heph-pwa: Login with Authentik (Authorization Code + PKCE) #9

Merged
eblume merged 2 commits from heph-pwa-oidc-login into main 2026-06-05 07:32:27 -07:00
Owner

Replaces the manual bearer-token paste in heph-pwa with a proper browser OIDC sign-in.

Hub (Rust)

  • New unauthenticated GET /config -> {issuer, client_id}, added after the auth layer so the app can read it before it has a token. Sourced from a new TokenVerifier::oidc_config(). Returns {} when the hub runs without OIDC. Covered by web_serve.rs tests.

PWA (vanilla JS)

  • src/oauth.js — Authorization Code + PKCE (S256): discovery, authorize redirect, callback code->token exchange, and silent refresh (offline_access).
  • Settings gains a Login with Authentik button (zero-config via /config); the manual token field stays under an "Or paste a bearer token" disclosure for OIDC-less hubs.
  • rpc.js retries once on 401 through a refresh hook; app.js completes the callback / refreshes on load; sw.js skips caching the ?code=... callback URL and ships oauth.js in the shell.

Requires (blumeops)

The PWA origin must be a registered redirect URI on the Authentik heph provider (redirect_uris is currently []). Add https://heph.ops.eblu.me/ (+ http://localhost:8787/ for dev). Authentik also keys token-endpoint CORS off those origins.

Tested

cargo clippy clean; cargo test -p hephd green (incl. 2 new /config tests); PWA parser tests pass; JS syntax-checked. Full browser login verified after the redirect URIs land and a hub build is deployed.

🤖 Generated with Claude Code

Document the PKCE 'Login with Authentik' flow, the hub /config zero-config
discovery, and the redirect-URI prerequisite on the Authentik heph provider.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
feat(heph-pwa): Login with Authentik (Authorization Code + PKCE)
All checks were successful
Build / validate (pull_request) Successful in 6m31s
1f81a2e6d9
Replace the manual bearer-token paste with a proper browser OIDC sign-in.

- Hub: unauthenticated GET /config -> {issuer, client_id} (added after the auth
  layer), sourced from the verifier's new TokenVerifier::oidc_config(). Lets the
  PWA self-configure when served from the hub. Tests in web_serve.rs.
- PWA: src/oauth.js implements PKCE (S256), the authorize redirect, the callback
  token exchange, and silent refresh (offline_access). Settings gains a "Login
  with Authentik" button (manual token kept under a fallback disclosure); rpc.js
  retries once on 401 via a refresh hook; app.js completes the callback / refreshes
  on load; sw.js skips caching the callback URL and ships oauth.js in the shell.

Requires the PWA origin registered as a redirect URI on the Authentik provider.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
eblume merged commit 36bd27226f into main 2026-06-05 07:32:27 -07:00
Reference
eblume/hephaestus!9