Authorization with OAuth 2.0 in Go



With the rise of a large number of web services, it became necessary for one service to expose its resources to another. The very first solution implemented was for the user to hand their login and password to service A so that it could fetch data from service B. This approach, however, has a number of problems and limitations:

  • Service A has to store the username and password itself; moreover, the password is stored in plaintext.
  • It is impossible to grant access to only a subset of resources, or to limit how long that access lasts.
  • The user cannot selectively revoke a service's access to their resources. If the login or password changes, every service loses access at once.
  • A breach of any one of the services leaks the user's login and password, and therefore grants access to the private data held by the other service.

To solve the problems listed above, the OAuth specification was proposed; by implementing it, a third-party service can securely obtain limited access to the resources of another service.

Note: The article is purely informative and does not aim to present the topic in as much detail as possible; that is what the documentation is for. It should be mentioned that the article came out of the author's own study of this question. If you do not know what OAuth is, below is the material that I tried to summarize and present in an accessible form.

There are two versions of the specification, OAuth 1.0 and OAuth 2.0, which, incidentally, are not backward compatible. The first version was published in 2007 as a document of recommendations for delegating resources to a third-party service without disclosing the username and password. The second version (2012) is already an Internet standard: it addresses the shortcomings of the first version and expands the possible usage scenarios (selective access to resources, 4 types of authorization, use of native applications, refresh tokens, etc.). When people talk about OAuth, they usually mean the second version, since it is the one most often used, and it is the one discussed in more detail below.

Roles

The OAuth 2.0 specification distinguishes the following roles:

  • Client. A service (application) that wants to access the user's data.
  • Resource Server. The service that owns the user's data.
  • Authorization Server. A service that presents the user with an interface for deciding whether or not to grant a third-party service access to their resources.
  • Resource Owner. The user who grants access to the resources.

Let's look at how OAuth works from the Client's point of view, since that is the most common use case for developers; the details of implementing an Authorization Server are already well documented.
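As an added illustration of the Client role described above (not code from the original article), the following Go snippet uses only the standard library to build the first step of the Authorization Code grant and to validate the redirect back to the Client. The endpoint URL, client identifier, redirect URI and scope are constructed placeholders; a real Client would take them from its registration with the Authorization Server.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/url"
)

// ClientConfig holds what the Client is given when it registers with the
// Authorization Server; every value used below is a constructed placeholder.
type ClientConfig struct {
	AuthURL     string // the Authorization Server's authorization endpoint
	ClientID    string // identifier issued to the Client at registration
	RedirectURI string // where the Authorization Server sends the user back
	Scope       string // space-separated subset of the Resource Owner's data
}

// AuthCodeURL builds the URL the Client redirects the Resource Owner to for the
// Authorization Code grant; state must be unguessable and kept in the session.
func (c ClientConfig) AuthCodeURL(state string) (string, error) {
	u, err := url.Parse(c.AuthURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("scope", c.Scope)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ParseCallback handles the redirect back to the Client: it refuses a callback
// whose state does not match the stored one and otherwise returns the code.
func ParseCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch: callback not tied to this session")
	}
	if code := q.Get("code"); code != "" {
		return code, nil
	}
	return "", fmt.Errorf("callback carries no authorization code")
}
```

The returned code is then exchanged at the token endpoint together with the client credentials, which is the part of the flow the rest of the article covers.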
