Auth and authz advice

[joeblew999]

I’m working on an SSE plugin for goa.

I’m really glad to see Goa incorporating SSE. I use Datastar to drive gui updates . But I think MCP GUI can use it . Services can also use it instead of web hooks possibly too.

But first I need to add auth and authz. Typically I would use authelia. It’s a side car and works with caddy . But I’m not sure it’s going to work so well with Goa. Ref: https://www.authelia.com/configuration/miscellaneous/server-endpoints-authz/

Can someone offer any advice of how to do auth and authz with Goa ? Auth is cross cutting and so tricky to do with a strongly typed code generator . What I mean is that auth tends to be data driven .

One concern I have is how to do data level auth . I use SQLite or Corrosion to keep it kiss and avoid complexity . At runtime , I plan to lookup the authz rules from the db , probably keep them in an in memory cache and then I could apply them to the handlers . Same goes for sql calls , where I can add authz predicates . This , is typically a multi tenant style of setup .

My aim is to keep its very simple but usable by all goa users . Corrosion is particular is nice because it has query subscriptions and automatic global replication , allowing the SEE aspects to be heavily utilised , so that a web gui or service can get updated when data changes automatically.

[joeblew999]

I suspect Clue and the interceptors is where I should be focussing on ?

I have 3 layers where I need to apply authz:

CLI and GUI.

service layer . Both rest and sse.

db . Delete for example .

[raphael]

Just to make sure I understand, is there a reason you can't use Goa's built-in support for auth?

[joeblew999]

Wow I def missed that . Goa has come a long way .

The gui for security is built in to Authelia and supports forward proxy with caddy . Am playing with the idea of them passing it on into goa.

But there is a decent case for doing it all with Goa too based on what’s there today , which is considerable . Users and scopes are there in the docs for jwt :)

Couple of things in the decision matrix :

• Authelia is audited . Will happen soon . Keeping up with CVE etc is tricky and they must do it .
• Authelia has so much functionality , all the way through to deep link with from web to mobile apps via duo . That’s a ton of stuff Goa does not have .

Complexity is a beast and Goa gives me full control and could probably do everything over time with effirt . It probably does just enough for 80% of security use cases today .

Does Goa have a store for the users , roles / scopes , etc , that all the auth schemes? A simple tuples store would be enough with a SQLite and an API / interface into it that the main generated his looks to . If it’s an interface any store could be used. Nats Jetstream even for stupid simple replicated store.

Does go has any Web GUI for all its security ? Like default templates where the title and colour is changeable , as that all anyone needs.

I def need passkeys . Prefer to force it on users than even give them a username / password option , now that all OS ‘s support automatically these days .

Deep links for web to mobile ( WebView ) auth is hugely reusable . It’s when you sign in on web, and it will ask you to attest , like a 2fa, using your mobile .

Do the design matrix is Authelia teamed up with Goa OR do it all in Goa .