finds.dev← search

// the find

RichardKnop/go-oauth2-server

★ 2,148 · Go · MPL-2.0 · updated Dec 2025

A standalone, specification-compliant, OAuth2 server written in Golang.

A standalone OAuth 2.0 server in Go covering all four grant types plus token introspection. It's aimed at teams that want to run their own auth server rather than paying for Auth0 or Okta, and need something they can actually read and modify.

The service interface pattern throughout (oauth, session, web, health) makes it genuinely pluggable — swapping in Redis sessions or a custom user store is a real use case the code actually supports. Test coverage is solid: each grant type has its own test file, there are functional tests against an in-memory SQLite DB, and mocks are generated for the service interface. Config via etcd or consul is a reasonable choice for teams already running those, and the docker-compose setup gets you a working stack with one command. The token introspection endpoint (RFC 7662) is there, which many minimal OAuth implementations skip.

Last meaningful activity looks to be several years ago — the implicit grant is included and documented, which OAuth 2.1 drops entirely as insecure; that alone signals the spec compliance is frozen in 2016. There's no PKCE support, which means the authorization code flow is unsafe for public clients (SPAs, mobile apps) as written. The config-in-etcd/consul approach is operationally heavy for small teams — there's no simple env-var or file-based config path. Tests use SQLite but production uses Postgres, which is the exact divergence that masks real migration bugs.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →