openid

README

Go OpenID Connect authentication library

Bugs, comments, questions: create a new issue.

Documentation

Overview

Package openid implements OpenID Connect authentication.

The package uses the ID Token flow, as it conveniently stores the user email in the claims, so no further exchange requests are required. A temporary nonce cookie (__Host-AuthNonce) is established at the beginning and verified at the end of the flow, protecting against login CSRF. As the ID token is returned to the redirect URI in the fragment, a small JavaScript is responsible for sending it to the server via POST. The ID token is then verified and stored in a cookie (__Host-AuthToken) with an expiration of 1 year. On future requests, the ID token is obtained and verified from the cookie, and the user email can be extracted. Since the ID token expiration is typically only 1h, expiry is only verified during authentication and not in subsequent requests. The user email must be verified at the provider.

To use it:

1) Choose an identity provider, e.g. Google

2) Register an OAuth application at the provider

• configure OAuth consent screen, e.g. at https://console.developers.google.com/apis/credentials/consent
• create an OAuth Client ID credential of type Web, e.g. at https://console.developers.google.com/apis/credentials
• for authorized redirect URIs add your origin + /auth/callback
• create and copy the client ID, the client secret is not needed

3) Use the package

ctx := context.Background()
auth := openid.New(ctx, &openid.Config{
        Provider: "https://accounts.google.com",
        ClientID: "xxx.apps.googleusercontent.com",
})
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        user, err := auth.User(r)
        if err != nil {
                auth.Redirect(w, r)
                return
        }
        fmt.Fprintf(w, "Hello %v", user)
})

Index

• type Auth
  • func New(ctx context.Context, config *Config) *Auth
  • func (s *Auth) Redirect(w http.ResponseWriter, r *http.Request)
  • func (s *Auth) User(r *http.Request) (string, error)
• type Config

Examples

• New

Types

type Auth

type Auth struct {
	// contains filtered or unexported fields
}

Auth represents the auth module.

func New

func New(ctx context.Context, config *Config) *Auth

New creates a new authentication module. It registers a handler at /auth/callback for the provider.

Example

package main

import (
	"context"
	"fmt"
	"net/http"

	"github.com/StalkR/openid"
)

func main() {
	ctx := context.Background()
	auth := openid.New(ctx, &openid.Config{
		Provider: "https://accounts.google.com",
		ClientID: "xxx.apps.googleusercontent.com",
	})
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		user, err := auth.User(r)
		if err != nil {
			auth.Redirect(w, r)
			return
		}
		fmt.Fprintf(w, "Hello %v", user)
	})
}

func (*Auth) Redirect

func (s *Auth) Redirect(w http.ResponseWriter, r *http.Request)

Redirect redirects the user to the provider for authentication.

func (*Auth) User

func (s *Auth) User(r *http.Request) (string, error)

User returns the user email after verifying the id token cookie.

type Config

type Config struct {
	Provider string
	ClientID string
}

Config configures the auth module.