brut/bincio-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: OIDC Identity Provider — Phase 1 endpoints

Browse Source 
Add OIDC/OAuth2 endpoints to bincio-auth so it acts as a full IdP:
  GET  /.well-known/openid-configuration
  GET  /.well-known/jwks.json
  GET  /oauth2/authorize  (auth-code flow, redirects to /login/ if no session)
  POST /oauth2/token      (exchanges code for RS256 id_token; PKCE supported)
  GET  /oauth2/userinfo   (Bearer token → profile claims)

Infrastructure:
  - oauth2_clients + oauth2_codes tables in db.py with CRUD helpers
  - RS256 sign/verify helpers in tokens.py (create_id_token, get_jwks)
  - oidc_private_key_pem / oidc_issuer state + _issue_id_token in deps.py
  - serve_cmd reads BINCIO_OIDC_PRIVATE_KEY_FILE / BINCIO_OIDC_ISSUER env vars
  - `bincio-auth client add/list` commands for managing OAuth2 clients
This commit is contained in:
Davide Scaini
2026-06-03 15:11:43 +02:00
parent c341c27ad4
commit 42bc476882
7 changed files with 525 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bincio/auth/deps.py
+24 -1
View File
@@ -11,12 +11,14 @@ import jwt as _jwt
from fastapi import Cookie, HTTPException, Request, Response
from bincio.auth.db import User, get_user, open_db
from bincio.auth.tokens import create_token, decode_token
from bincio.auth.tokens import create_id_token, create_token, decode_token
# ── Module-level state (set by CLI before uvicorn starts) ─────────────────────
data_dir: Path | None = None
jwt_secret: str = ""
oidc_private_key_pem: str = "" # RS256 private key PEM (loaded from file at startup)
oidc_issuer: str = "" # e.g. "https://bincio.org"
_db = None
# ── Constants ─────────────────────────────────────────────────────────────────
@@ -63,6 +65,27 @@ def _issue_jwt(user: User) -> str:
)
_ID_TOKEN_TTL = 3600 # 1 hour — short-lived; clients use refresh or re-auth
def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str:
"""Issue an RS256 OIDC id_token for the given user and client."""
claims: dict = {
"iss": oidc_issuer,
"sub": user.handle,
"aud": client_id,
"name": user.display_name,
"preferred_username": user.handle,
# bincio-specific claims (used by bincio-activity for authz)
"is_admin": user.is_admin,
"wiki_access": user.wiki_access,
"activity_access": user.activity_access,
}
if nonce:
claims["nonce"] = nonce
return create_id_token(claims, oidc_private_key_pem, _ID_TOKEN_TTL)
# ── Rate limiting ─────────────────────────────────────────────────────────────
def _check_rate_limit(