hzhang/Dialectic.Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(oidc): backend-mediated OIDC login + session cookies + cli config

Browse Source 
Adds the OpenID Connect login flow Dialectic.Frontend will drive. Pattern
mirrors Fabric.Backend.Center: SPA → /api/auth/oidc/start → IdP →
/api/auth/oidc/callback → 302 to SPA with one-time ticket in URL fragment
→ SPA POST /api/auth/oidc/exchange → HttpOnly session cookie set.

What's added:

  - internal/oidc/service.go — runtime OIDC service:
    * BuildAuthorizeURL (PKCE S256 + random state, 10min ttl)
    * HandleCallback (token exchange + ID token verify + ticket mint, 60s ttl)
    * ExchangeTicket (ticket → session JWT, HS256 24h)
    * VerifySession (cookie validation)
    * GetConfig/SetConfig with sync.Map-backed state/ticket stores
    * SweepExpired (call from background goroutine; clears stale entries)
  - internal/db/migrations/004_oidc_config.sql — single-row oidc_config
    table (issuer/client_id/client_secret/redirect_uri/post_login_redirect/
    scopes/enabled). Runtime-mutable via dialectic-cli.
  - internal/httpapi/handlers/auth.go — 5 endpoints:
    GET  /api/auth/oidc/status   — { enabled }
    GET  /api/auth/oidc/start    — 302 to IdP
    GET  /api/auth/oidc/callback — IdP returns; we 302 to SPA with ticket
    POST /api/auth/oidc/exchange — ticket → cookie + user
    GET  /api/auth/me            — current session user (401 if anon)
    POST /api/auth/logout        — clears cookie
  - internal/auth: replaces the OIDCBrowser Phase-2C stub with one that
    reads the session cookie via SessionVerifier; keeps dev-bypass
    behind cfg.OIDCOnly gate (set OIDC_ONLY=true in prod to disable
    dev-bypass entirely)
  - cmd/dialectic-cli/main.go — new binary; subcommand
    'config oidc [--issuer ... --client-id ... --client-secret ...
                  --callback-url ... --enabled true|false]'
    Runs against same DB the backend uses; reachable via
    'docker exec dialectic-backend dialectic-cli config oidc ...'
  - Dockerfile: build both binaries; put on PATH for docker exec

Config:

  - SESSION_SIGNING_KEY env: required in prod, ephemeral random in dev.
    HS256 secret for session JWTs. Stable across restarts (rotation
    invalidates every session — kill switch).
  - OIDC_ONLY env: 'true' disables the dev-bypass path entirely; use
    in prod once OIDC is configured.
  - OIDC_ISSUER + OIDC_CLIENT_ID env are no longer required at boot —
    they're advisory bootstrap values for the oidc_config DB row.

Deps:
  - github.com/coreos/go-oidc/v3 (discovery + JWKS verify)
  - golang.org/x/oauth2 (token exchange + PKCE)
  - github.com/golang-jwt/jwt/v5 (session JWT)
  - Bumped go.mod toolchain to 1.25.

Pairs with Dialectic.Frontend (next commit) which removes the
/agents/:id admin page and adds the login button + /oidc/callback
SPA route + AuthProvider that talks to these new endpoints.
This commit is contained in:
h z
2026-05-24 01:40:36 +01:00
parent 0b16b52ee7
commit 2463129dbd
11 changed files with 949 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

451
internal/oidc/service.go Normal file
View File

@@ -0,0 +1,451 @@
// Package oidc implements the runtime-configurable OpenID Connect login
// flow for Dialectic. Mirrors Fabric.Backend.Center's pattern:
//
// 1. Browser hits GET /api/auth/oidc/start
// 2. We 302 to the IdP authorize endpoint (PKCE + state)
// 3. IdP redirects back to /api/auth/oidc/callback?code=...&state=...
// 4. We exchange the code for tokens, verify the ID token, mint a
// one-time "ticket" (short random string), and 302 to the SPA at
// the post-login redirect with the ticket in the URL fragment.
// 5. SPA POSTs the ticket to /api/auth/oidc/exchange and gets a
// session JWT set as an HTTP-only cookie.
//
// Why a ticket vs cookie at callback: the callback URL gets logged by
// every nginx / cloudflare in the path. A short-lived ticket that we
// then trade for a real cookie is much safer than putting the session
// JWT in the callback URL.
//
// Storage:
// - config persisted to oidc_config (single-row table; mutated by
// `dialectic-cli config oidc ...`).
// - state + PKCE verifier kept in-memory (sync.Map keyed by state;
// entries expire after 10 min). Single-instance backend is OK with
// in-memory; multi-instance would need a shared store (DB or redis).
// - tickets also in-memory, 60s ttl.
//
// Session JWT:
// - HS256, signed with cfg.SystemAPIKey OR a dedicated SessionSigningKey
// env (latter is cleaner — see config.go).
// - 24h ttl, cookie HttpOnly + Secure + SameSite=Lax + path=/.
// - Claims: sub (user_id), email, name, exp.
package oidc
import (
"context"
"crypto/rand"
"crypto/sha256"
"database/sql"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
"net/url"
"strings"
"sync"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/golang-jwt/jwt/v5"
"github.com/jmoiron/sqlx"
"golang.org/x/oauth2"
)
type Config struct {
Issuer string `db:"issuer"`
ClientID string `db:"client_id"`
ClientSecret string `db:"client_secret"`
RedirectURI string `db:"redirect_uri"`
PostLoginRedirect string `db:"post_login_redirect"`
Scopes string `db:"scopes"` // space-separated
Enabled bool `db:"enabled"`
}
type Service struct {
db *sqlx.DB
sessionSecret []byte
sessionTTL time.Duration
state sync.Map // state -> *stateEntry
tickets sync.Map // ticket -> *ticketEntry
cachedProvider *oidc.Provider
cachedProviderAt time.Time
cachedIssuer string
mu sync.Mutex
}
type stateEntry struct {
verifier string
expiresAt time.Time
postRedir string // the eventual SPA URL to bounce to
}
type ticketEntry struct {
userID string
email string
name string
expiresAt time.Time
}
// NewService wires the OIDC service. sessionSecret is the HS256 signing
// key for session JWTs — must be a stable per-deployment secret (>= 32
// bytes random). sessionTTL is how long the cookie stays valid (default
// 24h is fine for a dashboard).
func NewService(db *sqlx.DB, sessionSecret []byte, sessionTTL time.Duration) *Service {
if sessionTTL <= 0 {
sessionTTL = 24 * time.Hour
}
return &Service{
db: db,
sessionSecret: sessionSecret,
sessionTTL: sessionTTL,
}
}
// IsEnabled returns true iff a fully-configured + flag-on OIDC config
// is in the DB. Safe to call frequently — direct DB hit, no cache (the
// SPA polls this on every load).
func (s *Service) IsEnabled(ctx context.Context) (bool, error) {
c, err := s.GetConfig(ctx)
if err != nil {
return false, err
}
if c == nil {
return false, nil
}
return c.Enabled && c.Issuer != "" && c.ClientID != "" && c.RedirectURI != "", nil
}
func (s *Service) GetConfig(ctx context.Context) (*Config, error) {
var c Config
err := s.db.GetContext(ctx, &c, `SELECT issuer, client_id, client_secret, redirect_uri, post_login_redirect, scopes, enabled FROM oidc_config WHERE id='singleton'`)
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
if err != nil {
return nil, err
}
return &c, nil
}
// SetConfig mutates only the fields present in patch (non-nil pointer).
// Pass &"" to clear a string; pass nil to leave unchanged. Enabled is
// the only field where false has a meaning distinct from "unchanged"
// so use a pointer.
type ConfigPatch struct {
Issuer *string
ClientID *string
ClientSecret *string
RedirectURI *string
PostLoginRedirect *string
Scopes *string
Enabled *bool
}
func (s *Service) SetConfig(ctx context.Context, p ConfigPatch) (*Config, error) {
// Read-modify-write under a tx so two concurrent CLI invocations
// don't lose updates.
tx, err := s.db.BeginTxx(ctx, nil)
if err != nil {
return nil, err
}
defer func() { _ = tx.Rollback() }()
var c Config
if err := tx.GetContext(ctx, &c, `SELECT issuer, client_id, client_secret, redirect_uri, post_login_redirect, scopes, enabled FROM oidc_config WHERE id='singleton' FOR UPDATE`); err != nil {
return nil, err
}
if p.Issuer != nil {
c.Issuer = *p.Issuer
}
if p.ClientID != nil {
c.ClientID = *p.ClientID
}
if p.ClientSecret != nil {
c.ClientSecret = *p.ClientSecret
}
if p.RedirectURI != nil {
c.RedirectURI = *p.RedirectURI
}
if p.PostLoginRedirect != nil {
c.PostLoginRedirect = *p.PostLoginRedirect
}
if p.Scopes != nil {
c.Scopes = *p.Scopes
}
if p.Enabled != nil {
c.Enabled = *p.Enabled
}
if _, err := tx.ExecContext(ctx,
`UPDATE oidc_config SET issuer=?, client_id=?, client_secret=?, redirect_uri=?, post_login_redirect=?, scopes=?, enabled=? WHERE id='singleton'`,
c.Issuer, c.ClientID, c.ClientSecret, c.RedirectURI, c.PostLoginRedirect, c.Scopes, c.Enabled,
); err != nil {
return nil, err
}
if err := tx.Commit(); err != nil {
return nil, err
}
// Bust provider cache — the issuer might have changed.
s.mu.Lock()
s.cachedProvider = nil
s.cachedIssuer = ""
s.mu.Unlock()
return &c, nil
}
// provider returns a cached *oidc.Provider; cache invalidates when the
// issuer changes (SetConfig clears it) or after 1 hour (defensive
// against stale JWKS cache).
func (s *Service) provider(ctx context.Context, issuer string) (*oidc.Provider, error) {
s.mu.Lock()
defer s.mu.Unlock()
if s.cachedProvider != nil && s.cachedIssuer == issuer && time.Since(s.cachedProviderAt) < time.Hour {
return s.cachedProvider, nil
}
p, err := oidc.NewProvider(ctx, issuer)
if err != nil {
return nil, fmt.Errorf("oidc discovery for %s: %w", issuer, err)
}
s.cachedProvider = p
s.cachedIssuer = issuer
s.cachedProviderAt = time.Now()
return p, nil
}
// BuildAuthorizeURL generates the IdP authorize URL + remembers the
// PKCE verifier + state. Caller redirects the browser to the URL.
func (s *Service) BuildAuthorizeURL(ctx context.Context) (string, error) {
c, err := s.GetConfig(ctx)
if err != nil {
return "", err
}
if c == nil || !c.Enabled {
return "", errors.New("oidc not enabled")
}
if c.Issuer == "" || c.ClientID == "" || c.RedirectURI == "" {
return "", errors.New("oidc config incomplete (need issuer + client_id + redirect_uri)")
}
p, err := s.provider(ctx, c.Issuer)
if err != nil {
return "", err
}
verifier := randomBase64URL(48)
challenge := pkceS256(verifier)
state := randomBase64URL(24)
s.state.Store(state, &stateEntry{
verifier: verifier,
expiresAt: time.Now().Add(10 * time.Minute),
postRedir: c.PostLoginRedirect,
})
cfg := oauth2.Config{
ClientID: c.ClientID,
ClientSecret: c.ClientSecret,
Endpoint: p.Endpoint(),
RedirectURL: c.RedirectURI,
Scopes: strings.Fields(c.Scopes),
}
return cfg.AuthCodeURL(state,
oauth2.AccessTypeOnline,
oauth2.SetAuthURLParam("code_challenge", challenge),
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
), nil
}
// HandleCallback exchanges the code for tokens, verifies the ID token,
// mints a one-time ticket, and returns the ticket + post-login redirect.
// Caller (HTTP handler) 302's the browser there with the ticket in the
// URL fragment.
func (s *Service) HandleCallback(ctx context.Context, code, state string) (ticket, redirect string, err error) {
if code == "" || state == "" {
return "", "", errors.New("missing code or state")
}
v, ok := s.state.LoadAndDelete(state)
if !ok {
return "", "", errors.New("unknown state (expired or replay)")
}
entry := v.(*stateEntry)
if time.Now().After(entry.expiresAt) {
return "", "", errors.New("state expired")
}
c, err := s.GetConfig(ctx)
if err != nil || c == nil || !c.Enabled {
return "", "", errors.New("oidc not enabled")
}
p, err := s.provider(ctx, c.Issuer)
if err != nil {
return "", "", err
}
cfg := oauth2.Config{
ClientID: c.ClientID,
ClientSecret: c.ClientSecret,
Endpoint: p.Endpoint(),
RedirectURL: c.RedirectURI,
Scopes: strings.Fields(c.Scopes),
}
tok, err := cfg.Exchange(ctx, code,
oauth2.SetAuthURLParam("code_verifier", entry.verifier),
)
if err != nil {
return "", "", fmt.Errorf("token exchange: %w", err)
}
rawID, ok := tok.Extra("id_token").(string)
if !ok || rawID == "" {
return "", "", errors.New("no id_token in response")
}
verifier := p.Verifier(&oidc.Config{ClientID: c.ClientID})
idTok, err := verifier.Verify(ctx, rawID)
if err != nil {
return "", "", fmt.Errorf("id_token verify: %w", err)
}
var claims struct {
Sub string `json:"sub"`
Email string `json:"email"`
PreferredUsername string `json:"preferred_username"`
Name string `json:"name"`
}
if err := idTok.Claims(&claims); err != nil {
return "", "", fmt.Errorf("claims decode: %w", err)
}
// Pick the most useful display name.
displayName := claims.Name
if displayName == "" {
displayName = claims.PreferredUsername
}
if displayName == "" {
displayName = claims.Email
}
if claims.Sub == "" {
return "", "", errors.New("id_token missing sub claim")
}
// Mint one-time ticket (60s, single-use).
t := randomBase64URL(32)
s.tickets.Store(t, &ticketEntry{
userID: claims.Sub,
email: claims.Email,
name: displayName,
expiresAt: time.Now().Add(60 * time.Second),
})
redirect = entry.postRedir
if redirect == "" {
redirect = "/"
}
return t, redirect, nil
}
// ExchangeTicket validates the ticket and returns a signed session JWT
// + its expiry. Single-use; deleted on first read regardless of result.
func (s *Service) ExchangeTicket(ticket string) (jwt string, expiresAt time.Time, user UserClaims, err error) {
if ticket == "" {
err = errors.New("missing ticket")
return
}
v, ok := s.tickets.LoadAndDelete(ticket)
if !ok {
err = errors.New("unknown ticket (expired, used, or invalid)")
return
}
entry := v.(*ticketEntry)
if time.Now().After(entry.expiresAt) {
err = errors.New("ticket expired")
return
}
user = UserClaims{
Sub: entry.userID,
Email: entry.email,
Name: entry.name,
}
expiresAt = time.Now().Add(s.sessionTTL)
jwt, err = s.signSession(user, expiresAt)
return
}
// UserClaims is what a session cookie carries. Kept tiny: sub + email
// + name. Anything heavier (roles, group memberships) should hit
// /api/auth/me which can re-derive on demand.
type UserClaims struct {
Sub string `json:"sub"`
Email string `json:"email"`
Name string `json:"name"`
}
func (s *Service) signSession(u UserClaims, expiresAt time.Time) (string, error) {
tok := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"sub": u.Sub,
"email": u.Email,
"name": u.Name,
"exp": expiresAt.Unix(),
})
return tok.SignedString(s.sessionSecret)
}
// VerifySession parses a session JWT and returns the claims if valid.
// Used by auth middleware.
func (s *Service) VerifySession(raw string) (*UserClaims, error) {
tok, err := jwt.Parse(raw, func(t *jwt.Token) (any, error) {
if t.Method != jwt.SigningMethodHS256 {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
}
return s.sessionSecret, nil
})
if err != nil {
return nil, err
}
claims, ok := tok.Claims.(jwt.MapClaims)
if !ok || !tok.Valid {
return nil, errors.New("invalid token")
}
sub, _ := claims["sub"].(string)
email, _ := claims["email"].(string)
name, _ := claims["name"].(string)
if sub == "" {
return nil, errors.New("token missing sub")
}
return &UserClaims{Sub: sub, Email: email, Name: name}, nil
}
// SweepExpired removes expired state + ticket entries. Call from a
// background goroutine every ~1min so the maps don't grow unbounded
// on a forever-running process.
func (s *Service) SweepExpired() {
now := time.Now()
s.state.Range(func(k, v any) bool {
if e, ok := v.(*stateEntry); ok && now.After(e.expiresAt) {
s.state.Delete(k)
}
return true
})
s.tickets.Range(func(k, v any) bool {
if e, ok := v.(*ticketEntry); ok && now.After(e.expiresAt) {
s.tickets.Delete(k)
}
return true
})
}
// randomBase64URL returns a URL-safe random string of the given byte length
// (so the resulting string is ~1.3x longer after base64). Panics on
// crypto/rand failure (the process is doomed anyway).
func randomBase64URL(n int) string {
b := make([]byte, n)
if _, err := rand.Read(b); err != nil {
panic("rand: " + err.Error())
}
return base64.RawURLEncoding.EncodeToString(b)
}
// pkceS256 returns the BASE64URL(SHA256(verifier)) PKCE code challenge.
func pkceS256(verifier string) string {
h := sha256.Sum256([]byte(verifier))
return base64.RawURLEncoding.EncodeToString(h[:])
}
// hashCallbackHint is a tiny utility for logging callback errors
// without dumping the raw URL (which may contain tokens). Not used in
// hot path; here so callers can build observability later.
func hashCallbackHint(u *url.URL) string {
if u == nil {
return ""
}
h := sha256.Sum256([]byte(u.Path + "?" + u.RawQuery))
return hex.EncodeToString(h[:6])
}
// silence unused — keep available for future logging.
var _ = hashCallbackHint