refactor: migrate to deicod/oidcmw for OIDC and viewer

Replaced custom OIDC middleware and viewer implementations with the external github.com/deicod/oidcmw package to simplify code and leverage standardized functionality. Updated imports in cmd/graphql.go and rules files, refactored middleware setup, and adjusted viewer method calls. Removed obsolete custom packages and related documentation from README.md.

Author: dlukt

README.md

@@ -7,7 +7,7 @@ This is here to make things easier and help people get started with GraphQL and
 ## Assumptions
 
 - You use [Keycloak](https://www.keycloak.org/) as the OIDC IDP.
-  It can of course be used with any IDP. Just the claims struct is the default that Keycloak uses.
+  It can be used with any IDP, but a custom viewer would need to be constructed.
   You will have to add the audience in Keycloak to the token, because Keycloak is dumb like that.
 - [xid](https://github.com/rs/xid) is used for globally unique IDs
 - The `Profile` schema is the root of your related entities.
@@ -128,40 +128,9 @@ go generate ./...
 
 ## OIDC
 
-### Claims
-
-This package assumes Keycloak being the OIDC IDP.
-Therefore the [claims object](rules/claims/claims.go) reflects Keycloak's claim structure.
-Change this to your claim structure.
-For instance I'm using Zitadel, adding per project grants and flattening roles and adding them to the root level as `roles`.
-The claims structure looks like this:
-
-```go
-type Claims struct {
-    Aud   []string  `json:"aud"`
-    Exp   time.Time `json:"exp"`
-    Iat   time.Time `json:"iat"`
-    Iss   string    `json:"iss"`
-    Jti   string    `json:"jti"`
-    Nbf   time.Time `json:"nbf"`
-    Roles []string  `json:"roles"`
-    Sub   string    `json:"sub"`
-}
-```
-
-### Viewer and Middleware
-
-This template now derives a typed `Viewer` from the OIDC claims and attaches it to the request context via middleware:
-
-- `rules/viewer/viewer.go`: defines `Viewer` with helpers like `IsAuthenticated()`, `Subject()`, and `HasRole()`.
-- `middleware/viewer.go`: HTTP middleware that reads claims from context (populated by the OIDC middleware) and stores a `Viewer` in context.
-- Ent privacy rules and hooks prefer `Viewer` when present and fall back to raw claims.
-
-If you want to require auth for reads, remove `options.IsPermissive()` in `cmd/graphql.go`.
-
-### Making read access require auth
-
-On line 79 in `cmd/graphql.go` remove the `options.IsPermissive(),`.
+Uses [OIDC Middleware Guard](https://github.com/deicod/oidcmw) and its viewer with helper functions.
+It assumes a Keycloak claims structure.
+If you need the claims `viewer.RawClaims` which returns a `map[string]any`.
 
 ## Further reading
 

cmd/graphql.go

@@ -12,8 +12,6 @@ import (
 	"strings"
 	"time"
 
-	"code.icod.de/dalu/nethttpoidc"
-	"code.icod.de/dalu/oidc/options"
 	"entgo.io/contrib/entgql"
 	"entgo.io/ent/dialect"
 	entsql "entgo.io/ent/dialect/sql"
@@ -24,12 +22,12 @@ import (
 	"github.com/99designs/gqlgen/graphql/handler/transport"
 	"github.com/99designs/gqlgen/graphql/playground"
 	"github.com/MadAppGang/httplog"
+	oidcCfg "github.com/deicod/oidcmw/config"
+	oidcMW "github.com/deicod/oidcmw/middleware"
+	"github.com/deicod/oidcmw/viewer"
 	"github.com/dlukt/graphql-backend-starter/config"
 	"github.com/dlukt/graphql-backend-starter/ent"
 	"github.com/dlukt/graphql-backend-starter/graph"
-	"github.com/dlukt/graphql-backend-starter/middleware"
-	"github.com/dlukt/graphql-backend-starter/rules/claims"
-	"github.com/dlukt/graphql-backend-starter/rules/viewer"
 	"github.com/gorilla/websocket"
 	"github.com/rs/cors"
 	"github.com/spf13/cobra"
@@ -73,34 +71,54 @@ var graphqlCmd = &cobra.Command{
 			log.Fatal("opening ent client", e)
 		}
 
+		var oidcConfig oidcCfg.Config
+
+		if graphqlDebug {
+			oidcConfig = oidcCfg.Config{
+				Issuer: config.OidcConfigDev.Issuer,
+				Audiences: []string{
+					"account",
+					config.OidcConfigDev.Audience,
+				},
+				AuthorizedParties: []string{
+					config.OidcConfigDev.AuthorizedParty,
+				},
+				AllowAnonymousRequests: true,
+			}
+		} else {
+			oidcConfig = oidcCfg.Config{
+				Issuer: config.OidcConfigProd.Issuer,
+				Audiences: []string{
+					"account",
+					config.OidcConfigProd.Audience,
+				},
+				AuthorizedParties: []string{
+					config.OidcConfigProd.AuthorizedParty,
+				},
+				AllowAnonymousRequests: true,
+			}
+		}
+		mw, e := oidcMW.NewMiddleware(oidcConfig)
+		if e != nil {
+			return e
+		}
 		srv := NewDefaultServer(graph.NewSchema(client))
 		srv.Use(entgql.Transactioner{TxOpener: client})
 
-		cfg := config.OidcConfigDev
-
-		// Compose middleware: OIDC first, then Viewer, then GraphQL server.
-		viewerHandler := middleware.WithViewer(srv)
-		oidcHandler := nethttpoidc.New(viewerHandler,
-			options.WithIssuer(cfg.Issuer),
-			options.WithRequiredTokenType("JWT"),
-			options.WithRequiredAudience(cfg.Audience),
-			options.IsPermissive(),
-		)
-
 		corsHandler := cors.AllowAll()
 		fmt.Println("debug:", graphqlDebug)
 		if !graphqlDebug {
 			http.Handle("/query", corsHandler.Handler(
 				httplog.HandlerWithFormatter(
 					httplog.DefaultLogFormatter,
-					oidcHandler,
+					mw(srv),
 				)))
 		} else {
 			http.Handle("/", playground.Handler("graphql", "/query"))
 			http.Handle("/query", corsHandler.Handler(
 				httplog.HandlerWithFormatter(
 					httplog.DefaultLogFormatterWithRequestHeader,
-					oidcHandler,
+					mw(srv),
 				)))
 		}
 
@@ -190,10 +208,9 @@ func NewDefaultServer(es graphql.ExecutableSchema) *handler.Server {
 			}
 			token := strings.TrimPrefix(auth, "Bearer ")
 			if m := decodeJWTClaims(token); m != nil {
-				ctx = context.WithValue(ctx, options.DefaultClaimsContextKeyName, m)
-				c := claimsFromMap(m)
-				v := viewer.NewFromClaims(c)
-				ctx = viewer.NewContext(ctx, v)
+				ctx = context.WithValue(ctx, "claims", m)
+				v := viewer.FromClaims(m)
+				ctx = viewer.WithViewer(ctx, v)
 			}
 			return ctx, nil, nil
 		},
@@ -239,15 +256,3 @@ func decodeJWTClaims(token string) map[string]any {
 	}
 	return out
 }
-
-func claimsFromMap(m map[string]any) *claims.Claims {
-	j, err := json.Marshal(m)
-	if err != nil {
-		return nil
-	}
-	var c claims.Claims
-	if err := json.Unmarshal(j, &c); err != nil {
-		return nil
-	}
-	return &c
-}

config/oidc.go

@@ -1,16 +1,19 @@
 package config
 
 type OIDCConfig struct {
-	Issuer   string
-	Audience string
+	Issuer          string
+	Audience        string
+	AuthorizedParty string
 }
 
 var OidcConfigDev = OIDCConfig{
-	Issuer:   "https://localhost:8080/auth/realms/starter",
-	Audience: "dev",
+	Issuer:          "https://auth.icod.de/realms/dev",
+	Audience:        "spa",
+	AuthorizedParty: "spa",
 }
 
 var OidcConfigProd = OIDCConfig{
-	Issuer:   "https://localhost:8080/auth/realms/starter",
-	Audience: "spa",
+	Issuer:          "https://auth.icod.de/realms/dev",
+	Audience:        "spa",
+	AuthorizedParty: "spa",
 }