chore: merge oidc-authorize branch

internal/bootstrap/router_bootstrap.go

@@ -59,7 +59,7 @@ func (app *BootstrapApp) setupRouter() error {
 
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
 	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter, &engine.RouterGroup)
 	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)

internal/controller/controller.go

@@ -1,5 +1,12 @@
 package controller
 
+type FrontendLoginFor string
+
+const (
+	FrontendLoginForOIDC FrontendLoginFor = "oidc"
+	FrontendLoginForApp  FrontendLoginFor = "app"
+)
+
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
@@ -8,5 +15,6 @@ type UnauthorizedQuery struct {
 }
 
 type RedirectQuery struct {
-	RedirectURI string `url:"redirect_uri"`
+	RedirectURI string           `url:"redirect_uri"`
+	LoginFor    FrontendLoginFor `url:"login_for"`
 }

internal/controller/oauth_controller.go

@@ -61,7 +61,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	var reqParams service.OAuthURLParams
+	var reqParams service.OAuthCallbackParams
 
 	err = c.BindQuery(&reqParams)
 
@@ -83,7 +83,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		}
 	}
 
-	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
+	sessionId, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
@@ -272,13 +272,14 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/oidc/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
 		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
+			LoginFor:    FrontendLoginForApp,
 		})
 
 		if err != nil {
@@ -294,11 +295,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
 
-func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
-	return params.Scope != "" &&
-		params.ResponseType != "" &&
-		params.ClientID != "" &&
-		params.RedirectURI != ""
+func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
+	return params.LoginFor == string(FrontendLoginForOIDC)
 }
 
 func (controller *OAuthController) getCookieDomain() string {

internal/controller/oidc_controller.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -23,6 +24,7 @@ type authorizeErrorParams struct {
 	callback      string
 	callbackError string
 	state         string
+	json          bool
 }
 
 type OIDCController struct {
@@ -65,20 +67,34 @@ type ClientCredentials struct {
 	ClientSecret string
 }
 
+type AuthorizeScreenParams struct {
+	LoginFor   FrontendLoginFor `url:"login_for"`
+	OIDCTicket string           `url:"oidc_ticket"`
+	OIDCScope  string           `url:"oidc_scope"`
+	OIDCName   string           `url:"oidc_name"`
+}
+
+type AuthorizeCompleteRequest struct {
+	Ticket string `json:"ticket" binding:"required"`
+}
+
 func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup) *OIDCController {
+	router *gin.RouterGroup,
+	mainRouter *gin.RouterGroup) *OIDCController {
 	controller := &OIDCController{
 		log:     log,
 		oidc:    oidcService,
 		runtime: runtimeConfig,
 	}
 
+	mainRouter.POST("/authorize", controller.authorize)
+	mainRouter.GET("/authorize", controller.authorize)
+
 	oidcGroup := router.Group("/oidc")
-	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
-	oidcGroup.POST("/authorize", controller.Authorize)
+	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
@@ -86,47 +102,10 @@ func NewOIDCController(
 	return controller
 }
 
-func (controller *OIDCController) GetClientInfo(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC not configured",
-		})
-		return
-	}
-
-	var req ClientRequest
-
-	err := c.BindUri(&req)
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	client, ok := controller.oidc.GetClient(req.ClientID)
-
-	if !ok {
-		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
-		c.JSON(404, gin.H{
-			"status":  404,
-			"message": "Client not found",
-		})
-		return
-	}
-
-	c.JSON(200, gin.H{
-		"status": 200,
-		"client": client.ClientID,
-		"name":   client.Name,
-	})
-}
-
-func (controller *OIDCController) Authorize(c *gin.Context) {
+// This endpoint does **not** return a code, it handles param validation, ticket creation
+// and then redirects to the frontend to handle the consent screen. It performs no destructive
+// actions (like logging out an existing session)
+func (controller *OIDCController) authorize(c *gin.Context) {
 	if controller.oidc == nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
@@ -136,40 +115,19 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
 
-	userContext, err := new(model.UserContext).NewFromGin(c)
+	req, err := controller.resolveAuthorizeRequest(c)
 
 	if err != nil {
+		controller.log.App.Warn().Err(err).Msg("Failed to resolve authorize request")
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
-			reason:       "Failed to get user context",
-			reasonPublic: "User is not logged in or the session is invalid",
+			reason:       "Failed to resolve authorize request",
+			reasonPublic: "The authorization request is invalid",
 		})
 		return
 	}
 
-	if !userContext.Authenticated {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          errors.New("err user not logged in"),
-			reason:       "User not logged in",
-			reasonPublic: "The user is not logged in",
-		})
-		return
-	}
-
-	var req service.AuthorizeRequest
-
-	err = c.Bind(&req)
-
-	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Failed to bind JSON",
-			reasonPublic: "The client provided an invalid authorization request",
-		})
-		return
-	}
-
-	_, ok := controller.oidc.GetClient(req.ClientID)
+	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
 		controller.authorizeError(c, authorizeErrorParams{
@@ -180,7 +138,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
 
-	err = controller.oidc.ValidateAuthorizeParams(req)
+	err = controller.oidc.ValidateAuthorizeParams(*req)
 
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
@@ -203,8 +161,97 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
 
+	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
+
+	queries, err := query.Values(AuthorizeScreenParams{
+		LoginFor:   FrontendLoginForOIDC,
+		OIDCTicket: ticket,
+		OIDCScope:  req.Scope,
+		OIDCName:   client.Name,
+	})
+
+	if err != nil {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          err,
+			reason:       "Failed to compile authorize queries",
+			reasonPublic: "An internal error occured while processing your request",
+		})
+		return
+	}
+
+	redirectUrl := fmt.Sprintf("%s/oidc/authorize?%s", controller.oidc.GetIssuer(), queries.Encode())
+	c.Redirect(http.StatusFound, redirectUrl)
+}
+
+// The actual **internal** endpoint that actually creates the code and session.
+// It is called by the frontend after the user has logged in and given consent.
+func (controller *OIDCController) authorizeComplete(c *gin.Context) {
+	if controller.oidc == nil {
+		// For this endpoint we return JSON errors since it's called
+		// by the frontend and not an external client, so there's
+		// no redirect_uri to send the user to in case of error
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          errors.New("err_oidc_not_configured"),
+			reason:       "OIDC not configured",
+			reasonPublic: "This instance is not configured for OIDC",
+			json:         true,
+		})
+		return
+	}
+
+	userContext, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          err,
+			reason:       "Failed to get user context",
+			reasonPublic: "User is not logged in or the session is invalid",
+			json:         true,
+		})
+		return
+	}
+
+	if !userContext.Authenticated {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          errors.New("err user not logged in"),
+			reason:       "User not logged in",
+			reasonPublic: "The user is not logged in",
+			json:         true,
+		})
+		return
+	}
+
+	var req AuthorizeCompleteRequest
+
+	err = c.BindJSON(&req)
+
+	if err != nil {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          err,
+			reason:       "Failed to bind JSON",
+			reasonPublic: "The client provided an invalid authorization request",
+			json:         true,
+		})
+		return
+	}
+
+	authorizeReq, ok := controller.oidc.GetAuthorizeRequestByTicket(req.Ticket)
+
+	if !ok {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          errors.New("authorize request not found for ticket"),
+			reason:       "Invalid or expired ticket",
+			reasonPublic: "The authorization request has expired or is invalid",
+			json:         true,
+		})
+		return
+	}
+
+	// We no longer need the ticket
+	controller.oidc.DeleteAuthorizeRequestTicket(req.Ticket)
+
 	// Create the sub to find and delete old sessions
-	sub := controller.oidc.CreateSub(*userContext, req.ClientID)
+	sub := controller.oidc.CreateSub(*userContext, authorizeReq.ClientID)
 
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
@@ -213,19 +260,20 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to delete old sessions",
 			reasonPublic:  "Failed to delete old sessions",
-			callback:      req.RedirectURI,
+			callback:      authorizeReq.RedirectURI,
 			callbackError: "server_error",
-			state:         req.State,
+			state:         authorizeReq.State,
+			json:          true,
 		})
 		return
 	}
 
 	// Create the authorization code
-	code := controller.oidc.CreateCode(req, *userContext)
+	code := controller.oidc.CreateCode(*authorizeReq, *userContext)
 
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
-		State: req.State,
+		State: authorizeReq.State,
 	})
 
 	if err != nil {
@@ -233,16 +281,17 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to build query",
 			reasonPublic:  "Failed to build query",
-			callback:      req.RedirectURI,
+			callback:      authorizeReq.RedirectURI,
 			callbackError: "server_error",
-			state:         req.State,
+			state:         authorizeReq.State,
+			json:          true,
 		})
 		return
 	}
 
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s?%s", req.RedirectURI, queries.Encode()),
+		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
 	})
 }
 
@@ -533,14 +582,22 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		queries, err := query.Values(errorQueries)
 
 		if err != nil {
+			controller.log.App.Error().Err(err).Msg("Failed to build callback error query")
 			c.AbortWithStatus(http.StatusInternalServerError)
 			return
 		}
 
-		c.JSON(200, gin.H{
-			"status":       200,
-			"redirect_uri": fmt.Sprintf("%s?%s", params.callback, queries.Encode()),
-		})
+		redirectUrl := fmt.Sprintf("%s?%s", params.callback, queries.Encode())
+
+		if params.json {
+			c.JSON(200, gin.H{
+				"status":       200,
+				"redirect_uri": redirectUrl,
+			})
+			return
+		}
+
+		c.Redirect(http.StatusFound, redirectUrl)
 		return
 	}
 
@@ -551,6 +608,7 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 	queries, err := query.Values(errorQueries)
 
 	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to build error query")
 		c.AbortWithStatus(http.StatusInternalServerError)
 		return
 	}
@@ -563,8 +621,61 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
 	}
 
-	c.JSON(200, gin.H{
-		"status":       200,
-		"redirect_uri": redirectUrl,
-	})
+	if params.json {
+		c.JSON(200, gin.H{
+			"status":       200,
+			"redirect_uri": redirectUrl,
+		})
+		return
+	}
+
+	c.Redirect(http.StatusFound, redirectUrl)
+}
+
+func (controller *OIDCController) resolveAuthorizeRequest(c *gin.Context) (*service.AuthorizeRequest, error) {
+	// step 1: if we have a request object, decode it and ignore other params. If not, bind the params as usual
+	// we check both query and form parameters for the request object since this endpoint can be called with both GET and POST
+	requestObject, err := controller.resolveRequestObject(c)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if requestObject != nil {
+		return requestObject, nil
+	}
+
+	// step 2: by default we assume normal GET query parameters
+	// step 3: if it's a POST request, we try form parameters
+	return controller.resolveNormalParams(c)
+}
+
+func (controller *OIDCController) resolveRequestObject(c *gin.Context) (*service.AuthorizeRequest, error) {
+	raw := c.Query("request")
+
+	if raw == "" && c.Request.Method == http.MethodPost {
+		raw = c.PostForm("request")
+	}
+
+	if raw == "" {
+		return nil, nil
+	}
+
+	return controller.oidc.DecodeAuthorizeJWT(raw)
+}
+
+func (controller *OIDCController) resolveNormalParams(c *gin.Context) (*service.AuthorizeRequest, error) {
+	var req service.AuthorizeRequest
+
+	bind := binding.Query
+
+	if c.Request.Method == http.MethodPost {
+		bind = binding.Form
+	}
+
+	if err := c.ShouldBindWith(&req, bind); err != nil {
+		return nil, err
+	}
+
+	return &req, nil
 }

internal/controller/proxy_controller.go

@@ -275,6 +275,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
+		LoginFor:    FrontendLoginForApp,
 	})
 
 	if err != nil {

internal/controller/proxy_controller_test.go

@@ -3,6 +3,7 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -76,7 +77,9 @@ func TestProxyController(t *testing.T) {
 
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -89,7 +92,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -103,7 +108,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/hello"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -119,7 +126,9 @@ func TestProxyController(t *testing.T) {
 
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -134,7 +143,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -150,7 +161,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{

internal/middleware/ui_middleware.go

@@ -38,7 +38,7 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
 		switch strings.SplitN(path, "/", 2)[0] {
-		case "api", "resources", ".well-known":
+		case "api", "resources", ".well-known", "authorize":
 			c.Next()
 			return
 		case "robots.txt":

internal/service/auth_service.go

@@ -30,17 +30,14 @@ var (
 	ErrUserNotFound = errors.New("user not found")
 )
 
-// slightly modified version of the AuthorizeRequest from the OIDC service to basically accept all
-// parameters and pass them to the authorize page if needed
-type OAuthURLParams struct {
-	Scope               string `form:"scope" url:"scope"`
-	ResponseType        string `form:"response_type" url:"response_type"`
-	ClientID            string `form:"client_id" url:"client_id"`
-	RedirectURI         string `form:"redirect_uri" url:"redirect_uri"`
-	State               string `form:"state" url:"state"`
-	Nonce               string `form:"nonce" url:"nonce"`
-	CodeChallenge       string `form:"code_challenge" url:"code_challenge"`
-	CodeChallengeMethod string `form:"code_challenge_method" url:"code_challenge_method"`
+// We either store params for redirecting to an app after OAuth login,
+// or for redirecting back to the authorize screen to continue OIDC
+type OAuthCallbackParams struct {
+	LoginFor    string `form:"login_for" url:"login_for"`
+	OIDCTicket  string `form:"oidc_ticket" url:"oidc_ticket"`
+	OIDCScope   string `form:"oidc_scope" url:"oidc_scope"`
+	OIDCName    string `form:"oidc_name" url:"oidc_name"`
+	RedirectURI string `form:"redirect_uri" url:"redirect_uri"`
 }
 
 type OAuthPendingSession struct {
@@ -49,7 +46,7 @@ type OAuthPendingSession struct {
 	Token          *oauth2.Token
 	Service        *OAuthServiceImpl
 	ExpiresAt      time.Time
-	CallbackParams OAuthURLParams
+	CallbackParams OAuthCallbackParams
 }
 
 type LoginAttempt struct {
@@ -516,17 +513,17 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
 
-func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
+func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbackParams) (string, error) {
 	service, ok := auth.oauthBroker.GetService(serviceName)
 
 	if !ok {
-		return "", OAuthPendingSession{}, fmt.Errorf("oauth service not found: %s", serviceName)
+		return "", fmt.Errorf("oauth service not found: %s", serviceName)
 	}
 
 	sessionId, err := uuid.NewRandom()
 
 	if err != nil {
-		return "", OAuthPendingSession{}, fmt.Errorf("failed to generate session ID: %w", err)
+		return "", fmt.Errorf("failed to generate session ID: %w", err)
 	}
 
 	state := service.NewRandom()
@@ -542,7 +539,7 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLPara
 
 	auth.caches.oauth.Set(sessionId.String(), session, time.Minute*10)
 
-	return sessionId.String(), session, nil
+	return sessionId.String(), nil
 }
 
 func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {

internal/service/oidc_service.go

@@ -20,6 +20,7 @@ import (
 	"slices"
 
 	"github.com/go-jose/go-jose/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -106,14 +107,15 @@ type TokenResponse struct {
 }
 
 type AuthorizeRequest struct {
-	Scope               string `json:"scope" binding:"required"`
-	ResponseType        string `json:"response_type" binding:"required"`
-	ClientID            string `json:"client_id" binding:"required"`
-	RedirectURI         string `json:"redirect_uri" binding:"required"`
-	State               string `json:"state"`
-	Nonce               string `json:"nonce"`
-	CodeChallenge       string `json:"code_challenge"`
-	CodeChallengeMethod string `json:"code_challenge_method"`
+	jwt.Claims
+	Scope               string `form:"scope" json:"scope" url:"scope"`
+	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
+	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
+	RedirectURI         string `form:"redirect_uri" json:"redirect_uri" url:"redirect_uri"`
+	State               string `form:"state" json:"state" url:"state"`
+	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
+	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`
+	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" url:"code_challenge_method"`
 }
 
 type AuthorizeCodeEntry struct {
@@ -142,8 +144,9 @@ type OIDCService struct {
 	issuer     string
 
 	caches struct {
-		code     *CacheStore[AuthorizeCodeEntry]
-		usedCode *CacheStore[UsedCodeEntry]
+		code      *CacheStore[AuthorizeCodeEntry]
+		usedCode  *CacheStore[UsedCodeEntry]
+		authorize *CacheStore[AuthorizeRequest]
 	}
 }
 
@@ -311,8 +314,11 @@ func NewOIDCService(
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
 	usedCode := NewCacheStore[UsedCodeEntry](256)
+	authorize := NewCacheStore[AuthorizeRequest](256)
+
 	service.caches.code = codeCash
 	service.caches.usedCode = usedCode
+	service.caches.authorize = authorize
 
 	// Start cache cleanup routine
 	dg.Go(func(ctx context.Context) {
@@ -324,6 +330,7 @@ func NewOIDCService(
 			case <-ticker.C:
 				service.caches.code.Sweep()
 				service.caches.usedCode.Sweep()
+				service.caches.authorize.Sweep()
 			case <-ctx.Done():
 				return
 			}
@@ -856,3 +863,44 @@ func (service *OIDCService) MarkCodeAsUsed(codeHash string, sub string) {
 func (service *OIDCService) DeleteSessionBySub(ctx context.Context, sub string) error {
 	return service.queries.DeleteOIDCSessionBySub(ctx, sub)
 }
+
+func (service *OIDCService) CreateAuthorizeRequestTicket(req AuthorizeRequest) string {
+	ticket := utils.GenerateString(32)
+
+	service.caches.authorize.Set(ticket, req, 10*time.Minute)
+
+	return ticket
+}
+
+func (service *OIDCService) GetAuthorizeRequestByTicket(ticket string) (*AuthorizeRequest, bool) {
+	entry, ok := service.caches.authorize.Get(ticket)
+
+	if !ok {
+		return nil, false
+	}
+
+	return &entry, true
+}
+
+func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
+	service.caches.authorize.Delete(ticket)
+}
+
+// TODO: support signed request objects in the future
+func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
+	var req AuthorizeRequest
+
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
+	}
+
+	claims, ok := token.Claims.(*AuthorizeRequest)
+
+	if !ok {
+		return nil, errors.New("failed to parse claims from authorize request jwt")
+	}
+
+	return claims, nil
+}