package lazyoauth ¶
import "golazy.dev/lazyoauth"
Variables ¶
var ErrInvalidClient, ErrInvalidRequest, ErrInvalidGrant, ErrUnauthorized, ErrUnsupportedFlow ¶
// ErrInvalidClient reports that the presented OAuth client is not acceptable.
// Presumably surfaced to callers as the OAuth invalid_client error — confirm.
var ErrInvalidClient = errors.New("lazyoauth: invalid client")

// ErrInvalidRequest reports a malformed or incomplete OAuth request.
var ErrInvalidRequest = errors.New("lazyoauth: invalid request")

// ErrInvalidGrant reports that an authorization code or refresh token could
// not be redeemed.
var ErrInvalidGrant = errors.New("lazyoauth: invalid grant")

// ErrUnauthorized reports that a request carried no acceptable credentials.
var ErrUnauthorized = errors.New("lazyoauth: unauthorized")

// ErrUnsupportedFlow reports a grant or response type this server does not
// implement.
var ErrUnsupportedFlow = errors.New("lazyoauth: unsupported flow")
Types ¶
type AuthCode ¶
AuthCode is an authorization code record.
// AuthCode is an authorization code record handed out by the authorize
// endpoint and redeemed once at the token endpoint.
type AuthCode struct {
	// Code is the opaque authorization code value used as the store key.
	Code string `json:"code"`
	// ClientID identifies the Client the code was issued to.
	ClientID string `json:"client_id"`
	// RedirectURI is the redirect target bound to this code; presumably it
	// must be re-presented unchanged when the code is redeemed — confirm.
	RedirectURI string `json:"redirect_uri"`
	// CodeChallenge and CodeChallengeMethod carry the PKCE challenge when the
	// client supplied one; empty when absent (omitted from JSON).
	CodeChallenge string `json:"code_challenge,omitempty"`
	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
	// User is the authenticated principal the code represents.
	User lazyauth.User `json:"user"`
	// Scope is the granted scope list; nil when no scope was requested.
	Scope []string `json:"scope,omitempty"`
	// ExpiresAt is the code's expiry instant. Enforcement is not shown here —
	// NOTE(review): confirm the token endpoint rejects codes past ExpiresAt.
	ExpiresAt time.Time `json:"expires_at"`
}
type ClaimsMapper ¶
ClaimsMapper maps an authenticated user and OAuth client to JWT claims.
// ClaimsMapper maps an authenticated user and OAuth client to JWT claims.
// Applications implement it to decide which claims end up in access tokens.
type ClaimsMapper interface {
	// ClaimsFor returns the claims to sign for user acting through client.
	// A non-nil error aborts token issuance.
	ClaimsFor(context.Context, lazyauth.User, Client) (lazyjwt.Claims, error)
}
type ClaimsMapperFunc ¶
ClaimsMapperFunc adapts a function to ClaimsMapper.
// ClaimsMapperFunc adapts a plain function to the ClaimsMapper interface, so a
// closure can be passed as Config.ClaimsMapper without a named type.
type ClaimsMapperFunc func(context.Context, lazyauth.User, Client) (lazyjwt.Claims, error)
func (fn ClaimsMapperFunc) ClaimsFor ¶
func (fn ClaimsMapperFunc) ClaimsFor(ctx context.Context, user lazyauth.User, client Client) (lazyjwt.Claims, error)
type Client ¶
Client is an OAuth client.
// Client is an OAuth client as persisted by a Store.
type Client struct {
	// ID is the client identifier used as the store key.
	ID string `json:"id"`
	// Name is an optional human-readable label.
	Name string `json:"name,omitempty"`
	// RedirectURIs lists the redirect targets registered for the client.
	// Presumably only exact matches against this list are accepted at the
	// authorize endpoint — confirm; loose matching enables open redirects.
	RedirectURIs []string `json:"redirect_uris"`
	// Domain is an optional domain associated with the client; its use is
	// not visible here.
	Domain string `json:"domain,omitempty"`
}
type Config ¶
Config configures an OAuth authorization server and resource server.
// Config configures an OAuth authorization server and resource server.
// Zero-value handling for the optional fields is not shown here.
type Config struct {
	// Issuer is the issuer identity of tokens minted by this server.
	Issuer string
	// Resource is the resource identifier the server protects.
	Resource string
	// Auth configures the lazyauth authenticator used at the authorize step.
	Auth lazyauth.Config
	// Store persists clients, authorization codes and refresh tokens.
	Store Store
	// Signer signs issued JWTs.
	Signer lazyjwt.Signer
	// Validator overrides the resource-server JWT validator. When empty, a
	// validator is derived from Signer, Issuer, and Resource.
	Validator lazyjwt.ValidatorConfig
	// ClaimsMapper decides which claims go into access tokens.
	ClaimsMapper ClaimsMapper
	// AuthorizePath, TokenPath, RegisterPath and JWKSPath are the request
	// paths the server handles (see Server.HandlesPath).
	AuthorizePath string
	TokenPath string
	RegisterPath string
	JWKSPath string
	// AccessTokenTTL and RefreshTokenTTL bound token lifetimes.
	AccessTokenTTL time.Duration
	RefreshTokenTTL time.Duration
	// AllowDynamicClients enables dynamic client registration, presumably
	// served at RegisterPath — confirm. NOTE(review): an open registration
	// endpoint is an abuse surface; rate limiting and redirect-URI validation
	// on registration are not visible here.
	AllowDynamicClients bool
}
type MemoryStore ¶
MemoryStore is an in-memory OAuth store.
// MemoryStore is an in-memory OAuth store. Its exported maps carry JSON tags,
// consistent with NewDiskStore persisting the store as JSON.
// NOTE(review): any locking lives in the unexported fields — confirm before
// sharing one instance across handler goroutines.
type MemoryStore struct {
	// Clients holds registered clients keyed by Client.ID.
	Clients map[string]Client `json:"clients"`
	// Codes holds outstanding authorization codes keyed by AuthCode.Code.
	Codes map[string]AuthCode `json:"codes"`
	// Refresh holds refresh tokens keyed by RefreshToken.Token.
	Refresh map[string]RefreshToken `json:"refresh"`
	// contains filtered or unexported fields
}
func NewDiskStore ¶
NewDiskStore loads or creates a JSON OAuth store at path.
func NewDiskStore(path string) (*MemoryStore, error)
func NewMemoryStore ¶
NewMemoryStore creates an empty in-memory store.
func NewMemoryStore() *MemoryStore
func (store *MemoryStore) GetClient ¶
func (store *MemoryStore) GetClient(_ context.Context, id string) (Client, error)
func (store *MemoryStore) GetRefreshToken ¶
func (store *MemoryStore) GetRefreshToken(_ context.Context, token string) (RefreshToken, error)
func (store *MemoryStore) SaveAuthCode ¶
func (store *MemoryStore) SaveAuthCode(_ context.Context, code AuthCode) error
func (store *MemoryStore) SaveClient ¶
func (store *MemoryStore) SaveClient(_ context.Context, client Client) error
func (store *MemoryStore) SaveRefreshToken ¶
func (store *MemoryStore) SaveRefreshToken(_ context.Context, token RefreshToken) error
func (store *MemoryStore) TakeAuthCode ¶
func (store *MemoryStore) TakeAuthCode(_ context.Context, code string) (AuthCode, error)
type RefreshToken ¶
RefreshToken is a refresh token record.
// RefreshToken is a refresh token record persisted by a Store.
type RefreshToken struct {
	// Token is the opaque refresh token value used as the store key.
	Token string `json:"token"`
	// ClientID identifies the Client the token was issued to.
	ClientID string `json:"client_id"`
	// User is the principal the token refreshes access for.
	User lazyauth.User `json:"user"`
	// Scope is the scope list carried over to refreshed access tokens; nil
	// when none was granted.
	Scope []string `json:"scope,omitempty"`
	// ExpiresAt is the token's expiry instant; enforcement is not shown here.
	ExpiresAt time.Time `json:"expires_at"`
}
type Server ¶
Server serves OAuth endpoints and validates bearer tokens.
// Server serves OAuth endpoints and validates bearer tokens. It has no
// exported fields; construct it with New and mount it via Handler, Protect
// or ServeHTTP.
type Server struct {
	// contains filtered or unexported fields
}
func New ¶
New creates an OAuth server.
func New(config Config) (*Server, error)
func (server *Server) Handler ¶
Handler serves OAuth endpoints and protects non-OAuth requests with bearer token validation.
func (server *Server) Handler(next http.Handler) http.Handler
func (server *Server) HandlesPath ¶
HandlesPath reports whether path belongs to this OAuth server.
func (server *Server) HandlesPath(path string) bool
func (server *Server) Protect ¶
Protect validates bearer tokens before calling next.
func (server *Server) Protect(next http.Handler) http.Handler
func (server *Server) ServeHTTP ¶
ServeHTTP serves OAuth metadata and endpoint requests.
func (server *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)
type Store ¶
Store persists OAuth clients and transient tokens.
// Store persists OAuth clients and transient tokens. MemoryStore is the
// provided implementation.
type Store interface {
	// SaveClient stores or replaces a client.
	SaveClient(context.Context, Client) error
	// GetClient looks up a client by ID.
	GetClient(context.Context, string) (Client, error)
	// SaveAuthCode stores an authorization code record.
	SaveAuthCode(context.Context, AuthCode) error
	// TakeAuthCode returns the record for a code. The name suggests it also
	// removes the record so a code cannot be redeemed twice — confirm in each
	// implementation, since replayable codes defeat the grant.
	TakeAuthCode(context.Context, string) (AuthCode, error)
	// SaveRefreshToken stores a refresh token record.
	SaveRefreshToken(context.Context, RefreshToken) error
	// GetRefreshToken looks up a refresh token record by token value.
	GetRefreshToken(context.Context, string) (RefreshToken, error)
}
Package lazyoauth provides OAuth server and resource-server primitives.
It is intentionally independent from specific account databases and from MCP. Applications provide lazyauth authenticators, token stores, and claim mapping policy. lazyapp can then use the same OAuth server for MCP clients such as Codex or Claude, browser-integrated companion applications, or other dependent clients.