
Cache package has been moved to libcache repository

Go-Guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.

Overview

Go-Guardian's sole purpose is to authenticate requests, which it does through an extensible set of authentication methods known as strategies.
Go-Guardian does not mount routes or assume any particular database schema, which maximizes flexibility and leaves those decisions to the developer.
The API is simple: you hand go-guardian a request to authenticate, and go-guardian invokes its strategies to authenticate the end user's request.
Strategies provide callbacks for controlling what happens when authentication succeeds or fails.
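The contract just described, as an added example written against the Go standard library only. It is not go-guardian's code: the type and function names (Info, Strategy, BasicStrategy, BearerStrategy, Union, Middleware, NewDemoStrategy) and the sample admin/admin password and bearer token are assumptions made for illustration. It shows the request-in, identity-out shape of a strategy, a union that tries strategies in turn, and the caveat that a credential which was presented and rejected must not fall through to the next strategy:

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Info and Strategy are illustrative stand-ins for go-guardian's auth.Info and auth.Strategy:
// a strategy takes a request and returns the caller's identity or an error.
type Info struct{ ID, Name string }

type Strategy interface {
	Authenticate(ctx context.Context, r *http.Request) (Info, error)
}

var ErrNoCredentials = errors.New("no credentials presented")
var ErrInvalidCredentials = errors.New("invalid credentials")

// BasicStrategy authenticates HTTP Basic credentials through a validator callback.
type BasicStrategy struct {
	Validate func(ctx context.Context, user, pass string) (Info, error)
}

func (b BasicStrategy) Authenticate(ctx context.Context, r *http.Request) (Info, error) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return Info{}, ErrNoCredentials
	}
	return b.Validate(ctx, user, pass)
}

// BearerStrategy resolves an opaque bearer token; only SHA-256 digests are kept, so a leaked table is useless.
type BearerStrategy struct{ Digests map[[32]byte]Info }

func (b BearerStrategy) Authenticate(_ context.Context, r *http.Request) (Info, error) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return Info{}, ErrNoCredentials
	}
	token := strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	if info, ok := b.Digests[sha256.Sum256([]byte(token))]; ok {
		return info, nil
	}
	return Info{}, ErrInvalidCredentials
}

// Union tries strategies in order. Only "nothing presented" falls through; presented-and-rejected fails outright.
type Union []Strategy

func (u Union) Authenticate(ctx context.Context, r *http.Request) (Info, error) {
	for _, s := range u {
		info, err := s.Authenticate(ctx, r)
		if err == nil {
			return info, nil
		}
		if !errors.Is(err, ErrNoCredentials) {
			return Info{}, err
		}
	}
	return Info{}, ErrNoCredentials
}

// Middleware runs a strategy on every request and answers 401 with a challenge when it fails.
func Middleware(s Strategy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := s.Authenticate(r.Context(), r); err != nil {
			w.Header().Set("WWW-Authenticate", `Basic realm="example"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewDemoStrategy wires Bearer then Basic over a constructed sample credential table
// (user admin/admin and one bearer token); a real validator compares against a password hash.
func NewDemoStrategy() Strategy {
	basic := BasicStrategy{Validate: func(_ context.Context, user, pass string) (Info, error) {
		if subtle.ConstantTimeCompare([]byte(user), []byte("admin")) == 1 &&
			subtle.ConstantTimeCompare([]byte(pass), []byte("admin")) == 1 {
			return Info{ID: "1", Name: "admin"}, nil
		}
		return Info{}, ErrInvalidCredentials
	}}
	bearer := BearerStrategy{Digests: map[[32]byte]Info{
		sha256.Sum256([]byte("sample-opaque-token")): {ID: "2", Name: "service"},
	}}
	return Union{bearer, basic}
}

func main() {
	r := httptest.NewRequest("GET", "/", nil)
	r.SetBasicAuth("admin", "admin")
	fmt.Println(NewDemoStrategy().Authenticate(r.Context(), r))
}
```

Because each strategy reports "nothing presented" with one distinguished error, the union can tell it apart from "presented and wrong"; collapsing the two into a single error would let a caller with a bad password silently retry through the next strategy.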

Installing

Using go-guardian is easy. First, use go get to install the latest version of the library.

go get github.com/shaj13/go-guardian/v2

Next, include go-guardian in your application:

import "github.com/shaj13/go-guardian/v2"

Why Go-Guardian?

When building a modern application, you don't want to implement an authentication module from scratch;
you want to focus on building awesome software. go-guardian is here to help with that.

Here are a few bullet point reasons you might like to try it out:

  • provides a simple, clean, and idiomatic API.
  • provides both current and traditional authentication methods.
  • provides two-factor authentication and one-time passwords as defined in RFC-4226 (HOTP) and RFC-6238 (TOTP)
  • provides a mechanism to customize strategies, and even to write a custom strategy

Strategies

Examples

Examples are available on GoDoc or Examples Folder.

Documentation

API docs are available on GoDoc.

Contributing

  1. Fork it
  2. Download your fork to your PC (git clone https://github.com/your_username/go-guardian && cd go-guardian)
  3. Create your feature branch (git checkout -b my-new-feature)
  4. Make changes and add them (git add .)
  5. Commit your changes (git commit -m 'Add some feature')
  6. Push to the branch (git push origin my-new-feature)
  7. Create new pull request

License

Go-Guardian is released under the MIT license. See LICENSE

Comments
  • Feature: Access token, Refresh token, OAuth2

    Hi,

    I am currently using the jwt strategy during development. This works well so far; however, I can see there are some caveats:

    • lifespan must be huge or the user experience will be bad (having to re-log in every x minutes)
    • the JWT could be intercepted by a malicious third party, and this JWT will be usable for probably a long time (the lifespan config value)

    I think creating a new strategy like refreshTokenStrategy will resolve these issues.

    There is a full specification of the OAuth2 here: https://datatracker.ietf.org/doc/html/rfc6749

    Protocol Flow: https://datatracker.ietf.org/doc/html/rfc6749#section-1.2

    What is a refresh token: https://datatracker.ietf.org/doc/html/rfc6749#section-1.5 What is an access token: https://datatracker.ietf.org/doc/html/rfc6749#section-1.4

    Authorization code grant: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1 Resource owner Password credentials grant: https://datatracker.ietf.org/doc/html/rfc6749#section-4.3 (case we want to auth a microservice for example)

    I could keep linking all the docs, but I think this isn't necessary as someone made a great OAuth server implementation here: https://github.com/go-oauth2/oauth2

    My point is: could we create an oauth strategy based on the OAuth server implementation that go-oauth2 made?
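The design the comment above is asking for, as an added example that is not go-guardian's code and not an OAuth2 server: a store that issues a short-lived access token together with a single-use refresh token, rotates the refresh token on every use, and revokes the whole session family when a consumed refresh token is presented again. All names (TokenStore, TokenPair, Issue, Refresh, Authenticate) are chosen here; tokens are opaque random strings rather than JWTs so the rotation logic stays in view, and the reuse detection follows the rotation practice recommended for public clients in the OAuth 2.0 Security Best Current Practice rather than anything RFC 6749 itself requires:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrInvalidToken = errors.New("invalid or expired token")
var ErrReuseDetected = errors.New("refresh token reuse detected; session family revoked")

// record is stored under the SHA-256 digest of a token; Used is only meaningful for refresh tokens.
type record struct {
	UserID, Family string
	Expires        time.Time
	Used           bool
}

// TokenPair is what the client receives: a short-lived access token and a single-use refresh token.
type TokenPair struct {
	Access, Refresh string
	AccessExpires   time.Time
}

// TokenStore keeps only token digests, so a dumped store cannot be replayed against the API.
type TokenStore struct {
	mu                    sync.Mutex
	access, refresh       map[[32]byte]*record
	revoked               map[string]bool // session families killed after reuse
	accessTTL, refreshTTL time.Duration
	now                   func() time.Time // injectable clock; time.Now in production
}

func NewTokenStore(accessTTL, refreshTTL time.Duration, now func() time.Time) *TokenStore {
	return &TokenStore{access: map[[32]byte]*record{}, refresh: map[[32]byte]*record{},
		revoked: map[string]bool{}, accessTTL: accessTTL, refreshTTL: refreshTTL, now: now}
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func digest(tok string) [32]byte { return sha256.Sum256([]byte(tok)) }

// Issue starts a new session family once the user has authenticated by other means (password, OTP, ...).
func (s *TokenStore) Issue(userID string) TokenPair {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issue(userID, newToken())
}

func (s *TokenStore) issue(userID, family string) TokenPair {
	now := s.now()
	p := TokenPair{Access: newToken(), Refresh: newToken(), AccessExpires: now.Add(s.accessTTL)}
	s.access[digest(p.Access)] = &record{UserID: userID, Family: family, Expires: p.AccessExpires}
	s.refresh[digest(p.Refresh)] = &record{UserID: userID, Family: family, Expires: now.Add(s.refreshTTL)}
	return p
}

// Refresh consumes the presented refresh token and returns a fresh pair. A token that was already
// consumed means two parties hold it (the client and whoever intercepted it), so the whole family,
// live access tokens included, is revoked rather than guessing which party is legitimate.
func (s *TokenStore) Refresh(refreshToken string) (TokenPair, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.refresh[digest(refreshToken)]
	if !ok {
		return TokenPair{}, ErrInvalidToken
	}
	if rec.Used || s.revoked[rec.Family] {
		s.revoked[rec.Family] = true
		return TokenPair{}, ErrReuseDetected
	}
	if s.now().After(rec.Expires) {
		return TokenPair{}, ErrInvalidToken
	}
	rec.Used = true
	return s.issue(rec.UserID, rec.Family), nil
}

// Authenticate resolves an access token to a user id; expiry and family revocation both apply.
func (s *TokenStore) Authenticate(accessToken string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.access[digest(accessToken)]
	if !ok || s.now().After(rec.Expires) || s.revoked[rec.Family] {
		return "", ErrInvalidToken
	}
	return rec.UserID, nil
}

func main() {
	store := NewTokenStore(5*time.Minute, 24*time.Hour, time.Now)
	p := store.Issue("1")
	_, err := store.Refresh(p.Refresh)   // rotates
	_, again := store.Refresh(p.Refresh) // second use of the same token
	fmt.Println(err, again)
}
```

The short access-token lifetime bounds what a stolen bearer can do, and rotation bounds what a stolen refresh token can do: whichever of the legitimate client or the interceptor presents the old refresh token second trips the reuse check, and both lose the session, which is the intended outcome.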

  • LDAPS Schema does not work with 389 + Start TLS Server

    What version of Go are you using (go version)?

    $ go version 1.17
    
    

    Does this issue reproduce with the latest release?

    yes

    What version of Go-Guardian are you using ?

    Go-Guardian Version: 2.11.4
    

    What did you do?

    I configured ldap against a server that has port 636 "ldaps" disabled, and only uses StartTLS on port 389.

    What did you expect to see?

    I expected to connect and authenticate with ldap credentials

    What did you see instead?

    "Network Error": read tcp x.x.x.x:60677->x.x.x.x:389: read: connection reset by peer

    I believe this should still be scheme ldap, and ldaps should be used against an LDAP server with SSL enabled on port 636.

    This would remediate the issue:

    diff --git a/auth/strategies/ldap/ldap.go b/auth/strategies/ldap/ldap.go
    index ec9b920..cc00906 100644
    --- a/auth/strategies/ldap/ldap.go
    +++ b/auth/strategies/ldap/ldap.go
    @@ -56,10 +56,13 @@ func dial(cfg *Config) (conn, error) {
     	opts := []ldap.DialOpt{}
     
     	if cfg.TLS != nil {
    -		scheme = "ldaps"
     		opts = append(opts, ldap.DialWithTLSConfig(cfg.TLS))
     	}
     
    +  if cfg.Port == "636" {
    +    scheme = "ldaps"
    +  }
    +
     	addr := fmt.Sprintf("%s://%s:%s", scheme, cfg.Host, cfg.Port)
     	return ldap.DialURL(addr, opts...)
     }
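Review bot: with the `if cfg.Port == "636"` block, `cfg.TLS` is still passed through `ldap.DialWithTLSConfig(cfg.TLS)` on a plain `ldap://` URL, and nothing in the hunk starts a TLS exchange after `ldap.DialURL`, so a caller who set `cfg.TLS` for a Start TLS server on 389 may end up binding in cleartext; either issue StartTLS with `cfg.TLS` when the scheme stays `ldap`, or make the mode explicit so the strategy never silently downgrades. Keying the scheme on the literal port `"636"` also breaks LDAPS on any other port; a dedicated config field (a StartTLS flag, name as a suggestion) is a safer selector than the port number. Style: the inserted lines are space-indented while the surrounding function uses tabs, so gofmt would reindent them.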
    
    
  • starttls on 389 requires ldap scheme

    Hello!

    Using the ldaps scheme against an LDAP server running on port 389, with StartTLS, will result in a "Network Error": read tcp x.x.x.x:60677->x.x.x.x:389: read: connection reset by peer error

    I believe this should still be scheme ldap, and ldaps should be used against an LDAP server with SSL enabled on port 636.

  • Rotated secrets always triggers a new secret to be generated

    What version of Go are you using (go version)?

    $ go version
    1.16
    

    Does this issue reproduce with the latest release?

    Yes

    What version of Go-Guardian are you using ?

    Go-Guardian Version: 
    v2.11.3
    

    What did you do?

    Trying to get rotated secrets working and have been looking at https://play.golang.org/p/5N-5fWa0mfN (posted by @shaj13) for some help. This is also found somewhere in the examples but can't find it right now.

    The issue is that jwt.SecretsKeeper's methods Get and KID don't use pointer receivers in their signatures, so the change to r.LastRotation in KID is not saved to the keeper struct.

    For example this func (r RotatedSecrets) KID() string should be this func (r *RotatedSecrets) KID() string?

    What did you expect to see?

    That time.Now().After(r.LastRotation) would be false if within specified rotation duration.

    What did you see instead?

    That time.Now().After(r.LastRotation) is always true as r.LastRotation is always 0.
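The pointer-receiver fix the comment proposes, carried through as an added example; it is not go-guardian's jwt.SecretsKeeper. The method names KID and Get follow the issue, but the Get signature, the keyEntry type, Rotations and the injectable Now clock are simplifications chosen here. The keeper also retains the previous secret so tokens signed just before a rotation still verify, and retires anything older:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrUnknownKID = errors.New("unknown or retired key id")

type keyEntry struct {
	KID    string
	Secret []byte
}

// RotatedSecrets rotates an HMAC secret on a schedule and keeps the previous one so tokens issued
// just before a rotation still verify. Every method has a pointer receiver: with a value receiver,
// as in the issue, KID() would update LastRotation on a copy, the stored value would stay zero, and
// "rotation due" would be true on every call.
type RotatedSecrets struct {
	mu           sync.Mutex
	Every        time.Duration
	Now          func() time.Time // injectable clock; time.Now in production
	LastRotation time.Time
	current      keyEntry
	previous     keyEntry
	rotations    int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// rotateIfDue must be called with mu held.
func (r *RotatedSecrets) rotateIfDue() {
	if r.current.Secret != nil && r.Now().Before(r.LastRotation.Add(r.Every)) {
		return
	}
	r.previous = r.current
	// The kid is random and independent of the secret, so it leaks nothing about the key material.
	r.current = keyEntry{KID: hex.EncodeToString(randomBytes(8)), Secret: randomBytes(32)}
	r.LastRotation = r.Now()
	r.rotations++
}

// KID returns the id of the key new tokens should be signed with, rotating first when the period elapsed.
func (r *RotatedSecrets) KID() string {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.rotateIfDue()
	return r.current.KID
}

// Get resolves a kid carried in a token header to its secret: current or previous only; anything
// older has been retired and such tokens must be re-issued.
func (r *RotatedSecrets) Get(kid string) ([]byte, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.rotateIfDue()
	switch kid {
	case r.current.KID:
		return r.current.Secret, nil
	case r.previous.KID:
		if r.previous.Secret != nil {
			return r.previous.Secret, nil
		}
	}
	return nil, ErrUnknownKID
}

// Rotations reports how many times a secret has been generated (useful for tests and metrics).
func (r *RotatedSecrets) Rotations() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.rotations
}

func main() {
	keeper := &RotatedSecrets{Every: time.Hour, Now: time.Now}
	fmt.Println(keeper.KID() == keeper.KID(), keeper.Rotations())
}
```

Two calls to KID() inside one rotation period return the same id and leave Rotations() at 1; that is the observable difference from the value-receiver version in the issue, where every call generated a fresh secret and invalidated every token in flight.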

  • organize basic and token examples

    What did you expect to see?

    token and basic example

    What did you see instead?

    https://github.com/shaj13/go-guardian/tree/master/_examples/basic_bearer

    TODO

    split the basic_bearer to basic and token. the token example can use the basic similar to jwt example

  • Password included in token from jwt strategy example

    What version of Go are you using (go version)?

    $ go version
    1.16
    

    Does this issue reproduce with the latest release?

    Yes

    What version of Go-Guardian are you using ?

    Go-Guardian Version: 
    v2.11.2
    

    What did you do?

    Run the jwt token example in the repo with basic login.

    What did you expect to see?

    A token without password.

    What did you see instead?

    The password included in plain text in the payload of the token:

    {
      "Extensions": {
        "x-go-guardian-basic-password": [
          "admin"
        ]
      },
      "Groups": null,
      "ID": "1",
      "Name": "admin",
      "aud": [
        ""
      ],
      "exp": 1615318474,
      "iat": 1615318174,
      "nbf": 1615318174,
      "sub": "1"
    }
    
  • jwt Example doesn't return a token

    What version of Go are you using (go version)?

    1.13

    Does this issue reproduce with the latest release?

    yes

    What version of Go-Guardian are you using?

    latest

    What did you do?

    https://play.golang.org/p/NlbR34g1GRM I just ran the jwt example

    What did you expect to see?

    I expect to get a token in the response

    What did you see instead?

    token:  
    ➜  ~ curl  -k http://127.0.0.1:8080/v1/book/1449311601 -u admin:admin
    Author: Ryan Boyd 
    ➜  ~ curl  -k http://127.0.0.1:8080/v1/auth/token -u admin:admin
    token:  
    ➜  ~ 
    

    Token is empty

  • Question: How to achieve digest auth that survives after service restarts.

    I'm using Digest strategy and works fine until I restart my service. Chrome re-challenges user to give creds again. Strategy returns: userInfo = nil, err = Invalid Response to all web requests. I'm using FIFO lib cache FWIW.

    Do I need to implement my own cache implementation that stores values on disk to survive restarts?

    I'm trying to replace nginx reverse proxy and this doesn't happen w/nginx so this is a loss in functionality as well and user issue.

  • Congratulations and question

    If someone asks you how this project differs from https://github.com/volatiletech/authboss, what would you answer?

    Thanks for your amazing commitment! ❤️

  • Consider changing ID() method in auth.Info interface to UserID()?

    I was trying to use this library in my project and ran into a naming collision of sorts. I have a few GORM models including a base Model and a User model. Model includes a few fields that get used in all of my other models, such as ID, created at, updated at, etc. My other models then have something like this.

    type User struct {
        Model
    
        Email string
        HashedPassword []byte
    }
    

    What seemed appropriate to do at the time was add the functions from your auth.Info interface to my User model so that I could just pass my User into functions like Append, for example, or return my User model instead of a DefaultUser instance from my validateLogin function. That part works perfectly, but it came with other compromises.

    One of the functions in the auth.Info interface is ID(). One of my fields in my base Model (and by extension my User model and indeed all my models) is also ID. Obviously I can change the name of the field, and that's what I've done for now, but I either name it Id which works but causes go-lint to yell at me, or name it something like ModelID which just feels... weird. I could also not use the base Model in my User model and manually add the necessary fields from the base Model, naming the id field UserID in the process, but that creates code duplication and means if I have to add to or edit the base Model I also most likely have to edit the User model. Not too big of a deal but a bit of a code smell.

    What I would like to propose is renaming the ID() method on the auth.Info interface to UserID(), as it not only avoids this issue but also makes it match better with the UserName() method. Of course if you're privy to information that I'm not on why that wouldn't work I absolutely understand, and I can work around the issue with either one of the methods I described above or writing some functions to convert my User models to DefaultUser instances, but I figured it was worth having the discussion.

  • Is cache implementation thread-safe?

    I noticed that shaj13/libcache's documentation says that lru.New() initializes a non-thread safe cache (https://github.com/shaj13/libcache/blob/master/lru/lru.go#L15) and I couldn't find any code to handle thread safety in go-guardian so I'm wondering, is go-guardian thread-safe? Can it be used in the request path of a go web server safely?

  • Feature: implement opaque token revocation


  • Issue with example directory

    What version of Go are you using (go version)?

    $ go version
    go version go1.18.3 linux/amd64
    

    Does this issue reproduce with the latest release?

    Yes

    What version of Go-Guardian are you using ?

    Go-Guardian Version:  v2.11.5
    Libcache Version: v1.0.5
    

    What did you do?

    Hello, I just want to follow the jwt example https://github.com/shaj13/go-guardian/blob/master/_examples/jwt/main.go, but the function RegisterOnExpired was deprecated and no longer works. Can you update the example directory in this repo?

    What did you expect to see?

    The program init and run

    What did you see instead?

    $> go run ./...
    panic: RegisterOnExpired no longer available
    
    goroutine 1 [running]:
    github.com/shaj13/libcache/internal.(*Cache).RegisterOnExpired(0x18?, 0x7c80a0?)
    	/home/xxx/go/pkg/mod/github.com/shaj13/libcache@v1.0.5/internal/cache.go:379 +0x27
    github.com/shaj13/libcache.(*cache).RegisterOnExpired(0xc00009e120, 0x6?)
    	/home/xxx/go/pkg/mod/github.com/shaj13/libcache@v1.0.5/cache.go:245 +0x56
    main.setupGoGuardianJWT()
    	/home/xxx/go/src/gitlab.com/xxx/my-project/cmd/go-guardian-jwt.go:33 +0x17d
    main.main()
    	/home/xxx/go/src/gitlab.com/xxx/my-project/cmd/main.go:20 +0x1d
    exit status 2
    
    
  • Authenticate username, password passed from frontend

    Hi, I would like to ask how to use authenticator to verify username/pass instead of request

    Here is the authenticator from the go guardian package

    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        log.Println("Executing Auth Middleware")
        for k, v := range r.URL.Query() {
            log.Printf("%s: %s\n", k, v)
        }
        user, err := authenticator.Authenticate(r)
    

    What I want to do is to check the user by checking the username/password passed from the frontend form, like:

    func SetupGoGuardian(u, p string) (*authentication.User, error) {
        // u here is username from form
        // p here is password from form
        log.Printf("User username %s", u)
        cfg := &ldap.Config{
            Port:         "389",
            Host:         "ldapadmin.test",
            BindDN:       "cn=admin,dc=ldapadmin,dc=test",
            BindPassword: "root",
            BaseDN:       "dc=ldapadmin, dc=test",
            Filter:       "(uid=%s)",
        }
        authenticator = auth.New()
        cache = store.NewFIFO(context.Background(), time.Minute*10)
        strategy := ldap.NewCached(cfg, cache)
        authenticator.EnableStrategy(ldap.StrategyKey, strategy)
        user, err := authenticator.Authenticate(u, p) // this is what I want: check my username/password
        if err != nil {
            return nil, err
        }
        return user, nil // you are now allowed
    }
    

    Any ideas ?

  • Feature: ldap strategy collect user group

    Context: the LDAP strategy does not fetch user groups; it only fills the user info, and the rest of the data is mapped to extensions.

    Tasks:

    • update LDAP strategy to fetch user groups
    • Test changes