hzhang
2463129dbd
Adds the OpenID Connect login flow Dialectic.Frontend will drive. Pattern
mirrors Fabric.Backend.Center: SPA → /api/auth/oidc/start → IdP →
/api/auth/oidc/callback → 302 to SPA with one-time ticket in URL fragment
→ SPA POST /api/auth/oidc/exchange → HttpOnly session cookie set.
What's added:
- internal/oidc/service.go — runtime OIDC service:
* BuildAuthorizeURL (PKCE S256 + random state, 10min ttl)
* HandleCallback (token exchange + ID token verify + ticket mint, 60s ttl)
* ExchangeTicket (ticket → session JWT, HS256 24h)
* VerifySession (cookie validation)
* GetConfig/SetConfig with sync.Map-backed state/ticket stores
* SweepExpired (call from background goroutine; clears stale entries)
- internal/db/migrations/004_oidc_config.sql — single-row oidc_config
table (issuer/client_id/client_secret/redirect_uri/post_login_redirect/
scopes/enabled). Runtime-mutable via dialectic-cli.
- internal/httpapi/handlers/auth.go — 5 endpoints:
GET /api/auth/oidc/status — { enabled }
GET /api/auth/oidc/start — 302 to IdP
GET /api/auth/oidc/callback — IdP returns; we 302 to SPA with ticket
POST /api/auth/oidc/exchange — ticket → cookie + user
GET /api/auth/me — current session user (401 if anon)
POST /api/auth/logout — clears cookie
- internal/auth: replaces the OIDCBrowser Phase-2C stub with one that
reads the session cookie via SessionVerifier; keeps dev-bypass
behind cfg.OIDCOnly gate (set OIDC_ONLY=true in prod to disable
dev-bypass entirely)
- cmd/dialectic-cli/main.go — new binary; subcommand
'config oidc [--issuer ... --client-id ... --client-secret ...
--callback-url ... --enabled true|false]'
Runs against same DB the backend uses; reachable via
'docker exec dialectic-backend dialectic-cli config oidc ...'
- Dockerfile: build both binaries; put on PATH for docker exec
Config:
- SESSION_SIGNING_KEY env: required in prod, ephemeral random in dev.
HS256 secret for session JWTs. Stable across restarts (rotation
invalidates every session — kill switch).
- OIDC_ONLY env: 'true' disables the dev-bypass path entirely; use
in prod once OIDC is configured.
- OIDC_ISSUER + OIDC_CLIENT_ID env are no longer required at boot —
they're advisory bootstrap values for the oidc_config DB row.
Deps:
- github.com/coreos/go-oidc/v3 (discovery + JWKS verify)
- golang.org/x/oauth2 (token exchange + PKCE)
- github.com/golang-jwt/jwt/v5 (session JWT)
- Bumped go.mod toolchain to 1.25.
Pairs with Dialectic.Frontend (next commit) which removes the
/agents/:id admin page and adds the login button + /oidc/callback
SPA route + AuthProvider that talks to these new endpoints.
452 lines
14 KiB
Go
452 lines
14 KiB
Go
// Package oidc implements the runtime-configurable OpenID Connect login
|
|
// flow for Dialectic. Mirrors Fabric.Backend.Center's pattern:
|
|
//
|
|
// 1. Browser hits GET /api/auth/oidc/start
|
|
// 2. We 302 to the IdP authorize endpoint (PKCE + state)
|
|
// 3. IdP redirects back to /api/auth/oidc/callback?code=...&state=...
|
|
// 4. We exchange the code for tokens, verify the ID token, mint a
|
|
// one-time "ticket" (short random string), and 302 to the SPA at
|
|
// the post-login redirect with the ticket in the URL fragment.
|
|
// 5. SPA POSTs the ticket to /api/auth/oidc/exchange and gets a
|
|
// session JWT set as an HTTP-only cookie.
|
|
//
|
|
// Why a ticket vs cookie at callback: the callback URL gets logged by
|
|
// every nginx / cloudflare in the path. A short-lived ticket that we
|
|
// then trade for a real cookie is much safer than putting the session
|
|
// JWT in the callback URL.
|
|
//
|
|
// Storage:
|
|
// - config persisted to oidc_config (single-row table; mutated by
|
|
// `dialectic-cli config oidc ...`).
|
|
// - state + PKCE verifier kept in-memory (sync.Map keyed by state;
|
|
// entries expire after 10 min). Single-instance backend is OK with
|
|
// in-memory; multi-instance would need a shared store (DB or redis).
|
|
// - tickets also in-memory, 60s ttl.
|
|
//
|
|
// Session JWT:
|
|
// - HS256, signed with cfg.SystemAPIKey OR a dedicated SessionSigningKey
|
|
// env (latter is cleaner — see config.go).
|
|
// - 24h ttl, cookie HttpOnly + Secure + SameSite=Lax + path=/.
|
|
// - Claims: sub (user_id), email, name, exp.
|
|
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"database/sql"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/jmoiron/sqlx"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
type Config struct {
|
|
Issuer string `db:"issuer"`
|
|
ClientID string `db:"client_id"`
|
|
ClientSecret string `db:"client_secret"`
|
|
RedirectURI string `db:"redirect_uri"`
|
|
PostLoginRedirect string `db:"post_login_redirect"`
|
|
Scopes string `db:"scopes"` // space-separated
|
|
Enabled bool `db:"enabled"`
|
|
}
|
|
|
|
type Service struct {
|
|
db *sqlx.DB
|
|
sessionSecret []byte
|
|
sessionTTL time.Duration
|
|
state sync.Map // state -> *stateEntry
|
|
tickets sync.Map // ticket -> *ticketEntry
|
|
cachedProvider *oidc.Provider
|
|
cachedProviderAt time.Time
|
|
cachedIssuer string
|
|
mu sync.Mutex
|
|
}
|
|
|
|
type stateEntry struct {
|
|
verifier string
|
|
expiresAt time.Time
|
|
postRedir string // the eventual SPA URL to bounce to
|
|
}
|
|
|
|
type ticketEntry struct {
|
|
userID string
|
|
email string
|
|
name string
|
|
expiresAt time.Time
|
|
}
|
|
|
|
// NewService wires the OIDC service. sessionSecret is the HS256 signing
|
|
// key for session JWTs — must be a stable per-deployment secret (>= 32
|
|
// bytes random). sessionTTL is how long the cookie stays valid (default
|
|
// 24h is fine for a dashboard).
|
|
func NewService(db *sqlx.DB, sessionSecret []byte, sessionTTL time.Duration) *Service {
|
|
if sessionTTL <= 0 {
|
|
sessionTTL = 24 * time.Hour
|
|
}
|
|
return &Service{
|
|
db: db,
|
|
sessionSecret: sessionSecret,
|
|
sessionTTL: sessionTTL,
|
|
}
|
|
}
|
|
|
|
// IsEnabled returns true iff a fully-configured + flag-on OIDC config
|
|
// is in the DB. Safe to call frequently — direct DB hit, no cache (the
|
|
// SPA polls this on every load).
|
|
func (s *Service) IsEnabled(ctx context.Context) (bool, error) {
|
|
c, err := s.GetConfig(ctx)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
if c == nil {
|
|
return false, nil
|
|
}
|
|
return c.Enabled && c.Issuer != "" && c.ClientID != "" && c.RedirectURI != "", nil
|
|
}
|
|
|
|
func (s *Service) GetConfig(ctx context.Context) (*Config, error) {
|
|
var c Config
|
|
err := s.db.GetContext(ctx, &c, `SELECT issuer, client_id, client_secret, redirect_uri, post_login_redirect, scopes, enabled FROM oidc_config WHERE id='singleton'`)
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, nil
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &c, nil
|
|
}
|
|
|
|
// SetConfig mutates only the fields present in patch (non-nil pointer).
|
|
// Pass &"" to clear a string; pass nil to leave unchanged. Enabled is
|
|
// the only field where false has a meaning distinct from "unchanged"
|
|
// so use a pointer.
|
|
type ConfigPatch struct {
|
|
Issuer *string
|
|
ClientID *string
|
|
ClientSecret *string
|
|
RedirectURI *string
|
|
PostLoginRedirect *string
|
|
Scopes *string
|
|
Enabled *bool
|
|
}
|
|
|
|
func (s *Service) SetConfig(ctx context.Context, p ConfigPatch) (*Config, error) {
|
|
// Read-modify-write under a tx so two concurrent CLI invocations
|
|
// don't lose updates.
|
|
tx, err := s.db.BeginTxx(ctx, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer func() { _ = tx.Rollback() }()
|
|
var c Config
|
|
if err := tx.GetContext(ctx, &c, `SELECT issuer, client_id, client_secret, redirect_uri, post_login_redirect, scopes, enabled FROM oidc_config WHERE id='singleton' FOR UPDATE`); err != nil {
|
|
return nil, err
|
|
}
|
|
if p.Issuer != nil {
|
|
c.Issuer = *p.Issuer
|
|
}
|
|
if p.ClientID != nil {
|
|
c.ClientID = *p.ClientID
|
|
}
|
|
if p.ClientSecret != nil {
|
|
c.ClientSecret = *p.ClientSecret
|
|
}
|
|
if p.RedirectURI != nil {
|
|
c.RedirectURI = *p.RedirectURI
|
|
}
|
|
if p.PostLoginRedirect != nil {
|
|
c.PostLoginRedirect = *p.PostLoginRedirect
|
|
}
|
|
if p.Scopes != nil {
|
|
c.Scopes = *p.Scopes
|
|
}
|
|
if p.Enabled != nil {
|
|
c.Enabled = *p.Enabled
|
|
}
|
|
if _, err := tx.ExecContext(ctx,
|
|
`UPDATE oidc_config SET issuer=?, client_id=?, client_secret=?, redirect_uri=?, post_login_redirect=?, scopes=?, enabled=? WHERE id='singleton'`,
|
|
c.Issuer, c.ClientID, c.ClientSecret, c.RedirectURI, c.PostLoginRedirect, c.Scopes, c.Enabled,
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
if err := tx.Commit(); err != nil {
|
|
return nil, err
|
|
}
|
|
// Bust provider cache — the issuer might have changed.
|
|
s.mu.Lock()
|
|
s.cachedProvider = nil
|
|
s.cachedIssuer = ""
|
|
s.mu.Unlock()
|
|
return &c, nil
|
|
}
|
|
|
|
// provider returns a cached *oidc.Provider; cache invalidates when the
|
|
// issuer changes (SetConfig clears it) or after 1 hour (defensive
|
|
// against stale JWKS cache).
|
|
func (s *Service) provider(ctx context.Context, issuer string) (*oidc.Provider, error) {
|
|
s.mu.Lock()
|
|
defer s.mu.Unlock()
|
|
if s.cachedProvider != nil && s.cachedIssuer == issuer && time.Since(s.cachedProviderAt) < time.Hour {
|
|
return s.cachedProvider, nil
|
|
}
|
|
p, err := oidc.NewProvider(ctx, issuer)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("oidc discovery for %s: %w", issuer, err)
|
|
}
|
|
s.cachedProvider = p
|
|
s.cachedIssuer = issuer
|
|
s.cachedProviderAt = time.Now()
|
|
return p, nil
|
|
}
|
|
|
|
// BuildAuthorizeURL generates the IdP authorize URL + remembers the
|
|
// PKCE verifier + state. Caller redirects the browser to the URL.
|
|
func (s *Service) BuildAuthorizeURL(ctx context.Context) (string, error) {
|
|
c, err := s.GetConfig(ctx)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if c == nil || !c.Enabled {
|
|
return "", errors.New("oidc not enabled")
|
|
}
|
|
if c.Issuer == "" || c.ClientID == "" || c.RedirectURI == "" {
|
|
return "", errors.New("oidc config incomplete (need issuer + client_id + redirect_uri)")
|
|
}
|
|
p, err := s.provider(ctx, c.Issuer)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
verifier := randomBase64URL(48)
|
|
challenge := pkceS256(verifier)
|
|
state := randomBase64URL(24)
|
|
s.state.Store(state, &stateEntry{
|
|
verifier: verifier,
|
|
expiresAt: time.Now().Add(10 * time.Minute),
|
|
postRedir: c.PostLoginRedirect,
|
|
})
|
|
cfg := oauth2.Config{
|
|
ClientID: c.ClientID,
|
|
ClientSecret: c.ClientSecret,
|
|
Endpoint: p.Endpoint(),
|
|
RedirectURL: c.RedirectURI,
|
|
Scopes: strings.Fields(c.Scopes),
|
|
}
|
|
return cfg.AuthCodeURL(state,
|
|
oauth2.AccessTypeOnline,
|
|
oauth2.SetAuthURLParam("code_challenge", challenge),
|
|
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
|
|
), nil
|
|
}
|
|
|
|
// HandleCallback exchanges the code for tokens, verifies the ID token,
|
|
// mints a one-time ticket, and returns the ticket + post-login redirect.
|
|
// Caller (HTTP handler) 302's the browser there with the ticket in the
|
|
// URL fragment.
|
|
func (s *Service) HandleCallback(ctx context.Context, code, state string) (ticket, redirect string, err error) {
|
|
if code == "" || state == "" {
|
|
return "", "", errors.New("missing code or state")
|
|
}
|
|
v, ok := s.state.LoadAndDelete(state)
|
|
if !ok {
|
|
return "", "", errors.New("unknown state (expired or replay)")
|
|
}
|
|
entry := v.(*stateEntry)
|
|
if time.Now().After(entry.expiresAt) {
|
|
return "", "", errors.New("state expired")
|
|
}
|
|
c, err := s.GetConfig(ctx)
|
|
if err != nil || c == nil || !c.Enabled {
|
|
return "", "", errors.New("oidc not enabled")
|
|
}
|
|
p, err := s.provider(ctx, c.Issuer)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
cfg := oauth2.Config{
|
|
ClientID: c.ClientID,
|
|
ClientSecret: c.ClientSecret,
|
|
Endpoint: p.Endpoint(),
|
|
RedirectURL: c.RedirectURI,
|
|
Scopes: strings.Fields(c.Scopes),
|
|
}
|
|
tok, err := cfg.Exchange(ctx, code,
|
|
oauth2.SetAuthURLParam("code_verifier", entry.verifier),
|
|
)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("token exchange: %w", err)
|
|
}
|
|
rawID, ok := tok.Extra("id_token").(string)
|
|
if !ok || rawID == "" {
|
|
return "", "", errors.New("no id_token in response")
|
|
}
|
|
verifier := p.Verifier(&oidc.Config{ClientID: c.ClientID})
|
|
idTok, err := verifier.Verify(ctx, rawID)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("id_token verify: %w", err)
|
|
}
|
|
var claims struct {
|
|
Sub string `json:"sub"`
|
|
Email string `json:"email"`
|
|
PreferredUsername string `json:"preferred_username"`
|
|
Name string `json:"name"`
|
|
}
|
|
if err := idTok.Claims(&claims); err != nil {
|
|
return "", "", fmt.Errorf("claims decode: %w", err)
|
|
}
|
|
// Pick the most useful display name.
|
|
displayName := claims.Name
|
|
if displayName == "" {
|
|
displayName = claims.PreferredUsername
|
|
}
|
|
if displayName == "" {
|
|
displayName = claims.Email
|
|
}
|
|
if claims.Sub == "" {
|
|
return "", "", errors.New("id_token missing sub claim")
|
|
}
|
|
// Mint one-time ticket (60s, single-use).
|
|
t := randomBase64URL(32)
|
|
s.tickets.Store(t, &ticketEntry{
|
|
userID: claims.Sub,
|
|
email: claims.Email,
|
|
name: displayName,
|
|
expiresAt: time.Now().Add(60 * time.Second),
|
|
})
|
|
redirect = entry.postRedir
|
|
if redirect == "" {
|
|
redirect = "/"
|
|
}
|
|
return t, redirect, nil
|
|
}
|
|
|
|
// ExchangeTicket validates the ticket and returns a signed session JWT
|
|
// + its expiry. Single-use; deleted on first read regardless of result.
|
|
func (s *Service) ExchangeTicket(ticket string) (jwt string, expiresAt time.Time, user UserClaims, err error) {
|
|
if ticket == "" {
|
|
err = errors.New("missing ticket")
|
|
return
|
|
}
|
|
v, ok := s.tickets.LoadAndDelete(ticket)
|
|
if !ok {
|
|
err = errors.New("unknown ticket (expired, used, or invalid)")
|
|
return
|
|
}
|
|
entry := v.(*ticketEntry)
|
|
if time.Now().After(entry.expiresAt) {
|
|
err = errors.New("ticket expired")
|
|
return
|
|
}
|
|
user = UserClaims{
|
|
Sub: entry.userID,
|
|
Email: entry.email,
|
|
Name: entry.name,
|
|
}
|
|
expiresAt = time.Now().Add(s.sessionTTL)
|
|
jwt, err = s.signSession(user, expiresAt)
|
|
return
|
|
}
|
|
|
|
// UserClaims is what a session cookie carries. Kept tiny: sub + email
|
|
// + name. Anything heavier (roles, group memberships) should hit
|
|
// /api/auth/me which can re-derive on demand.
|
|
type UserClaims struct {
|
|
Sub string `json:"sub"`
|
|
Email string `json:"email"`
|
|
Name string `json:"name"`
|
|
}
|
|
|
|
func (s *Service) signSession(u UserClaims, expiresAt time.Time) (string, error) {
|
|
tok := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
|
|
"sub": u.Sub,
|
|
"email": u.Email,
|
|
"name": u.Name,
|
|
"exp": expiresAt.Unix(),
|
|
})
|
|
return tok.SignedString(s.sessionSecret)
|
|
}
|
|
|
|
// VerifySession parses a session JWT and returns the claims if valid.
|
|
// Used by auth middleware.
|
|
func (s *Service) VerifySession(raw string) (*UserClaims, error) {
|
|
tok, err := jwt.Parse(raw, func(t *jwt.Token) (any, error) {
|
|
if t.Method != jwt.SigningMethodHS256 {
|
|
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
|
|
}
|
|
return s.sessionSecret, nil
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
claims, ok := tok.Claims.(jwt.MapClaims)
|
|
if !ok || !tok.Valid {
|
|
return nil, errors.New("invalid token")
|
|
}
|
|
sub, _ := claims["sub"].(string)
|
|
email, _ := claims["email"].(string)
|
|
name, _ := claims["name"].(string)
|
|
if sub == "" {
|
|
return nil, errors.New("token missing sub")
|
|
}
|
|
return &UserClaims{Sub: sub, Email: email, Name: name}, nil
|
|
}
|
|
|
|
// SweepExpired removes expired state + ticket entries. Call from a
|
|
// background goroutine every ~1min so the maps don't grow unbounded
|
|
// on a forever-running process.
|
|
func (s *Service) SweepExpired() {
|
|
now := time.Now()
|
|
s.state.Range(func(k, v any) bool {
|
|
if e, ok := v.(*stateEntry); ok && now.After(e.expiresAt) {
|
|
s.state.Delete(k)
|
|
}
|
|
return true
|
|
})
|
|
s.tickets.Range(func(k, v any) bool {
|
|
if e, ok := v.(*ticketEntry); ok && now.After(e.expiresAt) {
|
|
s.tickets.Delete(k)
|
|
}
|
|
return true
|
|
})
|
|
}
|
|
|
|
// randomBase64URL returns a URL-safe random string of the given byte length
|
|
// (so the resulting string is ~1.3x longer after base64). Panics on
|
|
// crypto/rand failure (the process is doomed anyway).
|
|
func randomBase64URL(n int) string {
|
|
b := make([]byte, n)
|
|
if _, err := rand.Read(b); err != nil {
|
|
panic("rand: " + err.Error())
|
|
}
|
|
return base64.RawURLEncoding.EncodeToString(b)
|
|
}
|
|
|
|
// pkceS256 returns the BASE64URL(SHA256(verifier)) PKCE code challenge.
|
|
func pkceS256(verifier string) string {
|
|
h := sha256.Sum256([]byte(verifier))
|
|
return base64.RawURLEncoding.EncodeToString(h[:])
|
|
}
|
|
|
|
// hashCallbackHint is a tiny utility for logging callback errors
|
|
// without dumping the raw URL (which may contain tokens). Not used in
|
|
// hot path; here so callers can build observability later.
|
|
func hashCallbackHint(u *url.URL) string {
|
|
if u == nil {
|
|
return ""
|
|
}
|
|
h := sha256.Sum256([]byte(u.Path + "?" + u.RawQuery))
|
|
return hex.EncodeToString(h[:6])
|
|
}
|
|
|
|
// silence unused — keep available for future logging.
|
|
var _ = hashCallbackHint
|