BLOG-85 Implement OIDC authentication #93

Merged
squid merged 8 commits from BLOG-85_oidc_login into main 2025-07-30 03:46:50 +08:00
Owner

Description

  • Log in with the configured OIDC issuer, then save the logged-in information in the server session.
  • Endpoints:
    • GET /auth/login
    • GET /auth/callback
    • GET /auth/logout

Package Changes

actix-session = { version = "0.10.1", features = ["redis-session"] }
hex = "0.4.3"
openidconnect = { version = "4.0.1", features = [
    "reqwest",
    "reqwest-blocking",
] }

Screenshots

(Screencast From 2025-07-30 03-34-26.mp4, attached as a video)
Reference

Resolves #85

Checklist

  • A milestone is set
  • The related issue has been linked to this branch
squid added this to the 0.3 milestone 2025-07-30 03:39:21 +08:00
squid added 7 commits 2025-07-30 03:39:21 +08:00
BLOG-85 init: auth crate
Some checks failed
Frontend CI / build (push) Has been cancelled
513e07b46a
BLOG-85 refactor: rename workflow
All checks were successful
Frontend CI / build (push) Successful in 1m9s
c4a0c20d7d
- Added OIDC authentication support with new modules for handling OIDC login and callback.
- Introduced `AuthController`, `AuthOidcService`, and related DTOs for managing authentication state and user responses.
- Implemented session management using `actix-session` with Redis for storing authentication state.
- Created configuration management for OIDC settings, including provider metadata and client credentials.
- Updated server configuration to initialize OIDC services and session management.
- Refactored existing code to integrate new authentication features and ensure proper dependency management.
BLOG-85 feat: Dockerfile add environment variables for Redis and OIDC configuration
All checks were successful
Frontend CI / build (push) Successful in 1m19s
64cad463cd
BLOG-85 refactor: remove unused dependency
All checks were successful
Frontend CI / build (push) Successful in 1m5s
PR Title Check / pr-title-check (pull_request) Successful in 13s
Auto Comment On PR / add_improve_comment (pull_request) Successful in 16s
161ef5327a
Collaborator

/improve
Collaborator

PR Code Suggestions

Category: Possible issue
Add specific error for OIDC state mismatch

The AuthError::InvalidNonce variant is currently used to indicate a mismatch in the
OIDC state parameter. The state parameter is used for CSRF protection, distinct from
the nonce parameter which protects against ID token replay attacks. Introduce a new
error variant, InvalidState, to accurately represent issues with the state
parameter.

backend/feature/auth/src/application/error/auth_error.rs [2-7]

 pub enum AuthError {
     OidcError(String),
     InvalidNonce,
+    InvalidState,
     InvalidAuthCode,
     InvalidIdToken,
 }
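Review bot: add a doc comment to each variant stating which check raises it (InvalidState: the state returned on the callback does not match the one stored in the browser session, the CSRF binding; InvalidNonce: the nonce inside the ID token does not match the one sent with the authorization request, the replay binding). The bare names are what allowed InvalidNonce to be reused for the state check in the first place, and the next reader of this enum will face the same choice.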
Suggestion importance [1-10]: 9

Why: The suggestion correctly identifies a conceptual error in using InvalidNonce for a state parameter mismatch. Introducing InvalidState improves the clarity and correctness of error handling, which is crucial for security and maintainability in an authentication feature.

Impact: High
Use correct error for state validation

Update the error returned when the received_state does not match the expected_state.
This should use the newly introduced AuthError::InvalidState variant to accurately
reflect the nature of the security validation failure, improving clarity and
maintainability.

backend/feature/auth/src/application/use_case/exchange_auth_code_use_case.rs [40-42]

 if received_state != expected_state {
-    return Err(AuthError::InvalidNonce);
+    return Err(AuthError::InvalidState);
 }
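Review bot: the comparison at lines 40-42 should consume expected_state from the session rather than only read it, and do so before comparing, so that a callback URL (whether its state is valid or forged) can be matched at most once; the hunk does not show where expected_state is loaded, so also confirm that a session with no pending login (no prior /auth/login) yields Err(AuthError::InvalidState) instead of comparing against a default empty value. A constant-time comparison is a cheap extra, though since state is a one-time value the plain != is not the main risk here.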
Suggestion importance [1-10]: 9

Why: This suggestion directly addresses a logical flaw by correcting the error type returned for a state mismatch. It ensures that the system accurately reports the specific security validation failure, which is vital for debugging and maintaining the authentication flow.

Impact: High
Handle new OIDC state error

After introducing AuthError::InvalidState and using it for state validation, update
the oidc_callback_handler to correctly handle this new error variant. This ensures
that state validation failures are explicitly caught and result in an appropriate
HTTP response.

backend/feature/auth/src/framework/web/auth_web_routes.rs [83-85]

-AuthError::InvalidAuthCode | AuthError::InvalidIdToken | AuthError::InvalidNonce => {
+AuthError::InvalidAuthCode | AuthError::InvalidIdToken | AuthError::InvalidNonce | AuthError::InvalidState => {
     HttpResponse::BadRequest().finish()
 }
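Review bot: collapsing InvalidState and InvalidNonce into an empty 400 is the right client-facing choice (nothing about which check failed reaches the caller), but this arm should be paired with a server-side log line that records the variant, because the distinction the PR just introduced is only useful if it reaches the logs: repeated InvalidState on /auth/callback points at forged or cross-site callbacks, repeated InvalidNonce at ID token replay, and as written the arm discards that information together with the response body.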
Suggestion importance [1-10]: 8

Why: This suggestion ensures that the newly introduced AuthError::InvalidState is properly handled in the web layer, providing a consistent HTTP response for state validation failures. It completes the error handling chain, making the application more robust.

Impact: Medium
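The PR description lists the three endpoints, and the first suggestion above explains why state (CSRF binding to the browser session) and nonce (replay binding to the ID token) are separate checks with separate errors. The block below is an added example written for this page, not code from this PR or the blog project: it models the session bookkeeping behind GET /auth/login, GET /auth/callback and GET /auth/logout using only the Rust standard library, so that it runs offline. The project itself uses the openidconnect crate, which generates and verifies these values, and actix-session backed by Redis in place of the HashMap used here. The issuer URL, client id, redirect URI, the PendingLogin, SessionStore and fake_exchange names, the constructed token exchange, and the /dev/urandom token source are all assumptions of the example; only the AuthError variant names follow the diff in this thread.

```rust
// Added example (not the project's code): state/nonce bookkeeping for the
// OIDC login flow, std only, so it runs offline.
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// Error variants as named in the PR's AuthError (OidcError omitted here).
#[derive(Debug, PartialEq)]
pub enum AuthError {
    InvalidState,
    InvalidNonce,
    InvalidAuthCode,
    InvalidIdToken,
}

/// Values kept in the server session between /auth/login and /auth/callback.
/// Hypothetical layout: the PR does not show the project's session keys.
#[derive(Clone, Debug)]
pub struct PendingLogin {
    pub state: String, // CSRF binding: ties the callback to this browser session
    pub nonce: String, // replay binding: must come back inside the ID token
}

/// Constructed stand-in for verified ID token claims. A real implementation
/// takes these from the openidconnect crate after signature, issuer and
/// audience checks; only the nonce comparison is modelled here.
#[derive(Debug)]
pub struct IdTokenClaims {
    pub subject: String,
    pub nonce: Option<String>,
}

/// In-memory stand-in for the Redis-backed actix-session store.
#[derive(Default)]
pub struct SessionStore {
    pending: HashMap<String, PendingLogin>, // session id -> pending login
    logged_in: HashMap<String, String>,     // session id -> subject
}

/// 32 random bytes from /dev/urandom, hex-encoded (assumes a Unix host).
pub fn random_token() -> String {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")
        .and_then(|mut f| f.read_exact(&mut buf))
        .expect("cannot read /dev/urandom");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Length-checked, constant-time comparison of two tokens.
pub fn ct_eq(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl SessionStore {
    /// GET /auth/login: remember fresh state + nonce in the session and build
    /// the authorization URL (issuer, client id and redirect URI are made up).
    pub fn begin_login(&mut self, session_id: &str, state: String, nonce: String) -> String {
        let url = format!(
            "https://issuer.example/authorize?response_type=code&client_id=blog\
             &redirect_uri=https%3A%2F%2Fblog.example%2Fauth%2Fcallback&scope=openid\
             &state={state}&nonce={nonce}"
        );
        self.pending.insert(session_id.to_string(), PendingLogin { state, nonce });
        url
    }

    /// GET /auth/callback: consume the pending login (one use only), check the
    /// returned state against the session, exchange the code, then check the
    /// nonce against the ID token. `exchange` stands in for the token endpoint.
    pub fn finish_login<F>(&mut self, session_id: &str, received_state: &str, code: &str, exchange: F)
        -> Result<String, AuthError>
    where
        F: Fn(&str) -> Result<IdTokenClaims, AuthError>,
    {
        // Remove first: a replayed or second callback must never find a match.
        let pending = self.pending.remove(session_id).ok_or(AuthError::InvalidState)?;
        if !ct_eq(received_state, &pending.state) {
            return Err(AuthError::InvalidState); // forged or cross-site callback
        }
        let claims = exchange(code)?;
        match claims.nonce.as_deref() {
            Some(n) if ct_eq(n, &pending.nonce) => {}
            _ => return Err(AuthError::InvalidNonce), // replayed or foreign ID token
        }
        self.logged_in.insert(session_id.to_string(), claims.subject.clone());
        Ok(claims.subject)
    }

    /// GET /auth/logout: drop the login; returns whether one existed.
    pub fn logout(&mut self, session_id: &str) -> bool {
        self.logged_in.remove(session_id).is_some()
    }

    pub fn current_user(&self, session_id: &str) -> Option<&str> {
        self.logged_in.get(session_id).map(String::as_str)
    }
}

/// Constructed token exchange: only code "good" succeeds, and the ID token it
/// returns always carries `nonce_in_token`, which lets a replay be simulated.
pub fn fake_exchange(nonce_in_token: &'static str) -> impl Fn(&str) -> Result<IdTokenClaims, AuthError> {
    move |code: &str| {
        if code != "good" {
            return Err(AuthError::InvalidAuthCode);
        }
        Ok(IdTokenClaims { subject: "alice".to_string(), nonce: Some(nonce_in_token.to_string()) })
    }
}

fn main() {
    let mut store = SessionStore::default();
    let url = store.begin_login("sess-1", random_token(), random_token());
    println!("redirect the browser to {url}");
    // A callback carrying a state from some other session is rejected.
    println!("{:?}", store.finish_login("sess-1", "not-my-state", "good", fake_exchange("x")));
}
```

Two design points worth keeping when mapping this back to the real crate: the pending entry is removed from the session before the comparison, so a callback URL can be matched at most once and a session with no prior /auth/login fails with InvalidState rather than comparing against an empty value; and the nonce is checked against the claims of the token that was just exchanged, not against anything the browser sent, which is what makes it a replay check rather than a second CSRF check.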
squid added 1 commit 2025-07-30 03:43:29 +08:00
BLOG-85 feat: add InvalidState error to AuthError and update error handling in OIDC callback
All checks were successful
PR Title Check / pr-title-check (pull_request) Successful in 13s
Frontend CI / build (push) Successful in 1m8s
7a153f0f86
Author
Owner

After introducing AuthError::InvalidState and using it for state validation, update
the oidc_callback_handler to correctly handle this new error variant. This ensures
that state validation failures are explicitly caught and result in an appropriate
HTTP response.

backend/feature/auth/src/framework/web/auth_web_routes.rs [83-85]

-AuthError::InvalidAuthCode | AuthError::InvalidIdToken | AuthError::InvalidNonce => {
+AuthError::InvalidAuthCode | AuthError::InvalidIdToken | AuthError::InvalidNonce | AuthError::InvalidState => {
     HttpResponse::BadRequest().finish()
 }

The above and related issues are addressed in 7a153f0f86.

squid merged commit dd0567c937 into main 2025-07-30 03:46:50 +08:00
squid deleted branch BLOG-85_oidc_login 2025-07-30 03:46:50 +08:00