playbooks

home / skills / linehaul-ai / linehaulai-claude-marketplace / goth-fundamentals

goth-fundamentals skill

/plugins/goth-oauth/skills/goth-fundamentals

This skill guides you through Goth multi-provider authentication in Go, helping you install, configure providers, and implement secure OAuth flows.

npx playbooks add skill linehaul-ai/linehaulai-claude-marketplace --skill goth-fundamentals

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
7.9 KB
---
name: goth-fundamentals
description: This skill should be used when the user asks to "set up goth", "install goth", "oauth in go", "authentication in golang", "goth package", "goth basics", or mentions "github.com/markbates/goth". Provides foundational guidance for the Goth multi-provider authentication library.
keywords: [goth, oauth2, authentication, multi-provider, go]
disable-model-invocation: false
user-invocable: true
---

# Goth Fundamentals

Expert guidance for github.com/markbates/goth - a Go library providing simple, clean, idiomatic multi-provider OAuth authentication.

## Installation

Install the package:

```bash
go get github.com/markbates/goth
```

Import in code:

```go
import (
    "github.com/markbates/goth"
    "github.com/markbates/goth/gothic"
    "github.com/markbates/goth/providers/google"
)
```

## Core Concepts

### Provider Interface

Every authentication provider implements the `goth.Provider` interface:

```go
type Provider interface {
    Name() string
    BeginAuth(state string) (Session, error)
    UnmarshalSession(string) (Session, error)
    FetchUser(Session) (User, error)
    Debug(bool)
    RefreshToken(refreshToken string) (*oauth2.Token, error)
    RefreshTokenAvailable() bool
}
```

Key methods:
- `Name()` - Returns provider identifier (e.g., "google", "microsoft")
- `BeginAuth()` - Initiates OAuth flow, returns session with auth URL
- `FetchUser()` - Retrieves user data after successful authentication
- `RefreshToken()` - Obtains new access token using refresh token

### Session Interface

Sessions manage OAuth state throughout the authentication flow:

```go
type Session interface {
    GetAuthURL() (string, error)
    Authorize(Provider, Params) (string, error)
    Marshal() string
}
```

### User Struct

Authenticated user data returned after successful OAuth:

```go
type User struct {
    RawData           map[string]interface{}
    Provider          string
    Email             string
    Name              string
    FirstName         string
    LastName          string
    NickName          string
    Description       string
    UserID            string
    AvatarURL         string
    Location          string
    AccessToken       string
    AccessTokenSecret string
    RefreshToken      string
    ExpiresAt         time.Time
    IDToken           string
}
```

## Gothic Helper Package

The `gothic` package provides convenience functions for common web frameworks:

### Key Functions

```go
// Begin authentication - redirects to provider
gothic.BeginAuthHandler(res http.ResponseWriter, req *http.Request)

// Complete authentication - handles callback
gothic.CompleteUserAuth(res http.ResponseWriter, req *http.Request) (goth.User, error)

// Get user from session (if already authenticated)
gothic.GetFromSession(providerName string, req *http.Request) (string, error)

// Logout user
gothic.Logout(res http.ResponseWriter, req *http.Request) error
```

### Provider Selection

Gothic uses the `provider` query parameter or URL path segment to identify which provider to use:

```go
// Query parameter: /auth?provider=google
// Path segment: /auth/google
```

Override the provider getter if needed:

```go
gothic.GetProviderName = func(req *http.Request) (string, error) {
    return mux.Vars(req)["provider"], nil
}
```

## Basic Authentication Flow

### Step 1: Register Providers

Initialize providers at application startup:

```go
func init() {
    goth.UseProviders(
        google.New(
            os.Getenv("GOOGLE_CLIENT_ID"),
            os.Getenv("GOOGLE_CLIENT_SECRET"),
            "http://localhost:3000/auth/google/callback",
            "email", "profile",
        ),
    )
}
```

### Step 2: Create Auth Routes

```go
func main() {
    http.HandleFunc("/auth/", handleAuth)
    http.HandleFunc("/auth/callback/", handleCallback)
    http.HandleFunc("/logout", handleLogout)
    http.ListenAndServe(":3000", nil)
}

func handleAuth(w http.ResponseWriter, r *http.Request) {
    gothic.BeginAuthHandler(w, r)
}

func handleCallback(w http.ResponseWriter, r *http.Request) {
    user, err := gothic.CompleteUserAuth(w, r)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
    }
    // User authenticated - store in session, redirect, etc.
    fmt.Fprintf(w, "Welcome %s!", user.Name)
}

func handleLogout(w http.ResponseWriter, r *http.Request) {
    gothic.Logout(w, r)
    http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}
```

### Step 3: Configure Session Store

Gothic uses gorilla/sessions by default:

```go
import "github.com/gorilla/sessions"

func init() {
    key := os.Getenv("SESSION_SECRET")
    maxAge := 86400 * 30 // 30 days
    isProd := os.Getenv("ENV") == "production"

    store := sessions.NewCookieStore([]byte(key))
    store.MaxAge(maxAge)
    store.Options.Path = "/"
    store.Options.HttpOnly = true
    store.Options.Secure = isProd

    gothic.Store = store
}
```

## Environment Variables Pattern

Store OAuth credentials securely using environment variables:

```bash
# .env (never commit this file)
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-client-secret
MICROSOFT_CLIENT_ID=your-azure-app-id
MICROSOFT_CLIENT_SECRET=your-azure-secret
SESSION_SECRET=your-32-byte-random-string
```

Load with godotenv or similar:

```go
import "github.com/joho/godotenv"

func init() {
    godotenv.Load()
}
```

## Supported Providers (70+)

Goth includes providers for major platforms:

| Category | Providers |
|----------|-----------|
| Cloud/Enterprise | Google, Microsoft (Azure AD), Apple, Amazon, Okta, Auth0 |
| Development | GitHub, GitLab, Bitbucket, Gitea |
| Social | Facebook, Twitter, Instagram, LinkedIn, Discord |
| Productivity | Slack, Salesforce, Shopify, Zoom |
| Other | Spotify, Twitch, PayPal, Stripe, Uber |

Import provider packages individually:

```go
import (
    "github.com/markbates/goth/providers/google"
    "github.com/markbates/goth/providers/azureadv2"
    "github.com/markbates/goth/providers/github"
)
```

## Error Handling

Handle common authentication errors:

```go
user, err := gothic.CompleteUserAuth(w, r)
if err != nil {
    switch {
    case strings.Contains(err.Error(), "access_denied"):
        // User denied access
        http.Redirect(w, r, "/login?error=denied", http.StatusTemporaryRedirect)
    case strings.Contains(err.Error(), "invalid_grant"):
        // Token expired or revoked
        http.Redirect(w, r, "/login?error=expired", http.StatusTemporaryRedirect)
    default:
        // Log and show generic error
        log.Printf("Auth error: %v", err)
        http.Error(w, "Authentication failed", http.StatusInternalServerError)
    }
    return
}
```

## Token Refresh

For long-lived sessions, refresh tokens before expiry:

```go
func refreshIfNeeded(provider goth.Provider, user *goth.User) error {
    if !provider.RefreshTokenAvailable() {
        return nil
    }

    if time.Until(user.ExpiresAt) > 5*time.Minute {
        return nil // Token still valid
    }

    token, err := provider.RefreshToken(user.RefreshToken)
    if err != nil {
        return err
    }

    user.AccessToken = token.AccessToken
    user.RefreshToken = token.RefreshToken
    user.ExpiresAt = token.Expiry
    return nil
}
```

## Quick Reference

| Task | Function/Pattern |
|------|-----------------|
| Register providers | `goth.UseProviders(provider1, provider2)` |
| Start auth flow | `gothic.BeginAuthHandler(w, r)` |
| Complete auth | `gothic.CompleteUserAuth(w, r)` |
| Logout | `gothic.Logout(w, r)` |
| Get current provider | `gothic.GetProviderName(r)` |
| Configure session store | `gothic.Store = yourStore` |
| Access user data | `user.Email`, `user.Name`, `user.AccessToken` |

## Related Skills

- **goth-providers** - Detailed provider configuration (Google, Microsoft)
- **goth-echo-security** - Echo framework integration and security patterns

## References

- [Goth GitHub Repository](https://github.com/markbates/goth)
- [Go Package Documentation](https://pkg.go.dev/github.com/markbates/goth)

Overview

This skill provides foundational guidance for integrating github.com/markbates/goth into Go web applications. It explains core concepts, essential APIs (Provider, Session, User), and the gothic helper for common auth flows. The goal is to get a developer from zero to a working multi-provider OAuth setup with secure session handling.

How this skill works

The skill walks through installing goth, registering providers at startup, and wiring auth routes that call gothic.BeginAuthHandler and gothic.CompleteUserAuth. It explains session storage via gorilla/sessions, how goth represents users and sessions, and how to refresh tokens when needed. Practical code snippets illustrate provider registration, route handlers, session store configuration, and error handling patterns.

When to use it

  • You need quick setup guidance for OAuth in Go using goth
  • Implementing sign-in with Google, GitHub, Microsoft, or other providers
  • Integrating multi-provider auth into standard net/http handlers or common frameworks
  • Securing session storage and managing access/refresh tokens
  • Understanding goth types: Provider, Session, and User

Best practices

  • Register providers during application initialization and read client secrets from environment variables
  • Use a secure server-side session store (gorilla/sessions) and set HttpOnly and Secure flags in production
  • Limit OAuth scopes to only what your app needs (e.g., "email", "profile")
  • Handle common errors explicitly (access_denied, invalid_grant) and log unexpected failures
  • Refresh access tokens before expiry when RefreshTokenAvailable() is true

Example use cases

  • Add social login (Google, GitHub, Facebook) to an existing Go web app using goth and gothic handlers
  • Implement corporate SSO with Azure AD or Okta by registering the provider and handling callbacks
  • Store authenticated user info in server-side sessions and display user profile data (name, avatar, email)
  • Support multiple providers on a single auth route by using provider query param or path segment
  • Implement token refresh logic for long-lived sessions using provider.RefreshToken

FAQ

Do I need to import provider packages separately?

Yes. Import each provider package you use (e.g., providers/google, providers/github) and pass instances to goth.UseProviders.

How does gothic select the provider?

By default it checks a "provider" query parameter or the URL path segment; you can override gothic.GetProviderName to customize selection.

Where should I store client secrets and session keys?

Store them in environment variables and load them securely (never commit them). Use a strong SESSION_SECRET for cookie stores.