
goth's Introduction

Goth: Multi-Provider Authentication for Go

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.

Unlike other similar packages, Goth lets you write OAuth, OAuth2, or any other protocol providers, as long as they implement the Provider and Session interfaces.

This package was inspired by https://github.com/intridea/omniauth.

Installation

$ go get github.com/markbates/goth

Supported Providers

  • Amazon
  • Apple
  • Auth0
  • Azure AD
  • Battle.net
  • Bitbucket
  • Box
  • ClassLink
  • Cloud Foundry
  • Dailymotion
  • Deezer
  • DigitalOcean
  • Discord
  • Dropbox
  • Eve Online
  • Facebook
  • Fitbit
  • Gitea
  • GitHub
  • Gitlab
  • Google
  • Google+ (deprecated)
  • Heroku
  • InfluxCloud
  • Instagram
  • Intercom
  • Kakao
  • Lastfm
  • LINE
  • Linkedin
  • Mailru
  • Meetup
  • MicrosoftOnline
  • Naver
  • Nextcloud
  • Okta
  • OneDrive
  • OpenID Connect (auto discovery)
  • Oura
  • Patreon
  • Paypal
  • SalesForce
  • Shopify
  • Slack
  • Soundcloud
  • Spotify
  • Steam
  • Strava
  • Stripe
  • TikTok
  • Tumblr
  • Twitch
  • Twitter
  • Typetalk
  • Uber
  • VK
  • WeCom
  • Wepay
  • Xero
  • Yahoo
  • Yammer
  • Yandex
  • Zoom

Examples

See the examples folder for a working application that lets users authenticate through Twitter, Facebook, Google Plus, etc.

To run the example either clone the source from GitHub

$ git clone git@github.com:markbates/goth.git

or use

$ go get github.com/markbates/goth
$ cd goth/examples
$ go get -v
$ go build
$ ./examples

Now open up your browser and go to http://localhost:3000 to see the example.

To actually use the different providers, make sure you set the environment variables they need. Examples are given in the examples/main.go file.

Security Notes

By default, gothic uses a CookieStore from the gorilla/sessions package to store session data.

As configured, this default store (gothic.Store) will generate cookies with Options:

&Options{
    Path:     "/",
    Domain:   "",
    MaxAge:   86400 * 30,
    HttpOnly: true,
    Secure:   false,
}

To tailor these fields for your application, you can override the gothic.Store variable at startup.

The following snippet shows one way to do this:

key := ""             // Replace with your SESSION_SECRET or similar
maxAge := 86400 * 30  // 30 days
isProd := false       // Set to true when serving over https

store := sessions.NewCookieStore([]byte(key))
store.MaxAge(maxAge)
store.Options.Path = "/"
store.Options.HttpOnly = true   // HttpOnly should always be enabled
store.Options.Secure = isProd

gothic.Store = store

Issues

Issues always stand a significantly better chance of getting fixed if they are accompanied by a pull request.

Contributing

Would I love to see more providers? Certainly! Would you love to contribute one? Hopefully, yes!

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Write Tests!
  4. Make sure the codebase adheres to the Go coding standards by executing gofmt -s -w ./
  5. Commit your changes (git commit -am 'Add some feature')
  6. Push to the branch (git push origin my-new-feature)
  7. Create new Pull Request


goth's Issues

securecookie: the value is too long

In the OpenID Connect provider the id_token is stored in the session because this contains the user information. Storing the session can cause the error "securecookie: the value is too long" when there is a lot of data stored in the id_token field

UserID is not always filled

Make UserID a mandatory field so applications using goth can trust on the fact that this is always filled (and can use it as a mandatory field)

Will create a PR for it

Using goth for rest api

Hello,

I want to implement Facebook social login on a mobile app.
It looks like goth is designed for web app, not mobile app (for example, the http redirection is not possible).
Is there a way to use the power of goth to create a rest service for facebook login ?

Thanks in advance.

Question on how to use the package

Hi,

I'm sorry, I have really tried to dig into the code, the tests and the example to find out how to do this, but I'm running late with my project and I appreciate any directions.

So far I'm able to configure the gplus provider, retrieve the correct account information, and I do get _gothic_session in my cookies using the following:

goth.UseProviders(
    gplus.New(os.Getenv("GPLUS_KEY"), os.Getenv("GPLUS_SECRET"), "http://localhost:3000/auth/gplus/callback"),
)

gothic.GetProviderName = func(req *http.Request) (string, error) { 
    return "gplus", nil
}

router.GET("/auth/gplus", func(c *gin.Context) {
    gothic.BeginAuthHandler(c.Writer, c.Request)
})

router.GET("/auth/gplus/callback", func(c *gin.Context) {
    user, err := gothic.CompleteUserAuth(c.Writer, c.Request)
    if err != nil {
        fmt.Fprintln(c.Writer, err)
        return
    }
    c.JSON(http.StatusOK, user)
})

Now comes the funny part, what's next :D? What am I checking in the middleware to confirm that the user is logged in (and out when the session expires), I tried everything, do I keep calling gothic.CompleteUserAuth, because when I do I get:

oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error" : "invalid_request",
  "error_description" : "Missing required parameter: code"
}

Could someone please provide a snippet of an authentication middleware?

Thanks!

How to set gothic.State

I'm a bit puzzled about the intended use of gothic.Store:

// Store can/should be set by applications using gothic. The default is a cookie store.
var Store sessions.Store

func init() {
  if Store == nil {
    Store = sessions.NewCookieStore([]byte(AppKey))
  }
}

According to my understanding of Go package initialization (and some rudimentary tests I've done), there's no way to set gothic.Store before init() runs.

Maybe that's not considered expressly "harmful," since it just means that sessions.NewCookieStore() is run needlessly, then the result is discarded (as soon as gothic.Store is set to something else), but it doesn't appear to be the intention of the code.

Or am I missing something?

getProviderName and gorilla.mux

Greetings! I'm loving this package. Thank you for creating it!

I've just run into an issue that has a bit of a lousy workaround, and I think it could be handled more elegantly. I'd like your thoughts on what we can do about it.

Currently, getProviderName pulls the name out of req.URL.Query().Get("provider"). This works wonderfully for gorilla.Pat, but does not work for gorilla.Mux.

The obvious solution is to add a direct dependency to mux.Vars() to check for provider in that map as well, but I don't know if that is an acceptable solution to you.

Another option, perhaps, would be to provide a function variable that could be set from calling code to retrieve the provider name. For example:

GetProviderName = func(req *http.Request) string { 
  return mux.Vars(req)["provider"];
}

I'd be happy to contribute the patch for this once an approach is decided. Thanks!

App Engine Fix: Supply a context to oauth2 Export()

This is what I have so far. It works, but as a Golang and App Engine noob, I'm guessing someone else can come up with a nicer solution? oyvindsk@6e8230b
It's a pain to implement that callback as you can see in the comment.

Why:
The oauth2 module changed and it now handles the http.DefaultClient stuff in an App Engine compatible way. So for oauth2 you no longer have to set http.DefaultClient and http.DefaultTransport as in Issue #27. (goth using the default http.Client is another issue..)

But, you do have to supply a context.Context to oauth2 in Exchange() as in the above commit.

Related:
Pull #30
https://groups.google.com/forum/#!searchin/google-appengine-go/oauth2/google-appengine-go/5H2Ra85cu1M/e57iIRivEgAJ

Decoupling from Gorilla Mux

In recent months, gothic.go has become coupled to gorilla/mux. See lines 176 onward

func getProviderName(req *http.Request) (string, error) {
	provider := req.URL.Query().Get("provider")
	if provider == "" {
		if p, ok := mux.Vars(req)["provider"]; ok {
			return p, nil
		}
	}
	if provider == "" {
		provider = req.URL.Query().Get(":provider")
	}
	if provider == "" {
		return provider, errors.New("you must select a provider")
	}
	return provider, nil
}

Firstly, note that req.URL.Query().Get(":provider") is possibly called twice (this may be a mistake).

Secondly, mux.Vars(req)["provider"] is specific to gorilla/mux. I happen to use julienschmidt/httprouter and I'd quite like to decouple from gorilla/mux dependency, which I don't need in my codebase.

So, perhaps the package gothic is really two things: (a) it provides the main API for goth and (b) it provides gorilla/mux lookup of the provider variable. Combining these is unfortunate because it reduces the flexibility of the package. [There is a third concern: storage of state in the session; however I'm content to leave this unchanged.]

There are several possible options to reduce this coupling. The simplest I can think of is to do away with the GetProviderName method (and getProviderName) and change the signature of CompleteUserAuth to take an additional providerName string parameter.

It would then be quite easy to have another function that wraps CompleteUserAuth as a standard http.HandlerFunc, along with the gorilla/mux providerName expression - this would need to be in a different package so that gorilla/mux drops out of the imports list (note that gorilla/mux is in the list of imports and this is the key difficulty).

It would also be easy to implement different integrations with other routing libraries, which is what I would need.

My workaround for this is to make a copy of gothic.go in my own codebase and with the necessary alteration I've described. But I'd prefer not to have to duplicate the code.

Exotic http lib leak not handled by goth

The http lib has an exotic case of connection leak which is not taken care of by goth:
If for some reason (e.g., ongoing production incident) the target authentication URL is redirecting too many times, the golang http client might return a non-nil response object together with a non-nil error.

This is an under-documented weakness of the Golang version 1 libraries, left for compatibility reasons, causing connection leak in many projects.

Consequently, when checking for an http client error, the goth code should also check if the response is non-nil, and if non-nil close its body.
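The check this issue asks for, as an added example (not goth's code): fetch closes the response body whenever the client returns a response, including alongside an error. The names trackedBody, loopTransport, fetch and redirectLoopDemo are hypothetical, and the redirect loop is simulated by a constructed RoundTripper, so nothing touches the network.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// trackedBody records Close calls so an unclosed response body is observable.
type trackedBody struct {
	io.Reader
	closed bool
}

func (b *trackedBody) Close() error { b.closed = true; return nil }

// loopTransport is a constructed stand-in for a provider stuck in a redirect
// loop: every request is answered with a 302 pointing back at the same URL.
type loopTransport struct{ bodies []*trackedBody }

func (t *loopTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	b := &trackedBody{Reader: strings.NewReader("moved")}
	t.bodies = append(t.bodies, b)
	return &http.Response{
		Status: "302 Found", StatusCode: http.StatusFound,
		Proto: "HTTP/1.1", ProtoMajor: 1, ProtoMinor: 1,
		Header:        http.Header{"Location": {req.URL.String()}},
		Body:          b,
		ContentLength: -1,
		Request:       req,
	}, nil
}

// fetch returns the status code and whether the client handed back a response
// together with an error. The body is closed on every path.
func fetch(c *http.Client, url string) (int, bool, error) {
	resp, err := c.Get(url)
	if resp != nil {
		// Runs on the error path too; closing a body twice is harmless.
		defer resp.Body.Close()
	}
	if err != nil {
		return 0, resp != nil, err
	}
	return resp.StatusCode, false, nil
}

// redirectLoopDemo runs fetch against the looping transport and reports:
// response-with-error seen, round trips made, and every body closed.
func redirectLoopDemo() (bool, int, bool) {
	tr := &loopTransport{}
	_, both, err := fetch(&http.Client{Transport: tr}, "http://provider.invalid/auth")
	allClosed := err != nil
	for _, b := range tr.bodies {
		allClosed = allClosed && b.closed
	}
	return both, len(tr.bodies), allClosed
}

func main() {
	both, trips, closed := redirectLoopDemo()
	fmt.Printf("response with error: %v, round trips: %d, all bodies closed: %v\n",
		both, trips, closed)
}
```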

Facebook not returning an email

I'm having trouble getting facebook to return an email. It shows that I've given permission to the app for my email, but the user response doesn't have the email filled in. I'm wondering if we're just not setting the email properly?

Not working for Twitter

I am getting this error with Twitter, please help

getBody: httpExecute: HTTP response is not 200/OK as expected. Actual response: Response Status: '401 Authorization Required' Response Code: 401 Response Body: {"errors":[{"code":32,"message":"Could not authenticate you."}]} Request Headers: [key: Authorization, val: OAuth oauth_callback="http%3A%2F%2F162.243.216.116%3A3000%2Fauth%2Ftwitter%2Fcallback",oauth_consumer_key="bu7KHEjK7UTfNReTcG4gK",oauth_nonce="1527203789697",oauth_signature="Y0zXln26LPHveIjbs%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1465900095",oauth_version="1.0"]

Here is the code I am using: https://gist.github.com/motyar/dd1a441ed7214439afcb388b6c26b567

state for all providers?

does goth have a common story for setting additional session params for the providers that do not support oauth2's state parameter?

Store.New with redistore always returns a nil session

Hi,

I've been trying to integrate goth with https://godoc.org/gopkg.in/boj/redistore.v1 but no luck.

When I replace:

Store = sessions.NewCookieStore([]byte(AppKey))

For

Store = redisStore.NewRediStore(5, "tcp", ":6379", "redis-password",
      []byte(os.Getenv(AppKey))
    )

The return for the following code:

    session, _ := Store.New(req, SessionName)
        log.Println("ShowAuth --> after session new ")
    log.Println(session.Values[SessionName])

Changes from:

2015/12/20 14:57:30 ShowAuth --> after session new 
2015/12/20 14:57:30 {"AuthURL":"https://github.com/login/oauth/authorize?client_id=1234\u0026redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fgithub%2Fcallback\u0026response_type=code","AccessToken":""}

To

2015/12/20 15:27:14 ShowAuth --> after session new 
2015/12/20 15:27:14 <nil>

Making the whole auth process fail after session is handled on the callback method.

2015/12/20 15:27:17 &{0xc20809a5a0 0xc20813ef70 false false 0xc20813a1c0 {0xc20809b680 map[] false false} <nil> map[] false 0 -1 0 false false false [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 0 0 0]} could not find a matching session for this request 

Does anyone know what is going on with this ?
Thanks

Multiple instances of same provider with custom urls

Since we implemented #130 (multiple instances of 1 provider type) you could get in to trouble with multiple instances of the same provider when you need custom urls on one of the instances.

The way it is now handled is that you should first change the for example Gitlab TokenURL and then call the .New(). If you call the New() on the provider again it will use the initial set TokenURL since this is globally configured.
Global setting of these kind of values will cause this kind of errors.

To prevent this we should add a new sort of New() method with additional url parameters so we can pass on the right urls (without modifying the existing one to preserve backwards compatibility).

Similar approach is used in the twitter provider with New() vs NewAuthenticate()

Unique ID

To my knowledge, Oauth2 spec requires the provider to return an ID suitable for use as a Unique ID by your application. Is the user.UserID field populated with this unique ID?

why break tests into separate packages?

hiya,
why are the tests broken into separate packages, e.g. (package gothic, package gothic_test), and then the original package (e.g. gothic) imported? It seems to be standard practice to put both gothic.go and gothic_test.go in the same package gothic, https://golang.org/doc/code.html#Testing. Is there any reason why the tests are broken into different packages?

Thanks for your great work on this package

Not working correctly for linkedin

While connecting with linkedin it throws back an error
You+need+to+pass+the+"state"+parameter

oauth2: cannot fetch token: 400 Bad Request
Response: {"error_description":"missing required parameters, includes an invalid parameter value, parameter more than once. : code","error":"invalid_request"}

Odd location for UnMarshal

First, great work, just came across this in the golang weekly newsletter and I've felt your pain re. authenticating with other services.

Obviously down to individual developer's opinions but it feels like Provider.UnmarshalSession should really be an initialization function for Session objects in the provider's session.go, not least of all because its symmetrical partner, Session.Marshal is on the Session. UnmarshalSession makes no use of the Provider instance it is passed so at the very least (and it's a non-breaking change), it shouldn't be a Provider pointer but a Provider object in the signature, to make it clear the function doesn't modify the Provider instance it is called on.

I'm guessing you've put it on the Provider so you can include it in the interface and enforce the interface for other providers people write. In that case, I guess I'm saying it seems to make more sense on the Session if it has to be an instance method.

Add OpenID-2.0 provider

Although now deprecated in favour of OpenID Connect, OpenID-2.0 still has providers around, especially in the federated web community (easier to federate, as far as I can see). This ticket is to request/track an OpenID-2.0 provider.

See also #120

Twitter provider not working

Hi
For my below code I am getting the error as given below please help:

Error:
getBody: httpExecute: HTTP response is not 200/OK as expected. Actual response:
Response Status: '400 Bad Request'
Response Code: 400
Response Body: {"errors":[{"code":215,"message":"Bad Authentication data."}]}
Request Headers: [key: Authorization, val: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A8080%2Fauth%2Ftwitter%2Fcallback",oauth_consumer_key="",oauth_nonce="3365417980319125505",oauth_signature="LLKgHISKim8lcgKYU2fsCreLLlU%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1462389865",oauth_version="1.0"]

The Program:
// webgoauth1 project main.go
package main

import (
    "encoding/json"
    "fmt"
    "html/template"
    "log"
    "net/http"
    "os"

    "github.com/gorilla/pat"
    "github.com/gorilla/sessions"
    "github.com/markbates/goth"
    "github.com/markbates/goth/gothic"
    // "github.com/markbates/goth/providers/facebook"
    "github.com/markbates/goth/providers/twitter"
)

type Configuration struct {
    TwitterKey     string
    TwitterSecret  string
    FacebookKey    string
    FacebookSecret string
}

var config Configuration

func init() {
    gothic.Store = sessions.NewFilesystemStore(os.TempDir(), []byte("goth-example"))
    file, _ := os.Open("config.json")
    decoder := json.NewDecoder(file)
    config := Configuration{}
    err := decoder.Decode(&config)
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(config.TwitterKey)
    fmt.Println(config.TwitterSecret)
}

func callbackAuthHandler(res http.ResponseWriter, req *http.Request) {
    user, err := gothic.CompleteUserAuth(res, req)
    if err != nil {
        fmt.Fprintln(res, err)
        return
    }
    t, _ := template.New("user").Parse(userTemplate)
    t.Execute(res, user)
}

func indexHandler(res http.ResponseWriter, req *http.Request) {
    t, _ := template.New("index").Parse(indexTemplate)
    t.Execute(res, nil)
}

func main() {
    goth.UseProviders(
        twitter.New(config.TwitterKey, config.TwitterSecret, "http://localhost:8080/auth/twitter/callback"),
        // facebook.New(config.FacebookKey, config.FacebookSecret, "http://localhost:8080/auth/facebook/callback"),
    )
    r := pat.New()
    r.Get("/auth/{provider}/callback", callbackAuthHandler)
    r.Get("/auth/{provider}", gothic.BeginAuthHandler)
    r.Get("/", indexHandler)
    server := &http.Server{
        Addr:    ":8080",
        Handler: r,
    }
    log.Println("Listening")
    server.ListenAndServe()
}

var indexTemplate = `
Log in with Twitter

Log in with Facebook
`

var userTemplate = `
Name {{.Name}}

Email {{.Email}}

NickName {{.NickName}}

Location {{.Location}}

AvatharURL {{.AvatharURL}}

Description {{.Description}}

UserID {{.UserID}}

AccessToken {{.AccessToken}}
`

gothic does not throw any errors, if the callback does not contain a `code` value

I have a mis-configured github provider being used from gothic. If I misconfigure my callback, so that it does not match what is configured in github, the requests to my callback handler look like this:

GET /v1/auth/github/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23redirect-uri-mismatch&state=41790af3-2ac4-4223-96e6-6e8d38621b1e HTTP/1.1

When I issue gothic.CompleteUserAuth(), it returns no errors, and a user object of
{map[message:Bad credentials documentation_url:https://developer.github.com/v3] github 0 0001-01-01 00:00:00 +0000 UTC}

I feel like situations like this should cause a failure, since otherwise, it means anyone who hits the callback with the correct state parameter is authenticated, whether the provider thinks they should have been or not.

Where should this get fixed? The provider code for github (and possibly others)? gothic? Is this an underlying issue with oauth2.Extract()?

In the meantime, I've worked around this by requiring the 'code' param to be set in the callback before passing on to gothic.

Document csrf protection

Is the intention that users who want csrf protection should overwrite gothic.SetState to set a random state, add the state to the session, and verify in the callback handler? If that's right, it would be useful to document. Also, would you be interested in implementing csrf in gothic by default?
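An added example (not goth's or gothic's code) covering both the missing-`code` workaround from the issue above and the state check asked about here: the callback is rejected unless the state matches the one bound to the browser, the provider reported no error, and a code is present. It assumes the state is kept in a short-lived cookie; stateCookie, beginAuth, guardCallback and callbackStatus are hypothetical names, and `next` stands in for the handler that would call gothic.CompleteUserAuth.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const stateCookie = "oauth_state" // hypothetical cookie name

// newState returns 256 bits of randomness in URL-safe base64.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// beginAuth binds a fresh state to the browser with a short-lived cookie and
// returns it so the caller can add it to the provider's authorization URL.
func beginAuth(w http.ResponseWriter, secure bool) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/", MaxAge: 600,
		HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode,
	})
	return state, nil
}

// guardCallback lets a callback through to next only if the state matches the
// cookie, the provider reported no error, and an authorization code is present.
func guardCallback(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		c, err := r.Cookie(stateCookie)
		// The state is single use: expire the cookie whatever the outcome.
		http.SetCookie(w, &http.Cookie{Name: stateCookie, Path: "/", MaxAge: -1})
		switch {
		case err != nil || c.Value == "" ||
			subtle.ConstantTimeCompare([]byte(c.Value), []byte(q.Get("state"))) != 1:
			http.Error(w, "state mismatch", http.StatusForbidden)
		case q.Get("error") != "":
			http.Error(w, "provider returned an error", http.StatusUnauthorized)
		case q.Get("code") == "":
			http.Error(w, "missing authorization code", http.StatusBadRequest)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// callbackStatus drives the guard with a constructed request (no network) and
// returns the HTTP status the client would see.
func callbackStatus(rawQuery, cookieState string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for gothic.CompleteUserAuth
	})
	req := httptest.NewRequest(http.MethodGet, "/auth/github/callback?"+rawQuery, nil)
	if cookieState != "" {
		req.AddCookie(&http.Cookie{Name: stateCookie, Value: cookieState})
	}
	rec := httptest.NewRecorder()
	guardCallback(next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	state, err := beginAuth(httptest.NewRecorder(), true)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", callbackStatus("code=abc&state="+state, state))
	fmt.Println("provider error:", callbackStatus("error=redirect_uri_mismatch&state="+state, state))
	fmt.Println("no code:", callbackStatus("state="+state, state))
	fmt.Println("forged state:", callbackStatus("code=abc&state=guess", state))
}
```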

Excellent library

Nice job to contributors, I just converted it to work with the Iris web framework!

You could write a new section in the README with the packages that use your library (Iris is first on 'All Languages' GitHub Trends and Go Trends); this method will give you traffic.

gothic fails when auth provider responds with URL fragments

I'm using Facebook auth, and specified response_type=code%20token in my auth request (as described here), which results in FaceBook responding with a URL fragment, which breaks gothic and results in the following error from the verification phase:

ERROR: oauth2: cannot fetch token: 400 Bad Request Response: {"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}

It appears that gothic is not parsing the URL response from FaceBook, and ends up with an empty url.Values map.

To be clear, this happens when I bypass BeginAuthHandler() and handle that phase of the auth workflow myself.

So ideally, it would be handy if there were some way to get BeginAuthHandler() to (optionally, of course) specify the response_type for FaceBook (and possibly other providers, if they support that type of operation).

how to provide appsecret_proof argument to fb calls ?

Hi,

I could not find this on the web,

After enabling "Require app secret for server API calls" I'm running into the error "API calls from the server require an appsecret_proof argument". Is there a way to set the appsecret_proof argument?

Thanks.

slack fetch user

The way this is currently implemented leaves a bit to be desired. If using goth for a slack app bot, you won't be able fetch the pertinent bot details e.g bot id, bot channel id, bot oauth2 token. I hesitate to submit a PR for this (but probably will anyways), because I don't know how others are dealing with this brokenness. In its current state, it's not very useful for a bot application.

Extract encoded cookie when beginning auth

Hi, I have a case where I'm developing an authorization service using different providers.
My case is that there shall be multiple frontend hosts calling towards my api for authorization through e.g. facebook. So I need to be able to know the URL that called on BeginAuth, and have access to that when the callback is fired. I can't have any form of state in my app since there might be multiple calling at the same time.

So what I need is a way of identifying the request that is going out to facebook, for then identifying the callback that belongs to that request. I will store the url in between the two calls.

The only way I have figured how this will work is to use the encoded cookie that is being sent to facebook, and returned on the callback. But unfortunately I don't have access to the cookie.

Hence this pull request: gorilla/sessions#62

[question] Doesn't it allow several callbacks?

Hi!
In passport.js you can use one callbackURL for signup and another for logging. Also separate callback is necessary for deactivating account. It's comfy.
I noticed that func New(clientKey, secret, callbackURL string, scopes ...string) *Provider {} allows only one callback. I got that function from the facebook provider. I noticed it is the standard function for all providers.
I am doing it via gothic also.
Is there some approach for my need?

The default example is lacking/returns errors

When running the example I get the following error:
goth/gothic: no SESSION_SECRET environment variable is set. The default cookie store is not available and any calls will fail. Ignore this warning if you are using a different store.

Which gets returned by the following lines:

// print our state string to the console. Ideally, you should verify
// that it's the same string as the one you set in `setState`
fmt.Println("State: ", gothic.GetState(req)) 

The example doesn't set it, why?

The Error also says something about a default cookie store not being available, while the documentation tells:
Store can/should be set by applications using gothic. The default is a cookie store.
Why isn't that default cookie store available? Also, if the documentation says that the application should set the store, why doesn't the example do this?

Support for refresh tokens

Generated access tokens most likely have an expiration date. Would it be acceptable to add support for refresh tokens and their expiration date along with a flow to refresh them?

Get goth.User without re-authenticating every time

With the current set of functions in the gothic.* we don't have an option to retrieve the user without going through the whole authentication flow.

Current setup to get user details at login:

  1. start login flow with BeginAuthHandler or GetAuthURL (if you need to do custom error handling)
  2. handle callback and get the goth.User with CompleteUserAuth

Step 1 will always try to completely authenticate the user again even if the user got a session with a valid accessToken and only did a logout.

To prevent this, the calling application should first do a CompleteUserAuth request and see if the goth.User can be fetched from there. To support this we need to store the AccessToken in the session and add an extra FetchUser call in the CompleteUserAuth before doing sess.Authorize.

What do you think of this?
Will create a PR to show the suggested fix (without introducing all kinds of extra stuff in each provider to prevent this re-authenticating)
