Authentication framework for Go applications.
- EDITOR NOTE: It is recommended that you transition to the Goth package.
- OAuth2 today
- Supports other protocols too
- Multiple providers - Supports Google, GitHub and Facebook and more
- Easily extensible
- Example web app to copy
- Works beautifully with Goweb
- Fully TDD
- Jump right into the API Documentation
Install Gomniauth by doing:
$ go get github.com/stretchr/gomniauth
- If you add a provider that others could also make use of, please send us a Pull Request and we'll add it to the repo.
Set up Gomniauth
First and only once for your application, you need to setup the security key and providers. The security key is used when hashing any data that gets transmitted to ensure its integrity.
You are free to use the signature package's RandomKey function to generate a unique code every time your application starts.
A provider represents an authentication service that will be available to your users. Usually, you'll have to add some configuration of your own, such as your application
secret (provided by the auth service), and the
callback into your app where users will be sent following successful (or not) authentication.
gomniauth.WithProviders( github.New("key", "secret", "callback"), google.New("key", "secret", "callback"), )
What kind of callback?
The callback should be an absolute URL to your application and should include the provider name in some way.
For example, in the example web app we used the following format for callbacks:
Are they logged in?
When a user tries to access a protected resource, or if you want to make third party authenticated API calls, you need a mechanism to decide whether a user is logged in or not. For web apps, cookies usually work, if you're building an API, then you should consider some kind of auth token.
Decide how to log in
If they are not logged in, you need to provide them with a list of providers from which they can choose.
You can access a list of the providers you are supporting by calling the
Redirecting them to the login page
Once a provider has been chosen, you must redirect them to be authenticated. You can do this by using the
gomniauth.Provider function, that will return a Provider by name.
So if the user chooses to login using Github, you would do:
provider, err := gomniauth.Provider("github")
Once you have your provider, you can get the URL to redirect users to by calling:
authUrl, err := provider.GetBeginAuthURL(state, options)
You should then redirect the user to the
State and options
state parameter is a
State object that contains information that will be hashed and passed (via the third party) through to your callback (see below). Usually, this object contains the URL to redirect to once authentication has completed, but you can store whatever you like in here.
options parameter is an
objx.Map containing additional query-string parameters that will be sent to the authentication service. For example, in OAuth2 implementations, you can specify a
scope parameter to get additional access to other services you might need.
Handling the callback
Once the third party authentication service has finished processing the request, they will send the user back to your callback URL.
Remember, you specified the callback URL when you setup your providers.
For example, the user might hit:
You don't need to worry about the detail of the parameters passed back, because Gomniauth takes care of those for you. You just need to pass them into the
CompleteAuth method of your provider:
provider, err := gomniauth.Provider("github") creds, err := provider.CompleteAuth(queryParams)
NOTE: It's unlikely you'll hard-code the provider name, we have done it here to make it obvious what's going on.
The provider will then do the work in the background to complete the authentication and return the
creds for that user. The
creds are then used to make authenticated requests to the third party (in this case Github) on behalf of the user.
Getting the user information
If you then want some information about the user who just authenticated, you can call the
GetUser method on the provider (passing in the
creds from the
The User you get back will give you access to the common user data you will need (like name, email, avatar URL etc) and also an
Data() that contains everything else.
Once you had the credentials for a user for a given provider, you should cache them in your own datastore. This will mean that if the cookie hasn't expired, or if the client has stored the auth token, they can continue to use the service without having to log in again.