Consider adding testcases to the code.

Without this, it does not inspire confidence for people to use it.

Hi,

Great project :)

I was trying to integrate with some code of mine and I got
cannot use mongo.Conn() (type *"gopkg.in/mgo.v2".Session) as type "labix.org/v2/mgo".
I had trouble in the past and apparently it is suggested to use gopkg.in/mgo.v2 instead of labix.org/v2/mgo.

See http://stackoverflow.com/questions/31244438/mgo-newobjectid-corrupt-on-insert for the comment from mgo's maintainer.

For example, jwttoken example broken with error: "Error Request must be POST".

Hi there,
I have a web app that uses osin for login. It uses https://github.com/andreassolberg/jso (Implicit flow).

I need to implement "Remember me" feature on the login page and the idea is to prolong the ttl of the token if it's requested by the user.

Now the AccessData::ExpiresIn parameter is by default 3600.
Can we create a special parameter Persistant or a convention ExpiresIn==-1 that will tell OSIN not to expire the token?

Thanks

Mobile devices with potential connectivity issues may request a refresh_token grant type without being able to accept the response,
in such case, the refresh token is removed and the mobile device has to authenticate the user again using another flow.

we experienced this issue during QA of bad connectivity.

I suggest to keep the refresh + access token even on successful refresh and let the server handle deletion (such as within the first usage of the new token), or on storage.LoadAccess() for the new token.

I'm already doing this in a fork and can submit a PR.

I believe that the correct http status code should be BadRequest. The error is correctly returned.

Should I fix and create a pull request?

https://github.com/RangelReale/osin/blob/master/access.go#L132-L143

Reading through RFC (4.3) I could not find a clear and direct statement about client secret -- is it optional or required. OSIN makes it required (judging by logic in getClientAuth()) but changing that and make this configurable would be trivial.

I havn't done any extensive research, but for example, PHP's implementation (https://github.com/bshaffer/oauth2-server-php) allows client secrets to be optional. A few other examples: http://security.stackexchange.com/questions/64091/oauth2-resource-owner-password-credentials-grant, https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps

My opinion is that both functions, CheckBasicAuth() and getClientAuth() take too much responsibility in validating of the credentials. This should be responsibility of some other (pluggable) function (similar as ClientSecretMatcher solution)

Any thoughts on that?

Hello, i want to integrate your framework in my project.
Could you tell me, which access token grant types are supported right now from Oauth 2.0 specification?

For some reason, when attempting to access the token URL generated by the app, I get an invalid_grant error triggered in access.go line 181, right after loading authorized data from the provided code.

This doesn't happen all the time. When I restart my goapp server it accesses the token fine after refreshing the web page once. I really want to be able to download this token after the url is generated however this inconsistency is blocking me.

This is how I download the token:

    ctx := appengine.NewContext(r)
    client := urlfetch.Client(ctx)
    req, err := http.NewRequest("GET", fmt.Sprintf("http://localhost:8080%s", aurl), nil)
    if err != nil {
        w.Write([]byte("error forming req"))
    }
    ba := &osin.BasicAuth{"<client username>", "<client password>"}
    req.SetBasicAuth(ba.Username, ba.Password)
    res, err2 := client.Do(req)
    defer res.Body.Close()
    if err2 != nil {
        w.Write([]byte("error forming res"))
    }
    jdec := json.NewDecoder(res.Body)
    jdec.Decode(&jr)

^that only works sometimes as mentioned before. Can anyone please help? I've been stuck on this for days :(

I am trying osin complete example. I am able to run it on the http://localhost:14000/app. Even though I am not passing any Authorization header but I am getting Basic MTIzNDphYWJiY2NkZA== as header in info API. Not sure from where it is coming. Because of this info API is failing.

My travis build (which depends on osin) failed today with the following message:

...
...

- go get -u github.com/RangelReale/osin

../../RangelReale/osin/tokengen.go:31: not enough arguments to return

The command "go get -u github.com/RangelReale/osin" failed and exited with 2 during .

Seems something is wrong with the recent commits.

Do you plan to support the JWT bearer as described in RFC7523? Or do you have any pointers how to implement such?

Hi!

Am I missing something or are the passwords stored in plain text in the storages? It looks to me that all passwords are matched against their unencrypted dito. Are there any planned feature improvements on this or are you open for pull requests?

I notice the AccessData struct keep the previous AccessData record:

type AccessData struct {
....
AccessData *AccessData
....
}

The problem is when I use refresh_token grant type to create new access_tokens; it will save previous AccessData record in the pointer. So if I keep continue to use refresh_token multiple times, consequently I get something like that (I use mongo as storage for the access token)

{
"_id": "Y2MzNTE0ZTItODYyNy00YWY1LWJmMWUtNmRiYTRiODI5OWIy",
"client": {
"id": "1234",
"secret": "aabbccdd",
...
},
"authorizedata": null,
"accessdata": {
"client": {
"id": "1234",
"secret": "aabbccdd",
...
},
"authorizedata": null,
"accessdata": {
"client": {
"id": "1234",
"secret": "aabbccdd",
....
},
"authorizedata": {
....
},
.....
},
....
},
....
},
...
}

Beside the storage problem (the data for that entry might grow exceed the allowed entry size restricted by mongoDB), it also has problem when I unmarshal the json to struct; It's due to the 'Breaking Change' when client now is an interface not struct.

I take a look at the code. Seems that the AccessData not even being used. The GenerateAccessToken(data *AccessData, generaterefresh bool) (accesstoken string, refreshtoken string, err error) only use it in case of JWT token (base64 not being used). But still clientInfo (data.Client.GetId() -- in JWT GenerateAccessToken) can be obtain from the first level of the struct directly. I am wondering why we need to keep the previous Access Data pointer. If it's necessary, can I just keep at most 2 levels instead of infinitely nesting the object in.

This may be a misunderstanding of mine with the OAuth spec. I was under the impression that when requesting a refresh token, the new expiration would be a much longer duration. However in osin it just defaults to the same expiration as the access token. What would be the correct process for getting a token with a much longer expiration time?

While trying to draft up my OAuth Server using this amazing library I've ran into a little bit of an issue. I'm not quite sure whether its by design or if you are open to possibly some API changes.

I'm developing some services using a micro service approach and would love to have an authentication service. Doing so I would like to use RPC as the communication layer. Sadly osin makes some pretty hard assumptions on using HTTP as the transport layer and doesn't seem to expose any sort of underlying API to support any other transport layer.

Would you be opposed to some API changes to accommodate other transport protocols? If so, would you ever consider splitting packages and exposing the HTTP api in a package say osin/http?

First of all, thanks for this library, as it saved me a lot of time.

However i felt bad using AuthorizeRequest, AccessRequest and AuthorizeData's UserData interface{} field.

I used it to store info gathered during the authorization request and translate it into a JSON Web token after the access request.

I open this issue as a discussion, in the hope of a new solution to pass data between the storage and the api that dosen't involve an interface{} field.

Since JWT grant stills not standartised, it would be a good idea to implement this grant type, so we can use it to pass the client credentials in a much more secure way than passing directly inside HTTP form.

I implemented a MongoDB storage for OSIN at https://github.com/martint17r/osin-mongo-storage

Your feedback is greatly appreciated.

Cheers

Martin

Thanks for creating this library. I'm new to oauth2 as well as to Go, so thanks for your patience. Is there an example of how to write an endpoint for it that's oauth protected? (I've got osin integrated with my app so I can generate tokens, but I'm not sure if I'm on my own to validate the headers, etc. on my actual functional endpoints.)

I'm considering implementing an endpoint for dynamic client registration as per (https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-29).

Would you consider merging it if I were to implement it?

I'm not sure what the oauth official param is but I noticed on Google's OAuth API they use redirect_uri. Should this be something you can customize? Also, I noticed in the README it says to use redirect_url, and when I use that URL, that seems to work and not redirect_uri using osin. I did a search of the entire repo on osin and I don't see how redirect_url even works and not redirect_uri. Any ideas?

I'm playing around with osin to get a better grip on how Oauth works and how I should use it with projects. Using the example with the /token endpoint it returns a refresh_token. But as I understand this is against the specs:

4.4. Client Credentials Grant
...
4.4.3. Access Token Response

If the access token request is valid and authorized, the
authorization server issues an access token as described in
Section 5.1. A refresh token SHOULD NOT be included. If the request
failed client authentication or is invalid, the authorization server
returns an error response as described in Section 5.2.

Is there a way to disable / work around this behavior?

5.1.4.1.3. No Cleartext Storage of Credentials
The authorization server should not store credentials in clear text.
Typical approaches are to store hashes instead or to encrypt
credentials. If the credential lacks a reasonable entropy level
(because it is a user password), an additional salt will harden the
storage to make offline dictionary attacks more difficult.
Note: Some authentication protocols require the authorization server
to have access to the secret in the clear. Those protocols cannot be
implemented if the server only has access to hashes. Credentials
should be strongly encrypted in those cases.

OAuth 2.0 Threat Model and Security Considerations

Gaining access to the database, e.g. by using SQL Injection (OWASP's #1 attack vector), would provide an attacker with long lived credentials (refresh tokens) and short lived credentials (authorize code, access token). Having client passwords stored securely is nice and all but gives a false sense of security, because all other credentials are stored in a insecure way.

Right now, a storage could implement encryption and en-/decrypt tokens on SaveAccess / LoadAccess / etc. In an ideal world, we should not rely on encryption but rather on hashing, but that option is currently not possible in a performant way unless unsalted md5 / crc32 / shaXYZ is used. Unsalted hashing is considered bad practice for long living credentials (:= refresh tokens).

Ideally, a token would consist of two parts: {random-string-without-dots}.{signature}
Only the signature is stored. The authorization server would then first validate if random-string matches signature (e.g. by using BCrypt) and reject the token/code if the two mismatch. It would then lookup the signature in the database confirming that the token/code exists and return the appropriate data. An attacker who gained access to the database would then only have the signature which is useless without the random-string. With BCrypt it would practically be impossible to find the matching random-string in a reasonable time.

If encryption (AES) was used, an attacker who gained access to both database and app server would have access to the encryption key, rendering the security measure insecure. If hashing is used, there is no way to guess the credentials, even if an attacker has access to both systems. Only changes to the code base might disable these security measures. These however will probably be catched by a sysadmin in reasonable time.

Yes, this could be implemented by providing a custom store implementation and token generation strategy. But the store would become a validator and suddenly be more than just storage. Additionally, you can not use any of the storage implementations listed in the readme. Plus this library should enforce secure behavior rather than making insecure behavior so easy to get right.

I fell into that pitfall and it will take me significant time to refactor it and get security right. And seeing how popular this repository is amongst gophers I have reasonable doubt that some applications / companies out there are not as secure as they claim or think.

So I was skimming through RFC6749 and saw that it doesn't really specify assertions in a detailed manner, but the example it provides is very different from the explanation of assertions in the v10 draft. I did a little more digging and found https://tools.ietf.org/html/draft-ietf-oauth-assertions-18. I was wondering what the view was on assertions support since the OAuth assertions draft is dramatically different from that specified in the OAuth2 v10 draft (which is what is currently implemented).

Thoughts?

This bug is introduced in 40db961

The value stored in r.Form is already unescaped (proof: http://play.golang.org/p/mRvsjF51Kd) .

This bug will cause "redirect_uri mismatch" response if redirect_uri parameter passed to authorization endpoint and token endpoint has escaped characters.

As a quick glimpse of this oauth provider usage, example/complete is doing a good job, but the 'Goto Token URL' function fails, error msg:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}

console log:

ERROR: Client authentication not sent

Is there anything should be adjusted?

Hi there,

I used this library for a small project a few months ago and it worked flawlessly.
However, when I came back to using it for a new project, I noticed that the tokens that are generated by osin look very similar (AccessToken & RefreshToken that is).

Here is a short program demonstrating the issue https://gist.github.com/Ligustah/bee3217f5b6c037bbf78 , which I think was introduced here: https://github.com/RangelReale/osin/pull/45

To see the difference please compare:
https://godoc.org/code.google.com/p/go-uuid/uuid#NewUUID
https://godoc.org/code.google.com/p/go-uuid/uuid#New

Now I'm not too sure as to what the implications of this are, but it think it defeats the purpose of the long lived refresh token vs. short lived access token, when it's trivial to easily guess the refresh token given a specific access token.

I suggest that you provide a default token generator that uses actually secure random tokens, which is fairly trivial using the standard library and doesn't require UUIDs at all.

Not sure if below code compiles, but I'm using a similar piece of code for another project and assuming crypto/rand is reliable it will generate fairly secure random tokens.

import (
    "crypto/rand"
    "encoding/base64"
)

func generateToken(length int) (secret string, err error) {
    var buf = make([]byte, length)
    _, err = rand.Read(buf)
    secret = base64.URLEncoding.EncodeToString(buf)

    return
}

Thoughts?

Currently, the way we retrieve token information is based on the query string. I have a client which sends the access_token via header already. To avoid breaking current users, we could keep both:

curl -i http://localhost:8000/me?code=ZGQyN2UyYWUtODczNS00NzAzLTllNzEtMzJlZjM0ZTliY2E1

and

curl -i -H "Authentication: Bearer ZGQyN2UyYWUtODczNS00NzAzLTllNzEtMzJlZjM0ZTliY2E1" http://localhost:8000/me

What do you think about it? If you agree I can send a pull request.
https://github.com/RangelReale/osin/blob/1bb768e23b70885ba6dc41a4e1d633aff5591e52/info.go#L20-L22

Would you consider switching osin.Client to be an interface, much like Storage? Or to avoid BC could potentially create a osin.ClientInterface (can't think of a better name) with osin.Client as the default implementation.

We'd like to be able to offer client registration via a website for developers, as well as Id, Client, Secret we'd like some other information (like contact email, developer name, application name etc).

There's also some other things we'd like to be able to overwrite, for example the JSON marshalling (hiding the secret).

Happy to submit a pull if it's a change that'd be welcomed :)

I am trying to implement your server this with: golang.org/x/oauth2 (that is client). It seams to me that everything works ok (code is generated, client_id and client secret are working ok and so on). Error I am getting is this one:

&{   0001-01-01 00:00:00 +0000 UTC map[error:invalid_grant error_description:The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.]}

that error occurs in : handleAuthorizationCodeRequest func on line 182: ret.AuthorizeData, err = w.Storage.LoadAuthorize(ret.Code)

This is my code:

var Endpoint = oauth2.Endpoint{
    AuthURL:  "http://localhost:9000/authorize",
    TokenURL: "http://localhost:9000/token",
}

ccc := &oauth2.Config{

    ClientID:     "id",
    ClientSecret: "sec",
    RedirectURL:  "http://localhost:9000",
    Scopes:[]string{"everything"},
    Endpoint: Endpoint,
}

if len(code) > 0{
    tok, err := ccc.Exchange(oauth2.NoContext, code)

    if err != nil {
        log.Println("err is", err)

        return nil
    }

    log.Println(tok)

} else {

    url := ccc.AuthCodeURL("xyz")
    log.Println(url)
    return c.Redirect(url)
}

where authorize/ route and token route are from your manual so nothing is new there.

i have tried that osincli client as well but error message is the same one.
I see your all examples uses get (that sucks do not you think?)

Hi, first, I would like to thank you for this amazing project!

I'm trying to use mongodb with mgo and I'm unable to get it running due to the latest changes. Even when I try to use DefaulClient I'm getting an error:

authData := &osin.AuthorizeData{
    Client: &osin.DefaultClient{},
}
err = conn.Authorizations().Find(bson.M{"code": code}).One(authData)

Error:

ERROR: reflect.Set: value of type bson.M is not assignable to type osin.Client

One way would be convert the authorize data to a custom struct where the client is a string(object id representation) and create two other methods to convert it. Not sure if that's a great solution. Could you please help me out?
Thanks!

HandleAccessRequest function responds with an error indicating unsupported_grant_type if request sent with Content-Type: application/json header because ParseForm() at access.go doesn't parse values.

handle*Request methods take http.Request and Response and generates AccessRequest from r.Form individually so I couldn't find a clean way of implementing this.

The BasicClient mentioned in documentation doesn't exists. It should be DefaultClient in the actual code. Please unify them. Thanks.

I was wondering if you have any plan to support MAC tokens?

Hi!
I'm trying to create one service with Authorization Server and Resource Server's endpoints (using revel)

I ran into one problem:

As far as I understand the code the Resource Server is supposed to use the /info endpoint to check if the token has required rights.

Is it possible to check if caller has access to a resource using Osin? (Omitting the unnecessary http call.)

Thanks!

Please provide installation steps

I would like to modify the storage interface to accept an interface for context information.

i.e.

// GetClient loads the client by id (client_id)
GetClient(context interface{}, id string) (Client, error)

It would also require changes to the response to accept a Context to be included in the response that could be passed into the storage calls.

// Server response
type Response struct {
    Context            interface{}

This would be a breaking change. Would this be considered for a merge?

It would be nice to be able to customize the parameter names return in the JSON output. For instance I'm building an api that uses all camel case responses, however osin always returns snake case access_token, error_description. I guess its a small point, but would be nice to be able to customize this.

When passing an invalid redirect_uri the user-agent has been redirected with the error description as follow:

https://my-url?error=invalid_request&error_description=The+request+is+missing+a+required+parameter%2C+includes+an+invalid+parameter+value%2C+includes+a+parameter+more+than+once%2C+or+is+otherwise+malformed.

Looking at the code, I see that it forces the redirection but I didn't get the point. Why is it necessary?
https://github.com/RangelReale/osin/blob/master/authorize.go#L132-L133

And the RFC says that we should not redirect the user-agent, btw..

3.1.2.4. Invalid Endpoint

If an authorization request fails validation due to a missing,
invalid, or mismatching redirection URI, the authorization server
SHOULD inform the resource owner of the error and MUST NOT
automatically redirect the user-agent to the invalid redirection URI.

The current information endpoint reads the access token from parameter "code". In other OAuth2 server implementation, however, they'd use "access_token" instead.

The relevant code:

• line 18, info.go
• line 47, util.go
• line 26, info.go
• line 37, info.go

I can provide a modification to (IMO) fix this, but I'd like to discuss how best to change / no change the current code first.

Is there any reason behind the decision?
Isn't "access_token" a more sensible choice?

It is a very good oauth server implementation. I am just wondering does it support oauth assertion, if not, any plan to do that?

The spec is here: http://tools.ietf.org/html/draft-ietf-oauth-assertions-01

Thanks!

The GoAuth2 example enables passing of Client Secret as a parameter instead of via the header. This should still work, but GoAuth2 now passes the client info as body parameters and via the BasicAuth header

http://localhost:14000/appauth/password returns

APP AUTH - PASSWORD
ERROR: invalid_request
FULL RESULT: map[error:invalid_request error_description:The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.]

Hi dear osin team,
I'm just started with go and your project - can you help me with 2 questions:

1. How to install your project?
   according 'go help gopath' structure of axample project should be different from your current, so I'm lost a bit how to make your project
2. How to run example ?
   It's maybe same issue as with question 1, but now in './simple/simple.go' i have numerous compilation errors - changing import to 'import osin 'import osin "github.com/RangelReale/osin" ' aren't helping.
   P.S.: "I have go version go1.2.2 linux/amd64, fedora 20"
   Thand you for help, Artem

Could you look at these implementations:

https://github.com/raphael/goa-middleware/pull/4

just to verify that I'm not doing anything wrong? Thanks for Osin!

My authentication server uses password grant type to generate access tokens using OSIN. This alone works fine when multiple devices login concurrently. Issues arise, however, when one of the devices uses their refresh token to get a new access token. Because OSIN removes the old refresh token and access token whenever a refreshtoken is used, the other device (which doesn't know these have been removed) fails the next request since the accesstoken is now invalid and also fails to get a new token since the refresh token is also now invalid.

Here is the exact piece of code that causes this issue in access.go:

// remove previous access token
if ret.AccessData != nil {
    if ret.AccessData.RefreshToken != "" {
        w.Storage.RemoveRefresh(ret.AccessData.RefreshToken)
    }
    w.Storage.RemoveAccess(ret.AccessData.AccessToken)
}

I am not sure how to get around this, however. I thought about using the AccessRequest.ForceAccessData field, but I can't think of a way to reliably retrieve an existing access token when all I have is a username and password.

Any ideas on this?

As mentioned in pull request #24, all storage engines of GAE requires the current *http.Request to work with. There is no way a Storage implementation can obtain such information.

There are 2 ways, I can think of, to cater the need:

1. Change all Storage methods to accept a *http.Request parameter
2. Change Storage.Clone() to collect *http.Request as a parameter
   This also requires the change in NewResponse() or Server.NewResponse() call

Change 1 is more intuitive but also more invasive. Users will have to change all their Storage methods. Change 2 require less changes to users' code and is much preferable.