stdwebauthn

package
v0.0.124
Published: May 16, 2025 License: MIT Imports: 23 Imported by: 0

README

stdwebauthn

Example id tokens from providers

Note 1: LinkedIn does not support "public" subject identifiers, so if we need to rotate the LinkedIn OIDC client_id/secret, all our identities will change. This makes it even more important that account (re)linking works well: when this happens, all users logging in via LinkedIn should be able to link to their old profile.

Note 2: We need to turn the id token claims into a reliable identifier for our user. This identifier needs to be unique for the user and be immutable. It should also give the same value even if the client_id/client_secret are switched out or rotated.

Note 3: On the EmailVerified field (typed as any, JSON claim "email_verified"): Google encodes this as a bool, LinkedIn as a string, and Microsoft does not return it at all (https://learn.microsoft.com/en-us/answers/questions/812672/microsoft-openid-connect-getting-verified-email). There is some discussion about this here: https://github.com/ory/kratos/pull/433. It seems common that for some providers the "email_verified" status is not trusted and is treated more as a "hint" anyway: https://github.com/IQSS/dataverse/issues/6679, https://github.com/keycloak/keycloak/discussions/8622. It seems to be OK to use this for sending transactional/marketing email, but not for authentication decisions such as account linking.

Microsoft

    app 1: Sterndesk (Staging)
    {
        "ver": "2.0",
        "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
        "sub": "AAAAAAAAAAAAAAAAAAAAAJh6IifS_sEmInqbacAe5gw",
        "aud": "cdf06d77-368a-41fa-a66e-78410c60dcd7",
        "exp": 1747311281,
        "iat": 1747224581,
        "nbf": 1747224581,
        "name": "Ad van der Veer",
        "preferred_username": "advanderveer@gmail.com",
        "oid": "00000000-0000-0000-d856-474049a1aad0",
        "email": "advanderveer@gmail.com",
        "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
        "aio": "DnID4Chz!...*SvfniVhgJT22FEK0ZEWJkKdbOR"
    }

    app 2: Sterndesk
    {
        "ver": "2.0",
        "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
        "sub": "AAAAAAAAAAAAAAAAAAAAAC86BKg0Et16-VMCPEC8N0U",
        "aud": "7972410d-c841-4c82-a872-73afde4d3ef2",
        "exp": 1747311968,
        "iat": 1747225268,
        "nbf": 1747225268,
        "name": "Ad van der Veer",
        "preferred_username": "advanderveer@gmail.com",
        "oid": "00000000-0000-0000-d856-474049a1aad0",
        "email": "advanderveer@gmail.com",
        "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
        "aio": "DqnTG4fY1G2aCMh!E6GAHPF8CVJ....3G0xrb5jjSy0J8jDr2o95Kafjc"
    }

LinkedIn

    app 1: Sterndesk (Staging)
    {
        "iss": "https://www.linkedin.com/oauth",
        "aud": "78mzfmuak6gfvj",
        "iat": 1747227271,
        "exp": 1747230871,
        "sub": "-oQzDrUKmr",
        "name": "Adam van der Veer",
        "given_name": "Adam",
        "family_name": "van der Veer",
        "picture": "https://media.lic,..t=5G95B3nCwQnrV4BCmRAWHt_7eZMx08jC_iq4tuEbqyc",
        "email": "advanderveer@gmail.com",
        "email_verified": "true",
        "locale": "en_US"
    }

    app 2: Sterndesk
    {
        "iss": "https://www.linkedin.com/oauth",
        "aud": "78nwvm0xvt7t0z",
        "iat": 1747227710,
        "exp": 1747231310,
        "sub": "cq7p3geg8a",
        "name": "Adam van der Veer",
        "given_name": "Adam",
        "family_name": "van der Veer",
        "picture": "https://media.licdn.co...5G95B3nCwQnrV4BCmRAWHt_7eZMx08jC_iq4tuEbqyc",
        "email": "advanderveer@gmail.com",
        "email_verified": "true",
        "locale": "en_US"
    }
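The two decisions the notes above describe, as an added Go example that is not part of the stdwebauthn package: the Microsoft tokens share an "oid" while their "sub" differs per app, so tid+oid is the rotation-proof identifier; LinkedIn only offers a per-app "sub"; and "email_verified" arrives as bool, string or not at all. The Claims type, the function names and the Google issuer used in the test are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of id token claims used to derive a user identifier. EmailVerified
// is `any` because Google sends a bool, LinkedIn the string "true", and Microsoft omits it.
type Claims struct {
	Iss           string `json:"iss"`
	Sub           string `json:"sub"`
	OID           string `json:"oid"` // Microsoft object id: same across app registrations
	TID           string `json:"tid"` // Microsoft tenant id
	EmailVerified any    `json:"email_verified"`
}

// ParseClaims decodes an id token payload whose signature was already verified upstream.
func ParseClaims(payload string) (Claims, error) {
	var c Claims
	return c, json.Unmarshal([]byte(payload), &c)
}

// StableID derives an identifier meant to survive client_id/secret rotation. Microsoft's
// "sub" is pair-wise per app, so tid+oid is used instead. LinkedIn only issues per-app "sub"
// values, so issuer+sub is the best available and it will change on rotation (see Note 1).
func StableID(c Claims) (string, error) {
	switch {
	case c.Iss == "https://www.linkedin.com/oauth" && c.Sub != "":
		return "linkedin:" + c.Sub, nil
	case strings.HasPrefix(c.Iss, "https://login.microsoftonline.com/") && c.TID != "" && c.OID != "":
		return "microsoft:" + c.TID + ":" + c.OID, nil
	}
	return "", fmt.Errorf("no stable identifier in token from issuer %q", c.Iss)
}

// EmailVerifiedHint normalizes the encodings into a tri-state: known is false when the claim
// is absent or has an unexpected type. Use it as a hint for sending mail, never for linking.
func EmailVerifiedHint(c Claims) (verified, known bool) {
	switch v := c.EmailVerified.(type) {
	case bool:
		return v, true
	case string:
		return strings.EqualFold(v, "true"), true
	}
	return false, false
}
```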

Documentation

Overview

Package stdwebauthn provides web client authentication.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsAnonymous

func IsAnonymous(idn Identity) bool

func Provide

func Provide() fx.Option

Provide the components.

func WithIdentity

func WithIdentity(ctx context.Context, idn Identity) context.Context

Types

type Anonymous

type Anonymous struct{}

Anonymous represents an identity that is not authenticated. We do not know who this is.

func (Anonymous) MarshalJSON

func (idn Anonymous) MarshalJSON() ([]byte, error)

func (Anonymous) String

func (idn Anonymous) String() string

func (Anonymous) UnmarshalJSON

func (idn Anonymous) UnmarshalJSON([]byte) error

type Authenticated

type Authenticated struct {
	// contains filtered or unexported fields
}

Authenticated represents an authenticated identity. We know who this is.

func NewAuthenticated

func NewAuthenticated(id string, email string) Authenticated

func (Authenticated) Email

func (idn Authenticated) Email() string

func (Authenticated) ID

func (idn Authenticated) ID() string

func (Authenticated) MarshalJSON

func (idn Authenticated) MarshalJSON() ([]byte, error)

func (Authenticated) String

func (idn Authenticated) String() string

func (*Authenticated) UnmarshalJSON

func (idn *Authenticated) UnmarshalJSON(data []byte) error

type Authentication

type Authentication struct {
	// contains filtered or unexported fields
}

Authentication provides authentication of web clients.

func (*Authentication) Callback

Callback implements the return of the client from the provider.

func (*Authentication) Login

Login implements the start of the authentication flow.

func (*Authentication) Logout

func (*Authentication) SessionMiddleware

func (a *Authentication) SessionMiddleware() bhttp.Middleware

SessionMiddleware provides the middleware that reads the session information for every request that passes through the server.

type Backend

type Backend interface {
	AuthenticateCode(
		ctx context.Context,
		provider Provider,
		code string,
	) (Identity, error)
}

Backend implements an authentication backend.

func NewFixedIdentityBackend

func NewFixedIdentityBackend(idn Identity) Backend

type Config

type Config struct {
	// configure which social providers are enabled.
	EnabledProviders []string `env:"ENABLED_PROVIDERS"`
	// configure the exterior url clients will be re-directed back to.
	BaseCallbackURL string `env:"BASE_CALLBACK_URL,required"`
	// SessionKeyPairs configures the keys used for signing and encrypting the session cookies.
	SessionKeyPairs []stdenvcfg.HexBytes `env:"SESSION_KEY_PAIRS"`
	// the max age of the session cookie, in seconds. Defaults to a year.
	SessionDefaultMaxAgeSeconds int64 `env:"SESSION_DEFAULT_MAX_AGE_SECONDS" envDefault:"31556926"`

	// how long the session that keeps state between login and callback remains valid.
	StateMaxAgeSeconds int `env:"STATE_MAX_AGE_SECONDS" envDefault:"3600"`
	// name of the cookie used to keep the auth (flow) state from login to callback.
	StateCookieName string `env:"STATE_COOKIE_NAME" envDefault:"AUTHSTATE"`
	// name of the cookie used to keep the user's session between requests.
	SessionCookieName string `env:"SESSION_COOKIE_NAME" envDefault:"AUTHSESS"`
	// white list of hosts where the backend will redirect to.
	AllowedRedirectHosts []string `env:"ALLOWED_REDIRECT_HOSTS"`

	// configuration for each supported social provider.
	Google    providerConfig `envPrefix:"GOOGLE_"`
	LinkedIn  providerConfig `envPrefix:"LINKEDIN_"`
	Microsoft providerConfig `envPrefix:"MICROSOFT_"`
}

Config configures the package's components.

type Identity

type Identity interface {
	fmt.Stringer
	// contains filtered or unexported methods
}

func IdentityFromContext

func IdentityFromContext(ctx context.Context) Identity

type Params

type Params struct {
	fx.In
	fx.Lifecycle
	Config
	Backend `optional:"true"`
}

Params are the inputs into our component.

type Provider

type Provider interface {
	Kind() ProviderKind
	OAuth() *oauth2.Config
	OIDC() *oidc.Provider
}

Provider describes a social login provider: its kind and its OAuth2 and OIDC configuration.

type ProviderKind

type ProviderKind int
const (
	ProviderKindUnknown ProviderKind = iota
	ProviderKindLinkedIn
	ProviderKindGoogle
	ProviderKindMicrosoft
)

func (ProviderKind) String

func (pk ProviderKind) String() string

type Result

type Result struct {
	fx.Out
	*Authentication
}

Result from our component.

func New

func New(params Params) (res Result, err error)

New inits the auth component.
