Go OAuth2 Server

An OAuth2 server in Go. This project uses an embedded RangeDB event store.

Docs

Docs

Docker

docker run -p 8080:8080 inklabs/goauth2

Client Credentials Grant

https://tools.ietf.org/html/rfc6749#section-4.4

+---------+                                  +---------------+
|         |                                  |               |
|         |>--(A)- Client Authentication --->| Authorization |
| Client  |                                  |     Server    |
|         |<--(B)---- Access Token ---------<|               |
|         |                                  |               |
+---------+                                  +---------------+

curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=client_credentials" \
    -d "scope=read_write"

{
  "access_token": "d5f4985587ea46028c0946e4a240a9c1",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write"
}

Resource Owner Password Credentials

https://tools.ietf.org/html/rfc6749#section-4.3

+----------+
| Resource |
|  Owner   |
|          |
+----------+
     v
     |    Resource Owner
     (A) Password Credentials
     |
     v
+---------+                                  +---------------+
|         |>--(B)---- Resource Owner ------->|               |
|         |         Password Credentials     | Authorization |
| Client  |                                  |     Server    |
|         |<--(C)---- Access Token ---------<|               |
|         |    (w/ Optional Refresh Token)   |               |
+---------+                                  +---------------+

curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=password" \
    -d "username=john@example.com" \
    -d "password=Pass123!" \
    -d "scope=read_write"

{
  "access_token": "a3c5300be4d24e65a68176c7ba521c50",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "3a801b1fc3d847599b3d5719d82bca7b"
}

Refresh Token

+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+

curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=refresh_token" \
    -d "refresh_token=3a801b1fc3d847599b3d5719d82bca7b"

{
  "access_token": "97ed11d0d399454eb5ab2cab8b29f600",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "b4c69a71124641739f6a83b786b332d3"
}

Authorization Code

https://tools.ietf.org/html/rfc6749#section-4.1

+----------+
| Resource |
|   Owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)

open http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=code&state=somestate&scope=read_write

Login via the web form (john@example.com | Pass123!)
Click button to grant access
The authorization server redirects back to the redirection URI including an authorization code and any state provided by the client

https://example.com/oauth2/callback?code=36e2807ee1f94252ac2d9b1d3adf2ba2&state=somestate

curl localhost:8080/token \
    -u client_id_hash:client_secret_hash \
    -d "grant_type=authorization_code" \
    -d "code=36e2807ee1f94252ac2d9b1d3adf2ba2" \
    -d "redirect_uri=https://example.com/oauth2/callback"

{
  "access_token": "865382b944024b2394167d519fa80cba",
  "expires_at": 1574371565,
  "token_type": "Bearer",
  "scope": "read_write",
  "refresh_token": "48403032170e46e8af72b7cca1612b43"
}

Implicit

http://tools.ietf.org/html/rfc6749#section-4.2

+----------+
| Resource |
|  Owner   |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier     +---------------+
|         -+----(A)-- & Redirection URI --->|               |
|  User-   |                                | Authorization |
|  Agent  -|----(B)-- User authenticates -->|     Server    |
|          |                                |               |
|          |<---(C)--- Redirection URI ----<|               |
|          |          with Access Token     +---------------+
|          |            in Fragment
|          |                                +---------------+
|          |----(D)--- Redirection URI ---->|   Web-Hosted  |
|          |          without Fragment      |     Client    |
|          |                                |    Resource   |
|     (F)  |<---(E)------- Script ---------<|               |
|          |                                +---------------+
+-|--------+
  |    |
 (A)  (G) Access Token
  |    |
  ^    v
+---------+
|         |
|  Client |
|         |
+---------+

open http://localhost:8080/authorize?client_id=client_id_hash&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2%2Fcallback&response_type=token&state=somestate&scope=read_write

Login via the web form (john@example.com | Pass123!)
Click button to grant access
The authorization server redirects back to the redirection URI including an access token and any state provided by the client in the URI fragment

https://example.com/oauth2/callback#access_token=1e21103279e549779a9b5c07d50e641d&expires_at=1574371565&scope=read_write&state=somestate&token_type=Bearer

Name		Name	Last commit message	Last commit date
Latest commit History 67 Commits
.run		.run
build		build
cmd/goauth2		cmd/goauth2
docs		docs
goauth2test		goauth2test
pkg/securepass		pkg/securepass
projection		projection
provider/uuidtoken		provider/uuidtoken
web		web
.gitignore		.gitignore
.travis.yml		.travis.yml
LICENSE		LICENSE
README.md		README.md
TODO.md		TODO.md
authorization_code.go		authorization_code.go
authorization_code_commands.go		authorization_code_commands.go
authorization_code_events.go		authorization_code_events.go
authorization_code_process_manager.go		authorization_code_process_manager.go
authorization_code_refresh_tokens_projection.go		authorization_code_refresh_tokens_projection.go
authorization_code_refresh_tokens_projection_test.go		authorization_code_refresh_tokens_projection_test.go
client_application.go		client_application.go
client_application_command_authorization.go		client_application_command_authorization.go
client_application_commands.go		client_application_commands.go
client_application_events.go		client_application_events.go
commands.go		commands.go
events.go		events.go
go.mod		go.mod
go.sum		go.sum
goauth2.go		goauth2.go
goauth2_test.go		goauth2_test.go
helper_test.go		helper_test.go
passwords.go		passwords.go
passwords_test.go		passwords_test.go
refresh_token.go		refresh_token.go
refresh_token_commands.go		refresh_token_commands.go
refresh_token_events.go		refresh_token_events.go
refresh_token_process_manager.go		refresh_token_process_manager.go
resource_owner.go		resource_owner.go
resource_owner_command_authorization.go		resource_owner_command_authorization.go
resource_owner_commands.go		resource_owner_commands.go
resource_owner_events.go		resource_owner_events.go

License

inklabs/goauth2

Folders and files

Latest commit

History

Repository files navigation

Go OAuth2 Server

Docs

Docker

Client Credentials Grant

Resource Owner Password Credentials

Refresh Token

Authorization Code

Implicit

About

Resources

License

Stars

Watchers

Forks

Languages