[PR #640] [MERGED] feat: allow introspection and device code endpoints to use Federated Client Credentials #709

Closed
opened 2025-10-08 00:15:42 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/640
Author: @ItalyPaleAle
Created: 6/9/2025
Status: Merged
Merged: 6/9/2025
Merged by: @stonith404

Base: main ← Head: fix-introspection-auth


📝 Commits (10+)

  • d9137a6 WIP (https://github.com/pocket-id/pocket-id/commit/d9137a6ed067b3b6f65fb8696d53c6537547e331)
  • ef742f0 WIP: Convert refresh tokens to signed ones (https://github.com/pocket-id/pocket-id/commit/ef742f06c78483782906cdb9815f2eeced67f6f2)
  • 84d0097 Updated introspection endpoint too (https://github.com/pocket-id/pocket-id/commit/84d0097f393de070691c3410e62c6babded48ac1)
  • 80de3b8 Introspect token supports federated credentials (https://github.com/pocket-id/pocket-id/commit/80de3b88a7039a32e8b28c8ada1d6967366dc7f1)
  • fe0cb4a Fix (https://github.com/pocket-id/pocket-id/commit/fe0cb4a3929054c67138d1b224b2ca5b80bc02c8)
  • 2164ba0 Lint (https://github.com/pocket-id/pocket-id/commit/2164ba06062c26c4688ec6aaf038a08cb5b417fa)
  • 58efcbc Merge branch 'main' of https://github.com/pocket-id/pocket-id into fix-introspection-auth (https://github.com/pocket-id/pocket-id/commit/58efcbc8cab392561b1684bd23ddfb191d35a68c)
  • 8d9f91b Allow client assertions for the device code endpoint too (https://github.com/pocket-id/pocket-id/commit/8d9f91bccc775360f9beaf7a880bac59c9afc6e1)
  • 7b0829a Address review feedback (https://github.com/pocket-id/pocket-id/commit/7b0829ad45d596c0328d31bd503239ea74d267dc)
  • 3a9997d Merge branch 'main' of https://github.com/pocket-id/pocket-id into fix-introspection-auth (https://github.com/pocket-id/pocket-id/commit/3a9997d9a38269e41577867cbdce08f3af700670)

📊 Changes

13 files changed (+788 additions, -125 deletions)

📝 backend/internal/controller/e2etest_controller.go (+22 -0)
📝 backend/internal/controller/oidc_controller.go (+15 -3)
📝 backend/internal/dto/oidc_dto.go (+5 -3)
📝 backend/internal/service/e2etest_service.go (+4 -0)
📝 backend/internal/service/jwt_service.go (+106 -7)
📝 backend/internal/service/jwt_service_test.go (+195 -12)
📝 backend/internal/service/oidc_service.go (+145 -72)
📝 backend/internal/service/oidc_service_test.go (+8 -8)
➕ backend/internal/utils/http_util.go (+18 -0)
➕ backend/internal/utils/http_util_test.go (+65 -0)
📝 backend/internal/utils/jwt_util.go (+3 -2)
📝 tests/data.ts (+2 -0)
📝 tests/specs/oidc.spec.ts (+200 -18)

📄 Description

Follow-up from #566 to complete the work started there

  • Add support for using federated client credentials to the introspection endpoint, to validate auth and refresh tokens. Calls to the endpoint use Authorization: Bearer <jwt> for authorization.
  • Add support for using federated client credentials to the device code endpoint
  • As part of that change, and for other reasons discussed on Discord, the refresh token's format has changed, and it's now a JWT containing the actual refresh code (stored in the DB, hashed), plus the ID of the client that uses it and the ID of the user it belongs to
    • This is required because otherwise there's no way to know the client ID when introspecting a refresh token using federated client credentials
    • It also allows more careful database lookups
    • The RFC doesn't mandate anything about the format of refresh tokens, which are opaque strings for clients, so this remains fully-compliant

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
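The description above explains two mechanisms: the introspection endpoint authenticates the calling client from a federated client credential carried in Authorization: Bearer <jwt>, and the refresh token itself becomes a signed JWT wrapping the random refresh code (hashed in the database) together with the client ID and user ID, so the server can check that the introspecting client actually owns the token. The following Go program is an added example written for this page, not code from Pocket ID or its author. It assumes EdDSA-signed compact JWTs built with the standard library, an assumed claim layout (sub, client_id, rc, exp) rather than the project's real schema, and in-memory maps in place of the database and the per-client trusted keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RefreshClaims is an assumed refresh-token payload (not the project's schema): the opaque
// refresh code plus the client and user it belongs to, so the owner can be checked on introspection.
type RefreshClaims struct {
	Sub      string `json:"sub"`       // user ID
	ClientID string `json:"client_id"` // client the token was issued to
	Code     string `json:"rc"`        // the actual refresh code; only its hash is stored server-side
	Exp      int64  `json:"exp"`
}

// ClientAssertion is the federated client credential: a JWT the client signs with its own key.
type ClientAssertion struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"` // client ID
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT builds a compact EdDSA JWT over claims.
func SignJWT(priv ed25519.PrivateKey, claims any) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyJWT pins the algorithm, checks the signature, then decodes the payload into out.
func VerifyJWT(pub ed25519.PublicKey, token string, out any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	return json.Unmarshal(payload, out)
}

// unverifiedSub peeks at sub before verification, solely to select which trusted key to verify with.
func unverifiedSub(token string) string {
	var c struct{ Sub string `json:"sub"` }
	if parts := strings.Split(token, "."); len(parts) == 3 {
		if p, err := base64.RawURLEncoding.DecodeString(parts[1]); err == nil {
			_ = json.Unmarshal(p, &c)
		}
	}
	return c.Sub
}

func hashCode(code string) string { h := sha256.Sum256([]byte(code)); return hex.EncodeToString(h[:]) }

// Server stands in for the authorization server; the maps stand in for database tables.
type Server struct {
	priv        ed25519.PrivateKey
	pub         ed25519.PublicKey
	HashedCodes map[string]struct{}          // sha256(refresh code) -> present (delete to revoke)
	ClientKeys  map[string]ed25519.PublicKey // client ID -> key trusted for its federated credentials
}

func NewServer() (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, pub: pub, HashedCodes: map[string]struct{}{}, ClientKeys: map[string]ed25519.PublicKey{}}, nil
}

// IssueRefreshToken stores the hash of a fresh random code and returns it wrapped in a signed JWT.
func (s *Server) IssueRefreshToken(userID, clientID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := b64(raw)
	s.HashedCodes[hashCode(code)] = struct{}{}
	return SignJWT(s.priv, RefreshClaims{Sub: userID, ClientID: clientID, Code: code, Exp: time.Now().Add(24 * time.Hour).Unix()})
}

// Introspect models the endpoint called with "Authorization: Bearer <client assertion>".
// Caller authentication failures are errors; a forged, expired, revoked or foreign token is
// simply reported as inactive, so nothing about other clients' tokens is disclosed.
func (s *Server) Introspect(authHeader, refreshToken string) (active bool, err error) {
	assertion, ok := strings.CutPrefix(authHeader, "Bearer ")
	if !ok {
		return false, errors.New("missing bearer client assertion")
	}
	clientID := unverifiedSub(assertion)
	key, ok := s.ClientKeys[clientID]
	if !ok {
		return false, fmt.Errorf("unknown client %q", clientID)
	}
	var ca ClientAssertion
	if err := VerifyJWT(key, assertion, &ca); err != nil || ca.Sub != clientID || ca.Exp < time.Now().Unix() {
		return false, errors.New("invalid client assertion")
	}
	var rc RefreshClaims
	if err := VerifyJWT(s.pub, refreshToken, &rc); err != nil || rc.Exp < time.Now().Unix() {
		return false, nil
	}
	if rc.ClientID != clientID { // the client_id claim is what makes this ownership check possible
		return false, nil
	}
	_, active = s.HashedCodes[hashCode(rc.Code)]
	return active, nil
}

func main() {
	s, _ := NewServer()
	cPub, cPriv, _ := ed25519.GenerateKey(rand.Reader)
	s.ClientKeys["client-a"] = cPub
	tok, _ := s.IssueRefreshToken("user-1", "client-a")
	assertion, _ := SignJWT(cPriv, ClientAssertion{Iss: "client-a", Sub: "client-a", Exp: time.Now().Add(time.Minute).Unix()})
	active, err := s.Introspect("Bearer "+assertion, tok)
	fmt.Println("active:", active, "err:", err)
}
```

Because the refresh code is random and only its hash is stored, a database leak alone does not yield usable refresh tokens, and revocation is a hash deletion. The client_id claim inside the signed wrapper lets the server reject introspection of one client's token by another without a second lookup, which is the gap the description says the change closes.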

OVERLORD added the pull-request label 2025-10-08 00:15:42 +03:00
Reference: starred/pocket-id-pocket-id-1#709