This is part yelling at clouds, part cry for help, and part question.
Good grief, the go middleware is really puzzling, that’s my main thesis, and I’d love to hear some advice from people who know better.
First of all, the experience of setting up an application on auth0 is incredibly good. It has code examples sitting right next to the signup page and it all looks really straightforward. It’s amazing and it fills me with a lot of comfort seeing that so much care is taken to make the experience this good.
The walk-thru guides are stored on github as well, which I found here -github.com/auth0-samples
And if we look at the golang web app, we see there is some middleware to check if users are logged in.
Again, amazing! This looks like something I can use in my own application. What does this middleware do? It checks for the existence of a “profile” key in the session. That’s it. It doesn’t actually check if my users are logged in, or have the correct permission to view different pages. I would have anticipated that it would have at least pulled the key out and validated it.
But this tutorial works, I got it up and running in about an hour, it’s easy to follow and it at least seemed like a good start Just that the actual authentication part was a little lacking and I thought I needed to do a little more for professional use.
After a bit of research, I noticed there is another middleware located at -github.com/auth0/go-jwt-middleware and I thought perhaps I could use that to add key verification. I thought to myself that this was odd to have a separate middleware and it wasn’t mentioned in the tutorial.
Oh, and lookie there, there is a golang gin example in this repo as well! Great! Would be nice if it was in the tutorial, but I’m still having a good time.
I look in the example, and I notice that I need to set my own signing key. Now it makes sense why this isn’t in the tutorial – apparently, this middleware must be for another kind of authentication where I sign my own tokens, whereas I just want to make sure users are logged in.
I noticed then, there is totally different tutorial for “backends”. This is a different tutorial than the one I saw before. -auth0.com/docs/quickstart/backend/golang/interactive
I found the sample used in this tutorial here. What I find odd about this one is that the tutorial (and the sample code) instructs again to write our own custom middleware, but this middleware actually uses the go-jwt-middleware internally.
And I do think that this approach is better than the first tutorial I had seen. It will validate the key, and will allow me to check for scope, and it uses jwks
-github.com/auth0-samples/auth0-golang-api-samples/blob/master/01-Authorization-RS256/middleware/jwt.go
I’m left wondering why there are so many of what looks to me as partial implementations that are really just an invitation for a developer to write their own.
Auth0 in general seems so well put together, I expected to find middleware that is simple to use and to discover, and I have instead found the opposite for both.
What my naive self expected
I suppose this is what I expected to find is something like this –
An RequireAuthenticated() middleware that checks whether a user has authetnticated, and places attributes about the user profile into the request context.
A RequireScope(<scope>) middleware that checks whether the authenticated user has the required permission.
Anybody else irked by the auth0 authentication middleware? What are you using in your projects?