Documentation
¶
Index ¶
- Constants
- Variables
- func BuildOAuthDiscoveryCandidates(ctx context.Context, client *http.Client, serverURL *url.URL, ...) ([]DiscoveryCandidate, *WWWAuthenticateProbeStatus, error)
- func BuildResourceMetadataURLs(serverURL *url.URL) []*url.URL
- func FetchAuthServerMetadataWithResult(ctx context.Context, client *http.Client, issuerURL string) (*AuthServerMetadata, *AuthServerMetadataFetchResult, error)
- func IsOptionalDiscoveryFailure(result *DiscoveryResult, probe *WWWAuthenticateProbeStatus, err error) bool
- type AuthServerMetadata
- type AuthServerMetadataAttempt
- type AuthServerMetadataDocument
- type AuthServerMetadataFetchResult
- type AuthServerMetadataPathStyle
- type DiscoveryAttempt
- type DiscoveryCandidate
- type DiscoveryResult
- type DiscoverySource
- type DiscoveryState
- type URLBundleOptions
- type WWWAuthenticateProbeStatus
Constants ¶
const DefaultDiscoveryTimeout = 5 * time.Second
DefaultDiscoveryTimeout bounds how long we wait for OAuth ProtectedResourceMetaData discovery.
Variables ¶
var Module = fx.Module( "oauth", fx.Provide(NewDiscoveryState), fx.Invoke(startOAuthDiscovery), )
Module wires OAuth discovery state and fetcher.
Functions ¶
func BuildOAuthDiscoveryCandidates ¶
func BuildOAuthDiscoveryCandidates( ctx context.Context, client *http.Client, serverURL *url.URL, logger *slog.Logger, ) ([]DiscoveryCandidate, *WWWAuthenticateProbeStatus, error)
BuildOAuthDiscoveryCandidates returns the ordered list of OAuth discovery candidates plus probe metadata for UI/reporting. It attempts WWW-Authenticate first, then the RFC 9728 well-known URLs.
func BuildResourceMetadataURLs ¶
BuildResourceMetadataURLs constructs the ordered list of candidate OAuth ProtectedResourceMetaData endpoints derived from the MCP server URL. It follows RFC 9728 discovery rules by prioritizing the path-specific well-known URI, then the root well-known URI.
func FetchAuthServerMetadataWithResult ¶
func FetchAuthServerMetadataWithResult( ctx context.Context, client *http.Client, issuerURL string, ) (*AuthServerMetadata, *AuthServerMetadataFetchResult, error)
FetchAuthServerMetadataWithResult fetches metadata and captures detailed fetch attempts.
func IsOptionalDiscoveryFailure ¶
func IsOptionalDiscoveryFailure( result *DiscoveryResult, probe *WWWAuthenticateProbeStatus, err error, ) bool
IsOptionalDiscoveryFailure reports whether OAuth discovery finished, but the target simply does not advertise protected-resource metadata. This should not block tunnel readiness for plain MCP servers.
Types ¶
type AuthServerMetadata ¶
type AuthServerMetadata struct {
Issuer string
AuthorizationEndpoint string
TokenEndpoint string
JWKSURI string
IntrospectionEndpoint string
RegistrationEndpoint string
RevocationEndpoint string
}
AuthServerMetadata is a narrow projection used by tunnel-client OAuth URL collection.
func FetchAuthServerMetadata ¶
func FetchAuthServerMetadata(ctx context.Context, client *http.Client, issuerURL string) (*AuthServerMetadata, error)
FetchAuthServerMetadata fetches RFC 8414 authorization server metadata for issuerURL.
type AuthServerMetadataAttempt ¶
type AuthServerMetadataAttempt struct {
URL string `json:"url,omitempty"`
Document AuthServerMetadataDocument `json:"document,omitempty"`
PathStyle AuthServerMetadataPathStyle `json:"path_style,omitempty"`
Tried bool `json:"tried,omitempty"`
Selected bool `json:"selected,omitempty"`
StatusCode int `json:"status_code,omitempty"`
Error string `json:"error,omitempty"`
Warning string `json:"warning,omitempty"`
IssuerMismatch bool `json:"issuer_mismatch,omitempty"`
ExpectedIssuerURL string `json:"expected_issuer_url,omitempty"`
MetadataIssuer string `json:"metadata_issuer,omitempty"`
Headers http.Header `json:"headers,omitempty"`
Body json.RawMessage `json:"body,omitempty"`
BodyText string `json:"body_text,omitempty"`
}
type AuthServerMetadataDocument ¶
type AuthServerMetadataDocument string
const ( AuthServerMetadataDocumentOAuthAuthorizationServer AuthServerMetadataDocument = "oauth-authorization-server" AuthServerMetadataDocumentOpenIDConfiguration AuthServerMetadataDocument = "openid-configuration" )
type AuthServerMetadataFetchResult ¶
type AuthServerMetadataFetchResult struct {
IssuerURL string `json:"issuer_url,omitempty"`
SelectedURL string `json:"selected_url,omitempty"`
Attempts []AuthServerMetadataAttempt `json:"attempts,omitempty"`
}
func BuildURLBundleFromPRMDWithAuthServerMetadata ¶
func BuildURLBundleFromPRMDWithAuthServerMetadata( ctx context.Context, client *http.Client, payload []byte, fetchedAt time.Time, sourceURL *url.URL, options URLBundleOptions, logger *slog.Logger, ) (hostbus.URLBundle, *AuthServerMetadataFetchResult, error)
BuildURLBundleFromPRMDWithAuthServerMetadata builds a Harpoon registration bundle from Protected Resource Metadata payload.
Contract: authorization_servers[0] is the source of truth. Additional authorization_servers entries are intentionally ignored for registration and auth-server metadata enrichment.
type AuthServerMetadataPathStyle ¶
type AuthServerMetadataPathStyle string
const ( AuthServerMetadataPathStylePrepend AuthServerMetadataPathStyle = "prepend" AuthServerMetadataPathStyleAppend AuthServerMetadataPathStyle = "append" )
type DiscoveryAttempt ¶
type DiscoveryAttempt struct {
URL string `json:"url"`
Source DiscoverySource `json:"source"`
Tried bool `json:"tried,omitempty"`
StatusCode int `json:"status_code,omitempty"`
Error string `json:"error,omitempty"`
Selected bool `json:"selected,omitempty"`
}
DiscoveryAttempt captures one discovery attempt for UI/reporting.
func FetchOAuthMetadata ¶
func FetchOAuthMetadata( ctx context.Context, client *http.Client, candidates []DiscoveryCandidate, logger *slog.Logger, ) (*types.TunnelResponse, *url.URL, []DiscoveryAttempt, error)
FetchOAuthMetadata attempts to retrieve OAuth ProtectedResourceMetaData from the provided candidates. It returns the first successful response with a non-empty body, falling back on 5xx/404 responses and network errors until all options are exhausted.
type DiscoveryCandidate ¶
type DiscoveryCandidate struct {
URL *url.URL `json:"-"`
Source DiscoverySource `json:"source"`
}
DiscoveryCandidate represents a URL plus its discovery source.
type DiscoveryResult ¶
type DiscoveryResult struct {
URL string `json:"url,omitempty"`
FetchedAt time.Time `json:"fetched_at,omitempty"`
StatusCode int `json:"status_code,omitempty"`
Headers http.Header `json:"headers,omitempty"`
Body json.RawMessage `json:"body,omitempty"`
BodyText string `json:"body_text,omitempty"`
Attempts []DiscoveryAttempt `json:"attempts,omitempty"`
AuthServerMetadata *AuthServerMetadataFetchResult `json:"auth_server_metadata,omitempty"`
}
DiscoveryResult captures OAuth ProtectedResourceMetaData returned by the MCP server.
func BuildDiscoveryResult ¶
func BuildDiscoveryResult( resp *types.TunnelResponse, sourceURL *url.URL, fetchedAt time.Time, attempts []DiscoveryAttempt, ) *DiscoveryResult
BuildDiscoveryResult converts the tunnel response into a UI-friendly payload.
type DiscoverySource ¶
type DiscoverySource string
DiscoverySource labels how a metadata candidate was discovered.
const ( DiscoverySourceWWWAuthenticate DiscoverySource = "www_authenticate" DiscoverySourceWellKnownPath DiscoverySource = "well_known_path" DiscoverySourceWellKnownRoot DiscoverySource = "well_known_root" )
type DiscoveryState ¶
type DiscoveryState struct {
// contains filtered or unexported fields
}
DiscoveryState tracks the result of a background OAuth ProtectedResourceMetaData fetch.
func NewDiscoveryState ¶
func NewDiscoveryState() *DiscoveryState
NewDiscoveryState constructs a DiscoveryState ready for updates.
func (*DiscoveryState) IsDone ¶
func (s *DiscoveryState) IsDone() bool
IsDone reports whether the discovery process has completed.
func (*DiscoveryState) Set ¶
func (s *DiscoveryState) Set( result *DiscoveryResult, err error, probe *WWWAuthenticateProbeStatus, urls []string, )
Set records the OAuth discovery result and signals waiters.
func (*DiscoveryState) Wait ¶
func (s *DiscoveryState) Wait( timeout time.Duration, ) (*DiscoveryResult, *WWWAuthenticateProbeStatus, []string, error, bool)
Wait blocks until the OAuth ProtectedResourceMetaData is available or the timeout elapses.
type URLBundleOptions ¶
URLBundleOptions carries optional generic transport hints for discovered URLs.
type WWWAuthenticateProbeStatus ¶
type WWWAuthenticateProbeStatus struct {
Attempted bool `json:"attempted"`
URL string `json:"url,omitempty"`
Error string `json:"error,omitempty"`
}
WWWAuthenticateProbeStatus captures the outcome of a WWW-Authenticate probe.