This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Authentication

Farshid Tavakolizadeh edited this page Aug 21, 2020 · 13 revisions

The go-sec authentication package offers token-based and basic authentication for HTTP APIs of web services.

This can be chained with rule-based authorization for additional access control; see Authorization.

Supported identity providers

Identity providers are OAuth 2.0 / OpenID Connect servers.

Token-Based Authentication

In token-based authentication, the user or application follows an OAuth 2.0 grant type (e.g. Client Credentials, Authorization Code), chosen according to the kind of application, to obtain a token from the identity provider. The token is passed to the web service on each request, and the web service validates it before granting access.

The token is typically a JSON Web Token (JWT), issued and signed by the identity provider. The web service verifies the token either locally, using the issuer's public key, or by calling the issuer's token introspection endpoint.

Authenticated Request

The token is sent in the Authorization request header field using the Bearer method. For example:

GET /rc/resources HTTP/1.1
Host: localhost
Authorization: Bearer QXV0aGVudGljYXRpb25Ub2tlbg==

Basic Authentication

In Basic Authentication, the user sends their credentials to the web service on each request. The service exchanges the credentials for a token at the identity provider using the OAuth 2.0 Resource Owner Password Credentials grant, then validates the issued token to grant access.

Basic Authentication should only be used if the requests are encrypted (i.e. sent over HTTPS) and if the user fully trusts the web service, since the service receives the plaintext password on every request.

Authenticated Request

The credentials (base64-encoded username:password) are sent in the Authorization request header field using the Basic method. For example:

GET /rc/resources HTTP/1.1
Host: localhost
Authorization: Basic dXNlcjEyMzpnVVJQNzQ=