OAuth2 Golang Tutorial

polaris · · 3753 views
This is a resource shared on an unspecified date; the information in it may have since evolved or changed.
<p>I'm pretty new to both REST APIs and OAuth. I'm trying to make a mobile app which will require authentication (Facebook and custom for now). I read that basic auth is not secure for web/mobile apps. People suggest using <a href="https://godoc.org/golang.org/x/oauth2">OAuth2</a>. I don't want to get lost in documents for a week. Is there a good tutorial which I can use to implement this feature for my database, REST API and client?</p>
<p>PS: I'll host my server on AWS, not App Engine</p>
<hr/>**Comments:**<br/><br/>

gogroob: <pre><p>I'm not sure if there's a good tutorial, but I was able to figure out how to use OAuth2 with Go by studying <a href="https://github.com/bitly/oauth2_proxy" rel="nofollow">https://github.com/bitly/oauth2_proxy</a> and various REST API client libs.</p> <p><a href="https://github.com/digitalocean/godo" rel="nofollow">https://github.com/digitalocean/godo</a></p> <p><a href="https://github.com/google/google-api-go-client/blob/master/GettingStarted.md" rel="nofollow">https://github.com/google/google-api-go-client/blob/master/GettingStarted.md</a></p> <p>Finally, have you seen <a href="https://github.com/markbates/goth" rel="nofollow">goth</a>? It's a Go library that implements multi-provider authentication.</p></pre>

QThellimist: <pre><p>Nice. I'll check it out. Thanks.</p></pre>

lothamer: <pre><p>The link you included should be able to handle most of the server-side client components of OAuth2. The biggest difficulty you'll run into, I think, is session/token <a href="https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/" rel="nofollow">management</a>. These tend to be general problems, so there are tutorials around for lots of languages. I'd recommend looking at <a href="https://github.com/garyburd/redigo" rel="nofollow">redis</a> or some other server-side storage solution for the token combined with sessions. Another option to look at is the implicit grant, and manage it all client-side.</p></pre>

QThellimist: <pre><p>Do I have to implement a token management system early on? I am doing an MVP and I didn't think I'd have to use redis so early on.</p></pre>

ejayben: <pre><p>redis is dead easy... I'm pretty sure you could have installed it, run it, and implemented the token storage in the time that you've spent on this thread.</p></pre>

ejayben: <pre><p>Here, I did it for you because I was bored :P</p> <p><a href="https://gist.github.com/anonymous/df5b4f560c4a9437b143" rel="nofollow">https://gist.github.com/anonymous/df5b4f560c4a9437b143</a></p> <p>It uses URL params, but obviously you would want to move that information out of the URL and into a JSON request object.</p></pre>

nokkare: <pre><p>Why Martini? Didn't Negroni supersede Martini ages ago?</p> <p><a href="http://codegangsta.io/blog/2014/05/19/my-thoughts-on-martini/" rel="nofollow">http://codegangsta.io/blog/2014/05/19/my-thoughts-on-martini/</a></p></pre>

ejayben: <pre><p>Martini works for all my use cases and I don't mind using reflection / dependency injection at all.</p></pre>

nokkare: <pre><p>What's the argument for server-side storage? What's wrong with client-side storage?</p></pre>

anoland: <pre><p>Aside from the other comments, it should be noted that there is already a Facebook implementation for you to start with.</p> <p><a href="https://godoc.org/golang.org/x/oauth2#pkg-subdirectories" rel="nofollow">https://godoc.org/golang.org/x/oauth2#pkg-subdirectories</a></p></pre>

QThellimist: <pre><p>The thing is, I don't know how to securely send/receive data. When I log in using Facebook in the mobile app I'll be granted keys. When I post data or get data specific to the user I should encrypt these (private key/public key). I'm not sure where to put this data (header, body...) and so on... I've had experience with Parse.com, which just handles everything inside.</p></pre>

Celestro: <pre><p>You can handle everything inside also.</p> <p>The way I do it is create endpoints on my server that then redirect to the appropriate provider. That provider redirects back to my <em>server</em> and I get all the sensitive information there. This way you don't store/transmit that sensitive information client-side.</p> <p>Use <a href="https://github.com/markbates/goth" rel="nofollow">https://github.com/markbates/goth</a> and simply set up routes such as <code>/auth/facebook/login</code> and <code>/auth/facebook/callback</code>. I use <a href="https://github.com/labstack/echo" rel="nofollow">https://github.com/labstack/echo</a> for routing, which allows me to have <code>/auth/:provider/login|callback</code> so it can be dynamic.</p> <p>Once you get your callback from the OAuth server, do the exchange (via goth) and store the info in your DB. Generate your OWN token that then gets sent to the client. That token is what the client uses to auth with YOU.</p></pre>

anoland: <pre><p>There is a lot going on, but I'll try to give you the gist so that you can get started.</p> <p>First you need to create some sort of config. It needs provider-specific information such as the client id and the client key. You get these when you create your app with the provider. Some types of client keys are more "secret" than others. What I mean is, if you have a mobile app, the type of key you get is able to be used on somebody else's device. The "secret" type of key will only be used on your system.</p> <p>Next you have to make a request to the provider's endpoint with the config info. It will ask them if they approve the connection. If the client approves, the provider will send them back to your redirect URL with a temporary token. You use this token to get the final token that you store in your system, in a process called Key Exchange.</p> <p>To add to the confusion, the final token you just exchanged for may be a permanent token that is good until the user decides to expire it, or it may be another kind of token that you use over and over to request a new short-term token that expires after a while.</p> <p>Now you put this in storage like <a href="/u/lothamer" rel="nofollow">/u/lothamer</a> suggests.</p> <p>Once you have this process in place, you use this token to make your requests to the provider. The OAuth clients should handle the headers and provider-specific stuff for you as long as you give them the correct information. If you are unlucky enough to not* have a provider-specific client (ahem: reddit!) then you would have to make sure all this is in place. Fortunately for you, there is a Facebook OAuth client already.</p> <p>There is some more you should know. I suggest you read up on OAuth2 and 3-legged auth for more info.</p> <p>Edit: *forgot an important word.</p></pre>

QThellimist: <pre><p>Thanks. This was really helpful. I did get confused about tokens. If the token expires, am I going to do this whole process again? Also, can I use this token for securely sending/receiving data with my own server? If so, how?</p></pre>

anoland: <pre><blockquote> <p>If the token expires am I going to do this whole process again?</p> </blockquote> <p>Yes</p> <blockquote> <p>Also can I use this token for securely sending/receiving data with my own server.</p> </blockquote> <p>That is an ambiguous question, but the answer you are looking for is probably No. You should use a different mechanism for exchanging data with your server. At the very least, if you want to use OAuth for traffic between your app/client and your server, set up a new set of keys, and set up a proper provider on your server. Probably overkill IMHO.</p></pre>
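Celestro's answer ("generate your OWN token that then gets sent to the client") and lothamer's point about session/token management describe the piece the original poster is missing: after the provider callback has been exchanged and the provider's tokens are stored server-side, the API hands the mobile client its own opaque bearer token and validates it on every request. The Go program below is an added example written for this thread, not code from any commenter, from goth, or from the gist linked above. It uses only the standard library; the in-memory `TokenStore` stands in for the redis store lothamer recommends, the user id `"user-42"` is a constructed sample value, and the `/auth/:provider/callback` handler that would call `Issue` is assumed to exist elsewhere. Tokens are stored only as SHA-256 digests, carry an expiry, and are read from the `Authorization: Bearer` header rather than a URL parameter (the change ejayben says his gist still needs), so they stay out of access logs.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"net/http"
	"strings"
	"sync"
	"time"
)

type session struct {
	userID  string
	expires time.Time
}

// TokenStore maps sha256(token) -> session. Storing digests means a dump of
// the store cannot be replayed as bearer tokens. In-memory here (assumption:
// single instance); a redis hash would replace the map in production.
type TokenStore struct {
	mu      sync.Mutex
	entries map[string]session
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewTokenStore() *TokenStore {
	return &TokenStore{entries: map[string]session{}, now: time.Now}
}

func digest(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue mints a 256-bit random token for userID with a fixed lifetime. Call it
// from the provider callback handler after the OAuth2 exchange has succeeded;
// only this token, never the provider's access token, goes back to the client.
func (s *TokenStore) Issue(userID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw) // 43 URL-safe characters
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[digest(tok)] = session{userID: userID, expires: s.now().Add(ttl)}
	return tok, nil
}

var ErrUnauthorized = errors.New("invalid or expired token")

// Lookup resolves a presented token to its user, purging it once expired so
// the client is forced back through the provider login (the "Yes" above).
func (s *TokenStore) Lookup(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := digest(token)
	sess, ok := s.entries[key]
	if !ok {
		return "", ErrUnauthorized
	}
	if !s.now().Before(sess.expires) {
		delete(s.entries, key)
		return "", ErrUnauthorized
	}
	return sess.userID, nil
}

// BearerToken reads "Authorization: Bearer <token>" (case-insensitive scheme).
func BearerToken(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	return strings.TrimSpace(h[len(prefix):]), true
}

type ctxKey struct{}

// UserFromContext returns the user id that RequireAuth attached to the request.
func UserFromContext(ctx context.Context) string {
	u, _ := ctx.Value(ctxKey{}).(string)
	return u
}

// RequireAuth wraps an API handler: requests without a valid, unexpired token
// get 401; otherwise the user id travels to the handler via the context.
func (s *TokenStore) RequireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok, ok := BearerToken(r)
		user, err := s.Lookup(tok)
		if !ok || err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
			http.Error(w, "missing, invalid or expired token", http.StatusUnauthorized)
			return
		}
		next(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, user)))
	}
}
```

Wiring it in: the callback route calls `store.Issue(dbUserID, 24*time.Hour)` and returns the token in the JSON response body, and every user-specific route is registered as `store.RequireAuth(handler)`; the client then sends `Authorization: Bearer <token>` on each call. The provider's own access and refresh tokens never leave the server, which is also the answer to the question of whether the Facebook token should be used to talk to your API: it should not.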

