This library provides "social login" with Github, Google, Facebook, Microsoft, Twitter, Yandex, Battle.net, Apple and Telegram as well as custom auth providers and email verification.
- Multiple oauth2 providers can be used at the same time
- Special
dev
provider allows local testing and development - JWT stored in a secure cookie with XSRF protection. Cookies can be session-only
- Minimal scopes with user name, id and picture (avatar) only
- Direct authentication with user's provided credential checker
- Verified authentication with user's provided sender (email, im, etc)
- Custom oauth2 server and ability to use any third party provider
- Integrated avatar proxy with an FS, boltdb and gridfs storage
- Support of user-defined storage for avatars
- Identicon for default avatars
- Black list with user-defined validator
- Multiple aud (audience) supported
- Secure key with customizable
SecretReader
- Ability to store an extra information to token and retrieve on login
- Pre-auth and post-auth hooks to handle custom use cases.
- Middleware for easy integration into http routers
- Wrappers to extract user info from the request
- Role based access control
go get -u github.com/go-pkgz/auth
Example with chi router:
func main() {
// define options
options := auth.Opts{
SecretReader: token.SecretFunc(func(id string) (string, error) { // secret key for JWT
return "secret", nil
}),
TokenDuration: time.Minute * 5, // token expires in 5 minutes
CookieDuration: time.Hour * 24, // cookie expires in 1 day and will enforce re-login
Issuer: "my-test-app",
URL: "http://127.0.0.1:8080",
AvatarStore: avatar.NewLocalFS("/tmp"),
Validator: token.ValidatorFunc(func(_ string, claims token.Claims) bool {
// allow only dev_* names
return claims.User != nil && strings.HasPrefix(claims.User.Name, "dev_")
}),
}
// create auth service with providers
service := auth.NewService(options)
service.AddProvider("github", "<Client ID>", "<Client Secret>") // add github provider
service.AddProvider("facebook", "<Client ID>", "<Client Secret>") // add facebook provider
// retrieve auth middleware
m := service.Middleware()
// setup http server
router := chi.NewRouter()
router.Get("/open", openRouteHandler) // open api
router.With(m.Auth).Get("/private", protectedRouteHandler) // protected api
// setup auth routes
authRoutes, avaRoutes := service.Handlers()
router.Mount("/auth", authRoutes) // add auth handlers
router.Mount("/avatar", avaRoutes) // add avatar handler
log.Fatal(http.ListenAndServe(":8080", router))
}
github.com/go-pkgz/auth/middleware
provides ready-to-use middleware.
middleware.Auth
- requires authenticated usermiddleware.Admin
- requires authenticated admin usermiddleware.Trace
- doesn't require authenticated user, but adds user info to requestmiddleware.RBAC
- requires authenticated user with passed role(s)
Also, there is a special middleware middleware.UpdateUser
for population and modifying UserInfo in every request. See "Customization" for more details.
Generally, adding support of auth
includes a few relatively simple steps:
- Setup
auth.Opts
structure with all parameters. Each of them documented and most of parameters are optional and have sane defaults. - Create the new
auth.Service
with provided options. - Add all desirable authentication providers.
- Retrieve middleware and http handlers from
auth.Service
- Wire auth and avatar handlers into http router as sub–routes.
For the example above authentication handlers wired as /auth
and provides:
/auth/<provider>/login?site=<site_id>&from=<redirect_url>
- site_id used asaud
claim for the token and can be processed bySecretReader
to load/retrieve/define different secrets. redirect_url is the url to redirect after successful login./avatar/<avatar_id>
- returns the avatar (image). Links to those pictures added into user info automatically, for details see "Avatar proxy"/auth/<provider>/logout
and/auth/logout
- invalidate "session" by removing JWT cookie/auth/list
- gives a json list of active providers/auth/user
- returnstoken.User
(json)
Middleware populates token.User
to request's context. It can be loaded with token.GetUserInfo(r *http.Request) (user User, err error)
or token.MustGetUserInfo(r *http.Request) User
functions.
token.User
object includes all fields retrieved from oauth2 provider:
Name
- user nameID
- hash of user idPicture
- full link to proxied avatar (see "Avatar proxy")
It also has placeholders for fields application can populate with custom token.ClaimsUpdater
(see "Customization")
IP
- hash of user's IP addressEmail
- user's emailAttributes
- map of string:any-value. To simplify management of this map some setters and getters provided, for exampleusers.StrAttr
,user.SetBoolAttr
and so on. See user.go for more details.
Direct links to avatars won't survive any real-life usage if they linked from a public page. For example, page like this may have hundreds of avatars and, most likely, will trigger throttling on provider's side. To eliminate such restriction auth
library provides an automatic proxy
- On each login the proxy will retrieve user's picture and save it to
AvatarStore
- Local (proxied) link to avatar included in user's info (jwt token)
- API for avatar removal provided as a part of
AvatarStore
- User can leverage one of the provided stores:
- In case of need custom implementations of other stores can be passed in and used by
auth
library. Each store has to implementavatar.Store
interface. - All avatar-related setup done as a part of
auth.Opts
and needs:AvatarStore
- avatar store to use, i.e.avatar.NewLocalFS("/tmp/avatars")
or more genericavatar.NewStore(uri)
- file system uri -
file:///tmp/location
or just/tmp/location
- boltdb -
bolt://tmp/avatars.bdb
- mongo -
"mongodb://127.0.0.1:27017/test?ava_db=db1&ava_coll=coll1
- file system uri -
AvatarRoutePath
- route prefix for direct links to proxied avatar. For example/api/v1/avatars
will make full links like this -http://example.com/api/v1/avatars/1234567890123.image
. The url will be stored in user's token and retrieved by middleware (see "User Info")AvatarResizeLimit
- size (in pixels) used to resize the avatar. Pls note - resize happens once as a part ofPut
call, i.e. on login. 0 size (default) disables resizing.
In addition to oauth2 providers auth.Service
allows to use direct user-defined authentication. This is done by adding direct provider with auth.AddDirectProvider
.
service.AddDirectProvider("local", provider.CredCheckerFunc(func(user, password string) (ok bool, err error) {
ok, err := checkUserSomehow(user, password)
return ok, err
}))
Such provider acts like any other, i.e. will be registered as /auth/local/login
.
The API for this provider supports both GET and POST requests:
- GET request with user credentials provided as query params:
GET /auth/<name>/login?user=<user>&passwd=<password>&aud=<site_id>&session=[1|0]
- POST request could be encoded as application/x-www-form-urlencoded or application/json:
POST /auth/<name>/login?session=[1|0] body: application/x-www-form-urlencoded user=<user>&passwd=<password>&aud=<site_id>
POST /auth/<name>/login?session=[1|0] body: application/json { "user": "name", "passwd": "xyz", "aud": "bar", }
note: password parameter doesn't have to be naked/real password and can be any kind of password hash prepared by caller.
Another non-oauth2 provider allowing user-confirmed authentication, for example by email or slack or telegram. This is
done by adding confirmed provider with auth.AddVerifProvider
.
msgTemplate := "Confirmation email, token: {{.Token}}"
service.AddVerifProvider("email", msgTemplate, sender)
Message template may use the follow elements:
{{.Address}}
- user address, for example email{{.User}}
- user name{{.Token}}
- confirmation token{{.Site}}
- site ID
Sender should be provided by end-user and implements a single function interface
type Sender interface {
Send(address string, text string) error
}
For convenience a functional wrapper SenderFunc
provided. Email sender provided in provider/sender
package and can be
used as Sender
.
The API for this provider:
GET /auth/<name>/login?user=<user>&address=<adsress>&aud=<site_id>&from=<url>
- send confirmation request to userGET /auth/<name>/login?token=<conf.token>&sess=[1|0]
- authorize with confirmation token
The provider acts like any other, i.e. will be registered as /auth/email/login
.
Telegram provider allows your users to log in with Telegram account. First, you will need to create your bot. Contact @BotFather and follow his instructions to create your own bot (call it, for example, "My site auth bot")
Next initialize TelegramHandler with following parameters:
ProviderName
- Any unique name to distinguish between providersSuccessMsg
- Message sent to user on successfull authenticationErrorMsg
- Message sent on errors (e.g. login request expired)Telegram
- Telegram API implementation. Use provider.NewTelegramAPI with following arguments- The secret token bot father gave you
- An http.Client for accessing Telegram API's
token := os.Getenv("TELEGRAM_TOKEN")
telegram := provider.TelegramHandler{
ProviderName: "telegram",
ErrorMsg: "❌ Invalid auth request. Please try clicking link again.",
SuccessMsg: "✅ You have successfully authenticated!",
Telegram: provider.NewTelegramAPI(token, http.DefaultClient),
L: log.Default(),
TokenService: service.TokenService(),
AvatarSaver: service.AvatarProxy(),
}
After that run provider and register it's handlers:
// Run Telegram provider in the background
go func() {
err := telegram.Run(context.Background())
if err != nil {
log.Fatalf("[PANIC] failed to start telegram: %v", err)
}
}()
// Register Telegram provider
service.AddCustomHandler(&telegram)
Now all your users have to do is click one of the following links and press start
tg://resolve?domain=<botname>&start=<token>
or https://t.me/<botname>/?start=<token>
Use the following routes to interact with provider:
-
/auth/<providerName>/login
- Obtain auth token. Returns JSON object withbot
(bot username) andtoken
(token itself) fields. -
/auth/<providerName>/login?token=<token>
- Check if auth request has been confirmed (i.e. user pressed start). Sets session cookie and returns user info on success, errors with 404 otherwise. -
/auth/<providerName>/logout
- Invalidate user session.
This provider brings two extra functions:
- Adds ability to use any third-party oauth2 providers in addition to the list of directly supported. Included example demonstrates how to do it for bitbucket.
In order to add a new oauth2 provider following input is required:
Name
- any name is allowed except the names from list of supported providers. It is possible to register more than one client for one given oauth2 provider (for example using different namesbitbucket_dev
andbitbucket_prod
)Client
- ID and secret of clientEndpoint
- auth URL and token URL. This information could be obtained from auth2 provider pageInfoURL
- oauth2 provider API method to read information of logged in user. This method could be found in documentation of oauth2 provider (e.g. for bitbucket https://developer.atlassian.com/bitbucket/api/2/reference/resource/user)MapUserFn
- function to convert the response fromInfoURL
totoken.User
(s. example below)Scopes
- minimal needed scope to read user information. Client should be authorized to these scopes
c := auth.Client{ Cid: os.Getenv("AEXMPL_BITBUCKET_CID"), Csecret: os.Getenv("AEXMPL_BITBUCKET_CSEC"), } service.AddCustomProvider("bitbucket", c, provider.CustomHandlerOpt{ Endpoint: oauth2.Endpoint{ AuthURL: "https://bitbucket.org/site/oauth2/authorize", TokenURL: "https://bitbucket.org/site/oauth2/access_token", }, InfoURL: "https://api.bitbucket.org/2.0/user/", MapUserFn: func(data provider.UserData, _ []byte) token.User { userInfo := token.User{ ID: "bitbucket_" + token.HashID(sha1.New(), data.Value("username")), Name: data.Value("nickname"), } return userInfo }, Scopes: []string{"account"}, })
- Adds local oauth2 server user can fully customize. It uses
gopkg.in/oauth2.v3
library and example shows how to initialize the server and setup a provider.- to start local oauth2 server following options are required:
URL
- url of oauth2 server with portWithLoginPage
- flag to define whether login page should be shownLoginPageHandler
- function to handle login request. If not specified default login page will be shown
sopts := provider.CustomServerOpt{ URL: "http://127.0.0.1:9096", L: options.Logger, WithLoginPage: true, } prov := provider.NewCustomServer(srv, sopts) // Start server go prov.Run(context.Background())
- to register handler for local oauth2 following option are required:
Name
- any name except the names from list of supported providersClient
- ID and secret of clientHandlerOpt
- handler options of custom oauth provider
service.AddCustomProvider("custom123", auth.Client{Cid: "cid", Csecret: "csecret"}, prov.HandlerOpt)
- to start local oauth2 server following options are required:
Additionally it is possible to implement own auth handler. It may be useful if auth provider does not conform to oauth standard. Self-implemented handler has to implement provider.Provider
interface.
// customHandler implements provider.Provider interface
c := customHandler{}
// add customHandler to stack of auth handlers
service.AddCustomHandler(c)
There are several ways to adjust functionality of the library:
SecretReader
- interface with a single methodGet(aud string) string
to return the secret used for JWT signing and verificationClaimsUpdater
- interface withUpdate(claims Claims) Claims
method. This is the primary way to alter a token at login time and add any attributes, set ip, email, admin status, roles and so on.Validator
- interface withValidate(token string, claims Claims) bool
method. This is post-token hook and will be called on each request wrapped withAuth
middleware. This will be the place for special logic to reject some tokens or users.UserUpdater
- interface withUpdate(claims token.User) token.User
method. This method will be called on each request wrapped withUpdateUser
middleware. This will be the place for special logic modify User Info in request context. Example of usage.
All of the interfaces above have corresponding Func adapters - SecretFunc
, ClaimsUpdFunc
, ValidatorFunc
and UserUpdFunc
.
Restricting some users or some tokens is two step process:
ClaimsUpdater
sets an attribute, likeblocked
(orallowed
)Validator
checks the attribute and returns true/false
This technique used in the example code
The process can be simplified by doing all checks directly in Validator
, but depends on particular case such solution
can be too expensive because Validator
runs on each request as a part of auth middleware. In contrast, ClaimsUpdater
called on token creation/refresh only.
For complex systems a single authenticator may serve multiple distinct subsystems or multiple set of independent users. For example some SaaS offerings may need to provide different authentications for different customers and prevent use of tokens/cookies made by another customer.
Such functionality can be implemented in 3 different ways:
- Different instances of
auth.Service
each one with different secret. Doing this way will ensure the highest level of isolation and cookies/tokens won't be even parsable across the instances. Practically such architecture can be too complicated and not always possible. – Handling "allowed audience" as a part ofClaimsUpdater
andValidator
chain. I.e.ClaimsUpdater
sets a claim indicating expected audience code/id andValidator
making sure it matches. This way a singleauth.Service
could handle multiple groups of auth tokens and reject some based on the audience. - Using the standard JWT
aud
claim. This method conceptually very similar to the previous one, but done by library internally and consumer don't need to define specialClaimsUpdater
andValidator
logic.
In order to allow aud
support the list of allowed audiences should be passed in as opts.Audiences
parameter. Non-empty value will trigger internal checks for token generation (will reject token creation for alien aud
) as well as Auth
middleware.
Working with oauth2 providers can be a pain, especially during development phase. A special, development-only provider dev
can make it less painful. This one can be registered directly, i.e. service.AddProvider("dev", "", "")
or service.AddDevProvider(port)
and should be activated like this:
// runs dev oauth2 server on :8084 by default
go func() {
devAuthServer, err := service.DevAuth()
if err != nil {
log.Fatal(err)
}
devAuthServer.Run()
}()
It will run fake aouth2 "server" on port :8084 and user could login with any user name. See example for more details.
Warning: this is not the real oauth2 server but just a small fake thing for development and testing only. Don't use dev
provider with any production code.
In addition to the primary method (i.e. JWT cookie with XSRF header) there are two more ways to authenticate:
- Send JWT header as
X-JWT
. This shouldn't be used for web application, however can be helpful for service-to-service authentication. - Send JWT token as query parameter, i.e.
/something?token=<jwt>
- Basic access authentication, for more details see below Basic authentication.
In some cases the middleware.Authenticator
allow use Basic access authentication, which transmits credentials as user-id/password pairs, encoded using Base64 (RFC7235).
When basic authentication used, client doesn't get auth token in response. It's auth type expect credentials in a header Authorization
at every client request. It can be helpful, if client side not support cookie/token store (e.g. embedded device or custom apps).
This mode disabled by default and will be enabled with options.
The auth
package has two options of basic authentication:
- simple basic auth will be enabled if
Opts.AdminPasswd
defined. This will allow access with basic auth admin:<Opts.AdminPasswd> with user admin. Such method can be used for automation scripts. - basic auth with custom checker function, which allow adding user data from store to context of request. It will be enabled if
Opts.BasicAuthChecker
defined. WhenBasicAuthChecker
defined thenOpts.AdminPasswd
option will be ignore.
options := auth.Opts{
//...
AdminPasswd: "admin_secret_password", // will ignore if BasicAuthChecker defined
BasicAuthChecker: func(user, passwd string) (bool, token.User, error) {
if user == "basic_user" && passwd == "123456" {
return true, token.User{Name: user, Role: "test_r"}, nil
}
return false, token.User{}, errors.New("basic auth credentials check failed")
}
//...
}
By default, this library doesn't print anything to stdout/stderr, however user can pass a logger implementing logger.L
interface with a single method Logf(format string, args ...interface{})
. Functional adapter for this interface included as logger.Func
. There are two predefined implementations in the logger
package - NoOp
(prints nothing, default) and Std
wrapping log.Printf
from stdlib.
Authentication handled by external providers. You should setup oauth2 for all (or some) of them to allow users to authenticate. It is not mandatory to have all of them, but at least one should be correctly configured.
To configure this provider, a user requires an Apple developer account (without it setting up a sign in with Apple is impossible). Sign in with Apple lets users log in to your app using their two-factor authentication Apple ID.
Follow to next steps for configuring on the Apple side:
- Log in to the developer account.
- If you don't have an App ID yet, create one. Later on, you'll need TeamID, which is an "App ID Prefix" value.
- Enable the "Sign in with Apple" capability for your App ID in the Certificates, Identifiers & Profiles section.
- Create Service ID and bind with App ID from the previous step. Apple will display the description field value to end-users on sign-in. You'll need that service Identifier as a ClientID later on**.**
- Configure "Sign in with Apple" for created Service ID. Add domain where you will use that auth on to "Domains and subdomains" and its main page URL (like
https://example.com/
to "Return URLs". - Register a New Key (private key) for the "Sign in with Apple" feature and download it. Write down the Key ID. This key will be used to create JWT Client Secret.
- Add your domain name and sender email in the Certificates, Identifiers & Profiles >> More section as a new Email Source.
After completing the previous steps, you can proceed with configuring the Apple auth provider. Here are the parameters for AppleConfig:
- ClientID (required) - Service ID identifier which is used for Sign with Apple
- TeamID (required) - Identifier a developer account (use as prefix for all App ID)
- KeyID (required) - Identifier a generated key for Sign with Apple
// apple config parameters
appleCfg := provider.AppleConfig{
TeamID: os.Getenv("AEXMPL_APPLE_TID"), // developer account identifier
ClientID: os.Getenv("AEXMPL_APPLE_CID"), // service identifier
KeyID: os.Getenv("AEXMPL_APPLE_KEYID"), // private key identifier
}
Then add an Apple provider that accepts the following parameters:
appleConfig (provider.AppleConfig)
created aboveprivateKeyLoader (PrivateKeyLoaderInterface)
PrivateKeyLoaderInterface
implements a loader for the private key (which you downloaded above) to create a client_secret
. The user can use a pre-defined function provider.LoadApplePrivateKeyFromFile(filePath string)
to load the private key from local file.
AddAppleProvide
tries to load private key at call and return an error if load failed. Always check error when calling this provider.
if err := service.AddAppleProvider(appleCfg, provider.LoadApplePrivateKeyFromFile("PATH_TO_PRIVATE_KEY_FILE")); err != nil {
log.Fatalf("[ERROR] failed create to AppleProvider: %v", err)
}
Limitation:
-
Map a userName (if specific scope defined) is only sent in the upon initial user sign up. Subsequent logins to your app using Sign In with Apple with the same account do not share any user info and will only return a user identifier in IDToken claims. This behaves correctly until a user delete sign in for you service with Apple ID in own Apple account profile (security section). It is recommend that you securely cache the at first login containing the user info for bind it with a user UID at next login. Provider always get user
UID
(sub
claim) inIDToken
. -
Apple doesn't have an API for fetch avatar and user info.
See example before use.
- Create a new project: https://console.developers.google.com/project
- Choose the new project from the top right project dropdown (only if another project is selected)
- In the project Dashboard center pane, choose "API Manager"
- In the left Nav pane, choose "Credentials"
- In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
- In the center pane, choose "Credentials" tab.
- Open the "New credentials" drop down
- Choose "OAuth client ID"
- Choose "Web application"
- Application name is freeform, choose something appropriate
- Authorized origins is your domain ex:
https://example.mysite.com
- Authorized redirect URIs is the location of oauth2/callback constructed as domain +
/auth/google/callback
, ex:https://example.mysite.com/auth/google/callback
- Choose "Create"
- Take note of the Client ID and Client Secret
instructions for google oauth2 setup borrowed from oauth2_proxy
- Register a new application using the Azure portal.
- Under "Authentication/Platform configurations/Web" enter the correct url constructed as domain +
/auth/microsoft/callback
. i.e.https://example.mysite.com/auth/microsoft/callback
- In "Overview" take note of the Application (client) ID
- Choose the new project from the top right project dropdown (only if another project is selected)
- Select "Certificates & secrets" and click on "+ New Client Secret".
- Create a new "OAuth App": https://github.com/settings/developers
- Fill "Application Name" and "Homepage URL" for your site
- Under "Authorization callback URL" enter the correct url constructed as domain +
/auth/github/callback
. iehttps://example.mysite.com/auth/github/callback
- Take note of the Client ID and Client Secret
- From https://developers.facebook.com select "My Apps" / "Add a new App"
- Set "Display Name" and "Contact email"
- Choose "Facebook Login" and then "Web"
- Set "Site URL" to your domain, ex:
https://example.mysite.com
- Under "Facebook login" / "Settings" fill "Valid OAuth redirect URIs" with your callback url constructed as domain +
/auth/facebook/callback
- Select "App Review" and turn public flag on. This step may ask you to provide a link to your privacy policy.
- Create a new "OAuth App": https://oauth.yandex.com/client/new
- Fill "App name" for your site
- Under Platforms select "Web services" and enter "Callback URI #1" constructed as domain +
/auth/yandex/callback
. iehttps://example.mysite.com/auth/yandex/callback
- Select Permissions. You need following permissions only from the "Yandex.Passport API" section:
- Access to user avatar
- Access to username, first name and surname, gender
- Fill out the rest of fields if needed
- Take note of the ID and Password
For more details refer to Yandex OAuth and Yandex.Passport API documentation.
- Log into Battle.net as a developer: https://develop.battle.net/nav/login-redirect
- Click "+ CREATE CLIENT" https://develop.battle.net/access/clients/create
- For "Client name", enter whatever you want
- For "Redirect URLs", one of the lines must be "http[s]://your_remark_installation:port//auth/battlenet/callback", e.g. https://localhost:8443/auth/battlenet/callback or https://remark.mysite.com/auth/battlenet/callback
- For "Service URL", enter the URL to your site or check "I do not have a service URL for this client." checkbox if you don't have any
- For "Intended use", describe the application you're developing
- Click "Save".
- You can see your client ID and client secret at https://develop.battle.net/access/clients by clicking the client you created
For more details refer to Complete Guide of Battle.net OAuth API and Login Button or the official Battle.net OAuth2 guide
- Create a new twitter application https://developer.twitter.com/en/apps
- Fill App name and Description and URL of your site
- In the field Callback URLs enter the correct url of your callback handler e.g. https://example.mysite.com/{route}/twitter/callback
- Under Key and tokens take note of the Consumer API Key and Consumer API Secret key. Those will be used as
cid
andcsecret
The library extracted from remark42 project. The original code in production use on multiple sites and seems to work fine.
go-pkgz/auth
library still in development and until version 1 released some breaking changes possible.