Shadow SSO (3SO)

A robust and flexible OAuth 2.0 and OpenID Connect implementation for Go applications.


Overview

Shadow SSO provides a complete suite of tools to implement secure authentication and authorization in your Go applications. We've crafted it with clarity and modularity, making it easier to protect your APIs and data.

Key Features

OAuth 2.0 Support

Full implementation of RFC 6749

  • Complete protocol coverage
  • Secure token lifecycle management
  • Multiple grant types support

OpenID Connect

OIDC extensions to OAuth 2.0

  • Secure user identification
  • Profile access
  • Trust and interoperability

Security Features

Enterprise-grade security

  • PKCE Support (RFC 7636)
  • Token Introspection (RFC 7662)
  • Token Revocation (RFC 7009)

Session Management

Advanced session control

  • Efficient session state management
  • Fine-grained access control
  • Session revocation capabilities

Getting Started

Installation

go get github.com/pilab-dev/shadow-sso

Quick Start

package main

import (
    "log"

    "github.com/labstack/echo/v4"
    ssso "github.com/pilab-dev/shadow-sso"
    "github.com/pilab-dev/shadow-sso/client"
)

func main() {
    // Create a new RSA key used to sign issued tokens and to serve the JWKS endpoint
    signingKey, err := ssso.GenerateRSAKey()
    if err != nil {
        log.Fatalf("error generating rsa signing key %s\n", err.Error())
    }

    // Initialize repositories: the OAuth and user repositories are your own
    // implementations (replace the placeholder constructors below); the client
    // store shown here is the library's in-memory implementation
    oauthRepo := NewYourOAuthRepository()
    userRepo := NewYourUserRepository()
    clientStore := client.NewClientMemoryStore()

    // Create services
    oauthService := ssso.NewOAuthService(oauthRepo, userRepo, signingKey, "https://your-issuer.com")
    jwksService := ssso.NewJWKSService(signingKey)
    clientService := client.NewClientService(clientStore)
    pkceService := ssso.NewPKCEService(oauthRepo)

    // Initialize OAuth2 API
    config := ssso.NewDefaultConfig("https://your-issuer.com")
    oauth2API := ssso.NewOAuth2API(
        oauthService,
        jwksService,
        clientService,
        pkceService,
        config,
    )

    // Setup Echo server and register the OAuth2/OIDC endpoints
    e := echo.New()
    oauth2API.RegisterRoutes(e)
    e.Logger.Fatal(e.Start(":8080"))
}

Security Best Practices

  • Constant-time Comparisons for sensitive data
  • PKCE by Default for public clients
  • Secure Token Storage with encryption
  • Full-Spectrum Session Management
  • Detailed Token Introspection
  • Scope Validation
  • Client Authentication
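The following Go program is an added illustration of two items from this page, PKCE (RFC 7636, listed under Security Features) and constant-time comparison of sensitive data (listed above); it is not code from the shadow-sso library (the library exposes PKCE through ssso.NewPKCEService, whose internals are not shown here). It generates a code_verifier, derives the S256 code_challenge the client sends with the authorization request, and performs the check a token endpoint runs at exchange time, comparing the recomputed challenge against the stored one with crypto/subtle so that timing does not reveal how much of the value matched. The function names and the RFC 7636 Appendix B test vector used in main are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Example PKCE helpers for this README; not part of the shadow-sso API.

// GenerateCodeVerifier builds a code_verifier per RFC 7636 §4.1: 32 random
// bytes, base64url-encoded without padding, giving 43 characters drawn from
// the unreserved set [A-Za-z0-9-._~].
func GenerateCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives the S256 code_challenge (RFC 7636 §4.2):
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), without padding.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifierSyntax enforces the length (43..128) and character set that
// RFC 7636 §4.1 requires of a code_verifier.
func validVerifierSyntax(verifier string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	for _, c := range verifier {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// VerifyCodeVerifier is the token-endpoint check (RFC 7636 §4.6): recompute
// the challenge from the presented verifier using the method recorded at
// authorization time and compare it with the stored challenge. The comparison
// is constant-time so the response latency is independent of where the first
// differing byte lies.
func VerifyCodeVerifier(storedChallenge, method, verifier string) error {
	if !validVerifierSyntax(verifier) {
		return errors.New("invalid_request: malformed code_verifier")
	}
	var derived string
	switch method {
	case "S256":
		derived = CodeChallengeS256(verifier)
	case "plain", "":
		// "plain" is allowed by the RFC only for clients unable to do S256;
		// a server that mandates S256 would reject this branch instead.
		derived = verifier
	default:
		return fmt.Errorf("invalid_request: unsupported code_challenge_method %q", method)
	}
	if subtle.ConstantTimeCompare([]byte(derived), []byte(storedChallenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	// Known-answer pair from RFC 7636 Appendix B.
	const rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	fmt.Println("RFC challenge:", CodeChallengeS256(rfcVerifier))

	verifier, err := GenerateCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println("fresh verifier accepted:", VerifyCodeVerifier(challenge, "S256", verifier) == nil)
	fmt.Println("tampered verifier:", VerifyCodeVerifier(challenge, "S256", verifier[:42]+"x"))
}
```

Storing only the challenge (never the verifier) server-side, and binding it to the authorization code it was issued with, is what makes an intercepted code useless to anyone who does not also hold the verifier.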

Documentation

For detailed documentation, please visit our GitHub repository.

Contributing

We welcome contributions! Please check our contribution guidelines.

Contact

For any questions or support, please contact us at gyula@pilab.hu.

© 2011-2026 Progressive Innovation LAB. All Rights Reserved.