Skip to content

adamgoose/goauth-experiment

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
cmd
cmd
 
 
lib
lib
 
 
.envrc.example
.envrc.example
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Go Auth Experiment

Welcome to the super simple Golang Authentication Experiment!

In this experiment, you'll write Golang code to fetch an Access Token from an OAuth2/OIDC Server. Once you've fetched an access token, you'll be able to run a local API server which will verify your token.

It's important to note that this is a flow typically executed from a browser. It can also be implemented from a CLI like this, but it's awkward to have to open a browser tab. You'll recognize this behavior from tsh login and vault login -method=oidc.

Read the instructions below fully before beginning. It'll be useful for you to understand the entire process before diving in.

  1. Clone the repo, install Go, and make sure you can run the program with go run .
  2. Copy the provided .envrc file and make sure the values are loaded with direnv allow
  3. Open the cmd/client.go file. Notice that it's your job to populate accessToken
  4. Use the golang.org/x/oauth2 library to generate an AuthCodeURL
  • Use http:https://localhost:9000/oauth/callback as your RedirectURL value
  • Use the github.com/coreos/go-oidc library to fetch Endpoint value
  • Access config values with viper.GetString("issuer_url") for example
  1. Run an HTTP server on localhost:9000. Upon receiving a request, extract the code Query Parameter from the Request URL
  2. Print your Auth Code URL to the console so that you can open it in your browser
  3. Login, and you'll be redirected back to your HTTP server on localhost:9000 with a code
  4. Once your HTTP server receives a request and you have a code, use the golang.org/x/oauth2 library again to Exchange the code for an access token

Use go run . client to iteratively test your changes. You can return nil anywhere in the command to bail early. You can use spew.Dump(something) to spit out a debug representation of a variable.

Once you have a valid accessToken, pass it to TestAccessToken. To test it, you'll have to first run a server.

  • In one shell, run go run . server
  • In another, run go run . client

OAuth2 Flow Diagram

  1. This is equivalent to you choosing to execute go run . client
  2. This is you clicking on the AuthCodeURL that your code prints out
  3. This is your localhost:9000 HTTP server extracting the code
  4. Authorization is implicit in our use case.
  5. Authorization is implicit in our use case.
  6. This happens inside Authentic during the Exchange
  7. This is you Exchangeing the code for an access token
  8. This is you Exchangeing the code for an access token

A. This happens in /cmd/client.go:TestAccesToken B. We don't actually do this. We just trust the IdP's JWKs (public keys) C. We don't actually do this. We just trust the IdP's JWKs (public keys) D. This happens in /lib/auth.go:Middleware

Server API Reference

When you run go run . server, the fake API server will be available at http:https://localhost:9090.

  • GET / - Public - {"challenge": "string"}
  • GET /api/secret - Protected - {"prize":"string","recipient":"string"}

Hints

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages