by richardknop 3215 days ago
Hi, you can use resource owner password credentials grant which is part of OAuth2 spec:

https://github.com/RichardKnop/go-oauth2-server#resource-own...

It's basically a login with username and password.

If you want a fully fledged identity provider on top of OAuth2 (so create / update user account, password reset), I have a sample project which extends on the oauth2 repository and builds a full identity provider on top of it: https://github.com/RichardKnop/example-api

About dependencies: only two are required - etcd/consul and postgres. There are no other requirements.

Originally I developed this project while deploying to a CoreOS cluster so etcd was a native choice for storing app configuration in a distributed key store. Consul support was added later in form of a contribution as an alternative to etcd.

I also want to remove the dependency on etcd/consul completely and allow just simple configuration via environment variables to make the project more portable.


What I meant to ask is if this has things like user registration, password reset flow, two-factor authentication, account takeover prevention, etc.

I think removing 3rd party dependencies is always a good idea - it keeps things lean and removes ops overhead.

No, it doesn't have things like user registration, password reset flow, etc. I wanted to keep the project just as a straight OAuth2 server based on the spec, nothing more.

I have another project which I sometimes use as a boilerplate when working on ideas and I need a simple API for my prototyping. It contains all those things, such as registration, password reset flow, etc.:

https://github.com/RichardKnop/example-api

So how do people grant tokens then? They do need to log in somewhere?
The go-oauth2-server contains simple web forms (which you can style to match your UI) to handle the full authorization and implicit flows of OAuth2, so you would connect to the oauth2 server from your app, log in and be redirected back to the app with an authorization code, and then the app can obtain access and refresh tokens from the oauth2 server via an API call.

This is the normal authorization flow people are used to from Facebook/Github/LinkedIn; it works the same way. See the README for images of how the forms look out of the box, without any customization.

If you want to have an in-app login system, then for such a scenario the usual way I have implemented this before is to have a separate frontend layer, and it works something like this:

1) Frontend (mobile/web app) displays login form

2) Enter username and password

3) Use resource owner credentials grant to obtain access token via API call

4) Now you can make authenticated API calls with the access token (and use refresh token in the background to renew your access token)

In the case of a web application frontend (let's say a NodeJS app), the app would store the client ID and secret server side (so you would proxy all requests from the client app to the Node proxy, because we don't want to keep the client ID and secret in public JS).
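The four steps above, written out as an added example in Go (this is not code from go-oauth2-server or example-api). It shows the backend side of step 3 and the renewal from step 4: the server-side component that holds the client ID and secret posts the user's credentials to the token endpoint with HTTP Basic client authentication, then later uses the refresh token. The token endpoint path `/token`, the client credentials, the test user and the in-memory fake server are all constructed so the example runs offline; a real deployment would point `tokenURL` at the oauth2 server's token endpoint, and the real server would store only a password hash, not the plaintext this fake keeps.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// Constructed client credentials for the fake server below (assumption, not
// values from the project). They live on the server-side proxy only.
const (
	FakeClientID     = "example-client"
	FakeClientSecret = "example-secret"
)

// TokenResponse is the JSON body a token endpoint returns on success (RFC 6749 section 5.1).
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// PasswordGrant is step 3: exchange the user's username and password for tokens
// (resource owner password credentials grant, RFC 6749 section 4.3).
func PasswordGrant(tokenURL, clientID, clientSecret, username, password string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"password"}, "username": {username}, "password": {password}}
	return postToken(tokenURL, clientID, clientSecret, form)
}

// RefreshGrant is the background renewal from step 4 (RFC 6749 section 6).
func RefreshGrant(tokenURL, clientID, clientSecret, refreshToken string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}}
	return postToken(tokenURL, clientID, clientSecret, form)
}

func postToken(tokenURL, clientID, clientSecret string, form url.Values) (*TokenResponse, error) {
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // client authentication; the secret never reaches browser JS
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// NewFakeTokenServer is a constructed in-memory stand-in for the real token endpoint
// so the example runs offline. It checks client and user credentials in constant time
// and rotates refresh tokens (each one is single use).
func NewFakeTokenServer() *httptest.Server {
	users := map[string]string{"alice": "correct horse battery staple"} // constructed test user
	var mu sync.Mutex
	refresh := map[string]string{} // refresh token -> username
	issue := func(w http.ResponseWriter, user string) {
		mu.Lock()
		rt := randomToken()
		refresh[rt] = user
		mu.Unlock()
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(TokenResponse{AccessToken: randomToken(), TokenType: "Bearer", ExpiresIn: 3600, RefreshToken: rt})
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(id), []byte(FakeClientID)) != 1 ||
			subtle.ConstantTimeCompare([]byte(secret), []byte(FakeClientSecret)) != 1 {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		switch r.FormValue("grant_type") {
		case "password":
			user := r.FormValue("username")
			want, known := users[user]
			if !known || subtle.ConstantTimeCompare([]byte(r.FormValue("password")), []byte(want)) != 1 {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
				return
			}
			issue(w, user)
		case "refresh_token":
			mu.Lock()
			user, known := refresh[r.FormValue("refresh_token")]
			delete(refresh, r.FormValue("refresh_token")) // single use: a replayed refresh token fails
			mu.Unlock()
			if !known {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
				return
			}
			issue(w, user)
		default:
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeTokenServer()
	defer srv.Close()
	tr, err := PasswordGrant(srv.URL+"/token", FakeClientID, FakeClientSecret, "alice", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	renewed, err := RefreshGrant(srv.URL+"/token", FakeClientID, FakeClientSecret, tr.RefreshToken)
	if err != nil {
		panic(err)
	}
	fmt.Println("token type:", tr.TokenType, "renewed with new access token:", renewed.AccessToken != tr.AccessToken)
}
```

The two calls that fail in `main`'s siblings are the ones worth watching in production: a wrong user password and a wrong client secret both come back as non-200 responses, and the caller should treat them identically to the user (no hint about which part was wrong) while logging the `invalid_client` case separately, since it points at a misconfigured or leaked proxy credential rather than a user typo.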

Just in addition to my answer above, yes, there is a way to log in in my project. See the README, which showcases the built-in web forms.

The database contains a simple table to store usernames and passwords for resource owner credentials grant.

There is no API for registering a new user account though, which is what I meant.

You can do that manually by running an SQL statement to insert a new username and password, or by using the CLI and loading it from fixtures.

How you handle registering user accounts, updating user data, resetting passwords - all of that I wanted to leave open to implementation, as there are various ways in which this can be done and other people might prefer one over another, so I didn't want to prescribe a specific way to do it.

I offer my preferred implementation using JSON HAL in my extending project I mentioned above. If anybody is interested, they can still fork my example-api and customize that.

Test users available as fixture:

https://github.com/RichardKnop/go-oauth2-server/blob/master/...

  go-oauth2-server loaddata \
    oauth/fixtures/scopes.yml \
    oauth/fixtures/roles.yml \
    oauth/fixtures/test_clients.yml
to insert some test data into the database.