feat: OIDC Identity Provider — Phase 1 endpoints
Add OIDC/OAuth2 endpoints to bincio-auth so it acts as a full IdP:

GET /.well-known/openid-configuration
GET /.well-known/jwks.json
GET /oauth2/authorize (auth-code flow, redirects to /login/ if no session)
POST /oauth2/token (exchanges code for RS256 id_token; PKCE supported)
GET /oauth2/userinfo (Bearer token → profile claims)

Infrastructure:
- oauth2_clients + oauth2_codes tables in db.py with CRUD helpers
- RS256 sign/verify helpers in tokens.py (create_id_token, get_jwks)
- oidc_private_key_pem / oidc_issuer state + _issue_id_token in deps.py
- serve_cmd reads BINCIO_OIDC_PRIVATE_KEY_FILE / BINCIO_OIDC_ISSUER env vars
- `bincio-auth client add/list` commands for managing OAuth2 clients
+2 -1
@@ -15,7 +15,8 @@ dependencies = [
"uvicorn[standard]>=0.29",
"python-multipart>=0.0.9",
"bcrypt>=4.1",
"PyJWT>=2.8",
"PyJWT[crypto]>=2.8",
"cryptography>=42.0",
"click>=8.1",
"rich>=13.0",
]
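Review bot: the added `"cryptography>=42.0"` line duplicates a dependency that the `PyJWT[crypto]` extra on the line above already pulls in, so the hunk now declares the same requirement in two places. If the 42.0 floor is deliberate (the RS256 id_token signing and JWKS publishing from the commit message need the cryptography backend, and an explicit minimum can be a reasonable way to pin it), add a short comment next to the line saying why that floor was chosen; otherwise drop the explicit entry and rely on the extra, so there is only one place to update when the version bounds change.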