zalando / gin-oauth2
Middleware for Gin Framework users who also want to use OAuth2
License: MIT License
I'm wondering if I can use this to be a provider for OAuth 2.0 applications. If so, is there an example somewhere on this? Basically, we are trying to mimic the GitHub OAuth Apps, where the user clicks a button to create a new application, they get a client id and secret given to them and they can update the callback URL or refresh the secret. Every google search brings me here for gin and OAuth. Help, please :) I have the db model done, it's pretty simple, just not sure how to integrate this in or where to start with it, as all the examples are using a provider and not being a provider.
Is there a working example which includes the refresh token?
The `AccessTuple` type limits the API to a token database being stored in a single process, in memory. However, this limit could easily be removed if the `AccessTuple` was removed from the API. The `ginoauth2.Auth` function only needs an `accessCheckFunction` closure that will authenticate users, and it should be left to that closure to decide the data source to use.
Here is how to fix the API:
- `exampleauth` that will only be an example of an authenticator
- `AccessTuple` and `func UidCheck` to `exampleauth`
- `AccessTuple` from the `ginoauth2.Auth`
- `func signaturefunc(tc *TokenContainer, ctx *gin.Context) bool { return exampleauth.UidCheck(tc, USERS, ctx) }` where `ginoauth2.UidCheck` was previously used
Tell me if you want a PR that implements this.
It should be possible to use Github OAuth2 infrastructure with this middleware.
I'm using environment variables to handle my secrets. I was wondering if it would be ok for me to submit mutator methods to support another means of setting the `oauth2.Config`'s in google.go specifically. I'd of course want to ensure this remains backwards compatible, so I would only be adding these setters. Below are the functions I'd like to add:
```go
// Usage would be something like:
google.SetClientID(configs.ClientID)
google.SetClientSecret(configs.ClientSecret)
google.SetRedirectURL(redirectURL)
google.SetScopes([]string{gmail.GmailReadonlyScope})
google.SetEndpoint(google.Endpoint)
```
If there's no aversion, I'd be happy to submit a PR - with tests too! :)
Use https://github.com/coreos/dex to have an automated test setup with travis-ci, as Brandon Philips pointed out. This will help to make it useful for non-Zalando organizations, because it shows a usage that is not dependent on Zalando.
Hi,
I've just tested your implementation and discovered that the RequestAuthInfo function can only be used if the AuthInfo endpoint of my OAuth2 server is using the access_token parameter.
So my question is: what about other servers like keycloak, which are using the Auth header for passing the bearer?
Can this lib be used with keycloak, for example?
I can't understand the following:
from your token provider (oauth2.Endpoint.AuthURL):
```sh
% TOKEN=$(curl https://$USER:[email protected]/access_token)
```
my core code:
```go
var TEAMS []zalando.AccessTuple = []zalando.AccessTuple{
	{"teams", "a", "a"},
}
...
...
...
router.Run(":8001")
```
I get the token like this:
https://a:[email protected]:8001/access_token
but I could not get a response. Why?
As part of the `Auth()`'s returned `gin.HandlerFunc`, the `user` is saved to the context and session. This is great for identification, however I'm running into an issue. During the `google` package's `Setup()`, my application is able to specify `scopes` to make subsequent requests on behalf of the user. The problem is that our `token`, which was issued with those scopes, is no longer available. To get a token this would require an additional or custom middleware to be implemented. Since we are providing a means to specify `scopes`, I think it's presumable that the application should be able to make requests on the user's behalf following authentication. With that, I was interested in modifying the `Auth()` function to save the `token` to the `session` and the `context`.
If I'm misunderstanding the flow or overlooking a way to not have to reinitiate the oauth2 flow, please let me know. I'm going to work up an MR in the meantime. Thanks!
Hi, I wanted to try out the GitHub example, and after a successful login I have navigated to the /auth/api endpoint but got an error message, is this the expected behaviour? Thanks!
```
[GIN] 2018/01/09 - 15:07:15 | 401 | 132.011µs | 127.0.0.1 | GET /auth/api
Error #01: Invalid session state: ***********
```
I use zap to take over the log output of gin and the other packages in the project, and I also want to take over the log of gin-oauth2 using zap. Is there any solution?
It should be possible to use Google OAuth2 infrastructure with this middleware.
Hello,
is there an example provider server, which could be spun up for testing this library with the zalando example?
There is no LICENSE file (but a broken link in the README).
Hi there, as gin-gonic currently lacks active development (at least it looks like that to me), we should consider opening this project to a wider audience and providing middleware for other frameworks too.
While working on #76, I had issues running all of the tests locally. Also, my PR didn't abide by go doc standards, which I also didn't catch. I think this repo could benefit from 2 things:
- a `Makefile`, which would essentially be duplicating the checks locally so that a developer can verify their PR conforms to standards and the tests work. The `Makefile` could also automate the setup needed to run the tests locally.

Hello zalando team,
I was interested in your implementation, and as far as I get it right, the implementation of this repo only covers the resource authorization but not the actual authorization service.
Currently I'm generating JWT tokens using a gin-jwt service. I'm using basic authentication to validate and generate a token; afterwards I'm using that token in Swagger APIs to fetch resources.
Now I would like to use this implementation (well done btw) to leverage more fine-grained access control using scopes. I'm just wondering where to start. I believe a UI would be required to generate new apps (redirect_uri, client id, client secret, name). Afterwards that information can be used to fetch an authorization token and afterwards the access token. Once you have the latter, you can use your implementation to limit requests to the scopes of the received token.
I'm just wondering what would be the best way to implement the authorization behaviour, or what implementation should be used.
Thanks for everything!
Cedric
Hi, I wanted to try out the Google example, and after a successful login I have navigated to the /auth/api endpoint but got an error message, is this the expected behaviour? Thanks!
```
[GIN] 2021/03/07 - 14:55:29 | 401 | 108.714µs | ::1 | GET "/auth/api"
Error #01: Invalid session state: *********************************
```
Seems like an issue similar to #45
In case you have a token with scope = "nakadi.event_stream.read", the payload from the tokeninfo endpoint is the following:
```json
{
  "access_token": "dyU...xVM",
  "client_id": "stups_marilyn-updater_ec462cc5-3861-4873-9f91-001549db1aaa",
  "expires_in": 2605,
  "grant_type": "password",
  "nakadi.event_stream.read": true,
  "realm": "/services",
  "scope": [
    "nakadi.event_stream.read",
    "uid"
  ],
  "token_type": "Bearer",
  "uid": "stups_marilyn-updater"
}
```
In ParseTokenContainer the following code parses the payload:
```go
scopes := data["scope"].([]interface{})
for _, scope := range scopes {
	sscope := scope.(string)
	sval, ok := data[sscope]
	if ok {
		tdata[sscope] = sval
	}
}
```
The above code creates a `map[string]interface{}` that, in the case of the example payload above, will be:
```go
tdata["uid"] = "stups_marilyn-updater"
tdata["nakadi.event_stream.read"] = true
```
`zalando.ScopeCheck` takes the map and casts the value to string:
```go
if cur, ok := tc.Scopes[s].(string); ok {
	glog.V(2).Infof("Found configured scope %s", cur)
	scopesFromToken = append(scopesFromToken, cur)
	ctx.Set(s, cur) // set value from token of configured scope to the context, which you can use in your application.
}
```
This causes `ok` to be != true and the scope check to fail.
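The parsing and type-assertion behaviour described in this report, reproduced as an added stand-alone example (this is not the library's code): `parseScopes` mirrors the quoted ParseTokenContainer loop, `scopeCheckStringOnly` reproduces the string-only assertion that rejects the boolean-valued scope, and `scopeCheckTyped` is one possible fix that accepts a non-empty string or the boolean `true` and otherwise fails closed. The payload is a constructed copy of the one quoted above; all function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// tokenInfoPayload is a constructed sample modelled on the tokeninfo response
// quoted in the report (token value shortened). The scope
// "nakadi.event_stream.read" appears as a boolean key, while "uid" is a string.
const tokenInfoPayload = `{
  "access_token": "dyU...xVM",
  "client_id": "stups_marilyn-updater_ec462cc5-3861-4873-9f91-001549db1aaa",
  "expires_in": 2605,
  "grant_type": "password",
  "nakadi.event_stream.read": true,
  "realm": "/services",
  "scope": ["nakadi.event_stream.read", "uid"],
  "token_type": "Bearer",
  "uid": "stups_marilyn-updater"
}`

// parseScopes mirrors the quoted ParseTokenContainer loop: for every name in
// "scope", copy the top-level value of that name into the scope map.
// Unlike the quoted snippet it returns an error instead of panicking on
// malformed input (missing "scope" array, non-string entry).
func parseScopes(payload []byte) (map[string]interface{}, error) {
	var data map[string]interface{}
	if err := json.Unmarshal(payload, &data); err != nil {
		return nil, err
	}
	rawScopes, ok := data["scope"].([]interface{})
	if !ok {
		return nil, errors.New("tokeninfo: missing or non-array scope field")
	}
	tdata := make(map[string]interface{})
	for _, scope := range rawScopes {
		name, ok := scope.(string)
		if !ok {
			return nil, fmt.Errorf("tokeninfo: non-string scope entry %v", scope)
		}
		if val, ok := data[name]; ok {
			tdata[name] = val
		}
	}
	return tdata, nil
}

// scopeCheckStringOnly reproduces the failing check: a required scope is only
// accepted when its value is a string, so a boolean-valued scope is rejected.
func scopeCheckStringOnly(scopes map[string]interface{}, required []string) bool {
	for _, s := range required {
		if _, ok := scopes[s].(string); !ok {
			return false
		}
	}
	return true
}

// scopeCheckTyped is one possible fix: a scope listed in "scope" is accepted
// when its value is a non-empty string or the boolean true. Any other type,
// the boolean false, or a missing key fails closed.
func scopeCheckTyped(scopes map[string]interface{}, required []string) bool {
	for _, s := range required {
		switch v := scopes[s].(type) {
		case string:
			if v == "" {
				return false
			}
		case bool:
			if !v {
				return false
			}
		default:
			return false
		}
	}
	return true
}

func main() {
	scopes, err := parseScopes([]byte(tokenInfoPayload))
	if err != nil {
		panic(err)
	}
	required := []string{"nakadi.event_stream.read"}
	fmt.Println("string-only check:", scopeCheckStringOnly(scopes, required)) // false
	fmt.Println("typed check:", scopeCheckTyped(scopes, required))           // true
}
```

Because the string-only check fails closed, the bug denies access rather than granting it; the typed variant keeps that fail-closed default (unknown value types and `false` are still rejected) while accepting the boolean form the tokeninfo endpoint actually returns.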
The current lib is simple and works for a "golden" path like stack, but does not work for:
The best would be to not break the API but have an additional API that can support all these cases and we use the old way to create the old defaults.
We are trying to use GitHub as the authorisation server for our app called "one".
We are unable to successfully use the browser to retrieve server resources (even though we specify `code` and `state` in each request). We are currently able to retrieve resources only using cURL.
There are two major things while attempting to use this library that we cannot find anywhere in the official OAuth documentation or in available online resources:
1. we never see any token flowing back and forth between our backend equipped with your library and the browser. On the contrary, we see that apparently the token is "rebuilt" at each GET done by the browser (https://github.com/zalando/gin-oauth2/blob/master/github/github.go#L84)
2. we do see a cookie "one_session_github" that arrives in the browser after the redirect following the OK given by the user on GitHub. This cookie is mandatory and without it not even our cURL resource requests succeed.
We are having a real hard time using your library. Can you please help investigate our case?
Thank you for your attention.