{"id":24525865,"url":"https://github.com/cidaas/go-interceptor","last_synced_at":"2025-03-15T15:40:55.349Z","repository":{"id":48053067,"uuid":"340407002","full_name":"Cidaas/go-interceptor","owner":"Cidaas","description":"cidaas GO Interceptor helps you to verify cidaas access tokens conveniently. Secure – Fast – And unrivaled Swabian.","archived":false,"fork":false,"pushed_at":"2024-07-01T20:42:55.000Z","size":411,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-22T05:31:21.845Z","etag":null,"topics":["cidaas","go","golang","jwt","oauth2","oidc","openid-connect"],"latest_commit_sha":null,"homepage":"https://www.cidaas.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cidaas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-19T15:15:12.000Z","updated_at":"2024-05-06T09:18:47.000Z","dependencies_parsed_at":"2024-06-19T11:30:53.724Z","dependency_job_id":"61c8a976-f361-4da8-a2a7-d7873bda48f5","html_url":"https://github.com/Cidaas/go-interceptor","commit_stats":{"total_commits":93,"total_committers":14,"mean_commits":6.642857142857143,"dds":0.7634408602150538,"last_synced_commit":"311bd749bce1eac66f7698ada278258563be9e58"},"previous_names":["cidaas/cidaas-go-interceptor"],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cidaas%2Fgo-interceptor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cidaas%2Fgo-interceptor/tags
","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cidaas%2Fgo-interceptor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cidaas%2Fgo-interceptor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cidaas","download_url":"https://codeload.github.com/Cidaas/go-interceptor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243753989,"owners_count":20342537,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cidaas","go","golang","jwt","oauth2","oidc","openid-connect"],"created_at":"2025-01-22T05:29:07.637Z","updated_at":"2025-03-15T15:40:55.329Z","avatar_url":"https://github.com/Cidaas.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![pipeline status](https://gitlab.widas.de/cidaas-public-devkits/cidaas-interceptors/cidaas-go-interceptor/badges/master/pipeline.svg)](https://gitlab.widas.de/cidaas-public-devkits/cidaas-interceptors/cidaas-go-interceptor/-/commits/master)\n[![coverage report](https://gitlab.widas.de/cidaas-public-devkits/cidaas-interceptors/cidaas-go-interceptor/badges/master/coverage.svg)](https://gitlab.widas.de/cidaas-public-devkits/cidaas-interceptors/cidaas-go-interceptor/-/commits/master)\n[![License](https://img.shields.io/badge/License-MIT-brightgreen.svg)](https://gitlab.widas.de/cidaas-public-devkits/cidaas-interceptors/cidaas-go-interceptor/-/blob/master/LICENSE)\n\n![Logo](logo.jpg)\n\n## About cidaas:\n[cidaas](https://www.cidaas.com)\n is a fast and secure Cloud 
Identity \u0026 Access Management solution that standardises what’s important and simplifies what’s complex.\n\n## Feature set includes:\n* Single Sign On (SSO) based on OAuth 2.0, OpenID Connect, SAML 2.0 \n* Multi-Factor-Authentication with more than 14 authentication methods, including TOTP and FIDO2 \n* Passwordless Authentication \n* Social Login (e.g. Facebook, Google, LinkedIn and more) as well as Enterprise Identity Provider (e.g. SAML or AD) \n* Security in Machine-to-Machine (M2M) and IoT\n\n## How to install\n\n### Version 1.x.x\n\n`go get github.com/Cidaas/go-interceptor`\n\nThis version lets you secure your APIs by passing **scopes or roles** to the interceptor, which validates them either by introspecting the access token or by checking its signature.\n\n### Version 2.x.x\n\n`go get github.com/Cidaas/go-interceptor/v2`\n\nThis version lets you secure your APIs by passing **security options** to the interceptor, which validates them either by introspecting the access token or by checking its signature. 
You can pass the following options to the interceptor:\n\n\u003e With signature validation, only the scopes can be validated strictly\n\n```go\n// SecurityOptions which should be passed to restrict the API access\ntype SecurityOptions struct {\n\tRoles                 []string                 // roles which are allowed to access this api\n\tScopes                []string                 // scopes which are allowed to access this api\n\tGroups                []GroupValidationOptions // groups which are allowed to access this api (only possible with introspect)\n\tAllowAnonymousSub     bool                     // false (by default) indicates that tokens which have an anonymous sub are rejected, true indicates that tokens which have an ANONYMOUS sub are allowed (only possible with the signature check for now)\n\tStrictRoleValidation  bool                     // by default false, true indicates that all provided roles must match (only possible with introspect)\n\tStrictScopeValidation bool                     // by default false, true indicates that all provided scopes must match (also possible with the signature check)\n\tStrictGroupValidation bool                     // by default false, true indicates that all provided groups must match (only possible with introspect)\n\tStrictValidation      bool                     // by default false, true indicates that all provided roles, scopes and groups must match (the signature check just checks for the scopes)\n}\n\n// GroupValidationOptions provides options to allow API access only to certain groups\ntype GroupValidationOptions struct {\n\tGroupID              string   `json:\"groupId\"`              // the group id to match\n\tGroupType            string   `json:\"groupType\"`            // the group type to match\n\tRoles                []string `json:\"roles\"`                // the roles to match\n\tStrictRoleValidation bool     `json:\"strictRoleValidation\"` // true indicates that all roles must 
match\n\tStrictValidation     bool     `json:\"strictValidation\"`     // true indicates that the group id, group type and all roles must match\n}\n```\n\n#### Breaking changes\n\n* Instead of passing the scopes and roles in order to verify the token, you now need to pass an object with different options, as explained above\n* Tokens which have **NO SUB** are now rejected by default. If you want to allow them, you need to enable the SecurityOptions.AllowAnonymousSub flag, which is *false* by default\n\n## Usage\n\nThe cidaas go interceptor can be used to secure APIs which use the net/http package or the fiber web framework in golang. \n\n### net/http\nThe following examples show how to use the interceptor if you are using the net/http package for your APIs.\n\n**Attached an example how to secure an API with scopes and roles based on the signature of a token:**\n\n#### Version 1.x.x\n\n```go\nfunc get(w http.ResponseWriter, r *http.Request) {\n\t// set response to ok and return Status ok and response\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(http.StatusOK)\n\tw.Write([]byte(respJSON))\n\treturn\n}\n\nfunc main() {\n\tr := mux.NewRouter()\n\tapi := r.PathPrefix(\"/api/v1\").Subrouter()\n\t// Base URI is mandatory, ClientID is optional, if ClientID is set the interceptor will only allow requests from this Client\n\tcidaasInterceptor, err := cidaasinterceptor.New(cidaasinterceptor.Options{BaseURI: \"https://base.cidaas.de\", ClientID: \"clientID\"})\n\tif err != nil {\n\t\tlog.Panicf(\"Initialization of cidaas interceptor failed! 
Error: %v\", err)\n\t\tpanic(\"Panic!\")\n\t}\n\tgetHandler := http.HandlerFunc(get)\n\tapi.Handle(\"/\", cidaasInterceptor.VerifyTokenBySignature(getHandler, []string{\"profile\", \"cidaas:api_scope\"}, []string{\"role:Admin\"})).Methods(http.MethodGet)\n\tlog.Fatal(http.ListenAndServe(\":8080\", r))\n}\n```\n\n#### Version 2.x.x\n\n```go\nfunc get(w http.ResponseWriter, r *http.Request) {\n\t// set response to ok and return Status ok and response\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(http.StatusOK)\n\tw.Write([]byte(respJSON))\n\treturn\n}\n\nfunc main() {\n\tr := mux.NewRouter()\n\tapi := r.PathPrefix(\"/api/v2\").Subrouter()\n\t// Base URI is mandatory, ClientID is optional, if ClientID is set the interceptor will only allow requests from this Client\n\tcidaasInterceptor, err := cidaasinterceptor.New(cidaasinterceptor.Options{BaseURI: \"https://base.cidaas.de\", ClientID: \"clientID\"})\n\tif err != nil {\n\t\tlog.Panicf(\"Initialization of cidaas interceptor failed! 
Error: %v\", err)\n\t\tpanic(\"Panic!\")\n\t}\n\tgetHandler := http.HandlerFunc(get)\n\tapi.Handle(\"/\", cidaasInterceptor.VerifyTokenBySignature(getHandler, cidaasinterceptor.SecurityOptions{\n\t\tScopes: []string{\"your scope\"},\n\t\tRoles: []string{\"role:Admin\"},\n\t})).Methods(http.MethodGet)\n\tapi.Handle(\"/user\", cidaasInterceptor.VerifyTokenBySignature(getHandler, cidaasinterceptor.SecurityOptions{\n\t\tAllowAnonymousSub: true, // add this flag if you want to allow tokens with an anonymous sub\n\t\tScopes: []string{\"your scope\"},\n\t\tRoles: []string{\"role:Admin\"},\n\t})).Methods(http.MethodGet)\n\tlog.Fatal(http.ListenAndServe(\":8080\", r))\n}\n```\n\n**Attached an example how to secure an API with scopes and roles based on an introspect call to the cidaas instance:**\n\n#### Version 1.x.x\n\n```go\nfunc get(w http.ResponseWriter, r *http.Request) {\n\t// set response to ok and return Status ok and response\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(http.StatusOK)\n\tw.Write([]byte(respJSON))\n\treturn\n}\n\nfunc main() {\n\tr := mux.NewRouter()\n\tapi := r.PathPrefix(\"/api/v1\").Subrouter()\n\t// Base URI is mandatory, ClientID is optional, if ClientID is set the interceptor will only allow requests from this Client\n\tcidaasInterceptor, err := cidaasinterceptor.New(cidaasinterceptor.Options{BaseURI: \"https://base.cidaas.de\", ClientID: \"clientID\"})\n\tif err != nil {\n\t\tlog.Panicf(\"Initialization of cidaas interceptor failed! 
Error: %v\", err)\n\t\tpanic(\"Panic!\")\n\t}\n\tgetHandler := http.HandlerFunc(get)\n\tapi.Handle(\"\", cidaasInterceptor.VerifyTokenByIntrospect(getHandler, []string{\"profile\", \"cidaas:api_scope\"}, nil)).Methods(http.MethodGet)\n\tlog.Fatal(http.ListenAndServe(\":8080\", r))\n}\n```\n\n#### Version 2.x.x\n\n```go\nfunc get(w http.ResponseWriter, r *http.Request) {\n    ...\n\t// set response to ok and return Status ok and response\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(http.StatusOK)\n\tw.Write([]byte(respJSON))\n\treturn\n}\n\nfunc main() {\n\tr := mux.NewRouter()\n\tapi := r.PathPrefix(\"/api/v1\").Subrouter()\n\t// Base URI is mandatory, ClientID is optional, if ClientID is set the interceptor will only allow requests from this Client\n\tcidaasInterceptor, err := cidaasinterceptor.New(cidaasinterceptor.Options{BaseURI: \"https://base.cidaas.de\", ClientID: \"clientID\"})\n\tif err != nil {\n\t\tlog.Panicf(\"Initialization of cidaas interceptor failed! 
Error: %v\", err)\n\t\tpanic(\"Panic!\")\n\t}\n\tgetHandler := http.HandlerFunc(get)\n\tapi.Handle(\"\", cidaasInterceptor.VerifyTokenByIntrospect(getHandler, cidaasinterceptor.SecurityOptions{\n\t\tScopes: []string{\"your scope\"},\n\t\tRoles: []string{\"role:Admin\"},\n\t})).Methods(http.MethodGet)\n\tlog.Fatal(http.ListenAndServe(\":8080\", r))\n}\n```\n\n**Attached an example how to secure an API with groups based on an introspect call to the cidaas instance:**\n\n#### Version 1.x.x\n\n\u003e Not supported\n\n#### Version 2.x.x\n\n```go\nfunc get(w http.ResponseWriter, r *http.Request) {\n    ...\n\t// set response to ok and return Status ok and response\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.WriteHeader(http.StatusOK)\n\tw.Write([]byte(respJSON))\n\treturn\n}\n\nfunc main() {\n\tr := mux.NewRouter()\n\tapi := r.PathPrefix(\"/api/v1\").Subrouter()\n\t// Base URI is mandatory, ClientID is optional, if ClientID is set the interceptor will only allow requests from this Client\n\tcidaasInterceptor, err := cidaasinterceptor.New(cidaasinterceptor.Options{BaseURI: \"https://base.cidaas.de\", ClientID: \"clientID\"})\n\tif err != nil {\n\t\tlog.Panicf(\"Initialization of cidaas interceptor failed! 
Error: %v\", err)\n\t\tpanic(\"Panic!\")\n\t}\n\tgetHandler := http.HandlerFunc(get)\n\tapi.Handle(\"\", cidaasInterceptor.VerifyTokenByIntrospect(getHandler, cidaasinterceptor.SecurityOptions{\n\t\tGroups: []cidaasinterceptor.GroupValidationOptions{{GroupID: \"yourGroupID\"}},\n\t})).Methods(http.MethodGet)\n\tapi.Handle(\"/user\", cidaasInterceptor.VerifyTokenByIntrospect(getHandler, cidaasinterceptor.SecurityOptions{\n\t\tAllowAnonymousSub: true, // add this flag if you want to allow tokens with an anonymous sub\n\t\tGroups: []cidaasinterceptor.GroupValidationOptions{{GroupID: \"yourGroupID\"}},\n\t})).Methods(http.MethodGet)\n\tlog.Fatal(http.ListenAndServe(\":8080\", r))\n}\n```\n\n### [Fiber](https://github.com/gofiber/fiber)\nThe following examples will show how to use the interceptor if you are using the fiber web framework for your APIs.\n\n#### How to install\n\n```\ngo get -u github.com/gofiber/fiber/v2\n```\n\n**Attached an example how to secure an API with scopes and roles based on the signature token validation and also with the introspect call:**\n\n#### Version 1.x.x\n\n```go\nfunc CreateApp() (*fiber.App, error) {\n\tinterceptor, err := cidaasinterceptor.NewFiberInterceptor(cidaasinterceptor.Options{\n\t\tBaseURI:  BaseUrl,\n\t\tClientID: Client_id,\n\t})\n\tif err != nil {\n\t\tls.Fatal().Err(err).Msg(\"can't initialize interceptor\")\n\t}\n\tapp := fiber.New()\n\troot := app.Group(fmt.Sprintf(\"/%s\", base.ServiceName))\n\troot.Post(\"/user\", interceptor.VerifyTokenBySignature([]string{\"profile\", \"cidaas:api_scope\"}, []string{\"role:Admin\"}), handler.UserHandler)\n\troot.Post(\"/user\", interceptor.VerifyTokenByIntrospect([]string{\"profile\", \"cidaas:api_scope\"}, []string{\"role:Admin\"}), handler.UserHandler)\n\treturn app, nil\n}\n\nfunc main()  {\n    app, err := CreateApp()\n\tif err != nil {\n\t\tpanic(err)\n    }\n\tapp.Listen(\":3000\")\n}\n```\n\n#### Version 2.x.x\n\n```go\nfunc CreateApp() (*fiber.App, error) {\n\tinterceptor, 
err := cidaasinterceptor.NewFiberInterceptor(cidaasinterceptor.Options{\n\t\tBaseURI:  BaseUrl,\n\t\tClientID: Client_id,\n\t})\n\tif err != nil {\n\t\tls.Fatal().Err(err).Msg(\"can't initialize interceptor\")\n\t}\n\tapp := fiber.New()\n\troot := app.Group(fmt.Sprintf(\"/%s\", base.ServiceName))\n\troot.Post(\"/user\", interceptor.VerifyTokenBySignature(cidaasinterceptor.SecurityOptions{\n\t\tScopes: []string{\"your scope\"},\n\t\tRoles: []string{\"role:Admin\"},\n\t}), handler.UserHandler)\n\troot.Post(\"/groups\", interceptor.VerifyTokenBySignature(cidaasinterceptor.SecurityOptions{\n\t\tAllowAnonymousSub: true, // add this flag if you want to allow tokens with an anonymous sub\n\t\tScopes: []string{\"your scope\"},\n\t\tRoles: []string{\"role:Admin\"},\n\t}), handler.UserHandler)\n\troot.Post(\"/user\", interceptor.VerifyTokenByIntrospect(cidaasinterceptor.SecurityOptions{\n\t\tScopes: []string{\"your scope\"},\n\t\tRoles: []string{\"role:Admin\"},\n\t}), handler.UserHandler)\n\treturn app, nil\n}\n\nfunc main()  {\n    app, err := CreateApp()\n\tif err != nil {\n\t\tpanic(err)\n    }\n\tapp.Listen(\":3000\")\n}\n```\n\n\n**Attached an example how to secure an API with groups with the introspect call:**\n\n#### Version 1.x.x\n\n\u003e Not supported\n\n#### Version 2.x.x\n\n```go\nfunc CreateApp() (*fiber.App, error) {\n\tinterceptor, err := cidaasinterceptor.NewFiberInterceptor(cidaasinterceptor.Options{\n\t\tBaseURI:  BaseUrl,\n\t\tClientID: Client_id,\n\t})\n\tif err != nil {\n\t\tls.Fatal().Err(err).Msg(\"can't initialize interceptor\")\n\t}\n\tapp := fiber.New()\n\troot := app.Group(fmt.Sprintf(\"/%s\", base.ServiceName))\n\troot.Post(\"/user\", interceptor.VerifyTokenByIntrospect(cidaasinterceptor.SecurityOptions{\n\t\tGroups: []cidaasinterceptor.GroupValidationOptions{{GroupID: \"yourGroupID\"}},\n\t}), handler.UserHandler)\n\treturn app, nil\n}\n\nfunc main()  {\n    app, err := CreateApp()\n\tif err != nil {\n\t\tpanic(err)\n    
}\n\tapp.Listen(\":3000\")\n}\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcidaas%2Fgo-interceptor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcidaas%2Fgo-interceptor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcidaas%2Fgo-interceptor/lists"}