gin-oauth2's Issues

using to create a oauth2 provider

I'm wondering if I can use this to be a provider for OAuth 2.0 applications. If so, is there an example somewhere on this? Basically, we are trying to mimic the GitHub OAuth Apps, where the user clicks a button to create a new application, they get a client id and secret given to them, and they can update the callback URL or refresh the secret. Every Google search brings me here for gin and OAuth. Help, please :) I have the DB model done; it's pretty simple, I'm just not sure how to integrate this in or where to start with it, as all the examples are using a provider and not being a provider.

Remove AccessTuple from the API

The AccessTuple type limits the API to a token database being stored in a single process, in memory.

However, this limit could easily be removed if the AccessTuple was removed from the API. The ginoauth2.Auth function only needs an accessCheckFunction closure that will authenticate users, and it should be left to that closure to decide the data source to use.

Here is how to fix the API:

  • create a new package exampleauth that will only be an example of an authenticator
  • move type AccessTuple and func UidCheck to exampleauth
  • remove AccessTuple from the ginoauth2.Auth func signature
  • refactor examples to use func(tc *TokenContainer, ctx *gin.Context) bool { return exampleauth.UidCheck(tc, USERS, ctx) } where ginoauth2.UidCheck was previously used

Tell me if you want a PR that implements this.

add Github Auth

It should be possible to use Github OAuth2 infrastructure with this middleware.

Provide mutator methods for google.go's oauth2 config.

I'm using environment variables to handle my secrets. I was wondering if it would be ok for me to submit mutator methods to support another means of setting the oauth2.Config's in google.go specifically. I'd of course want to ensure this remains backwards compatible, so I would only be adding these setters. Below are the functions I'd like to add:

// Usage would be something like:
google.SetClientID(configs.ClientID)
google.SetClientSecret(configs.ClientSecret)
google.SetRedirectURL(redirectURL)
google.SetScopes([]string{gmail.GmailReadonlyScope})
google.SetEndpoint(google.Endpoint)

If there's no aversion, I'd be happy to submit a PR - with tests too! :)

Create automated tests

Use https://github.com/coreos/dex to have an automated test setup with travis-ci, as Brandon Philips pointed out. This will help to make it useful for non-Zalando organizations, because it shows a usage that is not dependent on Zalando.

RequestAuthInfo with Auth header?

Hi,

I've just tested your implementation and discovered that the RequestAuthInfo function can only be used if the AuthInfo endpoint of my OAuth2 server is using the access_token parameter.
So my question is, what about other servers like Keycloak which use the Authorization header for passing the bearer token?

Can this lib be used with Keycloak, for example?

Save token to context and session

As part of the Auth()'s returned gin.HandlerFunc, the user is saved to the context and session. This is great for identification; however, I'm running into an issue. During the google package's Setup(), my application is able to specify scopes to make subsequent requests on behalf of the user. The problem is that our token, which was issued with those scopes, is no longer available. To get a token, this would require an additional or custom middleware to be implemented. Since we are providing a means to specify scopes, I think it's presumable that the application should be able to make requests on the user's behalf following authentication. With that, I was interested in modifying the Auth() function to save the token to the session and the context.

If I'm misunderstanding the flow or overlooking a way to not have to reinitiate the oauth2 flow, please let me know. I'm going to work up an MR in the meantime. Thanks!

Invalid session state in github example

Hi, I wanted to try out the GitHub example, and after a successful login I have navigated to the /auth/api endpoint but got an error message, is this the expected behaviour? Thanks!

[GIN] 2018/01/09 - 15:07:15 | 401 |     132.011µs | 127.0.0.1 |   GET     /auth/api
Error #01: Invalid session state: ***********

can I replace the log package with zap?

I use zap to take over the gin logger and the log output of other packages in the project, and I also want to take over the logging of gin-oauth2 using zap. Is there any solution?

add Google OAuth

It should be possible to use Google OAuth2 infrastructure with this middleware.

Other web frameworks

Hi there, as gin-gonic currently lacks active development (at least it looks like that to me), we should consider opening this project to a wider audience and providing middleware for other frameworks too.

Create local ci checks and github actions

While working on #76, I had issues running all of the tests locally. Also, my PR didn't abide by go doc standards, which I also didn't catch. I think this repo could benefit from 2 things:

  1. Local CI Checks - This could be done using a Makefile, which would essentially be duplicating the checks locally so that a developer can verify their PR conforms to standards and the tests work. The Makefile could also automate the setup needed to run the tests locally.
  2. Github Actions - I think the free account allows like 2k action minutes p/month before getting charged. I'm not sure what the owner is ok with, but maybe there could be a post check upon a merge to master. This would keep the usage minimal, even though it would be nice to have this run for each PR - easier said though when I'm not floating the bill 😄

Adding example of custom authorization server

Hello zalando team,

I was interested in your implementation, and as far as I get it right, the implementation of this repo only covers the resource authorization but not the actual authorization service.

Currently I'm generating JWT tokens using a gin-jwt service. I'm using basic authentication to validate and generate a token, afterwards I'm using that token in Swagger API's to fetch resources.

Now I would like to use this implementation (well done btw) to leverage more fine-grained access control using scopes. I'm just wondering where to start. I believe a UI would be required to generate new apps (redirect_uri, client id, client secret, name). Afterwards that information can be used to fetch an authorization code and then the access token. Once you have the latter, you can use your implementation to limit requests to the scopes received in the token.

I'm just wondering what would be the best way to implement the authorization behaviour, or what implementation should be used.

Thanks for everything!
Cedric

Invalid session state google example

Hi, I wanted to try out the Google example, and after a successful login I have navigated to the /auth/api endpoint but got an error message, is this the expected behaviour? Thanks!

[GIN] 2021/03/07 - 14:55:29 | 401 |     108.714µs |             ::1 | GET      "/auth/api"
Error #01: Invalid session state: *********************************

Seems like an issue similar to #45

Invalid cast in case of scope != uid

In case you have a token with scope = "nakadi.event_stream.read" the payload from the tokeninfo endpoint is the following:

{
    "access_token":"dyU...xVM",
    "client_id":"stups_marilyn-updater_ec462cc5-3861-4873-9f91-001549db1aaa",
    "expires_in":2605,
    "grant_type":"password",
    "nakadi.event_stream.read":true,
    "realm":"/services",
    "scope":[
        "nakadi.event_stream.read",
        "uid"
    ],
    "token_type":"Bearer",
    "uid":"stups_marilyn-updater"
}

In ParseTokenContainer the following code parses the payload:

scopes := data["scope"].([]interface{})
for _, scope := range scopes {
	sscope := scope.(string)
	sval, ok := data[sscope] // whatever the payload carries under that name: a string for "uid", a bool for the other scopes
	if ok {
		tdata[sscope] = sval
	}
}

The above code creates a map[string]interface{} which, for the example payload above, will be:

tdata["uid"] = "stups_marilyn-updater"
tdata["nakadi.event_stream.read"] = true

zalando.ScopeCheck takes the map and casts the value to string:

if cur, ok := tc.Scopes[s].(string); ok {
	glog.V(2).Infof("Found configured scope %s", cur)
	scopesFromToken = append(scopesFromToken, cur)
	ctx.Set(s, cur) // set value from token of configured scope to the context, which you can use in your application.
}

This causes ok to be false and the scope check to fail.
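To make the mismatch concrete, here is an added example (not the library's code) that parses a constructed tokeninfo payload modelled on the one above, reproduces the string-only cast, and shows a hypothetical FixedCheck that accepts both the string-valued "uid" scope and the boolean-valued permission scopes:

```go
package main

import "encoding/json"

// Constructed sample, modelled on the tokeninfo payload quoted in the issue.
const tokenInfo = `{"access_token":"dyU...xVM","expires_in":2605,
 "nakadi.event_stream.read":true,"realm":"/services",
 "scope":["nakadi.event_stream.read","uid"],"token_type":"Bearer",
 "uid":"stups_marilyn-updater"}`

// ParseScopes mirrors the ParseTokenContainer loop from the issue: for every
// name listed in "scope", copy the payload value of that name into a map.
func ParseScopes(payload []byte) (map[string]interface{}, error) {
	var data map[string]interface{}
	if err := json.Unmarshal(payload, &data); err != nil {
		return nil, err
	}
	tdata := make(map[string]interface{})
	names, _ := data["scope"].([]interface{}) // nil if absent: no scopes
	for _, n := range names {
		name, ok := n.(string)
		if v, found := data[name]; ok && found {
			tdata[name] = v // "uid" -> string, other scopes -> bool
		}
	}
	return tdata, nil
}

// StringOnlyCheck reproduces the failing cast from ScopeCheck: a scope whose
// payload value is a bool is rejected even though the token carries it.
func StringOnlyCheck(scopes map[string]interface{}, s string) bool {
	_, ok := scopes[s].(string)
	return ok
}

// FixedCheck (hypothetical) accepts a scope present as a non-empty string
// (uid style) or as a boolean true flag (permission style), nothing else.
func FixedCheck(scopes map[string]interface{}, s string) bool {
	switch v := scopes[s].(type) {
	case string:
		return v != ""
	case bool:
		return v
	}
	return false
}
```

Only names listed in the payload's "scope" array are copied, so a key such as "realm" that is present in the payload but not granted as a scope is still rejected by FixedCheck.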

v2 refactoring

The current lib is simple and works for a "golden" path like stack, but does not work for:

  • non Gin handler applications (#31 and #47)
  • not able to pass a logger #75
  • we are a bit stuck by using globals instead of having a struct

The best would be to not break the API but have an additional API that can support all these cases and we use the old way to create the old defaults.

What this library implements seems not to be an OAuth "Authorisation Code Grant" standard flow. Please comment.

We are trying to use GitHub as authorisation server for our app called "one".
We are unable to use successfully the browser to retrieve server resources (even though we specify code and state in each request). We are currently able to retrieve resources only using cURL.

There are two major things while attempting to use this library that we cannot find anywhere in the official OAuth documentation or in available online resources:

  • we never see any token flowing back and forth between our backend equipped with your library and the browser. On the contrary, we see that apparently the token is "rebuilt" at each GET done by the browser (https://github.com/zalando/gin-oauth2/blob/master/github/github.go#L84)

  • we do see a cookie "one_session_github" that arrives in the browser after the redirect following the OK given by the user on GitHub. This cookie is mandatory and without it not even our cURL resource requests may succeed.

We are having a real hard time using your library. Can you please help investigating our case?
Thank you for your attention.
