ELI5: RangelReale/osin package (OAuth2)

polaris · · 1241 views
This is a resource shared on ; the information in it may have developed or changed since then.
<p>Hey, I am relatively new to Go and wanted to do a REST API using OAuth2 for auth. From what I could tell, the RangelReale/osin package seems to be the go-to choice for this.</p> <p>Having never worked with OAuth and only a little bit with Go, I am a bit overwhelmed (underwhelmed?) by the amount of documentation for the package, or lack thereof. I am not really sure how I would use it in my pretty limited scenario. There are examples, but having no idea what is meant to happen, I don't really understand if it does what I want it to do.</p> <p>Would some kind soul hold my hand a little and explain? Apparently it is so straightforward that I have not been able to find any tutorials or anything on it either.</p> <p>Thank you</p>

<hr/>**Comments:**<br/><br/>

klaaax: <pre><blockquote> <p>using OAuth2 for <strong>auth</strong></p> </blockquote> <p>authentication or authorization?</p></pre>

RckMrkr: <pre><p>I thought of authentication when I wrote it. I wasn't aware it was possible to do authorization using OAuth2.</p></pre>

klaaax: <pre><blockquote> <p>OAuth is an open standard for <strong>authorization</strong>.</p> </blockquote> <p><a href="https://en.wikipedia.org/wiki/OAuth" rel="nofollow">https://en.wikipedia.org/wiki/OAuth</a></p></pre>

RckMrkr: <pre><p>OK. Keep in mind I'm not really sure if my understanding is correct, but assuming that I host the authorizing server myself instead of using an external service, I must be doing some kind of authentication using OAuth?</p></pre>

anoland: <pre><p><a href="https://www.reddit.com/r/golang/comments/3bioq2/oauth2_golang_tutorial/" rel="nofollow">See mine and other comments here</a></p> <p>*Edit: The osin package is for building your own OAuth2 server. You are probably looking for the osincli package.</p> <p><a href="https://github.com/RangelReale/osincli" rel="nofollow">https://github.com/RangelReale/osincli</a></p></pre>

RckMrkr: <pre><p>In that case I think I may need both. I really just want to make sure that a user can log in to my service using credentials in my system, which is pretty standard. Usually it would be done via sessions or whatever through browsers, but in order to make it more widely usable, I would like to do that using OAuth.</p> <p>Sorry about not having clarified that enough.</p></pre>

anoland: <pre><blockquote> <p>but in order to make it more widely usable, I would like to do that using OAuth</p> </blockquote> <p>Do you really? Whenever I hear people start talking like that I start thinking YAGNI. It doesn't sound like you have a hard requirement for OAuth. Remember to KISS, at least at first. Focus on the product first, then add the bells and whistles later. You can get pretty far with just an API key that is a hash/HMAC of some user-specific data.</p> <p>Food for thought. <a href="http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/" rel="nofollow">http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/</a></p></pre>

calebdoxsey: <pre><p>For a client walkthrough (using standard http): <a href="https://youtu.be/oxogqJiFVYI?t=9m35s" rel="nofollow">https://youtu.be/oxogqJiFVYI?t=9m35s</a>. You can also use this library: <a href="http://godoc.org/golang.org/x/oauth2" rel="nofollow">http://godoc.org/golang.org/x/oauth2</a>.</p></pre>

CaptaincCodeman: <pre><p>There do seem to be a lot of moving parts, which can be overwhelming and confusing. The problem I found was that many solutions only solved specific pieces and rarely the entire thing end-to-end. Some focus on providing OAuth server capabilities (like osin does) but others focus on OAuth client sign-in (e.g. goth or x/oauth2).</p> <p>My take on it is that you typically need parts of both. You need to be an OAuth server to your own clients (browser / users) and also an OAuth client to the providers that your users want to use to sign in with (Facebook, Google, Twitter et al.). That really is the confusing part, but it gets easier once you figure out the 'app glue' where those parts meet.</p> <p>You use the 3rd-party-issued tokens to identify your users (using the provider + subject) and then issue your own token under your control, which you can add your own information to (based on your user within your system; the most common need being roles). If you use JWT tokens then it's fairly trivial to decode them in the API server and check for roles to authorize each request as required using middleware, with no user or database lookups required (thus allowing the API vs. auth/user systems to be separated).</p> <p>The client (browser) can store the tokens (in localStorage or a cookie) and there are a few libs for frameworks like Angular to automatically add the authentication headers and handle the refresh mechanism (which osin is great for).</p> <p>The beauty of JWT is that it can also contain extra info useful for display on the client: the same roles used for cosmetic security (hiding or showing options), username and avatar for sign-in status display, and so on.</p> <p>I've just implemented such a system where I use osin for issuing tokens plus handling the token refresh mechanism (where user roles are re-checked) but not the full range of OAuth grant types; I don't expect people to use my system's auth to sign in elsewhere. It's worked out really well and definitely something I'll re-use for future projects.</p></pre>

CaptaincCodeman: <pre><p>osin is also useful in the scenario where you have existing users that need to be able to sign in directly with a username & password. In this case you just handle the 'password' grant type for those, and after that you have the same JWT token mechanism as before. This way your app can support either sign-in mechanism. You can associate multiple credentials with a user to allow them to add additional 3rd-party sign-ins to their account, which makes for a great gradual migration.</p></pre>
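The "app glue" that CaptaincCodeman's two comments describe, as an added example that is not part of the thread and not code from the osin project: the service mints its own HS256 JWT whose `sub` is the provider + subject from whatever sign-in the user arrived with (3rd-party or local password grant) and whose `roles` come from the service's own user record, and API middleware authorizes each request from that token alone, with no user or database lookup. Everything here is Go standard library; `signingKey`, the `Claims` shape, the role names and the `/admin` path are assumptions made for the example, and osin is deliberately absent (in a real deployment osin would run the grant and refresh flows and `IssueToken` would be called from there; that placement is also an assumption). The verifier pins `alg` to HS256, compares the MAC in constant time and checks `exp` before any claim is trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var signingKey = []byte("example-signing-key-replace-me") // assumption: a real service loads this from a secret store
var enc = base64.RawURLEncoding                           // JWT segments are unpadded base64url

// Claims is the token the API issues; Sub is "provider:subject" taken from the 3rd-party sign-in.
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"` // unix seconds
}

func sign(signingInput string) []byte {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// IssueToken produces a compact HS256 JWT: base64url(header).base64url(payload).base64url(mac).
func IssueToken(c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	in := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return in + "." + enc.EncodeToString(sign(in)), nil
}

// VerifyToken checks alg, signature and expiry before trusting any claim in the payload.
func VerifyToken(tok string, now time.Time) (Claims, error) {
	var c Claims
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unsupported or malformed header") // pinning alg blocks the "none" downgrade
	}
	if sig, err := enc.DecodeString(p[2]); err != nil || !hmac.Equal(sig, sign(p[0]+"."+p[1])) {
		return c, errors.New("bad signature")
	}
	if pb, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil || now.Unix() >= c.Exp {
		return c, errors.New("malformed payload or expired token")
	}
	return c, nil
}

func HasRole(c Claims, role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// RequireRole authorizes purely from the bearer token: no user or database lookup needed.
func RequireRole(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := VerifyToken(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		} else if !HasRole(c, role) {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

// CallWithToken drives one request through the middleware in-process and returns the status code.
func CallWithToken(role, tok string) int {
	h := RequireRole(role, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	req := httptest.NewRequest("GET", "/admin", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok, _ := IssueToken(Claims{Sub: "google:1234", Roles: []string{"user"}, Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(CallWithToken("user", tok), CallWithToken("admin", tok), CallWithToken("user", "garbage")) // 200 403 401
}
```

The refresh flow the comment mentions is where roles get re-checked against the user store; between refreshes the API trusts the `roles` claim as signed, so keep `exp` short enough that a revoked role does not outlive your tolerance. The same `IssueToken` serves both the 3rd-party path and the local password-grant path, which is what lets the API treat both kinds of user identically.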
