https://github.com/salrashid123/sts
Security Token Exchange Server (STS) Credentials for HTTP and gRPC (rfc8693)
- Host: GitHub
- URL: https://github.com/salrashid123/sts
- Owner: salrashid123
- License: apache-2.0
- Created: 2022-09-13T19:59:11.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2023-10-27T16:51:30.000Z (over 2 years ago)
- Last Synced: 2025-01-22T17:47:02.092Z (over 1 year ago)
- Topics: authentication, sts
- Language: Go
- Homepage:
- Size: 83 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Security Token Service (STS) Credentials for HTTP and gRPC (rfc8693)
This library provides `HTTP` and `gRPC` credentials where the final `access_token` is acquired through [STS OAuth 2.0 Token Exchange: rfc8693](https://www.rfc-editor.org/rfc/rfc8693).
You can use this library to set up STS credentials for use with either a `net/http` client or gRPC `PerRPCCredentials`: the client exchanges an intermediate (subject) credential with an STS server for a final `access_token`, and that final token is then presented to the resource server.

---
#### Examples
See the `examples/` folder, which exercises a trivial sample STS server from a different repo that I've deployed on Cloud Run.
That STS server accepts a bearer token `iamtheeggman` and responds with a new token `iamthewalrus`; the client side uses the library described in this repo (i.e., this repo is the client and the repo linked immediately below is the server):
see [Serverless Security Token Exchange Server(STS) and gRPC STS credentials](https://github.com/salrashid123/sts_server/blob/main/sts_server/sts_server.go#L44)
```golang
const (
inboundPassphrase = "iamtheeggman"
outboundPassphrase = "iamthewalrus"
)
```
```log
$ go run main.go
2023/10/27 12:00:27 New Token: iamthewalrus
2023/10/27 12:00:27 {
"args": {},
"headers": {
"Accept-Encoding": "gzip",
"Authorization": "Bearer iamthewalrus",
"Host": "httpbin.org",
"User-Agent": "Go-http-client/2.0",
"X-Amzn-Trace-Id": "Root=1-653bde9b-7b86e72a6e1006f802a9bc80"
},
"origin": "108.51.25.168",
"url": "https://httpbin.org/get"
}
2023/10/27 12:00:28 RPC Response: message:"Hello unary RPC msg from K_REVISION grpcserver-00006-vsr"
```
##### `http`:
The first output shows the echo response from httpbin:
`client-->stsserver` --> `sts server responds back with a token` --> `client sends new token to httpbin`
httpbin's echo shows the bearer token it received (which is `iamthewalrus`).
##### `grpc`
The second output shows the response from a gRPC server running on Cloud Run:
`client-->stsserver` --> `sts server responds back with a token` --> `client sends new token to a grpc server which echoes back some data`
The gRPC server implementation there only accepts a bearer token of `"iamthewalrus"` (which is what the STS server responds with).
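The two flows above, written out end to end as an added example that is not code from this repo or from the `sts_server` repo. It uses only the Go standard library, so it runs offline: `STSHandler` is a constructed in-process stand-in for the STS server (it accepts `iamtheeggman`, issues `iamthewalrus`, and only for an assumed audience of `https://httpbin.org`), and `Exchange` is a client that sends the RFC 8693 form parameters, which are the same values the library's `STSTokenConfig`/`Options` fields carry (`subject_token`, `subject_token_type`, `requested_token_type`, `audience`; `resource` and `scope` follow the same pattern and are left out here). The names `STSHandler`, `Exchange` and `ExchangeResponse` are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

const (
	grantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	typeAccessToken    = "urn:ietf:params:oauth:token-type:access_token"
	inboundPassphrase  = "iamtheeggman" // constructed: mirrors the sample STS server above
	outboundPassphrase = "iamthewalrus"
	expectedAudience   = "https://httpbin.org" // constructed: the only audience this STS issues for
)

// ExchangeResponse is the RFC 8693 section 2.2.1 success body; Expiry is computed client-side.
type ExchangeResponse struct {
	AccessToken     string    `json:"access_token"`
	IssuedTokenType string    `json:"issued_token_type"`
	ExpiresIn       int       `json:"expires_in,omitempty"`
	Expiry          time.Time `json:"-"`
}

// fail writes the RFC 6749 section 5.2 error body that RFC 8693 reuses.
func fail(w http.ResponseWriter, code, desc string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusBadRequest)
	json.NewEncoder(w).Encode(map[string]string{"error": code, "error_description": desc})
}

// STSHandler is the server side: every parameter is checked before the token is minted.
func STSHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.ParseForm() != nil {
		fail(w, "invalid_request", "expected a form-encoded POST")
		return
	}
	f := r.PostForm
	switch {
	case f.Get("grant_type") != grantTokenExchange || f.Get("subject_token_type") != typeAccessToken:
		fail(w, "invalid_request", "unsupported grant_type or subject_token_type")
	case f.Get("audience") != expectedAudience: // invalid_target is defined in RFC 8693 section 2.2.2
		fail(w, "invalid_target", "audience not allowed")
	case f.Get("subject_token") != inboundPassphrase: // the rejected token is never echoed back
		fail(w, "invalid_request", "subject token rejected")
	default:
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(ExchangeResponse{AccessToken: outboundPassphrase, IssuedTokenType: typeAccessToken, ExpiresIn: 60})
	}
}

// Exchange is the client side: it posts the RFC 8693 form and turns expires_in into an absolute Expiry.
func Exchange(c *http.Client, stsURL, subjectToken, audience string) (*ExchangeResponse, error) {
	form := url.Values{
		"grant_type":           {grantTokenExchange},
		"subject_token":        {subjectToken},
		"subject_token_type":   {typeAccessToken},
		"requested_token_type": {typeAccessToken},
		"audience":             {audience},
	}
	resp, err := c.Post(stsURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out struct { // one shape for both the success and the error body
		ExchangeResponse
		Error string `json:"error"`
	}
	// The STS is a remote party: cap the body and treat its content as untrusted input.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&out); err != nil {
		return nil, fmt.Errorf("sts: HTTP %d with unparseable body: %w", resp.StatusCode, err)
	}
	if resp.StatusCode != http.StatusOK || out.Error != "" {
		return nil, fmt.Errorf("sts error %q (HTTP %d)", out.Error, resp.StatusCode)
	}
	if out.AccessToken == "" || out.IssuedTokenType != typeAccessToken {
		return nil, fmt.Errorf("sts response lacks access_token or has issued_token_type %q", out.IssuedTokenType)
	}
	if out.ExpiresIn > 0 {
		out.Expiry = time.Now().Add(time.Duration(out.ExpiresIn) * time.Second)
	}
	return &out.ExchangeResponse, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(STSHandler))
	defer srv.Close()
	tok, err := Exchange(srv.Client(), srv.URL, inboundPassphrase, expectedAudience)
	if err != nil {
		panic(err)
	}
	fmt.Printf("New Token: %s (valid until %s)\n", tok.AccessToken, tok.Expiry.Format(time.RFC3339))
}
```

Two points carry over to the library's configuration: the subject token travels in the POST body to `TokenExchangeServiceURI`, so that URL should be HTTPS and the `HTTPClient` you pass should verify its certificate; and `expires_in` is the only expiry signal the client receives, so cache on the derived expiry instead of re-exchanging on every request (wrapping a source in `oauth2.ReuseTokenSource` gives you that).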
---
##### References
* [Serverless Security Token Exchange Server(STS)](https://github.com/salrashid123/sts_server)
* [Certificate Bound Tokens using Security Token Exchange Server (STS)](https://github.com/salrashid123/cert_bound_sts_server)
---
### HTTP
```golang
import (
	"context"
	"log"
	"net/http"
	"time"

	"golang.org/x/oauth2"

	stshttp "github.com/salrashid123/sts/http"
)

// secret, *stsaddress, *stsaudience, *scope and *httpAddress come from command-line flags in the example.
// The subject token the client already holds; any oauth2.TokenSource works here.
rootTS := oauth2.StaticTokenSource(&oauth2.Token{
	AccessToken: secret,
	TokenType:   "Bearer",
	Expiry:      time.Now().Add(60 * time.Second),
})
// HTTP: the STS endpoint receives the subject token in the request body, so use an HTTPS URI.
stsTokenSource, err := stshttp.STSTokenSource(
	&stshttp.STSTokenConfig{
		TokenExchangeServiceURI: *stsaddress,
		Resource:                *stsaudience,
		Audience:                *stsaudience,
		Scope:                   *scope,
		SubjectTokenSource:      rootTS,
		SubjectTokenType:        "urn:ietf:params:oauth:token-type:access_token",
		RequestedTokenType:      "urn:ietf:params:oauth:token-type:access_token",
		HTTPClient:              http.DefaultClient,
	},
)
if err != nil {
	log.Fatalf("creating STS token source: %v", err)
}
tok, err := stsTokenSource.Token()
if err != nil {
	log.Fatalf("exchanging token: %v", err)
}
log.Printf("New Token: %s", tok.AccessToken) // demo only: do not log bearer tokens in production
// oauth2.NewClient attaches the exchanged token as a Bearer header on every request.
client := oauth2.NewClient(context.TODO(), stsTokenSource)
resp, err := client.Get(*httpAddress)
if err != nil {
	log.Fatalf("calling resource server: %v", err)
}
defer resp.Body.Close()
```
---
### gRPC
Note that the upstream [google.golang.org/grpc/credentials/sts](https://pkg.go.dev/google.golang.org/grpc/credentials/sts) package provides the same credential object, except that this variation allows for
* arbitrary `HTTPClient`s (see grpc-go [#5611](https://github.com/grpc/grpc-go/pull/5611))
* source tokens from an arbitrary `oauth2.TokenSource`:
```golang
// token source for the subject token
SubjectTokenSource *oauth2.TokenSource
```
Example usage:
```golang
import (
	"context"
	"crypto/tls"
	"log"
	"net/http"
	"time"

	"golang.org/x/oauth2"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"

	stsgrpc "github.com/salrashid123/sts/grpc"
	// pb is the generated Echo service stub used by the example
)

// secret, *stsaddress, *stsaudience, *scope and *grpcAddress come from command-line flags in the example.
rootTS := oauth2.StaticTokenSource(&oauth2.Token{
	AccessToken: secret,
	TokenType:   "Bearer",
	Expiry:      time.Now().Add(60 * time.Second),
})
// TLS transport credentials: the exchanged bearer token is sent as per-RPC metadata,
// so the connection carrying it must be encrypted.
ce := credentials.NewTLS(&tls.Config{})
// ### test with sts
stscreds, err := stsgrpc.NewCredentials(stsgrpc.Options{
	TokenExchangeServiceURI: *stsaddress,
	Resource:                *stsaudience,
	Audience:                *stsaudience,
	Scope:                   *scope,
	SubjectTokenSource:      &rootTS, // this package takes a pointer to the oauth2.TokenSource
	SubjectTokenType:        "urn:ietf:params:oauth:token-type:access_token",
	RequestedTokenType:      "urn:ietf:params:oauth:token-type:access_token",
	HTTPClient:              http.DefaultClient,
})
if err != nil {
	log.Fatalf("creating STS credentials: %v", err)
}
ctx := context.Background()
conn, err := grpc.Dial(*grpcAddress,
	grpc.WithTransportCredentials(ce),
	grpc.WithPerRPCCredentials(stscreds))
if err != nil {
	log.Fatalf("dialing %s: %v", *grpcAddress, err)
}
defer conn.Close()
c := pb.NewEchoServerClient(conn)
r, err := c.SayHello(ctx, &pb.EchoRequest{Name: "unary RPC msg "})
if err != nil {
	log.Fatalf("SayHello: %v", err)
}
log.Printf("RPC Response: %v", r)
```