0.0.0-20211118052253-4806e31e4f6b
Repository: https://github.com/inklabs/goauth2.git
Documentation: pkg.go.dev
# Packages
No description provided by the author
# README
## Go OAuth2 Server
An OAuth2 server in Go. This project uses an embedded RangeDB event store.
### Docker

```sh
docker run -p 8080:8080 inklabs/goauth2
```
### Client Credentials Grant

```
+---------+                                  +---------------+
|         |                                  |               |
|         |>--(A)- Client Authentication --->| Authorization |
| Client  |                                  |     Server    |
|         |<--(B)---- Access Token ---------<|               |
|         |                                  |               |
+---------+                                  +---------------+
```

```sh
curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=client_credentials" \
    -d "scope=read_write"
```

```json
{
  "access_token": "d5f4985587ea46028c0946e4a240a9c1",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write"
}
```
### Resource Owner Password Credentials

```
+----------+
| Resource |
|  Owner   |
|          |
+----------+
     v
     |    Resource Owner
    (A) Password Credentials
     |
     v
+---------+                                  +---------------+
|         |>--(B)---- Resource Owner ------->|               |
|         |         Password Credentials     | Authorization |
| Client  |                                  |     Server    |
|         |<--(C)---- Access Token ---------<|               |
|         |    (w/ Optional Refresh Token)   |               |
+---------+                                  +---------------+
```

```sh
curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=password" \
    -d "username=[email protected]" \
    -d "password=Pass123!" \
    -d "scope=read_write"
```

```json
{
  "access_token": "a3c5300be4d24e65a68176c7ba521c50",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "3a801b1fc3d847599b3d5719d82bca7b"
}
```
### Refresh Token

```
+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+
```

```sh
curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=refresh_token" \
    -d "refresh_token=3a801b1fc3d847599b3d5719d82bca7b"
```

```json
{
  "access_token": "97ed11d0d399454eb5ab2cab8b29f600",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "b4c69a71124641739f6a83b786b332d3"
}
```
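Client-side handling of the token responses shown above, as an added Go example that is not code from goauth2. It treats `expires_at` as an absolute Unix timestamp and replaces the stored refresh token when the server returns a different one, as the sample refresh response does; `Session`, `Apply` and `NeedsRefresh` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Sample bodies copied from the README responses above.
const passwordResp = `{"access_token":"a3c5300be4d24e65a68176c7ba521c50","expires_at":1574371565,"token_type":"Bearer","scope":"read_write","refresh_token":"3a801b1fc3d847599b3d5719d82bca7b"}`
const refreshResp = `{"access_token":"97ed11d0d399454eb5ab2cab8b29f600","expires_at":1574371565,"token_type":"Bearer","scope":"read_write","refresh_token":"b4c69a71124641739f6a83b786b332d3"}`

// TokenResponse: expires_at is an absolute Unix time, not a relative expires_in.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	ExpiresAt    int64  `json:"expires_at"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"`
}

type Session struct{ Current TokenResponse } // hypothetical client-side holder

// Apply validates a /token response body and replaces the stored tokens.
func (s *Session) Apply(body string) error {
	var tr TokenResponse
	if err := json.Unmarshal([]byte(body), &tr); err != nil {
		return fmt.Errorf("decode token response: %w", err)
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return fmt.Errorf("unexpected token response")
	}
	if tr.RefreshToken == "" { // none issued: keep the one we already hold
		tr.RefreshToken = s.Current.RefreshToken
	}
	s.Current = tr // a newly issued refresh token replaces the submitted one
	return nil
}

// NeedsRefresh reports whether the access token expires within skew of now.
func (s *Session) NeedsRefresh(now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(time.Unix(s.Current.ExpiresAt, 0))
}

func main() {
	s := &Session{}
	fmt.Println(s.Apply(passwordResp), s.Apply(refreshResp))
	fmt.Println(s.Current.RefreshToken, s.NeedsRefresh(time.Now(), time.Minute))
}
```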
### Authorization Code

```
+----------+
| Resource |
|   Owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
```

```sh
# Quote the URL so the shell does not treat "&" as a command separator.
open "http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=code&state=somestate&scope=read_write"
```
- Login via the web form ([email protected] | Pass123!)
- Click button to grant access
- The authorization server redirects back to the redirection URI including an authorization code and any state provided by the client
```
https://example.com/oauth2/callback?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate
```

```sh
curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=authorization_code" \
    -d "code=36e2807ee1f94252ac2d9b1d3adf2ba2" \
    -d "redirect_uri=https://example.com/oauth2/callback"
```

```json
{
  "access_token": "865382b944024b2394167d519fa80cba",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "48403032170e46e8af72b7cca1612b43"
}
```
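How a client can handle the redirect in step (C) before making the token request in step (D), as an added Go example that is not code from goauth2: it rejects a callback whose `state` does not match the value the client issued, then builds the form body sent by the `curl` command above. `ParseCallback` and `TokenForm` are hypothetical names, and the client is assumed to have stored the expected state in the user's session.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/url"
)

// ParseCallback validates the redirect the client receives in step (C) and
// returns the authorization code. expectedState is the value the client
// generated and bound to the user's session before redirecting to /authorize.
func ParseCallback(callback, expectedState string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", fmt.Errorf("parse callback: %w", err)
	}
	q := u.Query()
	// A missing or different state means this response does not belong to a
	// request started by this session, so the code must not be redeemed.
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	code := q.Get("code")
	if code == "" {
		return "", fmt.Errorf("missing code")
	}
	return code, nil
}

// TokenForm builds the POST /token body for step (D). redirectURI must be the
// same value that was sent to /authorize.
func TokenForm(code, redirectURI string) url.Values {
	return url.Values{
		"grant_type":   {"authorization_code"},
		"code":         {code},
		"redirect_uri": {redirectURI},
	}
}

func main() {
	// Callback URL taken from the README walkthrough above.
	cb := "https://example.com/oauth2/callback?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate"
	code, err := ParseCallback(cb, "somestate")
	fmt.Println(code, err)
	fmt.Println(TokenForm(code, "https://example.com/oauth2/callback").Encode())
}
```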
### Implicit

```
+----------+
| Resource |
|  Owner   |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier     +---------------+
|         -+----(A)-- & Redirection URI --->|               |
|  User-   |                                | Authorization |
|  Agent  -|----(B)-- User authenticates -->|     Server    |
|          |                                |               |
|          |<---(C)--- Redirection URI ----<|               |
|          |          with Access Token     +---------------+
|          |            in Fragment
|          |                                +---------------+
|          |----(D)--- Redirection URI ---->|   Web-Hosted  |
|          |          without Fragment      |     Client    |
|          |                                |    Resource   |
|     (F)  |<---(E)------- Script ---------<|               |
|          |                                +---------------+
+-|--------+
  |    |
 (A)  (G) Access Token
  |    |
  ^    v
+---------+
|         |
|  Client |
|         |
+---------+
```

```sh
# Quote the URL so the shell does not treat "&" as a command separator.
open "http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=token&state=somestate&scope=read_write"
```
- Login via the web form ([email protected] | Pass123!)
- Click button to grant access
- The authorization server redirects back to the redirection URI including an access token and any state provided by the client in the URI fragment
```
https://example.com/oauth2/callback#access_token=1e21103279e549779a9b5c07d50e641d&expires_at=1574371565&scope=read_write&state=somestate&token_type=Bearer
```