Package oidcauth is an authentication middleware for web applications and HTTP APIs which uses an external OpenID Connect identity provider (IdP) for user storage and authentication.

quasoft/oidcauth


oidcauth

Package oidcauth is an authentication middleware for web applications and microservices, which uses an external OpenID Connect identity provider (IdP) for user storage and authentication.

The library is configurable, except for some choices that have been pre-made on purpose:

  • Supports only the authorization code flow of OAuth2, which makes it suitable for multi-page web apps. If you are creating a SPA, the implicit flow might be a better choice for your project.
  • Uses secure cookies to pass session IDs back and forth between the browser and the app. Session management is handled by gorilla/sessions, so you can choose where to store the session data by using any of its many available implementations (e.g. CookieStore, RedisStore, DynamoStore, etc.).
  • Authenticated handlers verify same origin with standard headers ("Origin" and "Referer") and block potential CSRF requests. If neither the Origin nor the Referer header is present, the request is blocked. An exception is made for GET and OPTIONS requests, which are always allowed. Additionally, the "Access-Control-Allow-Origin" header is added to responses to indicate the allowed origin. The list of allowed origins must be specified in the configuration object (usually only the domain of your own app and the domain of the IdP). Use of origin "*" is not allowed.
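
The same-origin rule from the last bullet, written out as an added Go example; it is not oidcauth's own code. `newOriginCheck`, `status` and the `example.com` origins are hypothetical, and echoing the matched origin in `Access-Control-Allow-Origin` is an assumption about how the allowed origin is indicated.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// newOriginCheck (hypothetical, not oidcauth's API) applies the rules above.
func newOriginCheck(allowed []string, next http.Handler) (http.Handler, error) {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		if o == "*" || o == "" {
			return nil, errors.New("allowed origins must be explicit")
		}
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		src := r.Header.Get("Origin")
		if u, err := url.Parse(r.Header.Get("Referer")); src == "" && err == nil && u.Host != "" {
			src = u.Scheme + "://" + u.Host // no Origin: use the Referer's origin
		}
		// GET and OPTIONS always pass; with neither header src stays "" and blocks.
		if r.Method != http.MethodGet && r.Method != http.MethodOptions && !set[src] {
			http.Error(w, "cross-origin request blocked", http.StatusForbidden)
			return
		}
		if set[src] { // assumption: echo the matching origin, never a wildcard
			w.Header().Set("Access-Control-Allow-Origin", src)
		}
		next.ServeHTTP(w, r)
	}), nil
}

// status sends one constructed request through h and returns the response code.
func status(h http.Handler, method string, hdr http.Header) int {
	req := httptest.NewRequest(method, "https://app.example.com/transfer", nil)
	req.Header = hdr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h, _ := newOriginCheck([]string{"https://app.example.com"}, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	fmt.Println(status(h, "POST", http.Header{"Origin": {"https://evil.example"}})) // 403
}
```

Allowed origins are compared as exact `scheme://host[:port]` strings, so an entry must match what the browser sends, including any non-default port.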

Suitability:

Can be used as authentication middleware for (see examples):

  • Standard multi-page web application
  • Complex web application that acts as a gateway between the browser and several microservices (APIs) by passing the access token acquired during the authentication phase down to the microservices.

What oidcauth is currently not

  • oidcauth currently does not contain authorization functionality. Applications can build simple authorization on top of it by leveraging the session data (user ID and claims).

Tested for compatibility with:

Dependencies:

TODO:

  • Add authorization support.
