Documentation ¶
Index ¶
- func Bearer(ctx context.Context) string
- func EffectiveUserID(ctx context.Context) string
- func EnsureUser(ctx context.Context, cfg *Config) context.Context
- func IDToken(ctx context.Context) string
- func MCPAuthToken(ctx context.Context, useIDToken bool) string
- func Provider(ctx context.Context) string
- func TokensFromContext(ctx context.Context) *scyauth.Token
- func WithBearer(ctx context.Context, token string) context.Context
- func WithIDToken(ctx context.Context, token string) context.Context
- func WithProvider(ctx context.Context, provider string) context.Context
- func WithTokens(ctx context.Context, t *scyauth.Token) context.Context
- func WithUserInfo(ctx context.Context, info *UserInfo) context.Context
- type Config
- type JWT
- type Local
- type OAuth
- type OAuthClient
- type UserInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func EffectiveUserID ¶
EffectiveUserID returns a stable user identifier from context (the subject, or the email). It returns the empty string when no identity is present.
func EnsureUser ¶
EnsureUser populates a user identity in context when one is missing, using config fallbacks (e.g. the local-mode default username). It returns the original context when no action is needed.
func MCPAuthToken ¶
MCPAuthToken selects a single token string suitable for outbound MCP calls. When useIDToken is true, it prefers the bundle's IDToken and falls back to the legacy raw ID-token key, then the legacy raw bearer key. When false, it prefers the bundle's AccessToken and falls back to the legacy raw bearer key.
func TokensFromContext ¶
TokensFromContext returns the token bundle from context, if present.
func WithBearer ¶
WithBearer stores a raw bearer token in context.
func WithIDToken ¶
WithIDToken stores a raw ID token in context.
func WithProvider ¶ added in v0.1.5
WithProvider stores an auth provider name in context.
func WithTokens ¶
WithTokens stores a token bundle in context.
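The context helpers above are documented without bodies; the following stand-alone Go example (added here, not this package's code) re-implements them to show the selection order MCPAuthToken is described with, and the one design point that matters for a context-carried credential: keys are unexported struct types, so no other package can read or overwrite them by accident. It assumes scyauth.Token exposes AccessToken and IDToken string fields and that the "legacy" keys are the ones WithBearer and WithIDToken write; both are assumptions, not facts from this page.

```go
package main

import (
	"context"
	"fmt"
)

// Token stands in for scyauth.Token; the example assumes that type carries
// AccessToken and IDToken strings (assumption, not taken from the page).
type Token struct {
	AccessToken string
	IDToken     string
}

// Unexported, distinct key types: another package cannot forge or collide
// with these context entries, and a string-key typo cannot alias them.
type (
	tokensKey  struct{}
	bearerKey  struct{}
	idTokenKey struct{}
)

// WithTokens stores a token bundle in context.
func WithTokens(ctx context.Context, t *Token) context.Context {
	return context.WithValue(ctx, tokensKey{}, t)
}

// WithBearer stores a raw bearer token under the legacy key.
func WithBearer(ctx context.Context, token string) context.Context {
	return context.WithValue(ctx, bearerKey{}, token)
}

// WithIDToken stores a raw ID token under the legacy key.
func WithIDToken(ctx context.Context, token string) context.Context {
	return context.WithValue(ctx, idTokenKey{}, token)
}

// TokensFromContext returns the bundle, or nil when none was stored.
func TokensFromContext(ctx context.Context) *Token {
	t, _ := ctx.Value(tokensKey{}).(*Token)
	return t
}

// Bearer and IDToken return the legacy raw values, or "" when absent.
func Bearer(ctx context.Context) string {
	s, _ := ctx.Value(bearerKey{}).(string)
	return s
}

func IDToken(ctx context.Context) string {
	s, _ := ctx.Value(idTokenKey{}).(string)
	return s
}

// MCPAuthToken picks one token for an outbound MCP call. With useIDToken the
// bundle's IDToken wins, then the legacy ID token, then the legacy bearer;
// otherwise the bundle's AccessToken wins, then the legacy bearer. An empty
// result means the caller holds no credential and should send no
// Authorization header at all rather than an empty one.
func MCPAuthToken(ctx context.Context, useIDToken bool) string {
	t := TokensFromContext(ctx)
	if useIDToken {
		if t != nil && t.IDToken != "" {
			return t.IDToken
		}
		if s := IDToken(ctx); s != "" {
			return s
		}
		return Bearer(ctx)
	}
	if t != nil && t.AccessToken != "" {
		return t.AccessToken
	}
	return Bearer(ctx)
}

func main() {
	ctx := WithTokens(context.Background(), &Token{AccessToken: "at-1", IDToken: "idt-1"})
	fmt.Printf("bundle: id=%q access=%q\n", MCPAuthToken(ctx, true), MCPAuthToken(ctx, false))
	legacy := WithBearer(context.Background(), "legacy-bearer")
	fmt.Printf("legacy: id=%q access=%q\n", MCPAuthToken(legacy, true), MCPAuthToken(legacy, false))
}
```

One caveat when choosing useIDToken: an ID token is audience-bound to the client that obtained it, so forwarding it as the bearer credential only works with a downstream that explicitly accepts that audience; an access token is the credential most resource servers expect.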
Types ¶
type Config ¶
type Config struct {
Enabled bool `yaml:"enabled" json:"enabled"`
CookieName string `yaml:"cookieName" json:"cookieName"`
SessionTTLHours int `yaml:"sessionTTLHours,omitempty" json:"sessionTTLHours,omitempty"` // cookie/session lifetime; default 168h (7 days)
DefaultUsername string `yaml:"defaultUsername" json:"defaultUsername"`
IpHashKey string `yaml:"ipHashKey" json:"ipHashKey"`
TrustedProxies []string `yaml:"trustedProxies" json:"trustedProxies"`
RedirectPath string `yaml:"redirectPath" json:"redirectPath"`
// New unified model
OAuth *OAuth `yaml:"oauth" json:"oauth"`
Local *Local `yaml:"local" json:"local"`
JWT *JWT `yaml:"jwt" json:"jwt,omitempty"`
}
Config defines global authentication settings. Modes:
- local : username-only with HttpOnly session cookie
- bff : backend-for-frontend OAuth (PKCE) setting HttpOnly cookie
- oidc : frontend obtains tokens and calls APIs with Bearer; server validates
- mixed : accept both Bearer and cookie
- jwt : private/public key JWT — server signs tokens and verifies with RSA/HMAC
func (*Config) IsBearerAccepted ¶
IsBearerAccepted returns true when a Bearer token is an acceptable auth credential given the current configuration.
func (*Config) IsCookieAccepted ¶
IsCookieAccepted returns true when a session cookie is an acceptable auth credential given the current configuration.
func (*Config) IsJWTAuth ¶
IsJWTAuth returns true when auth is enabled and JWT (private/public key) mode is the active auth mechanism.
func (*Config) IsLocalAuth ¶
IsLocalAuth returns true when auth is enabled and the effective mode is local-only (i.e. cookie-based session, no OAuth mode configured).
type JWT ¶
type JWT struct {
Enabled bool `yaml:"enabled" json:"enabled"`
// RSA holds one or more scy resource URLs pointing to RSA public keys (PEM).
// Example: "/path/to/public.pem" or "scy://secret/public_key|blowfish://default"
RSA []string `yaml:"rsa,omitempty" json:"rsa,omitempty"`
// HMAC is a scy resource URL pointing to the HMAC shared secret.
HMAC string `yaml:"hmac,omitempty" json:"hmac,omitempty"`
// CertURL is a JWKS endpoint URL for key discovery (alternative to RSA/HMAC).
CertURL string `yaml:"certURL,omitempty" json:"certURL,omitempty"`
// RSAPrivateKey is a scy resource URL pointing to the RSA private key for signing.
// Only needed when the server itself signs tokens (e.g. for local JWT issuance).
RSAPrivateKey string `yaml:"rsaPrivateKey,omitempty" json:"rsaPrivateKey,omitempty"`
}
JWT configures private/public key JWT authentication. When enabled, Bearer tokens are cryptographically verified using the configured RSA public keys or HMAC secret (via scy/auth/jwt/verifier).
type OAuth ¶
type OAuth struct {
Mode string `yaml:"mode" json:"mode"` // bearer|spa|bff|mixed
Name string `yaml:"name" json:"name"`
Label string `yaml:"label" json:"label"`
Client *OAuthClient `yaml:"client" json:"client"`
}
New unified structures
type OAuthClient ¶
type OAuthClient struct {
ConfigURL string `yaml:"configURL" json:"configURL"` // for bff
DiscoveryURL string `yaml:"discoveryURL" json:"discoveryURL"` // for spa/bearer
JWKSURL string `yaml:"jwksURL" json:"jwksURL"` // for bearer verifier
RedirectURI string `yaml:"redirectURI" json:"redirectURI"`
ClientID string `yaml:"clientID" json:"clientID"`
Scopes []string `yaml:"scopes" json:"scopes"`
Issuer string `yaml:"issuer" json:"issuer"` // optional expected iss claim
Audiences []string `yaml:"audiences" json:"audiences"` // optional expected aud claim(s)
}
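The JWT section says Bearer tokens are verified against the configured RSA public keys (or HMAC secret) and OAuthClient carries optional expected iss and aud values. The following stand-alone Go example (added here; it is not scy/auth/jwt/verifier or any code of this project) shows what that verification has to do and the check that matters most: the accepted alg is fixed by the configured key type and never read from the token header, because a verifier that honours the header's alg accepts "none", or an HS256 token MACed with the RSA public key, as valid. It covers the RSA path only (several public keys, as JWT.RSA allows, so rotation works); the HMAC path and any key-loading from scy resource URLs are left out, and the aud claim is modelled as a single string, all of which are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
	"time"
)

// Claims holds the registered claims checked below; aud is modelled as a
// single string (assumption: the JWT spec also allows an array).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Sign issues an RS256 compact JWS: the server's role when it holds the
// signing key (JWT.RSAPrivateKey in the documented config).
func Sign(claims Claims, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the verifier's side, given the configured public keys (JWT.RSA
// lists one or more, which is what makes key rotation possible). The accepted
// alg is fixed by the key type and never read from the token: honouring the
// header's alg would let "none", or an HS256 token MACed with the public key,
// through. After the signature it checks exp, then the optional expected
// issuer and audiences (OAuthClient.Issuer / OAuthClient.Audiences).
func Verify(token string, pubs []*rsa.PublicKey, issuer string, audiences []string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr map[string]any
	var c Claims
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || decodePart(parts[1], &c) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr["alg"] != "RS256" {
		return nil, errors.New("alg not allowed for RSA keys")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !slices.ContainsFunc(pubs, func(pub *rsa.PublicKey) bool {
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
	}) {
		return nil, errors.New("bad signature")
	}
	// Claims were parsed above but are only trusted from this point on.
	switch {
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case issuer != "" && c.Iss != issuer:
		return nil, errors.New("unexpected issuer")
	case len(audiences) > 0 && !slices.Contains(audiences, c.Aud):
		return nil, errors.New("unexpected audience")
	}
	return &c, nil
}

// decodePart base64url-decodes one JWS segment and parses it as JSON.
func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}
```

Leaving Issuer and Audiences empty disables those two checks, as their "optional" doc comments imply; for a server that fronts more than one client or provider, set Audiences, since a signature check alone accepts any token the issuer ever minted, including ones meant for a different API.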