✨ feat(oidc): Refactor OIDC client with golang.org/x/oauth2 and go-oidc#6
Merged
SebastienLaurent-CF merged 3 commits into main on Dec 4, 2025
Conversation
This commit refactors the `internal/oidc` package to leverage the `golang.org/x/oauth2` and `github.com/coreos/go-oidc` libraries. The manual implementation of OAuth2/OIDC flows, including discovery, token requests, and JSON parsing, has been replaced by robust, industry-standard libraries.

Key changes include:

- Replaced manual OIDC discovery with `oidc.NewProvider`.
- Updated token retrieval (password and client credentials grants) to use `oauth2.Config` and `clientcredentials.Config`.
- Refactored token refreshing to use `oauth2.TokenSource` mechanisms.
- Eliminated custom `TokenResponse` struct in favor of `oauth2.Token`.
- Enhanced test suite (`internal/oidc/client_test.go`) to reflect new implementation and ensure compatibility with `go-oidc` expectations.
- Updated `cmd/authk/root.go` to use `token.Expiry` for refresh timing, removing custom `ExpiresIn` logic.

This refactoring significantly improves security (due to strict validation of OIDC specs by go-oidc), maintainability, and reduces the amount of custom code.
This commit addresses the recent drop in test coverage reported by Coveralls and fixes a linting issue.

Changes include:

- **internal/oidc/client_test.go:**
  - Added error checking for `w.Write` call in mock server to resolve an `errcheck` linting error.
  - Introduced `TestClient_GetToken_Password` to specifically test the Resource Owner Password Credentials flow, increasing coverage for `GetToken` function.
- **internal/env/env_test.go:**
  - Added `TestFind_NotFound` to verify error handling when a file is not found.
  - Added `TestFind_WithSeparator` to test `Find` function behavior with paths containing separators.

These changes collectively improve the overall test coverage and code quality.
The OIDC client now correctly handles "basic" and "post" as authentication method configurations, aligning with the `schema.cue` definition. Previously, only "client_secret_basic" and "client_secret_post" were recognized, leading to an "unsupported auth method" error when "basic" or "post" were used in the configuration. This change ensures that the OIDC client initialization works as expected with the simplified auth method names defined in the schema, while maintaining backward compatibility with the more verbose OIDC standard names.
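The two decisions these commit messages describe, mapping the `schema.cue` short names `basic`/`post` (and the verbose `client_secret_basic`/`client_secret_post`) onto a client-authentication style, and deciding refresh timing from an absolute token expiry rather than a raw `expires_in`, shown as an added example that is not the project's code. To run without external modules it uses only the Go standard library instead of `golang.org/x/oauth2` and `go-oidc`; `AuthStyle`, `NormalizeAuthMethod`, `NeedsRefresh`, `ClientCredentialsToken`, `NewMockTokenServer`, the mock token endpoint and the client id/secret are all hypothetical or constructed, and OIDC discovery (`oidc.NewProvider` in the real client) is not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// AuthStyle is a hypothetical stand-in for the two client-authentication
// styles: secret in the Basic header (client_secret_basic) or in the body
// (client_secret_post).
type AuthStyle int

const (
	AuthStyleHeader AuthStyle = iota
	AuthStyleParams
)

// NormalizeAuthMethod accepts the short schema.cue names ("basic", "post")
// as well as the verbose OIDC names, and rejects anything else.
func NormalizeAuthMethod(method string) (AuthStyle, error) {
	switch strings.ToLower(strings.TrimSpace(method)) {
	case "basic", "client_secret_basic":
		return AuthStyleHeader, nil
	case "post", "client_secret_post":
		return AuthStyleParams, nil
	default:
		return 0, fmt.Errorf("unsupported auth method %q", method)
	}
}

// NeedsRefresh decides from an absolute expiry (what oauth2.Token.Expiry
// carries) whether to refresh now, keeping a safety margin. A zero expiry
// means no expires_in was sent; this example refreshes conservatively then.
func NeedsRefresh(expiry, now time.Time, margin time.Duration) bool {
	if expiry.IsZero() {
		return true
	}
	return !now.Add(margin).Before(expiry)
}

// ClientCredentialsToken runs a client_credentials grant with the chosen
// style and converts expires_in into an absolute expiry relative to now
// (passed in so tests are deterministic). Stand-in for clientcredentials.Config.
func ClientCredentialsToken(tokenURL, clientID, clientSecret string, style AuthStyle, now time.Time) (string, time.Time, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if style == AuthStyleParams {
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == AuthStyleHeader {
		req.SetBasicAuth(clientID, clientSecret)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", time.Time{}, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", time.Time{}, err
	}
	var expiry time.Time
	if body.ExpiresIn > 0 {
		expiry = now.Add(time.Duration(body.ExpiresIn) * time.Second)
	}
	return body.AccessToken, expiry, nil
}

// NewMockTokenServer is a constructed token endpoint knowing one client and
// accepting its secret via either style; anything else gets invalid_client.
func NewMockTokenServer(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		id, secret, ok := r.BasicAuth()
		if !ok { // no Basic header: fall back to client_secret_post fields
			id, secret = r.PostForm.Get("client_id"), r.PostForm.Get("client_secret")
		}
		w.Header().Set("Content-Type", "application/json")
		if id != clientID || secret != clientSecret || r.PostForm.Get("grant_type") != "client_credentials" {
			w.WriteHeader(http.StatusUnauthorized)
			_, _ = w.Write([]byte(`{"error":"invalid_client"}`))
			return
		}
		_, _ = w.Write([]byte(`{"access_token":"constructed-token","token_type":"Bearer","expires_in":300}`))
	}))
}
```

Normalizing the method name up front is what lets the config keep the short names while the client still errors on genuinely unsupported methods. Refreshing off an absolute expiry with a margin avoids the off-by-`expires_in` problem of counting seconds from a time the client never recorded; note that `oauth2.Token.Valid` treats a zero `Expiry` as non-expiring, whereas this helper deliberately refreshes in that case.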