The v0 stack (authentication/, authorization/, the in-tree password
package, and authentication/provider/oauth2) was removed during the
refactor. This guide maps the old API to the v2 stack. For the workspace
layout and the new module list see ../MIGRATION.md.
| v0 | v2 |
|---|---|
authentication.Credential (mutable, any) |
security.Authentication (immutable interface) |
authentication.Filter / OnFilter |
security.Extractor — Extract(ctx, Carrier) |
authentication.Provider / Authenticate |
security.Authenticator — Authenticate(ctx, Authentication) |
authentication.Handler (the filter loop) |
security.Engine + httpsec.Middleware |
authorization.Option checks |
voter.* + security.AccessDecisionManager |
password.BCryptHasher |
password.Hasher (NewBCryptHasher / NewArgon2idHasher) |
NewOAuth2AuthenticationProvider |
oauth2.Server (issuer) + bearer/jwtsec (resource server) |
v0 credentials were a mutable bag mutated in place by each filter. v2
Authentication is a read-only interface; an authenticator returns a new
value rather than mutating its input:
// v2
func (a *Authenticator) Authenticate(ctx context.Context, auth security.Authentication) (security.Authentication, error) {
// …validate…
return in.WithAuthenticated(user, authorities), nil // new value
}Every runtime operation now takes context.Context as its first argument —
Extract, Authenticate, Hasher.Hash/Verify, UserLoader.Load,
TokenVerifier.Verify. Thread the request context through; do not use
context.Background() on the request path.
v0's Handler kept iterating filters after a successful authentication and
silently swallowed provider errors. v2 replaces it with:
security.Manager— first-success-wins, then stops; all-fail produces an aggregated error reachable viaerrors.Is.security.Engine— runs extractors, calls theManager, stores the result in the context.httpsec.Middleware/grpcsecinterceptors — wire theEngineinto a transport and map failures to status codes.
v0's Verify returned a bare bool, conflating "wrong password" with
"malformed hash". v2:
ok, err := hasher.Verify(ctx, encodedHash, password)
// err != nil -> malformed hash / unknown algorithm / cancelled
// err == nil -> ok tells you whether the password matchedCall hasher.NeedsRehash(encodedHash) after a successful verify to upgrade
stored hashes when you raise the cost factor.
Replace ad-hoc role checks with attributes, voters, and an
AccessDecisionManager:
adm := security.NewAffirmativeDecisionManager(voter.HasRole("ADMIN"))
mux.Handle("/admin", httpsec.Authorize(adm, security.Role("ADMIN"))(adminHandler))v0's NewOAuth2AuthenticationProvider mixed token issuance and token
validation. v2 separates them:
- Authorization server —
oauth2.NewServer(cfg)exposesTokenHandler,RevokeHandler,IntrospectHandler,MetadataHandler. - Resource server — validate incoming bearer tokens with
bearer+ aTokenVerifier(jwtsecfor JWT access tokens, or introspection).
See examples/oauth2 for both halves wired together, and the examples/ directory for the other per-scenario demos.
The v0 example imported gorilla/mux. v2 examples use the standard
net/http.ServeMux — no third-party router is required, and none is a
dependency of any module.