Documentation
¶
Overview ¶
Package auth exposes helpers that make it easy to protect an MCP server with OAuth2/OIDC.
It offers two complementary approaches:
- A strict global middleware (`AuthServer`) that validates bearer tokens for every request except explicitly excluded URIs.
- A fallback wrapper (`FallbackAuth`) that automatically tries to obtain the required token from a configurable token source and retries the protected request on behalf of the caller.
The package also contains support code for the experimental fine-grained per-JSON-RPC authorization mode.
Index ¶
- type BackendForFrontend
- type Config
- type FallbackAuth
- type JRPCAuthorizer
- type Service
- func (s *Service) EnsureAuthorized(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
- func (s *Service) Middleware(next http.Handler) http.Handler
- func (s *Service) ProtectedResourcesHandler(w http.ResponseWriter, request *http.Request)
- func (s *Service) RegisterHandlers(mux *http.ServeMux)
- type Verifier
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BackendForFrontend ¶ added in v0.2.5
type BackendForFrontend struct {
Client *oauth2.Config
RedirectURI string
AuthorizationExchangeHeader string
}
BackendForFrontend is used to support the backend-to-frontend flow
type Config ¶ added in v0.2.5
type Config struct {
Policy *authorization.Policy
BackendForFrontend *BackendForFrontend
MediationMode string //HTTP, JSONRPC
}
Config is used to configure the auth server
func (*Config) IsJSONRPCMediationMode ¶ added in v0.2.5
type FallbackAuth ¶
type FallbackAuth struct {
Strict *Service
TokenSource authorization.ProtectedResourceTokenSource
IdTokenSource authorization.IdTokenSource
}
FallbackAuth is a fallback authorization interceptor
func NewFallbackAuth ¶
func NewFallbackAuth(authServer *Service, tokenSource authorization.ProtectedResourceTokenSource, idTokenSource authorization.IdTokenSource) *FallbackAuth
func (*FallbackAuth) EnsureAuthorized ¶
func (a *FallbackAuth) EnsureAuthorized(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
func (*FallbackAuth) Token ¶ added in v0.2.5
func (a *FallbackAuth) Token(ctx context.Context, anAuthorization *authorization.Authorization) (*authorization.Token, error)
type JRPCAuthorizer ¶ added in v0.2.5
type JRPCAuthorizer func(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
JRPCAuthorizer is an interceptor function for JSON-RPC calls that returns a Token when authorization is successful or nil otherwise.
type Service ¶ added in v0.2.5
type Service struct {
*Config
RoundTripper *transport.RoundTripper
FallBack *FallbackAuth
SessionIdProvider func(r *http.Request) string
// contains filtered or unexported fields
}
Service acts as a broker between clients and external OAuth2/OIDC providers.
func (*Service) EnsureAuthorized ¶ added in v0.2.5
func (s *Service) EnsureAuthorized(ctx context.Context, request *jsonrpc.Request, response *jsonrpc.Response) (*authorization.Token, error)
EnsureAuthorized checks if a request is authorized.
func (*Service) Middleware ¶ added in v0.2.5
func (*Service) ProtectedResourcesHandler ¶ added in v0.2.5
func (s *Service) ProtectedResourcesHandler(w http.ResponseWriter, request *http.Request)
ProtectedResourcesHandler provides metadata about protected resources.
Source Files