I haven’t really found anything that’s nice that can just run as a library.
What I see lots of people doing is they use things like Authelia and handle auth/identity externally, and enforce its use via a reverse proxy.
The backend behind the reverse proxy gets the Remote-User and Remote-Group and so on headers.
Similar story with Caddy, not a library but there’s this authp thing, which I think is nicer, but is just not as popular as Authelia. I think it’s not as flexible around various types of auth (3FA? - client machine cert+2FA is easy in Authelia but not in authp) and is not as sysadmin friendly, but you can if you want only use the “authorization” part of authp if that’s the only thing you need.
In short – it’s all one big complicated mess; start with authp.
How do you plan to handle submitter lifecycle, and how do you plan to differentiate between submitters? Do they just get a subdomain of their own at some point once they register, like we see with e.g. workday?
Neither Authelia nor authp supports having their config determined dynamically, but e.g. with Caddy you could reload the config without shutting down the servers or dropping connections. You could generate the Caddy config, and trigger config reloading dynamically?
If your number of subscribers grows, you could shard the config … heck, you could even have a caddy authp process instance per submitter subdomain, all of them could point at the same backend?
You use the reverse proxy as a library,… in a subprocess of some kind…
… it wouldn’t be pretty, but do you care?
There’s a thing called: https://goauthentik.io/ – yet another thing that claims to be a silver bullet for all authentication out there.
It claims to support a decent number of integrations that can pass an encrypted JWT, which is all good, and has some API mentions in its docs. No idea how “dynamic” its config is.
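The forward-auth pattern described above (proxy authenticates, backend reads Remote-User / Remote-Groups) only holds if the backend accepts those headers exclusively from the proxy; a client that can reach the backend directly can otherwise set them itself. The following is an added example, not code from the thread or from Authelia, authp or Caddy, of a small Go backend that does that check. The proxy addresses, header names (following Authelia’s Remote-User / Remote-Groups convention) and group name are assumptions for the example.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// trustedProxies lists the reverse-proxy addresses whose identity headers we
// accept. Constructed for this example; in a real deployment it comes from
// configuration, and the backend should not be reachable from anywhere else.
var trustedProxies = map[string]bool{
	"10.0.0.5":  true,
	"127.0.0.1": true,
}

// Identity is what the backend learns from the forward-auth headers.
type Identity struct {
	User   string
	Groups []string
}

// identityFromRequest returns the identity asserted by the proxy, or nil if the
// request did not arrive from a trusted proxy or carries no Remote-User header.
// Headers from any other source are ignored, so they cannot be used to spoof a user.
func identityFromRequest(r *http.Request) *Identity {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // RemoteAddr without a port
	}
	if !trustedProxies[host] {
		return nil
	}
	user := strings.TrimSpace(r.Header.Get("Remote-User"))
	if user == "" {
		return nil
	}
	var groups []string
	for _, g := range strings.Split(r.Header.Get("Remote-Groups"), ",") {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return &Identity{User: user, Groups: groups}
}

// requireGroup wraps a handler: 401 when no trusted identity is present,
// 403 when the identity lacks the required group.
func requireGroup(group string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := identityFromRequest(r)
		if id == nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		for _, g := range id.Groups {
			if g == group {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

func main() {
	admin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := identityFromRequest(r)
		w.Write([]byte("hello, " + id.User + "\n"))
	})
	http.Handle("/admin", requireGroup("admins", admin))
	// Bind to loopback only: the proxy is the only intended caller (example choice).
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Binding the backend to an interface only the proxy can reach (or putting it on a private network) is what makes the address check meaningful; the check then defends against the proxy being bypassed, not against the proxy itself being compromised.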
I’ve also gone down the rabbit hole for the past couple of days. But I just found this https://oauth.net/code/go/
And had a look at the library linked there https://github.com/ory/fosite
It looks like a bit of work, but I think I can use this to achieve what I want. It’s all the components I need to set up my own OAuth2 server and extend it with the functionality I need.
It’s not a magic bullet, but it really looks like these guys did the groundwork I’m looking for.