auth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package auth provides credential mechanisms for mcpmux's backend connections. The exec credential helper obtains a bearer token by running an external command (e.g. "chainctl auth token --audience <resource>"), re-running it only when the cached token is near expiry or has been rejected.

The types here implement golang.org/x/oauth2.TokenSource and the MCP SDK's auth.OAuthHandler interface (structurally), so they plug directly into a streamable-HTTP transport without this package depending on the SDK.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewOAuthHandler

func NewOAuthHandler(ctx context.Context, log *slog.Logger, o OAuthOptions) (sdkauth.OAuthHandler, error)

NewOAuthHandler builds an OAuthHandler that performs the authorization-code flow in a browser, reserving a loopback callback endpoint for the daemon's lifetime (bounded by ctx). The SDK handles discovery, dynamic client registration, PKCE, token exchange and in-memory refresh.

func RunString added in v0.3.0

func RunString(ctx context.Context, argv []string) (string, error)

RunString runs argv and returns its trimmed stdout. It is used to source a config value (e.g. an OAuth client id/secret) from a helper command such as "pass" or "secret-tool".

Types

type ExecHandler

type ExecHandler struct {
	// contains filtered or unexported fields
}

ExecHandler adapts an ExecTokenSource to the MCP SDK's auth.OAuthHandler interface: the transport sets the bearer header from TokenSource on every request, and calls Authorize on a 401/403 to force a fresh token.

func NewExecHandler

func NewExecHandler(ts *ExecTokenSource) *ExecHandler

NewExecHandler wraps an ExecTokenSource as an OAuthHandler.

func (*ExecHandler) Authorize

func (h *ExecHandler) Authorize(_ context.Context, _ *http.Request, resp *http.Response) error

Authorize is invoked by the transport when a request fails with 401/403. It discards the cached token and mints a fresh one; on success the transport retries the request. It is responsible for closing the response body.

func (*ExecHandler) TokenSource

func (h *ExecHandler) TokenSource(context.Context) (oauth2.TokenSource, error)

TokenSource returns the underlying token source.

type ExecTokenSource

type ExecTokenSource struct {
	// contains filtered or unexported fields
}

ExecTokenSource is an oauth2.TokenSource that runs an external command to mint a bearer token, caching it until shortly before it expires. It is safe for concurrent use.

func NewExecTokenSource

func NewExecTokenSource(ctx context.Context, argv []string, ttl time.Duration) *ExecTokenSource

NewExecTokenSource returns a token source that runs argv to obtain tokens. ttl caps how long an opaque (non-JWT) token is cached; for JWTs the "exp" claim takes precedence. ctx bounds the lifetime of all invocations.

func (*ExecTokenSource) Invalidate

func (s *ExecTokenSource) Invalidate()

Invalidate drops the cached token so the next Token call re-runs the command.

func (*ExecTokenSource) Token

func (s *ExecTokenSource) Token() (*oauth2.Token, error)

Token returns a cached token if still valid, otherwise runs the command.

type OAuthOptions

type OAuthOptions struct {
	// Label identifies the backend in prompts and logs.
	Label string
	// Scopes optionally requested at registration/authorization.
	Scopes []string
	// ClientName is the DCR client_name presented to the user (default "mcpmux").
	ClientName string
	// OpenBrowser controls whether the auth URL is launched automatically. The
	// URL is always printed regardless, so headless/SSH use still works.
	OpenBrowser bool
	// CallbackPort fixes the loopback callback port; 0 picks an ephemeral one.
	CallbackPort int
	// ClientID/ClientSecret select a pre-registered ("confidential") client
	// instead of dynamic client registration, for servers that don't support
	// DCR. ClientSecret may be empty for a pre-registered public client.
	ClientID     string
	ClientSecret string
	// AllowIssuerMismatch tolerates an authorization server whose metadata
	// declares an issuer different from the URL it is served from (RFC 8414
	// §3.3 violation), by normalizing the issuer client-side. Needed for Slack.
	AllowIssuerMismatch bool
}

OAuthOptions configures the interactive (authorization-code + PKCE) OAuth flow for a backend. The client is registered dynamically (RFC 7591).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL