[PR #145] [MERGED] feat: Add per-route OIDC client ID and secret support #172

Closed
opened 2025-12-29 15:18:51 +01:00 by adam (Owner) · 0 comments

📋 Pull Request Information

Original PR: https://github.com/yusing/godoxy/pull/145
Author: @deandre
Created: 9/7/2025
Status: Merged
Merged: 9/8/2025
Merged by: @yusing

Base: main ← Head: per-route-oidc


📝 Commits (2)

  • de9f20f Implement per-route OIDC
  • 26ee8e6 address sonarqube feedback

📊 Changes

5 files changed (+130 additions, -14 deletions)

View changed files

📝 internal/auth/oauth_refresh.go (+1 -1)
📝 internal/auth/oidc.go (+64 -12)
📝 internal/auth/oidc_test.go (+4 -1)
📝 internal/net/gphttp/middleware/oidc.go (+26 -0)
➕ internal/net/gphttp/middleware/oidc_test.go (+35 -0)

📄 Description

Summary

This PR implements the ability to specify custom OIDC client ID and secret per route, allowing different applications to use different OIDC clients while maintaining cookie isolation to prevent conflicts.

Changes

  • App-scoped cookie names: Cookie names are now scoped to the specific OIDC client ID to prevent conflicts between different applications
  • Custom OIDC provider creation: Added NewOIDCProviderWithCustomClient() function to create OIDC providers with custom credentials
  • Per-route middleware configuration: Extended OIDC middleware to support client_id, client_secret, and scopes per route

Usage Examples

Docker Labels

services:
  app1:
    image: nginx:alpine
    labels:
      proxy.aliases: app1.example.com
      proxy.#1.port: 80
      proxy.#1.middlewares.oidc: |
        client_id: "app1-client-id"
        client_secret: "app1-client-secret"
        scopes: "openid,profile,email,groups"
        allowed_users: ["app1-user1", "app1-user2"]
        allowed_groups: ["app1-group"]

  app2:
    image: nginx:alpine
    labels:
      proxy.aliases: app2.example.com
      proxy.#1.port: 80
      proxy.#1.middlewares.oidc: |
        client_id: "app2-client-id"
        client_secret: "app2-client-secret"
        allowed_groups: ["app2-group", "shared-group"]

  app3:
    image: nginx:alpine
    labels:
      proxy.aliases: app3.example.com
      proxy.#1.port: 80
      proxy.#1.middlewares.oidc: |
        # Uses global OIDC config (no client_id/client_secret)
        allowed_users: ["app3-user"]

YAML Configuration

# Global OIDC configuration (used as fallback)
oidc:
  issuer_url: "https://your-oidc-provider.com"
  client_id: "global-client-id"
  client_secret: "global-client-secret"
  allowed_users: ["admin", "user1"]
  allowed_groups: ["admins", "users"]

routes:
  # App with custom client credentials
  - name: "app1"
    url: "http://app1:8080"
    middleware:
      oidc:
        client_id: "app1-client-id"
        client_secret: "app1-client-secret"
        scopes: "openid,profile,email,groups"
        allowed_users: ["app1-user1", "app1-user2"]
        allowed_groups: ["app1-group"]

  # App with different client and group-based access
  - name: "app2"
    url: "http://app2:8080"
    middleware:
      oidc:
        client_id: "app2-client-id"
        client_secret: "app2-client-secret"
        allowed_groups: ["app2-group", "shared-group"]

  # App using global OIDC configuration
  - name: "app3"
    url: "http://app3:8080"
    middleware:
      oidc:
        # No client_id/client_secret specified, uses global config
        allowed_users: ["app3-user"]

  # App with custom scopes only
  - name: "app4"
    url: "http://app4:8080"
    middleware:
      oidc:
        scopes: "openid,profile,email,groups,custom-scope"
        allowed_groups: ["app4-group"]

Breaking Changes

None. This is fully backward compatible.

Testing

  • All existing tests pass
  • New tests added for middleware functionality
  • Tested with multiple OIDC clients using different credentials

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
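The three behaviours the PR describes, credentials falling back to the global `oidc` section, a comma-separated `scopes` string, and a session cookie scoped to the client ID, as an added Go example that is not part of the PR or of the godoxy code base. `OIDCConfig`, `Resolve`, `ScopeList` and `CookieName`, the hashed cookie suffix, and the rule that a route setting only one of `client_id`/`client_secret` is rejected are assumptions of this example, not the project's actual implementation.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// OIDCConfig is a hypothetical model of the PR's fields (global and per-route).
type OIDCConfig struct {
	ClientID, ClientSecret string
	Scopes                 string // comma-separated, as in the PR examples
}

// Resolve overlays a route's block on the global config. Credentials are
// taken from the route only as a pair: a lone client_id or client_secret
// is rejected rather than silently paired with the global value (assumption).
func Resolve(global, route OIDCConfig) (OIDCConfig, error) {
	eff := global
	switch {
	case route.ClientID != "" && route.ClientSecret != "":
		eff.ClientID, eff.ClientSecret = route.ClientID, route.ClientSecret
	case route.ClientID != "" || route.ClientSecret != "":
		return OIDCConfig{}, fmt.Errorf("client_id and client_secret must be set together")
	}
	if route.Scopes != "" {
		eff.Scopes = route.Scopes
	}
	return eff, nil
}

// ScopeList splits the comma-separated scopes and guarantees "openid" first.
func ScopeList(scopes string) []string {
	out := []string{"openid"}
	for _, s := range strings.Split(scopes, ",") {
		if s = strings.TrimSpace(s); s != "" && s != "openid" {
			out = append(out, s)
		}
	}
	return out
}

// CookieName scopes the session cookie to the client ID; hashing keeps the
// name a valid cookie token whatever characters the client ID contains.
func CookieName(base, clientID string) string {
	h := sha256.Sum256([]byte(clientID))
	return base + "_" + hex.EncodeToString(h[:8])
}
```

With the PR's own examples, app1 resolves to its own credentials, app3 and app4 inherit the global client, and app1 and app2 receive different cookie names, so a session established on one never satisfies the other.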

adam added the pull-request label 2025-12-29 15:18:51 +01:00
adam closed this issue 2025-12-29 15:18:51 +01:00

Reference: starred/godoxy-yusing#172