A library for performing OAuth Device flow and Web application flow in Go client apps.

Overview

oauth

A library for Go client applications that need to perform OAuth authorization against a server, typically GitHub.com.


Traditionally, OAuth for web applications involves redirecting to a URI after the user authorizes an app. While web apps (and some native client apps) can receive a browser redirect, client apps such as CLI applications do not have such an option.

To accommodate client apps, this library implements the OAuth Device Authorization Grant, which GitHub.com now supports. With Device flow, the user is presented with a one-time code that they enter in a web browser while authorizing the app on the server. Device flow is suitable for cases where the web browser may be running on a different device from the client app itself; for example, a CLI application could run within a headless, containerized instance while the user completes authorization using a browser on their phone.

To transparently enable OAuth authorization on any GitHub host (e.g. GHES instances without OAuth “Device flow” support), this library also bundles an implementation of OAuth web application flow in which the client app starts a local server at http://127.0.0.1:/ that acts as a receiver for the browser redirect. First, Device flow is attempted, and the localhost server is used as fallback. With the localhost server, the user's web browser must be running on the same machine as the client application itself.
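The loopback receiver described above has to reject any redirect that does not belong to the login attempt it started. The following is an added example, not code from this library: `newState` and `callbackHandler` are hypothetical names, and the `code` and `state` query parameters are the standard OAuth 2.0 ones.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
)

// newState returns an unguessable value that binds the redirect to this login attempt.
func newState() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback if the CSPRNG fails
	}
	return fmt.Sprintf("%x", b)
}

// callbackHandler (hypothetical name) accepts one redirect carrying the expected state.
func callbackHandler(wantState string, codes chan<- string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("code") == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(wantState)) != 1 {
			http.Error(w, "invalid callback", http.StatusBadRequest)
			return
		}
		select {
		case codes <- q.Get("code"):
			fmt.Fprintln(w, "Authorization complete. You may close this tab.")
		default: // a code was already delivered; refuse a second one
			http.Error(w, "already completed", http.StatusConflict)
		}
	})
}

func main() { // demo: a constructed request stands in for the browser redirect
	state, codes := newState(), make(chan string, 1)
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, OS-assigned port
	if err != nil {
		panic(err)
	}
	go http.Serve(ln, callbackHandler(state, codes))
	resp, err := http.Get(fmt.Sprintf("http://%s/?code=demo-code&state=%s", ln.Addr(), state))
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	fmt.Println("received code:", <-codes)
}
```

Binding to `127.0.0.1` rather than all interfaces keeps the receiver unreachable from other hosts, and the state check keeps other local processes or web pages from feeding it a code.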

Usage

Applications that need more control over the user experience around authentication should directly interface with github.com/cli/oauth/device and github.com/cli/oauth/webapp packages.

In theory, these packages would enable authorization on any OAuth-enabled host. In practice, however, this was only tested for authorizing with GitHub.

Issues
  • Expose refresh token (used by GitHub Apps)

    GitHub Apps have the ability to expose refresh_tokens when identifying and authorizing users using either the device or web flow.

    This refresh token is valid for 6 months and can be exchanged for a fresh access token (valid for 8 hours) and a new refresh token.

    This PR exposes the refresh_token that is returned when using the OAuth flow with a GitHub App.

    opened by swinton 4
  • Support third-party OAuth hosts

    This pull request should make some headway to supporting further OAuth providers than just GitHub. This pull request doesn't introduce specific support for anything, but provides an API to allow third-parties to their flavour endpoints.


    Not all OAuth hosts use the same routes as GitHub, for example:

    • Microsoft use /oauth2/v2.0/devicecode
    • Google use /device/code
    • Auth0 use /oauth/device/code

    Similar differences are present for the authorise and access token routes too.

    This commit introduces a concept of a Server, which is a container for the endpoints that the library uses. This is a replacement for Flow's Hostname and as such is a breaking change.

    opened by jamierocks 2
  • Can I create an access token with SSO enabled?

    I'm trying to create a CLI tool for internal use at my company that can access an internal repository in our GitHub Enterprise Cloud organization (we have SSO enabled). I can use this library to successfully create an access token for my account, but I can't use the access token to access my repository. Is it possible to request that the access token have SSO enabled programmatically so that I can use it to hit an internal repository, or would I be better off just asking my users to provide a personal access token with SSO already enabled?

    opened by mfcollins3 2
  • What's Changed

    • Support filtering PRs authored by GitHub Apps by @joshmgross in https://github.com/cli/cli/pull/5180
    • Alias list as ls for all commands by @CGA1123 in https://github.com/cli/cli/pull/5214
    • Change how gh-cli is installed on fedora by @Hanjingxue-Boling in https://github.com/cli/cli/pull/5204
    • gh auth login: added flags to partially automate flow by @jonathan-enf in https://github.com/cli/cli/pull/5158
    • Use StringEnumFlag helper in more places by @mislav in https://github.com/cli/cli/pull/5221
    • Misc. docs improvements by @mislav in https://github.com/cli/cli/pull/5223
    • :nail_care: Update triage.md by @mislav in https://github.com/cli/cli/pull/5238
    • Codespaces Create: Allow Accepting Permissions by @markphelps in https://github.com/cli/cli/pull/5234
    • Bump github.com/itchyny/gojq from 0.12.6 to 0.12.7 by @dependabot in https://github.com/cli/cli/pull/5263
    • Fix HexToRGB panic by @markphelps in https://github.com/cli/cli/pull/5247
    • Fix obtained scope mapping to include implied scopes by @mario-campos in https://github.com/cli/cli/pull/5256

    New Contributors

    • @CGA1123 made their first contribution in https://github.com/cli/cli/pull/5214
    • @Hanjingxue-Boling made their first contribution in https://github.com/cli/cli/pull/5204
    • @jonathan-enf made their first contribution in https://github.com/cli/cli/pull/5158
    • @markphelps made their first contribution in https://github.com/cli/cli/pull/5234
    • @mario-campos made their first contribution in https://github.com/cli/cli/pull/5256

    Full Changelog: https://github.com/cli/cli/compare/v2.5.1...v2.5.2


    This discussion was created from the release GitHub CLI 2.5.2.

    Originally posted by @github-actions[bot] in https://github.com/cli/cli/discussions/5265

    opened by RazazR 0
  • No worries. We'll try to add a test before this merges ✌️

    Originally posted by @mislav in https://github.com/cli/cli/issues/4285#issuecomment-914291823

    opened by Lilmomma42 0
  • Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message.

    Originally posted by @cliAutomation in https://github.com/cli/cli/issues/3943#issuecomment-873312434

    opened by ghost 0
  • Add support for custom strings in Device Flow

    On the device flow, add support to specify the message to be shown to the user.

    On oauth_device.go, currently the messages are:

    	fmt.Fprintf(stdout, "First, copy your one-time code: %s\n", code.UserCode)
    	fmt.Fprint(stdout, "Then press [Enter] to continue in the web browser... ")

    opened by alfredovaldes 0
  • Support Google "OAuth 2.0 for TV and Limited-Input Device Applications"

    With some minor changes, this library can be made to work with Google's "OAuth 2.0 for TV and Limited-Input Device Applications". There are just two small changes to make:

    • Google returns a verification_url instead of verification_uri, and
    • Google requires the client_secret when polling for tokens.

    Example authentication

    Copy code: QCP-GZV-LGZ
    then open: https://www.google.com/device
    Access token: $ACCESS_TOKEN
    
    opened by markandrus 0
  • [Question] Interest in adding support for the Microsoft identity platform's OAuth device flow?

    Hey there! Thanks for making this oauth module, it's awesome!

    Curious if there is interest in adding support for the Microsoft identity platform's OAuth device flow?

    I took a quick look at what's needed, and I think potentially the "only" change would be to support a JSON response from the device code endpoint, currently it looks like we only handle form responses:

    https://github.com/cli/oauth/blob/6b1e71c3614ec61205f1ffc9964b06dd61221385/api/form.go#L95

    I think if it could accept JSON, then other OAuth servers, like Microsoft identity platform's, would come for free.

    Thoughts?

    opened by swinton 2
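The two issues above describe servers that answer the device code request with JSON instead of a form body, and with `verification_url` instead of `verification_uri`. The following is an added example of a parser that tolerates both; it is not code from this library or from either issue author. `DeviceCode` and `parseDeviceCode` are hypothetical names, and the HTTPS requirement is an assumed policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/url"
)

type DeviceCode struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	VerificationURL string `json:"verification_url"` // the field name Google returns
	Interval        int    `json:"interval"`
}

// parseDeviceCode (hypothetical name) decodes a form or JSON body, chosen by Content-Type.
func parseDeviceCode(contentType string, body []byte) (*DeviceCode, error) {
	dc := &DeviceCode{}
	switch mt, _, _ := mime.ParseMediaType(contentType); mt {
	case "application/json":
		if err := json.Unmarshal(body, dc); err != nil {
			return nil, err
		}
	case "application/x-www-form-urlencoded":
		v, err := url.ParseQuery(string(body))
		if err != nil {
			return nil, err
		}
		dc.DeviceCode, dc.UserCode = v.Get("device_code"), v.Get("user_code")
		dc.VerificationURI, dc.VerificationURL = v.Get("verification_uri"), v.Get("verification_url")
		fmt.Sscan(v.Get("interval"), &dc.Interval) // stays 0 when absent or malformed
	default:
		return nil, fmt.Errorf("unsupported content type %q", contentType)
	}
	if dc.VerificationURI == "" {
		dc.VerificationURI = dc.VerificationURL
	}
	if dc.Interval <= 0 {
		dc.Interval = 5 // RFC 8628 default when the server omits interval
	}
	if u, err := url.Parse(dc.VerificationURI); err != nil || u.Scheme != "https" || dc.DeviceCode == "" || dc.UserCode == "" {
		return nil, fmt.Errorf("incomplete or non-HTTPS device code response") // the user will open this URL
	}
	return dc, nil
}

const sample = `{"device_code":"d1","user_code":"QCP-GZV-LGZ","verification_url":"https://www.google.com/device"}` // constructed
func main() { fmt.Println(parseDeviceCode("application/json", []byte(sample))) }
```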
  • PollToken should cancel early if the context is canceled

    This is kind of a nice issue, but in a console app I am working on, the app intercepts the OS SIGKILL/SIGINT signals to do all of its own graceful shutdown via context, but currently there is no way to cancel the loop in PollToken.

    To make this cancelable, it would be nice to add something like this into the loop there.

    		select {
    		case <-ctx.Done():
    			return nil, ErrCanceled
    		default:
    			timeSleep(checkInterval)
    		}
    

    Then the function could be extended like a lot of packages with a second copy of the method, and context propagated down.

    
    func PollTokenContext(ctx context.Context, c httpClient, pollURL string, clientID string, code *CodeResponse) (*api.AccessToken, error) {
      // ... current implementation
    }
    
    func PollToken(c httpClient, pollURL string, clientID string, code *CodeResponse) (*api.AccessToken, error) {
      return PollTokenContext(context.Background(), c, pollURL, clientID, code)
    }
    

    The same thing could be done to DetectFlow, or it could be embedded within the flow struct so the outer API layout would change less.

    opened by tomlazar 3
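A context-aware polling loop for the request above, as an added example that is not code from this library or from the issue author. It waits on a timer and on `ctx.Done()` in the same `select`, so cancellation ends the wait itself instead of taking effect after the sleep. `pollUntil`, `errPending`, `errSlowDown` and the `check` callback are hypothetical names; the error values mirror the RFC 8628 `authorization_pending` and `slow_down` codes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/signal"
	"time"
)

var errPending, errSlowDown = errors.New("authorization_pending"), errors.New("slow_down")

// pollUntil (hypothetical name) calls check every interval until it returns a token, a terminal error, or ctx ends.
func pollUntil(ctx context.Context, interval time.Duration, check func(context.Context) (string, error)) (string, error) {
	timer := time.NewTimer(interval)
	defer timer.Stop()
	for {
		select {
		case <-ctx.Done():
			return "", ctx.Err() // cancellation interrupts the wait, not just the next iteration
		case <-timer.C:
		}
		token, err := check(ctx)
		switch {
		case err == nil:
			return token, nil
		case errors.Is(err, errSlowDown):
			interval += 5 * time.Second // RFC 8628 section 3.5
		case !errors.Is(err, errPending):
			return "", err
		}
		timer.Reset(interval)
	}
}

func main() {
	// Ctrl-C cancels ctx, which ends the poll loop immediately.
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
	defer stop()
	calls := 0
	fake := func(context.Context) (string, error) { // constructed stand-in for the token request
		if calls++; calls < 3 {
			return "", errPending
		}
		return "example-token", nil
	}
	fmt.Println(pollUntil(ctx, 10*time.Millisecond, fake))
}
```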
  • Support more auth endpoints

    Hi,

    this is a draft to support other endpoints than GitHub.

    In my specific case, I had to use Microsoft's Auth Endpoint, which is a bit different than that from GitHub. See details here.

    I needed the support of additional post parameters in the AccessToken function and also to handle JSON based responses.

    My solution is not that generic (to support others) as I wanted, because I had to focus on my specific case but maybe it is a good starting point for other auth endpoints.

    opened by v-braun 1
  • How should OAuth Client IDs be distributed to headless apps?

    Hi, I apologize if I've just missed something in the documentation but, should our OAuth App Client IDs be kept secret? In the case of writing a headless app how should we distribute the Client IDs to the user's applications so that they can authenticate with GitHub? Is it best to write a server side relay that requests the tokens on the behalf of the CLI tool and then passes the resulting temporary code and token back to the user, so that the user never has access to the Client ID, or is it safe to embed the client ID in a distributed binary/source code? Thanks for your time.

    documentation 
    opened by alecbcs 4
Releases(v0.9.0)
  • v0.9.0(Oct 15, 2021)

    What's Changed

    • Expose refresh token (used by GitHub Apps) by @swinton in https://github.com/cli/oauth/pull/9
    • Support third-party OAuth hosts by @jamierocks in https://github.com/cli/oauth/pull/7

    New Contributors

    • @swinton made their first contribution in https://github.com/cli/oauth/pull/9
    • @jamierocks made their first contribution in https://github.com/cli/oauth/pull/7