Marketplace Authentication

Log your customers into your Gobo Marketplace.

Gobo provides multiple solutions to handle access management:

  • Password Auth

  • GoPass JWT Auth

  • SAML/OIDC

Enterprise customers requiring SAML or OIDC connections should reach out to [email protected] for help configuring their authentication system.

GoPass Auth

With GoPass authentication, your backend server can use a JSON Web Token (JWT) to securely log your users into your Gobo Marketplace.

You can enable GoPass authentication in your Gobo Dashboard.

How does it work?

GoPass Auth Flow (diagram)

GoPass Auth URL

https://{gobo_marketplace_domain}/account/login/gopass/{base64_jwt_token}

The final path segment is the signed JWT in its compact serialization, which is already base64url-encoded; no further encoding is needed, and the Express example below passes the output of jwt.sign() straight into the URL.

Creating a JWT

GoPass JWTs carry the following claims in their payload (the token itself is signed with your GoPass key):

GoPass JWT Example
{
  "ver": "1.0",
  "iat": 1690933371,

  "user": "{guid}",
  "user_id": "user_123",
  "user_email": "[email protected]",
  "user_firstname": "John",
  "user_lastname": "Doe",

  "org": "{guid}",
  "org_id": "org_123",
  "org_name": "Org 123",

  "role": "admin"
}
Required fields:

  • ver: the format version; currently "1.0".

  • iat: the current epoch time in seconds. Gobo checks this claim, so set it at the moment the token is minted, not earlier.

  • user, user_id or user_email: a value identifying the customeruser. At least one must be present. If more than one is present, the first in the order user, user_id, user_email is used to look up the customeruser, and the remaining fields are updated if they have changed.

  • org or org_id: a value identifying the customerorg. At least one must be present. If both are present, org is used to look up the customerorg and org_id is updated if it has changed.

  • role: defaults to member. Must be admin if this user should be able to install apps.

user_firstname, user_lastname and org_name are optional profile fields; like the other secondary identifiers, they are updated on the customeruser or customerorg when they change.

When to create the token?

GoPass marketplace sessions expire after 15 minutes. When a session expires, the user is redirected back to the login URL you configured so that you can mint a new JWT and log them back into the marketplace. Gobo uses the iat claim in the JWT to decide whether the token is still valid, so a token minted too far in the past is rejected.

To keep the iat claim fresh, create the JWT only at the moment the user wants to access the marketplace, never in advance or in a batch. One strategy is to direct all users to the endpoint registered as your login URL, make sure they are authenticated there, and only then create the JWT and redirect them to your marketplace. Because validity is judged from iat, the clock on the server that signs tokens must be accurate; keep it NTP-synchronised.

Login URL

When someone accesses your marketplace without being logged in, Gobo redirects them to the custom login URL on your site so that you can authenticate them.

If the request is for a specific partnerorg (for example, an app that was previously installed has initiated an authorization code flow), Gobo can also pass the partnerorg's GUID and external_id to the login URL as the query parameters target and target_id. Treat these as hints for validation, not as authentication: use them to confirm you are logging the user into an org they belong to, never to pick the org on the user's behalf.

Set the appropriate Cache-Control response header so that responses from your login URL are not cached in transit or in the browser: the response is a redirect whose location contains a freshly minted JWT, and a cached copy would replay a stale token or, in a shared cache, hand one user's token to another. For example: max-age=0, no-cache, no-store, must-revalidate, private. See the MDN Web Docs on Cache-Control for more information.

Example Express Application

Node.js Example
const express = require("express");
const jwt = require("jsonwebtoken");

const app = express();

// Signing key from the Gobo Dashboard (prefixed with gp_). Load it from the
// environment or a secrets manager; never hard-code it in source.
const GOPASS_KEY = process.env.GOPASS_KEY; // "gp_..."
// The base must end with "/" so that new URL(token, base) appends the token as
// a new path segment instead of replacing the "gopass" segment.
const GOPASS_URL = "https://marketplace.yourco.com/account/login/gopass/";

app.get("/marketplace", (req, res) => {
  // Authenticate the user on your side first (session, SSO, ...). The literal
  // values below stand in for the authenticated user's record.
  const user = {
    id: "user_123",
    email: "[email protected]",
    firstname: "John",
    lastname: "Doe",
    org_id: "org_123",
    org_name: "Org 123",
    admin: true,
  };

  // Gobo may pass target/target_id when the request is for a specific
  // partnerorg. Use target_id to validate that you're logging the user into
  // the right org; do not let it choose the org on the user's behalf.
  const org_id = req.query.target_id;
  if (org_id && org_id !== user.org_id) {
    return res.status(403).send("Not a member of the requested organization");
  }

  const claims = {
    ver: "1.0",
    iat: Math.floor(Date.now() / 1000), // minted now, so the claim is fresh

    // user: "{guid}",
    user_id: user.id,
    user_email: user.email,
    user_firstname: user.firstname,
    user_lastname: user.lastname,

    // org: "{guid}",
    org_id: user.org_id,
    org_name: user.org_name,

    role: user.admin ? "admin" : "member", // admin only if they may install apps
  };

  // jsonwebtoken defaults to HS256; pin it explicitly.
  const token = jwt.sign(claims, GOPASS_KEY, { algorithm: "HS256" });
  const url = new URL(token, GOPASS_URL);
  // Do not log url.href: the path contains the bearer token.
  res.setHeader(
    "Cache-Control",
    "max-age=0, no-cache, no-store, must-revalidate, private"
  );
  return res.redirect(url.href);
});

app.listen(3000);

Keep your GoPass Key Secure

The GoPass key is what ensures that only you can log users into your marketplace: anyone who holds it can mint a valid token for any user and any role. It must be kept secret. Keep the signing key out of anywhere it could become publicly accessible, such as client-side code, source repositories on GitHub, and unsecured S3 buckets, and load it from an environment variable or a secrets manager at runtime instead. The signing key is prefixed with gp_.
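One practical way to act on this is a pre-commit or CI scan for keys that have been pasted into source or config. The following is an added example, not Gobo's code: only the gp_ prefix is documented on this page, so the minimum length and character set in the pattern, and the sample files it scans, are assumptions and constructed data.

```javascript
// Added example, not Gobo's code: flag GoPass signing keys committed to source.
// Only the "gp_" prefix is documented; length and alphabet are assumed.
const GOPASS_KEY_PATTERN = /\bgp_[A-Za-z0-9_-]{16,}/g;

// files: { path: contents }. Returns one finding per match, with the key
// redacted so the report itself does not leak it.
function scanForGoPassKeys(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    contents.split(/\r?\n/).forEach((line, index) => {
      for (const match of line.matchAll(GOPASS_KEY_PATTERN)) {
        findings.push({ path, line: index + 1, preview: match[0].slice(0, 6) + "..." });
      }
    });
  }
  return findings;
}

// Constructed sample tree: one hard-coded key, one committed .env file, and two
// files that mention the key only by name or prefix (no finding expected).
const SAMPLE_FILES = {
  "server.js": [
    'const jwt = require("jsonwebtoken");',
    'const GOPASS_KEY = "gp_0123456789abcdefXYZ"; // pasted from the dashboard',
  ].join("\n"),
  ".env": "GOPASS_KEY=gp_AnotherExampleKeyValue00",
  "config.js": "const GOPASS_KEY = process.env.GOPASS_KEY; // loaded at runtime",
  "README.md": "Keys are prefixed with gp_ and must never be committed.",
};

function demoScan() {
  return scanForGoPassKeys(SAMPLE_FILES);
}
```

Wire scanForGoPassKeys into a pre-commit hook over the staged files and fail the commit when it returns anything; a key that is already in history should be treated as exposed.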
