feat(auth): support standard OIDC providers (Keycloak, Dex, etc.) #9622
Open
dfliess wants to merge 1 commit into
The auth module assumes Auth0 in three places: issuer URL construction (trailing slash), signup parameter (screen_hint), and logout endpoint (/v2/logout). This breaks any standard OIDC provider. Fix all three, fully backward compatible:

- AUTH_DOMAIN with "://" is used verbatim as issuer; without it, the old "https://"+domain+"/" behavior is preserved.
- Signup uses prompt=create (OIDC standard) instead of screen_hint.
- Logout reads end_session_endpoint from discovery and falls back to Auth0's /v2/logout when absent.

Tested with Keycloak 26. Auth0 continues to work unchanged.
Summary

This PR adds support for standard OIDC providers (Keycloak, Dex, Better Auth) alongside Auth0, making the auth module provider-agnostic. Three changes, all fully backward compatible:

- Issuer URL: `AUTH_DOMAIN` containing `://` is used verbatim as the issuer URL, enabling providers whose issuer has no trailing slash. Without `://`, the existing Auth0 behavior is preserved (`"https://"+domain+"/"`).
- Signup: uses `prompt=create` (OIDC standard) instead of `screen_hint=signup`.
- Logout: reads `end_session_endpoint` from the OIDC discovery document and uses `post_logout_redirect_uri` (RP-Initiated Logout). Falls back to Auth0's `/v2/logout` with `returnTo` when the endpoint is absent.

Test plan

- … `://` in `AUTH_DOMAIN`)

Files changed

- `admin/server/auth/auth.go`: issuer URL construction, discovery claims, struct field
- `admin/server/auth/handlers.go`: signup param, logout endpoint
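The three rules the description lays out (verbatim issuer when `AUTH_DOMAIN` carries `://`, `prompt=create` for signup, and `end_session_endpoint` with a `/v2/logout` fallback) fit in a few functions. The following is an added, self-contained Go example written for this page; it is not the PR's code or the project's `auth` package. The function names (`issuerURL`, `logoutURL`, `signupParams`, `parseDiscovery`), the `client_id` and `id_token_hint` logout parameters, and the two discovery documents are assumptions constructed here to show the two code paths side by side.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// discoveryClaims holds the one discovery field this example needs. The JSON key is the
// standard OIDC Discovery name; the Go field name is an assumption, not the project's struct.
type discoveryClaims struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// parseDiscovery decodes a discovery document; unknown keys are ignored.
func parseDiscovery(doc []byte) (discoveryClaims, error) {
	var c discoveryClaims
	if err := json.Unmarshal(doc, &c); err != nil {
		return c, fmt.Errorf("discovery document: %w", err)
	}
	return c, nil
}

// issuerURL: a value containing "://" is the issuer verbatim (Keycloak and Dex issuers carry
// a path and no trailing slash); anything else keeps the Auth0-era "https://"+domain+"/".
func issuerURL(authDomain string) string {
	if strings.Contains(authDomain, "://") {
		return authDomain
	}
	return "https://" + authDomain + "/"
}

// signupParams returns the authorize-request parameter for a signup flow: the standard
// prompt=create rather than Auth0's screen_hint=signup.
func signupParams() url.Values {
	return url.Values{"prompt": {"create"}}
}

// logoutURL builds the logout redirect. With end_session_endpoint present it performs
// RP-Initiated Logout (post_logout_redirect_uri, client_id, optional id_token_hint);
// when absent, it falls back to Auth0's /v2/logout with returnTo.
func logoutURL(issuer string, claims discoveryClaims, clientID, redirectTo, idTokenHint string) (string, error) {
	if claims.EndSessionEndpoint != "" {
		u, err := url.Parse(claims.EndSessionEndpoint)
		if err != nil || u.Scheme == "" || u.Host == "" {
			// A relative or unparsable endpoint would send the browser somewhere unintended;
			// refuse rather than silently falling back to the Auth0 path.
			return "", errors.New("end_session_endpoint is not an absolute URL")
		}
		q := u.Query()
		q.Set("post_logout_redirect_uri", redirectTo)
		q.Set("client_id", clientID)
		if idTokenHint != "" {
			q.Set("id_token_hint", idTokenHint)
		}
		u.RawQuery = q.Encode()
		return u.String(), nil
	}
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	u.Path = "/v2/logout"
	q := u.Query()
	q.Set("client_id", clientID)
	q.Set("returnTo", redirectTo)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample discovery fragments: one Keycloak-style with an end_session_endpoint,
	// one Auth0-style without it.
	keycloak, _ := parseDiscovery([]byte(`{"issuer":"https://keycloak.example.test/realms/demo","end_session_endpoint":"https://keycloak.example.test/realms/demo/protocol/openid-connect/logout"}`))
	auth0, _ := parseDiscovery([]byte(`{"issuer":"https://example.us.auth0.com/"}`))
	cases := []struct {
		domain string
		claims discoveryClaims
	}{
		{"https://keycloak.example.test/realms/demo", keycloak},
		{"example.us.auth0.com", auth0},
	}
	for _, c := range cases {
		iss := issuerURL(c.domain)
		out, err := logoutURL(iss, c.claims, "admin-ui", "https://app.example.test/", "")
		fmt.Printf("issuer=%s\nsignup=%s\nlogout=%s err=%v\n\n", iss, signupParams().Encode(), out, err)
	}
}
```

The `post_logout_redirect_uri` value should still be restricted server-side to the application's own origins, since the provider will redirect to whatever it is handed; the example only shows how the two endpoints are selected.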