cleanup

2026-04-20 01:06:45 +00:00 · 2026-01-16 12:01:52 +01:00
parent 3b832d1f21
commit 183619d1e1
20 changed files with 34 additions and 525 deletions
--- a/proxy/internal/auth/oidc/config.go
+++ b/proxy/internal/auth/oidc/config.go
@@ -2,19 +2,16 @@ package oidc

 // Config holds the global OIDC/OAuth configuration
 type Config struct {
-	// OIDC Provider settings
-	ProviderURL  string   `env:"NB_OIDC_PROVIDER_URL" json:"provider_url"`   // Identity provider URL (e.g., "https://accounts.google.com")
-	ClientID     string   `env:"NB_OIDC_CLIENT_ID" json:"client_id"`         // OAuth client ID
-	ClientSecret string   `env:"NB_OIDC_CLIENT_SECRET" json:"client_secret"` // OAuth client secret (empty for public clients)
-	RedirectURL  string   `env:"NB_OIDC_REDIRECT_URL" json:"redirect_url"`   // Redirect URL after auth (e.g., "http://localhost:54321/auth/callback")
-	Scopes       []string `env:"NB_OIDC_SCOPES" json:"scopes"`               // Requested scopes (default: ["openid", "profile", "email"])
+	ProviderURL  string   `env:"NB_OIDC_PROVIDER_URL" json:"provider_url"`
+	ClientID     string   `env:"NB_OIDC_CLIENT_ID" json:"client_id"`
+	ClientSecret string   `env:"NB_OIDC_CLIENT_SECRET" json:"client_secret"`
+	RedirectURL  string   `env:"NB_OIDC_REDIRECT_URL" json:"redirect_url"`
+	Scopes       []string `env:"NB_OIDC_SCOPES" json:"scopes"`

-	// JWT Validation settings
-	JWTKeysLocation             string   `env:"NB_OIDC_JWT_KEYS_LOCATION" json:"jwt_keys_location"`                             // JWKS URL for fetching public keys
-	JWTIssuer                   string   `env:"NB_OIDC_JWT_ISSUER" json:"jwt_issuer"`                                           // Expected issuer claim
-	JWTAudience                 []string `env:"NB_OIDC_JWT_AUDIENCE" json:"jwt_audience"`                                       // Expected audience claims
-	JWTIdpSignkeyRefreshEnabled bool     `env:"NB_OIDC_JWT_IDP_SIGNKEY_REFRESH_ENABLED" json:"jwt_idp_signkey_refresh_enabled"` // Enable automatic refresh of signing keys
+	JWTKeysLocation             string   `env:"NB_OIDC_JWT_KEYS_LOCATION" json:"jwt_keys_location"`
+	JWTIssuer                   string   `env:"NB_OIDC_JWT_ISSUER" json:"jwt_issuer"`
+	JWTAudience                 []string `env:"NB_OIDC_JWT_AUDIENCE" json:"jwt_audience"`
+	JWTIdpSignkeyRefreshEnabled bool     `env:"NB_OIDC_JWT_IDP_SIGNKEY_REFRESH_ENABLED" json:"jwt_idp_signkey_refresh_enabled"`

-	// Session settings
-	SessionCookieName string `env:"NB_OIDC_SESSION_COOKIE_NAME" json:"session_cookie_name"` // Cookie name for storing session (default: "auth_session")
+	SessionCookieName string `env:"NB_OIDC_SESSION_COOKIE_NAME" json:"session_cookie_name"`
 }
--- a/proxy/internal/auth/oidc/handler.go
+++ b/proxy/internal/auth/oidc/handler.go
@@ -24,7 +24,6 @@ type Handler struct {

 // NewHandler creates a new OIDC handler
 func NewHandler(config *Config, stateStore *StateStore) *Handler {
-	// Initialize JWT validator
 	var jwtValidator *jwt.Validator
 	if config.JWTKeysLocation != "" {
 		jwtValidator = jwt.NewValidator(
@@ -67,7 +66,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 		scopes = []string{"openid", "profile", "email"}
 	}

-	// Build authorization URL
 	authURL, err := url.Parse(h.config.ProviderURL)
 	if err != nil {
 		log.WithError(err).Error("Invalid OIDC provider URL")
@@ -80,7 +78,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 		authURL.Path = strings.TrimSuffix(authURL.Path, "/") + "/authorize"
 	}

-	// Build query parameters
 	params := url.Values{}
 	params.Set("client_id", h.config.ClientID)
 	params.Set("redirect_uri", h.config.RedirectURL)
@@ -88,8 +85,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 	params.Set("scope", strings.Join(scopes, " "))
 	params.Set("state", state)

-	// Add audience parameter to get an access token for the API
-	// This ensures we get a proper JWT for the API audience, not just an ID token
 	if len(h.config.JWTAudience) > 0 && h.config.JWTAudience[0] != h.config.ClientID {
 		params.Set("audience", h.config.JWTAudience[0])
 	}
@@ -103,7 +98,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 		"state":        state,
 	}).Info("Redirecting to OIDC provider for authentication")

-	// Redirect user to identity provider login page
 	http.Redirect(w, r, authURL.String(), http.StatusFound)
 }

--- a/proxy/internal/auth/oidc/state_store.go
+++ b/proxy/internal/auth/oidc/state_store.go
@@ -34,7 +34,6 @@ func (s *StateStore) Store(stateToken, originalURL, routeID string) {
 		RouteID:     routeID,
 	}

-	// Clean up expired states
 	s.cleanup()
 }