Skip to content
This repository has been archived by the owner on Jun 14, 2022. It is now read-only.

ftauth/ftauth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

138 Commits

.github/workflows

.github/workflows

 
 

cmd/server

cmd/server

 
 

internal

internal

 
 

pkg

pkg

 
 

web

web

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

Dockerfile.buildx

Dockerfile.buildx

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

config.yaml

config.yaml

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

FTAuth codecov

FTAuth (Fault-Tolerant Auth) is a secure, lightweight OAuth 2.1-compliant server, written in Go.

Note: This project is still in development and should not be used in production.

Quick Start

Run the following command to create a local instance of FTAuth:

docker run --rm -it \
    -e FTAUTH_OAUTH_ADMIN_USERNAME=admin \
    -e FTAUTH_OAUTH_ADMIN_PASSWORD=password \
    -p 8000:8000 ftauth/ftauth:latest --embedded

The process will print client info in JSON to the terminal which can be used with a client SDK to connect to the running server.

Admin client: {
  "uid": "3cf9a7ac-9198-469e-92a7-cc2f15d8b87d",
  "client_name": "Admin",
  "client_type": "public",
  "redirect_uris": [
    "localhost",
    "myapp://auth"
  ],
  "scopes": [
    {
      "name": "default"
    },
    {
      "name": "admin"
    }
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "access_token_life": 3600,
  "refresh_token_life": 86400
}

Client SDKs

Features

FTAuth supports the OAuth 2.1 protocol, currently in draft, which slims the original OAuth 2.0 spec and incorporates best practices for security.

Features include:

  • JSON Web Tokens (JWT) & JSON Web Keys (JWK)

JWTs improve performance by allowing clients to introspect the token without querying the authorization server. JWKs allow clients to validate the claims embedded within the JWT by verifying the signature against a public key set.

  • Demonstrated Proof-of-Possession (DPoP) - RFC

While OAuth best practices mandate that clients mutually authenticate (e.g. via mutual TLS (mTLS)), this is not possible for public clients (i.e. Web apps, native apps) which encompass the majority of common use cases.

As an alternative, DPoP or Demonstrated Proof-of-Possession is implemented for all clients (public and confidential) which protects against many of the same attacks. The disadvantage of DPoP is that the public client cannot be initially authenticated, i.e. anyone can impersonate a trusted client.

It is recommended that mTLS is implemented when possible, e.g. in the service mesh.

  • Proof Key for Code Exchange (PKCE) - RFC

An added layer of protection for public clients, this standard protects against authorization code intercepts by establishing a secret on the client which is used later when exchanging the authorization code. In the same way DPoP protects access tokens, PKCE protects authorization codes from interception and replay attacks.

About

The FTAuth server

ftauth.io

Topics

golang oauth oauth2 authentication authorization oauth-server

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages