Add OIDC middleware #2138
Open
Add OIDC middleware #2138
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Release/v1.42.3
* doc: gofr/grpc package documentation overview * doc: gofr/datasource package documentation overview * doc: gofr/file package documentation overview * doc: add a dot in the end of a package overview comment for consistency * fix: move grpc package go doc comment to an actual grpc package * docs: fix MongoDB time import and ClickHouse data types - Add missing 'time' import in MongoDB example that uses time.Second - Fix ClickHouse User struct Age field type from string to int - Fix ClickHouse INSERT to use integer value instead of string - Fix typo: 'successful inserted' -> 'successfully inserted' - Revert version file change to 'dev' as requested These changes ensure MongoDB example compiles and ClickHouse example uses consistent data types between struct and INSERT statement. * docs: update package comment for datasource to reflect current usage * docs: fix Dgraph port to use correct gRPC port 9080 DGraph uses gRPC and the default gRPC port is 9080, not 8080. This ensures the example uses the correct port for DGraph connections. * Apply suggestions from code review Co-authored-by: Divya Darshana <[email protected]> * docs: update packages comments according to review * Update pkg/gofr/file/file.go Co-authored-by: Divya Darshana <[email protected]> * build(deps): bump gofr.dev in /examples/using-add-filestore Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.2 to 1.42.3. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.2...v1.42.3) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump gofr.dev in /pkg/gofr/datasource/file/ftp Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.2 to 1.42.3. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.2...v1.42.3) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 Bumps [golang.org/x/term](https://github.com/golang/term) from 0.32.0 to 0.33.0. - [Commits](golang/term@v0.32.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump gofr.dev in /pkg/gofr/datasource/pubsub/eventhub Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.2 to 1.42.3. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.2...v1.42.3) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump google.golang.org/api from 0.238.0 to 0.241.0 Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.238.0 to 0.241.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.238.0...v0.241.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.241.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/surrealdb/surrealdb.go Bumps [github.com/surrealdb/surrealdb.go](https://github.com/surrealdb/surrealdb.go) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/surrealdb/surrealdb.go/releases) - [Changelog](https://github.com/surrealdb/surrealdb.go/blob/main/RELEASE_NOTES.md) - [Commits](surrealdb/surrealdb.go@v0.3.2...v0.3.3) --- updated-dependencies: - dependency-name: github.com/surrealdb/surrealdb.go dependency-version: 0.3.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/redis/go-redis/extra/redisotel/v9 Bumps [github.com/redis/go-redis/extra/redisotel/v9](https://github.com/redis/go-redis) from 9.10.0 to 9.11.0. - [Release notes](https://github.com/redis/go-redis/releases) - [Changelog](https://github.com/redis/go-redis/blob/master/CHANGELOG.md) - [Commits](redis/go-redis@v9.10.0...v9.11.0) --- updated-dependencies: - dependency-name: github.com/redis/go-redis/extra/redisotel/v9 dependency-version: 9.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump gofr.dev in /pkg/gofr/datasource/file/s3 Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.2 to 1.42.3. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.2...v1.42.3) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump gofr.dev in /pkg/gofr/datasource/file/sftp Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.2 to 1.42.3. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.2...v1.42.3) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump gofr.dev in /pkg/gofr/datasource/pubsub/nats Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.2 to 1.42.3. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.2...v1.42.3) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump golang.org/x/text from 0.26.0 to 0.27.0 Bumps [golang.org/x/text](https://github.com/golang/text) from 0.26.0 to 0.27.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * add missing table end tag in redis documentation * Update page.md Fix and clean up ScyllaDB documentation example * fix and clean up ScyllaDB documentation example * refactor newContext to avoid creating contextLogger separately * fix tests * resolve linter * remove context embedding in cmd struct and add contextLogger in newCMD method * Elasticsearch migration (gofr-dev#2051) * fixed docs rendering issue * minor fix * add elasticsearch documentation * minor fix * Remove redundant docs (gofr-dev#2093) * skip-coverage-workflow (gofr-dev#2094) --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: olxandr <[email protected]> Co-authored-by: olxandr <[email protected]> Co-authored-by: SAMMILLERR <[email protected]> Co-authored-by: Divya Darshana <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vikash Kumar <[email protected]> Co-authored-by: Dhruv Rishikesh Janakala <[email protected]> Co-authored-by: Arihant Pal <[email protected]> Co-authored-by: Zopdev <[email protected]> Co-authored-by: coolwednesday <[email protected]>
* Merge pull request gofr-dev#2067 from sathwikshetty33/development * build(deps): bump gofr.dev in /examples/using-add-filestore (gofr-dev#2097) * build(deps): bump modernc.org/sqlite from 1.38.0 to 1.38.1 (gofr-dev#2099) * build(deps): bump gofr.dev in /pkg/gofr/datasource/pubsub/eventhub (gofr-dev#2106) * build(deps): bump gofr.dev in /pkg/gofr/datasource/file/ftp (gofr-dev#2100) * build(deps): bump gofr.dev in /pkg/gofr/datasource/pubsub/nats (gofr-dev#2108) * build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2 (gofr-dev#2098) * build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.2 to 5.2.3 (gofr-dev#2101) * build(deps): bump github.com/ClickHouse/clickhouse-go/v2 (gofr-dev#2102) * build(deps): bump google.golang.org/grpc in /pkg/gofr/datasource/dgraph (gofr-dev#2107) * build(deps): bump gofr.dev in /pkg/gofr/datasource/file/sftp (gofr-dev#2104) * build(deps): bump gofr.dev in /pkg/gofr/datasource/file/s3 (gofr-dev#2105) * build(deps): bump google.golang.org/api from 0.241.0 to 0.243.0 (gofr-dev#2103) * Scylla migration support (gofr-dev#2085) * update release version to v1.42.5 --------- Co-authored-by: Sathwik Shetty <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Om Kulkarni <[email protected]>
* Fix/pubsub migration get last version (gofr-dev#2119) * add chaining of next migrator in getLastVersion method of pubsub.go * fix linter * feat: add OnStart hook for synchronous startup jobs (gofr-dev#2079) * feat: improve OnStart hook with DI context, update docs, and ensure code quality * refactor: improve OnStart hook context, move logic to method, and test DI access * feat(onstart): implement all reviewer feedback - Move OnStart logic to a dedicated, testable method. - Fix all linter issues (deep-exit and cyclomatic complexity). - Add unit tests for success and error cases. - Add comprehensive documentation with a realistic example. - Update the example app to demonstrate a real-world use case. * fix: improve startup error handling for OnStart hooks (graceful shutdown on context cancel) * fix: address linter errors in OnStart tests - Fix dynamic error definition - Fix unused parameters with underscore - Use t.Context() instead of context.Background() - Use assert.NoError instead of assert.Nil * fix: remove os.Exit call to resolve deep-exit linter error * fix: resolve remaining linter errors - Fix cuddled return statement in newContextForHooks - Fix cuddled assignment in OnStart test - Remove os.Exit call to resolve deep-exit error * refactor: remove newContextForHooks and reuse existing newContext function * fix: resolve linting errors and refactor Run() method for better maintainability - Fix err113: Replace dynamic error creation with static error in TestApp_OnStart - Fix gocyclo: Refactor Run() method by extracting helper methods to reduce cyclomatic complexity - Fix ws1: Correct whitespace issues in gofr_test.go and run.go - Add helper methods: handleStartupHooks, startShutdownHandler, startTelemetryIfEnabled, startAllServers - Improve code organization and readability while maintaining functionality * fix: resolve remaining linting issues in TestApp_OnStart - Fix err113: Move error variable to package level to avoid dynamic error creation - Fix error-naming: Rename hookFailedErr to errHookFailed following Go naming conventions - Fix whitespace: Remove unnecessary blank line before app assignment - All linting issues in modified files are now resolved * fix: resolve godot and wsl linter errors in run.go and gofr_test.go * Update go.work.sum * fix: restore comments as requested by reviewer * Update run.go * Update run.go * fix: address reviewer comments - add godoc comment to OnStart method and move startup-hooks.md to proper directory structure * fix: restore metrics server comments and ensure OnStart hook runs before route registration * fix: implement proper context usage in runOnStartHooks and fix example API usage * Update go.work.sum * fix: correct spelling of 'canceled' in comment * minor documentation fix * revert go.sum changes * Update pkg/gofr/gofr_test.go Co-authored-by: ccoVeille <[email protected]> * revert go.work.sum changes --------- Co-authored-by: HeerakKashyap <[email protected]> Co-authored-by: Umang Mundhra <[email protected]> Co-authored-by: coolwednesday <[email protected]> Co-authored-by: Divya Darshana <[email protected]> Co-authored-by: ccoVeille <[email protected]> * build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.22.0 to 1.23.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.22.0...v1.23.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-version: 1.23.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump go.opentelemetry.io/otel/exporters/prometheus Bumps [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) from 0.59.0 to 0.59.1. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@exporters/prometheus/v0.59.0...exporters/prometheus/v0.59.1) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-version: 0.59.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump gofr.dev in /examples/using-add-filestore Bumps [gofr.dev](https://github.com/gofr-dev/gofr) from 1.42.4 to 1.42.5. - [Release notes](https://github.com/gofr-dev/gofr/releases) - [Commits](gofr-dev/gofr@v1.42.4...v1.42.5) --- updated-dependencies: - dependency-name: gofr.dev dependency-version: 1.42.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/ClickHouse/clickhouse-go/v2 Bumps [github.com/ClickHouse/clickhouse-go/v2](https://github.com/ClickHouse/clickhouse-go) from 2.39.0 to 2.40.1. - [Release notes](https://github.com/ClickHouse/clickhouse-go/releases) - [Changelog](https://github.com/ClickHouse/clickhouse-go/blob/main/CHANGELOG.md) - [Commits](ClickHouse/clickhouse-go@v2.39.0...v2.40.1) --- updated-dependencies: - dependency-name: github.com/ClickHouse/clickhouse-go/v2 dependency-version: 2.40.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump crate-ci/typos in the actions group Bumps the actions group with 1 update: [crate-ci/typos](https://github.com/crate-ci/typos). Updates `crate-ci/typos` from 1.34.0 to 1.35.1 - [Release notes](https://github.com/crate-ci/typos/releases) - [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md) - [Commits](crate-ci/typos@v1.34.0...v1.35.1) --- updated-dependencies: - dependency-name: crate-ci/typos dependency-version: 1.35.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.22.0 to 1.23.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.22.0...v1.23.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-version: 1.23.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump google.golang.org/api from 0.243.0 to 0.244.0 Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.243.0 to 0.244.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.243.0...v0.244.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.244.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump modernc.org/sqlite from 1.38.1 to 1.38.2 Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.38.1 to 1.38.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.1...v1.38.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.3 to 5.3.0 Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.2.3 to 5.3.0. - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md) - [Commits](golang-jwt/jwt@v5.2.3...v5.3.0) --- updated-dependencies: - dependency-name: github.com/golang-jwt/jwt/v5 dependency-version: 5.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Merge pull request gofr-dev#2135 from gofr-dev/fix-docs * update release version to v1.43.0 --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: HootingConjuror <[email protected]> Co-authored-by: HeerakKashyap <[email protected]> Co-authored-by: coolwednesday <[email protected]> Co-authored-by: Divya Darshana <[email protected]> Co-authored-by: ccoVeille <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…fo support - Implement OIDC userinfo middleware to fetch and inject user profile - Add discovery helper to fetch OIDC provider metadata dynamically - Include comprehensive tests for userinfo middleware and discovery - Add detailed docs on usage and integration
|
Hi, @Umang01-hash @coolwednesday . Please review this PR. Thank you so much! |
ccoVeille
reviewed
Aug 7, 2025
| return cachedMeta, nil | ||
| } | ||
|
|
||
| resp, err := http.Get(discoveryURL) |
There was a problem hiding this comment.
And http.Get without passing a contexf doesn't sound a good idea
- Use strings.CutPrefix for token extraction - DiscoveryCache struct with per-URL cache/mutex - HTTP requests now use context - Updated tests for middleware and discovery - Updated docs for new usage patterns
|
Hi @ccoVeille @Umang01-hash @coolwednesday . I've updated the files according to the recommendations. Please review. |
ccoVeille
approved these changes
Aug 12, 2025
| @@ -1,3 +1,3 @@ | |||
| package version | |||
|
|
|||
| const Framework = "dev" | |||
| const Framework = "v1.43.0" | |||
There was a problem hiding this comment.
Hi, this change was not intentional. It seems it got included in my PR because I accidentally staged all changes using git add . while preparing my commit. Please let me know if you’d like me to remove it. @ccoVeille
There was a problem hiding this comment.
@meher745 Please revert back this change.
|
@ccoVeille , kindly merge the pull request. Thanks! |
|
I'm an active code reviewer of gofr. But I'm not a maintainer. I cannot merge. Let's wait for a maintainer feedback |
|
@meher745 There's a lot of redundancy in your code right now - consider using the existing Auth Middleware which accepts AuthProvider. |
Umang01-hash
requested changes
Aug 25, 2025
There was a problem hiding this comment.
@meher745 Here are a few review suggestions for your PR:
- Instead of using dynamic errors (fmt.Errorf()) please use predefined errors.
- For the documentation i see we can improve on how we are portraying this feature to user, the code included should be well formatted, include proper spaces and comments. Remove repeteted things and big technical jagrons let's try to keep it simple so that evry user can understand it. Also the documentation file is directly placed under
docs/advanced-guidewhich is not correct. We need to follow the exact same way other documentations are following. - Please resolve all the linter and code quality errors in your code.
| @@ -1,3 +1,3 @@ | |||
| package version | |||
|
|
|||
| const Framework = "dev" | |||
| const Framework = "v1.43.0" | |||
There was a problem hiding this comment.
@meher745 Please revert back this change.
| @@ -0,0 +1,76 @@ | |||
| // File: pkg/gofr/http/middleware/oidc.go | |||
|
|
|||
| package middleware | |||
There was a problem hiding this comment.
To integrate OIDC with the existing AuthProvider based AuthMiddleware, you can implement a new OIDCAuthProvider struct in oidc.go that satisfies the AuthProvider interface. This allows you to reuse the unified authentication flow for OIDC, just like Basic, API key, and OAuth. Simply extract (& validate if needed) the Bearer token in ExtractAuthHeader, and return user info or claims as needed. Then, pass your provider to AuthMiddleware for consistent middleware usage.
|
@meher745 Are you still working in this PR? |
Yes I am. I am almost done with the desired changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces comprehensive OpenID Connect (OIDC) support into the GoFr framework by adding:
OIDC Discovery Metadata Fetching & Caching (discovery.go)
Implements dynamic fetching and caching of OIDC provider metadata (including issuer, JWKS URI, and userinfo endpoint) from the standard .well-known/openid-configuration URL.
OIDC Userinfo Middleware (oidc.go)
Middleware to fetch user profile information from the OIDC userinfo endpoint after OAuth JWT token validation. This middleware injects the retrieved user info into the request context for downstream handlers to use.
Dedicated Tests (oidc_test.go, discovery_test.go)
Thorough test coverage for both userinfo middleware and discovery metadata fetching utilities, covering success scenarios, error handling, caching behavior, and edge cases.
Documentation (docs/advanced-guide/oidc.md)
Detailed usage guide explaining how to configure and use the new OIDC features alongside GoFr’s built-in OAuth middleware. Includes examples for discovery, middleware registration, and handler access to user info.
Implementation Highlights
Usage Flow:
Testing
All new tests pass:
Existing package tests:
Thanks for considering this contribution!