How are people managing authentication in Go?

For those building RESTful APIs and JS front-end apps in Go, how are you managing authentication? Are you using any particular libraries or techniques?

I'm surprised to find so little discussion about this. I keep in mind answers like the following, and am trying to avoid developing my own implementation:

https://stackoverflow.com/questions/20062103/authentication-in/20062137#20062137

Is everybody coding their own solution, separately?

This question gets a ton of views--and has a Popular Question badge--so I know there is a lot of latent interest in this topic, and many people are asking exactly the same thing and not finding answers on the Interwebs.

Most of the available information results in the textual equivalent of the hand wavy thing, left as an "exercise for the reader."

However I've finally located one concrete example, (generously) provided by a member of the golang-nuts mailing list:

https://groups.google.com/forum/#!msg/golang-nuts/GE7a_5C5kbA/fdSnH41pOPYJ

This provides a suggested schema and server-side implementation as a basis for custom authentication. The client-side code is still up to you.

(I hope the author of the post sees this: Thanks!)

Excerpted (and reformatted):

"I would suggest something like the following design:

create table User (
 ID int primary key identity(1,1),
 Username text,
 FullName text,
 PasswordHash text,
 PasswordSalt text,
 IsDisabled bool
)

create table UserSession (
 SessionKey text primary key,
 UserID int not null, -- Could have a hard "references User"
 LoginTime <time type> not null,
 LastSeenTime <time type> not null
)

• When a user logs in to your site via a POST under TLS, determine if the password is valid.
• Then issue a random session key, say 50 or more crypto rand characters and stuff in a secure Cookie.
• Add that session key to the UserSession table.
• Then when you see that user again, first hit the UserSession table to see if the SessionKey is in there with a valid LoginTime and LastSeenTime and User is not deleted. You could design it so a timer automatically clears out old rows in UserSession."

Another possible solution is Authboss, recently announced on the mailing list.

(I haven't tried using this library.)

Also see Best way to make a webapp with user auth?

1: https://github.com/go-authboss/authboss "Authboss"
2: https://groups.google.com/forum/#!topic/golang-nuts/1AbkiW1TUEc
3: https://www.reddit.com/r/golang/comments/2rhdxo/best_way_to_make_a_webapp_with_user_auth/

You would use middleware to do the authentication.

You can try go-http-auth for basic and digest authentication and gomniauth for OAuth2.

But how to authenticate really depends on your app.

Authentication introduces state/context into your http.Handlers and there have been some discussion about that lately.

Well known solutions to the context problem are gorilla/context and google context described here.

I made a more general solution without the need of global state in go-on/wrap that may be used together or without the other two and nicely integrates with context free middleware.

wraphttpauth provides integration of go-http-auth with go-on/wrap.

Answering this in 2018. I suggest using JWT(JSON Web Token). The answer you marked solved has drawback, which is the trip it did front(user) and back(server/db). What is worse if user did frequent request that need auth, will result in bloated request from/to server and database. To solve this use JWT which store the token in user end which can be used by user anytime it needs access/request. No need trip to database and server processing to check the token validity take short time.

Honestly, there's a lot of authentication methods and techniques that you can mount into your application and that depends on applications business logic and requirements.<br>
For example Oauth2, LDAP, local authentication, etc. <br>
My answer assumes you are looking for local authentication which means you manage the user's identities in your application.
The server must expose a set of external API allow users and admins
Managing the accounts and how they want to identify themselves to Server to achieve trustable communication.
you will end up creating a DB table holding the user's information.
where the password is hashed for security purposes See How to store the password in the database

let assume app requirements to authenticate users based on one of the following methods:<br>

• basic authentication (username, password): <br>
  This auth method depends on user credentials sets in Authorization header encoded in base64 and defined inrfc7617, basically when the app receives the user requests its decodes the authorization and re-hash the password to compare it within DB hash if it's matched the user authenticated otherwise return 401 status code to the user.

• certificate-based authentication:<br>
  This auth method depends on a Digital Certificate to identify a user,
  and it's known as x509 auth, so when the app receives the user requests it reads the client's certificate and verifies it that matches the CA Root certificate that is provided to the APP.

• bearer token: <br>
  This auth method depends on short-lived Access tokens, The bearer token is a cryptic string, usually generated by the server in response to a login request. so when the app receives the user requests it reads the authorization and validates the token to authenticate the user.

However, I'd recommend go-guardian
for authentication library which it does through an extensible set of authentication methods known as strategies. basically Go-Guardian does not mount routes or assume any particular database schema, which maximizes flexibility and allows decisions to be made by the developer.

Setting up a go-guardian authenticator is straightforward.

Here the full example of the above methods.

package main

import (
	"context"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"sync"

	"github.com/golang/groupcache/lru"
	"github.com/gorilla/mux"
	"github.com/shaj13/go-guardian/auth"
	"github.com/shaj13/go-guardian/auth/strategies/basic"
	"github.com/shaj13/go-guardian/auth/strategies/bearer"
	gx509 "github.com/shaj13/go-guardian/auth/strategies/x509"
	"github.com/shaj13/go-guardian/store"
)

var authenticator auth.Authenticator
var cache store.Cache

func middleware(next http.Handler) http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		log.Println("Executing Auth Middleware")
		user, err := authenticator.Authenticate(r)
		if err != nil {
			code := http.StatusUnauthorized
			http.Error(w, http.StatusText(code), code)
			return
		}
		log.Printf("User %s Authenticated\n", user.UserName())
		next.ServeHTTP(w, r)
	})
}

func Resource(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("Resource!!\n"))
}

func Login(w http.ResponseWriter, r *http.Request) {
	token := "90d64460d14870c08c81352a05dedd3465940a7"
	user := auth.NewDefaultUser("admin", "1", nil, nil)
	cache.Store(token, user, r)
	body := fmt.Sprintf("token: %s \n", token)
	w.Write([]byte(body))
}

func main() {
	opts := x509.VerifyOptions{}
	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	opts.Roots = x509.NewCertPool()
	// Read Root Ca Certificate
	opts.Roots.AddCert(readCertificate("<root-ca>"))

	cache = &store.LRU{
		lru.New(100),
		&sync.Mutex{},
	}

	// create strategies
	x509Strategy := gx509.New(opts)
	basicStrategy := basic.New(validateUser, cache)
	tokenStrategy := bearer.New(bearer.NoOpAuthenticate, cache)

	authenticator = auth.New()
	authenticator.EnableStrategy(gx509.StrategyKey, x509Strategy)
	authenticator.EnableStrategy(basic.StrategyKey, basicStrategy)
	authenticator.EnableStrategy(bearer.CachedStrategyKey, tokenStrategy)

	r := mux.NewRouter()
	r.HandleFunc("/resource", middleware(http.HandlerFunc(Resource)))
	r.HandleFunc("/login", middleware(http.HandlerFunc(Login)))

	log.Fatal(http.ListenAndServeTLS(":8080", "<server-cert>", "<server-key>", r))
}

func validateUser(ctx context.Context, r *http.Request, userName, password string) (auth.Info, error) {
	// here connect to db or any other service to fetch user and validate it.
	if userName == "stackoverflow" && password == "stackoverflow" {
		return auth.NewDefaultUser("stackoverflow", "10", nil, nil), nil
	}

	return nil, fmt.Errorf("Invalid credentials")
}

func readCertificate(file string) *x509.Certificate {
	data, err := ioutil.ReadFile(file)

	if err != nil {
		log.Fatalf("error reading %s: %v", file, err)
	}

	p, _ := pem.Decode(data)
	cert, err := x509.ParseCertificate(p.Bytes)
	if err != nil {
		log.Fatalf("error parseing certificate %s: %v", file, err)
	}

	return cert
}

Usage:

• Obtain token:

curl  -k https://127.0.0.1:8080/login -u stackoverflow:stackoverflow
token: 90d64460d14870c08c81352a05dedd3465940a7

• Authenticate with a token:

curl  -k https://127.0.0.1:8080/resource -H "Authorization: Bearer 90d64460d14870c08c81352a05dedd3465940a7"

Resource!!

• Authenticate with a user credential:

curl  -k https://127.0.0.1:8080/resource -u stackoverflow:stackoverflow

Resource!!

• Authenticate with a user certificate:

curl --cert client.pem --key client-key.pem --cacert ca.pem https://127.0.0.1:8080/resource

Resource!!

You can enable multiple authentication methods at once. You should usually use at least two methods

Another open source package for handling authentication with cookies is httpauth.

(written by me, by the way)

Take a look at Labstack Echo - it wraps authentication for RESTful APIs and frontend applications into middleware that you can use to protect specific API routes.

Setting up basic authentication, for example, is as straightforward as creating a new subrouter for the /admin route:

e.Group("/admin").Use(middleware.BasicAuth(func(username, password string, c echo.Context) (bool, error) {
if username == "joe" && password == "secret" {
return true, nil
}
return false, nil
}))

See all of Labstack's middleware authentication options here.