oauth

package module
v0.4.0 Latest
Warning

This package is not in the latest version of its module.
Published: May 2, 2022 License: Apache-2.0 Imports: 18 Imported by: 0

README

go-oauth-cli-client

Add MFA/2FA support in your CLI for IDPs that support OAuth 2.0 Authorization Code Flow

Features

  • MFA/2FA with minimal user interaction
    • If e.g. Active Directory is used for other services as well, the user is often already logged in in the browser, and can close the browser once the token exchange has completed in the background
  • Starts a temporary local server with a callback endpoint to receive the code, and exchanges it for a token
  • State verification
  • Includes the recommended PKCE - Proof Key for Code Exchange extension
  • Cross platform default browser invocation
  • Zero dependencies

Usage

Configure OAuth Client in the OAuth server

client_id: "my_cli"
redirect_uris: ["http://localhost"]

Get this library

go get github.com/EikaGruppen/go-oauth-cli-client

Use it

opts := oauth.Options{
  AuthorizationEndpoint: "https://the.oauth.server.com/authorize",
  TokenEndpoint: "https://the.oauth.server.com/token",
  ClientId: "my_cli",
  ClientSecret: "my_cli_secret", // optional
  AuthorizationExtParams: map[string]string{"scope": "openid"}, // optional
}

tokenResponse, err := oauth.AuthorizationCodeFlow(opts) // will open browser for user to do MFA, and show callback page there when done
if err != nil {
  // handle
}

fmt.Println(tokenResponse.AccessToken)
fmt.Println(tokenResponse.IdToken) // optional
fmt.Println(tokenResponse.RefreshToken) // optional
fmt.Println(tokenResponse.ExpiresIn)

// store tokens safely, and use them to authorize towards the service

The callback page lets the user know whether the auth was successful or not, and that they may close the page and go back to the terminal:

+----------------------------------------------------------------+
|   +---------------------------------------------------+        |
|   | 🔍️ |  http://localhost:8080/oauth/callback        |        |
|   +---------------------------------------------------+        |
|                                                                |
|                  Logged in successfully!                       |
|                                                                |
|           _You may now close this browser window_              |
|                                                                |
|                        [ close ]                               |
|                                                                |
+----------------------------------------------------------------+

Redirect URI

By default, http://localhost:<chosen port>/oauth/callback will be used. This can be overridden by setting RedirectUri:

redirectUri, err := url.Parse("https://my-url.com/the/callback")
// handle err

opts := oauth.Options{
  // ...
  RedirectUri: redirectUri, // exported field name, as declared in Options
  // ...
}

Documentation

Index

Constants
const (
	DefaultLength = 32
)

Variables

This section is empty.

Functions

func OpenUrl

func OpenUrl(url *url.URL) error

Types

type CallbackPage

type CallbackPage struct {
	Title   string
	Heading string
	Message string
}

type Options

type Options struct {
	AuthorizationEndpoint string
	// Extensions to the standard OAuth Parameters for the authorization endpoint
	Scopes                 []string
	AuthorizationExtParams map[string]string
	TokenEndpoint          string

	ClientId     string
	ClientSecret string

	RedirectUri *url.URL

	PortRange PortRange
}

type PortRange

type PortRange struct {
	Start int
	End   int
}

type TokenResponse

type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	IdToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int64  `json:"expires_in"`
}

func AuthorizationCodeFlow

func AuthorizationCodeFlow(opts Options) (tokenResponse *TokenResponse, err error)
