README
¶
Go OAuth2 Server
An OAuth2 server in Go. This project uses an embedded RangeDB event store.
Docs
Docker
docker run -p 8080:8080 inklabs/goauth2
Client Credentials Grant
+---------+ +---------------+
| | | |
| |>--(A)- Client Authentication --->| Authorization |
| Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | | |
+---------+ +---------------+
curl localhost:8080/token \
-u client_id_hash:client_secret_hash \
-d "grant_type=client_credentials" \
-d "scope=read_write"
{
"access_token": "d5f4985587ea46028c0946e4a240a9c1",
"expires_at": 1574371565,
"token_type": "Bearer",
"scope": "read_write"
}
Resource Owner Password Credentials
+----------+
| Resource |
| Owner |
| |
+----------+
v
| Resource Owner
(A) Password Credentials
|
v
+---------+ +---------------+
| |>--(B)---- Resource Owner ------->| |
| | Password Credentials | Authorization |
| Client | | Server |
| |<--(C)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+---------+ +---------------+
curl localhost:8080/token \
-u client_id_hash:client_secret_hash \
-d "grant_type=password" \
-d "username=john@example.com" \
-d "password=Pass123!" \
-d "scope=read_write"
{
"access_token": "a3c5300be4d24e65a68176c7ba521c50",
"expires_at": 1574371565,
"token_type": "Bearer",
"scope": "read_write",
"refresh_token": "3a801b1fc3d847599b3d5719d82bca7b"
}
Refresh Token
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
curl localhost:8080/token \
-u client_id_hash:client_secret_hash \
-d "grant_type=refresh_token" \
-d "refresh_token=3a801b1fc3d847599b3d5719d82bca7b"
{
"access_token": "97ed11d0d399454eb5ab2cab8b29f600",
"expires_at": 1574371565,
"token_type": "Bearer",
"scope": "read_write",
"refresh_token": "b4c69a71124641739f6a83b786b332d3"
}
Authorization Code
+----------+
| Resource |
| Owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)-- & Redirection URI ---->| |
| User- | | Authorization |
| Agent -+----(B)-- User authenticates --->| Server |
| | | |
| -+----(C)-- Authorization Code ---<| |
+-|----|---+ +---------------+
| | ^ v
(A) (C) | |
| | | |
^ v | |
+---------+ | |
| |>---(D)-- Authorization Code ---------' |
| Client | & Redirection URI |
| | |
| |<---(E)----- Access Token -------------------'
+---------+ (w/ Optional Refresh Token)
open http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=code&state=somestate&scope=read_write
- Login via the web form (john@example.com | Pass123!)
- Click button to grant access
- The authorization server redirects back to the redirection URI including an authorization code and any state provided by the client
https://example.com/oauth2/callback?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate
curl localhost:8080/token \
-u client_id_hash:client_secret_hash \
-d "grant_type=authorization_code" \
-d "code=36e2807ee1f94252ac2d9b1d3adf2ba2" \
-d "redirect_uri=https://example.com/oauth2/callback"
{
"access_token": "865382b944024b2394167d519fa80cba",
"expires_at": 1574371565,
"token_type": "Bearer",
"scope": "read_write",
"refresh_token": "48403032170e46e8af72b7cca1612b43"
}
Implicit
+----------+
| Resource |
| Owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)-- & Redirection URI --->| |
| User- | | Authorization |
| Agent -|----(B)-- User authenticates -->| Server |
| | | |
| |<---(C)--- Redirection URI ----<| |
| | with Access Token +---------------+
| | in Fragment
| | +---------------+
| |----(D)--- Redirection URI ---->| Web-Hosted |
| | without Fragment | Client |
| | | Resource |
| (F) |<---(E)------- Script ---------<| |
| | +---------------+
+-|--------+
| |
(A) (G) Access Token
| |
^ v
+---------+
| |
| Client |
| |
+---------+
open http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=token&state=somestate&scope=read_write
- Login via the web form (john@example.com | Pass123!)
- Click button to grant access
- The authorization server redirects back to the redirection URI including an access token and any state provided by the client in the URI fragment
https://example.com/oauth2/callback#access_token=1e21103279e549779a9b5c07d50e641d&expires_at=1574371565&scope=read_write&state=somestate&token_type=Bearer
Documentation
¶
Index ¶
- Constants
- Variables
- func AuthorizationCodeCommandTypes() []string
- func ClientApplicationCommandTypes() []string
- func GeneratePasswordHash(password string) string
- func RefreshTokenCommandTypes() []string
- func ResourceOwnerCommandTypes() []string
- func VerifyPassword(hash string, password string) bool
- type AccessTokenWasIssuedToClientApplicationViaClientCredentialsGrant
- type AccessTokenWasIssuedToUserViaAuthorizationCodeGrant
- type AccessTokenWasIssuedToUserViaImplicitGrant
- type AccessTokenWasIssuedToUserViaROPCGrant
- type AccessTokenWasIssuedToUserViaRefreshTokenGrant
- type AccessTokenWasRevokedDueToPreviouslyUsedRefreshToken
- type App
- type AuthorizationCodeRefreshTokens
- type AuthorizationCodeWasIssuedToUser
- type AuthorizationCodeWasIssuedToUserViaAuthorizationCodeGrant
- type AuthorizeUserToOnBoardClientApplications
- type AuthorizeUserToOnBoardClientApplicationsWasRejectedDueToMissingAuthorizingUser
- type AuthorizeUserToOnBoardClientApplicationsWasRejectedDueToMissingTargetUser
- type AuthorizeUserToOnBoardClientApplicationsWasRejectedDueToNonAdministrator
- type ClientApplicationWasOnBoarded
- type Command
- type CommandDispatcher
- type CommandHandler
- type CommandHandlerFactory
- type GrantUserAdministratorRole
- type GrantUserAdministratorRoleWasRejectedDueToMissingGrantingUser
- type GrantUserAdministratorRoleWasRejectedDueToMissingTargetUser
- type GrantUserAdministratorRoleWasRejectedDueToNonAdministrator
- type IssueAuthorizationCodeToUser
- type IssueRefreshTokenToUser
- type OnBoardClientApplication
- type OnBoardClientApplicationWasRejectedDueToInsecureRedirectURI
- type OnBoardClientApplicationWasRejectedDueToInvalidRedirectURI
- type OnBoardClientApplicationWasRejectedDueToUnAuthorizeUser
- type OnBoardUser
- type OnBoardUserWasRejectedDueToExistingUser
- type OnBoardUserWasRejectedDueToInsecurePassword
- type OnBoardUserWasRejectedDueToNonAdministrator
- type Option
- type PendingEvents
- type PreCommandHandler
- type RefreshTokenWasIssuedToUser
- type RefreshTokenWasIssuedToUserViaAuthorizationCodeGrant
- type RefreshTokenWasIssuedToUserViaROPCGrant
- type RefreshTokenWasIssuedToUserViaRefreshTokenGrant
- type RefreshTokenWasRevokedFromUser
- type RequestAccessTokenViaAuthorizationCodeGrant
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToExpiredAuthorizationCode
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToInvalidAuthorizationCode
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationID
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectURI
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationSecret
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToPreviouslyUsedAuthorizationCode
- type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToUnmatchedClientApplicationID
- type RequestAccessTokenViaClientCredentialsGrant
- type RequestAccessTokenViaClientCredentialsGrantWasRejectedDueToInvalidClientApplicationID
- type RequestAccessTokenViaClientCredentialsGrantWasRejectedDueToInvalidClientApplicationSecret
- type RequestAccessTokenViaImplicitGrant
- type RequestAccessTokenViaImplicitGrantWasRejectedDueToInvalidClientApplicationID
- type RequestAccessTokenViaImplicitGrantWasRejectedDueToInvalidClientApplicationRedirectURI
- type RequestAccessTokenViaImplicitGrantWasRejectedDueToInvalidUser
- type RequestAccessTokenViaImplicitGrantWasRejectedDueToInvalidUserPassword
- type RequestAccessTokenViaROPCGrant
- type RequestAccessTokenViaROPCGrantWasRejectedDueToInvalidClientApplicationCredentials
- type RequestAccessTokenViaROPCGrantWasRejectedDueToInvalidUser
- type RequestAccessTokenViaROPCGrantWasRejectedDueToInvalidUserPassword
- type RequestAccessTokenViaRefreshTokenGrant
- type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToInvalidClientApplicationCredentials
- type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToInvalidRefreshToken
- type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToInvalidScope
- type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToPreviouslyUsedRefreshToken
- type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToRevokedRefreshToken
- type RequestAuthorizationCodeViaAuthorizationCodeGrant
- type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationID
- type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectURI
- type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUser
- type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidUserPassword
- type RevokeRefreshTokenFromUser
- type TokenGenerator
- type UserWasAuthorizedToOnBoardClientApplications
- type UserWasGrantedAdministratorRole
- type UserWasOnBoarded
Constants ¶
View Source
const Version = "0.1.0-dev"
Version for Go OAuth2.
Variables ¶
View Source
var ErrAuthorizationCodeNotFound = fmt.Errorf("authorization code not found")
ErrAuthorizationCodeNotFound is a defined error for missing authorization code.
Functions ¶
func AuthorizationCodeCommandTypes ¶
func AuthorizationCodeCommandTypes() []string
AuthorizationCodeCommandTypes returns all command types goauth2.authorizationCode supports.
func ClientApplicationCommandTypes ¶
func ClientApplicationCommandTypes() []string
ClientApplicationCommandTypes returns all command types goauth2.clientApplication supports.
func GeneratePasswordHash ¶
GeneratePasswordHash returns a password using bcrypt.GenerateFromPassword.
func RefreshTokenCommandTypes ¶
func RefreshTokenCommandTypes() []string
RefreshTokenCommandTypes returns all command types goauth2.refreshToken supports.
func ResourceOwnerCommandTypes ¶
func ResourceOwnerCommandTypes() []string
ResourceOwnerCommandTypes returns all command types goauth2.resourceOwner supports.
func VerifyPassword ¶
VerifyPassword verifies a password using bcrypt.CompareHashAndPassword.
Types ¶
type AccessTokenWasRevokedDueToPreviouslyUsedRefreshToken ¶
type AccessTokenWasRevokedDueToPreviouslyUsedRefreshToken struct {
RefreshToken string `json:"refreshToken"`
}
type App ¶
type App struct {
// contains filtered or unexported fields
}
App is the OAuth2 CQRS application.
func (*App) SubscribeAndReplay ¶
func (a *App) SubscribeAndReplay(subscribers ...rangedb.RecordSubscriber) error
SubscribeAndReplay subscribes and replays all events starting with zero.
type AuthorizationCodeRefreshTokens ¶
type AuthorizationCodeRefreshTokens struct {
// contains filtered or unexported fields
}
AuthorizationCodeRefreshTokens is a projection mapping authorization codes to refresh tokens.
func NewAuthorizationCodeRefreshTokens ¶
func NewAuthorizationCodeRefreshTokens() *AuthorizationCodeRefreshTokens
NewAuthorizationCodeRefreshTokens constructs an AuthorizationCodeRefreshTokens projection.
func (*AuthorizationCodeRefreshTokens) Accept ¶
func (a *AuthorizationCodeRefreshTokens) Accept(record *rangedb.Record)
Accept receives a rangedb.Record.
func (*AuthorizationCodeRefreshTokens) GetAuthorizationCode ¶
func (a *AuthorizationCodeRefreshTokens) GetAuthorizationCode(refreshToken string) (string, error)
GetAuthorizationCode returns a single authorization code from a refresh token.
func (*AuthorizationCodeRefreshTokens) GetTokens ¶
func (a *AuthorizationCodeRefreshTokens) GetTokens(authorizationCode string) []string
GetTokens returns all refresh tokens by authorizationCode.
type Command ¶
type Command interface {
rangedb.AggregateMessage
CommandType() string
}
Command is the interface for CQRS commands.
type CommandDispatcher ¶
type CommandHandler ¶
type CommandHandler interface {
PendingEvents
Handle(command Command)
}
type CommandHandlerFactory ¶
type CommandHandlerFactory func(command Command) CommandHandler
type IssueRefreshTokenToUser ¶
type OnBoardUser ¶
type Option ¶
type Option func(*App)
Option defines functional option parameters for App.
func WithLogger ¶
WithLogger is a functional option to inject a Logger.
func WithTokenGenerator ¶
func WithTokenGenerator(generator TokenGenerator) Option
WithTokenGenerator is a functional option to inject a token generator.
type PendingEvents ¶
PendingEvents is the interface for retrieving CQRS events that will be saved to the event store.
type PreCommandHandler ¶
type PreCommandHandler interface {
PendingEvents
CommandTypes() []string
Handle(command Command) (shouldContinue bool)
}
type RequestAccessTokenViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectURI ¶
type RequestAccessTokenViaClientCredentialsGrantWasRejectedDueToInvalidClientApplicationID ¶
type RequestAccessTokenViaClientCredentialsGrantWasRejectedDueToInvalidClientApplicationID struct {
ClientID string `json:"clientID"`
}
type RequestAccessTokenViaClientCredentialsGrantWasRejectedDueToInvalidClientApplicationSecret ¶
type RequestAccessTokenViaClientCredentialsGrantWasRejectedDueToInvalidClientApplicationSecret struct {
ClientID string `json:"clientID"`
}
type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToPreviouslyUsedRefreshToken ¶
type RequestAccessTokenViaRefreshTokenGrantWasRejectedDueToPreviouslyUsedRefreshToken struct {
RefreshToken string `json:"refreshToken"`
}
type RequestAuthorizationCodeViaAuthorizationCodeGrantWasRejectedDueToInvalidClientApplicationRedirectURI ¶
type TokenGenerator ¶
type TokenGenerator interface {
New() string
}
TokenGenerator defines a token generator for refresh tokens and authorization codes.
Source Files
¶
- authorization_code.go
- authorization_code_commands.go
- authorization_code_events.go
- authorization_code_process_manager.go
- authorization_code_refresh_tokens_projection.go
- client_application.go
- client_application_command_authorization.go
- client_application_commands.go
- client_application_events.go
- commands.go
- events.go
- goauth2.go
- passwords.go
- refresh_token.go
- refresh_token_commands.go
- refresh_token_events.go
- refresh_token_process_manager.go
- resource_owner.go
- resource_owner_command_authorization.go
- resource_owner_commands.go
- resource_owner_events.go
Directories
Click to show internal directories.
Click to hide internal directories.