mcp

package
Published: Jan 17, 2026 License: Apache-2.0 Imports: 50 Imported by: 0


Constants

const (
	// WellKnownAuthorizationServerEndpoint is the well-known path for the
	// RFC 8414 authorization server metadata document; presumably the path
	// at which AuthorizationServerMetadataHandler is mounted (confirm).
	WellKnownAuthorizationServerEndpoint = "/.well-known/oauth-authorization-server"
	// WellKnownProtectedResourceEndpoint is the well-known path for the
	// RFC 9728 protected resource metadata document; presumably the path
	// at which ProtectedResourceMetadataHandler is mounted (confirm).
	WellKnownProtectedResourceEndpoint   = "/.well-known/oauth-protected-resource"

	// DefaultPrefix is the default URL prefix for the MCP handler. It is the
	// value a caller would normally pass as the prefix argument to New and
	// to the metadata handlers (inferred from the name; confirm at call sites).
	DefaultPrefix = endpoints.PathPomeriumMCP
)
// InternalConnectClientID is a fixed client_id reserved for Pomerium's own use.
// NOTE(review): the name suggests it backs the internal /mcp/connect flow
// (see Handler.ConnectGet) — confirm at its call sites. It is a public, non-secret
// identifier; confirm that nothing treats knowledge of this value as authentication.
const InternalConnectClientID = "pomerium-connect-7549ebe0-a67d-4d2b-a90d-d0a483b85f72"
// MaxClientMetadataDocumentSize is the maximum size of a client metadata
// document (5KB per draft recommendation).
// NOTE(review): the bound is only useful if the response body is read with a
// limit (e.g. io.LimitReader) rather than checked after a full read;
// ClientMetadataFetcher.Fetch is the natural place for that — confirm.
const MaxClientMetadataDocumentSize = 5 * 1024

MaxClientMetadataDocumentSize is the maximum size of a client metadata document (5KB per draft recommendation).

const (
	// RefreshTokenTTL is the lifetime for MCP refresh tokens.
	// The actual validity depends on whether the upstream IdP token can still be refreshed.
	// NOTE(review): Handler.CreateRefreshToken takes an explicit expiresAt; whether it
	// derives that value from this constant is not visible here — confirm.
	RefreshTokenTTL = 365 * 24 * time.Hour
)

Variables

// DefaultHTTPClient is the default HTTP client used for fetching client
// metadata documents. This can be overridden to provide custom TLS
// configuration or security measures. If nil, http.DefaultClient is used.
//
// NOTE(review): http.DefaultClient has no Timeout and follows redirects, so a
// deployment that leaves this nil relies on the request context (if any) to
// bound the fetch; see NewClientMetadataFetcher for supplying a hardened client.
var DefaultHTTPClient *http.Client

DefaultHTTPClient is the default HTTP client used for fetching client metadata documents. This can be overridden to provide custom TLS configuration or security measures. If nil, http.DefaultClient is used.

// ErrClientMetadataFetch represents an error fetching client metadata.
// Callers should test for it with errors.Is, since it may be wrapped.
var ErrClientMetadataFetch = errors.New("failed to fetch client metadata")

ErrClientMetadataFetch represents an error fetching client metadata.

// ErrClientMetadataValidation represents a validation error for client metadata.
// Callers should test for it with errors.Is, since it may be wrapped.
var ErrClientMetadataValidation = errors.New("client metadata validation failed")

ErrClientMetadataValidation represents a validation error for client metadata.

// ErrDomainNotAllowed is returned when a client ID URL's domain is not in the
// allowed list. Presumably the error produced by DomainMatcher.ValidateURLDomain
// (confirm); test for it with errors.Is.
var ErrDomainNotAllowed = errors.New("client_id domain not allowed")

ErrDomainNotAllowed is returned when a client ID URL's domain is not in the allowed list.

Functions

func AuthorizationServerMetadataHandler

func AuthorizationServerMetadataHandler(prefix string) http.HandlerFunc

func BuildHostInfo

func BuildHostInfo(cfg *config.Config, prefix string) (map[string]ServerHostInfo, map[string]ClientHostInfo)

BuildHostInfo indexes all policies by host and builds the oauth2.Config for each host if present.

func CheckPKCE

func CheckPKCE(
	codeChallengeMethod string,
	codeChallenge string,
	codeVerifier string,
) error

func CreateCode

func CreateCode(
	typ oauth21proto.CodeType,
	id string,
	expires time.Time,
	ad string,
	cipher cipher.AEAD,
) (string, error)

func DecryptCode

func DecryptCode(
	typ oauth21proto.CodeType,
	code string,
	cipher cipher.AEAD,
	ad string,
	now time.Time,
) (*oauth21proto.Code, error)

func IsClientIDMetadataURL added in v0.32.0

func IsClientIDMetadataURL(clientID string) (bool, error)

IsClientIDMetadataURL checks if the client_id is a URL pointing to a metadata document. Per draft-ietf-oauth-client-id-metadata-document Section 3, client identifier URLs:
- MUST have "https" scheme
- MUST contain a path component
- MUST NOT contain single-dot or double-dot path segments
- MUST NOT contain a fragment component
- MUST NOT contain username or password
- SHOULD NOT include a query string component
- MAY contain a port

Returns (false, nil) if clientID is not a URL (e.g., a regular client ID string). Returns (false, error) if clientID is a URL but violates RFC requirements. Returns (true, nil) if clientID is a valid client ID metadata URL.

func OAuth2TokenToPB

func OAuth2TokenToPB(src *oauth2.Token) *oauth21proto.TokenResponse

func PBToOAuth2Token

func PBToOAuth2Token(src *oauth21proto.TokenResponse) *oauth2.Token

func ProtectedResourceMetadataHandler added in v0.31.0

func ProtectedResourceMetadataHandler(prefix string) http.HandlerFunc

func ProtectedResourceMetadataURL added in v0.31.0

func ProtectedResourceMetadataURL(host string) string

func SetWWWAuthenticateHeader added in v0.32.0

func SetWWWAuthenticateHeader(dst http.Header, host string) error

Types

type AuthenticatorGetter added in v0.32.0

// AuthenticatorGetter is a function that returns an authenticator for the
// given IdP ID. It is supplied via WithAuthenticatorGetter and used to
// refresh upstream OAuth tokens when recreating sessions.
type AuthenticatorGetter func(ctx context.Context, idpID string) (identity.Authenticator, error)

AuthenticatorGetter is a function that returns an authenticator for the given IdP ID.

type AuthorizationServerMetadata

// AuthorizationServerMetadata represents the OAuth 2.0 Authorization Server
// Metadata (RFC 8414). https://datatracker.ietf.org/doc/html/rfc8414#section-2
// Presumably the JSON body served by AuthorizationServerMetadataHandler at
// WellKnownAuthorizationServerEndpoint (confirm).
type AuthorizationServerMetadata struct {
	// Issuer is REQUIRED. The authorization server's issuer identifier, a URL using the "https" scheme with no query or fragment.
	Issuer string `json:"issuer"`

	// AuthorizationEndpoint is the URL of the authorization server's authorization endpoint. REQUIRED unless no grant types use the authorization endpoint.
	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`

	// TokenEndpoint is the URL of the authorization server's token endpoint. REQUIRED unless only the implicit grant type is supported.
	TokenEndpoint string `json:"token_endpoint,omitempty"`

	// JwksURI is OPTIONAL. URL of the authorization server's JWK Set document.
	JwksURI string `json:"jwks_uri,omitempty"`

	// RegistrationEndpoint is OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint.
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// ScopesSupported is RECOMMENDED. JSON array of supported OAuth 2.0 "scope" values.
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	// ResponseTypesSupported is REQUIRED. JSON array of supported OAuth 2.0 "response_type" values.
	ResponseTypesSupported []string `json:"response_types_supported"`

	// ResponseModesSupported is OPTIONAL. JSON array of supported OAuth 2.0 "response_mode" values. Default: ["query", "fragment"].
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`

	// GrantTypesSupported is OPTIONAL. JSON array of supported OAuth 2.0 grant type values. Default: ["authorization_code", "implicit"].
	GrantTypesSupported []string `json:"grant_types_supported,omitempty"`

	// TokenEndpointAuthMethodsSupported is OPTIONAL. JSON array of client authentication methods supported by the token endpoint. Default: "client_secret_basic".
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`

	// TokenEndpointAuthSigningAlgValuesSupported is OPTIONAL. JSON array of JWS signing algorithms supported by the token endpoint for JWT client authentication.
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`

	// ServiceDocumentation is OPTIONAL. URL of a page with human-readable information for developers.
	ServiceDocumentation string `json:"service_documentation,omitempty"`

	// UILocalesSupported is OPTIONAL. JSON array of supported languages and scripts for the UI, as BCP 47 language tags.
	UILocalesSupported []string `json:"ui_locales_supported,omitempty"`

	// OpPolicyURI is OPTIONAL. URL for the authorization server's policy on client data usage.
	OpPolicyURI string `json:"op_policy_uri,omitempty"`

	// OpTosURI is OPTIONAL. URL for the authorization server's terms of service.
	OpTosURI string `json:"op_tos_uri,omitempty"`

	// RevocationEndpoint is OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint.
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	// RevocationEndpointAuthMethodsSupported is OPTIONAL. JSON array of client authentication methods supported by the revocation endpoint. Default: "client_secret_basic".
	RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`

	// RevocationEndpointAuthSigningAlgValuesSupported is OPTIONAL. JSON array of JWS signing algorithms supported by the revocation endpoint for JWT client authentication.
	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`

	// IntrospectionEndpoint is OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint.
	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`

	// IntrospectionEndpointAuthMethodsSupported is OPTIONAL. JSON array of client authentication methods supported by the introspection endpoint.
	IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`

	// IntrospectionEndpointAuthSigningAlgValuesSupported is OPTIONAL. JSON array of JWS signing algorithms supported by the introspection endpoint for JWT client authentication.
	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`

	// CodeChallengeMethodsSupported is OPTIONAL. JSON array of PKCE code challenge methods supported by this authorization server.
	// See CheckPKCE for the verification performed at the token endpoint.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`

	// ClientIDMetadataDocumentSupported is OPTIONAL. Boolean value specifying whether the authorization server
	// supports retrieving client metadata from a client_id URL as described in draft-ietf-oauth-client-id-metadata-document.
	// Advertising true implies the server will fetch remote documents (see ClientMetadataFetcher and DomainMatcher).
	ClientIDMetadataDocumentSupported bool `json:"client_id_metadata_document_supported,omitempty"`
}

AuthorizationServerMetadata represents the OAuth 2.0 Authorization Server Metadata (RFC 8414). https://datatracker.ietf.org/doc/html/rfc8414#section-2

type ClientHostInfo

// ClientHostInfo is an empty marker value. BuildHostInfo returns a map of
// these keyed by host; presumably a host's presence in that map is what
// HostInfo.IsMCPClientForHost reports (confirm).
type ClientHostInfo struct{}

type ClientIDMetadataDocument added in v0.32.0

// ClientIDMetadataDocument represents the metadata document fetched from a
// URL-based client_id. Per draft-ietf-oauth-client-id-metadata-document, the
// document must contain a client_id that matches the URL exactly.
type ClientIDMetadataDocument struct {
	// ClientID MUST match the URL of the document.
	ClientID string `json:"client_id"`

	// ClientName is OPTIONAL but RECOMMENDED.
	ClientName string `json:"client_name,omitempty"`

	// ClientURI is OPTIONAL.
	ClientURI string `json:"client_uri,omitempty"`

	// LogoURI is OPTIONAL.
	LogoURI string `json:"logo_uri,omitempty"`

	// RedirectURIs is REQUIRED for authorization code flow.
	// ValidateRedirectURI checks a requested redirect_uri against this list.
	RedirectURIs []string `json:"redirect_uris"`

	// GrantTypes is OPTIONAL. Defaults to ["authorization_code"].
	GrantTypes []string `json:"grant_types,omitempty"`

	// ResponseTypes is OPTIONAL. Defaults to ["code"].
	ResponseTypes []string `json:"response_types,omitempty"`

	// TokenEndpointAuthMethod is OPTIONAL. Defaults to "none" for public clients.
	// Per draft, MUST NOT be client_secret_basic, client_secret_post, client_secret_jwt.
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`

	// Scope is OPTIONAL.
	Scope string `json:"scope,omitempty"`

	// Contacts is OPTIONAL.
	Contacts []string `json:"contacts,omitempty"`

	// TOSURI is OPTIONAL.
	TOSURI string `json:"tos_uri,omitempty"`

	// PolicyURI is OPTIONAL.
	PolicyURI string `json:"policy_uri,omitempty"`

	// JWKSURI is OPTIONAL.
	JWKSURI string `json:"jwks_uri,omitempty"`

	// SoftwareID is OPTIONAL.
	SoftwareID string `json:"software_id,omitempty"`

	// SoftwareVersion is OPTIONAL.
	SoftwareVersion string `json:"software_version,omitempty"`
}

ClientIDMetadataDocument represents the metadata document fetched from a URL-based client_id. Per draft-ietf-oauth-client-id-metadata-document, the document must contain a client_id that matches the URL exactly.

func (*ClientIDMetadataDocument) ToClientRegistration added in v0.32.0

func (doc *ClientIDMetadataDocument) ToClientRegistration() *rfc7591v1.ClientRegistration

ToClientRegistration converts a ClientIDMetadataDocument to a ClientRegistration for use in the authorization flow.

func (*ClientIDMetadataDocument) ValidateRedirectURI added in v0.32.0

func (doc *ClientIDMetadataDocument) ValidateRedirectURI(redirectURI string) error

ValidateRedirectURI checks if the given redirect_uri is in the list of allowed redirect URIs.

type ClientMetadataFetcher added in v0.32.0

// ClientMetadataFetcher fetches and validates client metadata documents.
// Construct it with NewClientMetadataFetcher: a nil http.Client falls back to
// DefaultHTTPClient (then http.DefaultClient), and a nil DomainMatcher rejects
// every domain, so a fetcher without an allowlist fetches nothing.
type ClientMetadataFetcher struct {
	// contains filtered or unexported fields
}

ClientMetadataFetcher fetches and validates client metadata documents.

func NewClientMetadataFetcher added in v0.32.0

func NewClientMetadataFetcher(httpClient *http.Client, domainMatcher *DomainMatcher) *ClientMetadataFetcher

NewClientMetadataFetcher creates a new ClientMetadataFetcher. If httpClient is nil, DefaultHTTPClient is used (or http.DefaultClient if DefaultHTTPClient is also nil). If domainMatcher is nil, all domains are rejected (empty allowlist behavior). Callers may provide a custom http.Client to implement SSRF protection or other security measures.

func (*ClientMetadataFetcher) Fetch added in v0.32.0

Fetch retrieves and validates a client metadata document from the given URL.

type DomainMatcher added in v0.32.0

// DomainMatcher checks if domains match against a list of allowed patterns.
// Patterns support wildcards like "*.example.com" (see NewDomainMatcher and
// IsAllowed). It is the allowlist that gates which client_id URLs
// ClientMetadataFetcher will fetch.
type DomainMatcher struct {
	// contains filtered or unexported fields
}

DomainMatcher checks if domains match against a list of allowed patterns.

func NewDomainMatcher added in v0.32.0

func NewDomainMatcher(allowedDomains []string) *DomainMatcher

NewDomainMatcher creates a new DomainMatcher with the given allowed domain patterns. Patterns support wildcards like "*.example.com".

func (*DomainMatcher) IsAllowed added in v0.32.0

func (m *DomainMatcher) IsAllowed(hostname string) bool

IsAllowed checks if the given hostname matches any of the allowed domain patterns. Uses certmagic.MatchWildcard for wildcard pattern matching (e.g., "*.github.com").

func (*DomainMatcher) ValidateURLDomain added in v0.32.0

func (m *DomainMatcher) ValidateURLDomain(u *url.URL) error

ValidateURLDomain checks if the URL's hostname is in the allowed domains list. Returns an error if the domain is not allowed.

type Handler

// Handler serves the MCP OAuth endpoints (/authorize, /token, /register,
// /mcp/connect, /mcp/routes/disconnect, ...) mounted under a URL prefix.
// Construct it with New and obtain the http.HandlerFunc via HandlerFunc.
type Handler struct {
	// contains filtered or unexported fields
}

func New

func New(
	ctx context.Context,
	prefix string,
	cfg *config.Config,
	outboundGrpcConn *grpc.CachedOutboundGRPClientConn,
	opts ...HandlerOption,
) (*Handler, error)

func (*Handler) AuthorizationResponse

func (srv *Handler) AuthorizationResponse(
	ctx context.Context,
	w http.ResponseWriter,
	r *http.Request,
	id string,
	req *oauth21proto.AuthorizationRequest,
)

AuthorizationResponse generates the successful authorization response; see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-4.1.2

func (*Handler) Authorize

func (srv *Handler) Authorize(w http.ResponseWriter, r *http.Request)

Authorize handles the /authorize endpoint.

func (*Handler) ConnectGet added in v0.31.0

func (srv *Handler) ConnectGet(w http.ResponseWriter, r *http.Request)

ConnectGet is a helper method for MCP clients to ensure that the current user has an active upstream OAuth2 session for the route.

GET /mcp/connect?redirect_url=<url>

It will redirect to the provided redirect_url once the user has an active session.

func (*Handler) CreateRefreshToken added in v0.32.0

func (srv *Handler) CreateRefreshToken(sessionID string, clientID string, expiresAt time.Time) (string, error)

CreateRefreshToken creates a refresh token for a given session and client.

func (*Handler) DecryptRefreshToken added in v0.32.0

func (srv *Handler) DecryptRefreshToken(refreshToken string, clientID string) (*oauth21proto.Code, error)

DecryptRefreshToken decrypts and validates a refresh token.

func (*Handler) DisconnectRoutes added in v0.31.0

func (srv *Handler) DisconnectRoutes(w http.ResponseWriter, r *http.Request)

DisconnectRoutes is a bulk helper method for MCP clients to purge upstream OAuth2 tokens for multiple routes. This is necessary because frontend clients cannot execute direct DELETE calls to other routes.

POST /mcp/routes/disconnect

Request body should contain a JSON object with a "routes" array:

{
  "routes": ["https://server1.example.com", "https://server2.example.com"]
}

Response returns the same format as GET /mcp/routes, showing the updated connection status:

{
  "servers": [
    {
      "name": "Server 1",
      "url": "https://server1.example.com",
      "connected": false,
      "needs_oauth": true
    },
    {
      "name": "Server 2",
      "url": "https://server2.example.com",
      "connected": false,
      "needs_oauth": true
    }
  ]
}

func (*Handler) GetAccessTokenForSession

func (srv *Handler) GetAccessTokenForSession(sessionID string, sessionExpiresAt time.Time) (string, error)

GetAccessTokenForSession returns an access token for a given session and expiration time.

func (*Handler) GetSessionIDFromAccessToken

func (srv *Handler) GetSessionIDFromAccessToken(accessToken string) (string, error)

GetSessionIDFromAccessToken decrypts the access token and returns the underlying session ID.

func (*Handler) GetUpstreamOAuth2Token

func (srv *Handler) GetUpstreamOAuth2Token(
	ctx context.Context,
	host string,
	userID string,
) (string, error)

GetUpstreamOAuth2Token retrieves the OAuth2 token for a given host and user ID. It also checks if the token is still valid and refreshes it if necessary.

func (*Handler) HandlerFunc

func (h *Handler) HandlerFunc() http.HandlerFunc

HandlerFunc returns a http.HandlerFunc that handles the mcp endpoints.

func (*Handler) ListRoutes

func (srv *Handler) ListRoutes(w http.ResponseWriter, r *http.Request)

ListRoutes returns a list of MCP servers that are registered, and whether the current user has access to them.

func (*Handler) OAuthCallback

func (srv *Handler) OAuthCallback(w http.ResponseWriter, r *http.Request)

func (*Handler) RegisterClient

func (srv *Handler) RegisterClient(w http.ResponseWriter, r *http.Request)

RegisterClient handles the /register endpoint. It is used to register a new client with the MCP server.

func (*Handler) SetClientMetadataFetcher added in v0.32.0

func (h *Handler) SetClientMetadataFetcher(fetcher *ClientMetadataFetcher)

SetClientMetadataFetcher replaces the client metadata fetcher. This is exposed for testing purposes only.

func (*Handler) Token

func (srv *Handler) Token(w http.ResponseWriter, r *http.Request)

Token handles the /token endpoint.

type HandlerOption added in v0.32.0

// HandlerOption is a functional option for configuring a Handler; pass them
// to New. See WithAuthenticatorGetter, WithClientMetadataFetcher and
// WithSessionExpiry.
type HandlerOption func(*Handler)

HandlerOption is a functional option for configuring a Handler.

func WithAuthenticatorGetter added in v0.32.0

func WithAuthenticatorGetter(getter AuthenticatorGetter) HandlerOption

WithAuthenticatorGetter sets the authenticator getter function. This is used to refresh upstream OAuth tokens when recreating sessions.

func WithClientMetadataFetcher added in v0.32.0

func WithClientMetadataFetcher(fetcher *ClientMetadataFetcher) HandlerOption

WithClientMetadataFetcher sets the client metadata fetcher. This is primarily useful for testing.

func WithSessionExpiry added in v0.32.0

func WithSessionExpiry(d time.Duration) HandlerOption

WithSessionExpiry sets the session expiry duration. This overrides the default from config.Options.CookieExpire.

type HostInfo

// HostInfo holds per-host MCP server and client information built by
// NewHostInfo from a config.Config, and answers host lookups such as
// GetOAuth2ConfigForHost, HasOAuth2ConfigForHost and IsMCPClientForHost.
type HostInfo struct {
	// contains filtered or unexported fields
}

func NewHostInfo

func NewHostInfo(
	cfg *config.Config,
	httpClient *http.Client,
) *HostInfo

func (*HostInfo) All

func (r *HostInfo) All() iter.Seq[ServerHostInfo]

func (*HostInfo) CodeExchangeForHost

func (r *HostInfo) CodeExchangeForHost(
	ctx context.Context,
	host string,
	code string,
) (*oauth2.Token, error)

func (*HostInfo) GetLoginURLForHost

func (r *HostInfo) GetLoginURLForHost(host string, state string) (string, bool)

func (*HostInfo) GetOAuth2ConfigForHost

func (r *HostInfo) GetOAuth2ConfigForHost(host string) (*oauth2.Config, bool)

func (*HostInfo) HasOAuth2ConfigForHost

func (r *HostInfo) HasOAuth2ConfigForHost(host string) bool

func (*HostInfo) IsMCPClientForHost

func (r *HostInfo) IsMCPClientForHost(host string) bool

type ProtectedResourceMetadata added in v0.31.0

// ProtectedResourceMetadata represents OAuth Protected Resource Metadata.
// See https://datatracker.ietf.org/doc/html/rfc9728#name-protected-resource-metadata
// Presumably the JSON body served by ProtectedResourceMetadataHandler at
// WellKnownProtectedResourceEndpoint (confirm).
type ProtectedResourceMetadata struct {
	// Resource is REQUIRED. The protected resource's resource identifier.
	Resource string `json:"resource"`

	// AuthorizationServers is OPTIONAL. List of OAuth authorization server issuer identifiers (RFC 8414).
	AuthorizationServers []string `json:"authorization_servers,omitempty"`

	// JwksURI is OPTIONAL. URL of the protected resource's JWK Set (must use https).
	JwksURI string `json:"jwks_uri,omitempty"`

	// ScopesSupported is RECOMMENDED. List of scope values used in authorization requests to access this resource.
	ScopesSupported []string `json:"scopes_supported,omitempty"`

	// BearerMethodsSupported is OPTIONAL. Supported methods of sending a bearer token (RFC 6750): header, body, query.
	BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`

	// ResourceSigningAlgValuesSupported is OPTIONAL. JWS signing algorithms supported for signing resource responses (value "none" MUST NOT be used).
	ResourceSigningAlgValuesSupported []string `json:"resource_signing_alg_values_supported,omitempty"`

	// ResourceName is RECOMMENDED. Human-readable, end-user display name (internationalizable).
	ResourceName string `json:"resource_name,omitempty"`

	// ResourceDocumentation is OPTIONAL. URL with human-readable developer information (internationalizable).
	ResourceDocumentation string `json:"resource_documentation,omitempty"`

	// ResourcePolicyURI is OPTIONAL. URL describing data usage requirements (internationalizable).
	ResourcePolicyURI string `json:"resource_policy_uri,omitempty"`

	// ResourceTOSURI is OPTIONAL. URL with terms of service (internationalizable).
	ResourceTOSURI string `json:"resource_tos_uri,omitempty"`

	// TLSClientCertificateBoundAccessTokens is OPTIONAL. Indicates support for mutual-TLS certificate-bound access tokens (RFC 8705). Default false when omitted.
	TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`

	// AuthorizationDetailsTypesSupported is OPTIONAL. Authorization details type values supported (RFC 9396).
	AuthorizationDetailsTypesSupported []string `json:"authorization_details_types_supported,omitempty"`

	// DPoPSigningAlgValuesSupported is OPTIONAL. JWS alg values supported for validating DPoP proofs (RFC 9449).
	DPoPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported,omitempty"`

	// DPoPBoundAccessTokensRequired is OPTIONAL. Whether DPoP-bound access tokens are always required. Default false when omitted.
	DPoPBoundAccessTokensRequired bool `json:"dpop_bound_access_tokens_required,omitempty"`
}

ProtectedResourceMetadata represents OAuth Protected Resource Metadata. see https://datatracker.ietf.org/doc/html/rfc9728#name-protected-resource-metadata

type ServerHostInfo

// ServerHostInfo describes one MCP server route. Values are produced by
// NewServerHostInfoFromPolicy and BuildHostInfo and iterated via HostInfo.All.
type ServerHostInfo struct {
	// Name, Description and LogoURL are display metadata for the route;
	// presumably taken from the config.Policy (confirm in NewServerHostInfoFromPolicy).
	Name        string
	Description string
	LogoURL     string
	// Host is the route's host; it is the key used by the per-host lookups on HostInfo.
	Host        string
	// URL is the route's URL as presented to clients (e.g. in ListRoutes output).
	URL         string
	// Config is the oauth2.Config for the route's upstream IdP. BuildHostInfo
	// builds it only "if present", so it may be nil; use
	// HostInfo.HasOAuth2ConfigForHost before relying on it.
	Config      *oauth2.Config
}

func NewServerHostInfoFromPolicy added in v0.31.0

func NewServerHostInfoFromPolicy(p *config.Policy) (ServerHostInfo, error)

type Storage

// Storage implements handlerStorage using a databroker client; construct it
// with NewStorage. It persists authorization requests, client registrations,
// sessions, MCP refresh tokens and upstream OAuth2 tokens.
type Storage struct {
	// contains filtered or unexported fields
}

Storage implements handlerStorage using a databroker client.

func NewStorage

func NewStorage(
	client databroker.DataBrokerServiceClient,
) *Storage

NewStorage creates a new Storage instance.

func (*Storage) CreateAuthorizationRequest

func (storage *Storage) CreateAuthorizationRequest(
	ctx context.Context,
	req *oauth21proto.AuthorizationRequest,
) (string, error)

func (*Storage) DeleteAuthorizationRequest

func (storage *Storage) DeleteAuthorizationRequest(
	ctx context.Context,
	id string,
) error

func (*Storage) DeleteMCPRefreshToken added in v0.32.0

func (storage *Storage) DeleteMCPRefreshToken(
	ctx context.Context,
	id string,
) error

DeleteMCPRefreshToken removes an MCP refresh token record.

func (*Storage) DeleteUpstreamOAuth2Token added in v0.31.0

func (storage *Storage) DeleteUpstreamOAuth2Token(
	ctx context.Context,
	host string,
	userID string,
) error

DeleteUpstreamOAuth2Token removes the upstream OAuth2 token for a given host and user ID.

func (*Storage) GetAuthorizationRequest

func (storage *Storage) GetAuthorizationRequest(
	ctx context.Context,
	id string,
) (*oauth21proto.AuthorizationRequest, error)

func (*Storage) GetClient

func (storage *Storage) GetClient(
	ctx context.Context,
	id string,
) (*rfc7591v1.ClientRegistration, error)

func (*Storage) GetMCPRefreshToken added in v0.32.0

func (storage *Storage) GetMCPRefreshToken(
	ctx context.Context,
	id string,
) (*oauth21proto.MCPRefreshToken, error)

GetMCPRefreshToken retrieves an MCP refresh token record by ID.

func (*Storage) GetSession

func (storage *Storage) GetSession(ctx context.Context, id string) (*session.Session, error)

func (*Storage) GetUpstreamOAuth2Token

func (storage *Storage) GetUpstreamOAuth2Token(
	ctx context.Context,
	host string,
	userID string,
) (*oauth21proto.TokenResponse, error)

GetUpstreamOAuth2Token loads the upstream OAuth2 token for a given host and user ID.

func (*Storage) PutMCPRefreshToken added in v0.32.0

func (storage *Storage) PutMCPRefreshToken(
	ctx context.Context,
	token *oauth21proto.MCPRefreshToken,
) error

PutMCPRefreshToken stores an MCP refresh token record.

func (*Storage) PutSession added in v0.32.0

func (storage *Storage) PutSession(ctx context.Context, s *session.Session) error

PutSession stores a session in the databroker.

func (*Storage) RegisterClient

func (storage *Storage) RegisterClient(
	ctx context.Context,
	req *rfc7591v1.ClientRegistration,
) (string, error)

func (*Storage) StoreUpstreamOAuth2Token

func (storage *Storage) StoreUpstreamOAuth2Token(
	ctx context.Context,
	host string,
	userID string,
	token *oauth21proto.TokenResponse,
) error

StoreUpstreamOAuth2Token stores the upstream OAuth2 token for a given host and user ID.
