gofr icon indicating copy to clipboard operation
gofr copied to clipboard
verified publisher icon gofr-dev

Add OIDC middleware

Open meher745 opened this issue 4 months ago • 22 comments

This PR introduces comprehensive OpenID Connect (OIDC) support into the GoFr framework by adding:

OIDC Discovery Metadata Fetching & Caching (discovery.go) Implements dynamic fetching and caching of OIDC provider metadata (including issuer, JWKS URI, and userinfo endpoint) from the standard .well-known/openid-configuration URL.

OIDC Userinfo Middleware (oidc.go) Middleware to fetch user profile information from the OIDC userinfo endpoint after OAuth JWT token validation. This middleware injects the retrieved user info into the request context for downstream handlers to use.

Dedicated Tests (oidc_test.go, discovery_test.go) Thorough test coverage for both userinfo middleware and discovery metadata fetching utilities, covering success scenarios, error handling, caching behavior, and edge cases.

Documentation (docs/advanced-guide/oidc.md) Detailed usage guide explaining how to configure and use the new OIDC features alongside GoFr’s built-in OAuth middleware. Includes examples for discovery, middleware registration, and handler access to user info.

Implementation Highlights

  1. discovery.go:
  • Fetches OIDC metadata from the provider’s discovery URL.
  • Caches metadata with configurable expiration to minimize network calls.
  1. oidc.go:
  • Middleware extracts the validated Bearer token (via Authorization header).
  • Calls the provider’s userinfo endpoint with the token and parses JSON user details.
  • Injects user info into the Go standard context.Context, retrievable by the helper GetOIDCUserInfo.

Usage Flow:

  • Fetch discovery metadata at app startup.
  • Pass discovered JWKS URI and issuer to app.EnableOAuth.
  • Register the OIDC userinfo middleware after OAuth.
  • Access user profile info in route handlers via context helper.

Testing

All new tests pass:

  • oidc_test.go covers userinfo middleware success, token absence, userinfo endpoint failures, and JSON parsing errors.
  • discovery_test.go covers metadata fetching success, caching, HTTP errors, JSON errors, and network failures.

Existing package tests:

  • All existing and new OIDC-related tests pass locally.
  • There is one unrelated failing legacy test (TestGetJwtClaims) from the GoFr core package that does NOT concern this PR and does not affect the OIDC middleware functionality.

Thanks for considering this contribution!

meher745 avatar Aug 06 '25 14:08 meher745

Hi, @Umang01-hash @coolwednesday . Please review this PR. Thank you so much!

meher745 avatar Aug 06 '25 14:08 meher745

Hi @ccoVeille @Umang01-hash @coolwednesday . I've updated the files according to the recommendations. Please review.

meher745 avatar Aug 10 '25 11:08 meher745

@ccoVeille , kindly merge the pull request. Thanks!

meher745 avatar Aug 20 '25 16:08 meher745

I'm an active code reviewer of gofr. But I'm not a maintainer. I cannot merge.

Let's wait for a maintainer feedback

@coolwednesday @Umang01-hash

ccoVeille avatar Aug 20 '25 16:08 ccoVeille

@meher745 There's a lot of redundancy in your code right now - consider using the existing Auth Middleware which accepts AuthProvider. cc @Umang01-hash @coolwednesday

akshat-kumar-singhal avatar Aug 22 '25 05:08 akshat-kumar-singhal

@meher745 Are you still working in this PR?

Umang01-hash avatar Sep 02 '25 07:09 Umang01-hash

@meher745 Are you still working in this PR?

Yes I am. I am almost done with the desired changes.

meher745 avatar Sep 02 '25 07:09 meher745

Hi, @Umang01-hash @coolwednesday please let me know if the recent commits I made are fine. I'm kind of confused since I had to remove go.work.sum and go.sum, and build them again due to some import conflicts.

meher745 avatar Sep 05 '25 04:09 meher745

@Umang01-hash @coolwednesday Please review, thanks.

meher745 avatar Sep 19 '25 08:09 meher745

@ccoVeille @Umang01-hash @coolwednesday . Kindly review. Thanking you in advance!

meher745 avatar Sep 20 '25 10:09 meher745

Hey @meher745 !

There are a few review comments on your PR that still need to be addressed. Just checking in — are you currently working on this? If so, let’s aim to wrap it up soon, as it’s been pending for a while and we’re quite close to completing it.

If you need any help or clarification, feel free to reach out — happy to support however I can.

Looking forward to your update!

Umang01-hash avatar Oct 06 '25 05:10 Umang01-hash

Hi @Umang01-hash . I have gove through the suggestions and started working on them. I apologise for the delay since I had my semester exams going on. Will get back to you with updated pr soon! Thanks in advance.

meher745 avatar Oct 07 '25 21:10 meher745

Hi @meher745,

Thanks for the update — no worries at all! Looking forward to your updated PR.

Umang01-hash avatar Oct 08 '25 05:10 Umang01-hash

@meher745 Any updated on the requested changes? The PR has been open for quite a while, and we’re hoping to close it soon. If you need any help implementing the changes, feel free to reach out. Let’s try to wrap this up together!

Umang01-hash avatar Oct 23 '25 04:10 Umang01-hash

Hi @Umang01-hash @akshat-kumar-singhal . I apologize for the delay, please review the changes. Thanking you in advance!

meher745 avatar Oct 23 '25 15:10 meher745

@meher745 There is a merge conflict in your PR please resolve it.

Umang01-hash avatar Oct 24 '25 10:10 Umang01-hash

@Umang01-hash I've resolved the conflict, please check.

meher745 avatar Oct 24 '25 14:10 meher745

Screenshot 2025-10-29 at 11 08 22 AM

@meher745 Your PR is failing the following tests as well as the code quality steps. Please fix them.

Umang01-hash avatar Oct 29 '25 06:10 Umang01-hash

@meher745 Are you still active on this PR??

Umang01-hash avatar Nov 06 '25 05:11 Umang01-hash

Hi @Umang01-hash I will be making an updated PR by the coming Saturday. Thank you for your patience!

meher745 avatar Nov 06 '25 09:11 meher745

Hi @Umang01-hash, is it fine if I take a week ? My end semester exams are going on, and there seem to be some vital security checks which I don't want to rush. If it is not feasible, I will make the changes within a day. Please consider it since I have been working on this issue for the past 3 months. Thank you in advance!

meher745 avatar Nov 08 '25 16:11 meher745

Hi @Umang01-hash, is it fine if I take a week ? My end semester exams are going on, and there seem to be some vital security checks which I don't want to rush. If it is not feasible, I will make the changes within a day. Please consider it since I have been working on this issue for the past 3 months. Thank you in advance!

@meher745 Sure you can take your time. Let's try we will close this in this month for sure. If you need any help from my side feel free to let me know.

Umang01-hash avatar Nov 10 '25 04:11 Umang01-hash

Hi @meher, as there hasn’t been any recent activity on this PR, we’ll go ahead and close it for now. I’d like to take some time to step back and analyze how adding OIDC can be most beneficial for us. If you’d like to pick this up again in the future, please let me know in the issue ticket.

coolwednesday avatar Nov 25 '25 07:11 coolwednesday