simple-jwt-provider - Simple and lightweight provider which exhibits JWTs, supports login, password-reset (via mail) and user management.

Mentioned in Awesome Go Go Go Report Card codecov

simple-jwt-provider

Simple and lightweight JWT-Provider written in go (golang). It exhibits JWT for the in postgres persisted user, which can be managed via api. Also, a password-reset flow via mail verification is available. User specific custom-claims also available for jwt-generation and mail rendering.

dockerized: https://hub.docker.com/r/leberkleber/simple-jwt-provider

build it yourself:

# as docker-image
docker build . -t leberkleber/simple-jwt-provider

# as binary
go build -o simple-jwt-provider ./cmd/provider/

Table of contents

Try it

git clone [email protected]:leberKleber/simple-jwt-provider.git
docker-compose -f example/docker-compose.yml up

# create user via admin-api
./example/create-user.sh [email protected] password {}

# login with created user
./example/login.sh [email protected] password

# reset password
# 1) create password reset request
#    - mail with reset token would be send
# 2) reset password with received token
# 3) do crud operations on user

# 1) create password reset request 
./example/create-password-reset-request.sh [email protected]
# 1.1) open browser at http://127.0.0.1:8025/ and copy reset token (token only not the url)
# 2) reset password with received token
./example/reset-password.sh [email protected] newPassword {reset-token}
# verify new password
./example/login.sh [email protected] newPassword

# 3) do crud operations on user
# see ./example/*.sh

Getting started

Generate ECDSA-512 key pair

# private key
openssl ecparam -genkey -name secp521r1 -noout -out ecdsa-p521-private.pem
# public key
openssl ec -in ecdsa-p521-private.pem -pubout -out ecdsa-p521-public.pem 

Configuration

Environment variable Description Required Default
SJP_LOG_LEVEL Log-Level can be TRACE DEBUG INFO WARN ERROR FATAL or PANIC no INFO
SJP_SERVER_ADDRESS Server-address network-interface to bind on e.g.: '127.0.0.1:8080' no 0.0.0.0:80
SJP_JWT_LIFETIME Lifetime of JWT no 4h
SJP_JWT_PRIVATE_KEY JWT PrivateKey ECDSA512 yes -
SJP_JWT_AUDIENCE Audience private claim which will be applied in each JWT no -
SJP_JWT_ISSUER Issuer private claim which will be applied in each JWT no -
SJP_JWT_SUBJECT Subject private claim which will be applied in each JWT no -
SJP_DB_HOST Database-Host (postgres) yes -
SJP_DB_PORT Database-Port no 5432
SJP_DB_NAME Database-Name no simple-jwt-provider
SJP_DB_USERNAME Database-Username no -
SJP_DB_PASSWORD Database-Password no -
SJP_MIGRATIONS_FOLDER_PATH Database Migrations Folder Path no /db-migrations
SJP_ADMIN_API_ENABLE Enable admin API to manage stored users (true / false) no false
SJP_ADMIN_API_USERNAME Basic Auth Username if enable-admin-api = true yes, when enable-admin-api = true -
SJP_ADMIN_API_PASSWORD Basic Auth Password if enable-admin-api = true when is bcrypted prefix with 'bcrypt:' yes, when enable-admin-api = true -
SJP_MAIL_TEMPLATES_FOLDER_PATH Path to mail-templates folder no /mail-templates
SJP_MAIL_SMTP_HOST SMTP host to connect to yes -
SJP_MAIL_SMTP_PORT SMTP port to connect to no 587
SJP_MAIL_SMTP_USERNAME SMTP username to authorize with yes -
SJP_MAIL_SMTP_PASSWORD SMTP password to authorize with yes -
SJP_MAIL_TLS_INSECURE_SKIP_VERIFY true if certificates should not be verified no false
SJP_MAIL_TLS_SERVER_NAME name of the server who expose the certificate no -

API

POST /v1/auth/login

This endpoint will check the email/password combination and will set the respond with an jwtauthToken if correct:

Request body:

{
  "email": "[email protected]",
  "password": "s3cr3t"
}

Response body (200 - OK):

{
  "access_token": "",
  "refresh_token": ""
}

POST /v1/auth/refresh

This endpoint will return a new access and refresh token. The submitted refresh-token will no longer be valid.

Request body:

{
  "refresh_token": ""
}

Response body (200 - OK):

{
  "access_token": "",
  "refresh_token": ""
}

POST /v1/auth/password-reset-request

This endpoint will trigger a password reset request. The user gets a token per mail. With this token, the password can be reset via POST@/v1/auth/password-reset.

Request body:

{
  "email": "[email protected]"
}

Response (201 - CREATED)

POST /v1/auth/password-reset

This endpoint will reset the password of the given user if the reset-token is valid and matches to the given email.

Request body:

{
  "email": "[email protected]",
  "reset_token": "rAnDoMsHiT456",
  "password": "SeCReT"
}

Response (204 - NO CONTENT)

POST /v1/admin/users

This endpoint will create a new user if admin api auth was successfully:

Request body:

{
  "email": "[email protected]",
  "password": "s3cr3t",
  "claims": {
    "myCustomClaim": "custom claims for jwt and mail templates"
  }
}

Response body (201 - CREATED)

PUT /v1/admin/users/{email}

This endpoint will update the given properties (excluding email) of the user with the given email when the admin api auth was successfully:

Request body:

{
  "password": "n3wS3cr3t",
  "claims": {
    "updatedClaim": "now updated"
  }
}

Response body (200 - NO CONTENT)

{
  "email": "[email protected]",
  "password": "**********",
  "claims": {
    "updatedClaim": "now updated"
  }
}

DELETE /v1/admin/users/{email}

This endpoint will delete the user with the given email when there are no tokens which referred to this user, and the admin api auth was successfully:

Response body (201 - NO CONTENT)

Mail

Mails will be generated based on a set of templates which should be prepared for productive usage.

  • .html represents the html body of the mail and can be templated with html.template syntax (https://golang.org/pkg/html/template/). Available templating arguments listed in detailed template type description.
  • .txt represents the text body of the mail and can be templated with text.template syntax (https://golang.org/pkg/text/template/). Available templating arguments listed in detailed template type description.
  • .yml represents the header of the mail. In this template headers e.g. From, To or Subject can be set text.template syntax (https://golang.org/pkg/text/template/). Available templating arguments listed in detailed template type description.

Password reset request

An example of this mail type can be found in /mail-templates/password-reset-request.*. Available template arguments:

Argument Content Example usage
Recipient Users email address {{.Recipient}}
PasswordResetToken The token which is required to reset the password {{.PasswordResetToken}}
Claims All custom-claims which stored in relation to the user {{if index .Claims "first_name"}}

Development

mocks

Mocks will be generated with github.com/matryer/moq. Execute the following for generation:

go get github.com/matryer/moq
go generate ./...

component tests

Component tests can be executed locally with:

# build simple-jwt-provider from source code
# setup infrastructure
# run all test file with build-tag component in /cmd/provider 
./component-tests.sh
Similar Resources

A simple user identify template with jwt token and gin, toy project

Simple Docs Register url : /api/auth/register param type value name string username password string password mailbox string mailbox response: { "sta

Dec 31, 2021

Backend Development Rest Api Project for book management system. Used Features like redis, jwt token,validation and authorization.

Golang-restapi-project Simple Rest Api Project with Authentication, Autherization,Validation and Connection with redis File Structure ├── cache │ ├──

May 25, 2022

Small Lambda function which performs a Aws:Sts:AssumeRole based on the presented JWT-Token

About This implements a AWS Lambda handler which takes a JWT-Token, validates it and then performs a Aws:Sts:AssumeRole based on preconfigured rules.

Aug 8, 2022

:closed_lock_with_key: Middleware for keeping track of users, login states and permissions

Permissions2 Middleware for keeping track of users, login states and permissions. Online API Documentation godoc.org Features and limitations Uses sec

Dec 31, 2022

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Vouch Proxy An SSO solution for Nginx using the auth_request module. Vouch Proxy can protect all of your websites at once. Vouch Proxy supports many O

Jan 4, 2023

Goauth: Pre-made OAuth/OpenIDConnect and general authorization hooks for webapp login

goauth Pre-made OAuth/OpenIDConnect and general authorization hooks for webapp login. Currently supports Google, Facebook and Microsoft "out of the bo

Jan 28, 2022

Go login handlers for authentication providers (OAuth1, OAuth2)

Go login handlers for authentication providers (OAuth1, OAuth2)

gologin Package gologin provides chainable login http.Handler's for Google, Github, Twitter, Facebook, Bitbucket, Tumblr, or any OAuth1 or OAuth2 auth

Dec 30, 2022

Cache oci login token for kubectl

oci-token-cache Cache oci login token. This command cache oci login token into ~/.oci/token-cache.json and re-use for kubectl. Usage Currently, your ~

Nov 20, 2021

Ginx - Evilginx2 - A man-in-the-middle attack framework used for phishing login credentials along with session cookies

Ginx - Evilginx2 - A man-in-the-middle attack framework used for phishing login credentials along with session cookies

evilginx2 is a man-in-the-middle attack framework used for phishing login creden

Mar 19, 2022
JWT wrapper library which makes it simple to use ECDSA based JWT signing

JWT JWT wrapper library which makes it simple to user ECDSA based JWT signing. Usage package main import ( "context" "github.com/infiniteloopcloud

Feb 10, 2022
Golang based User creation and Management application. GORM, Fiber, JWT

User Creation and Management app (BACK-END) Auth Features: Create Clients (regular password + 6 one-time passwords + (optional) QR code and Secret for

Dec 2, 2022
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, ..
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, ..

loginsrv loginsrv is a standalone minimalistic login server providing a JWT login for multiple login backends. ** Attention: Update to v1.3.0 for Goog

Dec 24, 2022
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd

login-service login-service is a standalone minimalistic login server providing a (JWT)[https://jwt.io/] login for multiple login backends. Abstract l

Feb 12, 2022
Account-jwt-go - Simple JWT api with go, gorm, gin
Account-jwt-go - Simple JWT api with go, gorm, gin

Account JWT on Go Go, gorm, Gin web framework 를 활용하여 만든 간단한 JWT API 입니다. Dajngo의

Apr 14, 2022
Lightweight SSO Login System

login Lightweight SSO Login System Convention Redirect to login.changkun.de?redirect=origin When login success, login.changkun.de will redirect to ori

Sep 29, 2022
Go-gin-jwt - Secure web api using jwt token and caching mechanism

Project Description This project demonstrate how to create api and secure it wit

Jan 27, 2022
Time-Based One-Time Password (TOTP) and HMAC-Based One-Time Password (HOTP) library for Go.

otpgo HMAC-Based and Time-Based One-Time Password (HOTP and TOTP) library for Go. Implements RFC 4226 and RFC 6238. Contents Supported Operations Read

Dec 19, 2022
Krakend-jwt-header-rewriter - Kraken Plugin - JWT Header Rewriter

Kraken Plugin - JWT Header Rewriter 1 Plugin Configuration Name Desciption Defau

Feb 15, 2022
Oct 8, 2022