Documentation
¶
Index ¶
- func ContextWithAuthToken(ctx context.Context, token string) context.Context
- func NewAuthRoundTripper(jar http.CookieJar, base http.RoundTripper, rejectTTL time.Duration) (*authtransport.RoundTripper, error)
- func NewAuthRoundTripperWithPrompt(jar http.CookieJar, base http.RoundTripper, rejectTTL time.Duration, ...) (*authtransport.RoundTripper, error)
- func NewClientWithAuthInterceptor(client *mcpclient.Client, rt *authtransport.RoundTripper) *mcpclient.Client
- func NewOOBRoundTripper(inner http.RoundTripper, prompt OAuthPrompt) http.RoundTripper
- func OpenSSEWithAuth(ctx context.Context, open SSEOpenFunc, ...) (io.ReadCloser, *http.Response, error)
- func RunWithAuthReconnect(ctx context.Context, tokenFn func(context.Context) (string, time.Time, error), ...) error
- func SSEOpenHTTP(ctx context.Context, hc *http.Client, url string, token string, ...) (io.ReadCloser, *http.Response, error)
- func SubscribeWithAuth(ctx context.Context, client *mcpclient.Client, ...) (*schema.SubscribeResult, error)
- func TokenFnFromResolver(r *resolver.Resolver, key tokens.Key) func(context.Context) (string, time.Time, error)
- func WithTokenOption(token string) mcpclient.RequestOption
- type BootstrapConfig
- type McpOOBElicitationPrompt
- type OAuthMeta
- type OAuthPrompt
- type OSBrowserPrompt
- type ProviderClient
- type SSEOpenFunc
- type SubscribeRunner
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ContextWithAuthToken ¶
ContextWithAuthToken returns a context that carries a bearer token for the auth RoundTripper.
func NewAuthRoundTripper ¶
func NewAuthRoundTripper(jar http.CookieJar, base http.RoundTripper, rejectTTL time.Duration) (*authtransport.RoundTripper, error)
NewAuthRoundTripper builds an auth RoundTripper configured for BFF exchange and cookie reuse. Pass a shared cookie jar tied to the app's BFF authority. Optionally override base transport.
func NewAuthRoundTripperWithPrompt ¶
func NewAuthRoundTripperWithPrompt(jar http.CookieJar, base http.RoundTripper, rejectTTL time.Duration, prompt OAuthPrompt) (*authtransport.RoundTripper, error)
NewAuthRoundTripperWithPrompt wraps the provided base transport with an OOB prompt trigger and builds the auth RoundTripper on top. When the resource responds 401 with an authorization_uri, the prompt is invoked (non-blocking), and the original response is returned to the caller.
func NewClientWithAuthInterceptor ¶
func NewClientWithAuthInterceptor(client *mcpclient.Client, rt *authtransport.RoundTripper) *mcpclient.Client
NewClientWithAuthInterceptor attaches an Authorizer that auto-retries once on 401. Provide a pre-built transport.Transport when constructing the MCP client elsewhere; this helper only binds the interceptor to the MCP client.
func NewOOBRoundTripper ¶
func NewOOBRoundTripper(inner http.RoundTripper, prompt OAuthPrompt) http.RoundTripper
NewOOBRoundTripper wraps inner with an out-of-band prompt trigger.
func OpenSSEWithAuth ¶
func OpenSSEWithAuth(ctx context.Context, open SSEOpenFunc, tokenFn func(context.Context) (string, time.Time, error)) (io.ReadCloser, *http.Response, error)
OpenSSEWithAuth opens an SSE stream with bearer-first auth, and performs a single re-open on auth-related failures using a freshly obtained token. The provided open function should create a new HTTP request using the bearer token.
func RunWithAuthReconnect ¶
func RunWithAuthReconnect(ctx context.Context, tokenFn func(context.Context) (string, time.Time, error), reconnect func(context.Context) error, runner SubscribeRunner) error
RunWithAuthReconnect runs a streaming subscription with bearer-first auth and performs a single reconnect attempt using a fresh token when the first error is received from the runner. The reconnect callback should rebuild any underlying transports, if necessary.
func SSEOpenHTTP ¶
func SSEOpenHTTP(ctx context.Context, hc *http.Client, url string, token string, headers map[string]string) (io.ReadCloser, *http.Response, error)
SSEOpenHTTP opens an SSE stream with the provided http.Client (whose Transport should be an auth RoundTripper). It sets the Authorization header and standard SSE headers.
func SubscribeWithAuth ¶
func SubscribeWithAuth(ctx context.Context, client *mcpclient.Client, params *schema.SubscribeRequestParams, tokenFn func(context.Context) (string, time.Time, error)) (*schema.SubscribeResult, error)
SubscribeWithAuth performs a streamable subscription with bearer-first auth. It acquires a token via tokenFn, attaches it using WithAuthToken, and calls the client's Subscribe. The caller should configure the MCP client with an auth Authorizer + RoundTripper so a 401 at handshake triggers a single automatic retry.
func TokenFnFromResolver ¶
func TokenFnFromResolver(r *resolver.Resolver, key tokens.Key) func(context.Context) (string, time.Time, error)
TokenFnFromResolver adapts a Resolver + Key into a token function usable by streaming helpers. It returns the access token and its expiry.
func WithTokenOption ¶
func WithTokenOption(token string) mcpclient.RequestOption
WithTokenOption returns a request option that injects the bearer token for the MCP request.
Types ¶
type BootstrapConfig ¶
type BootstrapConfig struct {
// Identity and transport
Name string
Version string
Transport transport.Transport // required: underlying MCP transport already connected to provider
Reconnect func(context.Context) (transport.Transport, error) // optional: to rebuild transport on reconnect
// Authorities and allowlists
AppAuthority authority.AuthAuthority // app's OAuth/BFF authority
MCPAuthority authority.AuthAuthority // provider's MCP server authority
OriginAllowlist []string // MCP server origins allowed to receive Authorization
AudienceAllowlist []string // allowed audiences for tokens
AllowInsecure bool // if true, allow auth over http (not recommended)
// If true (default), fail bootstrap when AppAuthority and MCPAuthority do not match.
// Set to false only if you intentionally allow non-reuse scenarios handled elsewhere.
RequireSameAuthority bool
// Token acquisition
Resolver *resolver.Resolver // required: token resolver backed by BFF broker
TokenKey tokens.Key // required: identifies subject/audience under authority
// HTTP/BFF infrastructure
CookieJar http.CookieJar // shared jar for BFF authority (required for BFF exchange flows)
BaseRoundTripper http.RoundTripper // optional: base HTTP transport
RejectCacheTTL time.Duration // optional: suppress reuse of rejected ctx token
}
BootstrapConfig contains inputs to build an auth-enabled MCP client and SSE http client for a provider.
type McpOOBElicitationPrompt ¶
type McpOOBElicitationPrompt struct {
Elic *elicitation.Service
Conv apiconv.Client
}
McpOOBElicitationPrompt uses Agently's elicitation service and conversation client to record an out-of-band interaction message instructing the user to open the authorization URL in a browser. It does not block for completion.
type OAuthMeta ¶
type OAuthMeta struct {
ProviderName string
Scopes []string
ConversationID string
Audience string
Origin string
Timeout time.Duration
}
OAuthMeta carries context about the OAuth interaction that the prompt may show to the user.
type OAuthPrompt ¶
type OAuthPrompt interface {
// PromptOOB presents the authorizationURL to the user (oob mode).
// Do not block for completion; simply present the URL and return
// nil, or return an error if the prompt could not be displayed.
PromptOOB(ctx context.Context, authorizationURL string, meta OAuthMeta) error
}
OAuthPrompt presents an out‑of‑band (OOB) authorization URL to the user. Implementations should return nil when the URL has been presented (e.g. MCP OOB elicitation recorded, or OS browser opened). The transport will still treat the auth as pending and the caller should retry after completion.
type OSBrowserPrompt ¶
type OSBrowserPrompt struct{}
OSBrowserPrompt opens the authorization URL in the system browser.
type ProviderClient ¶
type ProviderClient struct {
Client *mcpclient.Client
SSEClient *http.Client
TokenFn func(context.Context) (string, time.Time, error)
// Guards
SameAuthority bool
}
ProviderClient bundles an MCP client with auth interceptor, an SSE http client with auth RoundTripper, and a token function for bearer-first injection.
func Bootstrap ¶
func Bootstrap(cfg BootstrapConfig) (*ProviderClient, error)
Bootstrap builds a ProviderClient with bearer-first auth behavior for both streamable and SSE transports.
type SSEOpenFunc ¶
SSEOpenFunc opens an SSE/streaming HTTP request and returns a ReadCloser for the event stream. The function implementation should honor the Authorization header present on the request context (via ContextWithAuthToken) and/or an explicit header set by the caller.
type SubscribeRunner ¶
type SubscribeRunner func(ctx context.Context, token string) (stop func(), errCh <-chan error, err error)
SubscribeRunner starts a streaming subscription and returns a stop function and an error channel. Implementations should close errCh when the stream ends normally; send a non-nil error on auth/transport failures.
Source Files