feat(auth): DB-backed users + generic OIDC login #359
Merged
- users table (000023) + app/user store/seed: YAML identity users seed into PG at boot (seed-if-absent; plain passwords bcrypt-hashed on ingest); /auth/login consults the table first, YAML stays the break-glass fallback
- generic OIDC login (auth:oidc settings section, disabled by default): /auth/oidc/start + /auth/oidc/callback do the authorization-code + PKCE dance against any issuer publishing discovery metadata; on success the same scs session as password login is minted. First-login auto-provisioning is gated by registration=open|closed
- sdk/oauth discovery falls back to /.well-known/openid-configuration when the RFC 8414 path is absent
- Actor.Roles carried from user record through the session; whoami returns roles; config.json advertises features.oidc when enabled
Two additions to the auth layer, both dormant by default:

- **DB-backed users.** New `users` table (migration 000023) + `app/user` store. YAML identity users (`config/users/`) seed into the table on boot — seed-if-absent, plain passwords bcrypt-hashed on ingest so cleartext never lands in Postgres. `POST /auth/login` consults the table first; YAML remains the break-glass fallback, so rotating an env-ref password can never lock you out. `Actor`/sessions/`whoami` now carry roles.
- **Generic OIDC login** (`auth:oidc` settings section, `enabled: false` default). `GET /auth/oidc/start` + `/callback` run the authorization-code + PKCE dance against any issuer publishing a discovery document, then mint the same scs session as password login — everything downstream is unchanged. First-login auto-provisioning is gated by `registration: open|closed`. Extra authorize params some providers require go in `authParams` (config, not code). Identity is read from the id_token, falling back to an inline user profile on the token response. `sdk/oauth` discovery now falls back to `/.well-known/openid-configuration` when the RFC 8414 path 404s.

Flow covered by tests against a fake IdP (discovery fallback, PKCE exchange, provisioning open/closed, forged state, expired cookie, disabled user, inline-profile shape); also verified live end-to-end against a hosted provider with Google sign-in.
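The three security-relevant pieces of the start/callback flow described above (S256 PKCE, discovery with the RFC 8414 to OIDC fallback and an issuer check, and the state comparison that rejects a forged or expired pre-auth cookie) as an added Go example. This is not code from the PR or the project: the function names (`newPKCE`, `discover`, `checkCallback`), the placeholder issuer URL, and the simplification that both well-known suffixes are appended to an issuer URL without a path component are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// newPKCE mints a code_verifier and its S256 code_challenge (RFC 7636). The
// verifier stays server-side in the pre-auth cookie; only the challenge goes
// to /authorize, so an intercepted code cannot be redeemed without it.
func newPKCE() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	return verifier, pkceChallenge(verifier), nil
}

// pkceChallenge derives the S256 challenge: BASE64URL(SHA256(verifier)), unpadded.
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// discoveryURLs lists the metadata documents to try: RFC 8414 path first, then
// OIDC Discovery. Assumption: the issuer URL has no path component, so both
// suffixes are simply appended.
func discoveryURLs(issuer string) []string {
	issuer = strings.TrimRight(issuer, "/")
	return []string{
		issuer + "/.well-known/oauth-authorization-server",
		issuer + "/.well-known/openid-configuration",
	}
}

// discover returns the first metadata document that is not a 404 and checks
// its "issuer" claim against the configured issuer (RFC 8414 section 3.3), so
// a document describing some other issuer is rejected rather than trusted.
func discover(client *http.Client, issuer string) (map[string]any, error) {
	for _, u := range discoveryURLs(issuer) {
		resp, err := client.Get(u)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode == http.StatusNotFound {
			resp.Body.Close()
			continue // fall back to the next well-known path
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("discovery: %s returned %d", u, resp.StatusCode)
		}
		var meta map[string]any
		err = json.NewDecoder(resp.Body).Decode(&meta)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		got, _ := meta["issuer"].(string)
		if strings.TrimRight(got, "/") != strings.TrimRight(issuer, "/") {
			return nil, fmt.Errorf("discovery: issuer mismatch: got %q, want %q", got, issuer)
		}
		return meta, nil
	}
	return nil, errors.New("discovery: no metadata document found")
}

// checkCallback is the gate the callback passes before exchanging the code:
// the state echoed by the IdP must equal the one in the pre-auth cookie. A
// missing cookie (expired) and a mismatch (forged state) both fail closed.
func checkCallback(cookieState, queryState string) error {
	if cookieState == "" || queryState == "" {
		return errors.New("callback: missing state")
	}
	if subtle.ConstantTimeCompare([]byte(cookieState), []byte(queryState)) != 1 {
		return errors.New("callback: state mismatch")
	}
	return nil
}

func main() {
	_, challenge, err := newPKCE()
	if err != nil {
		panic(err)
	}
	// Authorize query: code flow, S256 challenge, anti-CSRF state, plus one
	// provider-specific extra of the kind the PR routes through authParams.
	q := url.Values{"response_type": {"code"}, "code_challenge": {challenge},
		"code_challenge_method": {"S256"}, "state": {"<state-from-cookie>"}, "prompt": {"select_account"}}
	fmt.Println("https://issuer.example/authorize?" + q.Encode()) // placeholder issuer (assumption)
}
```

The issuer comparison in `discover` matters more than the fallback itself: without it, any origin that serves a 200 at either well-known path could hand the client attacker-chosen token and JWKS endpoints. The constant-time compare in `checkCallback` is cheap insurance; the real protection is that the state lives in a cookie the IdP never sees, so a callback URL pasted by someone else cannot satisfy it.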