README
¶
Authenticator
A stand-alone gRPC based authentication API. Easily integrate authentication into any custom project. Authenticator takes care of user credential storage and checking. It generates JSON Web tokens for users, which easily can be verified by other servers in your ecosystem using performant and secure EdDSA public key cryptography.
Benefits:
- Added security, the user credentials live in a seperate database schema as you application's one. Creating a strict seperation in database access;
- No more password checking logic in you application. Just send a API call to authenticator and check the generated token on each subseqeuent request;
Fautures
- gRPC based, simply implement a client in your own preferred language by compiling protobuffer files;
- Support for master/slave database setups using our own MultiDB library;
- Admin panel for user management;
- A basic HTTP based login server, based on redirects;
- Argon2 hashed password storage;
- User groups and "audiences" for fine grained authorization checking;
- Comes with the verify Go library, which has ready to use token verification methods to integration even easier;
Status
This project is still under heavy development. We've recently deployed a beta version of the gRPC and admin server.
Future plans
- Two factor authentication
- OAuth2 provider support
Development
When developing against Authenticator, there is a docker-compose.yml file which sets up a development infrastructure. It start a postgresql instance, runs the neccesary migrations and start the server instances. You can download the Compose file or run this from the root of the repository:
docker compose up
- The authenticator gRPC server will be served at port 8765.
- The admin interface will be served at port 1234.
The defaut user is "admin@localhost", password "admin", member of the group "primary" and audience "authenticator".
Protocol buffers
The authenticator server uses gRPC through protocol buffers generation. To regenerate the gRPC definitions, run:
protoc --go_out=plugins=grpc:$(go env GOPATH)/src authenticator.proto
Documentation
¶
Index ¶
- Variables
- func RegisterAuthenticatorServer(s *grpc.Server, srv AuthenticatorServer)
- type AuthReply
- type AuthenticatorClient
- type AuthenticatorServer
- type CallBackUrl
- func (*CallBackUrl) Descriptor() ([]byte, []int)deprecated
- func (x *CallBackUrl) GetBaseUrl() string
- func (x *CallBackUrl) GetParams() map[string]*StringSlice
- func (x *CallBackUrl) GetTokenKey() string
- func (*CallBackUrl) ProtoMessage()
- func (x *CallBackUrl) ProtoReflect() protoreflect.Message
- func (x *CallBackUrl) Reset()
- func (x *CallBackUrl) String() string
- type ChangePwReply
- type Exists
- type KeyID
- type NewUserPassword
- func (*NewUserPassword) Descriptor() ([]byte, []int)deprecated
- func (m *NewUserPassword) GetCredential() isNewUserPassword_Credential
- func (x *NewUserPassword) GetEmail() string
- func (x *NewUserPassword) GetNewPassword() string
- func (x *NewUserPassword) GetOldPassword() string
- func (x *NewUserPassword) GetResetToken() string
- func (*NewUserPassword) ProtoMessage()
- func (x *NewUserPassword) ProtoReflect() protoreflect.Message
- func (x *NewUserPassword) Reset()
- func (x *NewUserPassword) String() string
- type NewUserPassword_OldPassword
- type NewUserPassword_ResetToken
- type PublicKey
- type PublicUser
- type RegistrationData
- func (*RegistrationData) Descriptor() ([]byte, []int)deprecated
- func (x *RegistrationData) GetEmail() string
- func (x *RegistrationData) GetName() string
- func (x *RegistrationData) GetUrl() *CallBackUrl
- func (*RegistrationData) ProtoMessage()
- func (x *RegistrationData) ProtoReflect() protoreflect.Message
- func (x *RegistrationData) Reset()
- func (x *RegistrationData) String() string
- type RegistrationReply
- type StringSlice
- type UnimplementedAuthenticatorServer
- func (*UnimplementedAuthenticatorServer) AuthenticatePwUser(context.Context, *UserPassword) (*AuthReply, error)
- func (*UnimplementedAuthenticatorServer) ChangeUserPw(context.Context, *NewUserPassword) (*ChangePwReply, error)
- func (*UnimplementedAuthenticatorServer) CheckUserExists(context.Context, *UserData) (*Exists, error)
- func (*UnimplementedAuthenticatorServer) GetPubKey(context.Context, *KeyID) (*PublicKey, error)
- func (*UnimplementedAuthenticatorServer) PublicUserToken(context.Context, *PublicUser) (*AuthReply, error)
- func (*UnimplementedAuthenticatorServer) RefreshToken(context.Context, *AuthReply) (*AuthReply, error)
- func (*UnimplementedAuthenticatorServer) RegisterPwUser(context.Context, *RegistrationData) (*RegistrationReply, error)
- func (*UnimplementedAuthenticatorServer) ResetUserPW(context.Context, *UserEmail) (*empty.Empty, error)
- func (*UnimplementedAuthenticatorServer) VerifyUser(context.Context, *AuthReply) (*AuthReply, error)
- type UserData
- type UserEmail
- type UserPassword
- func (*UserPassword) Descriptor() ([]byte, []int)deprecated
- func (x *UserPassword) GetEmail() string
- func (x *UserPassword) GetPassword() string
- func (*UserPassword) ProtoMessage()
- func (x *UserPassword) ProtoReflect() protoreflect.Message
- func (x *UserPassword) Reset()
- func (x *UserPassword) String() string
Constants ¶
This section is empty.
Variables ¶
View Source
var File_authenticator_proto protoreflect.FileDescriptor
Functions ¶
func RegisterAuthenticatorServer ¶
func RegisterAuthenticatorServer(s *grpc.Server, srv AuthenticatorServer)
Types ¶
type AuthReply ¶
type AuthReply struct {
// JSON Web Token
Jwt string `protobuf:"bytes,1,opt,name=jwt,proto3" json:"jwt,omitempty"`
// contains filtered or unexported fields
}
func (*AuthReply) Descriptor
deprecated
func (*AuthReply) ProtoMessage ¶
func (*AuthReply) ProtoMessage()
func (*AuthReply) ProtoReflect ¶ added in v0.3.0
func (x *AuthReply) ProtoReflect() protoreflect.Message
type AuthenticatorClient ¶
type AuthenticatorClient interface {
// RegisterPwUser registers a new user which can authenticate using a PW.
// Server implementation should grant the user only a public role untill verification is complete.
// Authorization: Public
RegisterPwUser(ctx context.Context, in *RegistrationData, opts ...grpc.CallOption) (*RegistrationReply, error)
// PasswordAuth authenticates the user by its registered email or username and password.
// Authorization: Public
AuthenticatePwUser(ctx context.Context, in *UserPassword, opts ...grpc.CallOption) (*AuthReply, error)
// ChangeUserPw changes the password for the user. It needs either the old password or a password reset token.
// Authorization: Public
ChangeUserPw(ctx context.Context, in *NewUserPassword, opts ...grpc.CallOption) (*ChangePwReply, error)
// CheckUserExists returns true for the UserID fields which already exists.
// Authorization: Basic
CheckUserExists(ctx context.Context, in *UserData, opts ...grpc.CallOption) (*Exists, error)
// VerifyUser by previously transmitted (email) verification token
// Authorization: Public
VerifyUser(ctx context.Context, in *AuthReply, opts ...grpc.CallOption) (*AuthReply, error)
// RefreshToken using an old (and valid!) token.
// The user id and its authorization level are verified against the database.
// Authorization: Public
RefreshToken(ctx context.Context, in *AuthReply, opts ...grpc.CallOption) (*AuthReply, error)
// PublicUserToken generates a token for public and unauthenticated users.
// Such token can be used for API access and session tracking.
// Authorization: Internal
PublicUserToken(ctx context.Context, in *PublicUser, opts ...grpc.CallOption) (*AuthReply, error)
// GetPubKey retrieves registered public keys from the database, identified by KeyIDs.
// Authorization: Internal
GetPubKey(ctx context.Context, in *KeyID, opts ...grpc.CallOption) (*PublicKey, error)
// ResetUserPW sends a password reset e-mail to a registered user.
// The e-mail will contain an URL, as per passed CallBackURL.
// The URL will contain a token which (only) can be used for setting a new password.
ResetUserPW(ctx context.Context, in *UserEmail, opts ...grpc.CallOption) (*empty.Empty, error)
}
AuthenticatorClient is the client API for Authenticator service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewAuthenticatorClient ¶
func NewAuthenticatorClient(cc grpc.ClientConnInterface) AuthenticatorClient
type AuthenticatorServer ¶
type AuthenticatorServer interface {
// RegisterPwUser registers a new user which can authenticate using a PW.
// Server implementation should grant the user only a public role untill verification is complete.
// Authorization: Public
RegisterPwUser(context.Context, *RegistrationData) (*RegistrationReply, error)
// PasswordAuth authenticates the user by its registered email or username and password.
// Authorization: Public
AuthenticatePwUser(context.Context, *UserPassword) (*AuthReply, error)
// ChangeUserPw changes the password for the user. It needs either the old password or a password reset token.
// Authorization: Public
ChangeUserPw(context.Context, *NewUserPassword) (*ChangePwReply, error)
// CheckUserExists returns true for the UserID fields which already exists.
// Authorization: Basic
CheckUserExists(context.Context, *UserData) (*Exists, error)
// VerifyUser by previously transmitted (email) verification token
// Authorization: Public
VerifyUser(context.Context, *AuthReply) (*AuthReply, error)
// RefreshToken using an old (and valid!) token.
// The user id and its authorization level are verified against the database.
// Authorization: Public
RefreshToken(context.Context, *AuthReply) (*AuthReply, error)
// PublicUserToken generates a token for public and unauthenticated users.
// Such token can be used for API access and session tracking.
// Authorization: Internal
PublicUserToken(context.Context, *PublicUser) (*AuthReply, error)
// GetPubKey retrieves registered public keys from the database, identified by KeyIDs.
// Authorization: Internal
GetPubKey(context.Context, *KeyID) (*PublicKey, error)
// ResetUserPW sends a password reset e-mail to a registered user.
// The e-mail will contain an URL, as per passed CallBackURL.
// The URL will contain a token which (only) can be used for setting a new password.
ResetUserPW(context.Context, *UserEmail) (*empty.Empty, error)
}
AuthenticatorServer is the server API for Authenticator service.
type CallBackUrl ¶
type CallBackUrl struct {
BaseUrl string `protobuf:"bytes,1,opt,name=base_url,json=baseUrl,proto3" json:"base_url,omitempty"`
// Query paramater key under which the token will be set in the callback URL.
// If empty, it defaults to "token"
TokenKey string `protobuf:"bytes,2,opt,name=token_key,json=tokenKey,proto3" json:"token_key,omitempty"`
// Other query parameters which need to be added to the callback URL.
Params map[string]*StringSlice `` /* 153-byte string literal not displayed */
// contains filtered or unexported fields
}
func (*CallBackUrl) Descriptor
deprecated
func (*CallBackUrl) Descriptor() ([]byte, []int)
Deprecated: Use CallBackUrl.ProtoReflect.Descriptor instead.
func (*CallBackUrl) GetBaseUrl ¶
func (x *CallBackUrl) GetBaseUrl() string
func (*CallBackUrl) GetParams ¶
func (x *CallBackUrl) GetParams() map[string]*StringSlice
func (*CallBackUrl) GetTokenKey ¶
func (x *CallBackUrl) GetTokenKey() string
func (*CallBackUrl) ProtoMessage ¶
func (*CallBackUrl) ProtoMessage()
func (*CallBackUrl) ProtoReflect ¶ added in v0.3.0
func (x *CallBackUrl) ProtoReflect() protoreflect.Message
func (*CallBackUrl) Reset ¶
func (x *CallBackUrl) Reset()
func (*CallBackUrl) String ¶
func (x *CallBackUrl) String() string
type ChangePwReply ¶
type ChangePwReply struct {
Success bool `protobuf:"varint,1,opt,name=success,proto3" json:"success,omitempty"`
// contains filtered or unexported fields
}
func (*ChangePwReply) Descriptor
deprecated
func (*ChangePwReply) Descriptor() ([]byte, []int)
Deprecated: Use ChangePwReply.ProtoReflect.Descriptor instead.
func (*ChangePwReply) GetSuccess ¶
func (x *ChangePwReply) GetSuccess() bool
func (*ChangePwReply) ProtoMessage ¶
func (*ChangePwReply) ProtoMessage()
func (*ChangePwReply) ProtoReflect ¶ added in v0.3.0
func (x *ChangePwReply) ProtoReflect() protoreflect.Message
func (*ChangePwReply) Reset ¶
func (x *ChangePwReply) Reset()
func (*ChangePwReply) String ¶
func (x *ChangePwReply) String() string
type Exists ¶
type Exists struct {
Email bool `protobuf:"varint,1,opt,name=email,proto3" json:"email,omitempty"`
// contains filtered or unexported fields
}
func (*Exists) Descriptor
deprecated
func (*Exists) ProtoMessage ¶
func (*Exists) ProtoMessage()
func (*Exists) ProtoReflect ¶ added in v0.3.0
func (x *Exists) ProtoReflect() protoreflect.Message
type KeyID ¶
type KeyID struct {
Kid int32 `protobuf:"varint,1,opt,name=kid,proto3" json:"kid,omitempty"`
// contains filtered or unexported fields
}
func (*KeyID) Descriptor
deprecated
func (*KeyID) ProtoMessage ¶
func (*KeyID) ProtoMessage()
func (*KeyID) ProtoReflect ¶ added in v0.3.0
func (x *KeyID) ProtoReflect() protoreflect.Message
type NewUserPassword ¶
type NewUserPassword struct {
Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
// Types that are assignable to Credential:
// *NewUserPassword_OldPassword
// *NewUserPassword_ResetToken
Credential isNewUserPassword_Credential `protobuf_oneof:"credential"`
NewPassword string `protobuf:"bytes,5,opt,name=new_password,json=newPassword,proto3" json:"new_password,omitempty"`
// contains filtered or unexported fields
}
func (*NewUserPassword) Descriptor
deprecated
func (*NewUserPassword) Descriptor() ([]byte, []int)
Deprecated: Use NewUserPassword.ProtoReflect.Descriptor instead.
func (*NewUserPassword) GetCredential ¶
func (m *NewUserPassword) GetCredential() isNewUserPassword_Credential
func (*NewUserPassword) GetEmail ¶
func (x *NewUserPassword) GetEmail() string
func (*NewUserPassword) GetNewPassword ¶
func (x *NewUserPassword) GetNewPassword() string
func (*NewUserPassword) GetOldPassword ¶
func (x *NewUserPassword) GetOldPassword() string
func (*NewUserPassword) GetResetToken ¶
func (x *NewUserPassword) GetResetToken() string
func (*NewUserPassword) ProtoMessage ¶
func (*NewUserPassword) ProtoMessage()
func (*NewUserPassword) ProtoReflect ¶ added in v0.3.0
func (x *NewUserPassword) ProtoReflect() protoreflect.Message
func (*NewUserPassword) Reset ¶
func (x *NewUserPassword) Reset()
func (*NewUserPassword) String ¶
func (x *NewUserPassword) String() string
type NewUserPassword_OldPassword ¶
type NewUserPassword_OldPassword struct {
OldPassword string `protobuf:"bytes,3,opt,name=old_password,json=oldPassword,proto3,oneof"`
}
type NewUserPassword_ResetToken ¶
type NewUserPassword_ResetToken struct {
ResetToken string `protobuf:"bytes,4,opt,name=reset_token,json=resetToken,proto3,oneof"`
}
type PublicKey ¶
type PublicKey struct {
Key []byte `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
// contains filtered or unexported fields
}
func (*PublicKey) Descriptor
deprecated
func (*PublicKey) ProtoMessage ¶
func (*PublicKey) ProtoMessage()
func (*PublicKey) ProtoReflect ¶ added in v0.3.0
func (x *PublicKey) ProtoReflect() protoreflect.Message
type PublicUser ¶
type PublicUser struct {
Uuid string `protobuf:"bytes,1,opt,name=uuid,proto3" json:"uuid,omitempty"`
// contains filtered or unexported fields
}
func (*PublicUser) Descriptor
deprecated
func (*PublicUser) Descriptor() ([]byte, []int)
Deprecated: Use PublicUser.ProtoReflect.Descriptor instead.
func (*PublicUser) GetUuid ¶
func (x *PublicUser) GetUuid() string
func (*PublicUser) ProtoMessage ¶
func (*PublicUser) ProtoMessage()
func (*PublicUser) ProtoReflect ¶ added in v0.3.0
func (x *PublicUser) ProtoReflect() protoreflect.Message
func (*PublicUser) Reset ¶
func (x *PublicUser) Reset()
func (*PublicUser) String ¶
func (x *PublicUser) String() string
type RegistrationData ¶
type RegistrationData struct {
Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
// Name is optional
Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
Url *CallBackUrl `protobuf:"bytes,3,opt,name=url,proto3" json:"url,omitempty"`
// contains filtered or unexported fields
}
func (*RegistrationData) Descriptor
deprecated
func (*RegistrationData) Descriptor() ([]byte, []int)
Deprecated: Use RegistrationData.ProtoReflect.Descriptor instead.
func (*RegistrationData) GetEmail ¶
func (x *RegistrationData) GetEmail() string
func (*RegistrationData) GetName ¶
func (x *RegistrationData) GetName() string
func (*RegistrationData) GetUrl ¶
func (x *RegistrationData) GetUrl() *CallBackUrl
func (*RegistrationData) ProtoMessage ¶
func (*RegistrationData) ProtoMessage()
func (*RegistrationData) ProtoReflect ¶ added in v0.3.0
func (x *RegistrationData) ProtoReflect() protoreflect.Message
func (*RegistrationData) Reset ¶
func (x *RegistrationData) Reset()
func (*RegistrationData) String ¶
func (x *RegistrationData) String() string
type RegistrationReply ¶
type RegistrationReply struct {
UserId int32 `protobuf:"varint,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
// contains filtered or unexported fields
}
func (*RegistrationReply) Descriptor
deprecated
func (*RegistrationReply) Descriptor() ([]byte, []int)
Deprecated: Use RegistrationReply.ProtoReflect.Descriptor instead.
func (*RegistrationReply) GetUserId ¶
func (x *RegistrationReply) GetUserId() int32
func (*RegistrationReply) ProtoMessage ¶
func (*RegistrationReply) ProtoMessage()
func (*RegistrationReply) ProtoReflect ¶ added in v0.3.0
func (x *RegistrationReply) ProtoReflect() protoreflect.Message
func (*RegistrationReply) Reset ¶
func (x *RegistrationReply) Reset()
func (*RegistrationReply) String ¶
func (x *RegistrationReply) String() string
type StringSlice ¶
type StringSlice struct {
Slice []string `protobuf:"bytes,1,rep,name=slice,proto3" json:"slice,omitempty"`
// contains filtered or unexported fields
}
func (*StringSlice) Descriptor
deprecated
func (*StringSlice) Descriptor() ([]byte, []int)
Deprecated: Use StringSlice.ProtoReflect.Descriptor instead.
func (*StringSlice) GetSlice ¶
func (x *StringSlice) GetSlice() []string
func (*StringSlice) ProtoMessage ¶
func (*StringSlice) ProtoMessage()
func (*StringSlice) ProtoReflect ¶ added in v0.3.0
func (x *StringSlice) ProtoReflect() protoreflect.Message
func (*StringSlice) Reset ¶
func (x *StringSlice) Reset()
func (*StringSlice) String ¶
func (x *StringSlice) String() string
type UnimplementedAuthenticatorServer ¶
type UnimplementedAuthenticatorServer struct {
}
UnimplementedAuthenticatorServer can be embedded to have forward compatible implementations.
func (*UnimplementedAuthenticatorServer) AuthenticatePwUser ¶
func (*UnimplementedAuthenticatorServer) AuthenticatePwUser(context.Context, *UserPassword) (*AuthReply, error)
func (*UnimplementedAuthenticatorServer) ChangeUserPw ¶
func (*UnimplementedAuthenticatorServer) ChangeUserPw(context.Context, *NewUserPassword) (*ChangePwReply, error)
func (*UnimplementedAuthenticatorServer) CheckUserExists ¶
func (*UnimplementedAuthenticatorServer) PublicUserToken ¶
func (*UnimplementedAuthenticatorServer) PublicUserToken(context.Context, *PublicUser) (*AuthReply, error)
func (*UnimplementedAuthenticatorServer) RefreshToken ¶
func (*UnimplementedAuthenticatorServer) RegisterPwUser ¶
func (*UnimplementedAuthenticatorServer) RegisterPwUser(context.Context, *RegistrationData) (*RegistrationReply, error)
func (*UnimplementedAuthenticatorServer) ResetUserPW ¶ added in v0.3.0
func (*UnimplementedAuthenticatorServer) VerifyUser ¶
type UserData ¶
type UserData struct {
Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
// contains filtered or unexported fields
}
func (*UserData) Descriptor
deprecated
func (*UserData) ProtoMessage ¶
func (*UserData) ProtoMessage()
func (*UserData) ProtoReflect ¶ added in v0.3.0
func (x *UserData) ProtoReflect() protoreflect.Message
type UserEmail ¶ added in v0.3.0
type UserEmail struct {
Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
Url *CallBackUrl `protobuf:"bytes,2,opt,name=url,proto3" json:"url,omitempty"`
// contains filtered or unexported fields
}
func (*UserEmail) Descriptor
deprecated
added in
v0.3.0
func (*UserEmail) GetUrl ¶ added in v0.3.0
func (x *UserEmail) GetUrl() *CallBackUrl
func (*UserEmail) ProtoMessage ¶ added in v0.3.0
func (*UserEmail) ProtoMessage()
func (*UserEmail) ProtoReflect ¶ added in v0.3.0
func (x *UserEmail) ProtoReflect() protoreflect.Message
type UserPassword ¶
type UserPassword struct {
Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
Password string `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
// contains filtered or unexported fields
}
UserPassword holds the e-mail of the user and its password.
func (*UserPassword) Descriptor
deprecated
func (*UserPassword) Descriptor() ([]byte, []int)
Deprecated: Use UserPassword.ProtoReflect.Descriptor instead.
func (*UserPassword) GetEmail ¶
func (x *UserPassword) GetEmail() string
func (*UserPassword) GetPassword ¶
func (x *UserPassword) GetPassword() string
func (*UserPassword) ProtoMessage ¶
func (*UserPassword) ProtoMessage()
func (*UserPassword) ProtoReflect ¶ added in v0.3.0
func (x *UserPassword) ProtoReflect() protoreflect.Message
func (*UserPassword) Reset ¶
func (x *UserPassword) Reset()
func (*UserPassword) String ¶
func (x *UserPassword) String() string
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
Package middleware provides means of verifying JWTs generated by `cmd/admin`'s login handler or similar mechanisms.
|
Package middleware provides means of verifying JWTs generated by `cmd/admin`'s login handler or similar mechanisms. |
|
Package verify provides middleware for GRPc servers which need to verify JSON Web Tokens generated by this Authenticator service.
|
Package verify provides middleware for GRPc servers which need to verify JSON Web Tokens generated by this Authenticator service. |
Click to show internal directories.
Click to hide internal directories.