How do I build an OIDC server with zitadel/oidc in Go?

Use the example server from the /example folder; run 'go run github.com/zitadel/oidc/v3/example/server' and configure environment variables like PORT and REDIRECT_URI as described in the README for basic setup.

zitadel/oidc vs go-oidc: which is better for a client?

zitadel/oidc is certified and supports both client and server, while go-oidc is client-only. If you need certification or plan to implement a server later, choose zitadel/oidc; for a minimal client, go-oidc might suffice.

Does zitadel/oidc handle PKCE for mobile or SPA apps?

Yes, PKCE is fully supported for both client and server, as shown in the features table and demonstrated in the example code for authorization code flow with various authentication methods.

What OIDC flows are missing in zitadel/oidc?

Implicit Flow is not supported for clients, and Hybrid Flow is not yet available for servers, as per the features table. mTLS support is also listed as 'not yet' for both sides.

Is zitadel/oidc good for production IAM systems?

Yes, it's certified and has high test coverage, but consider the missing features like mTLS and the limited feature review process, which might affect long-term maintenance for advanced needs.

How to implement token exchange with this library?

Token Exchange is supported as per RFC 8693; refer to the features table and likely use the /client/rp or /op packages, though specific example code for this flow isn't detailed in the provided README snippets.

Open-Awesome

oidc

Apache-2.0Gov3.47.5

An OpenID Foundation-certified OpenID Connect client and server library for Go, designed for ease of use.

Visit Website GitHub

1.8k stars208 forks0 contributors

What is oidc?

ZITADEL OIDC is an OpenID Connect SDK for Go that provides both client and server implementations for handling authentication and authorization. It solves the need for a certified, easy-to-use library that supports the full OIDC specification, enabling developers to integrate secure identity management into their applications.

Target Audience

Go developers building applications that require OpenID Connect authentication, including those implementing identity providers (IdPs), relying parties (clients), or resource servers.

Value Proposition

Developers choose this library because it is officially certified by the OpenID Foundation, supports both client and server roles, and is built on familiar Go standards, ensuring reliability and ease of integration for IAM solutions.

Overview

Easy to use OpenID Connect client and server library written for Go and certified by the OpenID Foundation

Use Cases

Best For

Implementing a certified OpenID Connect provider (OP) in Go applications
Adding OIDC client (RP) functionality to Go web services or APIs
Building secure authentication flows with PKCE or JWT profiles
Integrating token exchange or device authorization grant flows
Developing IAM (Identity and Access Management) services in Go
Creating examples or testing environments for OIDC/OAuth2 scenarios

Not Ideal For

Projects requiring immediate mTLS client authentication support
Teams that need a lightweight, client-only OIDC library without server capabilities
Applications relying on Implicit Flow for frontend authentication
Environments stuck on older Go versions (below 1.25)

Pros & Cons

Pros

OpenID Foundation Certified

Officially certified for Basic and Config profiles, ensuring compliance and reliability for IAM integrations, as highlighted in the README and certification badges.

Dual Client/Server Library

Provides both Relying Party (client) and OpenID Provider (server) implementations in a single package, reducing dependency on multiple libraries for full OIDC support.

Comprehensive Protocol Support

Implements key OIDC flows like Code Flow, PKCE, Token Exchange, and Device Authorization, with a detailed features table showing broad coverage of specifications.

Built on Go Standards

Reuses and extends the standard OAuth2 for Go package, making it familiar for Go developers and ensuring interoperability with existing Go ecosystems.

Extensive Example Code

Includes practical examples in the /example folder for scenarios like web apps, APIs, and dynamic server configurations, aiding in quick integration and testing.

Cons

Missing Advanced Features

Lacks support for mTLS and Hybrid Flow on the server side, which are explicitly marked as 'not yet' in the features table, limiting use cases requiring these protocols.

Limited Feature Review Bandwidth

The README notes 'limited availability for feature reviews' in a discussion link, which could slow down development and response to new feature requests or issues.

Go Version Constraints

Only supports the latest two Go versions (e.g., 1.25 and 1.26), potentially excluding projects on older versions and requiring frequent updates for compatibility.

Frequently Asked Questions

Related Projects

casbin

Apache Casbin: an authorization library that supports access control models like ACL, RBAC, ABAC.

Stars20,178

Forks1,741

Last commit24 days ago

jwt-go

Go implementation of JSON Web Tokens (JWT).

Stars9,107

Forks430

Last commit7 days ago

spicedb

Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data

Stars6,763

Forks398

Last commit3 days ago

goth

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.

Stars6,547

Forks632

Last commit3 months ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub