/auth-htmx

Experiment with Go + HTMX and OAuth2/OIDC + WebAuthn


Go + HTMX + OAuth2/OIDC + WebAuthn

A very simple example of HTMX with OAuth2, featuring:

  • Go HTML templating engine.
  • HTMX solution for SSR.
  • OAuth2 with GitHub Auth and OIDC. OAuth2 delegates authentication to another authentication service; OIDC provides identities.
  • CSRF protection measures for OAuth2 and all requests.
  • SQLite3 with sqlc and golang-migrate.
  • Optional users in database as Identity Provider. Authentication is through WebAuthn, a solution to delegate authentication directly to the user.
  • JWT is used as the session token.
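The session-token item above says a JWT carries the session. The following is an added example, not code from the auth-htmx project, showing what minting and checking such a token with the JWT_SECRET involves when done with only the Go standard library: an HS256 signature, an `alg` check so a token claiming `none` is rejected, and an expiry check. The claim layout (`sub`, `iat`, `exp`) and the sample subject value are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the session payload. The field set is an assumption for this
// example; the project's own claims are not shown in the README.
type Claims struct {
	Subject   string `json:"sub"` // identity obtained via OIDC or the GitHub API
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// hs256 returns the base64url-encoded HMAC-SHA256 of signingInput under secret.
func hs256(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// IssueSession mints an HS256 JWT for subject that expires ttl after now.
func IssueSession(secret []byte, subject string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Subject: subject, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return signingInput + "." + hs256(secret, signingInput), nil
}

// VerifySession returns the claims only if the token is well formed, signed
// with HS256 under secret, and not yet expired at time now.
func VerifySession(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three segments")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad header: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: a token whose header says "none" (or anything else) is rejected.
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("jwt: header rejected (only HS256 is accepted)")
	}
	// Check the signature before trusting anything in the payload.
	signingInput := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(parts[2]), []byte(hs256(secret, signingInput))) {
		return nil, errors.New("jwt: signature mismatch")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, fmt.Errorf("jwt: bad claims: %w", err)
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("jwt: session expired")
	}
	return &c, nil
}

func main() {
	secret := []byte("secret") // the README's sample JWT_SECRET; use a long random value in practice
	now := time.Now()
	tok, err := IssueSession(secret, "github:example-user", now, time.Hour) // constructed subject
	fmt.Println(tok, err)
	claims, err := VerifySession(secret, tok, now.Add(30*time.Minute))
	fmt.Printf("%+v %v\n", claims, err)
}
```

The signature is compared with `hmac.Equal` rather than `==` so that comparison time does not depend on how many leading bytes match, and the claims are decoded only after the signature has been checked.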

Embellishment:

  • Notyf to notify about errors, including HTMX errors.
  • Added Hyperscript for edge cases.

Motivation

For the hype.

Usage

  1. Edit the config.yaml to set the OAuth2 providers.

  2. Set the necessary parameters or environment variables:

    ## .env.local
    ## A 32-byte hex secret ()
    CSRF_SECRET=51b22632498f26d9131c4743b72c362567b5b4c96ac5e0f4fef7cb58ecac5684
    ## A unique string secret
    JWT_SECRET=secret
    ## PUBLIC_URL is the base of the redirect URL, which is ${PUBLIC_URL}/callback
    PUBLIC_URL=http://localhost:3000 # redirectURL: http://localhost:3000/callback
    DB_PATH=/data/db.sqlite3
    # CONFIG_PATH=/path/to/config.yaml

  3. Run the binary:

    ./auth-htmx

Help:

NAME:
   auth-htmx - Demo of Auth and HTMX.

USAGE:
   auth-htmx [global options] command [command options] [arguments...]

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --csrf.secret value            A 32 bytes hex secret [$CSRF_SECRET]
   --jwt.secret value             A unique string secret [$JWT_SECRET]
   --config.path value, -c value  Path of the configuration file. (default: "./config.yaml") [$CONFIG_PATH]
   --public-url value             An URL pointing to the server. (default: "http://localhost:3000") [$PUBLIC_URL]
   --db.path value                SQLite3 database file path. (default: "./db.sqlite3") [$DB_PATH]
   --help, -h                     show help
   --version, -v                  print the version

Application Flow

  • A home page:
    • Show login button if not logged in.
    • Else, show a welcome with routing.
  • A protected counter page.

The login process follows the standard OAuth2 process, which is fully documented on GitHub.

The user's identity is fetched through OIDC or the GitHub API.
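The feature list mentions CSRF protection for OAuth2, and the usage section derives the redirect URL from PUBLIC_URL as ${PUBLIC_URL}/callback. The following is an added example, not code from the auth-htmx project, of the login and callback legs of that flow using only the Go standard library: a random `state` nonce is sent to the provider and a signed copy is pinned to the browser in a cookie, and the callback refuses to use the authorization code unless the echoed `state` matches that cookie. The cookie name, the `Config` struct, the `scope` value and the client id are assumptions; the authorization endpoint is GitHub's, and the CSRF secret is the README's sample value.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Config mirrors the README's settings; its layout is an assumption for this example.
type Config struct {
	PublicURL    string // PUBLIC_URL; redirect_uri is PUBLIC_URL + "/callback"
	CSRFSecret   []byte // decoded CSRF_SECRET (32 bytes)
	AuthorizeURL string // the provider's authorization endpoint
	ClientID     string
}

const stateCookie = "oauth_state" // cookie name chosen for this example

// RedirectURL derives the redirect_uri from PUBLIC_URL as the README describes.
func RedirectURL(publicURL string) string {
	return strings.TrimRight(publicURL, "/") + "/callback"
}

// tag is HMAC-SHA256(secret, msg), hex encoded.
func tag(secret []byte, msg string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(msg))
	return hex.EncodeToString(mac.Sum(nil))
}

// NewState returns a random nonce (sent to the provider as `state`) and the
// signed "nonce.tag" value kept in a cookie so the callback can match it.
func NewState(secret []byte) (nonce, cookieValue string, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	nonce = hex.EncodeToString(raw)
	return nonce, nonce + "." + tag(secret, nonce), nil
}

// VerifyState accepts the callback only if the cookie's tag is intact and the
// provider echoed exactly the nonce this browser was issued.
func VerifyState(secret []byte, cookieValue, queryState string) error {
	nonce, sig, ok := strings.Cut(cookieValue, ".")
	if !ok {
		return errors.New("state cookie malformed")
	}
	if !hmac.Equal([]byte(sig), []byte(tag(secret, nonce))) {
		return errors.New("state cookie signature invalid")
	}
	if !hmac.Equal([]byte(nonce), []byte(queryState)) {
		return errors.New("state mismatch: login was not started by this browser")
	}
	return nil
}

// AuthorizeURL builds the redirect to the provider's authorization endpoint.
func AuthorizeURL(cfg Config, state string) string {
	q := url.Values{"client_id": {cfg.ClientID}, "redirect_uri": {RedirectURL(cfg.PublicURL)},
		"response_type": {"code"}, "scope": {"openid profile email"}, "state": {state}}
	return cfg.AuthorizeURL + "?" + q.Encode()
}

// GET /login: mint the state, pin it to the browser in a cookie, redirect to the provider.
func loginHandler(cfg Config) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		nonce, cookieValue, err := NewState(cfg.CSRFSecret)
		if err != nil {
			http.Error(w, "cannot create state", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: cookieValue, Path: "/callback", MaxAge: 600,
			HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: strings.HasPrefix(cfg.PublicURL, "https://")})
		http.Redirect(w, r, AuthorizeURL(cfg, nonce), http.StatusFound)
	}
}

// GET /callback: verify state before the authorization code is used at all.
func callbackHandler(cfg Config) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(stateCookie)
		if err == nil {
			err = VerifyState(cfg.CSRFSecret, c.Value, r.URL.Query().Get("state"))
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: stateCookie, Path: "/callback", MaxAge: -1}) // one-time use
		// The code exchange and the identity fetch (OIDC or GitHub API) would follow here.
		fmt.Fprintf(w, "state verified; code=%q\n", r.URL.Query().Get("code"))
	}
}

func main() {
	secret, _ := hex.DecodeString("51b22632498f26d9131c4743b72c362567b5b4c96ac5e0f4fef7cb58ecac5684") // README sample
	cfg := Config{PublicURL: "http://localhost:3000", CSRFSecret: secret,
		AuthorizeURL: "https://github.com/login/oauth/authorize", ClientID: "example-client-id"}
	http.HandleFunc("/login", loginHandler(cfg))
	http.HandleFunc("/callback", callbackHandler(cfg))
	fmt.Println(http.ListenAndServe(":3000", nil))
}
```

Signing the cookie with the CSRF secret means a callback can only succeed for a browser that actually visited /login on this server, and the cookie is scoped to /callback, marked HttpOnly and SameSite=Lax, and deleted once consumed so a captured state cannot be replayed.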