A library for performing OAuth Device flow and Web application flow in Go client apps.

oauth

A library for Go client applications that need to perform OAuth authorization against a server, typically GitHub.com.


Traditionally, OAuth for web applications involves redirecting to a URI after the user authorizes an app. While web apps (and some native client apps) can receive a browser redirect, client apps such as CLI applications do not have such an option.

To accommodate client apps, this library implements the OAuth Device Authorization Grant, which GitHub.com now supports. With Device flow, the user is presented with a one-time code that they have to enter in a web browser while authorizing the app on the server. Device flow is suited to cases where the web browser may run on a different device from the client app itself; for example, a CLI application could run within a headless, containerized instance while the user completes authorization using the browser on their phone.
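As an added illustration (not code from cli/oauth), here is the Device flow token polling described above, written against the Go standard library only: the response parser accepts both the form-encoded bodies GitHub returns by default and the JSON bodies RFC 8628 specifies, and the loop returns as soon as the caller's context is canceled, which are the two points raised in the comments further down. The token endpoint URL, client ID and device code are supplied by the caller; nothing here is tied to a particular server.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)
// parseBody accepts the JSON body RFC 8628 mandates as well as the form-encoded body GitHub sends by default.
func parseBody(contentType string, body []byte) (url.Values, error) {
	if !strings.Contains(contentType, "json") {
		return url.ParseQuery(string(body))
	}
	raw, out := map[string]any{}, url.Values{}
	err := json.Unmarshal(body, &raw) // on error raw stays empty and err is returned below
	for k, v := range raw {
		out.Set(k, fmt.Sprint(v)) // numeric fields such as interval or expires_in become strings
	}
	return out, err
}

// PollToken polls tokenURL every interval until the device code is authorized, returning ctx.Err() as soon as ctx is canceled.
func PollToken(ctx context.Context, c *http.Client, tokenURL, clientID, deviceCode string, interval time.Duration) (url.Values, error) {
	form := url.Values{"client_id": {clientID}, "device_code": {deviceCode}, "grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}}
	for {
		select {
		case <-ctx.Done(): // the early exit asked for in the PollToken comment below
			return nil, ctx.Err()
		case <-time.After(interval):
		}
		req, _ := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		resp, err := c.Do(req)
		if err != nil {
			return nil, err
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		fields, err := parseBody(resp.Header.Get("Content-Type"), body)
		if err != nil {
			return nil, err
		}
		if e := fields.Get("error"); e == "" {
			return fields, nil // access_token, plus refresh_token when the client is a GitHub App
		} else if e == "slow_down" {
			interval += 5 * time.Second // RFC 8628 section 3.5: back off by five seconds
		} else if e != "authorization_pending" {
			return nil, fmt.Errorf("device flow: %s", e) // expired_token, access_denied, ...
		}
	}
}
```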

To transparently enable OAuth authorization on any GitHub host (e.g. GHES instances without OAuth “Device flow” support), this library also bundles an implementation of the OAuth web application flow, in which the client app starts a local server at http://127.0.0.1:<port>/ that receives the browser redirect. Device flow is attempted first, and the localhost server is used as the fallback. With the localhost server, the user's web browser must be running on the same machine as the client application itself.
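An added example (not the library's own webapp package) of the loopback receiver just described: it binds a random free port on 127.0.0.1, serves the redirect endpoint, and accepts only a redirect that carries the random state value it generated itself, so a forged or stale redirect cannot hand this session someone else's authorization code. The /callback path and the field names are this example's own choices.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
)
// Receiver is a loopback listener that catches the browser redirect of the web application flow.
type Receiver struct {
	listener    net.Listener
	RedirectURI string      // redirect_uri to send in the authorize request (this example uses /callback)
	State       string      // random value sent as state; the server echoes it back in the redirect
	code        chan string // delivers the first valid authorization code to WaitForCode
}
// NewReceiver binds a random free port on 127.0.0.1, generates the state value, and starts serving.
func NewReceiver() (*Receiver, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	r := &Receiver{listener: ln, State: hex.EncodeToString(buf), code: make(chan string, 1)}
	r.RedirectURI = fmt.Sprintf("http://%s/callback", ln.Addr())
	go http.Serve(ln, http.HandlerFunc(r.handle))
	return r, nil
}

// handle rejects any redirect whose state does not match, so a forged or replayed redirect cannot inject a foreign code.
func (r *Receiver) handle(w http.ResponseWriter, req *http.Request) {
	q := req.URL.Query()
	if req.URL.Path != "/callback" || q.Get("state") != r.State || q.Get("code") == "" {
		http.Error(w, "invalid callback", http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, "Authorization received; you may close this window.")
	select {
	case r.code <- q.Get("code"):
	default: // only the first valid redirect counts; later ones are ignored
	}
}

// WaitForCode blocks until a valid redirect arrives or ctx ends, then closes the listener.
func (r *Receiver) WaitForCode(ctx context.Context) (string, error) {
	defer r.listener.Close()
	select {
	case code := <-r.code:
		return code, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}
```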

Usage

Applications that need more control over the user experience around authentication should directly interface with github.com/cli/oauth/device and github.com/cli/oauth/webapp packages.

In theory, these packages would enable authorization on any OAuth-enabled host. In practice, however, this was only tested for authorizing with GitHub.

Comments
  • Expose refresh token (used by GitHub Apps)

    GitHub Apps have the ability to expose refresh_tokens when identifying and authorizing users using either the device or web flow.

    This refresh token is valid for 6 months and can be exchanged for a fresh access token (valid for 8 hours) and a new refresh token.

    This PR exposes the refresh_token that is returned when using the OAuth flow with a GitHub App.

  • [Question] Interest in adding support for the Microsoft identity platform's OAuth device flow?

    Hey there! Thanks for making this oauth module, it's awesome!

    Curious if there is interest in adding support for the Microsoft identity platform's OAuth device flow?

    I took a quick look at what's needed, and I think potentially the "only" change would be to support a JSON response from the device code endpoint, currently it looks like we only handle form responses:

    https://github.com/cli/oauth/blob/6b1e71c3614ec61205f1ffc9964b06dd61221385/api/form.go#L95

    I think if it could accept JSON, then other OAuth servers, like Microsoft identity platform's, would come for free.

    Thoughts?

  • PollToken should cancel early if the context is canceled

    This is kind of a nice issue, but in a console app I am working on the app intercepts the os SIGKILL/SIGINT signals to do all of its own graceful shutdown via context, but currently there is no way to cancel the loop in PollToken.

    To make this cancelable, it would be nice to put something like this into the loop there.

    		select {
    		case <-ctx.Done():
    			return nil, ErrCanceled
    		default:
    			timeSleep(checkInterval)
    		}
    

    Then the function could be extended like a lot of packages with a second copy of the method, and context propagated down.

    
    func PollTokenContext(ctx context.Context, c httpClient, pollURL string, clientID string, code *CodeResponse) (*api.AccessToken, error) {
    ... current implementation
    }
    
    func PollToken(c httpClient, pollURL string, clientID string, code *CodeResponse) (*api.AccessToken, error) {
      return PollTokenContext(context.Background(), c, pollURL, clientID, code)
    }
    

    The same thing could be done to DetectFlow, or it could be embedded within the flow struct so the outer API layout would change less.

  • Support third-party OAuth hosts

    This pull request should make some headway toward supporting OAuth providers other than just GitHub. This pull request doesn't introduce specific support for anything, but provides an API to allow third parties to use their own flavour of endpoints.


    Not all OAuth hosts use the same routes as GitHub, for example:

    • Microsoft use /oauth2/v2.0/devicecode
    • Google use /device/code
    • Auth0 use /oauth/device/code

    Similar differences are present for the authorise and access token routes too.

    This commit introduces a concept of a Server, which is a container for the endpoints that the library uses. This is a replacement for Flow's Hostname and as such is a breaking change.

  • Can I create an access token with SSO enabled?

    I'm trying to create a CLI tool for internal use at my company that can access an internal repository in our GitHub Enterprise Cloud organization (we have SSO enabled). I can use this library to successfully create an access token for my account, but I can't use the access token to access my repository. Is it possible to request that the access token have SSO enabled programmatically so that I can use it to hit an internal repository, or would I be better off just asking my users to provide a personal access token with SSO already enabled?

  • What's Changed

    • pr merge: fix merge queue API access for PAT consumers by @mislav in https://github.com/cli/cli/pull/5779
    • Use go-gh repository.ParseWithHost by @samcoe in https://github.com/cli/cli/pull/5655
    • Use go-gh for SSH hostname alias translation by @samcoe in https://github.com/cli/cli/pull/5654

    Full Changelog: https://github.com/cli/cli/compare/v2.12.0...v2.12.1


    This discussion was created from the release GitHub CLI 2.12.1.

    Originally posted by @github-actions[bot] in https://github.com/cli/cli/discussions/5780

  • Device Flow does not work with JSON Responses

    I've been testing this library out with the device code flow feature in the Dex Authorization framework (https://github.com/dexidp/dex) and it doesn't seem to work properly.

    After digging into the code a little bit, I realized that this library expects the response to be encoded as a form. If it does not receive a response in that form, it falls back to the webapp flow.

    However, the official RFC for the Device Code flow explicitly expects a JSON response.

    Would a PR that allows for both response types be welcome?

  • Add support for custom strings in Device Flow

    On the device flow, add support to specify the message to be shown to the user.

    On oauth_device.go, currently the messages are:

    fmt.Fprintf(stdout, "First, copy your one-time code: %s\n", code.UserCode)
    fmt.Fprint(stdout, "Then press [Enter] to continue in the web browser... ")

  • Support Google "OAuth 2.0 for TV and Limited-Input Device Applications"

    With some minor changes, this library can be made to work with Google's "OAuth 2.0 for TV and Limited-Input Device Applications". There are just two small changes to make:

    • Google returns a verification_url instead of verification_uri, and
    • Google requires the client_secret when polling for tokens.

    Example authentication

    Copy code: QCP-GZV-LGZ
    then open: https://www.google.com/device
    Access token: $ACCESS_TOKEN
    
  • @fingolfin That seems like a good idea. Will you make the PR?


    Once you have selected your values for your --json flag and made them pretty with --template, you can then pass your command through fzf for an interactive experience.

    Take advantage of the environment variable GH_FORCE_TTY, to enable terminal-style output even when the output is redirected (see gh environment for more details about it).

    Example:

    Code

    # .zshrc gh pr list command extended with fzf, see the man page (man fzf) for an explanation of the arguments.
    function ghpr {
    	[[ ! "$(git rev-parse --is-inside-work-tree)" ]] && return 1
    	GH_COMMAND='gh pr list --state open --json number,author,additions,deletions,updatedAt,title --template "
    	{{- tablerow (\"PR\" | color \"blue+b\") (\"LAST UPDATE\" | color \"blue+b\") (\"AUTHOR\" | color \"blue+b\") \"\" \"\" (\"TITLE\" | color \"blue+b\") -}}
    	{{- range . -}}
    		{{- tablerow (printf \"#%v\" .number | color \"green+h\") (timeago .updatedAt | color \"gray+h\") (.author.login | color \"cyan+h\") (printf \"+%v\" .additions | color \"green\") (printf \"-%v\" .deletions | color \"red\") .title -}}
    	{{- end -}}" --search'
    	FZF_DEFAULT_COMMAND="$GH_COMMAND ${1:-\"\"}" \
    		GH_FORCE_TTY=100% fzf --ansi --disabled --no-multi --header-lines=1 \
    		--header $'CTRL+B - Browser | CTRL+D - Toggle Diff  | CTRL+X - Checkout\nCTRL+E - Edit    | CTRL+I - Toggle Info  | CTRL+Y - Comment' \
    		--prompt 'Search Open PRs >' --preview-window hidden:wrap \
    		--layout=reverse --info=inline --no-multi \
    		--bind "change:reload:sleep 0.25; $GH_COMMAND {q} || true" \
    		--bind 'ctrl-b:execute-silent(gh pr view {1} --web)' \
    		--bind 'ctrl-d:toggle-preview+change-preview(gh pr diff {1} --color always)' \
    		--bind 'ctrl-i:toggle-preview+change-preview(gh pr view {1} --comments)' \
    		--bind 'ctrl-e:accept+execute(gh pr edit {1})' \
    		--bind 'ctrl-x:accept+execute(gh pr checkout {1})' \
    		--bind 'ctrl-y:accept+execute(gh pr comment {1})'
    }
    

    In the example I used nano as editor to write the comment, but you can set your own with gh config set editor ....

    Originally posted by @LangLangBart in https://github.com/cli/cli/issues/6089#issuecomment-1220250908

  • Note: I had erroneously committed to `master` instead of to a feature branch before creating this PR — I suppose that may be why I saw this message. Regardless, `gh` didn't help me figure this out, but instead confused me further; so I suppose the message could be clarified.

    Originally posted by @waldyrious in https://github.com/cli/cli/issues/2090#issuecomment-703291690

  • Support more auth endpoints

    Hi,

    this is a draft to support other endpoints than GitHub.

    In my specific case, I had to use Microsoft's auth endpoint, which is a bit different from GitHub's. See details here.

    I needed the support of additional post parameters in the AccessToken function and also to handle JSON based responses.

    My solution is not that generic (to support others) as I wanted, because I had to focus on my specific case but maybe it is a good starting point for other auth endpoints.

  • How should OAuth Client IDs be distributed to headless apps?

    Hi, I apologize if I've just missed something in the documentation but, should our OAuth App Client IDs be kept secret? In the case of writing a headless app how should we distribute the Client IDs to the user's applications so that they can authenticate with GitHub? Is it best to write a server side relay that requests the tokens on the behalf of the CLI tool and then passes the resulting temporary code and token back to the user, so that the user never has access to the Client ID, or is it safe to embed the client ID in a distributed binary/source code? Thanks for your time.
