Authentication service that keeps you in control without forcing you to be an expert in web security.

Overview

Keratin AuthN

Keratin Pangolin A modern authentication backend service. (https://keratin.tech)

GitterBuild StatusCoverage StatusGo Report

Related

This repository builds a backend Go service that provides secured endpoints related to accounts and passwords. You must integrate it with your application's frontend(s) and backend(s).

Client libraries are currently available for:

If you are missing a client library, please submit a request.

Implementation

Documentation

Deployment

Documentation

Configuration

All configuration is through ENV variables.

Documentation

Contributing

Welcome! Please familiarize yourself with the CONTRIBUTING doc and the CODE OF CONDUCT.

Here's how the dev environment works:

  1. go get github.com/keratin/authn-server
  2. Install Docker and docker-compose.
  3. Run make test to ensure a clean build

To run a dev server:

  1. Create a own .env file with desired configuration.
  2. Run make migrate
  3. Run make server

To build a compiled server for integration testing:

  1. Run make build
  2. Execute dist/authn with appropriate ENV variables

To build a Docker image for integration testing:

  1. Run make docker
  2. Start the keratin/authn-server:latest image with appropriate ENV variables

COPYRIGHT & LICENSE

Copyright (c) 2016-2020 Lance Ivy

Keratin AuthN is distributed under the terms of the LGPLv3. See LICENSE-LGPLv3 for details.

Issues
  • gRPC Support

    gRPC Support

    This PR introduces gRPC support with Protobuf.

    Closes #78

    Continuous feedback is preferred instead of waiting for me to finish.

    Tasks:

    • [x] refactor existing code so it can be reused more readily between HTTP and gRPC servers
    • [ ] remove the current server into authn-server/http
    • [x] work on a parallel authn-server/gRPC package that can be preferred with a command flag
    • [ ] if and when appropriate, bring in grpc-gateway to replace the authn-server/http package
    • [x] protect the gRPC API from abuse (existing REST API validates Origin header, gRPC does .... [insert something here])
    • [ ] tests, tests, tests
    • [N/A] Fix mTLS with with cmux & add tests for it (I feel this is going to be a giant test)
    • [x] Address comments here. It's pretty tricky to eliminate dependency on vendor directory.

    Critical bug in current branch:

    • [x] mounting on a subpath not working. My hunch is wrapping the handler with http.StripPrefix should fix it, but I'm yet to tackle it.
    • [x] Work around this "bug".

    Resources used and/or might need as reference to complete PR:

    opened by mohammed90 32
  • build a distributable for windows/amd64

    build a distributable for windows/amd64

    Fixes #68

    @egorsmkv Please try https://github.com/keratin/authn-server/releases/download/v1.4.1/authn-windows64.bz2 and let me know how it goes!

    • [x] Change dist naming so the upload to GH is less error-prone
    • [ ] Extract port from AUTHN_URL
    • [x] Active users page 404
    • [ ] Support for authn-server.env file
    opened by cainlevy 15
  • AuthN Docker RDS Connectivity Issue

    AuthN Docker RDS Connectivity Issue

    Hi there, I'm getting the following error when trying to run the AuthN docker image on EC2 Ubuntu 20.04.

    ~*~ Keratin AuthN v1.10.4 ~*~
    data.NewDB: dial tcp: lookup <redacted>.us-east-1.rds.amazonaws.com: device or resource busy
    

    I have a fairly simple setup, just an EC2 instance and an RDS instance. I have done the following debugging and am quite certain that it is not a networking issue like security groups.

    1. On the EC2, I can psql to the RDS instance
    2. I used docker exec to run the AuthN container, installed psql using apk --update add postgresql-client and was able to successfully connect to rds
    3. There is a dockerized Rails app on the same EC2 that can reach the same RDS instance
    4. The docker-compose below works fine on my local machine (mac) but causes the above error on EC2

    Here is my docker-compose (sensitive items removed)

    version: '3.8'
    volumes:
      redis_auth_data:
    
    networks:
      frontend:
      backend:
    
    services:
      redis:
        image: redis
        # using persistant storage
        command: ['redis-server', '--appendonly', 'yes']
        volumes:
          - redis_auth_data:/data
        networks:
          backend:
            aliases:
              - redis_auth.docker # used below
    
      keratin_auth:
        image: keratin/authn-server:1.10.4
        ports:
          - "21002:3000"
          - "21001:21001"
        environment:
          - AUTHN_URL=http://localhost:8080
          - APP_DOMAINS=localhost
          - HTTP_AUTH_USERNAME # passthrough from env
          - HTTP_AUTH_PASSWORD # passthrough from env
          - DATABASE_URL=postgresql://<pg_username>:<pg_password>@<host>.us-east-1.rds.amazonaws.com/keratin_authn
          - PUBLIC_PORT=21001
          - REDIS_URL=redis://redis_auth.docker:6379/1
          - SECRET_KEY_BASE=<redacted>
        networks:
          backend:
          frontend:
        depends_on:
          - redis
    

    Thanks in advance

    opened by xcskier56 14
  • Double signup with different passwords returns token using CockroachDB

    Double signup with different passwords returns token using CockroachDB

    I found an issue that caused me confusion. First I thought that it was a front-end issue, but it is in the back end, and the front end will report success even though the passwords are different.

    To reproduce:

    Step 1 Sign up using credentials: Username: User1234 Password: 9oiajshdfioudewiuufjhi8127y4981

    Expect: Token (201) Result: Token (201)

    Step 2: Sign up using credentials: Username: User1234 Password: sometotallydifferentPassword1897387214

    Expect: TAKEN Result: Token (201)

    opened by sourcetreehugger 14
  • Feels a bit slow?

    Feels a bit slow?

    Maybe it is the way I have set this up but it feels a bit slow. I did some testing from a pod in the Kubernetes cluster and checking if a user already exists on register varies between 300ms and as high as 2 seconds. That feels very slow for a Go application.

    image

    opened by saul-data 10
  • OAuth authentication with existing normal account when account user is email

    OAuth authentication with existing normal account when account user is email

    Hey Lance and all contributors!

    First of all, thanks so much for this project, looks really good. So I gave the server a spin and started testing some stuff. I specifically set USERNAME_IS_EMAIL=true and then created an account using the signup endpoint, using my GMail address for that. All good.

    Then I tried logging in using OAuth and Gmail, but got access deined because that account already existed. I would expect to be able to log in using OAuth and Gmail, since I am the owner of my account. Shouldn't this be the expected behaviour?

    opened by martinreus 10
  • Concerns about XSS attack vectors

    Concerns about XSS attack vectors

    Please correct me if I completely misunderstood the way id_tokens should work in Authn, but I have some concerns about them from what I have seen so far:

    What

    Currently when signin in, signing up, refreshing, and in every other endpoint where this happens, an id_token is returned from these requests. Giving a client - in this case, specifically a webbrowser client - the option to read the id_token (which is a signed token) and storing it somewhere (like in local storage or cookies) opens up XSS attack possibilities.

    Proposal

    Instead of returning the id_token, I would suggest returning only the JWT claims in a plain JSON object (without a signature, so it can't be used as an id_token), so that frontends are still able to know when to refresh the token when validity halftime is reached. Then, also set a cookie from Authn Server that has the HttpOnly flag set to true, so that it can't be read via javascript and which will be automatically sent by the browser on every request made to the backend or other backends in a microservices architecture, for instance. However, this would mean every client library will also have to be adapted to this new implementation and would mean breaking changes :sweat:

    Or maybe there is another way?

    opened by martinreus 8
  •  'Origin is not a trusted host.'  when performing signup from backend

    'Origin is not a trusted host.' when performing signup from backend

    How can i signup user from my backend ?

    response is  'Origin is not a trusted host.' 
     Error: Request failed with status code 403
    

    When i do POST request to /accounts with username and password i get error.

    Also which url should i use to perform signup from backend AUTHN_URL? Or same as i do from browser?

    for example now getting the user from my backend is working like http://HTTP_AUTH_USERNAME:[email protected]:3000/accounts/${userId} but performing POST for signup from backend caused error

    opened by triesa 8
  • FEATURE IDEA: Account Invite API

    FEATURE IDEA: Account Invite API

    Idea

    We'd like the ability to have our server side application send newly created accounts an email to create a password. This is 99% the same as a reset password flow, except that 1) it is triggered by our server and 2) we need to send a different email which means we need the AuthN server to hit a slightly different endpoint than reset password

    Changes API

    1. Create a new private endpoint that behaves identically to the current reset password endpoint. Potentially /account/invite
    2. Add a new env var APP_INVITE_URL that would be the uri of the server to call to deliver the a "invite" aka reset password token

    Thoughts/Feedback?

    Thanks,

    Doug

    opened by xcskier56 7
  • Helm charts for keratin

    Helm charts for keratin

    Hello @cainlevy

    Thank you for all your work. I wanted to experiment with keratin and potentially use keratin in my hobby projects. I use terraform and helm to configure my playground and I was a bit upset to know that there are no helm charts available for it. I also wanted to learn about helm a bit more so I created charts for helm version 2 and 3 here: https://github.com/obukhov/keratin-helm-charts

    I tested them and they seem to work although there is probably plenty of space for improvements. I created helm repo with github pages, so potentially anyone can use it: https://github.com/obukhov/keratin-helm-repo

    I was considering to create a PR to add by repo to helm hub (like described here: https://github.com/helm/hub/blob/master/Repositories.md). But before that, I wanted to discuss with you the following question: I think it would make much more sense if these two repos will be moved to keratin organization - it will be easier to discover them and contribute for the others and also help to get rid of "bus factor".

    I also haven't used any keratin related images in the charts (like icon/logo) because I wasn't sure this is allowed.

    Let me know what you think about that.

    opened by obukhov 7
  • proper loading of docker secrets

    proper loading of docker secrets

    Main focus is on ability to pass Docker secrets properly instead of environment variables.

    If Secure settings are not set, then drop to original mode of loading secrets from environment variables.

    Other minor changes:

    • App name and version are printed as 1st line on startup to to make sure app is starting
    • Added Docker version tags
    • removed routing.go from Makefile, because it does not seem to exist (could it be the reason for runtime error I reported?)

    Version with these changes is on my Docker space https://cloud.docker.com/repository/docker/kulak/authn-server

    opened by kulak 7
  • Seeking Additional Maintainer

    Seeking Additional Maintainer

    AuthN is alive! It handles its scope of responsibility quite well and is deployed into multiple production environments. I'm still able to coordinate and guide contributions and manage releases.

    Nonetheless, I'm seeking an additional maintainer who can increase the bus factor and bring new energy to the project. If you are interested, please reach out to lance-at-cainlevy-dot-net with some brief detail about your experiences with AuthN and your vision for how you'd like to continue moving it forward.

    opened by cainlevy 0
  • Add TOTP multi-factor authentication support

    Add TOTP multi-factor authentication support

    An attempt to see https://github.com/keratin/authn-server/pull/133 through. Squashed and rebased against v1.11.0.

    My understanding is that we may need a way to try this out before we feel comfortable merging — is that right, @cainlevy?

    opened by jeffreylo 1
  • configuration for setting id-token in cookie

    configuration for setting id-token in cookie

    I have SSR logic that hydrates the page data based on user-id, so it needs to authenticate the user from the initial request's cookie.

    Currently, my authn-service instance's login and register endpoints return the id-token in the response payload, so I have to set it in localstorage.

    Is there a way to configure authn-server so that those endpoints set the id-token in the cookie?

    opened by brietsparks 1
  • Support Generic OAuth2 Providers

    Support Generic OAuth2 Providers

    Keratin supports generic OAuth2 providers here: https://github.com/keratin/authn-server/blob/master/lib/oauth/provider.go

    However, there is no means to read configurations from the environment, or otherwise inject them. The credentials, scopes and endpoints required for an *oauth2.Config could be represented by:

    CUSTOM_OAUTH_NAME (Used for HTTP path.) CUSTOM_OAUTH_CREDENTIALS CUSTOM_OAUTH_AUTH_URL CUSTOM_OAUTH_TOKEN_URL CUSTOM_OAUTH_SCOPES

    Or, the env vars could be written to be easily pattern matchable to allow for multiple custom providers.

    I see there are outstanding requests for Twitter and other providers. A generic provider would sidestep the need to PR for every requested provider. I believe the oauth2 library took the same tack and basically stopped accepting changes for what amounted to config as code: https://github.com/golang/oauth2#policy-for-new-packages

    opened by alee792 2
  • UUID for account ID

    UUID for account ID

    Is there a way to rather store the account ID or user ID as UUID instead of integers? I worry about iterating over integers where we would have to separately map UUID to an account/user.

    opened by saul-data 12
Releases(v1.15.0)
Owner
Keratin
strengthened application microservices
Keratin
Authelia: an open-source authentication and authorization server providing two-factor authentication

Authelia is an open-source authentication and authorization server providing two

Streato 0 Jan 5, 2022
Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Paul Greenberg 372 May 15, 2022
A simple passwordless authentication middleware that uses only email as the authentication provider

email auth A simple passwordless authentication middleware that uses only email as the authentication provider. Motivation I wanted to restrict access

Miroslav Šedivý 4 Jan 31, 2022
Barbar Service is a project for demo of simple distribute authentication Service.

Barbar Service Barbar Service is a project for demo of simple distribute authentication Service. Project Structure Basicaly we reffer to Domain Driven

Audy Vaksi Pranata 3 Mar 13, 2022
An imaginary authentication and session tracking service that is defined in this Apiary

Userland This repository contains impelementation of "Userland" on boarding project Userland is an imaginary authentication and session tracking servi

Raja Moris 0 Dec 5, 2021
AuthService is a service that provides authentication with Minecraft Mojang.

AuthService AuthService is a service that provides authentication with Minecraft Mojang. Protobuf is managed by Buf. Command to pull Protobuf files wi

Layercraft 1 Mar 11, 2022
Server bridging Google's OAuth and service using Radius for authentication

Fringe Fringe is an easy workaround for Google Workplace users who need a Radius server to perform authentication on behalf of other services (e.g. 80

Pierre-Luc Simard 5 Mar 7, 2022
Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.

❗ Cache package has been moved to libcache repository Go-Guardian Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to

Sanad Haj Yahya 366 May 14, 2022
Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.

Goth: Multi-Provider Authentication for Go Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applic

Mark Bates 3.7k May 16, 2022
Handle Web Authentication for Go apps that wish to implement a passwordless solution for users

WebAuthn Library This library is meant to handle Web Authentication for Go apps that wish to implement a passwordless solution for users. While the sp

Duo Labs 798 May 13, 2022
Handle Web Authentication for Go apps that wish to implement a passwordless solution for users

WebAuthn Library This library is meant to handle Web Authentication for Go apps that wish to implement a passwordless solution for users. While the sp

null 5 Apr 19, 2022
A simple authentication web application in Golang (using jwt)

Simple Authentication WebApp A simple authentication web app in Go (using JWT) Routes Path Method Data /api/v1/auth/register POST {"firstname":,"lastn

Shayan 2 Feb 6, 2022
Platform-Agnostic Security Tokens implementation in GO (Golang)

Golang implementation of PASETO: Platform-Agnostic Security Tokens This is a 100% compatible pure Go (Golang) implementation of PASETO tokens. PASETO

Oleg Lobanov 595 May 12, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 11.9k May 13, 2022
goRBAC provides a lightweight role-based access control (RBAC) implementation in Golang.

goRBAC goRBAC provides a lightweight role-based access control implementation in Golang. For the purposes of this package: * an identity has one or mo

Xing 1.3k May 18, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 11.9k May 11, 2022
Role Based Access Control (RBAC) with database persistence

Authority Role Based Access Control (RBAC) Go package with database persistence Install First get authority go get github.com/harranali/authority Next

null 218 May 2, 2022
Go login handlers for authentication providers (OAuth1, OAuth2)

gologin Package gologin provides chainable login http.Handler's for Google, Github, Twitter, Facebook, Bitbucket, Tumblr, or any OAuth1 or OAuth2 auth

Dalton Hubble 1.5k May 4, 2022
HTTP Authentication middlewares

goji/httpauth httpauth currently provides HTTP Basic Authentication middleware for Go. It is compatible with Go's own net/http, goji, Gin & anything t

Goji 213 Dec 15, 2021