Skip to content

statebyte/go-telegram-login

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
teleauth
teleauth
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 

Repository files navigation

go-telegram-login

Go library for Telegram Login (manual implementation): Authorization Code Flow with PKCE and id_token validation via Telegram JWKS.

Documentation: Telegram Login manual implementation

Installation

go get github.com/statebyte/go-telegram-login

Import

import "github.com/statebyte/go-telegram-login/teleauth"

Usage

  1. Create a TeleAuth instance.
  2. Call StartAuth to get an authorization URL + state + code_verifier (+ optional nonce).
  3. Redirect the user to the returned URL.
  4. In your callback handler, read code and state from query params, then exchange code for tokens and validate id_token.

Minimal example (server-side):

package main

import (
	"context"
	"net/http"

	"github.com/statebyte/go-telegram-login/teleauth"
)

func main() {
	ta, _ := teleauth.New(teleauth.Config{
		ClientID:     123456789,
		ClientSecret: "BOT_CLIENT_SECRET",
		RedirectURI:  "https://example.com/auth/callback",
		// Audience defaults to ClientID when omitted.
	})

	// Example: start authorization
	http.HandleFunc("/auth/start", func(w http.ResponseWriter, r *http.Request) {
		res, err := ta.StartAuth(r.Context(), teleauth.StartAuthOptions{
			GenerateNonce: true,
			// Scopes defaults to: ["openid", "profile", "phone"]
		})
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}

		// IMPORTANT:
		// Store res.State and res.CodeVerifier (and res.Nonce if used) in a user session/CSRF-safe storage.
		// Do not rely on client-provided values without checking them.

		http.Redirect(w, r, res.URL, http.StatusFound)
	})

	// Example: callback handler
	http.HandleFunc("/auth/callback", func(w http.ResponseWriter, r *http.Request) {
		ctx := context.Background()
		q := r.URL.Query()

		code := q.Get("code")
		state := q.Get("state")
		_ = state // Verify it against the stored value from your session.

		// IMPORTANT:
		// Load codeVerifier (and expectedNonce if you enabled it) from your session.
		codeVerifier := "CODE_VERIFIER_FROM_SESSION"
		expectedNonce := "NONCE_FROM_SESSION" // or "" if you didn't include nonce

		user, err := ta.ExchangeAndValidate(ctx, code, codeVerifier, expectedNonce)
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}

		_ = user
		w.WriteHeader(http.StatusOK)
	})

	_ = http.ListenAndServe(":8080", nil)
}

Notes

  • Always validate state (CSRF protection) on the callback.
  • Always validate the id_token signature and claims server-side (this library does it via JWKS + RS256).
  • If you set GenerateNonce: true, pass the returned nonce as expectedNonce into ExchangeAndValidate.

About

Simple Go library for Telegram authentication

Topics

oauth telegram

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages