{"id":21354933,"url":"https://github.com/salrashid123/sts","last_synced_at":"2025-03-16T05:23:28.928Z","repository":{"id":61623564,"uuid":"536289403","full_name":"salrashid123/sts","owner":"salrashid123","description":"Security Token Exchange Server (STS) Credentials for HTTP and gRPC (rfc8693)","archived":false,"fork":false,"pushed_at":"2023-10-27T16:51:30.000Z","size":85,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-22T17:47:02.092Z","etag":null,"topics":["authentication","sts"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-13T19:59:11.000Z","updated_at":"2023-11-11T03:08:25.000Z","dependencies_parsed_at":"2025-01-22T17:45:14.874Z","dependency_job_id":"87e4160c-f680-4e07-adfc-38cb0b724887","html_url":"https://github.com/salrashid123/sts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fsts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/sts/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243828606,"owners_count":20354529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","sts"],"created_at":"2024-11-22T04:15:21.235Z","updated_at":"2025-03-16T05:23:28.902Z","avatar_url":"https://github.com/salrashid123.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"##  Security Token Service (STS) Credentials for HTTP and gRPC (rfc8693)\n\n\nThis library provides `HTTP` and `gRPC` credentials where the final `access_token` is acquired through [STS OAuth 2.0 Token Exchange:  rfc8693](https://www.rfc-editor.org/rfc/rfc8693) \n\n\nYou can use this library to setup sts credentials for use with either `net/http` Client or  gRPC `RPCCredentials` where you exchange an intermediate credential with an STS server for a final `access_token`.   The final token is then used to access the resource server\n\n\n![images/sts.png](images/sts.png)\n\n\n---\n\n#### Examples\n\nsee `examples/` folder which is a sample trivial implementation from a different repo which i've deployed on cloud run.\n\nthe STS server accepts a bearer token `iammtheeggman` and responds back with a new token `iamthewalrus` where where the client uses the library described in this repo (ie., this repo is the client; the repo immediately below is a server)\n \nsee [Serverless Security Token Exchange Server(STS) and gRPC STS credentials](https://github.com/salrashid123/sts_server/blob/main/sts_server/sts_server.go#L44)\n\n```golang\nconst (\n\tinboundPassphrase  = \"iamtheeggman\"\n\toutboundPassphrase = \"iamthewalrus\"\n)\n```\n\n```log\n$ go run main.go \n2023/10/27 12:00:27 New Token: iamthewalrus\n2023/10/27 12:00:27 {\n  \"args\": {}, \n  \"headers\": {\n    \"Accept-Encoding\": \"gzip\", \n    \"Authorization\": \"Bearer iamthewalrus\", \n    \"Host\": \"httpbin.org\", \n    \"User-Agent\": \"Go-http-client/2.0\", \n    \"X-Amzn-Trace-Id\": \"Root=1-653bde9b-7b86e72a6e1006f802a9bc80\"\n  }, \n  \"origin\": \"108.51.25.168\", \n  \"url\": \"https://httpbin.org/get\"\n}\n2023/10/27 12:00:28 RPC Response: message:\"Hello unary RPC msg   from K_REVISION grpcserver-00006-vsr\"\n```\n\n##### `http`:\n\nthe first output shows the echo response back from httpbin:\n\n`client--\u003estsserver`  --\u003e `sts server responds back with a token` --\u003e `client sends new token to httpbin`\n\nthe output from httpbin's echo shows the bearer token it recieved (whcih is `iamthewalrus`)\n\n##### `grpc`\n\nthe second output shows the grpc response from a server on cloud run\n\n`client--\u003estsserver`  --\u003e `sts server responds back with a token` --\u003e `client sends new token to a grpc server which echo's back some data`\n\nthe GRPC server implenentation here only accepts a bearer token of `\"iamthewalrus\"` (which is what the sts server respond back with )\n\n---\n\n##### References\n\n* [Serverless Security Token Exchange Server(STS)](https://github.com/salrashid123/sts_server)\n* [Certificate Bound Tokens using Security Token Exchange Server (STS)](https://github.com/salrashid123/cert_bound_sts_server)\n\n\n---\n\n### HTTP\n\n\n```golang\nimport (\n\tstshttp \"github.com/salrashid123/sts/http\"\n)\n\n\n\trootTS := oauth2.StaticTokenSource(\u0026oauth2.Token{\n\t\tAccessToken: secret,\n\t\tTokenType:   \"Bearer\",\n\t\tExpiry:      time.Now().Add(time.Duration(time.Second * 60)),\n\t})\n\n\t// HTTP\n\tstsTokenSource, _ := stshttp.STSTokenSource(\n\t\t\u0026stshttp.STSTokenConfig{\n\t\t\tTokenExchangeServiceURI: *stsaddress,\n\t\t\tResource:                *stsaudience,\n\t\t\tAudience:                *stsaudience,\n\t\t\tScope:                   *scope,\n\t\t\tSubjectTokenSource:      rootTS,\n\t\t\tSubjectTokenType:        \"urn:ietf:params:oauth:token-type:access_token\",\n\t\t\tRequestedTokenType:      \"urn:ietf:params:oauth:token-type:access_token\",\n\t\t\tHTTPClient:              http.DefaultClient,\n\t\t},\n\t)\n\n\ttok, err := stsTokenSource.Token()\n\tlog.Printf(\"New Token: %s\", tok.AccessToken)\n\n\tclient := oauth2.NewClient(context.TODO(), stsTokenSource)\n\tresp, err := client.Get(*httpAddress)\n```\n\n---\n\n### gRPC\n\nNote that upstream [google.golang.org/grpc/credentials/sts](https://pkg.go.dev/google.golang.org/grpc/credentials/sts) provides the same credential object except that this variation allows for\n\n\n* arbitrary HTTPClients  [issue #5611](https://github.com/grpc/grpc-go/pull/5611)\n\n* allowing source tokens from arbitrary `oauth2.TokenSource`:\n\n```golang\n\t// token source for the subject token\n\tSubjectTokenSource *oauth2.TokenSource\n```    \n\n\nExample usage:\n\n```golang\nimport (\n\tstsgrpc \"github.com/salrashid123/sts/grpc\"\n)\n\n\n\trootTS := oauth2.StaticTokenSource(\u0026oauth2.Token{\n\t\tAccessToken: secret,\n\t\tTokenType:   \"Bearer\",\n\t\tExpiry:      time.Now().Add(time.Duration(time.Second * 60)),\n\t})\n\n\tce := credentials.NewTLS(\u0026tls.Config{})\n\n\t// ### test with sts\n\tstscreds, err := stsgrpc.NewCredentials(stsgrpc.Options{\n\t\tTokenExchangeServiceURI: *stsaddress,\n\t\tResource:                *stsaudience,\n\t\tAudience:                *stsaudience,\n\t\tScope:                   *scope,\n\t\tSubjectTokenSource:      \u0026rootTS,\n\t\tSubjectTokenType:        \"urn:ietf:params:oauth:token-type:access_token\",\n\t\tRequestedTokenType:      \"urn:ietf:params:oauth:token-type:access_token\",\n\t\tHTTPClient:              http.DefaultClient,\n\t})\n\n\tctx := context.Background()\n\n\tconn, err := grpc.Dial(*grpcAddress,\n\t\tgrpc.WithTransportCredentials(ce),\n\t\tgrpc.WithPerRPCCredentials(stscreds))\n\n\tdefer conn.Close()\n\tc := pb.NewEchoServerClient(conn)\n\n\tr, err := c.SayHello(ctx, \u0026pb.EchoRequest{Name: \"unary RPC msg \"})\n\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fsts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Fsts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fsts/lists"}