Provides request authentication for Decentraland services.
This requires the intervention of a third party (an authentication server) in order to authenticate the user against a service provider.
```go
import "github.com/decentraland/auth-go/pkg/ephemeral"

// Generate the user's ephemeral key pair (the error is ignored here for brevity)
ephKey, _ := ephemeral.NewEphemeralKey(&ephemeral.EphemeralKeyConfig{})
```
```go
import (
	"github.com/decentraland/auth-go/pkg/ephemeral"
	"net/http"
	"strings"
)

// ephKey is the ephemeral key generated in the previous step
req, _ := http.NewRequest("POST", "https://yourserver.org/api/resource", strings.NewReader("{\"param\":\"data\"}"))
accessToken := "..." // Access token issued by the third party. To obtain one you must send it the ECDSA public key generated as part of the credential generation process

// Adds the x-signature, x-timestamp, x-identity and x-access-token headers to the request
ephKey.AddRequestHeaders(req, accessToken)
```
For WebRTC or other non-HTTP messages you can obtain the full set of credentials for the message you want to send:
```go
import "github.com/decentraland/auth-go/pkg/ephemeral"

ephKey, _ := ephemeral.NewEphemeralKey(&ephemeral.EphemeralKeyConfig{})
msg := []byte("Your Message")
accessToken := "..." // Access token issued by the third party. To obtain one you must send it the ECDSA public key generated as part of the credential generation process

// Produces the credential set (the same values as the headers listed below) for the message
ephKey.MakeCredentials(msg, accessToken)
```
| Header | Meaning |
|---|---|
| x-signature | The request information (HTTP method + URL + body + timestamp) signed with the generated ephemeral key. Because the timestamp is part of the signed data, this is vital to prevent replay attacks. |
| x-timestamp | Request timestamp, in Unix time. |
| x-identity | The user's ephemeral public key used in the access token creation, and the user ID. |
| x-access-token | Access token. Contains the ephemeral public key and is signed by the granting authority with its own private key. |
Service providers need to authenticate users based on the information present in the request headers.
We define two basic authentication strategies.
For third-party authentication, the service provider must know the entity that signs the access token; otherwise the request is rejected.
```go
import (
	"github.com/decentraland/auth-go/pkg/auth"
	"github.com/decentraland/auth-go/pkg/keys"
)

reqTTL := 30 // Request time to live in seconds
// pemEncodedPublicKeyString holds the PEM-encoded public key of the trusted authority (the access token signer)
trustedKey := keys.PemDecodePublicKey(pemEncodedPublicKeyString)
authHandler, err := auth.NewThirdPartyAuthProvider(&auth.ThirdPartyProviderConfig{RequestLifeSpan: reqTTL, TrustedKey: trustedKey})

// httpRequest is the incoming *http.Request carrying the credential headers
req, _ := auth.MakeFromHttpRequest(httpRequest)
result, err := authHandler.ApproveRequest(req)

// Get UserID
userID := result.GetUserID() // Extracted from the access token
```
```go
import (
	"github.com/decentraland/auth-go/pkg/auth"
	"github.com/decentraland/auth-go/pkg/keys"
)

reqTTL := 30 // Request time to live in seconds
// pemEncodedPublicKeyString holds the PEM-encoded public key of the trusted authority (the access token signer)
trustedKey := keys.PemDecodePublicKey(pemEncodedPublicKeyString)
authHandler, err := auth.NewThirdPartyAuthProvider(&auth.ThirdPartyProviderConfig{RequestLifeSpan: reqTTL, TrustedKey: trustedKey})

// For non-HTTP messages, build the credential map from the values that travelled with the message
msgCredentials := make(map[string]string)
msgCredentials[auth.HeaderAccessToken] = ""
//...
msgCredentials[auth.HeaderTimestamp] = "150000000"
msg := []byte("Your Message To Validate")
req := &auth.AuthRequest{Credentials: msgCredentials, Content: msg}
result, err := authHandler.ApproveRequest(req)

// Get UserID
userID := result.GetUserID() // Extracted from the access token
```
```go
import (
	"github.com/decentraland/auth-go/pkg/auth"
	"github.com/decentraland/auth-go/pkg/authentication"
	"github.com/decentraland/auth-go/pkg/authorization"
	"net/http"
)

// AllowAll strategies accept every request; swap in your own implementations of the interfaces
authnStrategy := &authentication.AllowAllStrategy{}
authzStrategy := &authorization.AllowAllStrategy{}
authHandler := auth.NewAuthProvider(authnStrategy, authzStrategy)

var httpRequest *http.Request
// httpRequest = ...
req, _ := auth.MakeFromHttpRequest(httpRequest)
ok, err := authHandler.ApproveRequest(req)
```
The service provider can also implement its own auth strategy. The only requirement is to implement the AuthenticationStrategy and AuthorizationStrategy interfaces.
This repository is protected with a standard Apache 2 licence. See the terms and conditions in the LICENSE file.