Authentication framework for Go applications.
- OAuth2 today
- Supports other protocols too
- Multiple providers - Supports Google, GitHub and Facebook and more
- Easily extensible
- Example web app to copy
- Works beautifully with Goweb
- Fully TDD
- Jump right into the API Documentation
Install Gomniauth by doing:
go get github.com/toggl/gomniauth
Check out the example web app code to see how to use Gomniauth using Goweb.
- If you add a provider that others could also make use of, please send us a Pull Request and we'll add it to the repo.
First and only once for your application, you need to setup the security key and providers. The security key is used when hashing any data that gets transmitted to ensure its integrity.
You are free to use the signature package's RandomKey function to generate a unique code every time your application starts.
gomniauth.SetSecurityKey(signature.RandomKey(64))
A provider represents an authentication service that will be available to your users. Usually, you'll have to add some configuration of your own, such as your application key
and secret
(provided by the auth service), and the callback
into your app where users will be sent following successful (or not) authentication.
gomniauth.WithProviders(
github.New("key", "secret", "callback"),
google.New("key", "secret", "callback"),
)
The callback should be an absolute URL to your application and should include the provider name in some way.
For example, in the example web app we used the following format for callbacks:
http://mydomain.com/auth/{provider}/callback
When a user tries to access a protected resource, or if you want to make third party authenticated API calls, you need a mechanism to decide whether a user is logged in or not. For web apps, cookies usually work, if you're building an API, then you should consider some kind of auth token.
If they are not logged in, you need to provide them with a list of providers from which they can choose.
You can access a list of the providers you are supporting by calling the gomniauth.Providers()
function.
Once a provider has been chosen, you must redirect them to be authenticated. You can do this by using the gomniauth.Provider
function, that will return a Provider by name.
So if the user chooses to login using Github, you would do:
provider, err := gomniauth.Provider("github")
Once you have your provider, you can get the URL to redirect users to by calling:
authUrl, err := provider.GetBeginAuthURL(state, options)
You should then redirect the user to the authUrl
.
The state
parameter is a State
object that contains information that will be hashed and passed (via the third party) through to your callback (see below). Usually, this object contains the URL to redirect to once authentication has completed, but you can store whatever you like in here.
The options
parameter is an objx.Map
containing additional query-string parameters that will be sent to the authentication service. For example, in OAuth2 implementations, you can specify a scope
parameter to get additional access to other services you might need.
Once the third party authentication service has finished processing the request, they will send the user back to your callback URL.
Remember, you specified the callback URL when you setup your providers.
For example, the user might hit:
http://yourdomain.com/auth/github/callback?code=abc123
You don't need to worry about the detail of the parameters passed back, because Gomniauth takes care of those for you. You just need to pass them into the CompleteAuth
method of your provider:
provider, err := gomniauth.Provider("github")
creds, err := provider.CompleteAuth(queryParams)
NOTE: It's unlikely you'll hard-code the provider name, we have done it here to make it obvious what's going on.
The provider will then do the work in the background to complete the authentication and return the creds
for that user. The creds
are then used to make authenticated requests to the third party (in this case Github) on behalf of the user.
If you then want some information about the user who just authenticated, you can call the GetUser
method on the provider (passing in the creds
from the CompleteAuth
method.)
The User you get back will give you access to the common user data you will need (like name, email, avatar URL etc) and also an objx.Map
of Data()
that contains everything else.
Once you had the credentials for a user for a given provider, you should cache them in your own datastore. This will mean that if the cookie hasn't expired, or if the client has stored the auth token, they can continue to use the service without having to log in again.