OAuth/SSO | JWT (OAuth 2.0 Authorization Framework)

makes extensive use of HTTP redirections … [per] HTTP 302 status code, or any other method available via the user-agent …

OAuth 2.0 is an authorization framework, not an authentication protocol: it grants a client scoped access to resources, but says nothing about who the user is.
OpenID Connect (OIDC) adds the authentication layer on top of it.

Grant Types

OAuth Libraries (Go, except where noted)

  1. ORY Hydra [9K] | ory.sh/hydra
    • Server … OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. Not an identity provider … but connects to your existing identity provider through a login and consent app.
  2. OmniAuth: Standardized Multi-Provider Authentication [7K] | Wiki
    • Client … a black box that you can send your application's users into when you need authentication and then get information back.
    • Provider Strategies (@ Ruby)
  3. OAuth2 for Go [3K] | GoDoc
    • Client … implementation for OAuth 2.0 spec.
  4. Goth: Multi-Provider Authentication for Go [3K] | GoDoc
    • Client … lets you write OAuth, OAuth2, or any other protocol providers, as long as they implement the Provider and Session interfaces.

Identity Providers


OpenID Connect (OIDC) 1.0

OIDC extends OAuth 2.0 with a signed id_token (a JWT) that the client verifies to learn who authenticated, and a UserInfo endpoint for fetching user attributes; it is a simple identity layer on top of the OAuth 2.0 protocol. … a standard set of scopes and claims for identities.

Examples include: profile, email, address, and phone. … built-in registration, discovery, and metadata for dynamic federations. You can type in your email address, then it dynamically discovers your OIDC provider, dynamically downloads the metadata, dynamically knows what certs it is going to use, and allows BYOI (Bring Your Own Identity). It supports high assurance levels and key SAML use cases for enterprises.
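What "a signed id_token the client verifies" means in practice, as an added example (not from the OIDC spec text or any library listed on this page): the block mints an RS256 id_token the way a provider would, then verifies it with the checks OIDC requires of a relying party: pinned alg, signature, iss, aud, exp and nonce. The signing key is generated locally as a stand-in for the key a real client would fetch from the provider's JWKS via discovery (an assumption so the example runs offline); the issuer https://idp.example, client ID client-123 and all claim values are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims holds the OIDC claims this example checks; others are ignored. "aud" may
// legally be a JSON array; this example handles only the single-string form.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
	Email string `json:"email,omitempty"`
}

var b64 = base64.RawURLEncoding

// NewProviderKey stands in for the provider's signing key, which a real client would
// fetch as a JWKS via discovery (assumption: generated locally so the example runs offline).
func NewProviderKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// SignIDToken builds a compact JWS (header.payload.signature) with RS256, as a
// provider does when it issues an id_token.
func SignIDToken(key *rsa.PrivateKey, claims IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side: pin the algorithm, verify the signature with
// the provider's public key, and only then trust the claims (iss, aud, exp, nonce).
func VerifyIDToken(tok string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	// The token's own header must not choose the verifier: reject "none", HS256, anything but RS256.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("audience mismatch: token was issued to another client")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: possible replay")
	}
	return &c, nil
}

func main() {
	key, now := NewProviderKey(), time.Now()
	tok, _ := SignIDToken(key, IDTokenClaims{Iss: "https://idp.example", Sub: "u1", Aud: "client-123",
		Exp: now.Add(time.Hour).Unix(), Nonce: "n1", Email: "alice@example.com"})
	fmt.Println(VerifyIDToken(tok, &key.PublicKey, "https://idp.example", "client-123", "n1", now))
}
```

The order matters: the algorithm is fixed by the client, not read from the token, and the signature is checked before any claim is parsed, so a forged payload, an "alg":"none" header or a token signed by some other key all fail before the claims are looked at. The nonce is the value the client put into its authentication request and stored in the user's session; checking it ties this id_token to that request.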

Misc/Other/Older References

URL sent to GitHub (OAuth Identity Provider) from our application

https://github.com/login/oauth/authorize?client_id=<APPs_GITHUB_OAUTH_ID>&redirect_uri=http://<APPs_DOMAIN>/oauth/redirect

The redirect URL is where we want the Identity Provider (GitHub) to send the user, together with the authorization code, once they have authenticated; it must match the callback URL registered with GitHub for this app. The request above omits the state parameter: generate an unguessable value per login, send it with the request, and reject any callback whose state does not match, otherwise the callback is open to login CSRF.

http://<APPs_DOMAIN>/oauth/redirect

After registering your app, you will receive a client ID and optionally a client secret. The client ID is considered public information, and is used to build login URLs, or included in JavaScript source code on a page. The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as single-page JavaScript apps or native apps, then the secret is not used, and ideally the service shouldn't issue a secret to these types of apps in the first place. Such public clients use PKCE (RFC 7636) instead, which binds the authorization code to the client instance that requested it.
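The GitHub exchange described above, carried through as an added example (not GitHub's code, nor that of any library listed on this page) in Go using only the standard library: /login mints a random state, binds it to the browser in a cookie and issues the HTTP 302 to the authorize URL; the callback at /oauth/redirect is accepted only if its state matches that cookie, after which the code and the client secret are posted to the token endpoint from the server side. GitHub's token endpoint is replaced by a constructed in-process stand-in (NewFakeGitHub), and the client ID, secret, app domain and token value are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// App is our application, the OAuth client. All values are placeholders (assumption).
type App struct {
	ClientID, ClientSecret string
	AuthorizeURL, TokenURL string // GitHub: /login/oauth/authorize and /login/oauth/access_token
	RedirectURI            string // must exactly match the callback URL registered with the IdP
	HTTP                   *http.Client
}

const stateCookie = "oauth_state"

// Login serves /login: mint an unguessable state, bind it to this browser in an
// HttpOnly cookie, and send the user to the IdP with HTTP 302.
func (a *App) Login(w http.ResponseWriter, r *http.Request) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		http.Error(w, "no entropy", http.StatusInternalServerError) // never fall back to a guessable state
		return
	}
	state := base64.RawURLEncoding.EncodeToString(b)
	// Lax, not Strict: the callback is a cross-site top-level GET from the IdP and must carry this cookie.
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: state, Path: "/oauth/redirect",
		HttpOnly: true, SameSite: http.SameSiteLaxMode, MaxAge: 600})
	q := url.Values{"client_id": {a.ClientID}, "redirect_uri": {a.RedirectURI},
		"scope": {"read:user"}, "state": {state}}
	http.Redirect(w, r, a.AuthorizeURL+"?"+q.Encode(), http.StatusFound)
}

// VerifyState guards /oauth/redirect: the ?state= sent back by the IdP must equal the
// cookie set by Login. Without it an attacker can hand a victim a callback URL carrying
// the attacker's own code and log the victim into the attacker's account (login CSRF).
func VerifyState(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil {
		return errors.New("no state cookie: callback did not originate from /login")
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("state mismatch: possible CSRF")
	}
	return nil
}

// Exchange swaps the one-time code for an access token, server to server, so the
// client secret never reaches the browser. GitHub answers form-encoded by default.
func (a *App) Exchange(code string) (string, error) {
	resp, err := a.HTTP.PostForm(a.TokenURL, url.Values{"client_id": {a.ClientID},
		"client_secret": {a.ClientSecret}, "code": {code}, "redirect_uri": {a.RedirectURI}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	vals, err := url.ParseQuery(string(body))
	if err != nil || vals.Get("access_token") == "" {
		return "", fmt.Errorf("token exchange failed: %s", vals.Get("error"))
	}
	return vals.Get("access_token"), nil
}

// NewFakeGitHub is a constructed stand-in for GitHub's token endpoint so the example
// runs offline: it honours exactly one code together with the right client secret.
func NewFakeGitHub(validCode, secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/login/oauth/access_token" || r.FormValue("code") != validCode ||
			r.FormValue("client_secret") != secret {
			fmt.Fprint(w, "error=bad_verification_code")
			return
		}
		fmt.Fprint(w, "access_token=gho_constructed_example&scope=read%3Auser&token_type=bearer")
	}))
}

func main() {
	idp := NewFakeGitHub("good-code", "s3cret")
	defer idp.Close()
	app := &App{ClientID: "app-id", ClientSecret: "s3cret", AuthorizeURL: idp.URL + "/login/oauth/authorize",
		TokenURL: idp.URL + "/login/oauth/access_token", RedirectURI: "http://app.example/oauth/redirect", HTTP: idp.Client()}
	fmt.Println(app.Exchange("good-code"))
}
```

A callback handler composes the two pieces: call VerifyState first, clear the state cookie so it is single-use, then Exchange the code and start an application session; the access token itself stays server-side and is never echoed to the browser. The state lives in a per-browser cookie rather than a server-wide set of issued values because a global set would still accept the attacker's own, legitimately issued state.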