I build these kinds of things for a living, and sadly, there isn't very
much in pure Go that I'm aware of to do this. I have a bunch of Go code
which I use to do this, but sadly, I can't share it yet, as I'm working on
getting approval to open source it.

The quickest way might be to put a SAML or OAuth2 proxy in front of your
service. For example, this is a good one despite being abandoned:
https://github.com/bitly/oauth2_proxy. You would run this as your
internet facing service, which would authenticate your users, then it would
proxy the requests to your actual API server once they pass auth. You can
look through their code for inspiration. It's really subtle to get a proper
identity provider workflow going, so it's best to borrow someone else's
work if you can. It's inefficient to proxy like this, but it could let you
get something up and running, and punt the problem of actual secure signup
to your ID provider.

Your signup workflow would go through your identity provider, and assuming
it's OAuth2 compliant, you could use this proxy to authenticate. I also
came across this tutorial, which is pretty good:
https://tutorialedge.net/golang/go-oauth2-tutorial/

Session token workflows are generally pretty custom to their application,
so writing general purpose tools is pretty tricky, particularly given that
secure login is fraught with many non-obvious security holes. Every
identity provider, Google, Facebook, Okta, and friends do their own
"special" thing which makes you write a custom login flow for each of them.
You will have to decide on the login flow to support, and find libraries
which implement their spec. For Google OIDC, for example, you could use
https://github.com/coreos/go-oidc

If I could make a recommendation, use a standard SAML login process, which
produces JWTs <https://jwt.io/> as session tokens, which you control.
Authenticate the session tokens using a JWT library,
https://github.com/lestrrat-go/jwx being
one of the best from a usability standpoint. When you control your own
session JWTs, you can put whatever you want in them without having to hit
the DB to check access permissions, and if you stick to known secure
signatures, like HMAC256 or ES256, you'll be pretty secure (assuming
everything is running on top of TLS).

Anyhow, good luck. You're off the well beaten path here, and into custom
craftsmanship territory.

-- Marcin

On Tue, Mar 19, 2019 at 4:50 PM <henrikn...@gmail.com> wrote:

> Let me first tell you I am new to Golang.
>
> I am looking for the code of an example web application with a simple
> Login, Logout, Signup page (With or without social network login). I tried
> google and nothing conclusive came out.
> Obviously I need something to protect against CSRF, hashed passwords, etc.
>
> I am surprised I have trouble finding this, since anyone starting a project
> needs this nowadays.
>
> Does anyone know where I can find this?
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
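
An added example, not part of the original message and not the poster's code: issuing and verifying an HMAC-SHA256 (JWT `alg` HS256) session token of the kind recommended above, with the header pinned and the MAC checked before the payload is parsed. It uses only the Go standard library rather than jwx so it runs without dependencies; the `Claims` fields, function names and demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is a constructed session payload; Role rides in the token, so no DB lookup is needed.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"` // expiry, Unix seconds
}

// hdr is the only header Verify accepts, so a token can never pick its own algorithm.
var hdr = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

func Issue(key []byte, c Claims) string {
	body, _ := json.Marshal(c) // cannot fail for this struct
	msg := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	return msg + "." + sign(key, msg)
}

// Verify checks header and MAC (constant time) before parsing the payload; now is Unix seconds.
func Verify(key []byte, tok string, now int64) (c Claims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != hdr || !hmac.Equal([]byte(p[2]), []byte(sign(key, hdr+"."+p[1]))) {
		return c, fmt.Errorf("bad header or signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(body, &c) != nil || now >= c.Exp {
		return Claims{}, fmt.Errorf("bad or expired claims")
	}
	return c, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed; use a random 32-byte secret in practice
	fmt.Println(Verify(key, Issue(key, Claims{"alice", "admin", 2000000000}), 1900000000))
}
```

Passing the current time in as a parameter keeps the expiry check deterministic under test; a real handler would pass `time.Now().Unix()`.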
