This repository contains a set of tools to help you implement IndieAuth, both server and client, in Go.

Overview

IndieAuth Toolkit for Go

This repository contains a set of tools to help you implement IndieAuth, both server and client, in Go. The documentation can be found here. Please note that there may be bugs. Feel free to use it and send PRs with improvements.

Usage

Some examples:

License

MIT © Henrique Dias

Issues
  • fix: improve PKCE validation and random generator

    Use base64.RawURLEncoding, not base64.URLEncoding, for the S256 code challenge method.

    Use crypto/rand, not math/rand, for high-entropy cryptographic random values.

    Fixes #8. Fixes #9.

    opened by dmitshur 2
  • use crypto/rand for generating high-entropy cryptographic random values

    https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 defines code_verifier to be a "high-entropy cryptographic random STRING", and notes:

    NOTE: The code verifier SHOULD have enough entropy to make it impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence. The octet sequence is then base64url-encoded to produce a 43-octet URL safe string to use as the code verifier.

    (Emphasis mine.)

    The math/rand Go package isn't suitable for that purpose; the crypto/rand package can be used in its place.

    I'll send a PR that fixes this issue in case you find it helpful.

    opened by dmitshur 1
  • don't use '=' padding in base64 URL encoding of S256 code challenge method, be strict about any additional characters

    (Hello! It's really cool to find a Go implementation for the IndieAuth spec! I've also implemented one; see https://github.com/shurcooL/home/issues/34 and https://github.com/shurcooL/home/issues/43. When trying to sign in to your site which I understand uses this package, I found a problem and wanted to report it.)

    I believe there's a small bug in the PKCE verification as currently implemented in the latest version of this package, to do with padding used in base64 encoding.

    The IndieAuth spec defers to RFC 7636 for PKCE details:

    All IndieAuth clients MUST use PKCE ([RFC7636]) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to [RFC7636] for details.

    (Source: https://indieauth.spec.indieweb.org/#authorization-request.)

    RFC 7636 section 4.6 (https://datatracker.ietf.org/doc/html/rfc7636#section-4.6) details how the code challenge method verification is done:

    If the "code_challenge_method" from Section 4.3 was "S256", the received "code_verifier" is hashed by SHA-256, base64url-encoded, and then compared to the "code_challenge", i.e.:

    BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge

    [...] If the values are not equal, an error response indicating "invalid_grant" as described in Section 5.2 of [RFC6749] MUST be returned.

    In https://datatracker.ietf.org/doc/html/rfc7636#section-3 it is defined that "Base64url Encoding" refers to URL encoding without padding:

    Base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted ([...]) and without the inclusion of any line breaks, whitespace, or other additional characters. (See Appendix A for notes on implementing base64url encoding without padding.)

    (Emphasis mine.)

    Go's base64.RawURLEncoding implements URL base64 encoding without padding, and can be used instead of base64.URLEncoding.

    I'll send a PR that fixes this issue in case you find it helpful.

    opened by dmitshur 1
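The two issues above (unpadded base64url for the S256 challenge, and crypto/rand for the verifier) together describe correct PKCE handling on both sides. The following is an added example, not code from this repository: it generates a verifier as RFC 7636 recommends and verifies strictly, rejecting a padded or malformed code_challenge. Function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns the RFC 7636 recommended verifier: 32 random
// octets from crypto/rand (never math/rand), base64url-encoded without
// padding, which yields a 43-character string.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge computes BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).
// RawURLEncoding omits the trailing '=' that URLEncoding would add.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the authorization server's check. It is strict about the
// stored challenge (exactly 43 unpadded base64url characters, per RFC 7636
// section 3), bounds the verifier length (section 4.1), and compares in
// constant time. Any failure maps to the "invalid_grant" error.
func VerifyS256(challenge, verifier string) error {
	if len(challenge) != 43 {
		return errors.New("invalid_grant: code_challenge must be 43 unpadded base64url characters")
	}
	if _, err := base64.RawURLEncoding.Strict().DecodeString(challenge); err != nil {
		return errors.New("invalid_grant: code_challenge is not valid base64url")
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return errors.New("invalid_grant: code_verifier length out of range")
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	v, _ := NewCodeVerifier()
	c := S256Challenge(v)
	fmt.Println(len(v), len(c), VerifyS256(c, v), VerifyS256(c+"=", v))
}
```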
  • breaking: match new specification

    • Functions that received *Endpoints now receive *Metadata
    • Renamed DiscoverEndpoint to DiscoverLinkEndpoint
    • Removed DiscoverEndpoints
    • Introduced DiscoverMetadata that retrieves the IndieAuth metadata of an authorization server. It is backwards compatible with previous versions of IndieAuth, i.e., it still looks for the Header and HTML Meta authorization and token endpoints.
    opened by hacdias 0
  • Feature: Implement Client Information Discovery

    Add an independent function, or inside the authorization server, that fetches client information.

    Ref.: https://indieauth.spec.indieweb.org/#client-information-discovery

    opened by hacdias 0
Releases (v2.1.0)
  • v2.0.0 (Mar 17, 2022)

    Breaking Changes

    • Functions that received *Endpoints now receive *Metadata
    • Renamed DiscoverEndpoint to DiscoverLinkEndpoint
    • Removed DiscoverEndpoints
    • Introduced DiscoverMetadata that retrieves the IndieAuth metadata of an authorization server. It is backwards compatible with previous versions of IndieAuth, i.e., it still looks for the Header and HTML Meta authorization and token endpoints.
Owner
Henrique Dias
Computer Science and Engineering student at TU/e. Digging into the decentralized web with @ipfs @testground