mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

feat(gatekeeper): add PR merge automation service
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details

Browse Source
This commit is contained in:
Jason Woltje
2026-03-10 21:35:11 -05:00
parent 3289677056
commit 6e2b9a307e
27 changed files with 1089 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/scratchpads/86-authentik-oidc-integration-security-fixes.md
View File

@@ -7,11 +7,13 @@ The initial implementation (commit 6878d57) was high quality but included placeh
## Security-Critical Issues
### 1. JWT Token Validation (CRITICAL)
**Problem**: `validateToken()` always returns `valid: false`
**Risk**: Cannot verify authenticity of federated tokens
**Solution**: Implement proper JWT validation with signature verification
### 2. OIDC Discovery (CRITICAL)
**Problem**: `generateAuthUrl()` returns hardcoded placeholder URL
**Risk**: Cannot initiate real federated authentication flows
**Solution**: Implement OIDC discovery and proper authorization URL generation
@@ -19,9 +21,11 @@ The initial implementation (commit 6878d57) was high quality but included placeh
## Implementation Plan
### 1. Add Dependencies
- [x] Add `jose` library for JWT handling (industry-standard, secure)
### 2. Implement JWT Validation
- [ ] Fetch OIDC discovery metadata from issuer
- [ ] Cache JWKS (JSON Web Key Set) for performance
- [ ] Verify JWT signature using remote public key
@@ -31,6 +35,7 @@ The initial implementation (commit 6878d57) was high quality but included placeh
- [ ] Return proper validation results
### 3. Implement OIDC Discovery
- [ ] Fetch `.well-known/openid-configuration` from remote instance
- [ ] Cache discovery metadata
- [ ] Generate proper OAuth2 authorization URL
@@ -39,6 +44,7 @@ The initial implementation (commit 6878d57) was high quality but included placeh
- [ ] Support standard OIDC scopes (openid, profile, email)
### 4. Update Tests
- [ ] Replace mock-based tests with real behavior tests
- [ ] Test valid JWT validation
- [ ] Test expired/invalid token rejection
@@ -47,6 +53,7 @@ The initial implementation (commit 6878d57) was high quality but included placeh
- [ ] Maintain 85%+ test coverage
### 5. Security Considerations
- Cache JWKS to avoid excessive network calls
- Validate token expiration strictly
- Use PKCE to prevent authorization code interception
@@ -57,6 +64,7 @@ The initial implementation (commit 6878d57) was high quality but included placeh
## Implementation Notes
**PKCE Flow**:
1. Generate random code_verifier (base64url-encoded random bytes)
2. Generate code_challenge = base64url(SHA256(code_verifier))
3. Store code_verifier in session/database
@@ -64,6 +72,7 @@ The initial implementation (commit 6878d57) was high quality but included placeh
5. Send code_verifier in token exchange
**JWT Validation Flow**:
1. Parse JWT without verification to get header
2. Fetch JWKS from issuer (cache for 1 hour)
3. Find matching key by kid (key ID)