feat(auth): add optional OIDC-based JWT validation for API routes by jescalada · Pull Request #30 · G-Research/git-proxy

jescalada · 2025-03-01T06:52:44Z

This PR adds optional JWT validation middleware for /repo, /user, and /push endpoints.

If jwt auth method is present and enabled in the proxy.config.json
- When logging in through the UI, you can access data as usual
- Direct API requests require a JWT bearer token to go through
  - The JWT token is validated through the configuration in the jwtConfig in proxy.config.json.
  - The user issues their own JWT using the clientID, authorityURL (and potentially, the expectedAudience) provided in the config
If jwt is not enabled, it works as it used to.
- All API resources are accessible even to unlogged users
- No JWT is required

To activate the JWT check, you must fill in the JWT details (proxy.config.json). The following will let you verify against my Google testing app:

{
  "type": "jwt",
  "enabled": true,
  "jwtConfig": {
    "clientID": "1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com",
    "authorityURL": "https://accounts.google.com"
  }
}

You can manually generate a sample JWT by accessing the following link in your browser:

https://accounts.google.com/o/oauth2/auth?client_id=1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com&redirect_uri=http://localhost:8080/api/auth/oidc/callback&response_type=code&scope=openid%20email%20profile

Upon successful login, it will redirect to the callback URL containing an auth code (code query param). Replace AUTHORIZATION_CODE below with the code, to issue a JWT:

curl -X POST "https://oauth2.googleapis.com/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=1009968223893-u92qq6itk7ej5008o4174gjubs5lhorg.apps.googleusercontent.com" \
     -d "client_secret=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" \
     -d "code=AUTHORIZATION_CODE" \
     -d "grant_type=authorization_code" \
     -d "redirect_uri=http://localhost:8080/api/auth/oidc/callback"

Note: Although my Google app secrets are exposed, only registered emails can use it. Let me know if you'd like to test it out, and I can add your email to the app!

Changelog

Add a jwtAuthHandler middleware for /repo, /user, and /push endpoints
- JWT check is optional based on config
- Descriptive 401 errors are returned if failed to verify
  - Missing token
  - Missing configuration
  - Invalid token format/algorithm
  - Expired token

…dleware

…routes

feat: implements config loader to enable remote or external configs

chore: bump by minor to v1.14.0

…methods

fix: decouple UI layout from admin routes

chore: bump by minor to v1.15.0

…methods

…-through-jwt

feat: enable multiple auth methods

chore: bump by minor to v1.16.0

jescalada · 2025-06-07T03:26:15Z

Merged in finos#967.

jescalada added 20 commits February 4, 2025 13:11

feat(auth): add NotAuthorized and NotFound pages

f2c1182

feat(auth): add AuthProvider and PrivateRoute wrapper

256523f

chore(auth): rename userLoggedIn endpoint

516ed7f

chore(auth): refactor routes to use PrivateRoute guard

47e95d4

fix(auth): temporary fix for username edit redirect

893e0b1

fix(auth): access user admin status correctly

d049463

chore(auth): refactor /admin routes into /dashboard

db04af6

chore(auth): rename Admin files into Dashboard

9736801

test(auth): Add default login redirect E2E test

e7ec1f0

fix(auth): fix redirect on local login

3702acd

fix(auth): improve error handling on repos page

f2560ab

test(auth): fix failing test (login before accessing page)

24ca06f

test(auth): fix login command and simplify login flow

2146bc0

feat(auth): refactor and improve existing auth methods

884f0a6

feat(auth): configure passport with all enabled auth methods

ce6023b

test(auth): fix tests for multiple auth methods

68fa115

Merge branch 'oidc-implementation' into enable-multiple-auth-methods

0a74501

fix(auth): refactor how auth strategies are loaded into API route mid…

627c0ea

…dleware

feat(auth): add JWT strategy and fix

534beeb

feat(auth): add dynamicAuthHandler middleware

8b1a173

jescalada self-assigned this Mar 1, 2025

jescalada added 4 commits March 8, 2025 13:28

feat(auth): update JWT auth middleware

6265bbd

feat(auth): add jwk-to-pem library for jwt validation

5202f7e

feat(auth): convert envs to proxy.config.json entries (jwt)

e8d0878

feat(auth): add missing proxy.config.json auth methods

c5b45b2

jescalada force-pushed the add-oidc-auth-to-api-through-jwt branch from f2c5e5e to c5b45b2 Compare March 8, 2025 05:07

jescalada added 4 commits March 8, 2025 14:36

fix(auth): fix undefined errors

b0c500c

fix(auth): fix mislabeled auth method

1446fcd

feat(auth): set jwtAuthHandler middleware for /push, /repo and /user …

85b3fed

…routes

chore(auth): fix linter errors

3410c29

JamieSlome and others added 28 commits May 20, 2025 15:49

Merge pull request finos#935 from G-Research/denis-coric/remote-config

fcc5a4c

feat: implements config loader to enable remote or external configs

chore: bump by minor to v1.14.0

0883127

Merge pull request finos#1021 from finos/release-1.14.0

fc6f166

chore: bump by minor to v1.14.0

fix(auth): fix bug when calling createUser on admin creation

0ddd27b

Merge remote-tracking branch 'origin/main' into enable-multiple-auth-…

3484694

…methods

chore(auth): add sample oidc config

e32408c

fix: admin to dashboard rename issues

c83421d

fix: failing Cypress test

bab0061

test(auth): add proxyquire for mocking

70dd346

test(auth): improve test coverage

71e7e52

test(auth): fix service close issue

678d932

test(auth): add extra tests and fix linter issues

ee8f2c1

fix: replaced loading text with actual spinner and removed debug lines

e96e876

feat: add snackbar for repo fetching errors

fd962d2

fix: revert react missing from PrivateRoute scope

304a2ec

Merge branch 'main' into layout-auth-decoupling

67d4155

Merge pull request finos#961 from jescalada/layout-auth-decoupling

a03b1e0

fix: decouple UI layout from admin routes

chore: bump by minor to v1.15.0

e220699

Merge pull request finos#1034 from finos/release-1.15.0

4e77a0f

chore: bump by minor to v1.15.0

Merge remote-tracking branch 'origin/main' into enable-multiple-auth-…

ddc20bf

…methods

Merge branch 'enable-multiple-auth-methods' into add-oidc-auth-to-api…

32537ee

…-through-jwt

chore: set default empty config

ec75f33

chore: clean up auth methods

048446f

Merge pull request finos#963 from jescalada/enable-multiple-auth-methods

dc69622

feat: enable multiple auth methods

chore: bump by minor to v1.16.0

c760d14

Merge branch 'main' into add-oidc-auth-to-api-through-jwt

a287ab7

Merge pull request finos#1035 from finos/release-1.16.0

98f6db8

chore: bump by minor to v1.16.0

Merge branch 'main' into add-oidc-auth-to-api-through-jwt

6912ba1

jescalada closed this Jun 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(auth): add optional OIDC-based JWT validation for API routes#30

feat(auth): add optional OIDC-based JWT validation for API routes#30
jescalada wants to merge 141 commits intoG-Research:mainfrom
jescalada:add-oidc-auth-to-api-through-jwt

jescalada commented Mar 1, 2025 •

edited

Loading

Uh oh!

jescalada commented Jun 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Conversation

jescalada commented Mar 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changelog

Uh oh!

jescalada commented Jun 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

jescalada commented Mar 1, 2025 •

edited

Loading