Documentation ¶
Overview ¶
Package openid implements OpenID Connect authentication.
The package uses the ID Token (implicit) flow: the ID token carries the user's email in its claims, so no further token-exchange requests to the provider are required.

A temporary nonce cookie (__Host-AuthNonce) is set at the beginning of the flow and checked against the nonce claim of the returned ID token at the end, which protects against login CSRF. Because the ID token is returned to the redirect URI in the URL fragment, which the browser never sends to the server, a small piece of JavaScript on the callback page sends it to the server via POST. The ID token is then verified and stored in a cookie (__Host-AuthToken) with an expiration of 1 year. On later requests the ID token is read from that cookie, verified again, and the user email is extracted from it.

Since an ID token typically expires after only 1h, the exp claim is checked only during authentication and not on subsequent requests: the effective session lifetime is therefore the cookie's, not the token's. The user email must be verified at the provider (the email_verified claim).
To use it:
1) Choose an identity provider, e.g. Google
2) Register an OAuth application at the provider
- configure OAuth consent screen, e.g. at https://console.developers.google.com/apis/credentials/consent
- create an OAuth Client ID credential of type Web, e.g. at https://console.developers.google.com/apis/credentials
- for authorized redirect URIs add your origin + /auth/callback
- create and copy the client ID, the client secret is not needed
3) Use the package
	ctx := context.Background()
	auth := openid.New(ctx, &openid.Config{
		Provider: "https://accounts.google.com",
		ClientID: "xxx.apps.googleusercontent.com",
	})
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		user, err := auth.User(r) // email taken from the verified __Host-AuthToken cookie
		if err != nil {
			auth.Redirect(w, r) // not logged in: start the flow at the provider
			return
		}
		fmt.Fprintf(w, "Hello %v", user)
	})
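As an added example (my own code, not part of the openid package), the checks the overview describes, carried out on an ID token with the Go standard library only. An in-process RS256 signer stands in for the provider, whose public key the package would instead fetch from its published keys; the nonce comparison that defeats login CSRF and the exp check apply only at the callback, while signature, issuer, audience and email_verified are checked every time the token is read back from the cookie. The function names, the __Host- cookie helper, the claim values and the single-string aud are my assumptions, not the package's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims are the ID token claims the flow relies on ("aud" modelled as a string, as Google sends it).
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Exp           int64  `json:"exp"`
	Nonce         string `json:"nonce"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

var b64 = base64.RawURLEncoding

// hostCookie meets the browser rules for the __Host- prefix: Secure, Path=/, no Domain.
func hostCookie(name, value string, maxAge time.Duration) *http.Cookie {
	return &http.Cookie{Name: "__Host-" + name, Value: value, Path: "/", Secure: true,
		HttpOnly: true, SameSite: http.SameSiteLaxMode, MaxAge: int(maxAge.Seconds())}
}

// signIDToken mints an RS256 JWT. It stands in for the provider, which in the
// real flow returns the token in the fragment of the redirect URI.
func signIDToken(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // only fails on a broken key
	return input + "." + b64.EncodeToString(sig)
}

// verifyIDToken checks signature, issuer, audience and email_verified every time.
// The nonce is compared only when wantNonce is set and exp only when checkExpiry
// is true: both at the callback, neither when the token is re-read from the
// long-lived __Host-AuthToken cookie. The alg is pinned before any key is used.
func verifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID, wantNonce string, checkExpiry bool, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := b64.DecodeString(parts[0])
	pb, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed token encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != clientID:
		return nil, errors.New("token was not issued for this client")
	case wantNonce != "" && subtle.ConstantTimeCompare([]byte(c.Nonce), []byte(wantNonce)) != 1:
		return nil, errors.New("nonce mismatch: possible login CSRF")
	case checkExpiry && !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case !c.EmailVerified:
		return nil, errors.New("email not verified at provider")
	}
	return &c, nil
}

func main() {
	const issuer, clientID = "https://accounts.google.com", "xxx.apps.googleusercontent.com"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	nonce := make([]byte, 16) // value of __Host-AuthNonce and of the nonce request parameter
	rand.Read(nonce)
	want := b64.EncodeToString(nonce)
	tok := signIDToken(priv, Claims{Iss: issuer, Aud: clientID, Exp: time.Now().Add(time.Hour).Unix(), Nonce: want, Email: "alice@example.com", EmailVerified: true})
	c, err := verifyIDToken(tok, &priv.PublicKey, issuer, clientID, want, true, time.Now())
	fmt.Printf("claims=%+v err=%v cookie=%s\n", c, err, hostCookie("AuthToken", tok, 365*24*time.Hour).Name)
}
```

Two details worth keeping when adapting this: the alg is pinned to RS256 before the key is touched, so a token declaring "none" or an HMAC alg cannot be replayed against the RSA public key, and the nonce is compared with a constant-time function against the value read from the __Host-AuthNonce cookie, never against a value supplied in the request.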
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Auth ¶
type Auth struct {
// contains filtered or unexported fields
}
Auth represents the auth module.
func New ¶
New creates a new authentication module. It registers a handler at /auth/callback for the provider.
Example ¶
	package main

	import (
		"context"
		"fmt"
		"net/http"

		"github.com/StalkR/openid"
	)

	func main() {
		ctx := context.Background()
		// New registers the /auth/callback handler for the provider.
		auth := openid.New(ctx, &openid.Config{
			Provider: "https://accounts.google.com",
			ClientID: "xxx.apps.googleusercontent.com",
		})
		http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
			user, err := auth.User(r) // email taken from the verified __Host-AuthToken cookie
			if err != nil {
				auth.Redirect(w, r) // not logged in: start the flow at the provider
				return
			}
			fmt.Fprintf(w, "Hello %v", user)
		})
	}