feat: oidc (#605)

* chore: add oidc base config * wip: authorize page * feat: implement basic oidc functionality * refactor: implement oidc following tinyauth patterns * feat: adapt frontend to oidc flow * fix: review comments * fix: oidc review comments * feat: refresh token grant type support * feat: cleanup expired oidc sessions * feat: frontend i18n * fix: fix typo in error screen * tests: add basic testing * fix: more review comments * refactor: rework oidc error messages * feat: openid discovery endpoint * feat: jwk endpoint * i18n: fix typo * fix: more rabbit nitpicks * fix: final review comments * i18n: authorize page error messages
2026-02-23 09:22:04 +00:00 · 2026-02-01 19:00:59 +02:00
parent 252ba10f48
commit 671343f677
38 changed files with 2573 additions and 64 deletions
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -2,6 +2,7 @@ package middleware

 import (
 	"fmt"
+	"slices"
 	"strings"
 	"time"

@@ -13,6 +14,8 @@ import (
 	"github.com/gin-gonic/gin"
 )

+var OIDCIgnorePaths = []string{"/api/oidc/token", "/api/oidc/userinfo"}
+
 type ContextMiddlewareConfig struct {
 	CookieDomain string
 }
@@ -37,6 +40,13 @@ func (m *ContextMiddleware) Init() error {

 func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
+		// There is no point in trying to get credentials if it's an OIDC endpoint
+		path := c.Request.URL.Path
+		if slices.Contains(OIDCIgnorePaths, strings.TrimSuffix(path, "/")) {
+			c.Next()
+			return
+		}
+
 		cookie, err := m.auth.GetSessionCookie(c)

 		if err != nil {