Documentation
¶
Index ¶
- Constants
- type AuthStateStore
- type ClientStore
- type Config
- type GrantStore
- type RevocationStore
- type Server
- func (s *Server) AuthServerMeta() *oauthex.AuthServerMeta
- func (s *Server) AuthorizeHandler() http.Handler
- func (s *Server) DCRHandler() http.Handler
- func (s *Server) DiscoveryHandler() http.Handler
- func (s *Server) GitHubCallbackHandler() http.Handler
- func (s *Server) IssueJWT(sub, scope, jti string, exp time.Time) (string, error)
- func (s *Server) JWKSHandler() http.Handler
- func (s *Server) LogoutHandler() http.Handler
- func (s *Server) ProtectedResourceMeta() *oauthex.ProtectedResourceMetadata
- func (s *Server) ResourceMetadataURL() string
- func (s *Server) TokenHandler() http.Handler
- func (s *Server) VerifyJWT(ctx context.Context, tokenString string, _ *http.Request) (*auth.TokenInfo, error)
- type UserUpserter
Constants ¶
const ( DefaultRefreshTokenGracePeriod = 30 * time.Second DefaultRetiredRefreshTokenRetention = 24 * time.Hour )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthStateStore ¶ added in v0.2.0
type AuthStateStore interface {
StorePendingAuth(ctx context.Context, state string, p store.PendingAuth) error
ConsumePendingAuth(ctx context.Context, state string) (*store.PendingAuth, error)
StoreAuthCode(ctx context.Context, code string, c store.AuthCode) error
ConsumeAuthCode(ctx context.Context, code string) (*store.AuthCode, error)
}
AuthStateStore persists transient OAuth2 authorization state.
type ClientStore ¶
type ClientStore interface {
SaveClient(ctx context.Context, c store.OAuthClient) error
GetClient(ctx context.Context, clientID string) (*store.OAuthClient, error)
}
ClientStore persists client registrations from Dynamic Client Registration. store.Store satisfies this interface directly.
type Config ¶
type Config struct {
BaseURL string
GitHubClientID string
GitHubClientSecret string
Users UserUpserter // optional; nil skips user persistence
Clients ClientStore // optional; nil skips DCR persistence
Grants GrantStore // optional; nil skips grant persistence
AuthState AuthStateStore // required
Revocation RevocationStore // required
RefreshTokenGracePeriod *time.Duration // optional; nil defaults to 30s, 0 disables grace retry
RetiredRefreshTokenRetention *time.Duration // optional; nil defaults to 24h
}
Config holds construction parameters for Server.
type GrantStore ¶ added in v0.2.0
type GrantStore interface {
UpsertGrant(ctx context.Context, g store.Grant) error
GetGrant(ctx context.Context, jti string) (*store.Grant, error)
GetGrantByRefreshToken(ctx context.Context, token string) (*store.Grant, error)
GetRetiredRefreshToken(ctx context.Context, tokenHash []byte) (*store.RetiredRefreshToken, error)
RotateGrant(ctx context.Context, oldToken, oldJTI string, oldJWTExpiry time.Time, g store.Grant, retired *store.RetiredRefreshToken) (*store.Grant, error)
DeleteGrant(ctx context.Context, jti string, retired *store.RetiredRefreshToken) error
}
GrantStore persists authorization grants with associated GitHub App tokens. RotateGrant atomically swaps the grant row and records the old jti as revoked, so a failure of either step leaves both tokens valid (current state) rather than the new token live and the old one un-revoked.
type RevocationStore ¶ added in v0.2.0
type RevocationStore interface {
RevokeToken(ctx context.Context, jti string, expiresAt time.Time) error
IsTokenRevoked(ctx context.Context, jti string) (bool, error)
}
RevocationStore persists revoked JWT IDs.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is the OAuth2/OIDC authorization server for the MCP endpoint.
func (*Server) AuthServerMeta ¶
func (s *Server) AuthServerMeta() *oauthex.AuthServerMeta
AuthServerMeta returns the pre-built OAuth2 authorization server metadata.
func (*Server) AuthorizeHandler ¶
func (*Server) DCRHandler ¶
DCRHandler returns an HTTP handler for Dynamic Client Registration (RFC 7591).
func (*Server) DiscoveryHandler ¶
DiscoveryHandler serves the OAuth2 authorization server metadata document.
func (*Server) GitHubCallbackHandler ¶
func (*Server) IssueJWT ¶
IssueJWT signs and returns a new ES384 JWT for the given subject, scope, JWT ID and expiration. The caller owns expiration so the value matches what's recorded in the grant row and the revoked_tokens entry.
func (*Server) JWKSHandler ¶
JWKSHandler serves the public key set for token verification by clients.
func (*Server) LogoutHandler ¶
LogoutHandler handles POST /auth/logout. It verifies the bearer token, extracts the jti and exp claims, and revokes the token.
func (*Server) ProtectedResourceMeta ¶
func (s *Server) ProtectedResourceMeta() *oauthex.ProtectedResourceMetadata
ProtectedResourceMeta returns the pre-built OAuth2 protected resource metadata.
func (*Server) ResourceMetadataURL ¶
ResourceMetadataURL returns the URL of the protected resource metadata endpoint.