Skip to content

facundoalarcon/oauth2-pkce-sample

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits

doc/resources

doc/resources

 
 

platform

platform

 
 

web

web

 
 

.dockerignore

.dockerignore

 
 

.env.example

.env.example

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

exec.ps1

exec.ps1

 
 

exec.sh

exec.sh

 
 

main.go

main.go

 
 

Repository files navigation

Auth0 + Go Web App Sample with PKCE

This sample demonstrates how to add authentication to a Go web app using Auth0 with OAuth 2.0 PKCE flow.

Based on Auth0 Go Example, read it to better understand this sample.

Motivations

Because regular web apps are server-side apps where the source code is not publicly exposed, they can use the Authorization Code Flow, which exchanges an Authorization Code for a token. Your app must be server-side because during this exchange, you must also pass along your application's Client Secret, which must always be kept secure, and you will have to store it in your client.

When public clients (e.g., native and single-page applications) request Access Tokens, some additional security concerns are posed that are not mitigated by the Authorization Code Flow alone. When cannot securely store a Client Secret you can use Given these situations, OAuth 2.0 provides a version of the Authorization Code Flow which makes use of a Proof Key for Code Exchange (PKCE).

The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

Auth0 App configuration

Follow Auth0 Go Quickstart stepts and additionally configure in Application Properties section the Token Endpoint Authentication Method value with None.

auth0_app_properties

Running the App

To run the app, make sure you have go installed.

Rename the .env.example file to .env and provide your Auth0 credentials.

# .env

AUTH0_CLIENT_ID={CLIENT_ID}
AUTH0_DOMAIN={DOMAIN}
AUTH0_CALLBACK_URL=http://localhost:3000/callback

Once you've set your Auth0 credentials in the .env file, run go mod vendor to download the Go dependencies.

Run go run main.go to start the app and navigate to http://localhost:3000/.

Alternatively, you could build the docker image and run it.

docker build -t auth0-golang-web-app .
docker run --env-file .env -p 3000:3000 -it auth0-golang-web-app

Related resources

About

Auth0 with OAuth 2.0 PKCE sample

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages