Documentation
Overview
Package auth exposes helpers that make it easy to protect an MCP server with OAuth2/OIDC.
It offers two complementary approaches:
- A strict global middleware (`AuthServer`) that validates bearer tokens for every request except explicitly excluded URIs.
- A fallback wrapper (`FallbackAuth`) that automatically tries to obtain the required token from a configurable token source and retries the protected request on behalf of the caller.
The package also contains support code for the experimental fine-grained per-JSON-RPC authorization mode.
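The strict approach described in the overview, sketched as a stand-alone `net/http` middleware. This is an added example, not this package's code: `StrictBearer`, `Demo`, `Status`, the `verify` hook, the `/healthz` and `/mcp` paths and the token value are all hypothetical or constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// StrictBearer rejects every request without a valid bearer token, except
// exact-match paths in excluded. verify is a hypothetical hook; a real one
// checks signature, issuer, audience and expiry.
func StrictBearer(verify func(token string) bool, excluded []string, next http.Handler) http.Handler {
	skip := make(map[string]bool, len(excluded))
	for _, p := range excluded {
		skip[p] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !skip[r.URL.Path] { // exact match only: no prefix or "../" bypass
			scheme, token, ok := strings.Cut(r.Header.Get("Authorization"), " ")
			if !ok || !strings.EqualFold(scheme, "Bearer") || !verify(strings.TrimSpace(token)) {
				w.Header().Set("WWW-Authenticate", "Bearer")
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Demo wires the middleware around a trivial handler using constructed values.
func Demo() http.Handler {
	verify := func(tok string) bool { return tok == "constructed-valid-token" }
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	return StrictBearer(verify, []string{"/healthz"}, ok)
}

// Status sends one constructed request through h and returns the status code.
func Status(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := Demo()
	fmt.Println(Status(h, "/mcp", ""), Status(h, "/mcp", "Bearer constructed-valid-token"), Status(h, "/healthz", ""))
}
```

The exclusion list is matched against the raw request path, so a request such as `/healthz/../mcp` is still challenged rather than treated as excluded.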
Index
- func SetDefaultBFFAuthCookieName(name string)
- func SetDefaultBFFAuthStore(store streamauth.Store)
- type BackendForFrontend
- type Config
- type FallbackAuth
- type JRPCAuthorizer
- type Service
- func (s *Service) EnsureAuthorized(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
- func (s *Service) Middleware(next http.Handler) http.Handler
- func (s *Service) ProtectedResourcesHandler(w http.ResponseWriter, request *http.Request)
- func (s *Service) RegisterHandlers(mux *http.ServeMux)
- type Verifier
Functions
func SetDefaultBFFAuthCookieName (added in v0.8.0)
func SetDefaultBFFAuthCookieName(name string)
SetDefaultBFFAuthCookieName sets the default cookie name for the BFF auth session id.
func SetDefaultBFFAuthStore (added in v0.8.0)
func SetDefaultBFFAuthStore(store streamauth.Store)
SetDefaultBFFAuthStore sets the shared auth grant store used by the auth middleware to mint or touch BFF auth cookies. Typically provided by the jsonrpc transport setup.
Types
type BackendForFrontend (added in v0.2.5)
type BackendForFrontend struct {
	Client                      *oauth2.Config
	RedirectURI                 string
	AuthorizationExchangeHeader string
}
BackendForFrontend is used to support the backend-to-frontend flow.
type Config (added in v0.2.5)
type Config struct {
	Policy             *authorization.Policy
	BackendForFrontend *BackendForFrontend
	MediationMode      string // HTTP, JSONRPC
}
Config is used to configure the auth server.
func (*Config) IsJSONRPCMediationMode (added in v0.2.5)
type FallbackAuth
type FallbackAuth struct {
	Strict        *Service
	TokenSource   authorization.ProtectedResourceTokenSource
	IdTokenSource authorization.IdTokenSource
}
FallbackAuth is a fallback authorization interceptor.
func NewFallbackAuth
func NewFallbackAuth(authServer *Service, tokenSource authorization.ProtectedResourceTokenSource, idTokenSource authorization.IdTokenSource) *FallbackAuth
func (*FallbackAuth) EnsureAuthorized
func (a *FallbackAuth) EnsureAuthorized(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
func (*FallbackAuth) Token (added in v0.2.5)
func (a *FallbackAuth) Token(ctx context.Context, anAuthorization *authorization.Authorization) (*authorization.Token, error)
type JRPCAuthorizer (added in v0.2.5)
type JRPCAuthorizer func(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
JRPCAuthorizer is an interceptor function for JSON-RPC calls that returns a Token when authorization is successful or nil otherwise.
type Service (added in v0.2.5)
type Service struct {
	*Config
	RoundTripper      *transport.RoundTripper
	FallBack          *FallbackAuth
	SessionIdProvider func(r *http.Request) string
	// contains filtered or unexported fields
}
Service acts as a broker between clients and external OAuth2/OIDC providers.
func (*Service) EnsureAuthorized (added in v0.2.5)
func (s *Service) EnsureAuthorized(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
EnsureAuthorized checks if a request is authorized.
func (*Service) Middleware (added in v0.2.5)
func (s *Service) Middleware(next http.Handler) http.Handler
func (*Service) ProtectedResourcesHandler (added in v0.2.5)
func (s *Service) ProtectedResourcesHandler(w http.ResponseWriter, request *http.Request)
ProtectedResourcesHandler provides metadata about protected resources.