Skip to content

authn

Transport-agnostic request authentication for Go — API-key, JWT/OIDC, and mTLS verifiers, a verified Identity, and a pluggable authorization predicate. No HTTP or gRPC imports, so the same verifiers plug into either transport, or a tool calling them directly.

go get gitlab.com/phpboyscout/go/authn

gitlab.com/phpboyscout/go/authn separates the two questions every server has to answer — who are you? (a Verifier returns a verified Identity) and what may you do? (a single AuthorizeFunc predicate) — into small, testable primitives. It is the auth layer extracted from go-tool-base, where it backs both server transports.

Why

  • Framework-free. Only cockroachdb/errors and golang-jwt/jwt/v5 — no HTTP, no gRPC, no config framework, no go-tool-base. A depfootprint_test.go guard enforces the boundary.
  • Fail closed, leak nothing. A Verifier never encodes why authentication failed in a user-facing form. Callers map any verify error to a generic 401 / Unauthenticated and log the wrapped detail server-side; the ErrUnauthenticated sentinel never crosses the wire. See the security model.
  • authn ≠ authz. Verifiers authenticate; the AuthorizeFunc predicate authorizes. The package ships no policy engine — compose RequireScopes/RequireClaim or your own.

Where next


Part of the phpboyscout Go toolkit — small, framework-free Go modules extracted from go-tool-base.