barrel_mcp_auth_bearer (barrel_mcp v2.0.2)

Bearer token authentication provider for barrel_mcp.

Supports JWT validation (HS256 built-in, RS256/ES256 via custom verifier), opaque tokens, and standard claims validation (iss, aud, exp, nbf).

Configuration Options

  • verifier - Custom verification function for tokens
  • secret - HMAC secret for HS256 JWT validation
  • issuer - Expected issuer (iss claim)
  • audience - Expected audience (aud claim)
  • clock_skew - Allowed clock skew in seconds (default: 60)
  • scope_claim - Claim name for scopes (default: scope)
  • realm - Realm for WWW-Authenticate header
  • resource - Resource identifier for RFC 8707

See also: barrel_mcp_auth.

Summary

Functions

  • authenticate/2 - Authenticate a request using Bearer token.
  • challenge/2 - Generate a WWW-Authenticate challenge.
  • decode_jwt/1 - Decode a JWT without verification. Returns {ok, Header, Claims, Signature} or {error, Reason}.
  • init/1 - Initialize the Bearer token provider.
  • validate_claims/2 - Validate JWT claims.
  • verify_hs256/2 - Verify HS256 signature.

Functions

authenticate(Request, State)

-spec authenticate(map(), map()) ->
                      {ok, barrel_mcp_auth:auth_info()} | {error, barrel_mcp_auth:auth_error()}.

Authenticate a request using Bearer token.

challenge(Reason, State)

-spec challenge(barrel_mcp_auth:auth_error(), map()) -> {integer(), map(), binary()}.

Generate a WWW-Authenticate challenge.

decode_jwt(Token)

-spec decode_jwt(binary()) -> {ok, map(), map(), binary()} | {error, term()}.

Decode a JWT without verification. Returns {ok, Header, Claims, Signature} or {error, Reason}.

init(Opts)

-spec init(map()) -> {ok, map()}.

Initialize the Bearer token provider.

validate_claims(Claims, State)

-spec validate_claims(map(), map()) -> ok | {error, term()}.

Validate JWT claims.

verify_hs256(Token, Secret)

-spec verify_hs256(binary(), binary()) -> boolean().

Verify HS256 signature.
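
Because decode_jwt/1 decodes without verification, a caller that uses the low-level functions directly must check the signature before trusting any claim. The following is an added example, not barrel_mcp's own code, that composes verify_hs256/2, decode_jwt/1 and validate_claims/2 in that order. The module name, the invalid_signature atom, atom option keys with binary values, and passing init/1's State to validate_claims/2 are assumptions.

```erlang
%% Added example, not barrel_mcp's own code. Requires OTP 26+ and barrel_mcp.
-module(bearer_lowlevel_example).
-export([check/2, demo/0]).

%% Accept a token only after its HS256 signature verifies; decode_jwt/1 alone
%% returns unauthenticated claims. Assumptions: Opts uses atom keys named as
%% in "Configuration Options", and validate_claims/2 takes init/1's State.
check(Token, #{secret := Secret} = Opts) ->
    {ok, State} = barrel_mcp_auth_bearer:init(Opts),
    case barrel_mcp_auth_bearer:verify_hs256(Token, Secret) of
        false ->
            {error, invalid_signature};          % this example's own error atom
        true ->
            case barrel_mcp_auth_bearer:decode_jwt(Token) of
                {ok, _Header, Claims, _Sig} ->
                    case barrel_mcp_auth_bearer:validate_claims(Claims, State) of
                        ok -> {ok, Claims};
                        {error, _} = ClaimError -> ClaimError
                    end;
                {error, _} = DecodeError ->
                    DecodeError
            end
    end.

%% Constructed sample input: one token signed with the configured secret and
%% one signed with a different key, both carrying identical claims.
demo() ->
    Secret = <<"constructed-demo-secret">>,
    Opts = #{secret => Secret, issuer => <<"https://issuer.example">>,
             audience => <<"mcp-demo">>, clock_skew => 60},
    Exp = erlang:system_time(second) + 300,
    Claims = iolist_to_binary(io_lib:format(
        "{\"iss\":\"https://issuer.example\",\"aud\":\"mcp-demo\",\"exp\":~b}",
        [Exp])),
    {check(sign(Claims, Secret), Opts),
     check(sign(Claims, <<"some-other-key">>), Opts)}.

%% Build a compact HS256 JWT from a JSON claims binary.
sign(ClaimsJson, Key) ->
    Header = b64(<<"{\"alg\":\"HS256\",\"typ\":\"JWT\"}">>),
    Input = <<Header/binary, $., (b64(ClaimsJson))/binary>>,
    Sig = crypto:mac(hmac, sha256, Key, Input),
    <<Input/binary, $., (b64(Sig))/binary>>.

b64(Bin) ->
    base64:encode(Bin, #{mode => urlsafe, padding => false}).
```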