OAuth2 Auth Scheme

Since v0.11.0 aah supports OAuth2 auth scheme, library golang.org/x/oauth2 have been integrated with aah.

OAuth2 auth scheme can be achieved in three steps -

  • Configure client credentials
  • Implement authc.PrincipalProvider to provide subject principals based on OAuth2 provider
  • Implement authz.Authorizer to provide subject’s roles and permissions

Refer aah OAuth2 - Social Login example. It demonstrates Facebook, Google and GitHub social login(s).

Table of Contents

Configuration

OAuth2 auth scheme provides an easy to use and flexible configuration. It supports one or more OAuth2 auth schemes; configuring multiple social login, for example.

Section: oauth_scheme_key { … }

oauth_scheme_key { ... } configuration goes under section security.auth_schemes { ... }.

# -----------------------------------------------------------------------------
# OAuth2 auth scheme
# Choose a unique key name. It gets used as route auth.
#
# Doc: https://docs.aahframework.org/auth-schemes/oauth2.html
# -----------------------------------------------------------------------------
oauth_scheme_key {
  # Auth scheme name.
  # Supported values are `form`, `oauth2`, `basic` and `generic`.
  #
  # It is required value, no default.
  scheme = "oauth2"

  # To provide subject's principal information, implement interface
  # `authc.PrincipalProvider` and configure here.
  #
  # It is required value, no default.
  principal = "security/SubjectPrincipalProvider"

  # To provide subject's Roles and Permissions, implement interface
  # `authz.Authorizer` and configure here.
  #
  # It is required value, no default.
  authorizer = "security/AuthorizationProvider"

  # -----------------------------------------------------------------------------
  # OAuth2 Provider's Client credentials
  # Doc: https://docs.aahframework.org/auth-schemes/oauth2.html#configuration
  # -----------------------------------------------------------------------------
  client {
    # Client ID
    id = "client id"

    # Client secret
    secret = "client secret"

    # Scope specifies the requested permissions.
    scopes = ["profile", "email"]

    provider {
      # aah is aware of some of the OAuth2 providers auth and token URLs via library.
      # So, just configure the name here.
      # Refer https://docs.aahframework.org/auth-schemes/oauth2.html#known-provider-endpoints
      name = "facebook"

      # Provider's Auth and Token URL
      # It is required, when `client.provider.name` is not defined.
      #url {
      #  auth = "https://provider.com/o/oauth2/auth"
      #  token = "https://provider.com/o/oauth2/token"
      #}
    }
  }

  # Configuration to provide login, redirect/callback and success URL.
  url {
    # OAuth Login URL
    #
    # Default value is derived from the user-defined auth scheme key.
    # For example:
    #   auth scheme key ~ `github_auth` then login URL => `/github-auth/login`.
    login = "oauth2/login"

    # Redirect/callback URL is used to receive request from OAuth2 provider
    # after successful authentication.
    #
    # Default value is derived from the user-defined auth scheme key.
    # For example:
    #   auth scheme key ~ `github_auth` then callback URL => `/github-auth/callback`.
    redirect = "oauth2/callback"

    # Success URL is used to redirect after successful authentication
    # and authorization.
    #
    # Default value is `/`.
    success = "/success.html"
  }
}

Example Config

This is one of the OAuth2 provider configurations from aah OAuth2 Social login example.

# OAuth2 provider: Google
google_auth {
  scheme = "oauth2"  
  principal = "security/google/SubjectPrincipalProvider"
  authorizer = "security/AuthorizationProvider"

  client {
    id = "client id"
    secret = "client secret"
    scopes = ["profile", "email"]
    provider {
      name = "google"
    }
  }

  url {
    success = "/success.html"
  }
}

state Parameter

OAuth2 authorization protocols provide state parameter. During authentication, aah sends state parameter in the authorization request and then OAuth2 authorization server returns this parameter value as-is in response to caller application redirect.

The state parameter is used to protect against XSRF (aka CSRF, or sea surf).

aah OAuth2 state parameter created as follows

Note: state code is valid for 10 minutes.

state parameter is "32 byte secure random string using 'crypto/rand' : time stamp in UTC unix nano"

then, HMAC SHA-256 signed and base64 URL safe encoded

Known Provider Endpoints

aah is aware of some of the OAuth2 providers auth and token URLs via oauth2 library. So, just mention the name in client.provider.name.

OAuth2 provider names, just alphabetically ordered -

amazon, bitbucket, cern, facebook, fitbit, foursquare, github, gitlab,
google, heroku, hipchat, kakao, linkedin, mailchimp, mailru, mediamath,
microsoft, odnoklassniki, paypal, slack, spotify, twitch, uber, vk,
yahoo, yandex

For Azure OAuth2 endpoints, name format it -

For more information see: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints

provider {
  name = "azure.<tenant-name>"
}

Configuring OAuth2 Endpoint URLs

Configuring OAuth2 URLs instead of mentioning provider’s name.

url { ... } configuration goes under section client.provider { ... }.

# Provider's Auth and Token URL
# It is required, when `client.provider.name` is not defined.
url {
  auth = "https://provider.com/o/oauth2/auth"
  token = "https://provider.com/o/oauth2/token"
}