This commit adds OpenID Connect (OIDC) provider functionality to tinyauth,
allowing it to act as an OIDC identity provider for other applications.
Features:
- OIDC discovery endpoint at /.well-known/openid-configuration
- Authorization endpoint for OAuth 2.0 authorization code flow
- Token endpoint for exchanging authorization codes for tokens
- ID token generation with JWT signing
- JWKS endpoint for public key distribution
- Support for PKCE (code challenge/verifier)
- Nonce validation for ID tokens
- Configurable OIDC clients with redirect URIs, scopes, and grant types
Validation:
- Docker Compose setup for local testing
- OIDC test client (oidc-whoami) with session management
- Nginx reverse proxy configuration
- DNS server (dnsmasq) for custom domain resolution
- Chrome launch script for easy testing
Configuration:
- OIDC configuration in config.yaml
- Example configuration in config.example.yaml
- Database migrations for OIDC client storage
* chore: add yaml config ref
* feat: add initial implementation of a traefik like cli
* refactor: remove dependency on traefik
* chore: update example env
* refactor: update build
* chore: remove unused code
* fix: fix translations not loading
* feat: add experimental config file support
* chore: mod tidy
* fix: review comments
* refactor: move tinyauth to separate package
* chore: add quotes to all env variables
* chore: resolve go mod and sum conflicts
* chore: go mod tidy
* fix: review comments
Previously IsRedirectSafe rejected redirects to the exact cookie domain
when AppURL had multiple subdomain levels, because it stripped the first
label twice.
* feat: add header decoder
* feat: allow for dash substitute over slash for environments like kubernetes
* feat: use decoded headers in proxy controller
* refactor: simplify decode header to node function
* refactor: use stdlib prefix check in header decoder
* fix: lowercase key and filter before comparing
* wip: add middlewares
* refactor: use context fom middleware in handlers
* refactor: use controller approach in handlers
* refactor: move oauth providers into services (non-working)
* feat: create oauth broker service
* refactor: use a boostrap service to bootstrap the app
* refactor: split utils into smaller files
* refactor: use more clear name for frontend assets
* feat: allow customizability of resources dir
* fix: fix typo in ui middleware
* fix: validate resource file paths in ui middleware
* refactor: move resource handling to a controller
* feat: add some logging
* fix: configure middlewares before groups
* fix: use correct api path in login mutation
* fix: coderabbit suggestions
* fix: further coderabbit suggestions
* refactor: move to traefik paerser for label parsing
* fix: sanitize headers before adding to map
* refactor: use splitn in header parser
* refactor: ignore containers that failed to get inspected in docker
* refactor: return all values from body in the providers
* refactor: only accept claims following the OIDC spec
* feat: map info from OIDC claims to headers
* feat: add support for required oauth groups
* fix: bot suggestions
* feat: get claims from github and google
* fix: close body correctly
* wip
* feat: finalize totp gen code
* refactor: split login screen and forms
* feat: add totp logic and ui
* refactor: make totp pending expiry time fixed
* refactor: skip all checks when disable continue is enabled
* fix: fix cli not exiting on invalid input
