goincremental / negroni-oauth2 Goto Github PK

View Code? Open in Web Editor NEW

71.0 2.0 25.0 35 KB

License: Apache License 2.0

Go 100.00%

negroni-oauth2's Introduction

negroni-oauth2

Allows your Negroni application to support user login via an OAuth 2.0 backend. Requires negroni-sessions middleware.

Google, Facebook, LinkedIn and Github sign-in are currently supported.

Once endpoints are provided, this middleware can work with any OAuth 2.0 backend.

Usage

package main

import (
	"fmt"
	"net/http"

	oauth2 "github.com/goincremental/negroni-oauth2"
	sessions "github.com/goincremental/negroni-sessions"
	"github.com/goincremental/negroni-sessions/cookiestore"
	"github.com/urfave/negroni"
)

func main() {

	secureMux := http.NewServeMux()

	// Routes that require a logged in user
	// can be protected by using a separate route handler
	// If the user is not authenticated, they will be
	// redirected to the login path.
	secureMux.HandleFunc("/restrict", func(w http.ResponseWriter, req *http.Request) {
		token := oauth2.GetToken(req)
		fmt.Fprintf(w, "OK: %s", token.Access())
	})

	secure := negroni.New()
	secure.Use(oauth2.LoginRequired())
	secure.UseHandler(secureMux)

	n := negroni.New()
	n.Use(sessions.Sessions("my_session", cookiestore.New([]byte("secret123"))))
	n.Use(oauth2.Google(&oauth2.Config{
		ClientID:     "client_id",
		ClientSecret: "client_secret",
		RedirectURL:  "refresh_url",
		Scopes:       []string{"https://www.googleapis.com/auth/drive"},
	}))

	router := http.NewServeMux()

	//routes added to mux do not require authentication
	router.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
		token := oauth2.GetToken(req)
		if token == nil || !token.Valid() {
			fmt.Fprintf(w, "not logged in, or the access token is expired")
			return
		}
		fmt.Fprintf(w, "logged in")
		return
	})

	//There is probably a nicer way to handle this than repeat the restricted routes again
	//of course, you could use something like gorilla/mux and define prefix / regex etc.
	router.Handle("/restrict", secure)

	n.UseHandler(router)

	n.Run(":3000")
}

Auth flow

/login will redirect user to the OAuth 2.0 provider's permissions dialog. If there is a next query param provided, user is redirected to the next page afterwards.
If user agrees to connect, OAuth 2.0 provider will redirect to /oauth2callback to let your app to make the handshake. You need to register /oauth2callback as a Redirect URL in your application settings.
/logout will log the user out. If there is a next query param provided, user is redirected to the next page afterwards.

You can customize the login, logout, oauth2callback and error paths:

oauth2.PathLogin = "/oauth2login"
oauth2.PathLogout = "/oauth2logout"
...

Contributors

Derived from martini-contrib/oauth2

Burcu Dogan

negroni-oauth2's People

Contributors

Stargazers

Watchers

negroni-oauth2's Issues

multiple provider example?

I'm trying to figure out how to make this work with both bitbucket and github but it looks like it might not be possible because of the way the paths work?

Any chance you can provide and example of how to use this with multiple providers?

negroni-oauth2 is unsafe and vulnerable to csrf

the oauth2 "state" field, the first argument of AuthCodeURL, is supposed to be a CSRF token - a completely unguessable random string of bytes. further, on the callback, the oauth2 service will return the provided state and negroni-oauth2 should be checking it for equality

it's certainly clever that the next url is being passed in as the state field, but it's insecure. both the expected state and the next url should be kept in the session

Can't implement Dropbox OAuth2 because of access_type parameter

I'm trying to implement Dropbox OAuth2 with this package, but it doesn't work because the login() method always sets an access_type=offline parameter that Dropbox doesn't recognize.

Could you add a way to configure this behavior?

Redirect loop in Chrome and Firefox but not in IE

For the life of me, I can't seem to figure out why my app is resulting in a redirect loop only in Chrome and Firefox but not in IE. When my provider initiates a redirect request to my callback, oauth2callback, my app for some reason keeps re-initiating new requests for authorization codes; thus resulting in a redirect loop. My code is here: https://github.com/AzureFederal/azurefederalweb/blob/master/app.go.

I've tried tracing through oauth2.go and the redirect loop seems to be initiated at line 241.

@Bochenski, I noticed that you set the token to nil to avoid a redirection loop in line 206, but not sure if this has anything to do with my issue.

Thanks!

Securecookie: the value is too long

I'm using Keycloak (https://github.com/keycloak/keycloak) as my OAuth2 provider.
The access token is exceeding 4KB maxLength of SecureCookie.

This library is vulnerable to token substitution attacks

Depending on the session algorithm used and on how and when func SetToken(r *http.Request, t interface{}) is being used, this library is vulnerable to token substitution attacks. Please inform the developer, that SetToken() should never be called - except when handling the oauth2 callback. I would make it private.

If the remote idp's user id is used (e.g. by calling the user_info endpoint) for authentication, and the access token can be set by e.g. calling login?access_token=123, a malicious user will be able to break in by generating an access token for the same user on another app.

Please add a section that informs developers to use id tokens provided by OpenID Connect instead.

goincremental / negroni-oauth2 Goto Github PK

negroni-oauth2's Introduction

negroni-oauth2

Usage

Auth flow

Contributors

Derived from martini-contrib/oauth2

negroni-oauth2's People

Contributors

Stargazers

Watchers

Forkers

negroni-oauth2's Issues

Recommend Projects

Recommend Topics

Recommend Org