go get github.com/keratin/authn-server

github.com/keratin/authn-server/api/meta

D:\Go\src\github.com\keratin\authn-server\api\meta\get_jwks.go:14:13: undefined: jose.JSONWebKey
D:\Go\src\github.com\keratin\authn-server\api\meta\get_jwks.go:20:25: undefined: jose.JSONWebKey
D:\Go\src\github.com\keratin\authn-server\api\meta\get_jwks.go:29:35: undefined: jose.JSONWebKeySet
D:\Go\src\github.com\keratin\authn-server\api\meta\get_root.go:14:3: undefined: views.Root

If one uses docker-compose from the get-go, this could be a gotcha. Should migrations generally be part of runtime or separate?

Will this feature be implemented magic link authentication?

Hi,

I would like to implement a service level segmentation for the private API sections of Keratin, this would require that private APIs bind to local host and all communication is proxied through a service mesh which will terminate TLS locally and also control access to the private API.

In order to implement this I would like to be able to configure the bind address for the server changing it from 0.0.0.0 to a user specified value using environment variables.

Proposed Change:
Implement two new environment variables for the configuration of AuthN.
BIND_ADDRESS = ip address to bind the API to
PUBLIC_BIND_ADDRESS = ip address to bind the public API to

In a service mesh scenario I would have the public bind set to 0.0.0.0 to allow public inbound traffic to the cluster however the private API would be bound to 127.0.0.1 and all traffic proxied through the mesh.

If this is an acceptable proposal I would be more than happy to carry out this work and issue a pull request.

Kind regards,

Nic

The IP address printed in request logs is from req.RemoteAddr. But when authn-server is deployed behind a proxy (e.g. load balancer) the correct address is more commonly found in X-Forwarded-For.

But we only want to parse X-Forwarded-For when the server is behind a proxy. We can do this by enabling a config option that adds gorilla.ProxyHeaders to the middleware stack.

The function that validates emails, in my opinion, is poor:

https://github.com/keratin/authn-server/blob/master/services/util.go#L8-L14

There are some packages which validate emails: https://github.com/search?l=Go&q=email+validator&type=Repositories

We need to find a solution that does it better. I think, the authn-server must has a few options like validate by regexp, smtp checking, dns checking, or at all without email validation step.

Email validation is not simple because of the RFC.

Please make the server plugin-able so we add easily add emailer, backend to backend communication and so on.

I just ran a docker run command mentioned in the documentation and got "Origin is not a trusted host." error.
How can i get rid of this?

while following the instructions in README I encountered a few issues while trying to get the dev environment setup. I will open this issue to track the fixes in my pull request

• Mac OSX High Sierra
• go version go1.9.3 darwin/amd64

these issues were encountered while running make vendor (Step 2):

go install
# github.com/keratin/authn-server/lib/compat
../../keratin/authn-server/lib/compat/key_id.go:20:9: undefined: jose.JSONWebKey
make: *** [vendor] Error 2

this issue is due to the import of github.com/square/go-jose, which should be gopkg.in/square/go-jose.v2 per the docs

once that is cleared up we get this error: (ran make clean && make vendor)

go install
# github.com/keratin/authn-server/api/meta
api/meta/get_root.go:14:3: undefined: views.Root
make: *** [vendor] Error 2

which is because /api/views/root.ego has not been compiled, this leads to a more abstract issue, where the dep cmd ego is not installed in the Makefile (although it is in travis.yml and Dockerfile.builder), so if you have never used ego then it won't be installed and the thus the error.

Adding it to make vendor fixes this but sort of "breaks" the Makefile workflow or could add bloat, so I changed vendor -> init and have it call `$(EGOS)

I would also suggest adding ego to glide.yaml as a dep, but since you left it out I will also at this time

Let me know your thoughts?

As the title states, it would be nice to see this listen on https://github.com/avelino/awesome-go to make it more discoverable.

• Manage dev dependency through docker-compose
• Add accounts table migration
• Add AccountStore implementation (probably a near-copy of MySQL + Sqlite)
• Add to existing AccountStore tests

Hi there,

I have been trying to implement OAuth2 with Github however my I am getting an error from Cloudflare which is sitting in front of my public IP address. I can see the request hitting the AuthN server in the logs however something strange seems to be happening when It attempts to redirect back to the homepage.

My current settings are that I am running on kubernetes, authn traffic is routed on the path /auth and everything works fine for normal logins and signups but I am not having a great deal of success with OAuth. I will take cloudflare out of the picture tomorrow to see if I can get things up and running with plain DNS.

Kind regards,

Nic

Error 1000 Ray ID: 46754461f5f09b1a • 2018-10-10 01:20:54 UTC
DNS points to prohibited IP
What happened?

You've requested a page on a website (xn--emjify-4v74e.ws) that is on the Cloudflare network. Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare's system.
What can I do?

If you are the owner of this website:
you should login to Cloudflare and change the DNS A records for xn--emjify-4v74e.ws to resolve to a different IP address.

I am running with the following error while connecting authn-server to my postgresql docker instance.

panic: NewRefreshTokenStore: unsupported driver: postgres

The Go client should:

• offer a client for private API endpoints
• provide a helper method to verify an AuthN JWT
• fetch and cache AuthN public keys for verification

The current reference implementation for backend clients is https://github.com/keratin/authn-rb.

Why is the db path fixed within current binary path?

How can i signup user from my backend ?

response is  'Origin is not a trusted host.' 
 Error: Request failed with status code 403

When i do POST request to /accounts with username and password i get error.

Also which url should i use to perform signup from backend AUTHN_URL?
Or same as i do from browser?

for example now getting the user from my backend is working like
http://HTTP_AUTH_USERNAME:HTTP_AUTH_PASSWORD@authn:3000/accounts/${userId}
but performing POST for signup from backend caused error

JWT support will be nice to integrate AuthN with kong and similar systems

I find Origin checking somewhat clunky.

Consider these use cases:

1. Communicate backend to backend using AuthN public API. In this case the other backend needs to set Origin header manually (and redundantly).
2. The Origin header is only set automatically by the browser in the case of CORS. It is entirely possible to host the API in a separate path, e.g. /api while hosting the web app from the same domain. In this case the Origin header is not set by the browser?
3. When using Postman it is easy to spoof origin checking, so I don't think it gives much value in terms of security defence. Also it is a bit of a gotcha for newcomers just testing things out.

Hence I think there should be an option to turn off Origin checking completely.

Will something like this be implemented?

can we use vk.com OAuth provider for users?

FormatDSN(): root:xxxx@tcp(127.0.0.1:3306)/authnservertest?parseTime=true
panic: data.NewDB: this authentication plugin is not supported

Are y'all planning to add some sort of permission/role based system into the mix? Or would you expect the people using this microservice to keep track of emails/permissions for authorization type functionality?

Hey guys,

How would single sign on (SSO) work between 2 applications that use Keratin AuthN?

So lets say a user goes to App1 (app1.mycompany.com) and successfully logs into AuthN (auth.mycompany.com) by entering his/her username and password that are then posted to AuthN.
If the user then goes to App2 (app2.mycompany.com) how does this app handle the fact that the user already has a session at AuthN without the user having to re-enter his/her username and password?

Thank you!

Hello @cainlevy! Thanks for a great project 👍

It is the real world problem when people use email temporarily services (e.g. getnada.com) for creating accounts.

I propose to add a new configuration option - EMAIL_USERNAME_DISPOSABLE_DOMAINS like EMAIL_USERNAME_DOMAINS option to prevent this behaviour.

Webhooks like a password reset expect a 2xx response back, otherwise they'll retry on a schedule before the message is dropped.

Hi, would storing key/value pairs on the user be within scope of the project? I might be able to skip having a separate user store in the application altogether if I'm able to store arbitrary data with the user.

Some deployments may prefer to only expose public routes to the public, with private routing between the application's backend and the authn server. Permitting only the public URLs in a firewall is finicky, error-prone, and hard to maintain.

My best solution for supporting this while remaining backwards compatible is to listen on two ports:

1. public and private routes
2. public routes only

With this setup, a firewall could easily route to the second port. Internal routing can still use the first.

For example i have created the user on register from frontend- when i do- i first create in auth from client-> then send the info with account_id to server and create user in app database with its info- but > what if the server side fails- i should some how remove the user from auth. Is there things for such cases?

The Migrate task is not working, it fails with the below exception.

authn-server git:(master) make migrate
go run -ldflags "-X main.VERSION=1.1.0" *.go migrate
go run: cannot run *_test.go files (routing_test.go)
make: *** [migrate] Error 1

Have to fix that by individually specifying the files in the Makefile's migrate task.
go run -ldflags "-X main.VERSION=$(VERSION)" main.go routing.go migrate

to be able to login with a link would be a great feature

AuthN is designed for direct communication from an application's frontend. Attempting to proxy frontend communication through the application's backend is extra work (cookies, origin header) and increases the application's exposure to user passwords.

Please use docute, it reads the markdown files and shows them in a nice and readable web page

https://github.com/leptosia/docute
https://gohugo.io/

Why in this example https://github.com/keratin/authn-server/blob/master/docs/guide-deploying_with_docker.md docker-compose uses redis and mysql, but there is no description in docs, how to add additional user info fields?

Also is there some build in things for ACL?

Hello @cainlevy

It is very good that you continue to develop the project 👍

Did you think about a web GUI for the project?

Hi,

If running authn-server in k8s behind an ingress which has the following path based routing:
/auth -> authn
/ -> website

When a user logs into the site a CORS error will be returned as since the domain is the same for the post the browser will not send an Origin header or attempt pre-flight.

I read the previous comment about disabling CORS and agree that it should be in place however I am wondering if there is a fix for same domain hosted applications.

I have sat the authn-server with docker-compose like in example- how can i inspect content with navicat? I tryed to connect but the connection fails to mysql /redis?

I found an issue that caused me confusion. First I thought that it was a front-end issue, but it is in the back end, and the front end will report success even though the passwords are different.

To reproduce:

Step 1
Sign up using credentials:
Username: User1234
Password: 9oiajshdfioudewiuufjhi8127y4981

Expect: Token (201)
Result: Token (201)

Step 2:
Sign up using credentials:
Username: User1234
Password: sometotallydifferentPassword1897387214

Expect: TAKEN
Result: Token (201)

AuthN could support both gRPC and REST by converting the core service to gRPC and integrating https://github.com/grpc-ecosystem/grpc-gateway. This could make it easier to write backend clients in target languages while maintaining flexibility for frontend clients that don't want to bundle grpc-web (50kb).

For example in case if i dont know the authn mysql user id- how can i get it?

Is there a way- how can i get the user from auth if i know only the email or username ?

An official Python client would close the triangle of popular microservice languages

Hi,

I am almost there with my demo, I just have one last thing, github auth is redirecting back to the authn server which is located at https://auth.xn--emjify-4v74e.ws/ this then attempts to redirect back to my home page at https://xn--emjify-4v74e.ws/, however, I am getting a location of http://xn--emjify-4v74e.ws in the redirect.

Cloudflare will redirect this back to https but not sure if this is causing problems with the cookie not being returned. I am also seeing odd logs complaining about the cookie.

 2018/10/15 15:31:59 [2018-10-15 15:31:59.807219352 +0000 UTC m=+23.930634267][GET /oauth/github/return?code=a669a11bf9f9f9c06c2a] getState: Cookie: http: named cookie not present
10.0.2.4 - - [15/Oct/2018:15:31:59 +0000] "GET /oauth/github/return?code=a669a11bf9f9f9c06c2a HTTP/1.1" 303 53 "https://xn--emjify-4v74e.ws/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:62.0) Gecko/20100101 Firefox/62.0"
10.0.2.35 - - [15/Oct/2018:15:32:36 +0000] "GET / HTTP/1.1" 200 39271 "" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" 

This looks like a cool project, nice work! ✨

I was reading the README and noticed it's mentioned as being GPL, though it looks like there's and LGPL license in the project root. Might be good to clarify which license it is, I can open a PR for that if you want 💁‍♂️

Please add

• tcp
• rabbitmq
• nats

AuthN should add a PATCH /account API that requires an active session and allows updating the username of the session's account. Updates through this endpoint should send a notification to the app.

This should complement the PATCH /accounts/:id API, which is private and allows updating the username of any account.

Why Redis and SQL? What does each do?

Does this support the use-case where users signup / login via 3rd party OAuth (I.E Github / Facebook) ?

Using postman, I generated a request GET /password/reset?username=kengo to reset username by following the document; however server always returns 404 page not found.

I am using Postman

Hey, @cainlevy

Can you build a release of AuthN for Windows?

Opentracing integration would be great

http://opentracing.io/

can you publish the OAuth repo to docker hub, please?