identity

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 9, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package identity extracts authenticated user identity from HTTP requests and threads it through context for Kubernetes impersonation.

Two modes of operation are supported:

  • Trusted proxy mode (default): JWTs are parsed WITHOUT cryptographic signature validation. Use this when MKP runs behind a proxy (e.g., ToolHive) that has already validated the token.

  • JWKS validation mode: When a JWKS URL is configured, JWTs are validated against the keys fetched from the OIDC provider's JWKS endpoint. This includes signature verification and expiration checking. Use this when MKP is exposed directly without a validating proxy.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func HTTPContextFunc

func HTTPContextFunc(cfg *Config) func(ctx context.Context, r *http.Request) context.Context

HTTPContextFunc returns a function suitable for use with mcp-go's WithHTTPContextFunc or WithSSEContextFunc. It extracts identity from the Authorization header and stores it in the request context.

func WithContext

func WithContext(ctx context.Context, id *Identity) context.Context

WithContext returns a new context with the given Identity stored in it.

Types

type Config

type Config struct {
	// UserClaim is the JWT claim to use for the impersonated username.
	// Defaults to "email".
	UserClaim string
	// GroupsClaim is the JWT claim to use for impersonated groups.
	// Defaults to "groups".
	GroupsClaim string
	// JWKSClient is an optional JWKS client for JWT signature validation.
	// When set, JWTs are validated against the keys from the JWKS endpoint
	// (signature + expiration). When nil, JWTs are parsed without validation
	// (trusted proxy mode).
	JWKSClient *JWKSClient
	// Issuer is the expected JWT issuer (iss claim). When set and JWKSClient
	// is configured, the JWT issuer is validated. This prevents token replay
	// from different issuers sharing the same IdP keys.
	Issuer string
	// Audience is the expected JWT audience (aud claim). When set and JWKSClient
	// is configured, the JWT audience is validated. Per OIDC Core Section 3.1.3.7,
	// relying parties must validate the audience to prevent token confusion.
	Audience string
}

Config holds configuration for identity extraction from JWTs.

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig returns a Config with default claim names.

type Identity

type Identity struct {
	// User is the username to impersonate in Kubernetes API calls.
	User string
	// Groups are the group memberships to impersonate in Kubernetes API calls.
	Groups []string
}

Identity represents an authenticated user's identity extracted from a JWT.

func ExtractFromJWT

func ExtractFromJWT(token string, cfg *Config) (*Identity, error)

ExtractFromJWT extracts an Identity from a JWT token string. When cfg.JWKSClient is set, the JWT signature and expiration are validated. Otherwise, the JWT is parsed without signature validation (trusted proxy mode).

func ExtractFromRequest

func ExtractFromRequest(r *http.Request, cfg *Config) (*Identity, error)

ExtractFromRequest extracts an Identity from the HTTP request's Authorization header. Returns nil (no error) if no Authorization header is present. Returns an error if the header is present but the JWT is malformed or claims are invalid.

func FromContext

func FromContext(ctx context.Context) *Identity

FromContext extracts the Identity from the context, or returns nil if none is present.

type JWKSClient

type JWKSClient struct {
	// contains filtered or unexported fields
}

JWKSClient fetches and caches JSON Web Key Sets from a remote endpoint. It delegates to lestrrat-go/jwx for key parsing, caching, background refresh, and concurrent request coalescing. Supports RSA, ECDSA, and EdDSA key types.

func NewJWKSClient

func NewJWKSClient(ctx context.Context, jwksURL string) (*JWKSClient, error)

NewJWKSClient creates a new JWKS client that fetches keys from the given URL. The URL must use HTTPS, except for localhost addresses which allow HTTP for development. Call Stop() to clean up the background goroutines.

func (*JWKSClient) Keyfunc

func (c *JWKSClient) Keyfunc() golangJWT.Keyfunc

Keyfunc returns a jwt.Keyfunc suitable for use with golangJWT.Parse. It looks up the key by kid from the cached JWKS and exports the raw crypto key (RSA, ECDSA, or EdDSA) for signature verification.

func (*JWKSClient) Stop

func (c *JWKSClient) Stop()

Stop stops the background JWKS refresh goroutines.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL