Darkness4 / auth-htmx

Experiment with Go + HTMX and OAuth2/OIDC + WebAuthn
https://auth-htmx.mnguyen.fr
Apache License 2.0

Oidc #1

Closed gedw99 closed 1 year ago

gedw99 commented 1 year ago

https://github.com/zitadel/zitadel-go/issues/236

I suggested your repo as a basis / example.

Maybe you are also interested in a generic oidc / oauth system based on htmx.

Zitadel also supports passkeys and other fancy stuff

Darkness4 commented 1 year ago

I'm familiar with OIDC, especially since I use one (Keycloak) in my company, but I'm a bit rusty. It seems that zitadel is something similar.

As I understand it, OIDC is an identity provider with OAuth2 capability. I can use the OAuth2 flow easily by parsing the discovery document (google example), and instead of calling the Github API to verify and retrieve user information, I can use the ID token, validate it by verifying a signature and certificates and retrieve user information using the OIDC-compliant scope.

While it seems interesting to extend the experiment to OIDC, it's a shame that Github doesn't support OIDC. I may extend the example with Google Auth, though.

Theoretically, it looks like I must:

  1. Change the scope of the login function and add openid profile email.
  2. Remove any hard-coded value about authorizationURL, userURL etc... and use the discovery document.
  3. Parse and verify the ID token in my getCurrentUser instead of calling the Github API.

To be fair, I should use the go-oidc package instead. And I should have used the package oauth2. Right now, the implementation is very "naive".
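The three steps listed above, carried through in standard-library Go as an added illustration (this is not code from auth-htmx, and it is not how the go-oidc package is implemented; it only shows what a library like go-oidc has to do under the hood). The discovery document, issuer, client id and RSA key are constructed in-process so it runs offline; the provider side (SignIDToken) exists only so the verifier has something to check. Simplifications to be aware of: "aud" is treated as a single string although providers may send an array, the key is passed in directly instead of being fetched from jwks_uri and selected by "kid", and the nonce / at_hash checks of a full OIDC client are omitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const Scope = "openid profile email" // step 1: "openid" makes the provider return an ID token

// Step 2: endpoints come from the discovery document instead of hard-coded constants.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
}

// ParseDiscovery also checks that the document belongs to the issuer we configured.
func ParseDiscovery(doc []byte, expectedIssuer string) (Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return Discovery{}, err
	}
	if d.Issuer != expectedIssuer {
		return Discovery{}, fmt.Errorf("discovery issuer %q != configured %q", d.Issuer, expectedIssuer)
	}
	return d, nil
}

// Step 3: the claims getCurrentUser reads. "aud" is modelled as a string; some providers send an array.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

// VerifyIDToken checks the RS256 signature with the provider's key, then issuer, audience and expiry.
func VerifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return Claims{}, err
		}
		seg[i] = b
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return Claims{}, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != issuer:
		return Claims{}, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != clientID:
		return Claims{}, fmt.Errorf("token issued for %q, not us", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return Claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

// SignIDToken plays the provider so the example runs offline; a relying party never holds this key.
func SignIDToken(c Claims, priv *rsa.PrivateKey) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	pb, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(pb)
	digest := sha256.Sum256([]byte(hdr + "." + payload))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return hdr + "." + payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	doc := []byte(`{"issuer":"https://idp.example","authorization_endpoint":"https://idp.example/authorize"}`)
	d, _ := ParseDiscovery(doc, "https://idp.example") // constructed document, not a real provider
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok := SignIDToken(Claims{Iss: d.Issuer, Sub: "user-42", Aud: "my-client", Exp: time.Now().Add(time.Hour).Unix(), Email: "user@example.com"}, priv)
	c, err := VerifyIDToken(tok, &priv.PublicKey, d.Issuer, "my-client", time.Now())
	fmt.Println(d.AuthorizationEndpoint, Scope, c.Sub, c.Email, err)
}
```

The order inside VerifyIDToken is the point: the algorithm is pinned and the signature checked before a single claim is read, and the issuer and audience checks stop a token minted by another provider, or issued to another client of the same provider, from logging someone in. With go-oidc the same checks are done by the provider's Verifier, which also handles key fetching and rotation.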

Darkness4 commented 1 year ago

Support added with go-oidc and oauth2: https://github.com/Darkness4/auth-htmx/commit/829a866a36aab9f499fd613bf8118fb92da5eab1