This package can be used when developing an OAuth2 provider. Currently, it can create tokens signed with the HMAC or RSA signing methods, and it provides built-in endpoint wrappers that return OAuth2 tokens.

NOTE: Only the Resource Owner Password Credential grant has been implemented so far.
- Initialize key manager

The following example is for an HMAC-signed key. The first step is to initialize a key manager and add a key:

```go
keyManager := manager.NewHSKeyManager()
keyManager.AddKey("key1", "thesecret")
```

- Set up token storage
Then define and create a token store. The package includes an in-memory store as an example; refer to store/memory_store.go for the implementation and to example.go for an example of how to use it. The store directory also contains instructions on how to create a Postgres store.

```go
s := new(store.MemoryTokenStore)
if err := s.CreateStore(ctx); err != nil {
	log.Fatal(err)
}
```

You can implement your own token storage, but it must implement the TokenStore interface:
```go
type TokenStore interface {
	CreateStore(ctx context.Context) error
	StoreToken(ctx context.Context, tokenInfo *TokenInfo) error
	GetTokenInfo(ctx context.Context, resourceOwnerId string) (*TokenInfo, error)
	UpdateTokenInfo(ctx context.Context, resourceOwnerId string, accessToken string, idToken string) error
	CloseConnection() error
}
```

- Set the options for the auth server
```go
serverOptions := &options.AuthOptions{
	Validity: v,
	Store:    s,
}
```

- Create the server object
Then we can initialize the OAuth server with the key id, the key manager and the options:

```go
oauthServer := server.NewOAuthServer("key1", keyManager, serverOptions)
```

- Define the endpoint
Then we can register the password grant endpoint like this:

```go
http.HandleFunc(
	"POST /oauth2/token",
	oauthServer.ResourceOwnerPasswordCredential(
		func(r *http.Request, opt *options.AuthOptions) *server.CallbackError {
			username := r.FormValue("username")
			password := r.FormValue("password")
			// verify the credentials here
			fmt.Printf("do something with %s and %s\n", username, password)
			return nil
		}))
```

By default, the username is used as the sub claim, and the application using this package is the iss.
By default, the access token expires in 10 minutes and the refresh token in 1 hour. A refresh token is generated by default. If you want to disable the refresh token, set the validity without a refresh token expiry time, like this:

```go
v := &accessor.Validity{
	AccessExpiresIn: 15 * 60, // 15 minutes
	// RefreshExpiresIn: 30 * 60, // commented out to show this is not being used
}
```

Since the id token depends on a lot of application data, it is left to the consumer to configure it in the endpoint's callback function:
```go
http.HandleFunc(
	"POST /oauth2/token",
	oauthServer.ResourceOwnerPasswordCredential(
		func(r *http.Request, opt *options.AuthOptions) *server.CallbackError {
			username := r.FormValue("username")
			password := r.FormValue("password")
			// verify the credentials here
			fmt.Printf("do something with %s and %s\n", username, password)
			// Add the id token claims here
			givenName := "User"
			familyName := "One"
			idTokenClaims := &claims.JWTIdClaims{
				Name:       givenName + " " + familyName,
				GivenName:  givenName,
				FamilyName: familyName,
				Email:      username,
			}
			opt.AddIdTokenClaims(idTokenClaims)
			return nil
		}))
```

Take a look at the example.go file for a detailed server setup with cookie-based authentication.
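To make concrete what the HMAC signing method, the key id passed to NewOAuthServer and the Validity seconds amount to on the wire, here is an added, self-contained example that is not part of this package: a minimal HS256 signer and verifier in which a hypothetical `keys` map stands in for the key manager, the username becomes `sub`, and `exp` is derived from an access validity in seconds. The verifier shows the order of checks a resource server needs: pin the algorithm, look the key up by kid, compare the MAC in constant time before trusting the payload, then check expiry.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Hypothetical key set keyed by key id, mirroring keyManager.AddKey("key1", "thesecret").
var keys = map[string][]byte{"key1": []byte("thesecret")}
var b64 = base64.RawURLEncoding

// Minimal claim set: iss is the application, sub the username, exp a unix timestamp.
type Claims struct { Iss string `json:"iss"`; Sub string `json:"sub"`; Exp int64 `json:"exp"` }

func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 emits header.payload.signature; the header carries the key id and
// exp is now + accessExpiresIn seconds, matching Validity.AccessExpiresIn above.
func SignHS256(kid, iss, sub string, accessExpiresIn int64, now time.Time) (string, error) {
	key, ok := keys[kid]
	if !ok { return "", errors.New("unknown kid") }
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(Claims{Iss: iss, Sub: sub, Exp: now.Unix() + accessExpiresIn})
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return in + "." + b64.EncodeToString(hs256(key, in)), nil
}

// VerifyHS256 pins the algorithm, looks the key up by kid, compares the MAC in
// constant time, and only then decodes the payload and checks exp.
func VerifyHS256(token string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil { return nil, errors.New("bad header") }
	key, ok := keys[hdr.Kid]
	if hdr.Alg != "HS256" || !ok { return nil, errors.New("unsupported alg or unknown kid") }
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, hs256(key, p[0]+"."+p[1])) { return nil, errors.New("bad signature") }
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil { return nil, errors.New("bad payload") }
	if now.Unix() >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}
```

The shared secret is only ever looked up by the kid the verifier itself resolves, so a token naming an unknown key or a different algorithm is rejected before any claim is read.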