openid20

package

v1.0.5 Latest Latest Go to latest Published: Feb 21, 2023 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/StalkR/openid

Links

Open Source Insights

Documentation ¶

Overview ¶

Package openid20 implements simplistic Open ID 2.0 support.

Open ID 2.0 is obsolete and replaced by OpenID Connect but some providers still use it, e.g. Steam.

Simplification choices of this library: - it does not verify nonce reuse

the spec requires it but it's a terrible stateful idea requiring storage
you can replay identification, not a problem unless the return URL leaks
they expire after 1 minute anyway

- it does not verify discover information

we're only using openid.claimed_id property
spec says we should verify it can assert it, but it's the basic one
if the server is malicious it can lie on the discover anyway
avoids extra discover requests and caching of response

- it does not verify return_to scheme matches

because server itself doesn't know, e.g. if behind a reverse proxy
it's signed by the openid server anyway

Another potential problem with Open ID 2.0 spec is login xsrf, but it's easy enough to mitigate in applications, if that's something you're concerned about: - before redirecting: generate a nonce, set it as cookie and append it to return_to - on verify: compare the nonce in cookie and URL

For a spec compliant but heavier library see https://github.com/yohcop/openid-go.

Index ¶

func RedirectURL(endpoint, returnTo string) string
func Verify(r *http.Request, endpoint string) (string, error)

Examples ¶

Verify

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func RedirectURL ¶ added in v1.0.3

func RedirectURL(endpoint, returnTo string) string

RedirectURL builds a redirect URL to login with the provider.

func Verify ¶ added in v1.0.3

func Verify(r *http.Request, endpoint string) (string, error)

Verify verifies the return URL after a login and returns the openid.claimed_id.

Example ¶

package main

import (
	"fmt"
	"net/http"

	"github.com/StalkR/openid/openid20"
)

func main() {
	const endpoint = "https://steamcommunity.com/openid/login"
	const returnTo = "https://example.com/auth"
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, openid20.RedirectURL(endpoint, returnTo), http.StatusSeeOther)
	})
	http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		user, err := openid20.Verify(r, endpoint)
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %v", user)
	})

}

Output:

Types ¶

This section is empty.

Source Files ¶

View all Source files

openid20.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL