Cloud Foundry UAA lets you register OAuth clients that authenticate against the existing Cloud Foundry user base. This means you can build apps without maintaining another user database: free single sign-on (SSO) for all your applications!

Golang makes it easy to write applications that use this SSO by acting as OAuth clients of UAA (and of your pretty, themed login-server).

First we need to add a client to the UAA clients list in the UAA deployment manifest:

      cf-go-client-example:
        access-token-validity: 1209600
        authorities: scim.write,scim.read,cloud_controller.read,cloud_controller.write,password.write,uaa.admin,uaa.resource,cloud_controller.admin,billing.admin
        authorized-grant-types: authorization_code,client_credentials
        override: true
        redirect-uri: https://cf-go-client-example.10.244.0.34.xip.io/oauth2callback
        refresh-token-validity: 1209600
        scope: openid,cloud_controller.read,cloud_controller.write,password.write,console.admin,console.support
        secret: c1oudc0w

Please note that this example client is granted many scopes and authorities. Scope it back to what your use case actually needs.

main.go

package main

import (
	"github.com/go-martini/martini"
	gooauth2 "github.com/golang/oauth2"
	"github.com/martini-contrib/oauth2"
	"github.com/martini-contrib/sessions"
)

func main() {
	m := martini.Classic()

	// Client id, secret and redirect URL exactly as registered in the UAA manifest above.
	oauthOpts := &gooauth2.Options{
		ClientID:     "cf-go-client-example",
		ClientSecret: "c1oudc0w",
		RedirectURL:  "https://cf-go-client-example.10.244.0.34.xip.io/oauth2callback",
		Scopes:       []string{""}, // no scopes requested explicitly; see the manifest entry
	}

	// The authorize endpoint is served by the login-server, the token endpoint by UAA itself.
	cf := oauth2.NewOAuth2Provider(oauthOpts, "https://login.10.244.0.34.xip.io/oauth/authorize",
		"https://uaa.10.244.0.34.xip.io/oauth/token")

	// Cookie-backed session holds the user's tokens; LoginRequired sends every
	// unauthenticated request through the UAA login flow.
	m.Handlers(
		sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123"))),
		cf,
		oauth2.LoginRequired,
		martini.Logger(),
		martini.Static("public"),
	)

	m.Get("/", func(tokens oauth2.Tokens) string {
		if tokens.IsExpired() {
			return "not logged in, or the access token is expired"
		}
		return "logged in"
	})

	m.Run()
}

That's it! Simple as that.

	m := martini.Classic()

We use martini for this because it has a great plugin ecosystem.

	oauthOpts := &gooauth2.Options{
		ClientID:     "cf-go-client-example",
		ClientSecret: "c1oudc0w",
		RedirectURL:  "https://cf-go-client-example.10.244.0.34.xip.io/oauth2callback",
		Scopes:       []string{""},
	}

	cf := oauth2.NewOAuth2Provider(oauthOpts, "https://login.10.244.0.34.xip.io/oauth/authorize",
		"https://uaa.10.244.0.34.xip.io/oauth/token")

This sets up our OAuth handler. Note that the redirect URL must match the one registered in the manifest or the flow will not work: UAA only sends the authorization code back to a registered redirect URI.
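As an added example (not code from this page or from the cf-go-client-example project), here is the part of the flow the martini oauth2 provider does for us, written against the standard library with this page's UAA endpoints and client registration: build the authorize redirect, generate an unguessable state, and validate what UAA sends back to /oauth2callback before any code is exchanged. The `Client` type, the function names and the `openid` scope are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Client holds the values registered for this client in the UAA manifest
// (hypothetical type; field names are assumptions for this example).
type Client struct {
	ID, RedirectURL, AuthURL string
	Scopes                   []string
}

// NewState returns an unguessable value binding one login attempt to one browser
// session; store it server-side (the cookie session) before redirecting.
func NewState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds the redirect to UAA's /oauth/authorize endpoint; the
// redirect_uri sent here is what UAA compares against the manifest entry.
func (c Client) AuthorizeURL(state string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {c.ID}, "state": {state},
		"redirect_uri": {c.RedirectURL}, "scope": {strings.Join(c.Scopes, " ")}}
	return c.AuthURL + "?" + q.Encode()
}

// CallbackCode validates what UAA sends back to /oauth2callback: a UAA error is
// surfaced, the state must equal the stored one, and a code must be present.
func CallbackCode(q url.Values, storedState string) (string, error) {
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("uaa returned error %q", e)
	}
	if storedState == "" || q.Get("state") != storedState {
		return "", errors.New("state mismatch: callback not bound to this session")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}
```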

	m.Handlers(
		sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123"))),
		cf,
		oauth2.LoginRequired,
		martini.Logger(),
		martini.Static("public"),
	)

These handlers force every request to be authenticated. The session middleware keeps a session per user so the tokens survive between requests; the cookie store key ("secret123" here) is what signs that session cookie, so replace it with a real secret of your own.

	m.Get("/restrict", oauth2.LoginRequired, func(tokens oauth2.Tokens) string {
		return tokens.Access()
	})

Alternatively, if you don't want every request to be authenticated, you can require login per endpoint instead: leave oauth2.LoginRequired out of m.Handlers and chain it on the routes that need it. With martini you can chain handlers.

	m.Get("/", func(tokens oauth2.Tokens) string {
		if tokens.IsExpired() {
			return "not logged in, or the access token is expired"
		}
		return "logged in"
	})
 
	m.Run()

That's it: you have an OAuth client for Cloud Foundry.

The code can be found at: https://github.com/cloudfoundry-community/cf-go-client-example