{"id":43349407,"url":"https://github.com/ticketmaster/authentication","last_synced_at":"2026-02-02T02:14:30.498Z","repository":{"id":40281361,"uuid":"295884499","full_name":"ticketmaster/authentication","owner":"ticketmaster","description":"Authentication library for Go APIs","archived":false,"fork":false,"pushed_at":"2023-12-15T02:58:43.000Z","size":8103,"stargazers_count":0,"open_issues_count":6,"forks_count":0,"subscribers_count":9,"default_branch":"master","last_synced_at":"2023-12-15T03:57:29.634Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ticketmaster.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-09-16T00:49:09.000Z","updated_at":"2020-09-16T02:43:57.000Z","dependencies_parsed_at":"2023-12-15T03:48:21.344Z","dependency_job_id":"11771cd6-241f-46e0-bae9-25ac87e197f6","html_url":"https://github.com/ticketmaster/authentication","commit_stats":null,"previous_names":[],"tags_count":2,"template":null,"template_full_name":null,"purl":"pkg:github/ticketmaster/authentication","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ticketmaster%2Fauthentication","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ticketmaster%2Fauthentication/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ticketmaster%2Fauthentication/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ticketmaster%2Fauthentication/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ticketmast
er","download_url":"https://codeload.github.com/ticketmaster/authentication/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ticketmaster%2Fauthentication/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29001653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-02T01:32:03.847Z","status":"online","status_checked_at":"2026-02-02T02:00:07.448Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-02T02:14:29.985Z","updated_at":"2026-02-02T02:14:30.493Z","avatar_url":"https://github.com/ticketmaster.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authentication\n\n## TL\u0026DR\nAuthentication/authorization library for Go-based APIs. Supports Gin and Revel.\n\n# Authentication/Authorization\n\n## Overview\n\nThis library enables users to authenticate either locally to a Go-based API or to an external authentication provider such as LDAP. Once authenticated, the package evaluates the user's group membership (e.g., role) and matches the aggregated roles to system-defined authorization rules (e.g., authentication.yaml). 
Authorization rules determine what level of access the user has to an API end-point.\n\n## Dependencies\n\nThe authentication package requires that the system implements either [Gin](https://github.com/gin-gonic/gin) or [Revel](https://revel.github.io/) for route handling. The chief difference between the two frameworks is that Gin is strictly an API framework whereas Revel is a true web framework with front-end support.\n\nFor LDAP support, the API implementing this middleware must import an authentication.yaml file with defined rules. See sample_authentication.yaml.\n\n## How It Works\n\nImplementation of the authentication package is quite simple. Note that the following process assumes that the routing framework is Gin.\n\n1. In your main.go file, create a new router object `router := gin.Default()`\n2. To enable authentication, simply import the authentication package and call the `UseAuthentication` method (see below).\n\n```go\npackage main\nimport (\n\tfilter \"github.com/ticketmaster/authentication/gin\"\n\t\"github.com/gin-gonic/gin\"\n\t_ \"github.com/lib/pq\"\n)\nfunc main() {\n    router := gin.Default()\n    /* Default automatically creates routes for logging, etc. See gin documentation for additional options */\n    err := filter.UseAuthentication(router, filter.NewAuthenticationOptions())\n    ...\n}\n```\n\nThe `NewAuthenticationOptions` method loads all the definitions stored in the authentication.yaml file into memory for system consumption.\n\n### Authentication/Authorization Definitions\n\nThere are two main sections to the authentication.yaml file. One section is for authentication and the other is for authorization. In the authentication section, one must instruct the system to either authenticate locally (e.g., memory) or remotely (e.g. 
LDAP).\n\n#### Local Authentication\n\n```yaml\nauthenticationClient:\n  - provider: memory # memory or ldap.\n    origin: testOrigin # grouping for rule association.\n    users:\n      - username: test # local user.\n        password: testpass # plaintext password - not secure!\n        name: My Name # name of user.\n        email: test@test.com # email of user.\n        roles: # either role or roles.\n          - testRole # role/group user is a member of.\n          - testRole2 # role/group user is a member of.\n...\n```\n\n#### Remote Authentication\n\n```yaml\nauthenticationClient:\n  - provider: ldap # memory or ldap.\n    endpoint: foo.bar.local # authentication provider.\n    baseDN: DC=foo,DC=bar # ldap DN to search for user accounts.\n    port: 636 # ldap port.\n    useTLS: true # TLS for secure communication.\n    shortDomain: foobar # instructs the package to assume techops domain.\n    tlsServerName: foo.bar.local # SNI for endpoint.\n...\n```\n\n#### Authorization\n\nNext, we define the authorization rules. Although the package supports the ability to \u003cu\u003eexplicitly allow\u003c/u\u003e and \u003cu\u003eexplicitly deny\u003c/u\u003e access to routing end-points, it is best to focus on one or the other. Otherwise, we run the risk of accidentally granting access to a sensitive resource because of rule precedence.\n\nTo ensure that the API is secure, we \u003cu\u003eimplicitly deny\u003c/u\u003e access to all routes, thus cutting off all access to the API right from the get-go. Then we create rules that explicitly grant access to routes and HTTP methods based on role membership.\n\n```yaml\n#^^^ authentication rules go above\nauthorization:\n  default: deny # allow or deny. 
in this case, implicitly deny access to all routes\n  rules:\n    - ruleType: route # apply rule to route\n      method: GET # HTTP method to apply the rule to\n      route:\n        - /mypath # route end-point\n      authorize: allow # allow or deny - since we implicitly deny, avoid adding deny rules\n      role: \"NotRoot\" # Either a defined role for local auth or an AD Security Group\n      origin: foo # grouping for rule association - must match field value in authentication section\n```\n\nA simple note on authorization rules. You can define as many rules as you wish, but be very careful with how you define the routes for each rule. It is best to group routes based on method(s), and limit the number of unique rules. For example:\n\n- Rule 1: Allow all authenticated users in NotRoot, read access (GET)\n- Rule 2: Allow all members of Operator, read and modify access (GET/PUT/PATCH)\n- Rule 3: Allow all members of Administrator, read, modify and delete access (GET/PUT/PATCH/DELETE)\n\nAs such, the methods would look like:\n\n```yaml\n# Rule 1\n...\n      method:\n        - GET\n...\n# Rule 2 (Operator roles)\n...\n      method:\n        - GET\n        - PUT\n        - PATCH\n...\n# Rule 3 (Administrator roles)\n...\n      method:\n        - GET\n        - PUT\n        - PATCH\n        - DELETE\n...\n```\n\n#### JSON Web Token\n\nThe last component of the authentication.yaml file is the configuration options for the JSON Web Token (JWT). For this, all we need to do is include the certificate pair for the API (used for signing/decrypting tokens) and the expiration value for the token.\n\n```yaml\n# ^^^ authentication/authorization rules\nprivateKey: \"private.key\"\npublicKey: \"sign.crt\"\njwtExpiration: \"1h\"\n```\n\nTo request a token, all users have to do is submit a JSON payload to `/login`, using POST. 
For example:\n\n```bash\ncurl --header \"Content-Type: application/json\" \\\n  --request POST \\\n  --data '{\"username\":\"xyz\",\"password\":\"xyz\"}' \\\n  https://myapi/login\n```\n\nThe aforementioned request will return a JSON object with a token. \n\nThe following expands on the request and includes using the token to make a GET request to the virtualserver end-point.\n\n```bash\n# Set Token\nTOKEN=$(curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{\"username\":\"{username}\",\"password\":\"{password}\",\"rememberMe\":false}' https://myapi/login | jq -r '.id_token')\n\ncurl -H 'Accept: application/json' -H \"Authorization: Bearer ${TOKEN}\" https://myapi/mypath\n```\n\n\n\n## Credits\n- Author: Mike Walker\n- Contributors: Carlos Villanueva\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fticketmaster%2Fauthentication","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fticketmaster%2Fauthentication","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fticketmaster%2Fauthentication/lists"}