cleanup

proxy/internal/auth/config.go

@@ -0,0 +1,25 @@
+package auth
+
+import "github.com/netbirdio/netbird/proxy/internal/auth/methods"
+
+// Config holds the authentication configuration for a route
+// Only ONE auth method should be configured per route
+type Config struct {
+	// HTTP Basic authentication (username/password)
+	BasicAuth *methods.BasicAuthConfig
+
+	// PIN authentication
+	PIN *methods.PINConfig
+
+	// Bearer token with JWT validation and OAuth/OIDC flow
+	// When enabled, uses the global OIDCConfig from proxy Config
+	Bearer *methods.BearerConfig
+}
+
+// IsEmpty returns true if no auth methods are configured
+func (c *Config) IsEmpty() bool {
+	if c == nil {
+		return true
+	}
+	return c.BasicAuth == nil && c.PIN == nil && c.Bearer == nil
+}

proxy/internal/auth/constants.go

@@ -0,0 +1,9 @@
+package auth
+
+const (
+	// DefaultSessionCookieName is the default cookie name for session storage
+	DefaultSessionCookieName = "auth_session"
+
+	// ErrorInternalServer is the default internal server error message
+	ErrorInternalServer = "Internal Server Error"
+)

proxy/internal/auth/methods/basic_auth.go

@@ -0,0 +1,26 @@
+package methods
+
+import (
+	"crypto/subtle"
+	"net/http"
+)
+
+// BasicAuthConfig holds HTTP Basic authentication settings
+type BasicAuthConfig struct {
+	Username string
+	Password string
+}
+
+// Validate checks Basic Auth credentials from the request
+func (c *BasicAuthConfig) Validate(r *http.Request) bool {
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		return false
+	}
+
+	// Use constant-time comparison to prevent timing attacks
+	usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(c.Username)) == 1
+	passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(c.Password)) == 1
+
+	return usernameMatch && passwordMatch
+}

proxy/internal/auth/methods/bearer_auth.go

@@ -0,0 +1,10 @@
+package methods
+
+// BearerConfig holds JWT/OAuth/OIDC bearer token authentication settings
+// The actual OIDC/JWT configuration comes from the global proxy Config.OIDCConfig
+// This just enables Bearer auth for a specific route
+type BearerConfig struct {
+	// Enable bearer token authentication for this route
+	// Uses the global OIDC configuration from proxy Config
+	Enabled bool
+}

proxy/internal/auth/methods/pin_auth.go

@@ -0,0 +1,33 @@
+package methods
+
+import (
+	"crypto/subtle"
+	"net/http"
+)
+
+const (
+	// DefaultPINHeader is the default header name for PIN authentication
+	DefaultPINHeader = "X-PIN"
+)
+
+// PINConfig holds PIN authentication settings
+type PINConfig struct {
+	PIN    string
+	Header string // Header name (default: "X-PIN")
+}
+
+// Validate checks PIN from the request header
+func (c *PINConfig) Validate(r *http.Request) bool {
+	header := c.Header
+	if header == "" {
+		header = DefaultPINHeader
+	}
+
+	providedPIN := r.Header.Get(header)
+	if providedPIN == "" {
+		return false
+	}
+
+	// Use constant-time comparison to prevent timing attacks
+	return subtle.ConstantTimeCompare([]byte(providedPIN), []byte(c.PIN)) == 1
+}

proxy/internal/auth/middleware.go

@@ -0,0 +1,312 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/proxy/internal/auth/oidc"
+)
+
+// Middleware wraps an HTTP handler with authentication middleware
+type Middleware struct {
+	next           http.Handler
+	config         *Config
+	routeID        string
+	rejectResponse func(w http.ResponseWriter, r *http.Request)
+	oidcHandler    *oidc.Handler // OIDC handler for OAuth flow (contains config and JWT validator)
+}
+
+// authResult holds the result of an authentication attempt
+type authResult struct {
+	authenticated bool
+	method        string
+	userID        string
+}
+
+// ServeHTTP implements the http.Handler interface
+func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// If no auth configured, allow request
+	if m.config.IsEmpty() {
+		m.allowWithoutAuth(w, r)
+		return
+	}
+
+	// Try to authenticate the request
+	result := m.authenticate(w, r)
+	if result == nil {
+		// Authentication triggered a redirect (e.g., OIDC flow)
+		return
+	}
+
+	// Reject if authentication failed
+	if !result.authenticated {
+		m.rejectRequest(w, r)
+		return
+	}
+
+	// Authentication successful - continue to next handler
+	m.continueWithAuth(w, r, result)
+}
+
+// allowWithoutAuth allows requests when no authentication is configured
+func (m *Middleware) allowWithoutAuth(w http.ResponseWriter, r *http.Request) {
+	log.WithFields(log.Fields{
+		"route_id":    m.routeID,
+		"auth_method": "none",
+		"path":        r.URL.Path,
+	}).Debug("No authentication configured, allowing request")
+	r.Header.Set("X-Auth-Method", "none")
+	m.next.ServeHTTP(w, r)
+}
+
+// authenticate attempts to authenticate the request using configured methods
+// Returns nil if a redirect occurred (e.g., OIDC flow initiated)
+func (m *Middleware) authenticate(w http.ResponseWriter, r *http.Request) *authResult {
+	// Try Basic Auth
+	if result := m.tryBasicAuth(r); result.authenticated {
+		return result
+	}
+
+	// Try PIN Auth
+	if result := m.tryPINAuth(r); result.authenticated {
+		return result
+	}
+
+	// Try Bearer/OIDC Auth
+	return m.tryBearerAuth(w, r)
+}
+
+// tryBasicAuth attempts Basic authentication
+func (m *Middleware) tryBasicAuth(r *http.Request) *authResult {
+	if m.config.BasicAuth == nil {
+		return &authResult{}
+	}
+
+	if !m.config.BasicAuth.Validate(r) {
+		return &authResult{}
+	}
+
+	result := &authResult{
+		authenticated: true,
+		method:        "basic",
+	}
+
+	// Extract username from Basic Auth
+	if username, _, ok := r.BasicAuth(); ok {
+		result.userID = username
+	}
+
+	return result
+}
+
+// tryPINAuth attempts PIN authentication
+func (m *Middleware) tryPINAuth(r *http.Request) *authResult {
+	if m.config.PIN == nil {
+		return &authResult{}
+	}
+
+	if !m.config.PIN.Validate(r) {
+		return &authResult{}
+	}
+
+	return &authResult{
+		authenticated: true,
+		method:        "pin",
+		userID:        "pin_user",
+	}
+}
+
+// tryBearerAuth attempts Bearer token authentication with JWT validation
+// Returns nil if OIDC redirect occurred
+func (m *Middleware) tryBearerAuth(w http.ResponseWriter, r *http.Request) *authResult {
+	if m.config.Bearer == nil || m.oidcHandler == nil {
+		return &authResult{}
+	}
+
+	cookieName := m.oidcHandler.SessionCookieName()
+
+	// Handle auth token in query parameter (from OIDC callback)
+	if m.handleAuthTokenParameter(w, r, cookieName) {
+		return nil // Redirect occurred
+	}
+
+	// Try session cookie
+	if result := m.trySessionCookie(r, cookieName); result.authenticated {
+		return result
+	}
+
+	// Try Authorization header
+	if result := m.tryAuthorizationHeader(r); result.authenticated {
+		return result
+	}
+
+	// No valid auth - redirect to OIDC provider
+	m.oidcHandler.RedirectToProvider(w, r, m.routeID)
+	return nil // Redirect occurred
+}
+
+// handleAuthTokenParameter processes the _auth_token query parameter from OIDC callback
+// Returns true if a redirect occurred
+func (m *Middleware) handleAuthTokenParameter(w http.ResponseWriter, r *http.Request, cookieName string) bool {
+	authToken := r.URL.Query().Get("_auth_token")
+	if authToken == "" {
+		return false
+	}
+
+	log.WithFields(log.Fields{
+		"route_id": m.routeID,
+		"host":     r.Host,
+	}).Info("Found auth token in query parameter, setting cookie and redirecting")
+
+	// Validate the token before setting cookie
+	if !m.oidcHandler.ValidateJWT(authToken) {
+		log.WithFields(log.Fields{
+			"route_id": m.routeID,
+		}).Warn("Invalid token in query parameter")
+		return false
+	}
+
+	// Set session cookie
+	cookie := &http.Cookie{
+		Name:     cookieName,
+		Value:    authToken,
+		Path:     "/",
+		MaxAge:   3600, // 1 hour
+		HttpOnly: true,
+		Secure:   false, // Set to false for HTTP testing, true for HTTPS in production
+		SameSite: http.SameSiteLaxMode,
+	}
+	http.SetCookie(w, cookie)
+
+	// Redirect to same URL without the token parameter
+	redirectURL := m.buildCleanRedirectURL(r)
+
+	log.WithFields(log.Fields{
+		"route_id":     m.routeID,
+		"redirect_url": redirectURL,
+	}).Debug("Redirecting to clean URL after setting cookie")
+
+	http.Redirect(w, r, redirectURL, http.StatusFound)
+	return true
+}
+
+// buildCleanRedirectURL builds a redirect URL without the _auth_token parameter
+func (m *Middleware) buildCleanRedirectURL(r *http.Request) string {
+	cleanURL := *r.URL
+	q := cleanURL.Query()
+	q.Del("_auth_token")
+	cleanURL.RawQuery = q.Encode()
+
+	scheme := "http"
+	if r.TLS != nil {
+		scheme = "https"
+	}
+
+	return fmt.Sprintf("%s://%s%s", scheme, r.Host, cleanURL.String())
+}
+
+// trySessionCookie attempts authentication using a session cookie
+func (m *Middleware) trySessionCookie(r *http.Request, cookieName string) *authResult {
+	log.WithFields(log.Fields{
+		"route_id":    m.routeID,
+		"cookie_name": cookieName,
+		"host":        r.Host,
+		"path":        r.URL.Path,
+	}).Debug("Checking for session cookie")
+
+	cookie, err := r.Cookie(cookieName)
+	if err != nil || cookie.Value == "" {
+		log.WithFields(log.Fields{
+			"route_id": m.routeID,
+			"error":    err,
+		}).Debug("No session cookie found")
+		return &authResult{}
+	}
+
+	log.WithFields(log.Fields{
+		"route_id":    m.routeID,
+		"cookie_name": cookieName,
+	}).Debug("Session cookie found, validating JWT")
+
+	if !m.oidcHandler.ValidateJWT(cookie.Value) {
+		log.WithFields(log.Fields{
+			"route_id": m.routeID,
+		}).Debug("JWT validation failed for session cookie")
+		return &authResult{}
+	}
+
+	return &authResult{
+		authenticated: true,
+		method:        "bearer_session",
+		userID:        m.oidcHandler.ExtractUserID(cookie.Value),
+	}
+}
+
+// tryAuthorizationHeader attempts authentication using the Authorization header
+func (m *Middleware) tryAuthorizationHeader(r *http.Request) *authResult {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
+		return &authResult{}
+	}
+
+	token := strings.TrimPrefix(authHeader, "Bearer ")
+	if !m.oidcHandler.ValidateJWT(token) {
+		return &authResult{}
+	}
+
+	return &authResult{
+		authenticated: true,
+		method:        "bearer",
+		userID:        m.oidcHandler.ExtractUserID(token),
+	}
+}
+
+// rejectRequest rejects an unauthenticated request
+func (m *Middleware) rejectRequest(w http.ResponseWriter, r *http.Request) {
+	log.WithFields(log.Fields{
+		"route_id": m.routeID,
+		"path":     r.URL.Path,
+	}).Warn("Authentication failed")
+
+	if m.rejectResponse != nil {
+		m.rejectResponse(w, r)
+	} else {
+		w.Header().Set("WWW-Authenticate", `Bearer realm="Restricted"`)
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+	}
+}
+
+// continueWithAuth continues the request with authenticated user info
+func (m *Middleware) continueWithAuth(w http.ResponseWriter, r *http.Request, result *authResult) {
+	log.WithFields(log.Fields{
+		"route_id":    m.routeID,
+		"auth_method": result.method,
+		"user_id":     result.userID,
+		"path":        r.URL.Path,
+	}).Debug("Authentication successful")
+
+	// Store auth info in headers for logging
+	r.Header.Set("X-Auth-Method", result.method)
+	r.Header.Set("X-Auth-User-ID", result.userID)
+
+	// Continue to next handler
+	m.next.ServeHTTP(w, r)
+}
+
+// Wrap wraps an HTTP handler with authentication middleware
+func Wrap(next http.Handler, authConfig *Config, routeID string, rejectResponse func(w http.ResponseWriter, r *http.Request), oidcHandler *oidc.Handler) http.Handler {
+	if authConfig == nil {
+		authConfig = &Config{} // Empty config = no auth
+	}
+
+	return &Middleware{
+		next:           next,
+		config:         authConfig,
+		routeID:        routeID,
+		rejectResponse: rejectResponse,
+		oidcHandler:    oidcHandler,
+	}
+}

proxy/internal/auth/oidc/config.go

@@ -0,0 +1,20 @@
+package oidc
+
+// Config holds the global OIDC/OAuth configuration
+type Config struct {
+	// OIDC Provider settings
+	ProviderURL  string   `env:"NB_OIDC_PROVIDER_URL" json:"provider_url"`   // Identity provider URL (e.g., "https://accounts.google.com")
+	ClientID     string   `env:"NB_OIDC_CLIENT_ID" json:"client_id"`         // OAuth client ID
+	ClientSecret string   `env:"NB_OIDC_CLIENT_SECRET" json:"client_secret"` // OAuth client secret (empty for public clients)
+	RedirectURL  string   `env:"NB_OIDC_REDIRECT_URL" json:"redirect_url"`   // Redirect URL after auth (e.g., "http://localhost:54321/auth/callback")
+	Scopes       []string `env:"NB_OIDC_SCOPES" json:"scopes"`               // Requested scopes (default: ["openid", "profile", "email"])
+
+	// JWT Validation settings
+	JWTKeysLocation             string   `env:"NB_OIDC_JWT_KEYS_LOCATION" json:"jwt_keys_location"`                             // JWKS URL for fetching public keys
+	JWTIssuer                   string   `env:"NB_OIDC_JWT_ISSUER" json:"jwt_issuer"`                                           // Expected issuer claim
+	JWTAudience                 []string `env:"NB_OIDC_JWT_AUDIENCE" json:"jwt_audience"`                                       // Expected audience claims
+	JWTIdpSignkeyRefreshEnabled bool     `env:"NB_OIDC_JWT_IDP_SIGNKEY_REFRESH_ENABLED" json:"jwt_idp_signkey_refresh_enabled"` // Enable automatic refresh of signing keys
+
+	// Session settings
+	SessionCookieName string `env:"NB_OIDC_SESSION_COOKIE_NAME" json:"session_cookie_name"` // Cookie name for storing session (default: "auth_session")
+}

proxy/internal/auth/oidc/handler.go

@@ -0,0 +1,291 @@
+package oidc
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/shared/auth/jwt"
+)
+
+// Handler manages OIDC authentication flow
+type Handler struct {
+	config       *Config
+	stateStore   *StateStore
+	jwtValidator *jwt.Validator
+}
+
+// NewHandler creates a new OIDC handler
+func NewHandler(config *Config, stateStore *StateStore) *Handler {
+	// Initialize JWT validator
+	var jwtValidator *jwt.Validator
+	if config.JWTKeysLocation != "" {
+		jwtValidator = jwt.NewValidator(
+			config.JWTIssuer,
+			config.JWTAudience,
+			config.JWTKeysLocation,
+			config.JWTIdpSignkeyRefreshEnabled,
+		)
+	}
+
+	return &Handler{
+		config:       config,
+		stateStore:   stateStore,
+		jwtValidator: jwtValidator,
+	}
+}
+
+// RedirectToProvider initiates the OAuth/OIDC authentication flow by redirecting to the provider
+func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, routeID string) {
+	// Generate random state for CSRF protection
+	state, err := generateRandomString(32)
+	if err != nil {
+		log.WithError(err).Error("Failed to generate OIDC state")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	// Store state with original URL for redirect after auth
+	// Include the full URL with scheme and host
+	scheme := "http"
+	if r.TLS != nil {
+		scheme = "https"
+	}
+	originalURL := fmt.Sprintf("%s://%s%s", scheme, r.Host, r.URL.String())
+	h.stateStore.Store(state, originalURL, routeID)
+
+	// Default scopes if not configured
+	scopes := h.config.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+
+	// Build authorization URL
+	authURL, err := url.Parse(h.config.ProviderURL)
+	if err != nil {
+		log.WithError(err).Error("Invalid OIDC provider URL")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	// Append /authorize if it doesn't exist (common OIDC endpoint)
+	if !strings.HasSuffix(authURL.Path, "/authorize") && !strings.HasSuffix(authURL.Path, "/auth") {
+		authURL.Path = strings.TrimSuffix(authURL.Path, "/") + "/authorize"
+	}
+
+	// Build query parameters
+	params := url.Values{}
+	params.Set("client_id", h.config.ClientID)
+	params.Set("redirect_uri", h.config.RedirectURL)
+	params.Set("response_type", "code")
+	params.Set("scope", strings.Join(scopes, " "))
+	params.Set("state", state)
+
+	// Add audience parameter to get an access token for the API
+	// This ensures we get a proper JWT for the API audience, not just an ID token
+	if len(h.config.JWTAudience) > 0 && h.config.JWTAudience[0] != h.config.ClientID {
+		params.Set("audience", h.config.JWTAudience[0])
+	}
+
+	authURL.RawQuery = params.Encode()
+
+	log.WithFields(log.Fields{
+		"route_id":     routeID,
+		"provider_url": authURL.String(),
+		"redirect_url": h.config.RedirectURL,
+		"state":        state,
+	}).Info("Redirecting to OIDC provider for authentication")
+
+	// Redirect user to identity provider login page
+	http.Redirect(w, r, authURL.String(), http.StatusFound)
+}
+
+// HandleCallback creates an HTTP handler for the OIDC callback endpoint
+func (h *Handler) HandleCallback() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Get authorization code and state from query parameters
+		code := r.URL.Query().Get("code")
+		state := r.URL.Query().Get("state")
+
+		if code == "" || state == "" {
+			log.Error("Missing code or state in OIDC callback")
+			http.Error(w, "Invalid callback parameters", http.StatusBadRequest)
+			return
+		}
+
+		// Verify state to prevent CSRF
+		oidcSt, ok := h.stateStore.Get(state)
+		if !ok {
+			log.Error("Invalid or expired OIDC state")
+			http.Error(w, "Invalid or expired state parameter", http.StatusBadRequest)
+			return
+		}
+
+		// Delete state to prevent reuse
+		h.stateStore.Delete(state)
+
+		// Exchange authorization code for token
+		token, err := h.exchangeCodeForToken(code)
+		if err != nil {
+			log.WithError(err).Error("Failed to exchange code for token")
+			http.Error(w, "Authentication failed", http.StatusUnauthorized)
+			return
+		}
+
+		// Parse the original URL to add the token as a query parameter
+		origURL, err := url.Parse(oidcSt.OriginalURL)
+		if err != nil {
+			log.WithError(err).Error("Failed to parse original URL")
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		// Add token as query parameter so the original domain can set its own cookie
+		// We use a special parameter name that the auth middleware will look for
+		q := origURL.Query()
+		q.Set("_auth_token", token)
+		origURL.RawQuery = q.Encode()
+
+		log.WithFields(log.Fields{
+			"route_id":      oidcSt.RouteID,
+			"original_url":  oidcSt.OriginalURL,
+			"redirect_url":  origURL.String(),
+			"callback_host": r.Host,
+		}).Info("OIDC authentication successful, redirecting with token parameter")
+
+		// Redirect back to original URL with token parameter
+		http.Redirect(w, r, origURL.String(), http.StatusFound)
+	}
+}
+
+// exchangeCodeForToken exchanges an authorization code for an access token
+func (h *Handler) exchangeCodeForToken(code string) (string, error) {
+	// Build token endpoint URL
+	tokenURL, err := url.Parse(h.config.ProviderURL)
+	if err != nil {
+		return "", fmt.Errorf("invalid OIDC provider URL: %w", err)
+	}
+
+	// Auth0 uses /oauth/token, standard OIDC uses /token
+	// Check if path already contains token endpoint
+	if !strings.Contains(tokenURL.Path, "/token") {
+		tokenURL.Path = strings.TrimSuffix(tokenURL.Path, "/") + "/oauth/token"
+	}
+
+	// Build request body
+	data := url.Values{}
+	data.Set("grant_type", "authorization_code")
+	data.Set("code", code)
+	data.Set("redirect_uri", h.config.RedirectURL)
+	data.Set("client_id", h.config.ClientID)
+
+	// Only include client_secret if it's provided (not needed for public/SPA clients)
+	if h.config.ClientSecret != "" {
+		data.Set("client_secret", h.config.ClientSecret)
+	}
+
+	// Make token exchange request
+	resp, err := http.PostForm(tokenURL.String(), data)
+	if err != nil {
+		return "", fmt.Errorf("token exchange request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return "", fmt.Errorf("token exchange failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Parse response
+	var tokenResp struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+		ExpiresIn   int    `json:"expires_in"`
+		IDToken     string `json:"id_token"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return "", fmt.Errorf("failed to decode token response: %w", err)
+	}
+
+	if tokenResp.AccessToken == "" {
+		return "", fmt.Errorf("no access token in response")
+	}
+
+	// Return the ID token if available (contains user claims), otherwise access token
+	if tokenResp.IDToken != "" {
+		return tokenResp.IDToken, nil
+	}
+
+	return tokenResp.AccessToken, nil
+}
+
+// ValidateJWT validates a JWT token
+func (h *Handler) ValidateJWT(tokenString string) bool {
+	if h.jwtValidator == nil {
+		log.Error("JWT validation failed: JWT validator not initialized")
+		return false
+	}
+
+	// Validate the token
+	ctx := context.Background()
+	parsedToken, err := h.jwtValidator.ValidateAndParse(ctx, tokenString)
+	if err != nil {
+		log.WithError(err).Error("JWT validation failed")
+		// Try to parse token without validation to see what's in it
+		parts := strings.Split(tokenString, ".")
+		if len(parts) == 3 {
+			// Decode payload (middle part)
+			payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+			if err == nil {
+				log.WithFields(log.Fields{
+					"payload": string(payload),
+				}).Debug("Token payload for debugging")
+			}
+		}
+		return false
+	}
+
+	// Token is valid if parsedToken is not nil and Valid is true
+	return parsedToken != nil && parsedToken.Valid
+}
+
+// ExtractUserID extracts the user ID from a JWT token
+func (h *Handler) ExtractUserID(tokenString string) string {
+	if h.jwtValidator == nil {
+		return ""
+	}
+
+	// Parse the token
+	ctx := context.Background()
+	parsedToken, err := h.jwtValidator.ValidateAndParse(ctx, tokenString)
+	if err != nil {
+		return ""
+	}
+
+	// parsedToken is already *jwtgo.Token from ValidateAndParse
+	// Create extractor to get user auth info
+	extractor := jwt.NewClaimsExtractor()
+	userAuth, err := extractor.ToUserAuth(parsedToken)
+	if err != nil {
+		log.WithError(err).Debug("Failed to extract user ID from JWT")
+		return ""
+	}
+
+	return userAuth.UserId
+}
+
+// SessionCookieName returns the configured session cookie name or default
+func (h *Handler) SessionCookieName() string {
+	if h.config.SessionCookieName != "" {
+		return h.config.SessionCookieName
+	}
+	return "auth_session"
+}

proxy/internal/auth/oidc/state.go

@@ -0,0 +1,10 @@
+package oidc
+
+import "time"
+
+// State represents stored OIDC state information for CSRF protection
+type State struct {
+	OriginalURL string
+	CreatedAt   time.Time
+	RouteID     string
+}

proxy/internal/auth/oidc/state_store.go

@@ -0,0 +1,66 @@
+package oidc
+
+import (
+	"sync"
+	"time"
+)
+
+const (
+	// StateExpiration is how long OIDC state tokens are valid
+	StateExpiration = 10 * time.Minute
+)
+
+// StateStore manages OIDC state tokens for CSRF protection
+type StateStore struct {
+	mu     sync.RWMutex
+	states map[string]*State
+}
+
+// NewStateStore creates a new OIDC state store
+func NewStateStore() *StateStore {
+	return &StateStore{
+		states: make(map[string]*State),
+	}
+}
+
+// Store saves a state token with associated metadata
+func (s *StateStore) Store(stateToken, originalURL, routeID string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.states[stateToken] = &State{
+		OriginalURL: originalURL,
+		CreatedAt:   time.Now(),
+		RouteID:     routeID,
+	}
+
+	// Clean up expired states
+	s.cleanup()
+}
+
+// Get retrieves a state by token
+func (s *StateStore) Get(stateToken string) (*State, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	st, ok := s.states[stateToken]
+	return st, ok
+}
+
+// Delete removes a state token
+func (s *StateStore) Delete(stateToken string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	delete(s.states, stateToken)
+}
+
+// cleanup removes expired state tokens (must be called with lock held)
+func (s *StateStore) cleanup() {
+	cutoff := time.Now().Add(-StateExpiration)
+	for k, v := range s.states {
+		if v.CreatedAt.Before(cutoff) {
+			delete(s.states, k)
+		}
+	}
+}

proxy/internal/auth/oidc/utils.go

@@ -0,0 +1,15 @@
+package oidc
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+)
+
+// generateRandomString generates a cryptographically secure random string of the specified length
+func generateRandomString(length int) (string, error) {
+	bytes := make([]byte, length)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(bytes)[:length], nil
+}