Documentation
¶
Overview ¶
Package identity extracts authenticated user identity from HTTP requests and threads it through context for Kubernetes impersonation.
Two modes of operation are supported:
Trusted proxy mode (default): JWTs are parsed WITHOUT cryptographic signature validation. Use this when MKP runs behind a proxy (e.g., ToolHive) that has already validated the token.
JWKS validation mode: When a JWKS URL is configured, JWTs are validated against the keys fetched from the OIDC provider's JWKS endpoint. This includes signature verification and expiration checking. Use this when MKP is exposed directly without a validating proxy.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func HTTPContextFunc ¶
HTTPContextFunc returns a function suitable for use with mcp-go's WithHTTPContextFunc or WithSSEContextFunc. It extracts identity from the Authorization header and stores it in the request context.
Types ¶
type Config ¶
type Config struct {
// UserClaim is the JWT claim to use for the impersonated username.
// Defaults to "email".
UserClaim string
// GroupsClaim is the JWT claim to use for impersonated groups.
// Defaults to "groups".
GroupsClaim string
// JWKSClient is an optional JWKS client for JWT signature validation.
// When set, JWTs are validated against the keys from the JWKS endpoint
// (signature + expiration). When nil, JWTs are parsed without validation
// (trusted proxy mode).
JWKSClient *JWKSClient
// Issuer is the expected JWT issuer (iss claim). When set and JWKSClient
// is configured, the JWT issuer is validated. This prevents token replay
// from different issuers sharing the same IdP keys.
Issuer string
// Audience is the expected JWT audience (aud claim). When set and JWKSClient
// is configured, the JWT audience is validated. Per OIDC Core Section 3.1.3.7,
// relying parties must validate the audience to prevent token confusion.
Audience string
}
Config holds configuration for identity extraction from JWTs.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig returns a Config with default claim names.
type Identity ¶
type Identity struct {
// User is the username to impersonate in Kubernetes API calls.
User string
// Groups are the group memberships to impersonate in Kubernetes API calls.
Groups []string
}
Identity represents an authenticated user's identity extracted from a JWT.
func ExtractFromJWT ¶
ExtractFromJWT extracts an Identity from a JWT token string. When cfg.JWKSClient is set, the JWT signature and expiration are validated. Otherwise, the JWT is parsed without signature validation (trusted proxy mode).
func ExtractFromRequest ¶
ExtractFromRequest extracts an Identity from the HTTP request's Authorization header. Returns nil (no error) if no Authorization header is present. Returns an error if the header is present but the JWT is malformed or claims are invalid.
func FromContext ¶
FromContext extracts the Identity from the context, or returns nil if none is present.
type JWKSClient ¶
type JWKSClient struct {
// contains filtered or unexported fields
}
JWKSClient fetches and caches JSON Web Key Sets from a remote endpoint. It delegates to lestrrat-go/jwx for key parsing, caching, background refresh, and concurrent request coalescing. Supports RSA, ECDSA, and EdDSA key types.
func NewJWKSClient ¶
func NewJWKSClient(ctx context.Context, jwksURL string) (*JWKSClient, error)
NewJWKSClient creates a new JWKS client that fetches keys from the given URL. The URL must use HTTPS, except for localhost addresses which allow HTTP for development. Call Stop() to clean up the background goroutines.
func (*JWKSClient) Keyfunc ¶
func (c *JWKSClient) Keyfunc() golangJWT.Keyfunc
Keyfunc returns a jwt.Keyfunc suitable for use with golangJWT.Parse. It looks up the key by kid from the cached JWKS and exports the raw crypto key (RSA, ECDSA, or EdDSA) for signature verification.
func (*JWKSClient) Stop ¶
func (c *JWKSClient) Stop()
Stop stops the background JWKS refresh goroutines.