README
¶
OAuth2 For Humans
It supports both 'installed app' and 'service account' flows. The user can use each of these seamlessly.
The use case is to simplify supporting a client app to use either a role account (via a private key) or impersonate a user (via a client key). HTTP token renewal is done automatically and transparently.
Documentation
¶
Overview ¶
Package ofh is OAuth2 For Humans.
It supports both 'installed app' and 'service account' flows. The user can use each of these seamlessly.
The use case is to simplify supporting a client app to use either a role account (via a private key) or impersonate a user (via a client key). Token renewal is done automatically.
Index ¶
- func Prompt(authURL string) string
- type InstalledApp
- func (i *InstalledApp) ClearDirtyBit()
- func (i *InstalledApp) GetClient(scope string, r http.RoundTripper) (*http.Client, error)
- func (i *InstalledApp) GetClientPrompt(scope string, r http.RoundTripper, prompt PromptFunc) (*http.Client, error)
- func (i *InstalledApp) Lock()
- func (i *InstalledApp) ShouldSave() bool
- func (i *InstalledApp) Unlock()
- type OAuth2ClientProvider
- type OAuth2Settings
- type PromptFunc
- type ServiceAccount
- type StubProvider
- type TokenCache
- Bugs
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type InstalledApp ¶
type InstalledApp struct {
ClientID string
ClientSecret string
AuthURL string
TokenURL string
ScopedTokenCache map[string]*TokenCache // The cache is important to reduce redundant requests.
// contains filtered or unexported fields
}
An InstalledApp OAuth2 credential is not a proper identity by itself. It is a token to be used to denote that the application or server is secure just enough to ask a third party (a user) to lend his identity to the application on his behalf. It can be used in multiple ways but the most frequent should be:
- A web service application wanting to identify the user or to access a third party service on the user's behalf, e.g. accessing his Google Drive files. See https://developers.google.com/accounts/docs/OAuth2WebServer for details.
- An installed application (e.g. mobile app or CLI app) to do the same thing as a web service application but as an app running on the user's machine. See https://developers.google.com/accounts/docs/OAuth2InstalledApp for details.
This struct also stores a cache of tokens for serialization so creating multiple entries will reuse the same token automatically.
func MakeInstalledApp ¶
func MakeInstalledApp() *InstalledApp
MakeInstalledApp returns an initialized InstalledApp instance with commonly used parameters.
func (*InstalledApp) ClearDirtyBit ¶
func (i *InstalledApp) ClearDirtyBit()
ClearDirtyBit resets the dirty bit, which should be set after saving the token cache.
func (*InstalledApp) GetClient ¶
func (i *InstalledApp) GetClient(scope string, r http.RoundTripper) (*http.Client, error)
GetClient returns an OAuth2 enabled *http.Client using the installed app workflow.
It asks a third party (a user) to lends his personality for this application to use on his behalf. This prompts the user to generate an authentication code.
Redirecting to localhost is currently not supported.
func (*InstalledApp) GetClientPrompt ¶
func (i *InstalledApp) GetClientPrompt(scope string, r http.RoundTripper, prompt PromptFunc) (*http.Client, error)
GetClientPrompt permits specifying a Prompt function over GetClient.
func (*InstalledApp) Lock ¶
func (i *InstalledApp) Lock()
Lock is to be used during serialization of the object.
func (*InstalledApp) ShouldSave ¶
func (i *InstalledApp) ShouldSave() bool
ShouldSave returns true if the cache is dirty and should be saved.
func (*InstalledApp) Unlock ¶
func (i *InstalledApp) Unlock()
Unlock is to be used during serialization of the object.
type OAuth2ClientProvider ¶
type OAuth2ClientProvider interface {
// GetClient returns an *http.Client enabled for the corresponding scope on
// the specified http.RoundTripper. If r is nil, a default transport will be
// used.
GetClient(scope string, r http.RoundTripper) (*http.Client, error)
}
OAuth2ClientProvider is a reference to an OAuth2 enabled *http.Client provider.
All of OAuth2Settings, InstalledApp and ServiceAccount implement this interface.
type OAuth2Settings ¶
type OAuth2Settings struct {
InstalledApp InstalledApp
ServiceAccount ServiceAccount
}
OAuth2Settings is a serializable struct that holds the oauth2 information to identify this server to a remote service.
It is a grab bag instance that can be used when you don't know in advance if the application will use a user token or a service account token. The service account will be used first if configured.
func MakeOAuth2Settings ¶
func MakeOAuth2Settings() *OAuth2Settings
MakeOAuth2Settings returns an initialized OAuth2Settings instance with commonly used parameters.
func (*OAuth2Settings) GetClient ¶
func (o *OAuth2Settings) GetClient(scope string, r http.RoundTripper) (*http.Client, error)
GetClient returns a local client style OAuth2 http.Client with the configured credentials.
type PromptFunc ¶
PromptFunc is used by installed client applications for authentication without a web browser. This is useful for example when using an application on an headless machine (e.g. without a graphical interface).
This function will be called during the authentication phase.
type ServiceAccount ¶
type ServiceAccount struct {
// It should be a number that can be retrieved via
// https://code.google.com/apis/console/ through a twisted maze of links.
// See https://developers.google.com/storage/docs/projects for more details.
ProjectID string
ClientID string // Currently not used.
EmailAddress string
PrivateKey string
}
A ServiceAccount is a proper identity. This is why the private key must be kept secure since anyone having the private key can present itself as this service account. A service account is not strictly speaking 'a user'.
A service account can impersonate a user but this requires a "prn" claim and the author of this document has no idea how to do this.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount describes how to use the server's identity.
When obtaining a key from the Google API console it will be downloaded in a PKCS12 encoding. To use this key you will need to convert it to a PEM file. This can be achieved with openssl.
$ openssl pkcs12 -in <key.p12> -nocerts -passin pass:notasecret -nodes -out <key.pem>
func (*ServiceAccount) GetClient ¶
func (s *ServiceAccount) GetClient(scope string, r http.RoundTripper) (*http.Client, error)
GetClient returns an OAuth2 authenticated http.Client that uses the identity of the server.
A private key is required to assert the identity.
type StubProvider ¶
type StubProvider struct {
Scopes []string
// contains filtered or unexported fields
}
StubProvider implements OAuth2ClientProvider but doesn't do anything, it is only meant for testing.
func MakeStubProvider ¶
func MakeStubProvider(client *http.Client) *StubProvider
MakeStubProvider returns an initialized StubProvider.
func (*StubProvider) GetClient ¶
func (s *StubProvider) GetClient(scope string, r http.RoundTripper) (*http.Client, error)
GetClient implements OAuth2ClientProvider.
type TokenCache ¶
TokenCache specifies the methods that implements an oauth2.Token cache. An oauth2.Token contains the AccessToken and RefreshToken, so that as soon as a connection is authenticated, other connections using the same cache will be able to reuse the token as-is.
It is exported so it can be serialized safely.
Notes ¶
Bugs ¶
This is cheezy to prompt the user during an HTTP request.
Add option of http://localhost:<port> to remove the need of copy-pasting.
Source Files