Module / package version: 0.0.0-20211118052253-4806e31e4f6b
Repository: https://github.com/inklabs/goauth2.git
Documentation: pkg.go.dev
# README
## Go OAuth2 Server
An OAuth2 server in Go. This project uses an embedded RangeDB event store.

### Docker
```sh
docker run -p 8080:8080 inklabs/goauth2
```
### Client Credentials Grant
```text
+---------+                                  +---------------+
|         |                                  |               |
|         |>--(A)- Client Authentication --->| Authorization |
| Client  |                                  |     Server    |
|         |<--(B)---- Access Token ---------<|               |
|         |                                  |               |
+---------+                                  +---------------+
```
```sh
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=client_credentials" \
  -d "scope=read_write"
```
```json
{
  "access_token": "d5f4985587ea46028c0946e4a240a9c1",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write"
}
```
### Resource Owner Password Credentials
```text
+----------+
| Resource |
|  Owner   |
|          |
+----------+
     v
     |    Resource Owner
    (A) Password Credentials
     |
     v
+---------+                                  +---------------+
|         |>--(B)---- Resource Owner ------->|               |
|         |         Password Credentials     | Authorization |
| Client  |                                  |     Server    |
|         |<--(C)---- Access Token ---------<|               |
|         |    (w/ Optional Refresh Token)   |               |
+---------+                                  +---------------+
```
```sh
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=password" \
  -d "[email protected]" \
  -d "password=Pass123!" \
  -d "scope=read_write"
```
```json
{
  "access_token": "a3c5300be4d24e65a68176c7ba521c50",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "3a801b1fc3d847599b3d5719d82bca7b"
}
```
### Refresh Token
```text
+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+
```
```sh
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=refresh_token" \
  -d "refresh_token=3a801b1fc3d847599b3d5719d82bca7b"
```
```json
{
  "access_token": "97ed11d0d399454eb5ab2cab8b29f600",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "b4c69a71124641739f6a83b786b332d3"
}
```
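The three token-endpoint grants above (client credentials, resource owner password credentials, refresh token) share one shape: a POST to `/token`, authenticated with the client's Basic credentials, answered by a JSON token. The Go code below is an added example and not part of the goauth2 project. It performs the `client_credentials` and `refresh_token` requests and validates the answer (HTTP status, `token_type`, `expires_at`) before the token is trusted. The mock `/token` server, its credential check and every token string in it are constructed for the example; only the request parameters and the response fields are taken from the README.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// TokenResponse mirrors the JSON the /token endpoint returns in the curl examples above.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	ExpiresAt    int64  `json:"expires_at"`
	TokenType    string `json:"token_type"`
	Scope        string `json:"scope"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// requestToken posts a grant to tokenURL with HTTP Basic client authentication, as
// `curl -u client_id_hash:client_secret_hash` does, and validates the response. now is injected for testability.
func requestToken(tokenURL, clientID, clientSecret string, form url.Values, now time.Time) (*TokenResponse, error) {
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tok TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	// Only Bearer tokens are expected; an empty or already-expired token must not be cached and presented.
	if tok.TokenType != "Bearer" || tok.AccessToken == "" {
		return nil, fmt.Errorf("unusable token response (token_type=%q)", tok.TokenType)
	}
	if !time.Unix(tok.ExpiresAt, 0).After(now) {
		return nil, fmt.Errorf("token already expired at %d", tok.ExpiresAt)
	}
	return &tok, nil
}

// clientCredentialsGrant is the "Client Credentials Grant" request above.
func clientCredentialsGrant(tokenURL, id, secret, scope string, now time.Time) (*TokenResponse, error) {
	return requestToken(tokenURL, id, secret, url.Values{"grant_type": {"client_credentials"}, "scope": {scope}}, now)
}

// refreshTokenGrant is the "Refresh Token" request above; the response rotates refresh_token, so store it and drop the old one.
func refreshTokenGrant(tokenURL, id, secret, refreshToken string, now time.Time) (*TokenResponse, error) {
	return requestToken(tokenURL, id, secret, url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}}, now)
}

// newMockTokenServer is a constructed stand-in for the goauth2 container's /token endpoint (not the
// project's code): it authenticates the client, serves the two grants above and rotates the refresh token.
func newMockTokenServer(clientID, clientSecret string, expiresAt int64) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		tok := TokenResponse{TokenType: "Bearer", ExpiresAt: expiresAt, Scope: "read_write"}
		switch r.PostFormValue("grant_type") {
		case "client_credentials":
			tok.AccessToken = "cc-access-token-constructed"
		case "refresh_token":
			if r.PostFormValue("refresh_token") != "rt-old-constructed" {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
				return
			}
			tok.AccessToken, tok.RefreshToken = "rt-access-token-constructed", "rt-new-constructed"
		default:
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tok)
	}))
}

func main() {
	srv := newMockTokenServer("client_id_hash", "client_secret_hash", time.Now().Add(time.Hour).Unix())
	defer srv.Close()
	tok, err := clientCredentialsGrant(srv.URL+"/token", "client_id_hash", "client_secret_hash", "read_write", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("client_credentials access_token:", tok.AccessToken)
}
```

Point `tokenURL` at `http://localhost:8080/token` to run the same client against the Docker container instead of the mock. Note that the README's refresh responses carry a different `refresh_token` each time: a client that keeps using the old value after a successful refresh will be rejected, so persist the new one atomically with the new access token.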
### Authorization Code
```text
+----------+
| Resource |
|   Owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
```
```sh
open http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=code&state=somestate&scope=read_write
```
- Login via the web form ([email protected] | Pass123!)
- Click the button to grant access
- The authorization server redirects back to the redirection URI, including an authorization code and any state provided by the client:
```text
https://example.com/oauth2/callback?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate
```
```sh
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=authorization_code" \
  -d "code=36e2807ee1f94252ac2d9b1d3adf2ba2" \
  -d "redirect_uri=https://example.com/oauth2/callback"
```
```json
{
  "access_token": "865382b944024b2394167d519fa80cba",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "48403032170e46e8af72b7cca1612b43"
}
```
### Implicit
```text
+----------+
| Resource |
|  Owner   |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier     +---------------+
|         -+----(A)-- & Redirection URI --->|               |
|  User-   |                                | Authorization |
|  Agent  -|----(B)-- User authenticates -->|     Server    |
|          |                                |               |
|          |<---(C)--- Redirection URI ----<|               |
|          |          with Access Token     +---------------+
|          |            in Fragment
|          |                                +---------------+
|          |----(D)--- Redirection URI ---->|   Web-Hosted  |
|          |          without Fragment      |     Client    |
|          |                                |    Resource   |
|     (F)  |<---(E)------- Script ---------<|               |
|          |                                +---------------+
+-|--------+
  |    |
 (A)  (G) Access Token
  |    |
  ^    v
+---------+
|         |
|  Client |
|         |
+---------+
```
```sh
open http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=token&state=somestate&scope=read_write
```
- Login via the web form ([email protected] | Pass123!)
- Click the button to grant access
- The authorization server redirects back to the redirection URI, including an access token and any state provided by the client in the URI fragment:
```text
https://example.com/oauth2/callback#access_token=1e21103279e549779a9b5c07d50e641d&expires_at=1574371565&scope=read_write&state=somestate&token_type=Bearer
```
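In both redirect-based flows above, the client receives only what the authorization server placed on its redirection URI: a `code` in the query string for the Authorization Code grant, or an `access_token` in the URI fragment for the Implicit grant (the fragment stays in the browser and is never sent to the server hosting the callback). Before using either, the client has to confirm that the response landed on the registered `redirect_uri` and that `state` equals the value it sent to `/authorize`, so that a forged or replayed callback is not exchanged for a token in the wrong session. The Go code below is an added example, not goauth2 code: the URLs it parses are the two redirects shown in the walkthroughs above, and the function and type names are the example's own.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
)

// CallbackResult is what the client extracts from the redirect back to its
// redirection URI: a code (response_type=code, in the query string) or an
// access token (response_type=token, in the fragment).
type CallbackResult struct {
	Code, AccessToken, TokenType, ExpiresAt, Scope string
}

// parseCallback checks a redirect URL against the redirect_uri and state the
// client used in its /authorize request. The exact redirect_uri comparison and
// the constant-time state check stop a forged or replayed callback from being
// accepted for a session that did not start this flow.
func parseCallback(rawURL, expectedRedirectURI, expectedState string) (*CallbackResult, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	// Scheme, host and path must match the registered URI exactly; only the
	// query and fragment may differ, because that is where the response lives.
	base := url.URL{Scheme: u.Scheme, Host: u.Host, Path: u.Path}
	if base.String() != expectedRedirectURI {
		return nil, fmt.Errorf("redirect landed on %q, registered redirect_uri is %q", base.String(), expectedRedirectURI)
	}
	// Authorization code flow: parameters in the query. Implicit flow: in the fragment.
	params := u.Query()
	if u.Fragment != "" {
		if params, err = url.ParseQuery(u.Fragment); err != nil {
			return nil, err
		}
	}
	if e := params.Get("error"); e != "" {
		return nil, fmt.Errorf("authorization server returned %q: %s", e, params.Get("error_description"))
	}
	// state binds the callback to the session that started the flow; an empty
	// expected state means the client never stored one and must refuse.
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(params.Get("state")), []byte(expectedState)) != 1 {
		return nil, errors.New("state missing or does not match the value bound to this session")
	}
	res := &CallbackResult{
		Code:        params.Get("code"),
		AccessToken: params.Get("access_token"),
		TokenType:   params.Get("token_type"),
		ExpiresAt:   params.Get("expires_at"),
		Scope:       params.Get("scope"),
	}
	if res.Code == "" && res.AccessToken == "" {
		return nil, errors.New("callback carries neither code nor access_token")
	}
	return res, nil
}

// codeExchangeForm builds the body of the follow-up POST /token shown in the
// authorization_code curl above: the code plus the same redirect_uri that was
// sent to /authorize, which the server compares before issuing a token.
func codeExchangeForm(code, redirectURI string) url.Values {
	return url.Values{
		"grant_type":   {"authorization_code"},
		"code":         {code},
		"redirect_uri": {redirectURI},
	}
}

func main() {
	const redirectURI = "https://example.com/oauth2/callback"
	// The redirect from the Authorization Code walkthrough above.
	res, err := parseCallback(redirectURI+"?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate", redirectURI, "somestate")
	if err != nil {
		panic(err)
	}
	fmt.Println("token request body:", codeExchangeForm(res.Code, redirectURI).Encode())
}
```

For the Implicit grant the same function reads the fragment, but only code running in the browser ever sees it; a server-side callback handler receives `https://example.com/oauth2/callback` with nothing after it. That is also why the token ends up in browser history and any script on the page, which is the usual reason to prefer the Authorization Code grant for new clients.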
# Functions
AuthorizationCodeCommandTypes returns all command types goauth2.authorizationCode supports.
ClientApplicationCommandTypes returns all command types goauth2.clientApplication supports.
GeneratePasswordHash returns a password hash using bcrypt.GenerateFromPassword.
New constructs an OAuth2 CQRS application.
NewAuthorizationCodeRefreshTokens constructs an AuthorizationCodeRefreshTokens projection.
RefreshTokenCommandTypes returns all command types goauth2.refreshToken supports.
ResourceOwnerCommandTypes returns all command types goauth2.resourceOwner supports.
VerifyPassword verifies a password using bcrypt.CompareHashAndPassword.
WithClock is a functional option to inject a clock.
WithLogger is a functional option to inject a Logger.
WithStore is a functional option to inject a RangeDB Event Store.
WithTokenGenerator is a functional option to inject a token generator.
# Constants
Version for Go OAuth2.
# Variables
ErrAuthorizationCodeNotFound is a defined error for missing authorization code.
# Structs
App is the OAuth2 CQRS application.
AuthorizationCodeRefreshTokens is a projection mapping authorization codes to refresh tokens.
RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectURI
# Interfaces
Command is the interface for CQRS commands.
PendingEvents is the interface for retrieving CQRS events that will be saved to the event store.
TokenGenerator defines a token generator for refresh tokens and authorization codes.
# Type aliases
Option defines functional option parameters for App.