Documentation
Overview
Package auth provides authentication middleware for vinculum servers. It implements the auth "basic", "oidc", "oauth2", "custom", and "none" modes defined in HTTP-AUTH-SPEC.md.
Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewAuthMiddleware
func NewAuthMiddleware(authenticator Authenticator, evalCtx *hcl.EvalContext, logger *zap.Logger, next http.Handler) http.Handler
NewAuthMiddleware wraps next with authentication enforcement using the given Authenticator. On success the returned auth value is stored in the request context (exposed as ctx.auth). On failure an appropriate HTTP error is written and the request is aborted without reaching next.
Types

type AuthFailure

type AuthFailure struct {
    // Status is the HTTP status code to return (401 or 403).
    Status int
    // WWWAuthenticate is the value for the WWW-Authenticate response header.
    // Empty string means no header.
    WWWAuthenticate string
    // Response, if non-nil, is written directly as the HTTP response instead
    // of the default status + header (used by auth "custom" for redirects).
    Response *types.HTTPResponseWrapper
}
AuthFailure describes a failed authentication attempt.
type Authenticator

type Authenticator interface {
    Authenticate(r *http.Request, evalCtx *hcl.EvalContext) (cty.Value, *AuthFailure, error)
}
Authenticator validates an incoming HTTP request and returns the value to expose as ctx.auth on success, or an AuthFailure on rejection.
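The contract shared by NewAuthMiddleware, AuthFailure and Authenticator above, worked through as an added example that is not part of the vinculum package: a dependency-free middleware that honours the three failure paths (custom Response, Status plus optional WWW-Authenticate header, internal error) and a constructed "basic" mode Authenticator over a static credentials map. http.HandlerFunc stands in for *types.HTTPResponseWrapper, map[string]string for cty.Value, and the *hcl.EvalContext parameter is omitted; BasicAuth, authKey and the sample users are assumptions of this example.

```go
package main
import (
	"context"
	"crypto/subtle"
	"net/http"
)

// AuthFailure and Authenticator mirror the page's types. Stand-ins: http.HandlerFunc for
// *types.HTTPResponseWrapper, map[string]string for cty.Value; *hcl.EvalContext is omitted.
type AuthFailure struct {
	Status          int
	WWWAuthenticate string
	Response        http.HandlerFunc
}
type Authenticator interface {
	Authenticate(r *http.Request) (map[string]string, *AuthFailure, error)
}
type authKey struct{} // context key for the stored auth value (the page's ctx.auth)

// NewAuthMiddleware applies the documented contract: success stores the auth value in the
// request context; failure writes Response if set, else Status (+ WWW-Authenticate); error gives 500.
func NewAuthMiddleware(a Authenticator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		val, failure, err := a.Authenticate(r)
		switch {
		case err != nil:
			http.Error(w, "authentication error", http.StatusInternalServerError)
		case failure != nil && failure.Response != nil:
			failure.Response(w, r)
		case failure != nil:
			if failure.WWWAuthenticate != "" {
				w.Header().Set("WWW-Authenticate", failure.WWWAuthenticate)
			}
			http.Error(w, http.StatusText(failure.Status), failure.Status)
		default:
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), authKey{}, val)))
		}
	})
}
// BasicAuth is a constructed "basic" mode Authenticator over a static user -> password map.
type BasicAuth struct{ Realm string; Users map[string]string }
func (b BasicAuth) Authenticate(r *http.Request) (map[string]string, *AuthFailure, error) {
	user, pass, ok := r.BasicAuth()
	want, known := b.Users[user] // an unknown user must not match an empty password
	if !ok || !known || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		return nil, &AuthFailure{Status: 401, WWWAuthenticate: `Basic realm="` + b.Realm + `"`}, nil
	}
	return map[string]string{"user": user}, nil, nil
}
```

The rejected requests never reach next, so a handler behind the middleware can rely on the context value being present.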
func BuildAuthenticator
func BuildAuthenticator(ac *cfg.AuthConfig, serverName string, evalCtx *hcl.EvalContext) (Authenticator, error)
BuildAuthenticator constructs an Authenticator from the given AuthConfig. Returns nil, nil when ac is nil or ac.Mode == "none" (no authentication). The serverName is used as the default Basic auth realm when not specified. evalCtx is the global configuration eval context, used for evaluating static expressions (e.g. credentials maps) at construction time if needed.
type OIDCMetadata

type OIDCMetadata struct {
    Issuer                            string   `json:"issuer"`
    AuthorizationEndpoint             string   `json:"authorization_endpoint"`
    TokenEndpoint                     string   `json:"token_endpoint"`
    JWKSUri                           string   `json:"jwks_uri"`
    ResponseTypesSupported            []string `json:"response_types_supported,omitempty"`
    CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported,omitempty"`
    IntrospectionEndpoint             string   `json:"introspection_endpoint,omitempty"`
    UserInfoEndpoint                  string   `json:"userinfo_endpoint,omitempty"`
    GrantTypesSupported               []string `json:"grant_types_supported,omitempty"`
    TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
}
OIDCMetadata holds the fields from an OpenID Connect discovery document that vinculum exposes (for MCP's /.well-known/oauth-authorization-server endpoint).