Add OIDC provider functionality with validation setup

config.example.yaml

@@ -63,6 +63,42 @@ oauth:
       # Allow insecure connections (self-signed certificates)
       insecure: false
 
+# OIDC Provider Configuration
+oidc:
+  # Enable OIDC provider functionality
+  enabled: false
+  # OIDC issuer URL (defaults to appUrl if not set)
+  issuer: ""
+  # Access token expiry in seconds (3600 = 1 hour)
+  accessTokenExpiry: 3600
+  # ID token expiry in seconds (3600 = 1 hour)
+  idTokenExpiry: 3600
+  # OIDC Client Configuration
+  clients:
+    # Client ID (used as the key)
+    myapp:
+      # Client secret (or use clientSecretFile)
+      clientSecret: "your_client_secret_here"
+      # Path to file containing client secret (optional, alternative to clientSecret)
+      clientSecretFile: ""
+      # Client name for display purposes
+      clientName: "My Application"
+      # Allowed redirect URIs
+      redirectUris:
+        - "https://myapp.example.com/callback"
+        - "http://localhost:3000/callback"
+      # Allowed grant types (defaults to ["authorization_code"] if not specified)
+      grantTypes:
+        - "authorization_code"
+      # Allowed response types (defaults to ["code"] if not specified)
+      responseTypes:
+        - "code"
+      # Allowed scopes (defaults to ["openid", "profile", "email"] if not specified)
+      scopes:
+        - "openid"
+        - "profile"
+        - "email"
+
 # UI Customization
 ui:
   # Custom title for login page

go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/gin-gonic/gin v1.11.0
 	github.com/glebarez/sqlite v1.11.0
 	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.1.0
 	github.com/google/uuid v1.6.0

go.sum

@@ -127,6 +127,8 @@ github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PU
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=

internal/assets/migrations/000004_oidc_clients.down.sql

@@ -0,0 +1,2 @@
+DROP TABLE IF EXISTS "oidc_clients";
+

internal/assets/migrations/000004_oidc_clients.up.sql

@@ -0,0 +1,12 @@
+CREATE TABLE IF NOT EXISTS "oidc_clients" (
+    "client_id" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "client_secret" TEXT NOT NULL,
+    "client_name" TEXT NOT NULL,
+    "redirect_uris" TEXT NOT NULL,
+    "grant_types" TEXT NOT NULL,
+    "response_types" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" INTEGER NOT NULL,
+    "updated_at" INTEGER NOT NULL
+);
+

internal/bootstrap/router_bootstrap.go

@@ -102,5 +102,15 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 
 	healthController.SetupRoutes()
 
+	// Setup OIDC controller if OIDC is enabled
+	if app.config.OIDC.Enabled && app.services.oidcService != nil {
+		oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{
+			AppURL:      app.config.AppURL,
+			CookieDomain: app.context.cookieDomain,
+		}, apiRouter, app.services.oidcService, app.services.authService)
+
+		oidcController.SetupRoutes()
+	}
+
 	return engine, nil
 }

internal/bootstrap/service_bootstrap.go

@@ -13,6 +13,7 @@ type Services struct {
 	dockerService        *service.DockerService
 	ldapService          *service.LdapService
 	oauthBrokerService   *service.OAuthBrokerService
+	oidcService          *service.OIDCService
 }
 
 func (app *BootstrapApp) initServices() (Services, error) {
@@ -96,5 +97,39 @@ func (app *BootstrapApp) initServices() (Services, error) {
 
 	services.oauthBrokerService = oauthBrokerService
 
+	// Initialize OIDC service if enabled
+	if app.config.OIDC.Enabled {
+		issuer := app.config.OIDC.Issuer
+		if issuer == "" {
+			issuer = app.config.AppURL
+		}
+
+		oidcService := service.NewOIDCService(service.OIDCServiceConfig{
+			AppURL:            app.config.AppURL,
+			Issuer:             issuer,
+			AccessTokenExpiry:  app.config.OIDC.AccessTokenExpiry,
+			IDTokenExpiry:     app.config.OIDC.IDTokenExpiry,
+			Database:           databaseService.GetDatabase(),
+		})
+
+		err = oidcService.Init()
+		if err != nil {
+			log.Warn().Err(err).Msg("Failed to initialize OIDC service, continuing without it")
+		} else {
+			services.oidcService = oidcService
+			log.Info().Msg("OIDC service initialized")
+
+			// Sync clients from config
+			if len(app.config.OIDC.Clients) > 0 {
+				err = oidcService.SyncClientsFromConfig(app.config.OIDC.Clients)
+				if err != nil {
+					log.Warn().Err(err).Msg("Failed to sync OIDC clients from config")
+				} else {
+					log.Info().Int("count", len(app.config.OIDC.Clients)).Msg("Synced OIDC clients from config")
+				}
+			}
+		}
+	}
+
 	return services, nil
 }

internal/config/config.go

@@ -26,6 +26,7 @@ type Config struct {
 	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
 	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
 	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
+	OIDC              OIDCConfig         `description:"OIDC provider configuration." yaml:"oidc"`
 	UI                UIConfig           `description:"UI customization." yaml:"ui"`
 	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental      ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
@@ -68,6 +69,24 @@ type LdapConfig struct {
 	SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
 }
 
+type OIDCConfig struct {
+	Enabled          bool                        `description:"Enable OIDC provider functionality." yaml:"enabled"`
+	Issuer           string                      `description:"OIDC issuer URL (defaults to appUrl)." yaml:"issuer"`
+	AccessTokenExpiry int                        `description:"Access token expiry time in seconds." yaml:"accessTokenExpiry"`
+	IDTokenExpiry     int                        `description:"ID token expiry time in seconds." yaml:"idTokenExpiry"`
+	Clients           map[string]OIDCClientConfig `description:"OIDC client configurations." yaml:"clients"`
+}
+
+type OIDCClientConfig struct {
+	ClientSecret     string   `description:"OIDC client secret." yaml:"clientSecret"`
+	ClientSecretFile string   `description:"Path to the file containing the OIDC client secret." yaml:"clientSecretFile"`
+	ClientName       string   `description:"Client name for display purposes." yaml:"clientName"`
+	RedirectURIs     []string `description:"Allowed redirect URIs." yaml:"redirectUris"`
+	GrantTypes       []string `description:"Allowed grant types (defaults to ['authorization_code'])." yaml:"grantTypes"`
+	ResponseTypes    []string `description:"Allowed response types (defaults to ['code'])." yaml:"responseTypes"`
+	Scopes           []string `description:"Allowed scopes (defaults to ['openid', 'profile', 'email'])." yaml:"scopes"`
+}
+
 type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }