{"id":50494974,"url":"https://github.com/libraz/go-oidc-provider","last_synced_at":"2026-06-02T06:04:30.362Z","repository":{"id":353898871,"uuid":"1221352504","full_name":"libraz/go-oidc-provider","owner":"libraz","description":"Mount an OpenID Connect Provider on any Go http.Handler. Targets FAPI 2.0 Baseline / Message Signing. Pre-v1.0.","archived":false,"fork":false,"pushed_at":"2026-05-23T08:40:15.000Z","size":9455,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-23T10:33:46.680Z","etag":null,"topics":["authorization-server","dpop","fapi","fapi2","golang","library","oauth2","oidc","openid-connect"],"latest_commit_sha":null,"homepage":"https://go-oidc-provider.libraz.net","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/libraz.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-26T04:49:10.000Z","updated_at":"2026-05-22T14:17:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/libraz/go-oidc-provider","commit_stats":null,"previous_names":["libraz/go-oidc-provider"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/libraz/go-oidc-provider","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libraz%2Fgo-oidc-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/libraz%2Fgo-oidc-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libraz%2Fgo-oidc-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libraz%2Fgo-oidc-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/libraz","download_url":"https://codeload.github.com/libraz/go-oidc-provider/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/libraz%2Fgo-oidc-provider/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33808708,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-02T02:00:07.132Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization-server","dpop","fapi","fapi2","golang","library","oauth2","oidc","openid-connect"],"created_at":"2026-06-02T06:04:29.610Z","updated_at":"2026-06-02T06:04:30.349Z","avatar_url":"https://github.com/libraz.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
go-oidc-provider\n\n[![CI](https://img.shields.io/github/actions/workflow/status/libraz/go-oidc-provider/ci.yml?branch=main\u0026label=CI)](https://github.com/libraz/go-oidc-provider/actions/workflows/ci.yml)\n[![codecov](https://codecov.io/gh/libraz/go-oidc-provider/branch/main/graph/badge.svg)](https://codecov.io/gh/libraz/go-oidc-provider)\n[![Release](https://img.shields.io/github/v/release/libraz/go-oidc-provider?include_prereleases\u0026sort=semver\u0026display_name=tag\u0026label=release)](https://github.com/libraz/go-oidc-provider/releases)\n[![Go Reference](https://pkg.go.dev/badge/github.com/libraz/go-oidc-provider/op.svg)](https://pkg.go.dev/github.com/libraz/go-oidc-provider/op)\n[![Go Report Card](https://goreportcard.com/badge/github.com/libraz/go-oidc-provider)](https://goreportcard.com/report/github.com/libraz/go-oidc-provider)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)\n[![Docs](https://img.shields.io/badge/docs-libraz.net-blue?logo=readthedocs\u0026logoColor=white)](https://go-oidc-provider.libraz.net)\n\nOpenID Connect Provider (Authorization Server) library for Go. `op.New(...)`\nreturns a standard `http.Handler` you mount on `net/http`, `chi`, `gin`, or any\nrouter — no framework lock-in, no global state. Targets FAPI 2.0 Baseline /\nMessage Signing.\n\n\u003e 📘 **[Documentation site](https://go-oidc-provider.libraz.net)** — concepts,\n\u003e use cases, security posture, conformance scoreboard, and the full options\n\u003e reference live there. This README is the source-tree map and example\n\u003e inventory.\n\n\u003e **Status: pre-v1.0.** `v0.9.0` is the initial public release; the public API\n\u003e may change in any minor release until `v1.0.0`.\n\u003e [`CHANGELOG.md`](CHANGELOG.md) starts tracking notable changes from the\n\u003e release that follows `v0.9.0`.\n\n## Install\n\n```sh\ngo get github.com/libraz/go-oidc-provider/op@v0.9.0\n```\n\nGo 1.25+. 
Storage adapters are published as sub-modules so their\ndependencies stay out of your `go.sum` until you opt in:\n\n```sh\ngo get github.com/libraz/go-oidc-provider/op/storeadapter/sql@v0.9.0\ngo get github.com/libraz/go-oidc-provider/op/storeadapter/redis@v0.9.0\n```\n\n## Quickstart\n\n`op.New` requires four options at minimum — `Issuer`, `Store`, `Keyset`, and a\n32-byte `CookieKey`. The constructor returns an error rather than booting in an\nunsafe configuration, so partial setups fail fast.\n\n```go\nhandler, err := op.New(\n    op.WithIssuer(\"https://idp.example.com\"),\n    op.WithStore(inmem.New()),\n    op.WithKeyset(op.Keyset{{KeyID: \"k1\", Signer: priv}}),\n    op.WithCookieKey(cookieKey), // 32 bytes, AES-256-GCM\n)\nif err != nil {\n    log.Fatal(err)\n}\nlog.Fatal(http.ListenAndServe(\":8080\", handler))\n```\n\nEnd-to-end startup (key generation, store wiring, graceful shutdown) lives in\n[`examples/01-minimal`](examples/01-minimal/main.go); see also\n[Quick Start](https://go-oidc-provider.libraz.net/getting-started/install) and\n[Required options](https://go-oidc-provider.libraz.net/getting-started/required-options).\n\n### Local development\n\nThe defaults are tuned for production (https-only, public-network-only). When\nyou boot against `http://127.0.0.1` or a stub RP on the loopback interface, two\nopt-ins keep the validators from rejecting the demo wiring:\n\n```go\nop.WithAllowLocalhostLoopback(),                 // admit textual \"localhost\" hosts\nop.WithAllowInsecureBackchannelLogoutForDev(),   // admit http://localhost backchannel_logout_uri\n```\n\nBoth options are dev / CI-only — production embedders leave them off and front\ntheir RPs over TLS. 
Every example under [`examples/`](examples) that binds a\nloopback listener uses these options; an embedder porting one of the demos\ninto a production stack drops the lines.\n\n### FAPI 2.0 Baseline in one switch\n\n```go\nop.WithProfile(profile.FAPI2Baseline) // PAR + JAR + DPoP, ES256, alg lock\n```\n\nThe constructor refuses to start if the declared profile and the rest of the\noptions conflict. See\n[Use case: FAPI 2.0 Baseline](https://go-oidc-provider.libraz.net/use-cases/fapi2-baseline).\n\n## What this library is — and is not\n\n- **Embeds as `http.Handler`**: framework-agnostic, mountable at any prefix.\n- **BYO user model and storage**: small `store.*` substore interfaces; the\n  library never touches your `users` table directly.\n- **Headless interaction driver**: drive login / consent / logout from a SPA\n  (React, Vue, Svelte, Angular, …) via `op.WithSPAUI`, or supply your own\n  templates with `op.WithConsentUI`.\n- **Audit-first observability**: business events go through `audit.Emitter`\n  and `op.WithPrometheus(reg)` registers a curated counter set on your\n  registry. The library does **not** mount `/metrics`, install request-duration\n  middleware, or wrap your router — that's the embedder's job.\n\nOut of scope on purpose: it is not an IdP (no user table, no password hashing,\nno email delivery), not a generic OAuth2 framework (opinionated toward OIDC),\nand not a UI kit (the default HTML driver exists so the OP boots without\nconfiguration). 
Detail in\n[Why this library](https://go-oidc-provider.libraz.net/why).\n\n## Standards\n\nOpenID Connect Core 1.0; OAuth 2.0 (RFC 6749) and the Security Best Current\nPractices (RFC 9700); PKCE (RFC 7636), DPoP (RFC 9449), PAR (RFC 9126), JAR\n(RFC 9101), JARM, mTLS (RFC 8705); FAPI 2.0 Baseline / Message Signing.\n\nEach release is regressed against the OpenID Foundation conformance suite —\nthe live scoreboard is on the\n[conformance results page](https://go-oidc-provider.libraz.net/compliance/ofcs).\nA per-RFC matrix is at\n[Compliance — RFC matrix](https://go-oidc-provider.libraz.net/compliance/rfc-matrix).\n\n## Storage\n\nBring your own backend by implementing the substore interfaces in\n[`op/store`](op/store). The repository ships:\n\n| Adapter | Module path | Purpose |\n|---|---|---|\n| `inmem` | `op/storeadapter/inmem` | Reference / dev / test store. The contract harness in [`op/store/contract`](op/store/contract) runs against it. |\n| `sql` | `op/storeadapter/sql` | `database/sql` adapter for SQLite, MySQL 8.0+, PostgreSQL 14+. **Sub-module.** Contract harness exercises every substore against a real engine via testcontainers (`go test -tags=testcontainers`). |\n| `redis` | `op/storeadapter/redis` | Volatile substores (`InteractionStore`, `ConsumedJTIStore`). **Sub-module.** Refuses to start without TLS (`rediss://`) and AUTH unless `WithDevModeAllowPlaintext` is set explicitly. |\n| `composite` | `op/storeadapter/composite` | Hot/cold splitter — durable substores to one backend, volatile to another, while enforcing the transactional-cluster invariant. |\n\nDynamoDB is planned for v1.x as an additional sub-module. Background:\n[Operations — multi-instance](https://go-oidc-provider.libraz.net/operations/multi-instance).\n\n## Examples\n\nRunnable demos live under [`examples/`](examples/README.md) — see that index\nfor the full goal-oriented table, the numeric topic bands, and the docker\nstacks shipped with `07-mysql-store` and `09-redis-volatile`. 
Each row also\nmaps to a use-case page on the docs site under\n[Use cases](https://go-oidc-provider.libraz.net/use-cases/).\n\n```sh\ngo run -tags example ./examples/01-minimal\n```\n\n## Community\n\n- [SECURITY.md](SECURITY.md) — vulnerability reporting policy and supported\n  versions.\n- [CONTRIBUTING.md](CONTRIBUTING.md) — contribution mechanics, Conventional\n  Commits scopes, test layering expectations.\n- [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) — Contributor Covenant 2.1 and the\n  project's reporting channel.\n\n## License\n\nApache-2.0. See [LICENSE](LICENSE) and [NOTICE](NOTICE). Third-party dependency\nlicenses are tracked in [`THIRD_PARTY.md`](THIRD_PARTY.md), regenerated from\n`go.mod` by `make licenses`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flibraz%2Fgo-oidc-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flibraz%2Fgo-oidc-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flibraz%2Fgo-oidc-provider/lists"}
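The README's Quickstart and Local development sections say that `op.New` returns an error instead of booting in an unsafe configuration, and that `http://localhost` issuers are admitted only through an explicit dev-only opt-in. The following is an added example of what such a fail-fast check looks like, written for this page with only the Go standard library; it is not code from the go-oidc-provider project. The `Config` type, its field names, the error values and the exact rules it enforces (https-only issuer, plain http only on a loopback host and only with the opt-in, an issuer with no userinfo, query or fragment so discovery can append `/.well-known/openid-configuration`, a 32-byte cookie key, non-empty and unique kids) are this example's assumptions about what a constructor like that should refuse, not the library's documented behaviour.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Config is a hypothetical stand-in for the four required op.New options, not the library's type.
type Config struct {
	Issuer                 string
	CookieKey              []byte
	KeyIDs                 []string // kid of each Keyset entry
	AllowLocalhostLoopback bool     // the dev/CI-only opt-in from the README's "Local development" section
}

var (
	ErrIssuerShape  = errors.New("issuer must be an absolute URL with no userinfo, query or fragment")
	ErrIssuerScheme = errors.New("issuer must be https (http only on a loopback host with AllowLocalhostLoopback)")
	ErrCookieKeyLen = errors.New("cookie key must be exactly 32 bytes (AES-256-GCM)")
	ErrKeyset       = errors.New("keyset needs at least one key and every kid must be non-empty and unique")
)

// isLoopbackHost reports whether host is the textual "localhost" or a loopback IP literal (127.0.0.1, ::1).
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Validate applies the fail-fast checks: a discovery-compatible issuer shape, https unless the loopback
// opt-in admits plain http on the local machine, a 32-byte cookie key and a keyset with unique kids.
func Validate(c Config) error {
	u, err := url.Parse(c.Issuer)
	if err != nil || !u.IsAbs() || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return ErrIssuerShape
	}
	switch u.Scheme {
	case "https":
	case "http":
		// The opt-in admits only loopback hosts; http://idp.example.com stays rejected even with it set.
		if !c.AllowLocalhostLoopback || !isLoopbackHost(u.Hostname()) {
			return ErrIssuerScheme
		}
	default:
		return ErrIssuerScheme
	}
	if len(c.CookieKey) != 32 {
		return ErrCookieKeyLen
	}
	if len(c.KeyIDs) == 0 {
		return ErrKeyset
	}
	seen := make(map[string]bool, len(c.KeyIDs))
	for _, kid := range c.KeyIDs {
		if kid == "" || seen[kid] {
			return ErrKeyset
		}
		seen[kid] = true
	}
	return nil
}

// NewCookieKey draws a fresh 32-byte key from crypto/rand; persist it, or sessions die with the process.
func NewCookieKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewCookieKey()
	if err != nil {
		panic(err)
	}
	for _, c := range []Config{
		{Issuer: "https://idp.example.com", CookieKey: key, KeyIDs: []string{"k1"}},
		{Issuer: "http://127.0.0.1:8080", CookieKey: key, KeyIDs: []string{"k1"}},
		{Issuer: "http://127.0.0.1:8080", CookieKey: key, KeyIDs: []string{"k1"}, AllowLocalhostLoopback: true},
		{Issuer: "https://idp.example.com?x=1", CookieKey: key, KeyIDs: []string{"k1"}},
		{Issuer: "https://idp.example.com", CookieKey: key[:16], KeyIDs: []string{"k1", "k1"}},
	} {
		fmt.Printf("%-32s loopback=%-5v -> %v\n", c.Issuer, c.AllowLocalhostLoopback, Validate(c))
	}
}
```

The order of the checks is deliberate: the issuer shape is rejected before the scheme is inspected, so a URL that parsed oddly never reaches the loopback branch, and the opt-in flag widens only the `http` case rather than disabling validation as a whole. When porting one of the repository's loopback demos to production, the equivalent of dropping `op.WithAllowLocalhostLoopback()` is leaving `AllowLocalhostLoopback` false, which makes the second sample issuer above fail at startup instead of serving tokens over plaintext.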
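The Standards section lists DPoP (RFC 9449), the FAPI 2.0 switch enables it together with PAR and JAR, and the storage table names the `ConsumedJTIStore` that backs single-use `jti` checks. What an authorization server actually has to do when a DPoP proof arrives, as an added example written for this page and not code from the go-oidc-provider project: pin the algorithm before trusting the JWK embedded in the header, verify the ES256 signature with that key, bind the proof to the request's method, URI and time window, compare the key's RFC 7638 thumbprint with the `cnf.jkt` of the presented token, and refuse a replayed `jti`. Only the Go standard library is used. `SignProof` plays the client so the verifier has input, the function and parameter names are this example's own, and the in-memory `seen` map stands in for a real consumed-jti store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
const maxSkew = 5 * time.Minute // tolerated iat drift; a jti only needs remembering this long

// Thumbprint is the RFC 7638 JWK thumbprint (required members only, lexicographic order, no whitespace).
func Thumbprint(jwk map[string]string) string {
	canon := `{"crv":"` + jwk["crv"] + `","kty":"` + jwk["kty"] + `","x":"` + jwk["x"] + `","y":"` + jwk["y"] + `"}`
	sum := sha256.Sum256([]byte(canon))
	return b64.EncodeToString(sum[:])
}

// SignProof is the client side: an ES256 proof over the request method and URI carrying a fresh jti.
func SignProof(priv *ecdsa.PrivateKey, htm, htu, jti string, iat time.Time) (string, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(priv.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(priv.Y.FillBytes(make([]byte, 32)))}
	h, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	c, _ := json.Marshal(map[string]any{"jti": jti, "htm": htm, "htu": htu, "iat": iat.Unix()})
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are raw R||S, each left-padded to 32 bytes, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signing + "." + b64.EncodeToString(sig), nil
}

// Verify is the AS side: seen is the caller's consumed-jti set (the library's ConsumedJTIStore plays that
// role) and wantJKT, when non-empty, is the cnf.jkt of the access token presented alongside the proof.
func Verify(seen map[string]time.Time, proof, htm, htu, wantJKT string, now time.Time) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWS")
	}
	hb, errH := b64.DecodeString(parts[0])
	cb, errC := b64.DecodeString(parts[1])
	sb, errS := b64.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil || len(sb) != 64 {
		return "", errors.New("bad base64url segment")
	}
	// json.Unmarshal matches member names case-insensitively, so these anonymous structs need no tags.
	var h struct{ Typ, Alg string; JWK map[string]string }
	var c struct{ JTI, HTM, HTU string; IAT int64 }
	if json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil {
		return "", errors.New("bad JSON segment")
	}
	// Pin typ, alg and curve before touching the key: no "none", no RSA/HMAC confusion.
	if h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK["kty"] != "EC" || h.JWK["crv"] != "P-256" {
		return "", errors.New("unsupported typ, alg or jwk")
	}
	xb, errX := b64.DecodeString(h.JWK["x"])
	yb, errY := b64.DecodeString(h.JWK["y"])
	if errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 {
		return "", errors.New("bad EC coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // off-curve points make ecdsa.Verify return false
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])) {
		return "", errors.New("signature invalid")
	}
	iat := time.Unix(c.IAT, 0) // bind to this request: method, URI without query or fragment, freshness
	if c.HTM != htm || c.HTU != htu || iat.Before(now.Add(-maxSkew)) || iat.After(now.Add(maxSkew)) {
		return "", errors.New("htm, htu or iat does not match this request")
	}
	jkt := Thumbprint(h.JWK)
	if wantJKT != "" && jkt != wantJKT {
		return "", errors.New("proof key does not match the token's cnf.jkt")
	}
	// Single use: a jti may not appear twice inside the window (a real store also expires old entries).
	if _, dup := seen[c.JTI]; dup || c.JTI == "" {
		return "", errors.New("missing or replayed jti")
	}
	seen[c.JTI] = iat
	return jkt, nil // the AS binds a newly issued token to this thumbprint via cnf.jkt
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := SignProof(priv, "POST", "https://idp.example.com/token", "jti-1", time.Now())
	fmt.Println(Verify(map[string]time.Time{}, proof, "POST", "https://idp.example.com/token", "", time.Now()))
}
```

Two caveats a practitioner would add before using this shape: `htu` is compared literally here, so the caller must pass the request URI already normalised (lower-case scheme and host, no query or fragment, default port stripped) or an otherwise valid proof will be rejected; and the server-issued DPoP `nonce` from RFC 9449 section 8, which closes the pre-generated-proof window, is not modelled. The ordering matters for the replay cache: the `jti` is consumed only after every other check has passed, so a forged or mis-bound proof cannot burn a `jti` an honest client is about to present.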