authn¶
Transport-agnostic request authentication for Go — API-key, JWT/OIDC, and mTLS
verifiers, a verified Identity, and a pluggable authorization predicate. No HTTP or
gRPC imports, so the same verifiers plug into either transport, or a tool calling them
directly.
gitlab.com/phpboyscout/go/authn separates the two questions every server has to
answer — who are you? (a Verifier returns a verified Identity) and what may you
do? (a single AuthorizeFunc predicate) — into small, testable primitives. It is the
auth layer extracted from go-tool-base,
where it backs both server transports.
Why¶
- Framework-free. Only
cockroachdb/errorsandgolang-jwt/jwt/v5— no HTTP, no gRPC, no config framework, no go-tool-base. Adepfootprint_test.goguard enforces the boundary. - Fail closed, leak nothing. A
Verifiernever encodes why authentication failed in a user-facing form. Callers map any verify error to a generic401/Unauthenticatedand log the wrapped detail server-side; theErrUnauthenticatedsentinel never crosses the wire. See the security model. - authn ≠ authz. Verifiers authenticate; the
AuthorizeFuncpredicate authorizes. The package ships no policy engine — composeRequireScopes/RequireClaimor your own.
Where next¶
- Getting started — verify a
credential and read the
Identityin a few lines. - Choose a verifier — API key vs JWT/OIDC vs mTLS, and how to configure each.
- Authorize requests —
AuthorizeFunc,RequireScopes,RequireClaim. - Security model — fail-closed verification and the authn/authz split.
Part of the phpboyscout Go toolkit — small, framework-free Go modules extracted from go-tool-base.