@domenkozar

Summary

  • Replace Zitadel OIDC with session-based OAuth using oauth-kit library and GitHub provider
  • Simplify frontend by removing all OIDC/PKCE flow handling
  • Remove Zitadel infrastructure (nix service, terraform config)

Changes

Backend:

  • Add oauth-kit and tower-sessions dependencies
  • Create PostgresUserStore for user management
  • Replace token introspection with session-based BetaUser extractor
  • Add OAuth account and role tables migration

Frontend:

  • Remove Oidc.elm, Oidc/Model.elm, Oidc/Msg.elm
  • Simplify Shared.elm to fetch /api/v1/account/me on init
  • SignIn/SignOut redirect to /auth/signin/github and /auth/signout

Infrastructure:

  • Remove nix/zitadel/ directory
  • Remove terraform/zitadel/ directory
  • Update secretspec for GitHub OAuth credentials

Test plan

  • Run migrations: cargo run -p devenv-backend migrate
  • Start app with devenv up
  • Test sign in via GitHub
  • Verify session persists across page reloads
  • Test sign out clears session
  • Verify beta access check works

🤖 Generated with Claude Code

@domenkozar force-pushed the replace-zitadel-with-oauth-kit branch 2 times, most recently from 117f49f to e7e822c (January 20, 2026 11:09)

Switch from Zitadel OIDC to session-based OAuth using oauth-kit library
with GitHub as the provider. This significantly simplifies the auth flow.

Backend changes:
- Add oauth-kit and tower-sessions-cookie-store dependencies
- Use encrypted cookie sessions (private feature) instead of memory store
- Create PostgresUserStore for user management with transactional account creation
- Replace token introspection with session-based BetaUser extractor
- Add OAuth account and role tables migration
- Remove entire zitadel module

Frontend changes:
- Remove OIDC/PKCE flow handling (Oidc.elm, Oidc/Model.elm, Oidc/Msg.elm)
- Simplify Shared.elm to use /api/v1/account/me endpoint
- SignIn/SignOut now just redirect to /auth/signin/github and /auth/signout
- Remove crypto operations from interop.ts

Infrastructure:
- Remove nix/zitadel service and packages
- Remove terraform/zitadel configuration
- Update devenv.nix with nix-main-c dependency
- Update secretspec for GitHub OAuth credentials and SESSION_SECRET

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@domenkozar force-pushed the replace-zitadel-with-oauth-kit branch from e7e822c to eb51a29 (January 22, 2026 10:37)