feat(oidc): support token refreshing via offline_access scope

- refactored code - moved api/v1/auth to auth/ - security enhancement - env example update - default jwt ttl changed to 24 hours
2026-03-25 18:41:10 +01:00 · 2025-04-23 17:50:22 +08:00
parent 28c9a2e9d0
commit b815c6fd69
21 changed files with 668 additions and 310 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,23 +1,26 @@
 # set timezone to get correct log timestamp
 TZ=ETC/UTC

+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
 # API/WebUI user password login credentials (optional)
 # These fields are not required for OIDC authentication
 GODOXY_API_USER=admin
 GODOXY_API_PASSWORD=password
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-# the JWT token time-to-live
-GODOXY_API_JWT_TOKEN_TTL=1h

 # OIDC Configuration (optional)
 # Uncomment and configure these values to enable OIDC authentication.
+# For `GODOXY_OIDC_SCOPES` you may also include `offline_access` if your Idp supports it (e.g. Authentik)
+#
 # GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
 # GODOXY_OIDC_CLIENT_ID=your-client-id
 # GODOXY_OIDC_CLIENT_SECRET=your-client-secret
-# Keep /api/auth/callback as the redirect URL, change the domain to match your setup.
-# GODOXY_OIDC_REDIRECT_URL=https://your-domain/api/auth/callback
-# Comma-separated list of scopes
 # GODOXY_OIDC_SCOPES=openid, profile, email
 #
 # User definitions: Uncomment and configure these values to restrict access to specific users or groups.