OAuth2

OAuth2 is an open authentication and authorization standard designed to allow resource owners to give clients delegated access to private data (such as wall posts or tweets) via an access token exchange handshake. Even if you do not wish to access the private data, OAuth2 is a great option that allows people to sign in using their existing credentials, without exposing those credentials to a third-party site. In this case, we are the third party and we want to allow our users to sign in using services that support OAuth2.

From a user's point of view, the OAuth2 flow is:

  1. A user selects the provider with whom they wish to sign in to the client app.
  2. The user is redirected to the provider's website (with a URL that includes the client app ID) where they are asked to give permission to the client app.
  3. The user signs in with the OAuth2 service provider and accepts the permissions requested by the third-party application.
  4. The user is redirected back to the client app with a grant code.
  5. In the background, the client app sends the grant code to the provider, who sends back an access token.
  6. The client app uses the access token to make authorized requests to the provider, such as to get user information or wall posts.
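The flow above as an added Go example (not code from the book or from Gomniauth): a constructed in-memory provider and client walk steps 2 to 5, including two checks the list leaves implicit, the registered redirect URI and the `state` parameter from the OAuth2 specification that ties a callback to the session that started it. The names `provider`, `redeem`, `demo-app`, `code-1`, `token-1` and the client.example URL are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// provider is a constructed in-memory stand-in for an OAuth2 provider, not a real service.
type provider struct {
	redirectURI string          // callback registered for client app ID "demo-app"
	codes       map[string]bool // grant codes issued and not yet redeemed
}

// authorize is steps 2-4, given the parameters of the authorization URL: once the
// user consents, it returns the redirect that carries a grant code back to the client.
func (p *provider) authorize(clientID, redirectURI, state string) (*url.URL, error) {
	if clientID != "demo-app" || redirectURI != p.redirectURI {
		return nil, errors.New("unknown client or unregistered redirect_uri")
	}
	p.codes["code-1"] = true // sample value; real codes are random and short-lived
	back := url.Values{"code": {"code-1"}, "state": {state}}
	return url.Parse(redirectURI + "?" + back.Encode())
}

// token is step 5: a grant code buys exactly one access token.
func (p *provider) token(code string) (string, error) {
	if !p.codes[code] {
		return "", errors.New("invalid_grant")
	}
	delete(p.codes, code)
	return "token-1", nil // sample value
}

// redeem is the client app's callback handler logic: it accepts only a callback
// that carries the state this session sent in step 2, then performs step 5.
func redeem(p *provider, cb *url.URL, sessionState string) (string, error) {
	if sessionState == "" || cb.Query().Get("state") != sessionState {
		return "", errors.New("state mismatch")
	}
	return p.token(cb.Query().Get("code"))
}

func main() {
	p := &provider{redirectURI: "http://client.example/cb", codes: map[string]bool{}}
	cb, _ := p.authorize("demo-app", p.redirectURI, "state-1")
	fmt.Println(redeem(p, cb, "state-1"))
}
```

Calling `redeem` a second time with the same callback fails with `invalid_grant`, and a callback whose `state` differs from the session's value is rejected before any code is sent to the provider.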

To avoid reinventing the wheel, we will look at a few open source projects that have already solved this problem for us.

Open source OAuth2 packages

Andrew Gerrand has been working on the core Go team since February 2010, two years before Go 1.0 was officially released. His goauth2 package (see https://code.google.com/p/goauth2/) is an elegant implementation of the OAuth2 protocol written entirely in Go.

Andrew's project inspired Gomniauth (see https://github.com/stretchr/gomniauth). An open source Go alternative to Ruby's omniauth project, Gomniauth provides a unified solution to access different OAuth2 services. In the future, when OAuth3 (or whatever next-generation authentication protocol it is) comes out, in theory, Gomniauth could take on the pain of implementing the details, leaving the user code untouched.

For our application, we will use Gomniauth to access OAuth services provided by Google, Facebook, and GitHub, so make sure you have it installed by running the following command:

go get github.com/stretchr/gomniauth

Tip

Some of the project dependencies of Gomniauth are kept in Bazaar repositories, so you'll need to head over to http://wiki.bazaar.canonical.com to download them.
