Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func PerformOIDCLogin
func PerformOIDCLogin(
	ctx context.Context,
	config *OIDCLoginConfig,
	authCodeFetcher auth.AuthorizationCodeFetcher,
) (*oauth2.Token, error)
PerformOIDCLogin performs the complete OIDC Authorization Code flow with PKCE in a single function call. This is the recommended approach for obtaining an ID Token for use with EnterpriseHandler.
Returns an oauth2.Token where:
- Extra("id_token") contains the OpenID Connect ID Token (JWT)
- AccessToken contains the OAuth2 access token (if issued by IdP)
- RefreshToken contains the OAuth2 refresh token (if issued by IdP)
- TokenType is the token type (typically "Bearer")
- Expiry is when the token expires
Types
type EnterpriseHandler
type EnterpriseHandler struct {
	// contains filtered or unexported fields
}
EnterpriseHandler is an implementation of auth.OAuthHandler that uses Enterprise Managed Authorization (SEP-990) to obtain access tokens.
The flow consists of:
- OIDC Login: User authenticates with enterprise IdP → ID Token
- Token Exchange (RFC 8693): ID Token → ID-JAG at IdP
- JWT Bearer Grant (RFC 7523): ID-JAG → Access Token at MCP Server
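Steps 2 and 3 of the flow above, as an added example that is not the go-sdk package's own code: the ID Token is exchanged for an ID-JAG at the IdP (RFC 8693, with the MCP authorization server as audience and the MCP resource as resource), and the ID-JAG is then presented to the MCP authorization server as a JWT bearer assertion (RFC 7523). Both token endpoints are replaced by a constructed in-memory stand-in that checks what each side must see; the endpoint URLs, client id, scope and the `id-jag` token-type URN are assumptions, and the ID Token from step 1 is a placeholder string.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// URNs from RFC 8693 and RFC 7523; the id-jag token type follows the Identity Assertion
// Authorization Grant draft that SEP-990 builds on (assumed value, check the current draft).
const (
	grantExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	grantJWT      = "urn:ietf:params:oauth:grant-type:jwt-bearer"
	typeIDToken   = "urn:ietf:params:oauth:token-type:id_token"
	typeIDJAG     = "urn:ietf:params:oauth:token-type:id-jag"
)

// enterpriseAuthorize runs steps 2 and 3: exchange the ID Token at the IdP for an ID-JAG bound to the
// MCP auth server (audience) and resource, then present that ID-JAG to the MCP auth server as a JWT
// bearer assertion. send posts a form and returns the decoded JSON (wrap http.Client.PostForm in prod).
func enterpriseAuthorize(send func(endpoint string, form url.Values) (map[string]string, error),
	idpTokenURL, mcpTokenURL, clientID, idToken, audience, resource string, scopes []string) (string, error) {
	idjag, err := send(idpTokenURL, url.Values{"grant_type": {grantExchange},
		"client_id": {clientID}, "subject_token": {idToken}, "subject_token_type": {typeIDToken},
		"requested_token_type": {typeIDJAG}, "audience": {audience}, "resource": {resource}})
	if err != nil {
		return "", err
	}
	tok, err := send(mcpTokenURL, url.Values{"grant_type": {grantJWT}, "client_id": {clientID},
		"assertion": {idjag["access_token"]}, "scope": {strings.Join(scopes, " ")}})
	return tok["access_token"], err // tok is nil on error and indexes to ""
}

// fakeEndpoints is a constructed stand-in for both token endpoints: each accepts only its grant
// type with the binding parameters present and mints a marker token that records its input.
func fakeEndpoints(endpoint string, f url.Values) (map[string]string, error) {
	switch {
	case endpoint == "https://idp.example/token" && f.Get("grant_type") == grantExchange && f.Get("audience") != "" &&
		f.Get("resource") != "" && f.Get("subject_token_type") == typeIDToken && f.Get("requested_token_type") == typeIDJAG:
		return map[string]string{"access_token": "idjag(" + f.Get("subject_token") + ")"}, nil
	case endpoint == "https://mcp.example/token" && f.Get("grant_type") == grantJWT && f.Get("assertion") != "":
		return map[string]string{"access_token": "access(" + f.Get("assertion") + ")", "token_type": "Bearer"}, nil
	}
	return nil, fmt.Errorf("%s: invalid_request", endpoint)
}

func main() { // constructed identifiers; prints access(idjag(constructed.id.token)) <nil>
	fmt.Println(enterpriseAuthorize(fakeEndpoints, "https://idp.example/token", "https://mcp.example/token",
		"mcp-client", "constructed.id.token", "https://mcp.example", "https://mcp.example/resource", []string{"mcp:tools"}))
}
```

The marker tokens make the chain of custody visible: the access token wraps the ID-JAG, which wraps the ID Token, and a request missing the audience or resource binding is rejected at the IdP step.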
func NewEnterpriseHandler
func NewEnterpriseHandler(config *EnterpriseHandlerConfig) (*EnterpriseHandler, error)
NewEnterpriseHandler creates a new EnterpriseHandler. It performs validation of the configuration and returns an error if invalid.
func (*EnterpriseHandler) Authorize
func (h *EnterpriseHandler) Authorize(ctx context.Context, req *http.Request, resp *http.Response) error
Authorize performs the Enterprise Managed Authorization flow. It is called when a request fails with 401 or 403.
func (*EnterpriseHandler) TokenSource
func (h *EnterpriseHandler) TokenSource(ctx context.Context) (oauth2.TokenSource, error)
TokenSource returns the token source for outgoing requests. Returns nil if authorization has not been performed yet.
type EnterpriseHandlerConfig
type EnterpriseHandlerConfig struct {
	// IdPIssuerURL is the enterprise IdP's issuer URL (e.g., "https://acme.okta.com").
	// Used for OIDC discovery to find the token endpoint.
	// REQUIRED.
	IdPIssuerURL string

	// IdPCredentials contains the MCP Client's credentials registered at the IdP.
	// REQUIRED. These credentials are used for token exchange at the IdP.
	// The ClientID is always required. ClientSecretAuth is optional and only needed
	// if the IdP requires client authentication (confidential clients).
	IdPCredentials *oauthex.ClientCredentials

	// MCPAuthServerURL is the MCP Server's authorization server issuer URL.
	// Used as the audience for token exchange and for metadata discovery.
	// REQUIRED.
	MCPAuthServerURL string

	// MCPResourceURI is the MCP Server's resource identifier (RFC 9728).
	// Used as the resource parameter in token exchange.
	// REQUIRED.
	MCPResourceURI string

	// MCPCredentials contains the MCP Client's credentials registered at the MCP Server.
	// REQUIRED. These credentials are used for the JWT Bearer grant at the MCP Server.
	// The ClientID is always required. ClientSecretAuth is optional and only needed
	// if the MCP Server requires client authentication.
	MCPCredentials *oauthex.ClientCredentials

	// MCPScopes is the list of scopes to request at the MCP Server.
	// OPTIONAL.
	MCPScopes []string

	// IDTokenFetcher is called to obtain an ID Token when authorization is needed.
	// The implementation should handle the OIDC login flow (e.g., browser redirect,
	// callback handling) and return the ID token.
	// REQUIRED.
	IDTokenFetcher IDTokenFetcher

	// HTTPClient is an optional HTTP client for customization.
	// If nil, http.DefaultClient is used.
	// OPTIONAL.
	HTTPClient *http.Client
}
EnterpriseHandlerConfig is the configuration for EnterpriseHandler.
type IDTokenFetcher
IDTokenFetcher is called to obtain an ID Token from the enterprise IdP. This is typically done via an OIDC login flow in which the user authenticates with their enterprise identity provider.
Returns an oauth2.Token where Extra("id_token") contains the OpenID Connect ID Token (JWT).
type OIDCLoginConfig
type OIDCLoginConfig struct {
	// IssuerURL is the IdP's issuer URL (e.g., "https://acme.okta.com").
	// REQUIRED.
	IssuerURL string

	// Credentials contains the MCP Client's credentials registered at the IdP.
	// The ClientID field is REQUIRED. The ClientSecret field is OPTIONAL
	// (only required if the client is confidential, not a public client).
	// REQUIRED (struct itself), but the ClientSecret field can be empty.
	Credentials *oauthex.ClientCredentials

	// RedirectURL is the OAuth2 redirect URI registered with the IdP.
	// This must match exactly what was registered with the IdP.
	// REQUIRED.
	RedirectURL string

	// Scopes are the OAuth2/OIDC scopes to request.
	// "openid" is REQUIRED for OIDC. Common values: ["openid", "profile", "email"]
	// REQUIRED.
	Scopes []string

	// LoginHint is a hint to the IdP about the user's identity.
	// Some IdPs may require this (e.g., as an email address for routing to SSO providers).
	// Example: "user@example.com"
	// OPTIONAL.
	LoginHint string

	// HTTPClient is the HTTP client for making requests.
	// If nil, http.DefaultClient is used.
	// OPTIONAL.
	HTTPClient *http.Client
}
OIDCLoginConfig configures the OIDC Authorization Code flow for obtaining an ID Token. This is used with PerformOIDCLogin to authenticate users with an enterprise IdP before calling the Enterprise Managed Authorization flow.
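The authorization request that PerformOIDCLogin's Authorization Code flow with PKCE starts from, built from the OIDCLoginConfig fields above, as an added example that is not the go-sdk package's own code. It derives the S256 code_challenge from a fresh code_verifier (RFC 7636), refuses a Scopes list without "openid" (without it no ID Token is issued and Extra("id_token") would be empty), and adds login_hint only when set. The authorization endpoint, client id, redirect URI and state value are constructed; a real client takes the endpoint from OIDC discovery on IssuerURL.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// codeChallenge derives the S256 challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636).
func codeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// newVerifier returns a fresh 43-character code_verifier built from 32 bytes of crypto/rand.
func newVerifier() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// authorizationURL builds the authorization request for the code flow with PKCE from the
// OIDCLoginConfig fields (authEndpoint comes from discovery on IssuerURL). It refuses a scope
// list without "openid": the IdP then issues no ID Token and Extra("id_token") would be empty.
func authorizationURL(authEndpoint, clientID, redirectURL, loginHint, state, verifier string, scopes []string) (string, error) {
	if !strings.Contains(" "+strings.Join(scopes, " ")+" ", " openid ") {
		return "", fmt.Errorf("scopes %q must include openid", scopes)
	}
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURL},
		"scope": {strings.Join(scopes, " ")}, "state": {state},
		"code_challenge": {codeChallenge(verifier)}, "code_challenge_method": {"S256"}}
	if loginHint != "" { // some IdPs use it to route the user to the right SSO connection
		q.Set("login_hint", loginHint)
	}
	return authEndpoint + "?" + q.Encode(), nil
}

func main() { // constructed endpoint, client, redirect and state values
	v, _ := newVerifier()
	u, err := authorizationURL("https://acme.okta.com/authorize", "mcp-client", "http://localhost:8080/callback",
		"user@example.com", "constructed-state", v, []string{"openid", "profile", "email"})
	fmt.Println(u, err)
}
```

The verifier is kept by the client and sent only with the code in the token request; the IdP recomputes codeChallenge over it and rejects a code that was intercepted by a party without the verifier.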