<div align="center"> <h3>Premium sponsors</h3> <p> <a href="https://id8media.com"><strong>ID8 Media</strong></a> · <a href="https://one-studio.co"><strong>One Studio</strong></a> </p> <p><sub>Support togo — <a href="https://github.com/sponsors/fadymondy">become a sponsor</a>.</sub></p> </div>
oauth-server
Other
togo OAuth2/OIDC server — be an identity provider: authorization_code + PKCE, client_credentials, introspection, JWKS
togo-framework
Install
```bash
togo install togo-framework/oauth-server
```
The togo answer to Laravel Passport / Doorkeeper / django-oauth-toolkit: issue OAuth2 tokens to client apps. Where auth and auth-oauth let togo consume identity, oauth-server lets togo be the identity provider.
Grants & endpoints
- authorization_code (with PKCE S256) · client_credentials · refresh_token (rotated)
- Access tokens are signed JWT (HS256); refresh tokens are opaque + single-use
- GET /oauth/authorize · POST /oauth/token · POST /oauth/introspect · POST /oauth/revoke · GET /oauth/userinfo
- GET /.well-known/openid-configuration · GET /.well-known/jwks.json
- POST /api/oauth/clients (register a client)
Configuration
| Env | Description |
|---|---|
| OAUTH_SECRET | HS256 signing secret for access tokens (set in production) |
| OAUTH_ISSUER | issuer URL (e.g. https://id.example.com) |
Usage
```go
srv, _ := oauthserver.FromKernel(k)

// Register a client (public/PKCE → no secret; confidential → secret returned once).
client, _ := srv.RegisterClient("My SPA", []string{"https://app.example.com/callback"},
	[]string{"openid", "profile"}, []string{"authorization_code", "refresh_token"}, false)

// Authorization code + PKCE (after the user authorizes at /oauth/authorize):
code, _ := srv.IssueCode(client.ID, userID, "openid profile", redirectURI, codeChallenge, "S256")
tokens, _ := srv.ExchangeCode(code, codeVerifier, redirectURI, client.ID, "")
// tokens.AccessToken (JWT) · tokens.RefreshToken

// Verify a token (resource server):
info := srv.Introspect(tokens.AccessToken) // {Active, Sub, Scope, ClientID, Exp}
srv.Revoke(tokens.AccessToken)
```
Other grants
```go
srv.ClientCredentials(clientID, clientSecret, "api") // machine-to-machine
srv.RefreshExchange(refreshToken, clientID, secret)  // rotate
```
Tokens are HS256 (symmetric), so resource servers verify via /oauth/introspect (or the shared secret). The JWKS endpoint returns an empty key set; RS256 with published keys is a planned option.