OAuth2 implementation #2
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- /approve route - /authorize route - redirect to /approve page after successful login if oauth2 query parameters are set - create dummy client for development - run playwright using dev server locally, but use production build for CI tests
- api routes - db tables for access and authorization tokens - happy path e2e test - TODO: actual authentication, parameter validation, error handling
- checking that redirect_uri matches the client on the `/authorize` endpoint - warn resource owner (user) if redirect_uri does not match the client - bugfix: links to favicon and styles in layout
- changed scope parameter to a value that is client agnostic
… they are already signed in
…ment for ignoring a rule on the entire file
- disable biome.js noForEach rule
- prioritize warning the user if client id or redirect uri are invalid - redirect to `redirect_uri` with error info if response_type is invalid - fixed some typescript interfaces that didn't make sense
…ify query params validation
- check if user is signed in - validate query string same as in `GET /authorize` route
- change expected scope from `basic-info` to `openid`
…n to `/authorize` route
- these endpoints are "back channel", ie. they are not meant to be accessed by user's browser or use their auth server session cookie - `/userinfo` endpoint should instead use the provided access token to fetch correct user info
new validations include: - missing request parameters - invalid client credentials - mismatched redirect_uri
Also: - /authorize endpoint now returns actual authorization code
Note: had to change created_at column type in the database for this to work
also /userinfo now expects authorization header value to be base64 encoded
as recommended by OpenID specification: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
…s full token data
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Working OAuth2 implementation that uses Authorization Code flow with PKCE support.
Using PKCE (Proof Key for Code Exchange) secures the flow against CSRF and authorization code injection attacks.
Helmet plugin sets the headers that tell browsers not to embed the authorization URL in an iframe to prevent clickjacking attacks.
It only partially supports OpenID Connect (e.g. no ID token yet), this will be done in a separate PR.