OAuth

Provides logins and session management for many OAuth providers

Technology

The oauth module provides comprehensive OAuth 2.0 authentication and session management for Project Forge applications. It supports dozens of OAuth providers and includes flexible permission systems for access control.

Overview

This module enables secure authentication through external OAuth providers, eliminating the need for custom user management while providing fine-grained access control capabilities.

Key Features

Supported Providers

Major Platforms:

  - Development: GitHub, GitLab, Bitbucket, Gitea, Azure AD, Auth0, Okta
  - Business: Google, Microsoft, Amazon, Salesforce, Slack, Shopify
  - Social: Facebook, Twitter, Discord, LinkedIn, Instagram, TikTok
  - Gaming: Steam, Twitch, Battlenet, Discord
  - International: Naver, Kakao, LINE, VK, Yandex, WeChat

Security Features

Permission System

Configuration

Basic Setup

  1. Enable OAuth: Configure provider credentials via environment variables
  2. Set Permissions: Define access rules in your application initialization
  3. Configure Redirects: Set up OAuth callback URLs

Environment Variables

# GitHub OAuth
github_key=your_client_id
github_secret=your_client_secret

# Google OAuth
google_key=your_client_id
google_secret=your_client_secret

# Custom OpenID Connect
openid_connect_name="Custom Provider"
openid_connect_url=https://provider.example.com/.well-known/openid-configuration

# OAuth redirect configuration
oauth_redirect=https://yourapp.com/auth/callback
oauth_protocol=https

Permission Configuration

Add permission rules to your application initialization:

// Basic permission setup
user.SetPermissions(false, // default deny
    // Grant admin access to GitHub users from specific domain
    user.Perm("/admin", "github:@projectforge.dev", true),

    // Allow specific GitHub organization members
    user.Perm("/admin", "github:org:mycompany", true),

    // Deny admin access to others
    user.Perm("/admin", "*", false),

    // Allow authenticated users to access main app
    user.Perm("/", "*", true),
)

Usage Examples

Organization-Based Access

// GitHub organization membership required
user.SetPermissions(false,
    user.Perm("/", "github:org:mycompany", true),
    user.Perm("/", "*", false),
)

Domain-Based Access Control

// Company email domain required
user.SetPermissions(false,
    user.Perm("/", "google:@company.com", true),
    user.Perm("/public", "*", true), // public area for all
)

Multi-Provider Setup

// Multiple providers with different access levels
user.SetPermissions(false,
    // Admins: GitHub org members or Google company emails
    user.Perm("/admin", "github:org:mycompany", true),
    user.Perm("/admin", "google:@company.com", true),

    // Users: Any authenticated user from approved providers
    user.Perm("/app", "github:*", true),
    user.Perm("/app", "google:*", true),
    user.Perm("/app", "microsoft:*", true),
)

Advanced Features

Custom Provider Setup

For OpenID Connect providers not built-in:

openid_connect_name="Custom SSO"
openid_connect_url=https://sso.company.com/.well-known/openid-configuration
openid_connect_key=your_client_id
openid_connect_secret=your_client_secret

Session Customization

Configure session behavior through environment variables or programmatically:

// Custom session duration
os.Setenv("session_timeout", "7200") // 2 hours

// Custom cookie settings
os.Setenv("session_secure", "true")
os.Setenv("session_same_site", "strict")
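
A pre-deployment check over the variables shown under Environment Variables and Session Customization, as an added example that is not Project Forge code. The function name `lintOAuthEnv`, the sample values, and the policy it enforces (https-only callback, `session_secure` set explicitly, "lax" treated as an accepted `session_same_site` value) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// lintOAuthEnv returns sorted findings; the policy is this example's assumption.
func lintOAuthEnv(env map[string]string) []string {
	var out []string
	add := func(f string, a ...interface{}) { out = append(out, fmt.Sprintf(f, a...)) }
	for name, val := range env {
		base := strings.TrimSuffix(name, "_key")
		if base == name && !strings.HasSuffix(name, "_secret") {
			continue // not a <provider>_key / <provider>_secret credential
		}
		if val == "" || strings.HasPrefix(val, "your_client_") {
			add("%s: empty or placeholder value", name)
		}
		if base != name && env[base+"_secret"] == "" {
			add("%s: no matching %s_secret", name, base)
		}
	}
	if raw, ok := env["oauth_redirect"]; ok {
		proto := env["oauth_protocol"]
		if u, err := url.Parse(raw); err != nil || u.Host == "" {
			add("oauth_redirect: not an absolute URL")
		} else if u.Scheme != "https" || (proto != "" && proto != "https") {
			add("oauth_redirect: callback is not https end to end")
		}
	}
	if env["session_secure"] != "true" {
		add("session_secure: not set to true, cookie may travel over plain HTTP")
	}
	if s := env["session_same_site"]; s != "strict" && s != "lax" { // "lax" support is assumed
		add("session_same_site: %q does not restrict cross-site sends", s)
	}
	sort.Strings(out)
	return out
}

var sampleEnv = map[string]string{ // constructed input, not a real deployment
	"github_key": "constructed-id", "github_secret": "your_client_secret",
	"google_key": "constructed-id", "oauth_redirect": "http://yourapp.com/auth/callback",
	"oauth_protocol": "https", "session_same_site": "strict",
}

func main() { fmt.Println(strings.Join(lintOAuthEnv(sampleEnv), "\n")) }
```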

Source Code

See Also