- email column on users (migration-safe ALTER TABLE)
- email_reset_tokens table (1h TTL, single-use)
- smtp.py: send via STARTTLS, config from CLI/env vars
- POST /api/auth/request-reset — sends reset link, always 200 (no email leak)
- POST /api/auth/reset-password-token — consumes email token
- GET/POST /api/me/email — users can register/update their email
- reset-password page: email form primary, admin code form as toggle,
token form shown automatically when ?token= is in URL
- CLI: --smtp-host/port/user/password/from (BINCIO_SMTP_* env vars)
Add OIDC/OAuth2 endpoints to bincio-auth so it acts as a full IdP:
GET /.well-known/openid-configuration
GET /.well-known/jwks.json
GET /oauth2/authorize (auth-code flow, redirects to /login/ if no session)
POST /oauth2/token (exchanges code for RS256 id_token; PKCE supported)
GET /oauth2/userinfo (Bearer token → profile claims)
Infrastructure:
- oauth2_clients + oauth2_codes tables in db.py with CRUD helpers
- RS256 sign/verify helpers in tokens.py (create_id_token, get_jwks)
- oidc_private_key_pem / oidc_issuer state + _issue_id_token in deps.py
- serve_cmd reads BINCIO_OIDC_PRIVATE_KEY_FILE / BINCIO_OIDC_ISSUER env vars
- `bincio-auth client add/list` commands for managing OAuth2 clients
bincio-auth.service: runs at port 4040, reads BINCIO_AUTH_JWT_SECRET
from /etc/bincio/secrets.env (shared with bincio-activity).
show-secret: prints the JWT secret stored by 'bincio-auth init',
so the operator can add it to secrets.env without raw sqlite3.
Davide Scaini