authenticator

package module
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 15, 2020 License: BSD-3-Clause Imports: 10 Imported by: 2

README

Build Status codecov GoDoc Go Report Card

Authenticator

A stand-alone gRPC based authentication API. Easily integrate authentication into any custom project. Authenticator takes care of user credential storage and checking. It generates JSON Web tokens for users, which easily can be verified by other servers in your ecosystem using performant and secure EdDSA public key cryptography.

Benefits:
  • Added security, the user credentials live in a seperate database schema as you application's one. Creating a strict seperation in database access;
  • No more password checking logic in you application. Just send a API call to authenticator and check the generated token on each subseqeuent request;

Fautures

  • gRPC based, simply implement a client in your own preferred language by compiling protobuffer files;
  • Support for master/slave database setups using our own MultiDB library;
  • Admin panel for user management;
  • A basic HTTP based login server, based on redirects;
  • Argon2 hashed password storage;
  • User groups and "audiences" for fine grained authorization checking;
  • Comes with the verify Go library, which has ready to use token verification methods to integration even easier;

Status

This project is still under heavy development. We've recently deployed a beta version of the gRPC and admin server.

Future plans

  • Two factor authentication
  • OAuth2 provider support

Development

When developing against Authenticator, there is a docker-compose.yml file which sets up a development infrastructure. It start a postgresql instance, runs the neccesary migrations and start the server instances. You can download the Compose file or run this from the root of the repository:

docker compose up
  • The authenticator gRPC server will be served at port 8765.
  • The admin interface will be served at port 1234.

The defaut user is "admin@localhost", password "admin", member of the group "primary" and audience "authenticator".

Protocol buffers

The authenticator server uses gRPC through protocol buffers generation. To regenerate the gRPC definitions, run:

protoc --go_out=plugins=grpc:$(go env GOPATH)/src authenticator.proto

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var File_authenticator_proto protoreflect.FileDescriptor

Functions

func RegisterAuthenticatorServer 

func RegisterAuthenticatorServer(s *grpc.Server, srv AuthenticatorServer)

Types

type AuthReply 

type AuthReply struct {

	// JSON Web Token
	Jwt string `protobuf:"bytes,1,opt,name=jwt,proto3" json:"jwt,omitempty"`
	// contains filtered or unexported fields
}

func (*AuthReply) Descriptor deprecated 

func (*AuthReply) Descriptor() ([]byte, []int)

Deprecated: Use AuthReply.ProtoReflect.Descriptor instead.

func (*AuthReply) GetJwt 

func (x *AuthReply) GetJwt() string

func (*AuthReply) ProtoMessage 

func (*AuthReply) ProtoMessage()

func (*AuthReply) ProtoReflect added in v0.3.0 

func (x *AuthReply) ProtoReflect() protoreflect.Message

func (*AuthReply) Reset 

func (x *AuthReply) Reset()

func (*AuthReply) String 

func (x *AuthReply) String() string

type AuthenticatorClient 

type AuthenticatorClient interface {
	// RegisterPwUser registers a new user which can authenticate using a PW.
	// Server implementation should grant the user only a public role untill verification is complete.
	// Authorization: Public
	RegisterPwUser(ctx context.Context, in *RegistrationData, opts ...grpc.CallOption) (*RegistrationReply, error)
	// PasswordAuth authenticates the user by its registered email or username and password.
	// Authorization: Public
	AuthenticatePwUser(ctx context.Context, in *UserPassword, opts ...grpc.CallOption) (*AuthReply, error)
	// ChangeUserPw changes the password for the user. It needs either the old password or a password reset token.
	// Authorization: Public
	ChangeUserPw(ctx context.Context, in *NewUserPassword, opts ...grpc.CallOption) (*ChangePwReply, error)
	// CheckUserExists returns true for the UserID fields which already exists.
	// Authorization: Basic
	CheckUserExists(ctx context.Context, in *UserData, opts ...grpc.CallOption) (*Exists, error)
	// VerifyUser by previously transmitted (email) verification token
	// Authorization: Public
	VerifyUser(ctx context.Context, in *AuthReply, opts ...grpc.CallOption) (*AuthReply, error)
	// RefreshToken using an old (and valid!) token.
	// The user id and its authorization level are verified against the database.
	// Authorization: Public
	RefreshToken(ctx context.Context, in *AuthReply, opts ...grpc.CallOption) (*AuthReply, error)
	// PublicUserToken generates a token for public and unauthenticated users.
	// Such token can be used for API access and session tracking.
	// Authorization: Internal
	PublicUserToken(ctx context.Context, in *PublicUser, opts ...grpc.CallOption) (*AuthReply, error)
	// GetPubKey retrieves registered public keys from the database, identified by KeyIDs.
	// Authorization: Internal
	GetPubKey(ctx context.Context, in *KeyID, opts ...grpc.CallOption) (*PublicKey, error)
	// ResetUserPW sends a password reset e-mail to a registered user.
	// The e-mail will contain an URL, as per passed CallBackURL.
	// The URL will contain a token which (only) can be used for setting a new password.
	ResetUserPW(ctx context.Context, in *UserEmail, opts ...grpc.CallOption) (*empty.Empty, error)
}

AuthenticatorClient is the client API for Authenticator service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.

func NewAuthenticatorClient 

func NewAuthenticatorClient(cc grpc.ClientConnInterface) AuthenticatorClient

type AuthenticatorServer 

type AuthenticatorServer interface {
	// RegisterPwUser registers a new user which can authenticate using a PW.
	// Server implementation should grant the user only a public role untill verification is complete.
	// Authorization: Public
	RegisterPwUser(context.Context, *RegistrationData) (*RegistrationReply, error)
	// PasswordAuth authenticates the user by its registered email or username and password.
	// Authorization: Public
	AuthenticatePwUser(context.Context, *UserPassword) (*AuthReply, error)
	// ChangeUserPw changes the password for the user. It needs either the old password or a password reset token.
	// Authorization: Public
	ChangeUserPw(context.Context, *NewUserPassword) (*ChangePwReply, error)
	// CheckUserExists returns true for the UserID fields which already exists.
	// Authorization: Basic
	CheckUserExists(context.Context, *UserData) (*Exists, error)
	// VerifyUser by previously transmitted (email) verification token
	// Authorization: Public
	VerifyUser(context.Context, *AuthReply) (*AuthReply, error)
	// RefreshToken using an old (and valid!) token.
	// The user id and its authorization level are verified against the database.
	// Authorization: Public
	RefreshToken(context.Context, *AuthReply) (*AuthReply, error)
	// PublicUserToken generates a token for public and unauthenticated users.
	// Such token can be used for API access and session tracking.
	// Authorization: Internal
	PublicUserToken(context.Context, *PublicUser) (*AuthReply, error)
	// GetPubKey retrieves registered public keys from the database, identified by KeyIDs.
	// Authorization: Internal
	GetPubKey(context.Context, *KeyID) (*PublicKey, error)
	// ResetUserPW sends a password reset e-mail to a registered user.
	// The e-mail will contain an URL, as per passed CallBackURL.
	// The URL will contain a token which (only) can be used for setting a new password.
	ResetUserPW(context.Context, *UserEmail) (*empty.Empty, error)
}

AuthenticatorServer is the server API for Authenticator service.

type CallBackUrl 

type CallBackUrl struct {
	BaseUrl string `protobuf:"bytes,1,opt,name=base_url,json=baseUrl,proto3" json:"base_url,omitempty"`
	// Query paramater key under which the token will be set in the callback URL.
	// If empty, it defaults to "token"
	TokenKey string `protobuf:"bytes,2,opt,name=token_key,json=tokenKey,proto3" json:"token_key,omitempty"`
	// Other query parameters which need to be added to the callback URL.
	Params map[string]*StringSlice `` /* 153-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*CallBackUrl) Descriptor deprecated 

func (*CallBackUrl) Descriptor() ([]byte, []int)

Deprecated: Use CallBackUrl.ProtoReflect.Descriptor instead.

func (*CallBackUrl) GetBaseUrl 

func (x *CallBackUrl) GetBaseUrl() string

func (*CallBackUrl) GetParams 

func (x *CallBackUrl) GetParams() map[string]*StringSlice

func (*CallBackUrl) GetTokenKey 

func (x *CallBackUrl) GetTokenKey() string

func (*CallBackUrl) ProtoMessage 

func (*CallBackUrl) ProtoMessage()

func (*CallBackUrl) ProtoReflect added in v0.3.0 

func (x *CallBackUrl) ProtoReflect() protoreflect.Message

func (*CallBackUrl) Reset 

func (x *CallBackUrl) Reset()

func (*CallBackUrl) String 

func (x *CallBackUrl) String() string

type ChangePwReply 

type ChangePwReply struct {
	Success bool `protobuf:"varint,1,opt,name=success,proto3" json:"success,omitempty"`
	// contains filtered or unexported fields
}

func (*ChangePwReply) Descriptor deprecated 

func (*ChangePwReply) Descriptor() ([]byte, []int)

Deprecated: Use ChangePwReply.ProtoReflect.Descriptor instead.

func (*ChangePwReply) GetSuccess 

func (x *ChangePwReply) GetSuccess() bool

func (*ChangePwReply) ProtoMessage 

func (*ChangePwReply) ProtoMessage()

func (*ChangePwReply) ProtoReflect added in v0.3.0 

func (x *ChangePwReply) ProtoReflect() protoreflect.Message

func (*ChangePwReply) Reset 

func (x *ChangePwReply) Reset()

func (*ChangePwReply) String 

func (x *ChangePwReply) String() string

type Exists 

type Exists struct {
	Email bool `protobuf:"varint,1,opt,name=email,proto3" json:"email,omitempty"`
	// contains filtered or unexported fields
}

func (*Exists) Descriptor deprecated 

func (*Exists) Descriptor() ([]byte, []int)

Deprecated: Use Exists.ProtoReflect.Descriptor instead.

func (*Exists) GetEmail 

func (x *Exists) GetEmail() bool

func (*Exists) ProtoMessage 

func (*Exists) ProtoMessage()

func (*Exists) ProtoReflect added in v0.3.0 

func (x *Exists) ProtoReflect() protoreflect.Message

func (*Exists) Reset 

func (x *Exists) Reset()

func (*Exists) String 

func (x *Exists) String() string

type KeyID 

type KeyID struct {
	Kid int32 `protobuf:"varint,1,opt,name=kid,proto3" json:"kid,omitempty"`
	// contains filtered or unexported fields
}

func (*KeyID) Descriptor deprecated 

func (*KeyID) Descriptor() ([]byte, []int)

Deprecated: Use KeyID.ProtoReflect.Descriptor instead.

func (*KeyID) GetKid 

func (x *KeyID) GetKid() int32

func (*KeyID) ProtoMessage 

func (*KeyID) ProtoMessage()

func (*KeyID) ProtoReflect added in v0.3.0 

func (x *KeyID) ProtoReflect() protoreflect.Message

func (*KeyID) Reset 

func (x *KeyID) Reset()

func (*KeyID) String 

func (x *KeyID) String() string

type NewUserPassword 

type NewUserPassword struct {
	Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
	// Types that are assignable to Credential:
	//	*NewUserPassword_OldPassword
	//	*NewUserPassword_ResetToken
	Credential  isNewUserPassword_Credential `protobuf_oneof:"credential"`
	NewPassword string                       `protobuf:"bytes,5,opt,name=new_password,json=newPassword,proto3" json:"new_password,omitempty"`
	// contains filtered or unexported fields
}

func (*NewUserPassword) Descriptor deprecated 

func (*NewUserPassword) Descriptor() ([]byte, []int)

Deprecated: Use NewUserPassword.ProtoReflect.Descriptor instead.

func (*NewUserPassword) GetCredential 

func (m *NewUserPassword) GetCredential() isNewUserPassword_Credential

func (*NewUserPassword) GetEmail 

func (x *NewUserPassword) GetEmail() string

func (*NewUserPassword) GetNewPassword 

func (x *NewUserPassword) GetNewPassword() string

func (*NewUserPassword) GetOldPassword 

func (x *NewUserPassword) GetOldPassword() string

func (*NewUserPassword) GetResetToken 

func (x *NewUserPassword) GetResetToken() string

func (*NewUserPassword) ProtoMessage 

func (*NewUserPassword) ProtoMessage()

func (*NewUserPassword) ProtoReflect added in v0.3.0 

func (x *NewUserPassword) ProtoReflect() protoreflect.Message

func (*NewUserPassword) Reset 

func (x *NewUserPassword) Reset()

func (*NewUserPassword) String 

func (x *NewUserPassword) String() string

type NewUserPassword_OldPassword 

type NewUserPassword_OldPassword struct {
	OldPassword string `protobuf:"bytes,3,opt,name=old_password,json=oldPassword,proto3,oneof"`
}

type NewUserPassword_ResetToken 

type NewUserPassword_ResetToken struct {
	ResetToken string `protobuf:"bytes,4,opt,name=reset_token,json=resetToken,proto3,oneof"`
}

type PublicKey 

type PublicKey struct {
	Key []byte `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// contains filtered or unexported fields
}

func (*PublicKey) Descriptor deprecated 

func (*PublicKey) Descriptor() ([]byte, []int)

Deprecated: Use PublicKey.ProtoReflect.Descriptor instead.

func (*PublicKey) GetKey 

func (x *PublicKey) GetKey() []byte

func (*PublicKey) ProtoMessage 

func (*PublicKey) ProtoMessage()

func (*PublicKey) ProtoReflect added in v0.3.0 

func (x *PublicKey) ProtoReflect() protoreflect.Message

func (*PublicKey) Reset 

func (x *PublicKey) Reset()

func (*PublicKey) String 

func (x *PublicKey) String() string

type PublicUser 

type PublicUser struct {
	Uuid string `protobuf:"bytes,1,opt,name=uuid,proto3" json:"uuid,omitempty"`
	// contains filtered or unexported fields
}

func (*PublicUser) Descriptor deprecated 

func (*PublicUser) Descriptor() ([]byte, []int)

Deprecated: Use PublicUser.ProtoReflect.Descriptor instead.

func (*PublicUser) GetUuid 

func (x *PublicUser) GetUuid() string

func (*PublicUser) ProtoMessage 

func (*PublicUser) ProtoMessage()

func (*PublicUser) ProtoReflect added in v0.3.0 

func (x *PublicUser) ProtoReflect() protoreflect.Message

func (*PublicUser) Reset 

func (x *PublicUser) Reset()

func (*PublicUser) String 

func (x *PublicUser) String() string

type RegistrationData 

type RegistrationData struct {
	Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
	// Name is optional
	Name string       `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	Url  *CallBackUrl `protobuf:"bytes,3,opt,name=url,proto3" json:"url,omitempty"`
	// contains filtered or unexported fields
}

func (*RegistrationData) Descriptor deprecated 

func (*RegistrationData) Descriptor() ([]byte, []int)

Deprecated: Use RegistrationData.ProtoReflect.Descriptor instead.

func (*RegistrationData) GetEmail 

func (x *RegistrationData) GetEmail() string

func (*RegistrationData) GetName 

func (x *RegistrationData) GetName() string

func (*RegistrationData) GetUrl 

func (x *RegistrationData) GetUrl() *CallBackUrl

func (*RegistrationData) ProtoMessage 

func (*RegistrationData) ProtoMessage()

func (*RegistrationData) ProtoReflect added in v0.3.0 

func (x *RegistrationData) ProtoReflect() protoreflect.Message

func (*RegistrationData) Reset 

func (x *RegistrationData) Reset()

func (*RegistrationData) String 

func (x *RegistrationData) String() string

type RegistrationReply 

type RegistrationReply struct {
	UserId int32 `protobuf:"varint,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
	// contains filtered or unexported fields
}

func (*RegistrationReply) Descriptor deprecated 

func (*RegistrationReply) Descriptor() ([]byte, []int)

Deprecated: Use RegistrationReply.ProtoReflect.Descriptor instead.

func (*RegistrationReply) GetUserId 

func (x *RegistrationReply) GetUserId() int32

func (*RegistrationReply) ProtoMessage 

func (*RegistrationReply) ProtoMessage()

func (*RegistrationReply) ProtoReflect added in v0.3.0 

func (x *RegistrationReply) ProtoReflect() protoreflect.Message

func (*RegistrationReply) Reset 

func (x *RegistrationReply) Reset()

func (*RegistrationReply) String 

func (x *RegistrationReply) String() string

type StringSlice 

type StringSlice struct {
	Slice []string `protobuf:"bytes,1,rep,name=slice,proto3" json:"slice,omitempty"`
	// contains filtered or unexported fields
}

func (*StringSlice) Descriptor deprecated 

func (*StringSlice) Descriptor() ([]byte, []int)

Deprecated: Use StringSlice.ProtoReflect.Descriptor instead.

func (*StringSlice) GetSlice 

func (x *StringSlice) GetSlice() []string

func (*StringSlice) ProtoMessage 

func (*StringSlice) ProtoMessage()

func (*StringSlice) ProtoReflect added in v0.3.0 

func (x *StringSlice) ProtoReflect() protoreflect.Message

func (*StringSlice) Reset 

func (x *StringSlice) Reset()

func (*StringSlice) String 

func (x *StringSlice) String() string

type UnimplementedAuthenticatorServer 

type UnimplementedAuthenticatorServer struct {
}

UnimplementedAuthenticatorServer can be embedded to have forward compatible implementations.

func (*UnimplementedAuthenticatorServer) AuthenticatePwUser 

func (*UnimplementedAuthenticatorServer) AuthenticatePwUser(context.Context, *UserPassword) (*AuthReply, error)

func (*UnimplementedAuthenticatorServer) ChangeUserPw 

func (*UnimplementedAuthenticatorServer) ChangeUserPw(context.Context, *NewUserPassword) (*ChangePwReply, error)

func (*UnimplementedAuthenticatorServer) CheckUserExists 

func (*UnimplementedAuthenticatorServer) CheckUserExists(context.Context, *UserData) (*Exists, error)

func (*UnimplementedAuthenticatorServer) GetPubKey 

func (*UnimplementedAuthenticatorServer) GetPubKey(context.Context, *KeyID) (*PublicKey, error)

func (*UnimplementedAuthenticatorServer) PublicUserToken 

func (*UnimplementedAuthenticatorServer) PublicUserToken(context.Context, *PublicUser) (*AuthReply, error)

func (*UnimplementedAuthenticatorServer) RefreshToken 

func (*UnimplementedAuthenticatorServer) RefreshToken(context.Context, *AuthReply) (*AuthReply, error)

func (*UnimplementedAuthenticatorServer) RegisterPwUser 

func (*UnimplementedAuthenticatorServer) RegisterPwUser(context.Context, *RegistrationData) (*RegistrationReply, error)

func (*UnimplementedAuthenticatorServer) ResetUserPW added in v0.3.0 

func (*UnimplementedAuthenticatorServer) ResetUserPW(context.Context, *UserEmail) (*empty.Empty, error)

func (*UnimplementedAuthenticatorServer) VerifyUser 

func (*UnimplementedAuthenticatorServer) VerifyUser(context.Context, *AuthReply) (*AuthReply, error)

type UserData 

type UserData struct {
	Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
	// contains filtered or unexported fields
}

func (*UserData) Descriptor deprecated 

func (*UserData) Descriptor() ([]byte, []int)

Deprecated: Use UserData.ProtoReflect.Descriptor instead.

func (*UserData) GetEmail 

func (x *UserData) GetEmail() string

func (*UserData) ProtoMessage 

func (*UserData) ProtoMessage()

func (*UserData) ProtoReflect added in v0.3.0 

func (x *UserData) ProtoReflect() protoreflect.Message

func (*UserData) Reset 

func (x *UserData) Reset()

func (*UserData) String 

func (x *UserData) String() string

type UserEmail added in v0.3.0 

type UserEmail struct {
	Email string       `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
	Url   *CallBackUrl `protobuf:"bytes,2,opt,name=url,proto3" json:"url,omitempty"`
	// contains filtered or unexported fields
}

func (*UserEmail) Descriptor deprecated added in v0.3.0 

func (*UserEmail) Descriptor() ([]byte, []int)

Deprecated: Use UserEmail.ProtoReflect.Descriptor instead.

func (*UserEmail) GetEmail added in v0.3.0 

func (x *UserEmail) GetEmail() string

func (*UserEmail) GetUrl added in v0.3.0 

func (x *UserEmail) GetUrl() *CallBackUrl

func (*UserEmail) ProtoMessage added in v0.3.0 

func (*UserEmail) ProtoMessage()

func (*UserEmail) ProtoReflect added in v0.3.0 

func (x *UserEmail) ProtoReflect() protoreflect.Message

func (*UserEmail) Reset added in v0.3.0 

func (x *UserEmail) Reset()

func (*UserEmail) String added in v0.3.0 

func (x *UserEmail) String() string

type UserPassword 

type UserPassword struct {
	Email    string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
	Password string `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
	// contains filtered or unexported fields
}

UserPassword holds the e-mail of the user and its password.

func (*UserPassword) Descriptor deprecated 

func (*UserPassword) Descriptor() ([]byte, []int)

Deprecated: Use UserPassword.ProtoReflect.Descriptor instead.

func (*UserPassword) GetEmail 

func (x *UserPassword) GetEmail() string

func (*UserPassword) GetPassword 

func (x *UserPassword) GetPassword() string

func (*UserPassword) ProtoMessage 

func (*UserPassword) ProtoMessage()

func (*UserPassword) ProtoReflect added in v0.3.0 

func (x *UserPassword) ProtoReflect() protoreflect.Message

func (*UserPassword) Reset 

func (x *UserPassword) Reset()

func (*UserPassword) String 

func (x *UserPassword) String() string

Source Files

View all Source files

Directories

Path Synopsis
cmd
admin
httpauth
server
Package middleware provides means of verifying JWTs generated by `cmd/admin`'s login handler or similar mechanisms.
 Package middleware provides means of verifying JWTs generated by `cmd/admin`'s login handler or similar mechanisms.
Package verify provides middleware for GRPc servers which need to verify JSON Web Tokens generated by this Authenticator service.
 Package verify provides middleware for GRPc servers which need to verify JSON Web Tokens generated by this Authenticator service.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.