auth

Version: v0.0.45 (Latest)
Published: Jun 9, 2025 | License: Apache-2.0 | Imports: 12 | Imported by: 0

Warning: This package is not in the latest version of its module.

Documentation

Overview

Package auth provides authentication and authorization utilities.

Variables

var (
	ErrNoToken                 = errors.New("no token provided")
	ErrInvalidToken            = errors.New("invalid token")
	ErrTokenExpired            = errors.New("token expired")
	ErrInvalidIssuer           = errors.New("invalid issuer")
	ErrInvalidAudience         = errors.New("invalid audience")
	ErrMissingJWKSURL          = errors.New("missing JWKS URL")
	ErrFailedToFetchJWKS       = errors.New("failed to fetch JWKS")
	ErrFailedToDiscoverOIDC    = errors.New("failed to discover OIDC configuration")
	ErrMissingIssuerAndJWKSURL = errors.New("either issuer or JWKS URL must be provided")
)

Common errors

Functions

func AnonymousMiddleware added in v0.0.38

func AnonymousMiddleware(next http.Handler) http.Handler

AnonymousMiddleware creates an HTTP middleware that sets up anonymous claims. This is useful for testing and local environments where authorization policies need to work without requiring actual authentication.

The middleware sets up basic anonymous claims that can be used by authorization policies, allowing them to function even when authentication is disabled. This is heavily discouraged in production settings but is handy for testing and local development environments.

func GetAuthenticationMiddleware added in v0.0.38

func GetAuthenticationMiddleware(ctx context.Context, oidcConfig *JWTValidatorConfig) (func(http.Handler) http.Handler, error)

GetAuthenticationMiddleware returns the appropriate authentication middleware based on the configuration. If OIDC config is provided, it returns JWT middleware. Otherwise, it returns local user middleware.
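
An added example (not the package's own code): because a nil OIDC config makes GetAuthenticationMiddleware fall back to the local user middleware, a startup check can refuse that fallback in production. checkAuthConfig, its production flag, the error values and the audience and https requirements are assumptions of this example; JWTValidatorConfig is a local copy of the struct documented on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// JWTValidatorConfig is a local copy of the struct documented on this page,
// so the example compiles without importing the package.
type JWTValidatorConfig struct {
	Issuer, Audience, JWKSURL, ClientID string
}

// Hypothetical errors for this example; they are not the package's own.
var (
	errAuthDisabled = errors.New("OIDC config is nil: local user middleware would be selected")
	errNoKeySource  = errors.New("either issuer or JWKS URL must be provided")
	errNoAudience   = errors.New("audience is empty")
	errBadURL       = errors.New("issuer and JWKS URL must be absolute URLs (https in production)")
)

// checkAuthConfig (hypothetical helper) is meant to run at startup, before
// GetAuthenticationMiddleware, so a missing OIDC config stops a production
// deployment instead of silently disabling authentication.
func checkAuthConfig(production bool, cfg *JWTValidatorConfig) error {
	switch {
	case cfg == nil && production:
		return errAuthDisabled
	case cfg == nil:
		return nil // acceptable for tests and local development only
	case cfg.Issuer == "" && cfg.JWKSURL == "":
		return errNoKeySource
	case production && cfg.Audience == "":
		return errNoAudience // example policy: always pin the audience
	}
	for _, raw := range []string{cfg.Issuer, cfg.JWKSURL} {
		u, err := url.Parse(raw)
		if raw != "" && (err != nil || u.Host == "" || (production && u.Scheme != "https")) {
			return fmt.Errorf("%w: %q", errBadURL, raw)
		}
	}
	return nil
}

func main() {
	fmt.Println(checkAuthConfig(true, nil)) // nil config in production is rejected
}
```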

func GetClaimsFromContext added in v0.0.38

func GetClaimsFromContext(ctx context.Context) (jwt.MapClaims, bool)

GetClaimsFromContext retrieves the claims from the request context. This is a helper function that can be used by authorization policies to access the claims regardless of which middleware was used (JWT, anonymous, or local).

Returns the claims and a boolean indicating whether claims were found.

func LocalUserMiddleware added in v0.0.38

func LocalUserMiddleware(username string) func(http.Handler) http.Handler

LocalUserMiddleware creates an HTTP middleware that sets up local user claims. This allows specifying a local username while still bypassing authentication.

This middleware is useful for development and testing scenarios where you want to simulate a specific user without going through the full authentication flow. Like AnonymousMiddleware, this is heavily discouraged in production settings.

Types

type ClaimsContextKey

type ClaimsContextKey struct{}

ClaimsContextKey is the key used to store claims in the request context.

type JWTValidator

type JWTValidator struct {
	// contains filtered or unexported fields
}

JWTValidator validates JWT tokens.

func NewJWTValidator

func NewJWTValidator(ctx context.Context, config JWTValidatorConfig) (*JWTValidator, error)

NewJWTValidator creates a new JWT validator.

func (*JWTValidator) Middleware

func (v *JWTValidator) Middleware(next http.Handler) http.Handler

Middleware creates an HTTP middleware that validates JWT tokens.

func (*JWTValidator) ValidateToken

func (v *JWTValidator) ValidateToken(ctx context.Context, tokenString string) (jwt.MapClaims, error)

ValidateToken validates a JWT token.

type JWTValidatorConfig

type JWTValidatorConfig struct {
	// Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)
	Issuer string

	// Audience is the expected audience for the token
	Audience string

	// JWKSURL is the URL to fetch the JWKS from
	JWKSURL string

	// ClientID is the OIDC client ID
	ClientID string
}

JWTValidatorConfig contains configuration for the JWT validator.

func NewJWTValidatorConfig

func NewJWTValidatorConfig(issuer, audience, jwksURL, clientID string) *JWTValidatorConfig

NewJWTValidatorConfig creates a new JWTValidatorConfig with the provided parameters.

type OIDCDiscoveryDocument added in v0.0.39

type OIDCDiscoveryDocument struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

OIDCDiscoveryDocument represents the OIDC discovery document structure.

Directories

Path Synopsis
Package oauth provides OAuth 2.0 and OIDC authentication functionality.