2. 程式人生 > >Go Oauth2 Tutorial

Go Oauth2 Tutorial

阿新 發佈:2018-12-29

Welcome fellow coders! In this tutorial, we are going to be taking a look at how you can implement your own OAuth2 Server and client using the go-oauth2/oauth2 package.

This is without a doubt one of the most requested topics from commentors on my YouTube videos and it’s certainly something that I myself find incredibly interesting.

Security is without doubt a very important feature for any public and even private facing service or API and it’s something that you need to pay a lot of attention to in order to get it right.

The Theory

So, before we dive into how we can code this up, it’s important to know how it works in the background. Typically, we have a client

that will start by making an authorization request to the resource owner. The resource owner then either grants or denies this request.

With this authorization grant the client then passes this to the authorization server which will grant back an access token. It is with this granted access token that our client

can then access a protected resource such as an API or a service.

So, with that said, let’s now look at how we can implement our own authorization server using this go-oauth2/oauth2 package.

Note - If you are interested in seeing the RFC that Oauth2 implementations follow, you can find it here: RFC-6749

A Simple Oauth2 Flow

We’ll start off by implementing a really simple server based on the example that they provide within their documentation. When we pass an client id and a client secret to our authorization server it should return us with our access token that’ll look something like this:

1
2

{"access_token":"Z_1QUVC5M_EOCESISKW8AQ","expires_in":7200,"scope":"read","token_type":"Bearer"}

So, let’s dive into our server implementation and see if we can decipher what’s going on:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

package main

import (
	"log"
	"net/http"
	"net/url"
	"os"

	"github.com/go-session/session"
	"gopkg.in/oauth2.v3/errors"
	"gopkg.in/oauth2.v3/manage"
	"gopkg.in/oauth2.v3/models"
	"gopkg.in/oauth2.v3/server"
	"gopkg.in/oauth2.v3/store"
)

func main() {
	manager := manage.NewDefaultManager()
	// token store
	manager.MustTokenStorage(store.NewMemoryTokenStore())

	clientStore := store.NewClientStore()
	clientStore.Set("222222", &models.Client{
		ID:     "222222",
		Secret: "22222222",
		Domain: "http://localhost:9094",
	})
	manager.MapClientStorage(clientStore)

	srv := server.NewServer(server.NewConfig(), manager)
	srv.SetUserAuthorizationHandler(userAuthorizeHandler)

	srv.SetInternalErrorHandler(func(err error) (re *errors.Response) {
		log.Println("Internal Error:", err.Error())
		return
	})

	srv.SetResponseErrorHandler(func(re *errors.Response) {
		log.Println("Response Error:", re.Error.Error())
	})

	http.HandleFunc("/login", loginHandler)
	http.HandleFunc("/auth", authHandler)

	http.HandleFunc("/authorize", func(w http.ResponseWriter, r *http.Request) {
		err := srv.HandleAuthorizeRequest(w, r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		}
	})

	http.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		err := srv.HandleTokenRequest(w, r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
		}
	})

	log.Println("Server is running at 9096 port.")
	log.Fatal(http.ListenAndServe(":9096", nil))
}

func userAuthorizeHandler(w http.ResponseWriter, r *http.Request) (userID string, err error) {
	store, err := session.Start(nil, w, r)
	if err != nil {
		return
	}

	uid, ok := store.Get("UserID")
	if !ok {
		if r.Form == nil {
			r.ParseForm()
		}
		store.Set("ReturnUri", r.Form)
		store.Save()

		w.Header().Set("Location", "/login")
		w.WriteHeader(http.StatusFound)
		return
	}
	userID = uid.(string)
	store.Delete("UserID")
	store.Save()
	return
}

func loginHandler(w http.ResponseWriter, r *http.Request) {
	store, err := session.Start(nil, w, r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	if r.Method == "POST" {
		store.Set("LoggedInUserID", "000000")
		store.Save()

		w.Header().Set("Location", "/auth")
		w.WriteHeader(http.StatusFound)
		return
	}
	outputHTML(w, r, "static/login.html")
}

func authHandler(w http.ResponseWriter, r *http.Request) {
	store, err := session.Start(nil, w, r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	if _, ok := store.Get("LoggedInUserID"); !ok {
		w.Header().Set("Location", "/login")
		w.WriteHeader(http.StatusFound)
		return
	}

	if r.Method == "POST" {
		var form url.Values
		if v, ok := store.Get("ReturnUri"); ok {
			form = v.(url.Values)
		}
		u := new(url.URL)
		u.Path = "/authorize"
		u.RawQuery = form.Encode()
		w.Header().Set("Location", u.String())
		w.WriteHeader(http.StatusFound)
		store.Delete("Form")

		if v, ok := store.Get("LoggedInUserID"); ok {
			store.Set("UserID", v)
		}
		store.Save()

		return
	}
	outputHTML(w, r, "static/auth.html")
}

func outputHTML(w http.ResponseWriter, req *http.Request, filename string) {
	file, err := os.Open(filename)
	if err != nil {
		http.Error(w, err.Error(), 500)
		return
	}
	defer file.Close()
	fi, _ := file.Stat()
	http.ServeContent(w, req, file.Name(), fi.ModTime(), file)
}

Our Client

Now that we have our server implementation done and dusted, we can focus on building up our client. This will use the golang.org/x/oauth2 standard package for authenticating.

We’ll be defining a really simple server using net/http which features 2 endpoints:

  • / - The root or homepage of our client
  • /oauth2 - The route which successfully authenticated clients will be automatically redirected to.

We’ll start by defining our oauth2.Config{} object which will contain our ClientID or ClientSecret. Our OAuth2 server implementation already has a note of these two variables and should they not match, we won’t be able to retrieve access tokens from our server.

It’ll also take in a string of Scopes which define the scope of our access token, these scopes can define various different levels of access to a given resource. For example, we could provide define a Read-Only scope which just provides the client read-only access to our underlying resource.

Next, we define the RedirectURL which specifies an endpoint that our Authorization server should redirect to upon successful authentication. We’ll want this handled by our /oauth2 endpoint.

Finally, we specify oauth2.Endpoint which takes in the AuthURL and TokenURL that will point towards our authorization and token endpoints that we defined previously on our server.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"

	"golang.org/x/oauth2"
)

var (
	config = oauth2.Config{
		ClientID:     "222222",
		ClientSecret: "22222222",
		Scopes:       []string{"all"},
		RedirectURL:  "http://localhost:9094/oauth2",
		// This points to our Authorization Server
		// if our Client ID and Client Secret are valid
		// it will attempt to authorize our user
		Endpoint: oauth2.Endpoint{
			AuthURL:  "http://localhost:9096/authorize",
			TokenURL: "http://localhost:9096/token",
		},
	}
)

// Homepage
func HomePage(w http.ResponseWriter, r *http.Request) {
	fmt.Println("Homepage Hit!")
	u := config.AuthCodeURL("xyz")
	http.Redirect(w, r, u, http.StatusFound)
}

// Authorize
func Authorize(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	state := r.Form.Get("state")
	if state != "xyz" {
		http.Error(w, "State invalid", http.StatusBadRequest)
		return
	}

	code := r.Form.Get("code")
	if code == "" {
		http.Error(w, "Code not found", http.StatusBadRequest)
		return
	}

	token, err := config.Exchange(context.Background(), code)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	
	e := json.NewEncoder(w)
	e.SetIndent("", "  ")
	e.Encode(*token)
}

func main() {

	// 1 - We attempt to hit our Homepage route
	// if we attempt to hit this unauthenticated, it
	// will automatically redirect to our Auth
	// server and prompt for login credentials
	http.HandleFunc("/", HomePage)

	// 2 - This displays our state, code and
	// token and expiry time that we get back
	// from our Authorization server
	http.HandleFunc("/oauth2", Authorize)

	// 3 - We start up our Client on port 9094
	log.Println("Client is running at 9094 port.")
	log.Fatal(http.ListenAndServe(":9094", nil))
}

So, we’ve managed to build up our client. Let’s try and run this and see what happens.

go run main.go
2018/10/20 13:25:22 Client is running at 9094 port.

Now, whenever you hit localhost:9094 within your browser, you should see it automatically redirect to your running server implementation, localhost:9096/login. We’ll then provide our credentials admin and admin for demonstration purposes, and this will prompt us to grant access to our client.

When we click Allow it will automatically redirect us back to our Client application /oauth2 endpoint, but it will return a JSON string containing our access_token, refresh_token, token_type and when our tokens will expire.

Awesome, we have a fully working Oauth2 flow implemented.

Conclusion

So, in this tutorial, we looked at how you could implement your own authorization server in Go. We then looked at how we could build a simple Go-based client that could subsequently make requests for access tokens to this server.

Hopefully, you found this tutorial useful! If you did then please feel free to let me know in the comments section below!

Was This Post Helpful?


相關推薦

Go Oauth2 Tutorial

Welcome fellow coders! In this tutorial, we are going to be taking a look at how you can implement your own OAuth2 Server and client using the go-o

Go : OAuth2.0

引用 引文以google為例子,這裡使用github為例子(訪問google有問題T_T)。 獲取 oauth2 $ go get golang.org/x/oauth2 如果出現錯誤(被牆?),請參直接使用github下載即可。 $

Go Channels Tutorial

Welcome All! In this tutorial, we are going to be looking at how you can use channels within your Go-based applications. Channels are pipes that l

Go Functions Tutorial

In this tutorial, we are going to be looking at Go’s functions and hopefully, by the end of this tutorial, you will have a firm grasp as to what th

Advanced Go Testing Tutorial

Welcome fellow coders! In this tutorial, we are going to be taking a look at selection of more advanced testing practices used by the likes of the

Go Interfaces Tutorial

Welcome all, in this tutorial, we are going to be taking a look at interfaces within the Go programming language. By the end of this tutorial, you

Go Mutex Tutorial

The use of Go when programming highly concurrent applications doesn’t preclude the possibility of you writing a system that features race condition

[Tutorial, Part 1] How to develop Go gRPC microservice with HTTP/REST endpoint, middleware…

[Tutorial, Part 1] How to develop Go gRPC microservice with HTTP/REST endpoint, middleware, Kubernetes deployment, etc.There are a lot of article how to cr

Getting Started with OAuth2 in Go @ Alex Pliutau's Blog

Getting started with OAuth2 in Go Authentication usually is very important part in any application. You can always implement your own aut

Go Basic Types Tutorial

In this tutorial, we are going to be looking at all of the basic data types available to us within the Go language. By the end of this tutorial, yo

Go Protocol Buffer Tutorial

Welcome fellow coders! In this tutorial, we are going to be looking at how you can utilize the Protocol Buffers data format within your Go-based ap

Go Face Recognition Tutorial

The whole area of Face Recognition is something I love reading about. Implementing a facial recognition system yourself makes you sound like you ar

Go Composite Types Tutorial

Welcome All! In this tutorial, we are going to be looking at the various different composite data types that are available in the Go programming la

Go Decorator Function Pattern Tutorial

Decorators are certainly more prominent in other programming languages such as Python and TypeScript, but that’s not to say you can’t use them in G

go 自己封的postgresql操作包

rep make query res urn mod .exe errors exe 1 package myDB 2 3 import ( 4 "database/sql" 5 "errors" 6 7 _ "g

go-005-變量

整數 func 基礎 字型 開始 import open spl 註意 概述   變量來源於數學,是計算機語言中能儲存計算結果或能表示值抽象概念。變量可以通過變量名訪問。   Go 語言變量名由字母、數字、下劃線組成,其中首個字母不能為數字。   聲明變量的一般形式是

GO中常用包筆記 bytes(四)

g 學習筆記 bytes包Package bytes對字節數組進行操作的包。功能和strings包相似.bytes包提供的功能有:和另一個字節數組切片的關系(逐字節比較大小,是否相等/相似,是否包含/包含次數,位置搜索,是否是前綴後綴)2.字節數組切片和字符串的關系(字符串中是否含有字節數組所包含的rune,

CDOJ 1221 Ancient Go

cout#include<bits/stdc++.h>using namespace std;bool ok;char maze[15][15];char Map[12][12];bool vis[15][15];int x[4] = {0,0,1,-1};int y[4] = {1,-1,0,0

Go - 數組

索引 創建 16px class 表示 int32 部分 func amp 數組: Array 1. 定義: var <arrayName> [n] (n>=0) <type> 註: 數組的長度n,也是數組定義的組成部分;所以:var i

Go語言之嵌入類型

go 類型 嵌入類型,或者嵌套類型,這是一種可以把已有的類型聲明在新的類型裏的一種方式,這種功能對代碼復用非常重要。在其他語言中,有繼承可以做同樣的事情,但是在Go語言中,沒有繼承的概念。Go提倡的代碼復用的方式是組合,所以這也是嵌入類型的意義所在。組合而不是繼承,所以Go才會更靈活。type Rea