oidc

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 8, 2026 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultRefreshTokenGracePeriod      = 30 * time.Second
	DefaultRetiredRefreshTokenRetention = 24 * time.Hour
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthStateStore added in v0.2.0

type AuthStateStore interface {
	StorePendingAuth(ctx context.Context, state string, p store.PendingAuth) error
	ConsumePendingAuth(ctx context.Context, state string) (*store.PendingAuth, error)
	StoreAuthCode(ctx context.Context, code string, c store.AuthCode) error
	ConsumeAuthCode(ctx context.Context, code string) (*store.AuthCode, error)
}

AuthStateStore persists transient OAuth2 authorization state.

type ClientStore

type ClientStore interface {
	SaveClient(ctx context.Context, c store.OAuthClient) error
	GetClient(ctx context.Context, clientID string) (*store.OAuthClient, error)
}

ClientStore persists client registrations from Dynamic Client Registration. store.Store satisfies this interface directly.

type Config

type Config struct {
	BaseURL                      string
	GitHubClientID               string
	GitHubClientSecret           string
	Users                        UserUpserter    // optional; nil skips user persistence
	Clients                      ClientStore     // optional; nil skips DCR persistence
	Grants                       GrantStore      // optional; nil skips grant persistence
	AuthState                    AuthStateStore  // required
	Revocation                   RevocationStore // required
	RefreshTokenGracePeriod      *time.Duration  // optional; nil defaults to 30s, 0 disables grace retry
	RetiredRefreshTokenRetention *time.Duration  // optional; nil defaults to 24h
}

Config holds construction parameters for Server.

type GrantStore added in v0.2.0

type GrantStore interface {
	UpsertGrant(ctx context.Context, g store.Grant) error
	GetGrant(ctx context.Context, jti string) (*store.Grant, error)
	GetGrantByRefreshToken(ctx context.Context, token string) (*store.Grant, error)
	GetRetiredRefreshToken(ctx context.Context, tokenHash []byte) (*store.RetiredRefreshToken, error)
	RotateGrant(ctx context.Context, oldToken, oldJTI string, oldJWTExpiry time.Time, g store.Grant, retired *store.RetiredRefreshToken) (*store.Grant, error)
	DeleteGrant(ctx context.Context, jti string, retired *store.RetiredRefreshToken) error
}

GrantStore persists authorization grants with associated GitHub App tokens. RotateGrant atomically swaps the grant row and records the old jti as revoked, so a failure of either step leaves both tokens valid (current state) rather than the new token live and the old one un-revoked.

type RevocationStore added in v0.2.0

type RevocationStore interface {
	RevokeToken(ctx context.Context, jti string, expiresAt time.Time) error
	IsTokenRevoked(ctx context.Context, jti string) (bool, error)
}

RevocationStore persists revoked JWT IDs.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the OAuth2/OIDC authorization server for the MCP endpoint.

func NewServer

func NewServer(cfg Config, privkey jwk.Key) (*Server, error)

NewServer constructs an OIDC Server from config and a loaded private key.

func (*Server) AuthServerMeta

func (s *Server) AuthServerMeta() *oauthex.AuthServerMeta

AuthServerMeta returns the pre-built OAuth2 authorization server metadata.

func (*Server) AuthorizeHandler

func (s *Server) AuthorizeHandler() http.Handler

func (*Server) DCRHandler

func (s *Server) DCRHandler() http.Handler

DCRHandler returns an HTTP handler for Dynamic Client Registration (RFC 7591).

func (*Server) DiscoveryHandler

func (s *Server) DiscoveryHandler() http.Handler

DiscoveryHandler serves the OAuth2 authorization server metadata document.

func (*Server) GitHubCallbackHandler

func (s *Server) GitHubCallbackHandler() http.Handler

func (*Server) IssueJWT

func (s *Server) IssueJWT(sub, scope, jti string, exp time.Time) (string, error)

IssueJWT signs and returns a new ES384 JWT for the given subject, scope, JWT ID and expiration. The caller owns expiration so the value matches what's recorded in the grant row and the revoked_tokens entry.

func (*Server) JWKSHandler

func (s *Server) JWKSHandler() http.Handler

JWKSHandler serves the public key set for token verification by clients.

func (*Server) LogoutHandler

func (s *Server) LogoutHandler() http.Handler

LogoutHandler handles POST /auth/logout. It verifies the bearer token, extracts the jti and exp claims, and revokes the token.

func (*Server) ProtectedResourceMeta

func (s *Server) ProtectedResourceMeta() *oauthex.ProtectedResourceMetadata

ProtectedResourceMeta returns the pre-built OAuth2 protected resource metadata.

func (*Server) ResourceMetadataURL

func (s *Server) ResourceMetadataURL() string

ResourceMetadataURL returns the URL of the protected resource metadata endpoint.

func (*Server) TokenHandler

func (s *Server) TokenHandler() http.Handler

func (*Server) VerifyJWT

func (s *Server) VerifyJWT(ctx context.Context, tokenString string, _ *http.Request) (*auth.TokenInfo, error)

VerifyJWT validates a bearer token and returns auth info.

type UserUpserter

type UserUpserter interface {
	UpsertUser(ctx context.Context, githubID int64, email, login string) (*store.User, error)
}

UserUpserter persists user identity on successful GitHub login. Implemented by store.Store via *postgres.Store.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL