A user management microservice; OAuth 2.0 and OIDC provider
Space (formerly known as Jupiter) is a user authentication and authorisation microservice intended to be used across multiple client applications. Currently, it's used to provide OAuth 2 authorisation for the earaujoassis/wallet and earaujoassis/watchman projects. Though it is not intended to be used widely, it can be used as a reference implementation of a Golang-based OAuth 2 provider.
It uses Gin as the Web Framework and GORM for Golang's structure–relational mapping. Redis is used as a memory store to keep track of users' atomic and ephemeral actions (like the whole authorisation process under the "Authorization Code Grant" method, described in RFC 6749, section 4.1). For the user's authentication process, it is mandatory to use Two-factor authentication (Time-based One-time Password).
Additionally, the application supports the use of Hashicorp's Vault in order to obtain configuration information and secrets. It is planned to use Vault as a way to store client keys and secrets, if the OAuth client application supports it.
It is not planned to implement all authorisation methods described in RFC 6749 but section 4.1 only, "Authorization Code Grant". As OAuth 2.1 is under draft, and following RFC 7636 "Proof Key for Code Exchange by OAuth Public Clients", RFC 9700 "Best Current Practice for OAuth 2.0 Security", and the drafts for OAuth 2.1 and "OAuth 2.0 for Browser-Based Applications", the methods for "Implicit Grant", "Resource Owner Password Credentials Grant", and "Client Credentials Grant" won't be implemented.
Space is based on a set of feature flags enabled/disabled through a Redis store.
- RFC 6749: The OAuth 2.0 Authorization Framework
- RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
- RFC 9700: Best Current Practice for OAuth 2.0 Security
- RFC 7009: OAuth 2.0 Token Revocation
- RFC 7662: OAuth 2.0 Token Introspection
- RFC 8414: OAuth 2.0 Authorization Server Metadata
- OpenID Connect Core 1.0 incorporating errata set 2
- OpenID Connect Discovery 1.0 incorporating errata set 2
- OAuth 2.0 Multiple Response Type Encoding Practices
Space is built on top of Golang and Node.js; both are manageable on top of asdf – a .tool-versions file is already provided. Space also uses Redis and Postgres as data stores – and optionally Vault. Please make sure to place this project inside the $GOPATH (a symbolic link could solve this or simply go getting this like $ go get github.com/earaujoassis/space) or to set the GO111MODULE=on env var. A .env file is used to load environment information for the application – .env is already available. The application needs a PORT env var in order to setup its socket (it is automatically provided by goreman).
In order to setup the application, additional configuration is necessary. That could be delivered through Vault or through a local .config.local.json file. If you plan to use Vault, you need to fill the .config.yml file, according to the .config.sample.yml, and store a k/v secret according to the .config.local.sample.json. If you don't plan to use Vault, just create a .config.local.json file according to .config.local.sample.json. The application will try to load the .config.local.json by default, if it is available; otherwise, it will attempt to load it from Vault. At least one of these configuration schemes is necessary.
Once the configuration is complete, the following commands will run the server application locally:
$ scripts/setup.sh
$ go get github.com/mattn/goreman
$ goreman start
$ open http://localhost:9000For testing (plus code coverage) and linting, you could run:
$ scripts/setup.sh
$ task test
$ task lint && yarn lintIf you have any question, comment or an issue, please take a look at /issues.
MIT License © Ewerton Carlos Assis
Illustrations provided by unDraw - "Open-source illustrations for any idea you can imagine and create". For more details, take a look at ATTRIBUTIONS.md