Documentation
¶
Overview ¶
Package oauth resolves OAuth credentials for the relay's secret layer. The stored secret is an OAuth token blob (access + refresh + expiry, the sdk/oauth.Token wire shape) held as AES-GCM ciphertext in the same secret_values table as KindStored. Resolve returns the access token, transparently refreshing via the refresh token when it has expired and re-persisting the (often rotated) blob.
It is deliberately off the hot path: resolution happens at snapshot load and during KeyAgent heal after an upstream 401, never per request. Concurrent resolves of the same credential single-flight to one refresh.
Layering: imports sdk/oauth (the flow machinery) + pkg/secret (the Ref/Vault contract). It never imports app/ — the provider config is injected as a plain lookup func by the composition root, which reads the live oauth:<provider> settings section.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ProviderConfigFunc ¶
type ProviderConfigFunc func(provider string) (sdkoauth.ProviderConfig, bool)
ProviderConfigFunc returns the OAuth config for a provider name (the oauth:<provider> settings section), or ok=false when unconfigured.
type Resolver ¶
type Resolver struct {
// contains filtered or unexported fields
}
Resolver implements secret.Resolver for KindOAuth.
func NewResolver ¶
func NewResolver(vault Vault, cfg ProviderConfigFunc) *Resolver
NewResolver builds an OAuth resolver. vault provides the AES-GCM persistence (a *secret.StoredResolver); cfg looks up the provider's flow config.
type Vault ¶
type Vault interface {
Resolve(ctx context.Context, ref secret.Ref) ([]byte, error)
Create(ctx context.Context, id string, plaintext []byte) (secret.Ref, error)
}
Vault is the encrypt/decrypt persistence the resolver delegates to — the StoredResolver in practice. The OAuth blob round-trips as a KindStored value.