefreshTokenExchangeRequest to exchange a refresh token for refreshed tokens.

Directories

Path	Synopsis
cache	Package cache provides cached token sources for authentication flows.
store	Package store provides token storage implementations for authentication credentials.
