Marketplace Authentication

Log your customers into your Gobo Marketplace.

Last updated 1 year ago

Marketplace Authentication

Log your customers into your Gobo Marketplace.

Gobo provides multiple solutions to handle access management:

Password Auth
GoPass JWT Auth
SAML/OIDC

Enterprise customers requiring SAML or OIDC connections should reach out to for help configuring their authentication system.

GoPass Auth

With GoPass authentication, your backend server can use a JSON Web Token (JWT) to securely log your users into your Gobo Marketplace.

You can enable GoPass authentication in your .

How does it work?

GoPass Auth URL

https://{gobo_marketplace_domain}/account/login/gopass/{base64_jwt_token}

Creating a JWT

GoPass JWTs have the following format:

GoPass JWT Example

{
  ver: "1.0",
  iat: 1690933371,

  user: "{guid}",
  user_id: "user_123",
  user_email: "john@example.com",
  user_firstname: "John",
  user_lastname: "Doe",

  org: "{guid}",
  org_id: "org_123",
  org_name: "Org 123",

  role: "admin"
}

Required Field

Description

ver

Version: currently "1.0"

iat

Current epoch time in seconds.

user or user_id or user_email

A value representing the customeruser. If multiple fields are present, the leftmost field provided is used to lookup the customeruser any the additional fields are updated if changed.

org or org_id

A value representing the customerorg. If multiple fields are present, the leftmost field provided is used to lookup the customerorg and any additional fields are updated if changed.

role

Defaults to member. If this user should be able to install apps, must be admin.

When to create the token?

GoPass marketplace sessions expire after 15 minutes. At this time the user will be redirected back to the specified login URL to create another JWT and log them back into the marketplace. Gobo uses the iat claim in the JWT to ensure that the token is still valid.

In order to ensure that your iat claim is fresh, you should only create your JWT at the moment your user wants to access the marketplace. One strategy is to direct all users to the endpoint provided for the login URL, make sure they are logged in, and then create the JWT and redirect to your marketplace.

When someone accesses your marketplace without logging in, Gobo redirects them to the custom login URL on your site so that you can authenticate them.

If the request is for a specific partnerorg (e.g. an app initiated an authorization code flow for a previously installed app) then Gobo will optionally pass along to the login URL the partnerorg GUID and eternal_id as the query parameters target and target_id.

Example Express Application

Node.js Example

const jwt = require("jsonwebtoken");

const GOPASS_KEY = "gp_...";
const GOPASS_URL = "https://marketplace.yourco.com/account/login/gopass"

app.get("/marketplace", (req, res) => {
  const org_id = req.query.target_id;
  // Use target_id to validate that you're logging user into the right org.

  const claims = {
    ver: "1.0",
    iat: Math.floor(Date.now() / 1000),

    // user: "{guid}",
    user_id: "user_123",
    user_email: "john@example.com",
    user_firstname: "John",
    user_lastname: "Doe",

    // org: "{guid}",
    org_id: "org_123",
    org_name: "Org 123",

    role: "admin",
  };

  const token = jwt.sign(claims, GOPASS_KEY);
  const url = new URL(token, GOPASS_URL);
  console.log("Redirecting to:", url.href);
  res.setHeader(
    "Cache-Control",
    "max-age=0, no-cache, no-store, must-revalidate, private"
  );
  return res.redirect(url);
});

Keep your GoPass Key Secure

The GoPass key ensures that only you can log users into your marketplace. It must be kept secure and private. Be sure to prevent your signing key from being made publicly accessible, such as in client-side code, GitHub, unsecured S3 buckets, and so forth. The signing key is prefixed with gp_.