An OAuth2 server in Go. This project uses an embedded RangeDB event store.
```shell
docker run -p 8080:8080 inklabs/goauth2
```
## Client Credentials Grant

```
+---------+                                  +---------------+
|         |                                  |               |
|         |>--(A)- Client Authentication --->| Authorization |
| Client  |                                  |     Server    |
|         |<--(B)---- Access Token ---------<|               |
|         |                                  |               |
+---------+                                  +---------------+
```
```shell
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=client_credentials" \
  -d "scope=read_write"
```
```json
{
  "access_token": "d5f4985587ea46028c0946e4a240a9c1",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write"
}
```
## Resource Owner Password Credentials Grant

```
+----------+
| Resource |
|  Owner   |
|          |
+----------+
     v
     |    Resource Owner
    (A) Password Credentials
     |
     v
+---------+                                  +---------------+
|         |>--(B)---- Resource Owner ------->|               |
|         |         Password Credentials     | Authorization |
| Client  |                                  |     Server    |
|         |<--(C)---- Access Token ---------<|               |
|         |    (w/ Optional Refresh Token)   |               |
+---------+                                  +---------------+
```
```shell
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=password" \
  -d "username=john@example.com" \
  -d "password=Pass123!" \
  -d "scope=read_write"
```
```json
{
  "access_token": "a3c5300be4d24e65a68176c7ba521c50",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "3a801b1fc3d847599b3d5719d82bca7b"
}
```
## Refresh Token Grant

```
+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+
```
```shell
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=refresh_token" \
  -d "refresh_token=3a801b1fc3d847599b3d5719d82bca7b"
```
```json
{
  "access_token": "97ed11d0d399454eb5ab2cab8b29f600",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "b4c69a71124641739f6a83b786b332d3"
}
```
## Authorization Code Grant

```
+----------+
| Resource |
|   Owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
```
```shell
open "http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=code&state=somestate&scope=read_write"
```
- Log in via the web form (john@example.com | Pass123!)
- Click the button to grant access
- The authorization server redirects back to the redirection URI, including an authorization code and any state provided by the client:

```
https://example.com/oauth2/callback?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate
```
```shell
curl localhost:8080/token \
  -u client_id_hash:client_secret_hash \
  -d "grant_type=authorization_code" \
  -d "code=36e2807ee1f94252ac2d9b1d3adf2ba2" \
  -d "redirect_uri=https://example.com/oauth2/callback"
```
```json
{
  "access_token": "865382b944024b2394167d519fa80cba",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "48403032170e46e8af72b7cca1612b43"
}
```
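Added example (not part of the goauth2 project's code): the client side of steps (C) and (D) of the authorization code flow above, in Go. It accepts the code from the callback only when the echoed `state` matches the one the client stored in the user's session before step (A), then builds the same `/token` POST the curl command sends. The function names are mine.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// CodeFromCallback parses the step (C) redirect and returns the code only when
// the echoed state equals the value this client stored in the user's session
// before step (A); a mismatch means the response was not started by this client.
func CodeFromCallback(callback, expectedState string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if expectedState == "" || q.Get("state") != expectedState {
		return "", errors.New("state mismatch: ignoring authorization response")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

// TokenRequest builds the step (D) POST to /token, mirroring the curl call:
// client credentials travel in HTTP Basic auth, the code and the identical
// redirect_uri go in the form body.
func TokenRequest(tokenURL, clientID, clientSecret, code, redirectURI string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}
```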
## Implicit Grant

```
+----------+
| Resource |
|  Owner   |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier     +---------------+
|         -+----(A)-- & Redirection URI --->|               |
|  User-   |                                | Authorization |
|  Agent  -|----(B)-- User authenticates -->|     Server    |
|          |                                |               |
|          |<---(C)--- Redirection URI ----<|               |
|          |          with Access Token     +---------------+
|          |            in Fragment
|          |                                +---------------+
|          |----(D)--- Redirection URI ---->|   Web-Hosted  |
|          |          without Fragment      |     Client    |
|          |                                |    Resource   |
|     (F)  |<---(E)------- Script ---------<|               |
|          |                                +---------------+
+-|--------+
  |    |
 (A)  (G) Access Token
  |    |
  ^    v
+---------+
|         |
|  Client |
|         |
+---------+
```
```shell
open "http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=token&state=somestate&scope=read_write"
```
- Log in via the web form (john@example.com | Pass123!)
- Click the button to grant access
- The authorization server redirects back to the redirection URI, including an access token and any state provided by the client in the URI fragment:

```
https://example.com/oauth2/callback#access_token=1e21103279e549779a9b5c07d50e641d&expires_at=1574371565&scope=read_write&state=somestate&token_type=Bearer
```