uberich
A small-scale 3rd party authentication server.
Designed for registering and authenticating a whitelisted set of users. Authenticating in the scope of this application means saying "yes that is an email address I know about and this is the person it belongs to". It is clearly inspired by Persona in this regard, but does not aim to be a replacement for Persona.
I am not using this at the moment, and neither should you.
Set-up
```
$ go get hawx.me/code/uberich/...
```
Use `uberich-admin` to add users and apps.
```
$ uberich-admin set-user someone@example.com secretPassword
$ uberich-admin set-app testApp http://test.example.com sharedSecret
$ uberich
...
```
Now `testApp` can integrate with uberich using the `uberich` package.
```go
package main

import (
	"net/http"

	"github.com/gorilla/context"
	"hawx.me/code/uberich"
)

// SecretHandler serves the protected resource; assumed here to be an ordinary
// http.HandlerFunc, reached only once uberich.Protect has verified the session.
var SecretHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("secret data"))
})

func main() {
	store := uberich.NewStore("cookieSecret")
	// Named client rather than uberich so the variable does not shadow the package.
	client := uberich.Client("testApp", "http://uberich.example.com", "sharedSecret", store)

	http.Handle("/secret-data", client.Protect(SecretHandler))
	http.Handle("/sign-in", client.SignIn("http://test.example.com/sign-in", "/secret-data"))
	http.Handle("/sign-out", client.SignOut("/"))
	http.ListenAndServe(":8080", context.ClearHandler(http.DefaultServeMux))
}
```
Flow
The authentication flow is for an application (https://app) using an uberich authentication server (https://uberich):

1. User visits https://app and requests secret data.
2. https://app redirects the user to https://uberich/login, passing the `application` and `redirect_uri` query parameters.
3. User logs in using their registered details.
4. https://uberich redirects to `redirect_uri` with the `email` and `verify` query parameters.
5. https://app checks the `verify` parameter contains `email` hashed with the shared secret, then sets a cookie with the user's email address for later reference.
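Steps 4 and 5 of the flow, written out as an added example (not code from the uberich package): the server side appends `email` and `verify` to `redirect_uri`, and the application side accepts the callback only if `verify` is the MAC of that exact `email` under the shared secret. The README does not state how the email is "hashed with the shared secret", so HMAC-SHA256 with hex encoding is an assumption here, as are the function names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
)

// mac is the "email hashed with the shared secret" of step 5. The README does not
// name the construction; this example assumes HMAC-SHA256 keyed with the secret.
func mac(email, secret string) []byte {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(email))
	return m.Sum(nil)
}

// CallbackURL is the step-4 redirect the uberich server sends the browser to:
// redirect_uri with the email and verify query parameters appended.
func CallbackURL(redirectURI, email, secret string) string {
	q := url.Values{}
	q.Set("email", email)
	q.Set("verify", hex.EncodeToString(mac(email, secret)))
	return redirectURI + "?" + q.Encode()
}

// VerifyCallback is the step-5 check on the application side: it returns the
// email only when verify is the MAC of that exact email under the shared
// secret, rejecting missing parameters, a tampered email or a value made with
// another secret. hmac.Equal compares in constant time.
func VerifyCallback(rawQuery, secret string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	email, verify := q.Get("email"), q.Get("verify")
	if email == "" || verify == "" {
		return "", errors.New("missing email or verify parameter")
	}
	got, err := hex.DecodeString(verify)
	if err != nil {
		return "", errors.New("verify is not hex-encoded")
	}
	if !hmac.Equal(got, mac(email, secret)) {
		return "", errors.New("verify does not match email")
	}
	return email, nil
}
```

Only after `VerifyCallback` returns an email should the application set its session cookie, and the `secret` must be the same value registered with `uberich-admin set-app`.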