The latest articles on DEV Community by Mehul Gohil (@mehulgohil). https://dev.to/mehulgohil https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1081624%2F93be727e-5f2d-475b-ba7b-2272b0323c29.jpeg https://dev.to/mehulgohil en Mehul Gohil Mon, 15 May 2023 05:15:55 +0000 https://dev.to/mehulgohil/backend-for-frontend-authentication-in-go-2e98 https://dev.to/mehulgohil/backend-for-frontend-authentication-in-go-2e98 <p>In the realm of modern web development, creating secure and efficient user authentication flows is paramount. With the rise of microservices and distributed architectures, implementing a robust authentication strategy becomes even more crucial.</p> <p>The Backend for Frontend (BFF) authentication pattern is a design approach that focuses on providing a dedicated backend to handle and address all authentication requirements and challenges of the frontend application (SPA).</p> <h2> <strong>OBJECTIVES</strong> </h2> <p>The primary objective of the tech blog is to educate readers about the Backend for Frontend (BFF) authentication pattern and its implementation in the Go programming language. The blog will provide a comprehensive overview of the pattern, its benefits, and the challenges it solves in the context of building authentication systems for front-end applications.</p> <h2> <strong>History</strong> </h2> <p>SPAs typically use token-based authentication, such as JSON Web Tokens (JWTs), to authenticate and authorize users. However, managing tokens securely in SPA can be challenging. Storing tokens in client-side storage (e.g., local storage or cookies) can expose them to potential attacks like cross-site request forgery (CSRF). Developers must implement stringent security measures to protect tokens and prevent unauthorized access or misuse.</p> <p>The BFF pattern solves this problem by introducing an intermediate layer — the Backend for Frontend. This layer acts as a proxy between the front-end client and the main backend services, handling authentication-related concerns and providing a specialized authentication interface.</p> <h2> <strong>Flow Diagram</strong> </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RO-kOoMX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/peyjcffddp5s8jtbq07x.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RO-kOoMX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/peyjcffddp5s8jtbq07x.png" alt="Image description" width="554" height="364"></a></p> <ol> <li><p>When the frontend needs to authenticate the user, it calls an API endpoint (/login) on the BFF to start the login handshake.</p></li> <li><p>The BFF uses OAuth2 Authorization Code Flow to connect with Auth0 to authenticate and authorize the user and get the id and access tokens.</p></li> <li><p>The backend stores the user’s tokens in a cache.</p></li> <li><p>An encrypted cookie is issued for the frontend representing the user authentication session.</p></li> <li><p>When the frontend needs to call an external API, it passes the encrypted cookie to the BFF together with the URL and data to invoke the API.</p></li> <li><p>The BFF retrieves the access token from the cache and makes a call to the backend API including that token on the authorization header.</p></li> <li><p>When the external API returns a response to the BFF, this one forwards that response back to the frontend.</p></li> </ol> <h2> <strong>Implementation</strong> </h2> <h3> <strong>Prerequisite</strong> </h3> <p>As a prerequisite to fully understand the proposed solution, I recommend that you get an idea about the following topics if not aware of them already.</p> <ol> <li><p><a href="https://auth0.com/docs/get-started/auth0-overview/create-applications/regular-web-apps">Register Regular Web Application in Auth0</a></p></li> <li><p><a href="https://github.com/kataras/iris">Iris Web Frame Work</a></p></li> <li><p><a href="https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow">Authorization Code Flow</a></p></li> </ol> <h3> <strong>Project Structure</strong> </h3> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--EebAyjC5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5kjeb20cu5n1pakbwvdf.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--EebAyjC5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5kjeb20cu5n1pakbwvdf.png" alt="Project Structure" width="175" height="556"></a></p> <h3> <strong>Get Started</strong> </h3> <p>In order to kickstart the implementation process, I referred to the <a href="https://auth0.com/docs/get-started/auth0-overview/create-applications/regular-web-apps">Auth0 Guide</a> to register my web application. Following the guide, I successfully set up user authentication for the web application using Auth0. With the initial authentication functionality in place, I proceeded to modify the code to incorporate the Backend for Frontend (BFF) Authentication Pattern router.go</p> <h4> router.go </h4> <p>In router.go I define all the routes that are required in order to authenticate and authorize a user.</p> <p><code>/login</code>: This endpoint is triggered when the user clicks on the login button in the frontend.</p> <p><code>/logout</code>: Frontend routes to this endpoint when user clicks on logout button.</p> <p><code>/callback</code>: This endpoint is responsible for the token exchange process with the authorization code.</p> <p><code>/shorten</code>: This is one of the backend APIs that will be consumed by the frontend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">router</span> <span class="k">struct</span><span class="p">{}</span> <span class="k">func</span> <span class="p">(</span><span class="n">router</span> <span class="o">*</span><span class="n">router</span><span class="p">)</span> <span class="n">InitRouter</span><span class="p">(</span><span class="n">auth</span> <span class="o">*</span><span class="n">authenticator</span><span class="o">.</span><span class="n">Authenticator</span><span class="p">,</span> <span class="n">redis</span> <span class="n">interfaces</span><span class="o">.</span><span class="n">IRedisLayer</span><span class="p">)</span> <span class="o">*</span><span class="n">iris</span><span class="o">.</span><span class="n">Application</span> <span class="p">{</span> <span class="n">app</span> <span class="o">:=</span> <span class="n">iris</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">loginHandler</span> <span class="o">:=</span> <span class="n">controller</span><span class="o">.</span><span class="n">LoginHandler</span><span class="p">{</span><span class="n">Auth</span><span class="o">:</span> <span class="n">auth</span><span class="p">}</span> <span class="n">callbackHandler</span> <span class="o">:=</span> <span class="n">controller</span><span class="o">.</span><span class="n">CallbackHandler</span><span class="p">{</span><span class="n">Auth</span><span class="o">:</span> <span class="n">auth</span><span class="p">,</span> <span class="n">RedisClient</span><span class="o">:</span> <span class="n">redis</span><span class="p">}</span> <span class="n">logoutHandler</span> <span class="o">:=</span> <span class="n">controller</span><span class="o">.</span><span class="n">LogoutHandler</span><span class="p">{</span><span class="n">RedisClient</span><span class="o">:</span> <span class="n">redis</span><span class="p">}</span> <span class="n">backendApiHandler</span> <span class="o">:=</span> <span class="n">controller</span><span class="o">.</span><span class="n">BackendApiHandler</span><span class="p">{</span><span class="n">RedisClient</span><span class="o">:</span> <span class="n">redis</span><span class="p">}</span> <span class="n">middlewareHandler</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">MiddlewareHandler</span><span class="p">{</span><span class="n">RedisClient</span><span class="o">:</span> <span class="n">redis</span><span class="p">}</span> <span class="n">app</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"/login"</span><span class="p">,</span> <span class="n">loginHandler</span><span class="o">.</span><span class="n">Login</span><span class="p">)</span> <span class="n">app</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"/callback"</span><span class="p">,</span> <span class="n">callbackHandler</span><span class="o">.</span><span class="n">Callback</span><span class="p">)</span> <span class="n">app</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"/logout"</span><span class="p">,</span> <span class="n">logoutHandler</span><span class="o">.</span><span class="n">Logout</span><span class="p">)</span> <span class="c">// Backend Api</span> <span class="n">app</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/shorten"</span><span class="p">,</span> <span class="n">middlewareHandler</span><span class="o">.</span><span class="n">IsAuthenticated</span><span class="p">,</span> <span class="n">backendApiHandler</span><span class="o">.</span><span class="n">WriterRedirect</span><span class="p">)</span> <span class="k">return</span> <span class="n">app</span> <span class="p">}</span> </code></pre> </div> <p>It’s important to note the usage of the <strong>middlewareHandler.IsAuthenticated</strong> handler in the backend API route. This handler plays a vital role in validating the user’s login profile. You can find the implementation details in the Middleware section</p> <h4> Controller </h4> <p>In the controller, I have encapsulated the logic for all the routes mentioned earlier. This is where the implementation details for each route are defined and handled.</p> <ul> <li><strong><em>login.go</em></strong></li> </ul> <p>In the login route, the handler redirects the user to the Identity Provider (IDP) Universal login page. This page allows the user to perform a single sign-on and provide their consent.<br> After the user provides consent on the IDP Universal login page, the page is redirected back to the /callback endpoint along with the authorization code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">LoginHandler</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Auth</span> <span class="o">*</span><span class="n">authenticator</span><span class="o">.</span><span class="n">Authenticator</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">l</span> <span class="o">*</span><span class="n">LoginHandler</span><span class="p">)</span> <span class="n">Login</span><span class="p">(</span><span class="n">ctx</span> <span class="n">iris</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Redirect</span><span class="p">(</span><span class="n">l</span><span class="o">.</span><span class="n">Auth</span><span class="o">.</span><span class="n">AuthCodeURL</span><span class="p">(</span><span class="n">state</span><span class="p">,</span> <span class="n">oauth2</span><span class="o">.</span><span class="n">SetAuthURLParam</span><span class="p">(</span><span class="s">"audience"</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0Audience</span><span class="p">)),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusTemporaryRedirect</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The audience parameter plays a crucial role in providing the audience claim within the payload, which aids in user authorization. For a more detailed understanding, referring to <a href="https://www.youtube.com/watch?v=o_MuvVF9pY4">additional resources</a> is recommended.<br> The key challenge was to include the audience URL parameter in the <strong>l.Auth.AuthCodeURL()</strong> function. By examining the <a href="https://github.com/golang/oauth2/blob/master/oauth2.go">source code</a> of the <a href="https://pkg.go.dev/golang.org/x/oauth2">oauth2 package</a> and understanding its implementation, I gained insights on how to pass the audience parameter using <strong>oauth2.SetAuthURLParam()</strong>.</p> <ul> <li><em>callback.go</em></li> </ul> <p>After the user visits the /login route, the /callback URL is called, passing the state and authorization code as parameters.<br> The handler responsible for the /callback URL validates the value of the state parameter to ensure its integrity and security.<br> Once the state value is successfully validated, the handler proceeds to exchange the authorization code for an access token.<br> In addition to token exchange, the handler takes the necessary steps to save the token and user profile information in Redis, a data store commonly used for caching and session management.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">CallbackHandler</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Auth</span> <span class="o">*</span><span class="n">authenticator</span><span class="o">.</span><span class="n">Authenticator</span> <span class="n">RedisClient</span> <span class="n">interfaces</span><span class="o">.</span><span class="n">IRedisLayer</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">CallbackHandler</span><span class="p">)</span> <span class="n">Callback</span><span class="p">(</span><span class="n">ctx</span> <span class="n">iris</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">URLParam</span><span class="p">(</span><span class="s">"state"</span><span class="p">)</span> <span class="o">!=</span> <span class="n">state</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithJSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">,</span> <span class="s">"Invalid state parameter."</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Exchange an authorization code for a token.</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Auth</span><span class="o">.</span><span class="n">Exchange</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Request</span><span class="p">()</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">ctx</span><span class="o">.</span><span class="n">URLParam</span><span class="p">(</span><span class="s">"code"</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithJSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">,</span> <span class="s">"Failed to convert an authorization code into a token."</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">idToken</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Auth</span><span class="o">.</span><span class="n">VerifyIDToken</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Request</span><span class="p">()</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">token</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithJSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="s">"Failed to verify ID Token."</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">var</span> <span class="n">profile</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">idToken</span><span class="o">.</span><span class="n">Claims</span><span class="p">(</span><span class="o">&amp;</span><span class="n">profile</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">c</span><span class="o">.</span><span class="n">RedisClient</span><span class="o">.</span><span class="n">SetKeyValue</span><span class="p">(</span><span class="n">profile</span><span class="p">[</span><span class="s">"email"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span><span class="o">+</span><span class="s">"_token"</span><span class="p">,</span> <span class="n">token</span><span class="o">.</span><span class="n">AccessToken</span><span class="p">,</span> <span class="m">24</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">c</span><span class="o">.</span><span class="n">RedisClient</span><span class="o">.</span><span class="n">HSetKeyValue</span><span class="p">(</span><span class="n">profile</span><span class="p">[</span><span class="s">"email"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span><span class="o">+</span><span class="s">"_profile"</span><span class="p">,</span> <span class="n">profile</span><span class="p">,</span> <span class="m">24</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">ctx</span><span class="o">.</span><span class="n">SetCookieKV</span><span class="p">(</span><span class="s">"logged_id_email"</span><span class="p">,</span> <span class="n">profile</span><span class="p">[</span><span class="s">"email"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">))</span> <span class="c">// Redirect to logged in page.</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Redirect</span><span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">FrontendURL</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusTemporaryRedirect</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>To store the token and profile information, I have implemented <a href="https://redis.io/docs/clients/go/">Redis</a> as the caching layer. I create a key for each user by prefixing it with their email address to ensure uniqueness and easy retrieval of data.<br> In addition, the <strong>ctx.SetCookieKV()</strong> function is employed to set an encrypted <a href="https://cookie-script.com/documentation/httponly-cookies">HTTP-only</a> cookie. This cookie is later sent by the frontend when making calls to the backend APIs</p> <ul> <li><em>logout.go</em></li> </ul> <p>When the user clicks on the logout button, the logout handler performs two main actions. Firstly, it clears out all the cached values, ensuring that any stored token or user profile information is removed. Secondly, it initiates a logout process with Auth0 (IDP), effectively logging out the user from the Identity Provider<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">LogoutHandler</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">RedisClient</span> <span class="n">interfaces</span><span class="o">.</span><span class="n">IRedisLayer</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">l</span> <span class="o">*</span><span class="n">LogoutHandler</span><span class="p">)</span> <span class="n">Logout</span><span class="p">(</span><span class="n">ctx</span> <span class="n">iris</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">userCookie</span> <span class="o">:=</span> <span class="n">ctx</span><span class="o">.</span><span class="n">GetCookie</span><span class="p">(</span><span class="s">"logged_id_email"</span><span class="p">)</span> <span class="k">if</span> <span class="n">userCookie</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">iris</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"please make sure user is logged in"</span><span class="p">))</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// delete token key</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">l</span><span class="o">.</span><span class="n">RedisClient</span><span class="o">.</span><span class="n">DeleteKey</span><span class="p">(</span><span class="n">userCookie</span> <span class="o">+</span> <span class="s">"_token"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// delete profile key</span> <span class="n">err</span> <span class="o">=</span> <span class="n">l</span><span class="o">.</span><span class="n">RedisClient</span><span class="o">.</span><span class="n">DeleteKey</span><span class="p">(</span><span class="n">userCookie</span> <span class="o">+</span> <span class="s">"_profile"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">logoutUrl</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">Parse</span><span class="p">(</span><span class="s">"https://"</span> <span class="o">+</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0Domain</span> <span class="o">+</span> <span class="s">"/v2/logout"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">returnTo</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">ShortifyFrontendDomain</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// remove the logged_id_email http-only cookie from context</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RemoveCookie</span><span class="p">(</span><span class="s">"logged_id_email"</span><span class="p">)</span> <span class="n">parameters</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">Values</span><span class="p">{}</span> <span class="n">parameters</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="s">"returnTo"</span><span class="p">,</span> <span class="n">returnTo</span><span class="o">.</span><span class="n">String</span><span class="p">())</span> <span class="n">parameters</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="s">"client_id"</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0ClientID</span><span class="p">)</span> <span class="n">logoutUrl</span><span class="o">.</span><span class="n">RawQuery</span> <span class="o">=</span> <span class="n">parameters</span><span class="o">.</span><span class="n">Encode</span><span class="p">()</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Redirect</span><span class="p">(</span><span class="n">logoutUrl</span><span class="o">.</span><span class="n">String</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusTemporaryRedirect</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>To delete the cached information, including the user profile and token stored in Redis, I utilize the RedisClient.DeleteKey() function. This ensures that the relevant data is removed from the cache. Additionally, calling Auth0’s /v2/logout API allows us to effectively log out the user from Auth0 as well.<br> To remove a specific cookie, <strong>ctx.RemoveCookie()</strong> is used. This function specifically targets and deletes the ‘logged_id_email’ cookie, which was initially set during the /callback handler.</p> <ul> <li><em>backendApi.go</em></li> </ul> <p>When the frontend makes a request to one of the backend APIs, the Backend for Frontend (BFF) ensures that it fetches the user token from the cache. This token is essential for authentication and authorization purposes.<br> The BFF then adds the fetched token to the Authorization Header of the request and forwards it to the backend API.<br> Once the backend API processes the request and generates a response, the BFF acts as a proxy and sends the response back to the frontend, allowing seamless communication between the frontend and the backend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">BackendApiHandler</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">RedisClient</span> <span class="n">interfaces</span><span class="o">.</span><span class="n">IRedisLayer</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">w</span> <span class="o">*</span><span class="n">BackendApiHandler</span><span class="p">)</span> <span class="n">WriterRedirect</span><span class="p">(</span><span class="n">ctx</span> <span class="n">iris</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">raw</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">ctx</span><span class="o">.</span><span class="n">User</span><span class="p">()</span><span class="o">.</span><span class="n">GetRaw</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">profile</span> <span class="o">:=</span> <span class="n">raw</span><span class="o">.</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">)</span> <span class="n">email</span> <span class="o">:=</span> <span class="n">profile</span><span class="p">[</span><span class="s">"email"</span><span class="p">]</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">w</span><span class="o">.</span><span class="n">RedisClient</span><span class="o">.</span><span class="n">GetKeyValue</span><span class="p">(</span><span class="n">email</span> <span class="o">+</span> <span class="s">"_token"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">client</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Client</span><span class="p">{}</span> <span class="n">req</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Request</span><span class="p">()</span><span class="o">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">BackendApi</span><span class="p">,</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Request</span><span class="p">()</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">,</span> <span class="s">"Bearer "</span><span class="o">+</span><span class="n">token</span><span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">Do</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">res</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">body</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">res</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">var</span> <span class="n">respBody</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">respBody</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithJSON</span><span class="p">(</span><span class="n">res</span><span class="o">.</span><span class="n">StatusCode</span><span class="p">,</span> <span class="n">respBody</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Note the <strong>ctx.User().GetRaw()</strong> fetches the user profile information which was set during the middleware.IsAuthenticated() handler defined below. With the help of email from <strong>ctx.User()</strong> I get the token from redis cache and add the authorization header.</p> <h4> Middleware </h4> <p>The middleware plays a crucial role in validating the encrypted cookie sent from the frontend along with the API request and also check if user is logged in.</p> <ul> <li> <em>isAuhtenticated.go</em> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">MiddlewareHandler</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">RedisClient</span> <span class="n">interfaces</span><span class="o">.</span><span class="n">IRedisLayer</span> <span class="p">}</span> <span class="c">// IsAuthenticated is a middleware that checks if</span> <span class="c">// the user has already been authenticated previously.</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">MiddlewareHandler</span><span class="p">)</span> <span class="n">IsAuthenticated</span><span class="p">(</span><span class="n">ctx</span> <span class="n">iris</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">userCookie</span> <span class="o">:=</span> <span class="n">ctx</span><span class="o">.</span><span class="n">GetCookie</span><span class="p">(</span><span class="s">"logged_id_email"</span><span class="p">)</span> <span class="k">if</span> <span class="n">userCookie</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">iris</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"please make sure user is logged in"</span><span class="p">))</span> <span class="k">return</span> <span class="p">}</span> <span class="n">value</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">m</span><span class="o">.</span><span class="n">RedisClient</span><span class="o">.</span><span class="n">HGetKeyValue</span><span class="p">(</span><span class="n">userCookie</span> <span class="o">+</span> <span class="s">"_profile"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="o">||</span> <span class="n">value</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">StopWithError</span><span class="p">(</span><span class="n">iris</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"please make sure user is logged in"</span><span class="p">))</span> <span class="k">return</span> <span class="p">}</span> <span class="n">ctx</span><span class="o">.</span><span class="n">SetUser</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>By utilizing <strong>ctx.SetUser()</strong>, the user profile information is stored in the Iris context. This information becomes accessible and can be utilized by the backend API handler during request processing.</p> <h4> Authenticator </h4> <p>Authenticator initializes new instance of an Oauth2 provider.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Authenticator is used to authenticate our users.</span> <span class="k">type</span> <span class="n">Authenticator</span> <span class="k">struct</span> <span class="p">{</span> <span class="o">*</span><span class="n">oidc</span><span class="o">.</span><span class="n">Provider</span> <span class="n">oauth2</span><span class="o">.</span><span class="n">Config</span> <span class="p">}</span> <span class="c">// New instantiates the *Authenticator.</span> <span class="k">func</span> <span class="n">New</span><span class="p">()</span> <span class="p">(</span><span class="o">*</span><span class="n">Authenticator</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">provider</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">oidc</span><span class="o">.</span><span class="n">NewProvider</span><span class="p">(</span> <span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="s">"https://"</span><span class="o">+</span><span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0Domain</span><span class="o">+</span><span class="s">"/"</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="n">conf</span> <span class="o">:=</span> <span class="n">oauth2</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">ClientID</span><span class="o">:</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0ClientID</span><span class="p">,</span> <span class="n">ClientSecret</span><span class="o">:</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0ClientSecret</span><span class="p">,</span> <span class="n">RedirectURL</span><span class="o">:</span> <span class="n">config</span><span class="o">.</span><span class="n">EnvVariables</span><span class="o">.</span><span class="n">Auth0CallbackURL</span><span class="p">,</span> <span class="n">Endpoint</span><span class="o">:</span> <span class="n">provider</span><span class="o">.</span><span class="n">Endpoint</span><span class="p">(),</span> <span class="n">Scopes</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">oidc</span><span class="o">.</span><span class="n">ScopeOpenID</span><span class="p">,</span> <span class="s">"profile"</span><span class="p">,</span> <span class="s">"email"</span><span class="p">},</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">Authenticator</span><span class="p">{</span> <span class="n">Provider</span><span class="o">:</span> <span class="n">provider</span><span class="p">,</span> <span class="n">Config</span><span class="o">:</span> <span class="n">conf</span><span class="p">,</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// VerifyIDToken verifies that an *oauth2.Token is a valid *oidc.IDToken.</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">Authenticator</span><span class="p">)</span> <span class="n">VerifyIDToken</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">token</span> <span class="o">*</span><span class="n">oauth2</span><span class="o">.</span><span class="n">Token</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">oidc</span><span class="o">.</span><span class="n">IDToken</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">rawIDToken</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">Extra</span><span class="p">(</span><span class="s">"id_token"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"no id_token field in oauth2 token"</span><span class="p">)</span> <span class="p">}</span> <span class="n">oidcConfig</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">oidc</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">ClientID</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">ClientID</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">a</span><span class="o">.</span><span class="n">Verifier</span><span class="p">(</span><span class="n">oidcConfig</span><span class="p">)</span><span class="o">.</span><span class="n">Verify</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">rawIDToken</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>It is crucial to ensure that all the environment variables of the Auth0 application are properly configured and set. This step is necessary to successfully initialize the OAuth2 provider.</p> <h3> About the Flow </h3> <p>Here is what happens when the user authenticates with the application:</p> <ol> <li>The user clicks on the login button on the frontend UI.</li> <li>The frontend redirects the user to the /login endpoint in the Backend for Frontend (BFF).</li> <li>The BFF further redirects the user to the Universal Login Page of Auth0.</li> <li>The user provides their credentials and consents to the authentication process.</li> <li>After successful authentication, the callback request is sent back to the /callback endpoint in the application.</li> <li>The callback handler validates the received state parameter, ensuring its integrity and security.</li> <li>The callback handler exchanges the received authorization code for an access token over a secured channel.</li> <li>The received access token is validated.</li> <li>The access token and associated profile information are extracted and cached in a Redis server.</li> <li>The handler redirects the user back to the frontend UI, along with an HTTP-only cookie.</li> <li>When the user makes subsequent calls to backend APIs from the frontend, the cookie is included in the request.</li> <li>The cookie is validated by the middleware handler, which also verifies the user’s logged-in status and checks for the availability of profile information in the cache.</li> <li>The backend API handler manages the flow, extracting the JWT access token from the cache, and adding it to the Authorization Header of the forwarded request.</li> <li>The request is then forwarded to the backend API.</li> <li>Once the response is received from the backend, it is forwarded back to the frontend.</li> </ol> <h3> Conclusion </h3> <p>In conclusion, the Backend for Frontend (BFF) authentication pattern in Go provides a powerful and flexible approach to building authentication systems for front-end applications. By separating the authentication concerns into dedicated back-end services, tailored to each front-end client, developers can create robust, scalable, and secure authentication systems that meet the unique requirements of their applications.</p> <p>I hope this tech blog has provided valuable insights and practical guidance for implementing the BFF authentication pattern in Go. Happy coding!</p> <p>The source code of this example is available at <a href="https://github.com/mehulgohil/go-bffauth">mehulgohil/go-bffauth</a></p>