A specification compliant implementation of RFC7636 - Proof Key for Code Exchange (PKCE) for Go

Overview

pkce

Go Reference Go Report Card Go Test golangci-lint

pkce implements the client side of RFC 7636 "Proof Key for Code Exchange by OAuth Public Clients" (PKCE) to enable the generation of cryptographically secure and specification compliant code verifiers and code challenges. With no external dependencies .

Getting Started

pkce makes use of go mod, you can install it by using go get:

go get github.com/matthewhartstonge/pkce

Examples

Structs

For those that like abstractions, feel free to enjoy "safety ™️ ":

package main

import (
	"fmt"

	"github.com/matthewhartstonge/pkce"
)

func main() {
	// Generate a secure proof key! 
	// Make sure yo do this each time you want a new proof key - it's stateful.
	key, err := pkce.New()
	if err != nil {
		panic(err)
	}

	fmt.Println("my generated code verifier is:", key.CodeVerifier())
	fmt.Println("my generated plain code challenge is:", key.CodeChallenge())

	// Finally - on the server-side side, we can verify the received code 
	// verifier:
	receivedCodeVerifier := "#yolo-cant-verify-me-mr-mcbaggins"
	isValid := key.VerifyCodeVerifier(receivedCodeVerifier)
	fmt.Println("is the received code verifier valid?", isValid)
}

Okay, so that was a bit easy... But, what can I configure?!?

package main

import (
	"fmt"

	"github.com/matthewhartstonge/pkce"
)

func main() {
	// Generate a ... proof key!
	key, err := pkce.New(
		// pkce.WithCodeVerifierLength enables increasing entropy for 
		// super-duper securities!
		pkce.WithCodeVerifierLength(9001),

		// pkce.WithChallengeMethod enables setting the PKCE mode, which is 
		// really code name for setting the method to "plain" for, you know, if
		// you've got a non-compliant OAuth PKCE accepting server that may 
		// require backwards compatibility. #SnarkIntended
		pkce.WithChallengeMethod(pkce.Plain),

		// pkce.WithCodeVerifier enables BYO code verifier.
		//
		// ... I hope you use a secure implementation ...
		//
		// This is mainly useful if you like the struct style of encapsulation, 
		// or if loading the verifier from a datastore.
		//
		// Using this option will disable code verifier generation, therefore 
		// `pkce.WithCodeVerifierLength` will be redundant if specified.
		pkce.WithCodeVerifier([]byte("#YOLO")),
	)
	if err != nil {
		// hah, yeah, there's gonna be an error or two...
		panic(err)
	}

	// ... otherwise, it's business as usual ...

Functional

For those that like functions, you can fight against your own "to err == programmer"

package main

import (
	"fmt"

	"github.com/matthewhartstonge/pkce"
)

func main() {
	// Generate a secure code verifier!
	codeVerifier, err := pkce.GenerateCodeVerifier(50)
	if err != nil {
		panic(err)
	}

	// OR, lawd forbid, you can generate and send in your own code verifier...
	//    ... don't do this ...

	// Then we can generate a code challenge based on the incoming code 
	// challenge method
	codeChallenge, err := pkce.GenerateCodeChallenge(pkce.S256, codeVerifier)
	if err != nil {
		panic(err)
	}

	fmt.Println("my manually generated code verifier is:", codeVerifier)
	fmt.Println("my manually generated code challenge is:", codeChallenge)

	// Finally - on the server-side side, we can verify the received code 
	// verifier:
	incomingCodeVerifier := "#yolo-cant-verify-me-mr-mcbaggins"
	isValid := pkce.VerifyCodeVerifier(pkce.S256, incomingCodeVerifier, codeChallenge)
	fmt.Println("is the received code verifier valid?", isValid)
}

What is PKCE?

Great Question!

For more information on "Proof Key for Code Exchange (PKCE) by OAuth Public Clients" (or for some light bedtime reading) check out the following links:

Releases(v0.1.2)
  • v0.1.2(Jan 26, 2022)

    :ship: v0.1.2 - 2022-01-27

    Added

    • :white_check_mark: pkce: adds tests.

    Changed

    • :recycle: options: orders options alphabetically.

    Fixed

    • :bug: options: fixes challenge method being able to be set with invalid values.
    • :bug: pkce: stops invalid methods from being able to be set.
    • :bug: pkce: stops the code verifier length being overwritten if code verifier is set.
    • :bug: pkce: ensures getCodeVerifier checks against nilness and emptiness.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.1(Jan 25, 2022)

    :ship: v0.1.1 - 2022-01-25

    Added

    • :memo: README: adds code verifier verification examples.
    • :page_facing_up: LICENSE: adds MIT license. Fixes #4.
    • :construction_worker: ci/cd: enables github actions. Fixes #3.
    • :memo: README: adds go reference, go report and github action build badges.

    Fixed

    • :memo: README: fixes a couple of spelling misteaks.
    • :rotating_light: pkce: fixes whitespace issues (wsl).
    • :rotating_light: validation: simplifies if-return (revive).
    • :rotating_light: errors: reduces line lengths (lll).
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0(Jan 24, 2022)

    :ship: v0.1.0 - 2022-01-25

    Added

    • Generation of code verifier and code challenge.
    • Code verifier and code challenge spec-compliant validation.
    • Verification for an incoming code verifier.
    • URL parameter key constants.
    Source code(tar.gz)
    Source code(zip)
Owner
Matthew Hartstonge
Lead Dev @ LINC-ED. I love being able to build human centric software that enables people to do magic! (oh, and building massive cloud scale infrastructure!)
Matthew Hartstonge
stark key authentication library, signature generator for dydx exchange

stark key authentication library, signature generator for dydx exchange for the following operations: Place an order Withdraw funds link : https://doc

null 7 Mar 14, 2022
A set of tests to check compliance with the Prometheus Remote Write specification

Prometheus Compliance Tests This repo contains code to test compliance with various Prometheus standards. PromQL The promql directory contains code to

Prometheus 92 Jun 7, 2022
Key-Checker - Go scripts for checking API key / access token validity

Key-Checker Go scripts for checking API key / access token validity Update V1.0.0 ?? Added 37 checkers! Screenshoot ?? How to Install go get github.co

Muhammad Daffa 188 Jun 24, 2022
:key: Secure alternative to JWT. Authenticated Encrypted API Tokens for Go.

branca branca is a secure alternative to JWT, This implementation is written in pure Go (no cgo dependencies) and implements the branca token specific

Wesley Hill 165 Jun 21, 2022
fiber api key authentication middleware

fiber-key-auth Secure your fiber endpoints using API keys. Report Bug · Request Feature Table of Contents About The Project Built With Getting Started

Ben 4 Feb 15, 2022
Advent of Code Input Loader, provide a session cookie and a problem date, returns a string or []byte of the input

Advent of Code Get (aocget) A small lib to download your puzzle input for a given day. Uses your session token to authenticate to obtain your personal

Adrian 0 Dec 9, 2021
An implementation of JOSE standards (JWE, JWS, JWT) in Go

Go JOSE Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. This includes support for JSO

Square 1.9k Jun 23, 2022
goRBAC provides a lightweight role-based access control (RBAC) implementation in Golang.

goRBAC goRBAC provides a lightweight role-based access control implementation in Golang. For the purposes of this package: * an identity has one or mo

Xing 1.3k Jun 26, 2022
This is an implementation of JWT in golang!

jwt This is a minimal implementation of JWT designed with simplicity in mind. What is JWT? Jwt is a signed JSON object used for claims based authentic

John Rowley 99 May 9, 2022
Golang implementation of JSON Web Tokens (JWT)

jwt-go A go (or 'golang' for search engine friendliness) implementation of JSON Web Tokens NEW VERSION COMING: There have been a lot of improvements s

Dave Grijalva 10.4k Jun 23, 2022
Platform-Agnostic Security Tokens implementation in GO (Golang)

Golang implementation of PASETO: Platform-Agnostic Security Tokens This is a 100% compatible pure Go (Golang) implementation of PASETO tokens. PASETO

Oleg Lobanov 608 Jun 26, 2022
[NO LONGER MAINTAINED} oauth 2 server implementation in Go

hero hero is a feature rich oauth 2 server implementation in Go. Features User account management Client management oauth 2 rfc 6749 compliant Configu

Geofrey Ernest 214 Feb 9, 2022
OAuth 1.0a implementation in Go

Package oauth1a Summary An implementation of OAuth 1.0a in Go1. API reference Installing Run: go get github.com/kurrik/oauth1a Include in your source

Arne Roomann-Kurrik 23 Sep 17, 2021
OAuth 1.0 implementation in go (golang).

OAuth 1.0 Library for Go (If you need an OAuth 2.0 library, check out: https://godoc.org/golang.org/x/oauth2) Developing your own apps, with this libr

Matt Jones 258 Jun 16, 2022
A go implementation of JSON Web Tokens

jwt-go A go (or 'golang' for search engine friendliness) implementation of JSON Web Tokens NEW VERSION COMING: There have been a lot of improvements s

null 2.8k Jun 29, 2022
A fast and simple JWT implementation for Go

JWT Fast and simple JWT implementation written in Go. This package was designed with security, performance and simplicity in mind, it protects your to

Gerasimos (Makis) Maropoulos 139 Jun 25, 2022
backend implementation demonstration in go with JWT, MongoDB and etc.

backend implementation demonstration in go with JWT, MongoDB and etc.

Parham Alvani 12 May 18, 2022
Go library providing in-memory implementation of an OAuth2 Authorization Server / OpenID Provider

dispans Go library providing in-memory implementation of an OAuth2 Authorization Server / OpenID Provider. The name comes from the Swedish word dispen

Xenit AB 3 Dec 22, 2021
Golang implementation of JWT and Refresh Token

Fiber and JWT with Refresh Token Repo ini adalah demostrasi JWT support refresh token tanpa menggunakan storage Branch Main: unlimited refresh token R

Muhamad Surya Iksanudin 11 May 26, 2022