oauth-pkce-proxy

command module

v0.0.0-...-a6b5faa Latest Latest Go to latest Published: Jun 1, 2021 License: MIT Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/goeven/oauth-pkce-proxy

Links

Open Source Insights

README ¶

⚠️ This project has not been security audited. Use at your own risk.

oauth-pkce-proxy

A stateless proxy that enables the PKCE extension (RFC 7636) to the OAuth Authorization Code Flow, for authorization servers that don't support it yet.

The server is stateless and, therefore, doesn't depend on a database being deployed or doesn't have to be run as a single instance. This is accomplished by using the state field in the authorization flow to pass data between the authorization request and the authorization callback. All the sensitive data (code_challenge and code from the target authorization server) is signed and encrypted, and only the proxy should be able to access it.

Flow

The client app starts a PKCE authorization flow with the proxy's endpoint (/oauth/authorization)
The proxy encrypts the code_challenge value into the state field and redirects to the target authorization server
The user authorizes the app and will be redirected to the proxy's /callback endpoint
The proxy callback encrypts the code received from the target authorization server and stores it and the already encrypted code_challenge into the authorization code returned to the client app
The client app sends the access token request to the proxy (/oauth/token) alongside the code_verifier, the proxy decrypts the encrypted data (the upstream authorization code and the initial code_challenge), verifies that the PKCE is correct and exchanges the target authorization code for an access token which is passed directly to the client app.

Running the proxy

Configuration

Take a look at .env.sample to see what environment variables you need to configure.

For the OAUTH_ variables, you will need to do a couple of things:

Create an OAuth app on your OAuth provider webpage; for the Redirect URL you should use the proxy's callback URL (depending on where you are hosting the proxy, it will be something like myproxyhost.com/callback); set the OAUTH_REDIRECT_URL with the same callback URL
When creating an OAuth app you should be provided with a client ID and a client secret; these should be set in OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET respectively
The OAuth provider should document its authorization and token endpoints; the URLs should be set in OAUTH_AUTH_URL and OAUTH_TOKEN_URL

You will also need 2 secrets:

A JWT signing key to be stored in the JWT_SIGNING_KEY environment variable
An encryption key used to encrypt the sensitive data that we don't want accessible on the user's device, stored in ENCRYPTION_KEY

PORT defines the port on which the HTTP server will listen.

References

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL