Add OIDC provider functionality with validation setup

This commit adds OpenID Connect (OIDC) provider functionality to tinyauth, allowing it to act as an OIDC identity provider for other applications. Features: - OIDC discovery endpoint at /.well-known/openid-configuration - Authorization endpoint for OAuth 2.0 authorization code flow - Token endpoint for exchanging authorization codes for tokens - ID token generation with JWT signing - JWKS endpoint for public key distribution - Support for PKCE (code challenge/verifier) - Nonce validation for ID tokens - Configurable OIDC clients with redirect URIs, scopes, and grant types Validation: - Docker Compose setup for local testing - OIDC test client (oidc-whoami) with session management - Nginx reverse proxy configuration - DNS server (dnsmasq) for custom domain resolution - Chrome launch script for easy testing Configuration: - OIDC configuration in config.yaml - Example configuration in config.example.yaml - Database migrations for OIDC client storage
2025-12-31 12:32:29 +00:00 · 2025-12-30 12:17:40 +01:00
parent 986ac88e14
commit 020fcb9878
21 changed files with 1873 additions and 8 deletions
--- a/validation/nginx.conf
+++ b/validation/nginx.conf
@@ -0,0 +1,43 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Use Docker's built-in DNS (127.0.0.11) for service name resolution
+    # This allows nginx to resolve Docker service names like "tinyauth" and "oidc-whoami"
+    resolver 127.0.0.11 valid=10s;
+    resolver_timeout 5s;
+
+    server {
+        listen 80;
+        server_name auth.example.com;
+
+        location / {
+            # Use variable to enable dynamic resolution at request time
+            set $backend "tinyauth:3000";
+            proxy_pass http://$backend;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name client.example.com;
+
+        location / {
+            # Use variable to enable dynamic resolution at request time
+            set $backend "oidc-whoami:8765";
+            proxy_pass http://$backend;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+        }
+    }
+}
+