heph-pwa: Login with Authentik (Authorization Code + PKCE) #9

Merged

eblume merged 2 commits from heph-pwa-oidc-login into main

2026-06-05 07:32:27 -07:00

Author	SHA1	Message	Date
Erich Blume	1f81a2e6d9	feat(heph-pwa): Login with Authentik (Authorization Code + PKCE) All checks were successful Build / validate (pull_request) Successful in 6m31s Details Replace the manual bearer-token paste with a proper browser OIDC sign-in. - Hub: unauthenticated GET /config -> {issuer, client_id} (added after the auth layer), sourced from the verifier's new TokenVerifier::oidc_config(). Lets the PWA self-configure when served from the hub. Tests in web_serve.rs. - PWA: src/oauth.js implements PKCE (S256), the authorize redirect, the callback token exchange, and silent refresh (offline_access). Settings gains a "Login with Authentik" button (manual token kept under a fallback disclosure); rpc.js retries once on 401 via a refresh hook; app.js completes the callback / refreshes on load; sw.js skips caching the callback URL and ships oauth.js in the shell. Requires the PWA origin registered as a redirect URI on the Authentik provider. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-05 07:17:05 -07:00
Erich Blume	a0be0f1085	doc(heph-pwa): in-app Authentik login replaces manual token paste Document the PKCE 'Login with Authentik' flow, the hub /config zero-config discovery, and the redirect-URI prerequisite on the Authentik heph provider. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-05 07:09:42 -07:00

Author

SHA1

Message

Date

Erich Blume

1f81a2e6d9

feat(heph-pwa): Login with Authentik (Authorization Code + PKCE)

Build / validate (pull_request) Successful in 6m31s

Details

Replace the manual bearer-token paste with a proper browser OIDC sign-in.

- Hub: unauthenticated GET /config -> {issuer, client_id} (added after the auth
  layer), sourced from the verifier's new TokenVerifier::oidc_config(). Lets the
  PWA self-configure when served from the hub. Tests in web_serve.rs.
- PWA: src/oauth.js implements PKCE (S256), the authorize redirect, the callback
  token exchange, and silent refresh (offline_access). Settings gains a "Login
  with Authentik" button (manual token kept under a fallback disclosure); rpc.js
  retries once on 401 via a refresh hook; app.js completes the callback / refreshes
  on load; sw.js skips caching the callback URL and ships oauth.js in the shell.

Requires the PWA origin registered as a redirect URI on the Authentik provider.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-05 07:17:05 -07:00

Erich Blume

a0be0f1085

doc(heph-pwa): in-app Authentik login replaces manual token paste

Document the PKCE 'Login with Authentik' flow, the hub /config zero-config
discovery, and the redirect-URI prerequisite on the Authentik heph provider.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-05 07:09:42 -07:00