adhocore/goicPublic

NotificationsYou must be signed in to change notification settings
Fork3
Star31

Golang OpenID Connect Client

License

MIT license

31 stars 3 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 109 Commits
.github		.github
examples		examples
.editorconfig		.editorconfig
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
LICENSE		LICENSE
README.md		README.md
VERSION		VERSION
go.mod		go.mod
go.sum		go.sum
goic.go		goic.go
provider.go		provider.go
user.go		user.go
util.go		util.go

Repository files navigation

adhocore/goic

GOIC,Go Open ID Connect, is OpenID connect client library for Golang.It supports theAuthorization Code Flow of OpenID Connect specification.

Installation

go get -u github.com/adhocore/goic

Usage

Decide an endpoint (aka URI) in your server where you would likegoic to intercept and add OpenID Connect flow.Let's say/auth/o8. Then the provider name follows it.All the OpenID providers that your server should support will need a unique name and each of theproviders get a URI like so/auth/o8/<name>. Example:

Provider	Name	OpenID URI	Revocation	Signout
Google	google	`/auth/o8/google`	Yes	No
Facebook	facebook	`/auth/o8/facebook`	No	No
Microsoft	microsoft	`/auth/o8/microsoft`	No	Yes
Yahoo	yahoo	`/auth/o8/yahoo`	Yes	No
Paypal	paypal	`/auth/o8/paypal`	No	No

Important: All the providersmust provide .well-known configurations for OpenID auto discovery.

Get ready with OpenID provider credentials (client id and secret).For Google, checkthis.To use the example below you need to exportGOOGLE_CLIENT_ID andGOOGLE_CLIENT_SECRET env vars.

You also need to configure application domain and redirect URI in the Provider console/dashboard.(redirect URI is same as OpenID URI in above table).

Below is an example for authorization code flow but instead of copy/pasting it entirely you can use it for reference.

package mainimport ("log""net/http""os""github.com/adhocore/goic")funcmain() {// Init GOIC with a root uri and verbose mode (=true)g:=goic.New("/auth/o8",true)// Register Google provider with name google and its auth URI// It will preemptively load well-known config and jwks keysp:=g.NewProvider("google","https://accounts.google.com")// Configure credentials for Google providerp.WithCredential(os.Getenv("GOOGLE_CLIENT_ID"),os.Getenv("GOOGLE_CLIENT_SECRET"))// Configure scopep.WithScope("openid email profile")// Define a callback that will receive token and user info on successful verificationg.UserCallback(func(t*goic.Token,u*goic.User,w http.ResponseWriter,r*http.Request) {// Persist token and user info as you wish! Be sure to check for error in `u.Error` first// Use the available `w` and `r` params to show some nice page with message to your user// OR redirect them to homepage/dashboard etc// However, for the example, here I just dump it in backend consolelog.Println("token: ",t)log.Println("user: ",u)// and tell the user it is all good:_,_=w.Write([]byte("All good, check backend console"))})// Listen address for server, 443 for https as OpenID connect mandates it!addr:="localhost:443"// You need to find a way to run your localhost in HTTPS as well.// You may also alias it something like `goic.lvh.me` (lvh is local virtual host)// *.lvh.me is automatically mapped to 127.0.0.1 in unix systems.// A catch-all dummy handlerhandler:=func(w http.ResponseWriter,r*http.Request) {_,_=w.Write([]byte(r.Method+" "+r.URL.Path))}log.Println("Server running on https://localhost")log.Println("            Visit https://localhost/auth/o8/google")// This is just example (don't copy it)useMux:=os.Getenv("GOIC_HTTP_MUX")=="1"ifuseMux {mux:=http.NewServeMux()// If you use http mux, wrap your handler with g.MiddlewareHandlermux.Handle("/",g.MiddlewareHandler(http.HandlerFunc(handler)))server:=&http.Server{Addr:addr,Handler:mux}log.Fatal(server.ListenAndServeTLS("server.crt","server.key"))}else {// If you just use plain simple handler func,// wrap your handler with g.MiddlewareFunchttp.HandleFunc("/",g.MiddlewareFunc(handler))log.Fatal(http.ListenAndServeTLS(addr,"server.crt","server.key",nil))}}

// OR, you can use shorthand syntax to register providers:g:=goic.New("/auth/o8",false)g.AddProvider(goic.Google.WithCredential(os.Getenv("GOOGLE_CLIENT_ID"),os.Getenv("GOOGLE_CLIENT_SECRET")))g.AddProvider(goic.Microsoft.WithCredential(os.Getenv("MICROSOFT_CLIENT_ID"),os.Getenv("MICROSOFT_CLIENT_SECRET")))g.AddProvider(goic.Yahoo.WithCredential(os.Getenv("YAHOO_CLIENT_ID"),os.Getenv("YAHOO_CLIENT_SECRET")))// ...

After having code like that, build the binary (go build) and run server program (./<binary>).

You need to pointSign in with <provider> button tohttps://localhost/auth/o8/<provider> for your end user.For example:

<ahref="https://localhost/auth/o8/google">Sign in with Google</a><ahref="https://localhost/auth/o8/microsoft">Sign in with Microsoft</a><ahref="https://localhost/auth/o8/yahoo">Sign in with Yahoo</a>

The complete flow is managed and handled by GOIC for you and on successful verification,You will be able to receive user and token info in your callback viag.UserCallback!That is where you persist the user data, set some cookie etc.

Checkexamples directory later for more, as it will be updatedwhen GOIC has new features.

The example and discussion here assumelocalhost domain so adjust that accordingly for your domains.

Signing out

For signing out you need to manually invokeg.SignOut() from within http context. See theAPI below.There is also a workingexample. Note that not all Providers support signing out.

Revocation

To revoke a token manually, invokeg.RevokeToken() from any context. See theAPI below.There is also a workingexample. Note that not all Providers support revocation.

GOIC API

GOIC supports full end-to-end for Authorization Code Flow, however if you want to manually interact, here's summary of API:

Supports

Use it to check if a provider is supported.

g:=goic.New("/auth/o8",false)g.NewProvider("abc","...").WithCredential("...","...")g.Supports("abc")// trueg.Supports("xyz")// false

RequestAuth

Manually request authentication from OpenID Provider. Must be called from within http context.

g:=goic.New("/auth/o8",false)p:=g.NewProvider("abc","...").WithCredential("...","...")// Generate random unique state and noncestate,nonce:=goic.RandomString(24),goic.RandomString(24)// You must save them to cookie/session, so it can be retrieved later for crosscheck// redir is the redirect url in your host for provider of interestredir:="https://localhost/auth/o8/"+p.Name// Redirects to provider first and then back to above redir url// res = http.ResponseWriter, req = *http.Requesterr:=g.RequestAuth(p,state,nonce,redir,res,req)

Authenticate

Manually attempt to authenticate after the request comes back from OpenID Provider.

g:=goic.New("/auth/o8",false)p:=g.NewProvider("abc","...").WithCredential("...","...")// Read openid provider code from query param, and nonce from cookie/session etc// PS: Validate that the nonce is relevant to the state sent by openid providercode,nonce:="",""// redir is the redirect url in your host for provider of interestredir:="https://localhost/auth/o8/"+p.Nametok,err:=g.Authenticate(p,code,nonce,redir)

RefreshToken

Use it to request Access token by using refresh token.

g:=goic.New("/auth/o8",false)// ... add providersold:=&goic.Token{RefreshToken:"your refresh token",Provider:goic.Microsoft.Name}tok,err:=g.RefreshToken(old)// Do something with new tok.AccessToken

Userinfo

Manually request Userinfo by using the token returned by Authentication above.

g:=goic.New("/auth/o8",false)p:=g.NewProvider("abc","...").WithCredential("...","...")// ...tok,err:=g.Authenticate(p,code,nonce,redir)user:=g.UserInfo(tok)err:=user.Error

SignOut

Use it to sign out the user from OpenID Provider. Must be called from within http context.Ideally, you would clear the session and logout user from your own system first and then invoke SignOut.

g:=goic.New("/auth/o8",false)p:=g.NewProvider("abc","...").WithCredential("...","...")// ...tok:=&goic.Token{AccessToken:"current session token",Provider:p.Name}err:=g.SignOut(tok,"http://some/preconfigured/redir/uri",res,req)// redir uri is optionalerr:=g.SignOut(tok,"",res,req)

RevokeToken

Use it to revoke the token so that is incapacitated.

g:=goic.New("/auth/o8",false)p:=g.NewProvider("abc","...").WithCredential("...","...")// ...tok:=&goic.Token{AccessToken:"current session token",Provider:p.Name}err:=g.RevokeToken(tok)

Demo

GOIC has been implemented in opensource projectadhocore/urlsh:

Provider	Name	Demo URL
Google	google	urlssh.xyz/auth/o8/google
Microsoft	microsoft	urlssh.xyz/auth/o8/microsoft
Yahoo	yahoo	urlssh.xyz/auth/o8/yahoo

On successful verification your information isechoed back to you as JSON butnot saved in server (pinky promise).

TODO

~~Support refresh token grant_type~~Check #2
Tests and more tests
Release stable version
~~Support OpenIDImplicit Flow~~Check #3

License

©MIT | 2021-2099, Jitendra Adhikari

Credits

Release managed byplease.

Other projects

My other golang projects you might find interesting and useful:

gronx - Lightweight, fast and dependency-free Cron expression parser (due checker), task scheduler and/or daemon for Golang (tested on v1.13 and above) and standalone usage.
urlsh - URL shortener and bookmarker service with UI, API, Cache, Hits Counter and forwarder using postgres and redis in backend, bulma in frontend; hasweb and cli client
fast - Check your internet speed with ease and comfort right from the terminal
chin - A GO lang command line tool to show a spinner as user waits for some long running jobs to finish.