oauth

package
v0.4.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 28, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package oauth resolves OAuth credentials for the relay's secret layer. The stored secret is an OAuth token blob (access + refresh + expiry, the sdk/oauth.Token wire shape) held as AES-GCM ciphertext in the same secret_values table as KindStored. Resolve returns the access token, transparently refreshing via the refresh token when it has expired and re-persisting the (often rotated) blob.

It is deliberately off the hot path: resolution happens at snapshot load and during KeyAgent heal after an upstream 401, never per request. Concurrent resolves of the same credential single-flight to one refresh.

Layering: imports sdk/oauth (the flow machinery) + pkg/secret (the Ref/Vault contract). It never imports app/ — the provider config is injected as a plain lookup func by the composition root, which reads the live oauth:<provider> settings section.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ProviderConfigFunc

type ProviderConfigFunc func(provider string) (sdkoauth.ProviderConfig, bool)

ProviderConfigFunc returns the OAuth config for a provider name (the oauth:<provider> settings section), or ok=false when unconfigured.

type Resolver

type Resolver struct {
	// contains filtered or unexported fields
}

Resolver implements secret.Resolver for KindOAuth.

func NewResolver

func NewResolver(vault Vault, cfg ProviderConfigFunc) *Resolver

NewResolver builds an OAuth resolver. vault provides the AES-GCM persistence (a *secret.StoredResolver); cfg looks up the provider's flow config.

func (*Resolver) Resolve

func (r *Resolver) Resolve(ctx context.Context, ref secret.Ref) ([]byte, error)

Resolve returns the current access token for an OAuth credential, refreshing first if it has expired (within a small skew). A refresh that yields a new token re-persists the blob so the rotated refresh token is not lost.

type Vault

type Vault interface {
	Resolve(ctx context.Context, ref secret.Ref) ([]byte, error)
	Create(ctx context.Context, id string, plaintext []byte) (secret.Ref, error)
}

Vault is the encrypt/decrypt persistence the resolver delegates to — the StoredResolver in practice. The OAuth blob round-trips as a KindStored value.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL