goth
Password grant flow
Why
Goth is probably the best authentication library currently in the Go ecosystem, but it is lacking a direct username/password flow. Adding the Password Grant flow is likely to increase adoption.
How
This PR adds a direct provider implementing the Password Grant flow as a Goth provider.
Implementation works as follows:
```mermaid
sequenceDiagram
    participant Client as Client
    participant Server as Server
    participant DirectProvider as DirectProvider
    Client->>Server: GET /auth/direct
    Server->>Server: Creates empty session and redirect to AuthURL ui
    Server-->>Client:
    Client->>Server: POST /auth/direct with email & password
    Server->>DirectProvider: IssueSession(email, password)
    DirectProvider->>Server: Return Session with AccessToken
    Server->>DirectProvider: FetchUser(email)
    DirectProvider->>Server: Return User data
    Server->>Client: Return authenticated user data or error
```
This implementation aims to be as consistent as possible with the existing patterns in the codebase, meaning that it is designed to work seamlessly with the existing utilities (like CompleteUserAuth). As such, this feature appears as the addition of one more provider.
Note: Not coupling the password grant to the CompleteUserAuth function has a small disadvantage. It is not possible to perform a request directly by providing a form, as an empty session has not yet been created but is needed to progress through the CompleteUserAuth function. As a result, an intermediate redirect occurs, creating the required session for login. This is not ideal, as a "standard" user login page typically displays the login form right away. Please let me know if anyone has better ideas on how to handle this.
@techknowlogick let me know what you think
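The three steps of the diagram (empty session from BeginAuth, IssueSession on the posted form, FetchUser on the resulting session), as an added stand-alone example. This is not code from the PR or from Goth: it does not import goth, so the Session and User types, the in-memory credential and token maps, the salted-HMAC password hashing (a stand-in for bcrypt/argon2id) and the example.test login URL are all assumptions made here. The points it adds beyond the diagram are the ones a password grant endpoint has to get right: one generic failure error for unknown email and wrong password, a dummy hash so both failures cost the same time, a constant-time comparison, and an access token drawn from crypto/rand so FetchUser only succeeds for a session that actually went through IssueSession.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"net/url"
)

// ErrInvalidCredentials is the only error a failed login returns, so a caller
// cannot learn whether the email or the password was the wrong part.
var ErrInvalidCredentials = errors.New("direct: invalid credentials")

// credential is a stored password record. Salted HMAC-SHA256 keeps this example
// standard-library only (assumption); a real store would use bcrypt or argon2id.
type credential struct{ salt, hash []byte }

func hashPassword(salt []byte, password string) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

// User is what FetchUser returns for an authenticated session (assumed shape).
type User struct{ Email, Name, AccessToken string }

// Session mirrors the shape of a Goth session: BeginAuth creates it with only
// AuthURL set (the "empty session"); IssueSession adds Email and AccessToken.
type Session struct{ AuthURL, Email, AccessToken string }

// DirectProvider implements the three steps of the diagram. The maps stand in
// for a user database and a token store (assumption for the example).
type DirectProvider struct {
	loginURL string
	creds    map[string]credential
	names    map[string]string
	tokens   map[string]string // access token -> email
}

func NewDirectProvider(loginURL string) *DirectProvider {
	return &DirectProvider{loginURL, map[string]credential{}, map[string]string{}, map[string]string{}}
}

// Register stores a user with a fresh random salt (fixture helper for the example).
func (p *DirectProvider) Register(email, name, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	p.creds[email] = credential{salt, hashPassword(salt, password)}
	p.names[email] = name
	return nil
}

// BeginAuth (GET /auth/direct): the empty session whose AuthURL is the login
// form, so a generic redirect-to-AuthURL handler works unchanged.
func (p *DirectProvider) BeginAuth(state string) (*Session, error) {
	return &Session{AuthURL: p.loginURL + "?state=" + url.QueryEscape(state)}, nil
}

// IssueSession (POST /auth/direct): verify the password in constant time and
// mint a random access token. An unknown email is hashed against a dummy
// record so it costs the same time as a wrong password for a known email.
func (p *DirectProvider) IssueSession(email, password string) (*Session, error) {
	cred, known := p.creds[email]
	if !known {
		cred = credential{make([]byte, 16), make([]byte, sha256.Size)}
	}
	match := subtle.ConstantTimeCompare(hashPassword(cred.salt, password), cred.hash) == 1
	if !known || !match {
		return nil, ErrInvalidCredentials
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	tok := hex.EncodeToString(raw)
	p.tokens[tok] = email
	return &Session{AuthURL: p.loginURL, Email: email, AccessToken: tok}, nil
}

// FetchUser: only a session carrying a token minted by IssueSession yields a
// user; the empty session from BeginAuth (or a forged token) is rejected.
func (p *DirectProvider) FetchUser(s *Session) (User, error) {
	email, ok := p.tokens[s.AccessToken]
	if s.AccessToken == "" || !ok {
		return User{}, errors.New("direct: no valid access token; call IssueSession first")
	}
	return User{email, p.names[email], s.AccessToken}, nil
}
```

Usage follows the diagram: the GET handler calls BeginAuth and redirects to the returned AuthURL; the POST handler calls IssueSession with the form fields, stores the returned Session, and then FetchUser on it. Because the token map is keyed by the random token rather than the email, a client that skips the POST and presents the empty session gets an error from FetchUser instead of a user.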
Just out of curiosity, what happened with this PR? Is this repository no longer being actively maintained?
Can this PR be merged please?
@markbates do you have any feedback on this? Should we close this PR?