oauth

package module
v0.7.1
Published: Mar 9, 2023 License: Apache-2.0 Imports: 20 Imported by: 0

README

go-oauth-cli-client

Add MFA/2FA support to your CLI for IdPs that support the OAuth 2.0 Authorization Code Flow

Features

  • MFA/2FA with minimal user interaction
    • If e.g. Active Directory is also used for other services, the user is often already logged in in the browser, and can close it once the token exchange has completed in the background
  • Starts a temporary local server with a callback endpoint to receive the code, and exchanges it for a token
  • State verification
  • Includes the recommended PKCE - Proof Key for Code Exchange extension
  • Cross platform default browser invocation
  • Zero dependencies

Usage

Configure OAuth Client in the OAuth server:

client_id: "my_cli"
redirect_uris: ["http://localhost"]

Get this library:

go get github.com/EikaGruppen/go-oauth-cli-client

Use it:
opts := oauth.Options{
  AuthorizationEndpoint: "https://the.oauth.server.com/authorize",
  TokenEndpoint: "https://the.oauth.server.com/token",
  ClientId: "my_cli",
  ClientSecret: "my_cli_secret", // optional
  AuthorizationExtParams: map[string]string{"scope": "openid"}, // optional
}

tokenResponse, err := oauth.AuthorizationCodeFlow(opts) // will open browser for user to do MFA, and show callback page there when done
if err != nil {
  // handle
}

fmt.Println(tokenResponse.AccessToken)
fmt.Println(tokenResponse.IdToken) // optional
fmt.Println(tokenResponse.RefreshToken) // optional
fmt.Println(tokenResponse.ExpiresIn)

// store tokens safely, and use them to authorize towards the service

The callback page tells the user whether authentication succeeded, and that they may close the page and return to the terminal:

+----------------------------------------------------------------+
|   +---------------------------------------------------+        |
|   | 🔍️ |  http://localhost:8080/oauth/callback        |        |
|   +---------------------------------------------------+        |
|                                                                |
|                  Logged in successfully!                       |
|                                                                |
|           _You may now close this browser window_              |
|                                                                |
|                        [ close ]                               |
|                                                                |
+----------------------------------------------------------------+
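The state verification and PKCE extension listed under Features, and the callback endpoint the temporary local server exposes, shown as an added example of the mechanics. This is not the library's own code (its source is not on this page); it uses only the Go standard library, and the names newVerifier, newState, challengeS256, authorizeURL, stateMatches and callbackHandler are this example's own. The S256 derivation is the one the IdP recomputes over the code_verifier it receives at the token endpoint (RFC 7636), and the handler refuses any callback whose state does not match the value sent with the authorization request.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
)

// randomURLSafe returns n cryptographically random bytes, base64url-encoded without padding.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// newVerifier returns a fresh PKCE code_verifier (RFC 7636 section 4.1):
// 32 random bytes encode to 43 characters, all from the unreserved set.
func newVerifier() (string, error) { return randomURLSafe(32) }

// newState returns an unguessable state value bound to one authorization request.
func newState() (string, error) { return randomURLSafe(16) }

// challengeS256 derives the code_challenge for method S256 (RFC 7636 section 4.2):
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), without padding.
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL builds the URL the browser is opened with. ext carries extra
// parameters such as scope; the reserved parameters are set last so ext cannot override them.
func authorizeURL(endpoint, clientID string, redirect *url.URL, state, challenge string, ext map[string]string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	for k, v := range ext {
		q.Set(k, v)
	}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirect.String())
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// stateMatches compares the state echoed back by the server with the one we sent, in constant time.
func stateMatches(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// callbackHandler is what the temporary local server mounts at /oauth/callback.
// A callback whose state does not match (someone else's or a replayed redirect) is
// refused. The first accepted code goes on codes, which must have a buffer of one;
// any later callback then gets 409 rather than triggering a second exchange.
func callbackHandler(expectedState string, codes chan<- string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if e := q.Get("error"); e != "" {
			http.Error(w, "authorization failed: "+e, http.StatusBadRequest)
			return
		}
		if !stateMatches(expectedState, q.Get("state")) {
			http.Error(w, "state mismatch", http.StatusBadRequest)
			return
		}
		code := q.Get("code")
		if code == "" {
			http.Error(w, "missing code", http.StatusBadRequest)
			return
		}
		select {
		case codes <- code:
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			fmt.Fprint(w, "<h1>Logged in successfully!</h1><p>You may now close this browser window</p>")
		default:
			http.Error(w, "callback already received", http.StatusConflict)
		}
	}
}

func main() {
	verifier, _ := newVerifier()
	state, _ := newState()
	redirect := &url.URL{Scheme: "http", Host: "localhost:8080", Path: "/oauth/callback"}
	u, _ := authorizeURL("https://the.oauth.server.com/authorize", "my_cli", redirect, state, challengeS256(verifier), map[string]string{"scope": "openid"})
	fmt.Println("open in browser:", u) // the verifier stays in memory for the token exchange
}
```

The code_verifier never leaves the process until the token exchange, which is what makes an intercepted authorization code useless on its own; the state value is what ties the callback to the request this process actually started. Mount callbackHandler on the listener with http.Serve, read the code from the channel, and then send code plus code_verifier to the token endpoint.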
Redirect URI

By default, http://localhost:<chosen port>/oauth/callback is used. This can be overridden by setting RedirectUri:

redirectUri, err := url.Parse("https://my-url.com/the/callback") // needs "net/url"
if err != nil {
  // handle
}

opts := oauth.Options{
  // ...
  RedirectUri: redirectUri,
  // ...
}
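How a temporary callback server can pick a port from a PortRange, bind the loopback interface only, build the default redirect URI described above, and sanity-check an override before it is sent to the IdP, as an added example that is not the library's own code. It uses only the Go standard library; portRange, listenInRange, defaultRedirectURI, isLoopbackHost and validateRedirectURI are names of this example only, and the check applies the native-app rules of RFC 8252 section 7.3 (plain http only for loopback redirects) and RFC 6749 section 3.1.2 (no fragment).

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// portRange mirrors the page's PortRange: inclusive bounds.
type portRange struct{ Start, End int }

// listenInRange binds the first free port in the range on the loopback interface
// only, so the callback endpoint is never reachable from other hosts.
func listenInRange(pr portRange) (net.Listener, int, error) {
	for port := pr.Start; port <= pr.End; port++ {
		ln, err := net.Listen("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(port)))
		if err == nil {
			return ln, port, nil
		}
	}
	return nil, 0, fmt.Errorf("no free port in %d-%d", pr.Start, pr.End)
}

// defaultRedirectURI builds the page's default, http://localhost:<port>/oauth/callback.
func defaultRedirectURI(port int) *url.URL {
	return &url.URL{Scheme: "http", Host: net.JoinHostPort("localhost", strconv.Itoa(port)), Path: "/oauth/callback"}
}

// isLoopbackHost reports whether host is "localhost" or a loopback IP literal.
func isLoopbackHost(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// validateRedirectURI enforces the rules a native app should hold itself to:
// a redirect URI may be https anywhere, or http only on a loopback host
// (RFC 8252 section 7.3), and must not carry a fragment (RFC 6749 section 3.1.2).
func validateRedirectURI(u *url.URL) error {
	switch {
	case u == nil:
		return fmt.Errorf("redirect URI is nil")
	case u.Fragment != "":
		return fmt.Errorf("redirect URI must not contain a fragment: %s", u)
	case u.Scheme == "https":
		return nil
	case u.Scheme == "http" && isLoopbackHost(u.Hostname()):
		return nil
	}
	return fmt.Errorf("redirect URI must be https, or http on a loopback host: %s", u)
}

func main() {
	ln, port, err := listenInRange(portRange{Start: 8080, End: 8090})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	u := defaultRedirectURI(port)
	fmt.Println("callback listening at", u, "valid:", validateRedirectURI(u) == nil)
}
```

Two caveats worth knowing when registering "http://localhost" as above: an IdP that follows RFC 8252 section 7.3 accepts any port for a loopback redirect, which is what lets the CLI choose a free port at runtime, and section 8.3 of the same RFC recommends the IP literal 127.0.0.1 over the name localhost so that a hostile entry in the hosts file cannot send the callback elsewhere.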

Documentation

Index

Constants

const (
	ACCESS_TOKEN = iota
	REFRESH_TOKEN
)
const (
	DefaultLength = 32
)

Variables

This section is empty.

Functions

func ConcurrentAuthorizationCodeFlow added in v0.7.0

func ConcurrentAuthorizationCodeFlow(browser Browser, allOpts []Options) ([]codeFlowResult, error)

func Revoke added in v0.5.0

func Revoke(opts Options, tokenType TokenType, token string) error

Types

type Browser added in v0.7.0

type Browser interface {
	// Opens a browser with the specified URLs. Must be safe to call concurrently.
	Open(urls []*url.URL) error

	// If not nil, run in a goroutine after the callback has received the code
	Destroy() error
}

type CallbackPage

type CallbackPage struct {
	Title   string
	Heading string
	Message string
}

type DefaultBrowser added in v0.7.0

type DefaultBrowser struct {
}

func (*DefaultBrowser) Destroy added in v0.7.0

func (d *DefaultBrowser) Destroy() error

func (*DefaultBrowser) Open added in v0.7.0

func (d *DefaultBrowser) Open(urls []*url.URL) error

type Options

type Options struct {
	AuthorizationEndpoint string
	Scopes                []string
	// Extensions to the standard OAuth parameters for the authorization endpoint
	AuthorizationExtParams map[string]string
	TokenEndpoint          string
	RevokeEndpoint         string

	ClientId     string
	ClientSecret string

	RedirectUri *url.URL

	ClientTimeout time.Duration

	PortRange PortRange

	// If nil, system default browser will be used
	Browser Browser
}

type PortRange

type PortRange struct {
	Start int
	End   int
}

type TokenResponse

type TokenResponse struct {
	IdToken          string `json:"id_token"`
	AccessToken      string `json:"access_token"`
	ExpiresIn        int64  `json:"expires_in"`
	RefreshToken     string `json:"refresh_token"`
	RefreshExpiresIn int64  `json:"refresh_expires_in"`
}

func AuthorizationCodeFlow

func AuthorizationCodeFlow(opts Options) (TokenResponse, error)

func Refresh added in v0.5.0

func Refresh(opts Options, refreshToken string) (*TokenResponse, error)

type TokenType added in v0.5.0

type TokenType int

func (TokenType) String added in v0.5.0

func (t TokenType) String() string
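What Refresh and Revoke have to do on the wire, shown as an added, stand-alone example against a constructed in-process IdP. This is not the library's implementation (its source is not on this page): refresh, revoke, clientAuth, postForm and newFakeIdP are this example's own names, and the client credentials, tokens and endpoint paths are made up. The refresh grant follows RFC 6749 section 6, client authentication uses HTTP Basic when a secret is configured (section 2.3.1) and client_id in the body for a public client, and revocation follows RFC 7009, which answers 200 whether or not the token was known.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResponse mirrors the page's struct, with the same JSON field names.
type TokenResponse struct {
	IdToken          string `json:"id_token"`
	AccessToken      string `json:"access_token"`
	ExpiresIn        int64  `json:"expires_in"`
	RefreshToken     string `json:"refresh_token"`
	RefreshExpiresIn int64  `json:"refresh_expires_in"`
}

// clientAuth holds client_id and an optional client_secret (empty for a public client).
type clientAuth struct{ ID, Secret string }

// postForm sends a form-encoded POST, using HTTP Basic when a secret is set and client_id in the body otherwise.
func postForm(c *http.Client, endpoint string, auth clientAuth, form url.Values) (*http.Response, error) {
	if auth.Secret == "" {
		form.Set("client_id", auth.ID)
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if auth.Secret != "" {
		req.SetBasicAuth(auth.ID, auth.Secret)
	}
	return c.Do(req)
}

// refresh exchanges a refresh token for a new token set (RFC 6749 section 6).
func refresh(c *http.Client, tokenEndpoint string, auth clientAuth, refreshToken string) (*TokenResponse, error) {
	resp, err := postForm(c, tokenEndpoint, auth, url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body := io.LimitReader(resp.Body, 1<<20) // cap how much response body we will parse
	if resp.StatusCode != http.StatusOK {
		msg, _ := io.ReadAll(body) // the RFC 6749 section 5.2 error JSON, if the server sent one
		return nil, fmt.Errorf("token endpoint: HTTP %d: %s", resp.StatusCode, msg)
	}
	var tr TokenResponse
	if err := json.NewDecoder(body).Decode(&tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

// revoke invalidates a token (RFC 7009); hint is "access_token" or "refresh_token".
func revoke(c *http.Client, revokeEndpoint string, auth clientAuth, token, hint string) error {
	resp, err := postForm(c, revokeEndpoint, auth, url.Values{"token": {token}, "token_type_hint": {hint}})
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation endpoint: HTTP %d", resp.StatusCode)
	}
	return nil
}

// newFakeIdP is a constructed stand-in for the OAuth server so the example runs offline:
// it requires Basic auth with my_cli/my_cli_secret and knows one valid refresh token, "rt-1".
func newFakeIdP() *httptest.Server {
	authed := func(r *http.Request) bool {
		id, secret, ok := r.BasicAuth()
		return ok && id == "my_cli" && secret == "my_cli_secret"
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		switch {
		case !authed(r):
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"invalid_client"}`)
		case r.FormValue("grant_type") != "refresh_token" || r.FormValue("refresh_token") != "rt-1":
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_grant","error_description":"unknown refresh token"}`)
		default:
			fmt.Fprint(w, `{"access_token":"at-2","expires_in":300,"refresh_token":"rt-2","refresh_expires_in":86400}`)
		}
	})
	mux.HandleFunc("/revoke", func(w http.ResponseWriter, r *http.Request) {
		if !authed(r) { // otherwise 200, whether or not the token existed (RFC 7009)
			w.WriteHeader(http.StatusUnauthorized)
		}
	})
	return httptest.NewServer(mux)
}
```

Against the fake IdP, refresh(idp.Client(), idp.URL+"/token", clientAuth{ID: "my_cli", Secret: "my_cli_secret"}, "rt-1") returns the new token set, and revoke(idp.Client(), idp.URL+"/revoke", auth, "rt-2", "refresh_token") returns nil. Note that the returned tokens are never written to a log by this code; when a refresh token rotates, as "rt-1" to "rt-2" does here, the old one should be overwritten in the token store, and a stale refresh token should be treated as a sign to run the full authorization code flow again rather than retried.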
