bincio-auth

brut/bincio-auth

Fork 0

Commit Graph

Author	SHA1	Message	Date
Davide Scaini	42bc476882	feat: OIDC Identity Provider — Phase 1 endpoints Add OIDC/OAuth2 endpoints to bincio-auth so it acts as a full IdP: GET /.well-known/openid-configuration GET /.well-known/jwks.json GET /oauth2/authorize (auth-code flow, redirects to /login/ if no session) POST /oauth2/token (exchanges code for RS256 id_token; PKCE supported) GET /oauth2/userinfo (Bearer token → profile claims) Infrastructure: - oauth2_clients + oauth2_codes tables in db.py with CRUD helpers - RS256 sign/verify helpers in tokens.py (create_id_token, get_jwks) - oidc_private_key_pem / oidc_issuer state + _issue_id_token in deps.py - serve_cmd reads BINCIO_OIDC_PRIVATE_KEY_FILE / BINCIO_OIDC_ISSUER env vars - `bincio-auth client add/list` commands for managing OAuth2 clients	2026-06-03 15:11:43 +02:00
Davide Scaini	3dafe3840b	deploy: add systemd unit + show-secret CLI command bincio-auth.service: runs at port 4040, reads BINCIO_AUTH_JWT_SECRET from /etc/bincio/secrets.env (shared with bincio-activity). show-secret: prints the JWT secret stored by 'bincio-auth init', so the operator can add it to secrets.env without raw sqlite3.	2026-06-02 15:09:00 +02:00
Davide Scaini	ddd15cae0f	auth: add FastAPI service — models, deps, server, routers, CLI Steps 3–7 of the migration plan: - models.py: Pydantic request/response types - deps.py: shared state, JWT-based auth helpers, rate limiting - server.py: FastAPI app with CORS + gzip - routers/auth.py: login, logout, /api/me, reset-password, register - routers/invites.py: GET/POST /api/invites - routers/admin.py: user listing, suspend/unsuspend, delete, access flags, reset-password-code - cli.py: `bincio-auth init` (creates DB + admin + JWT secret) and `bincio-auth serve` Cookie carries a signed JWT (HS256); consumers validate locally with shared secret.	2026-06-02 14:38:56 +02:00

Author

SHA1

Message

Date

Davide Scaini

42bc476882

feat: OIDC Identity Provider — Phase 1 endpoints

Add OIDC/OAuth2 endpoints to bincio-auth so it acts as a full IdP:
  GET  /.well-known/openid-configuration
  GET  /.well-known/jwks.json
  GET  /oauth2/authorize  (auth-code flow, redirects to /login/ if no session)
  POST /oauth2/token      (exchanges code for RS256 id_token; PKCE supported)
  GET  /oauth2/userinfo   (Bearer token → profile claims)

Infrastructure:
  - oauth2_clients + oauth2_codes tables in db.py with CRUD helpers
  - RS256 sign/verify helpers in tokens.py (create_id_token, get_jwks)
  - oidc_private_key_pem / oidc_issuer state + _issue_id_token in deps.py
  - serve_cmd reads BINCIO_OIDC_PRIVATE_KEY_FILE / BINCIO_OIDC_ISSUER env vars
  - `bincio-auth client add/list` commands for managing OAuth2 clients

2026-06-03 15:11:43 +02:00

Davide Scaini

3dafe3840b

deploy: add systemd unit + show-secret CLI command

bincio-auth.service: runs at port 4040, reads BINCIO_AUTH_JWT_SECRET
from /etc/bincio/secrets.env (shared with bincio-activity).

show-secret: prints the JWT secret stored by 'bincio-auth init',
so the operator can add it to secrets.env without raw sqlite3.

2026-06-02 15:09:00 +02:00

Davide Scaini

ddd15cae0f

auth: add FastAPI service — models, deps, server, routers, CLI

Steps 3–7 of the migration plan:
- models.py: Pydantic request/response types
- deps.py: shared state, JWT-based auth helpers, rate limiting
- server.py: FastAPI app with CORS + gzip
- routers/auth.py: login, logout, /api/me, reset-password, register
- routers/invites.py: GET/POST /api/invites
- routers/admin.py: user listing, suspend/unsuspend, delete, access flags, reset-password-code
- cli.py: `bincio-auth init` (creates DB + admin + JWT secret) and `bincio-auth serve`

Cookie carries a signed JWT (HS256); consumers validate locally with shared secret.

2026-06-02 14:38:56 +02:00

3 Commits