[Q] Check if user exists before generating JWT token about auth HOT 3 CLOSED

Can we fetch email also from google and github provider and update in claim token (as of now it have name, id and avatar only)?

The scopes and mapping functions defined as a part of the provider's init, for example this is the one for google. As you can see both scope and mapping functions are predefined and have no hooks to be customized. However, the scope we use here gives access to email as well but the mapping drops it intentionally. Either way, the simplest way to change this behavior is to add your own flavor of google provider with email mapped. This can be done with service.AddCustomHandler. See this PR for more info and it also documented in README. In addition, provided example shows how to add a custom handler.

Pls note: there is an open ticket #37 around the same problem

What's the best location to check whether user account exists in our platform or not? I was thinking it might be Validator, but validator is invoked at every call. Any tips on how can I optimize it? Maybe just check once, while generating JWT token using provided secret?

See https://github.com/go-pkgz/auth#customization, namely a section describing ClaimsUpdater. This one is called at the login time only, and probably can be used for any checks you need. There is an example showing how to alter claims with the ClaimsUpdater.

hope it helps.

from auth.

Thanks alot, everything works now as per your advice.

I have one more question to ask. I want to have an option to register at my website directly instead of using external providers like google, github etc. So user can either use external providers to login or just directly login with registered username and password.

So, one way would be just host my own oauth server, but I was looking at Direct authentication section in README and it looks something similar to what I want to achieve.
Just use direct authentication, check if username and password is correct, if yes, it will issue a JWT token back, am I right?

As the frontend and backend is trusted, I really don't need to host an oauth server, something like simple session management will do the trick, but it will increase the complexity of having two different authentication protocols. So in this scenario, Direct authentication sounds good to me.

Would it be a ok to use it for a production system? Does the direct authentication method have any shortcomings?

from auth.

Direct auth will work just fine. It will check passed credentials and issue a token, exactly the same as the real ouath providers.

Would it be a ok to use it for a production system? Does the direct authentication method have any shortcomings?

This method as good as CredCheckerFunc you provide, nonthing inherently "non-production" here.

Btw, alternatively, you can setup the real oauth2 server with your own login handler. This way can be useful if you want to make your own SSO type of auth. For more details see providers.CustomServer

from auth.