meta

package
Published: Jun 9, 2025 License: Apache-2.0 Imports: 15 Imported by: 7

Documentation

Overview

Package meta contains Go representations of standard OAuth 2.0 / OpenID Connect discovery documents such as *Authorization Server Metadata* (RFC 8414), *Protected Resource Metadata* and *JSON Web Key Sets* (JWKS).

The helpers exposed by the package make it straightforward to fetch and parse those metadata documents as part of an MCP server or client – for instance to discover token endpoints, download signing keys or advertise public-facing capabilities. All fetch helpers perform network I/O through the *http.Client you pass in, so supply one with a timeout. Discovery documents are the root of trust for every endpoint and key that follows, so only point these helpers at HTTPS issuer / resource URLs you already trust, and validate the returned issuer / resource against what you asked for before acting on the document.

Index


Functions

func FetchJSONWebKeySet

func FetchJSONWebKeySet(ctx context.Context, jwksURL string, client *http.Client) (map[string]crypto.PublicKey, error)

FetchJSONWebKeySet downloads a JWKS from jwksURL using client and returns a map kid → crypto.PublicKey. Supports RSA, EC (P-256 / P-384 / P-521) and OKP (Ed25519) keys. Two caveats for verifiers: the result is keyed by kid alone, so keys that lack a kid or share one cannot be told apart (how such entries are handled is not shown here — confirm against the implementation); and the crypto.PublicKey return type carries none of the JWK's alg / use / key_ops metadata, so the caller must pin an allow-list of accepted signature algorithms itself rather than trusting a token header's alg.

Types

type AuthorizationServerMetadata

type AuthorizationServerMetadata struct {
	// REQUIRED (RFC 8414 §2). Issuer is always required; the endpoints
	// below are required unless no supported grant type needs them, which
	// is why their tags carry omitempty. Consumers should check that the
	// Issuer of a fetched document equals the issuer they requested
	// (RFC 8414 §3.3) before trusting any endpoint it advertises.
	Issuer                string `json:"issuer"` // Base URL; per RFC 8414 §2 an https URL with no query or fragment
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
	TokenEndpoint         string `json:"token_endpoint,omitempty"`
	JSONWebKeySetURI      string `json:"jwks_uri,omitempty"` // OPTIONAL in RFC 8414; the URL to hand to FetchJSONWebKeySet

	// RECOMMENDED (RFC 8414 §2)
	RegistrationEndpoint string   `json:"registration_endpoint,omitempty"` // RFC 7591 dynamic client registration
	ScopesSupported      []string `json:"scopes_supported,omitempty"`

	// Common OPTIONAL sets. Note that response_types_supported is
	// REQUIRED by RFC 8414 §2 but tagged omitempty here, so an absent
	// member decodes to a nil slice rather than an error.
	ResponseTypesSupported                     []string `json:"response_types_supported,omitempty"`
	ResponseModesSupported                     []string `json:"response_modes_supported,omitempty"`
	GrantTypesSupported                        []string `json:"grant_types_supported,omitempty"`
	CodeChallengeMethodsSupported              []string `json:"code_challenge_methods_supported,omitempty"` // PKCE (RFC 7636); "S256" is the one clients should require
	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported,omitempty"` // e.g. "client_secret_basic", "private_key_jwt", "none"
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	// RFC 8414 §2 – UI / policy pages
	ServiceDocumentation string   `json:"service_documentation,omitempty"`
	UILocalesSupported   []string `json:"ui_locales_supported,omitempty"`
	OPPolicyURI          string   `json:"op_policy_uri,omitempty"`
	OPTosURI             string   `json:"op_tos_uri,omitempty"`

	// RFC 8414 §2 – Revocation & Introspection (RFC 7009 / RFC 7662)
	RevocationEndpoint                        string   `json:"revocation_endpoint,omitempty"`
	RevocationEndpointAuthMethodsSupported    []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
	RevocationEndpointAuthSigningAlgValues    []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
	IntrospectionEndpoint                     string   `json:"introspection_endpoint,omitempty"`
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
	IntrospectionEndpointAuthSigningAlgValues []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	// JAR, PAR, Device Code, CIBA, etc. (registered extensions)
	PushedAuthorizationRequestEndpoint string   `json:"pushed_authorization_request_endpoint,omitempty"` // RFC 9126
	RequirePushedAuthorizationRequests bool     `json:"require_pushed_authorization_requests,omitempty"` // RFC 9126; when true the AS rejects non-PAR authorization requests
	RequestObjectSigningAlgsSupported  []string `json:"request_object_signing_alg_values_supported,omitempty"` // JAR (RFC 9101)
	DeviceAuthorizationEndpoint        string   `json:"device_authorization_endpoint,omitempty"` // RFC 8628
	BackchannelAuthenticationEndpoint  string   `json:"backchannel_authentication_endpoint,omitempty"` // CIBA
	BackchannelTokenDeliveryModes      []string `json:"backchannel_token_delivery_modes_supported,omitempty"`
	BackchannelAuthRequestSigningAlgs  []string `json:"backchannel_authentication_request_signing_alg_values_supported,omitempty"`
	BackchannelUserCodeParameter       bool     `json:"backchannel_user_code_parameter_supported,omitempty"`

	// OpenID Connect (if the AS is also an OIDC OP); absent for a pure OAuth AS
	IDTokenSigningAlgsSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`

	// Catch-all for undeclared / future metadata. Tagged "-", so plain
	// encoding/json neither reads nor writes it.
	// NOTE(review): unlike JSONWebKey, no custom (un)marshaler for this
	// type is visible here — confirm one exists before relying on Extra
	// being populated or round-tripped.
	Extra map[string]any `json:"-"`
}

AuthorizationServerMetadata models the JSON object defined in RFC 8414 (OAuth 2.0 Authorization Server Metadata).

func FetchAuthorizationServerMetadata

func FetchAuthorizationServerMetadata(ctx context.Context, issuer string, client *http.Client) (*AuthorizationServerMetadata, error)

FetchAuthorizationServerMetadata fetches the Authorization Server Metadata document (RFC 8414) for the given issuer identifier using client and decodes it into an AuthorizationServerMetadata. Before using any endpoint from the result, callers should confirm that the returned Issuer equals the issuer they requested (RFC 8414 §3.3); that check is what stops a substituted or mis-hosted document from redirecting tokens to another server's endpoints. Whether this function performs the issuer comparison itself is not shown here — verify against the implementation rather than assuming it.

type JSONWebKey

type JSONWebKey struct {
	// REQUIRED (RFC 7517 §4.1)
	Kty string `json:"kty"` // Key Type ("RSA", "EC", "oct", "OKP" …)

	// Public-key use or permitted operations (RFC 7517 §4.2 / §4.3).
	// Verifiers should honour these: a key with Use "enc", or whose
	// KeyOps lacks "verify", should not be used to check signatures.
	Use    string   `json:"use,omitempty"`     // "sig"|"enc"
	KeyOps []string `json:"key_ops,omitempty"` // ["sign","verify", …]

	// Alg is a hint only (RFC 7517 §4.4). Never let it — or a token
	// header's alg — choose the verification algorithm; pin an allow-list.
	Alg string `json:"alg,omitempty"` // Algorithm (e.g. "RS256")
	Kid string `json:"kid,omitempty"` // Key ID (hint for key selection); FetchJSONWebKeySet keys its result map by this value

	// ----- RSA fields (kty == "RSA") -----
	N string `json:"n,omitempty"` // Modulus   (base64url-encoded, unsigned big-endian)
	E string `json:"e,omitempty"` // Exponent  (base64url-encoded)

	// ----- EC fields (kty == "EC") -----
	// OKP keys (kty == "OKP", e.g. Ed25519; RFC 8037) also carry crv and x
	// but have no y.
	Crv string `json:"crv,omitempty"` // Curve  ("P-256", "secp256k1", …); FetchJSONWebKeySet accepts only P-256/P-384/P-521 and Ed25519
	X   string `json:"x,omitempty"`   // X coordinate (base64url)
	Y   string `json:"y,omitempty"`   // Y coordinate (base64url)

	// ----- Symmetric / octet fields (kty == "oct") -----
	// This is private key material and must never appear in a published
	// JWKS. Not produced by FetchJSONWebKeySet, which returns RSA/EC/OKP only.
	K string `json:"k,omitempty"` // Key material (base64url)

	// ----- X.509 certificate chain / thumbprints (RFC 7517 §4.6–§4.9) -----
	X5u     string   `json:"x5u,omitempty"`      // URL for cert set; dereferencing it means fetching an attacker-influenceable URL (SSRF) — only follow for trusted issuers
	X5c     []string `json:"x5c,omitempty"`      // Cert chain, each entry standard-base64 (not base64url) DER — not PEM
	X5t     string   `json:"x5t,omitempty"`      // base64url SHA-1 thumbprint of the leaf certificate's DER
	X5tS256 string   `json:"x5t#S256,omitempty"` // base64url SHA-256 thumbprint of the leaf certificate's DER

	// Catch-all for any future / private parameters; populated and
	// written back by this type's UnmarshalJSON / MarshalJSON.
	Extra map[string]any `json:"-"`
}

JSONWebKey represents one JSON Web Key.

Supported key types (kty):

  • "RSA" – modulus N, exponent E
  • "EC" – curve crv, coordinates x & y
  • "OKP" – curve crv (e.g. Ed25519) and public key x (RFC 8037); this is the form FetchJSONWebKeySet accepts for Ed25519
  • "oct" – symmetric key material k (private; should never appear in a published JWKS)

All common metadata fields are included; unknown members round-trip via Extra. The struct is a container, not a validator: code that uses a key for signature verification should check `use` / `key_ops` and pin an algorithm allow-list rather than trusting the `alg` hint.

func (JSONWebKey) MarshalJSON

func (j JSONWebKey) MarshalJSON() ([]byte, error)

MarshalJSON writes Extra back out.

func (*JSONWebKey) UnmarshalJSON

func (j *JSONWebKey) UnmarshalJSON(data []byte) error

UnmarshalJSON custom unmarshal to preserve unknown members in Extra.

type JSONWebKeySet

type JSONWebKeySet struct {
	// Keys holds the set's members (RFC 7517 §5.1). Order carries no
	// meaning. kid values are expected to be unique within a set, but
	// nothing in this type enforces that; FetchJSONWebKeySet keys its
	// result map by kid, so duplicates or missing kids collide there.
	Keys []JSONWebKey `json:"keys"`
}

JSONWebKeySet represents a set of JSON Web Keys.

type ProtectedResourceMetadata

type ProtectedResourceMetadata struct {
	// REQUIRED (RFC 9728 §2). The resource identifier. A client should
	// check it equals the resource it is about to call (RFC 9728 §3.3)
	// before trusting the rest of the document, and use it as the token
	// audience so a token minted for one resource cannot be replayed
	// against another.
	Resource string `json:"resource"`

	// OPTIONAL (but very common)
	AuthorizationServers              []string       `json:"authorization_servers,omitempty"` // Issuer identifiers; each is the input to FetchAuthorizationServerMetadata. Use only servers on this list for this resource.
	JSONWebKeySetURI                  string         `json:"jwks_uri,omitempty"` // The resource's own keys, not the authorization server's
	JSONWebKeySet                     *JSONWebKeySet `json:"jwks,omitempty"` // embedded JSONWebKey Set; a document is not expected to carry both jwks and jwks_uri
	ScopesSupported                   []string       `json:"scopes_supported,omitempty"`
	BearerMethodsSupported            []string       `json:"bearer_methods_supported,omitempty"` // "header" | "body" | "query" (RFC 6750); "query" leaks tokens into logs and referrers
	ResourceSigningAlgValuesSupported []string       `json:"resource_signing_alg_values_supported,omitempty"` // JWS algs the resource uses to sign its responses — not the access-token algs

	// Human-readable & docs (all OPTIONAL / i18n-capable)
	ResourceName          string `json:"resource_name,omitempty"`
	ResourceDocumentation string `json:"resource_documentation,omitempty"`
	ResourcePolicyURI     string `json:"resource_policy_uri,omitempty"`
	ResourceTOSURI        string `json:"resource_tos_uri,omitempty"`

	// MTLS / Authz-Details / DPoP (OPTIONAL feature flags)
	TLSClientCertificateBoundAccessTokens bool     `json:"tls_client_certificate_bound_access_tokens,omitempty"` // RFC 8705
	AuthorizationDetailsTypesSupported    []string `json:"authorization_details_types_supported,omitempty"` // RFC 9396
	DPOPSigningAlgValuesSupported         []string `json:"dpop_signing_alg_values_supported,omitempty"` // RFC 9449
	DPOPBoundAccessTokensRequired         bool     `json:"dpop_bound_access_tokens_required,omitempty"` // RFC 9449; when true the resource rejects plain bearer tokens

	// Catch-all for any future or proprietary fields. Tagged "-", so plain
	// encoding/json neither reads nor writes it.
	// NOTE(review): no custom (un)marshaler for this type is visible here —
	// confirm one exists before relying on Extra being round-tripped.
	Extra map[string]any `json:"-"`
}

ProtectedResourceMetadata represents the full JSON object defined in RFC 9728 §2 “OAuth 2.0 Protected Resource Metadata”.

Notes

  • Only the “resource” member is REQUIRED by the RFC; everything else is OPTIONAL.
  • `omitempty` keeps absent OPTIONAL members out of the marshalled JSON.
  • `JSONWebKeySet` (the `jwks` member) is decoded into a `*JSONWebKeySet` from this package rather than kept as raw bytes; if you prefer another JWK library (e.g. go-jose/v4), re-marshal the value and decode it there. Use `JSONWebKeySetURI` (`jwks_uri`) when the keys are published at a URL instead. `jwks_uri` and `jwks` MUST NOT both be present in the same document.
  • `Extra` captures extension parameters so your code continues to round-trip unknown future fields.

func FetchProtectedResourceMetadata

func FetchProtectedResourceMetadata(ctx context.Context, metadataURL string, client *http.Client) (*ProtectedResourceMetadata, error)

FetchProtectedResourceMetadata fetches the protected resource metadata document (RFC 9728) from metadataURL using client and decodes it into a ProtectedResourceMetadata. metadataURL is typically taken from a WWW-Authenticate `resource_metadata` parameter or derived from the resource's well-known path; because a 401 challenge is attacker-influenceable, callers should confirm that the returned Resource matches the resource they are actually talking to (RFC 9728 §3.3) before trusting AuthorizationServers. Whether this function performs that comparison itself is not shown here.
