Documentation ¶
Overview ¶
Package openid20 implements simplistic OpenID 2.0 support.
OpenID 2.0 is obsolete, superseded by OpenID Connect, but some providers still use it, e.g. Steam.
Simplification choices of this library:

- it does not verify nonce reuse
  - the spec requires it, but it is a stateful check that needs storage
  - an identification response can therefore be replayed; not a problem unless the return URL leaks
  - responses expire after 1 minute anyway
- it does not verify discovery information
  - only the openid.claimed_id property is used
  - the spec says the endpoint should be verified as authoritative for that identifier, but this is the basic case
  - a malicious server can lie in discovery anyway
  - this avoids extra discovery requests and caching of their responses
- it does not verify that the return_to scheme matches
  - the server itself does not know its own scheme, e.g. when behind a reverse proxy
  - return_to is signed by the OpenID server anyway
Another potential problem with the OpenID 2.0 spec is login CSRF (an attacker completing a login in the victim's browser with the attacker's own identity). It is easy enough to mitigate in the application, if that is something you are concerned about:

- before redirecting: generate a nonce, set it as a cookie and append it to return_to
- on verify: compare the nonce in the cookie with the nonce in the URL

Because openid.return_to is one of the fields the provider signs, and providers must preserve return_to query parameters, the nonce survives the round trip intact; only a request made by the browser that holds the cookie will match.
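The mitigation above, written out as an added example (this is not code from the openid20 library; the cookie name, query parameter name, paths and port are assumptions for illustration). It generates the nonce, binds it to return_to, sets it as a cookie, and on return compares the two in constant time; the cookie is cleared afterwards so the same return URL cannot be submitted twice from that browser. The comments mark where the library's RedirectURL and Verify calls would go.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// Hypothetical names; choose your own.
const (
	nonceCookie = "openid_nonce"
	nonceParam  = "nonce"
)

// newNonce returns 128 bits from crypto/rand, URL-safe base64 encoded.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// bindNonce appends the nonce to return_to as a query parameter. The provider
// must preserve return_to query parameters and signs openid.return_to, so the
// nonce comes back unchanged.
func bindNonce(returnTo, nonce string) (string, error) {
	u, err := url.Parse(returnTo)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(nonceParam, nonce)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// startLogin sets the nonce cookie and returns the bound return_to URL to
// hand to the redirect builder.
func startLogin(w http.ResponseWriter, returnTo string) (string, error) {
	nonce, err := newNonce()
	if err != nil {
		return "", err
	}
	bound, err := bindNonce(returnTo, nonce)
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name: nonceCookie, Value: nonce, Path: "/auth",
		MaxAge: 600, HttpOnly: true, Secure: true,
		// Lax, not Strict: the provider sends the browser back with a
		// top-level cross-site GET, on which Strict cookies are withheld.
		SameSite: http.SameSiteLaxMode,
	})
	return bound, nil
}

// checkNonce rejects the return request unless the nonce in the URL matches
// the cookie, which a cross-site attacker can neither read nor set.
func checkNonce(r *http.Request) error {
	c, err := r.Cookie(nonceCookie)
	if err != nil {
		return errors.New("login csrf check: missing nonce cookie")
	}
	got := r.URL.Query().Get(nonceParam)
	if got == "" {
		return errors.New("login csrf check: missing nonce in return URL")
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) != 1 {
		return errors.New("login csrf check: nonce mismatch")
	}
	return nil
}

// clearNonce expires the cookie so the return URL is single-use per browser.
func clearNonce(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{Name: nonceCookie, Value: "", Path: "/auth", MaxAge: -1, HttpOnly: true, Secure: true})
}

func main() {
	const returnTo = "https://example.com/auth"
	http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		bound, err := startLogin(w, returnTo)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		// With the library: http.Redirect(w, r, openid20.RedirectURL(endpoint, bound), http.StatusSeeOther)
		fmt.Fprintf(w, "would redirect to the provider with return_to=%s\n", bound)
	})
	http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		if err := checkNonce(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		clearNonce(w)
		// With the library: user, err := openid20.Verify(r, endpoint)
		fmt.Fprintln(w, "nonce ok, now verify the OpenID response")
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run checkNonce before Verify, not after: a forged return URL should be rejected before any signature check work, and the cookie comparison is what ties the response to the browser that started the login.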
For a spec-compliant but heavier library see https://github.com/yohcop/openid-go.
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func RedirectURL ¶ added in v1.0.3
RedirectURL builds a redirect URL to log in with the provider.
func Verify ¶ added in v1.0.3
Verify verifies the return URL after a login and returns the openid.claimed_id.
Example ¶
```go
package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/StalkR/openid/openid20"
)

func main() {
	const endpoint = "https://steamcommunity.com/openid/login"
	const returnTo = "https://example.com/auth"
	// Send visitors to the provider's login page.
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, openid20.RedirectURL(endpoint, returnTo), http.StatusSeeOther)
	})
	// The provider redirects back here; Verify checks the signed response
	// and returns openid.claimed_id.
	http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		user, err := openid20.Verify(r, endpoint)
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %v", user)
	})
	// Serve; the return_to above must resolve to this server for the flow to complete.
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```
Types ¶
This section is empty.