auth0

package module

v0.0.0-...-aacf0f7 Latest Latest Go to latest Published: Oct 29, 2017 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ellulpatrick/go-auth0

Links

Open Source Insights

README ¶

auth0

auth0 is a package helping to authenticate using the Auth0 service.

Installation

go get github.com/auth0-community/go-auth0

Client Credentials - HS256

Using HS256, the validation key is the secret you retrieve in the dashboard.

// Creates a configuration with the Auth0 information
secret, _ := base64.URLEncoding.DecodeString(os.Getenv("AUTH0_CLIENT_SECRET"))
secretProvider := auth0.NewKeyProvider(secret)
audience := os.Getenv("AUTH0_CLIENT_ID")

configuration := auth0.NewConfiguration(secretProvider, []string{audience}, "https://mydomain.eu.auth0.com/", jose.HS256)
validator := auth0.NewValidator(configuration)

token, err := validator.ValidateRequest(r)

if err != nil {
    fmt.Println("Token is not valid:", token)
}

Client Credentials - RS256

Using RS256, the validation key is the certificate you find in advanced settings

// Extracted from https://github.com/square/go-jose/blob/master/utils.go
// LoadPublicKey loads a public key from PEM/DER-encoded data.
func LoadPublicKey(data []byte) (interface{}, error) {
	input := data

	block, _ := pem.Decode(data)
	if block != nil {
		input = block.Bytes
	}

	// Try to load SubjectPublicKeyInfo
	pub, err0 := x509.ParsePKIXPublicKey(input)
	if err0 == nil {
		return pub, nil
	}

	cert, err1 := x509.ParseCertificate(input)
	if err1 == nil {
		return cert.PublicKey, nil
	}

	return nil, fmt.Errorf("square/go-jose: parse error, got '%s' and '%s'", err0, err1)
}
// Create a configuration with the Auth0 information
secret, _ := LoadPublicKey(sharedKey)
secretProvider := auth0.NewKeyProvider(secret)
audience := os.Getenv("AUTH0_CLIENT_ID")

configuration := auth0.NewConfiguration(secretProvider, []string{audience}, "https://mydomain.eu.auth0.com/", jose.RS256)
validator := auth0.NewValidator(configuration)

token, err := validator.ValidateRequest(r)

if err != nil {
    fmt.Println("Token is not valid:", token)
}

API with JWK

   
client := NewJWKClient(JWKClientOptions{URI: "https://mydomain.eu.auth0.com/.well-known/jwks.json"})
audience := os.Getenv("AUTH0_CLIENT_ID")
configuration := NewConfiguration(client, []string{audience}, "https://mydomain.eu.auth0.com/", jose.RS256)
validator := NewValidator(configuration)

token, err := validator.ValidateRequest(r)

if err != nil {
    fmt.Println("Token is not valid:", token)
}

Example

Gin

Using Gin and the Auth0 Authorization Extension, you may want to implement the authentication auth like the following:

var auth.AdminGroup string = "my_admin_group"

// Access Control Helper function.
func shouldAccess(wantedGroups []string, groups []interface{}) bool { 
 /* Fill depending on your needs */
}

// Wrapping a Gin endpoint with Auth0 Groups.
func Auth0Groups(wantedGroups ...string) gin.HandlerFunc {

	return gin.HandlerFunc(func(c *gin.Context) {

		tok, err := validator.ValidateRequest(c.Request)
		if err != nil {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
			c.Abort()
			log.Println("Invalid token:", err)
			return
		}

		claims := map[string]interface{}{}
		err = validator.Claims(c.Request, tok, &claims)
		if err != nil {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid claims"})
			c.Abort()
			log.Println("Invalid claims:", err)
			return
		}

		metadata, okMetadata := claims["app_metadata"].(map[string]interface{})
		authorization, okAuthorization := metadata["authorization"].(map[string]interface{})
		groups, hasGroups := authorization["groups"].([]interface{})
		if !okMetadata || !okAuthorization || !hasGroups || !shouldAccess(wantedGroups, groups) {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "need more privileges"})
			c.Abort()
			log.Println("Need more provileges")
			return
		}
		c.Next()
	})
}

// Use it
r.PUT("/news", auth.Auth0Groups(auth.AdminGroup), api.GetNews)

For a sample usage, take a look inside the example directory.

Documentation ¶

Index ¶

Variables
func FromHeader(r *http.Request) (*jwt.JSONWebToken, error)
type Configuration
- func NewConfiguration(provider SecretProvider, audience []string, issuer string, ...) Configuration
type JWKClient
- func NewJWKClient(options JWKClientOptions) *JWKClient
- func (j *JWKClient) GetKey(ID string) (jose.JSONWebKey, error)
- func (j *JWKClient) GetSecret(req *http.Request) (interface{}, error)
type JWKClientOptions
type JWKS
type JWTValidator
- func NewValidator(config Configuration) *JWTValidator
- func NewValidatorCustomExtractor(config Configuration, extractor RequestTokenExtractor) *JWTValidator
- func (v *JWTValidator) Claims(req *http.Request, token *jwt.JSONWebToken, values ...interface{}) error
- func (v *JWTValidator) ValidateRequest(r *http.Request) (*jwt.JSONWebToken, error)
type RequestTokenExtractor
type RequestTokenExtractorFunc
- func (f RequestTokenExtractorFunc) Extract(r *http.Request) (*jwt.JSONWebToken, error)
type SecretProvider
- func NewKeyProvider(key interface{}) SecretProvider
type SecretProviderFunc
- func (f SecretProviderFunc) GetSecret(req *http.Request) (interface{}, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrInvalidContentType = errors.New("Should have a JSON content type for JWKS endpoint.")
	ErrNoKeyFound         = errors.New("No Keys has been found")
	ErrInvalidTokenHeader = errors.New("No valid header found")
	ErrInvalidAlgorithm   = errors.New("Only RS256 is supported")
)

View Source

var (
	ErrNoJWTHeaders = errors.New("No headers in the token")
)

View Source

var (
	ErrTokenNotFound = errors.New("Token not found")
)

Functions ¶

func FromHeader ¶

func FromHeader(r *http.Request) (*jwt.JSONWebToken, error)

FromHeader looks for the request in the authentication header or call ParseMultipartForm if not present.

Types ¶

type Configuration ¶

type Configuration struct {
	// contains filtered or unexported fields
}

Configuration contains all the information about the Auth0 service.

func NewConfiguration ¶

func NewConfiguration(provider SecretProvider, audience []string, issuer string, method jose.SignatureAlgorithm) Configuration

NewConfiguration creates a configuration for server

type JWKClient ¶

type JWKClient struct {
	// contains filtered or unexported fields
}

func NewJWKClient ¶

func NewJWKClient(options JWKClientOptions) *JWKClient

NewJWKClient creates a new JWKClient instance from the provided options.

func (*JWKClient) GetKey ¶

func (j *JWKClient) GetKey(ID string) (jose.JSONWebKey, error)

GetKey returns the key associated with the provided ID.

func (*JWKClient) GetSecret ¶

func (j *JWKClient) GetSecret(req *http.Request) (interface{}, error)

type JWKClientOptions ¶

type JWKClientOptions struct {
	URI            string
	TokenExtractor RequestTokenExtractor
}

type JWKS ¶

type JWKS struct {
	Keys []jose.JSONWebKey `json:"keys"`
}

type JWTValidator ¶

type JWTValidator struct {
	// contains filtered or unexported fields
}

JWTValidator helps middleware to validate token

func NewValidator ¶

func NewValidator(config Configuration) *JWTValidator

NewValidator creates a new validator with the provided configuration.

func NewValidatorCustomExtractor ¶

func NewValidatorCustomExtractor(config Configuration, extractor RequestTokenExtractor) *JWTValidator

NewValidator creates a new validator with the provided configuration.

func (*JWTValidator) Claims ¶

func (v *JWTValidator) Claims(req *http.Request, token *jwt.JSONWebToken, values ...interface{}) error

Claims unmarshall the claims of the provided token

func (*JWTValidator) ValidateRequest ¶

func (v *JWTValidator) ValidateRequest(r *http.Request) (*jwt.JSONWebToken, error)

ValidateRequest validates the token within the http request.

type RequestTokenExtractor ¶

type RequestTokenExtractor interface {
	Extract(r *http.Request) (*jwt.JSONWebToken, error)
}

RequestTokenExtractor can extract a JWT from a request.

type RequestTokenExtractorFunc ¶

type RequestTokenExtractorFunc func(r *http.Request) (*jwt.JSONWebToken, error)

RequestTokenExtractorFunc function conforming to the RequestTokenExtractor interface.

func (RequestTokenExtractorFunc) Extract ¶

func (f RequestTokenExtractorFunc) Extract(r *http.Request) (*jwt.JSONWebToken, error)

Extract calls f(r)

type SecretProvider ¶

type SecretProvider interface {
	GetSecret(req *http.Request) (interface{}, error)
}

SecretProvider will provide everything needed retrieve the secret.

func NewKeyProvider ¶

func NewKeyProvider(key interface{}) SecretProvider

NewKeyProvider provide a simple passphrase key provider.

type SecretProviderFunc ¶

type SecretProviderFunc func(req *http.Request) (interface{}, error)

SecretProviderFunc simple wrappers to provide secret with functions.

func (SecretProviderFunc) GetSecret ¶

func (f SecretProviderFunc) GetSecret(req *http.Request) (interface{}, error)

GetSecret implements the SecretProvider interface.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
example

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL