feat(auth): add generic OIDC and OAuth 2.0 plugins #1056
📝 Walkthrough
Adds OIDC and OAuth2 authentication plugins with env-driven provider construction and profile normalization, unit tests for both plugins, registry/export updates, and an expanded SSO configuration block in
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client as Client
    participant App as App
    participant Plugin as AuthPlugin
    participant IdP as IdentityProvider
    participant JWKS as JWKS/UserInfo
    Client->>App: initiate login
    App->>Plugin: build provider (read env vars)
    App->>Client: redirect to authorization endpoint
    Client->>IdP: authorize (user auth/consent)
    IdP->>Client: redirect back with code/state
    Client->>App: callback with code
    App->>Plugin: exchange code for token
    Plugin->>JWKS: fetch userinfo / jwks if needed
    JWKS-->>Plugin: user profile / keys
    Plugin->>App: normalized profile (id, email, name, image, username)
    App->>Client: establish session / return success
```
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.env.example:
- Line 111: The .env.example file is missing a trailing newline which triggers
dotenv-linter's EndingBlankLine; add a single blank line (newline character) at
the end of the file after the AUTH_OAUTH_ENABLE_PKCE="false" line so the file
ends with a newline.
In `@src/lib/plugins/auth/oauth.ts`:
- Around line 16-18: The authorization.params.scope currently defaults to the
OIDC scopes "openid email profile", which is inappropriate for this non-OIDC
relaxed OAuth plugin; change the fallback so it does not assume OIDC — e.g. use
process.env.AUTH_OAUTH_SCOPE || undefined (or omit the scope key entirely when
the env var is not set) in the authorization object so the plugin won't default
to "openid email profile"; update the authorization -> params -> scope usage in
src/lib/plugins/auth/oauth.ts accordingly.
- Line 27: The current spread expression in oauth.ts flips the PKCE toggle so
PKCE is off by default; change the condition so PKCE is enabled unless
explicitly opted-out. Update the spread around the checks setting (the
expression using process.env.AUTH_OAUTH_ENABLE_PKCE) to treat "false" as the
opt-out (i.e., only include { checks: ["state"] } when AUTH_OAUTH_ENABLE_PKCE
=== "false"), ensuring PKCE is active by default in the oauth plugin.
In `@src/lib/plugins/auth/oidc.ts`:
- Around line 20-38: The auth provider object in oidc.ts uses three `any`
escapes (the `token_endpoint_auth_method as any` value, the `profile(profile:
any)` parameter, and the final `} as any`) which bypass TypeScript checks;
change the provider object's type to the proper NextAuth provider type (e.g.
annotate the whole object as NextAuthConfig["providers"][number] or the Provider
type from next-auth) and remove all `as any` casts, give
`token_endpoint_auth_method` the correct union/string type instead of casting,
and type the `profile` parameter (e.g. `profile: Record<string, unknown>` or a
dedicated interface matching OIDC claims) so the returned shape conforms to
NextAuth provider `profile` signature; ensure the final export uses the typed
provider object instead of `as any`.
- Line 27: The OIDC PKCE flag is inverted so PKCE is disabled unless
AUTH_OIDC_ENABLE_PKCE is exactly "true"; update the conditional around
process.env.AUTH_OIDC_ENABLE_PKCE so PKCE is enabled by default and only
disabled when the env var is explicitly "false" (e.g. change the ternary to
check === "false" or explicitly parse the env value), keeping the branch that
adds checks: ["state"] when PKCE is active; locate the expression in oidc.ts
that uses process.env.AUTH_OIDC_ENABLE_PKCE and adjust it to flip the logic
accordingly.
📒 Files selected for processing (7)
- .env.example
- prompts.config.ts
- src/__tests__/lib/plugins/auth/oauth.test.ts
- src/__tests__/lib/plugins/auth/oidc.test.ts
- src/lib/plugins/auth/index.ts
- src/lib/plugins/auth/oauth.ts
- src/lib/plugins/auth/oidc.ts
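The PKCE and scope defaults flagged in the review above, as an added example that is not code from the PR or the project: `Env`, `buildOAuthOptions`, `buildOidcOptions` and the `AUTH_OIDC_SCOPE` variable are assumed names, and the plugin would pass `process.env` as `env`.

```typescript
// Added example, not the PR's code: env-driven option construction for the
// two plugins, applying the review's points (no OIDC scope fallback for the
// relaxed OAuth plugin, PKCE on unless explicitly "false"). Function, type
// and the AUTH_OIDC_SCOPE variable names are assumptions.

type Env = Record<string, string | undefined>;
type ProviderCheck = "pkce" | "state";

export interface ProviderOptions {
  checks: ProviderCheck[];
  authorization: { params: { scope?: string } };
}

// Only the literal "false" (case/whitespace-insensitive) opts out of PKCE.
// Absent, empty or misspelt values keep PKCE on, so a typo cannot weaken the
// flow. Note for tests: `process.env.X = undefined` stores the string
// "undefined" in Node, so an absent variable must be simulated with `delete`.
export function pkceEnabled(env: Env, key: string): boolean {
  return env[key]?.trim().toLowerCase() !== "false";
}

// Mirrors the review's suggestion: ["state"] only when PKCE is opted out.
export function providerChecks(env: Env, key: string): ProviderCheck[] {
  return pkceEnabled(env, key) ? ["pkce", "state"] : ["state"];
}

// Relaxed OAuth plugin: never assume OIDC scopes. When AUTH_OAUTH_SCOPE is
// unset the key is omitted so the provider's own default applies.
export function oauthAuthorizationParams(env: Env): { scope?: string } {
  const scope = env["AUTH_OAUTH_SCOPE"]?.trim();
  return scope ? { scope } : {};
}

// Strict OIDC plugin: "openid" is mandatory for an ID Token, so it is
// re-inserted if an operator-supplied scope list leaves it out.
export function oidcScope(env: Env): string {
  const scopes = (env["AUTH_OIDC_SCOPE"] ?? "openid email profile")
    .split(/\s+/)
    .filter(Boolean);
  return (scopes.includes("openid") ? scopes : ["openid", ...scopes]).join(" ");
}

export function buildOAuthOptions(env: Env): ProviderOptions {
  return {
    checks: providerChecks(env, "AUTH_OAUTH_ENABLE_PKCE"),
    authorization: { params: oauthAuthorizationParams(env) },
  };
}

export function buildOidcOptions(env: Env): ProviderOptions {
  return {
    checks: providerChecks(env, "AUTH_OIDC_ENABLE_PKCE"),
    authorization: { params: { scope: oidcScope(env) } },
  };
}
```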
8c09cfe to 979bf70
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.idea/copilot.data.migration.ask2agent.xml:
- Around line 1-6: The committed JetBrains IDEA metadata file
.idea/copilot.data.migration.ask2agent.xml is developer-specific and should be
excluded from version control; remove this file from the commit (git rm --cached
or revert the addition) and add a rule to ignore it by updating .gitignore (or
.idea/.gitignore) to include .idea/copilot.data.migration.ask2agent.xml so it
isn’t re-added in future commits, then commit the updated .gitignore and the
removal.
In `@src/lib/plugins/auth/oidc.ts`:
- Around line 45-53: The profile mapper function profile(profile) must validate
required fields instead of returning undefined/empty values: ensure id
(profile.sub || profile.id) is present and email (profile.email) is present and
a string; if either is missing, throw or return a clear error so authentication
fails loudly (this prevents the downstream jwt callback in src/lib/auth/index.ts
from silently skipping user lookup when user.email is falsy). Also tighten
username/image fallbacks to deterministic strings (not undefined) and ensure the
mapped object matches Session.user types (email as string, id non-empty) before
returning.
⛔ Files ignored due to path filters (1)
- prisma/dev.db is excluded by !**/*.db
📒 Files selected for processing (9)
- .env.example
- .idea/.gitignore
- .idea/copilot.data.migration.ask2agent.xml
- .idea/misc.xml
- .idea/modules.xml
- .idea/prompts.chat.iml
- .idea/vcs.xml
- src/lib/plugins/auth/oauth.ts
- src/lib/plugins/auth/oidc.ts
✅ Files skipped from review due to trivial changes (5)
- .idea/.gitignore
- .idea/modules.xml
- .idea/prompts.chat.iml
- .idea/misc.xml
- .idea/vcs.xml
🚧 Files skipped from review as they are similar to previous changes (2)
- src/lib/plugins/auth/oauth.ts
- .env.example
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/lib/plugins/auth/oauth.ts`:
- Line 23: Replace the hardcoded fallback string in the provider config (the
name field currently set as name: process.env.AUTH_OAUTH_NAME || "OAuth Login")
with a next-intl translation lookup; import/get a server-side translator (e.g.,
getTranslator from 'next-intl/server' or your app's i18n helper), call the
translator with a new key like 'providers.oauthLogin' and use that result as the
fallback (e.g., name: process.env.AUTH_OAUTH_NAME || t('providers.oauthLogin')),
and add the 'providers.oauthLogin' entry to your locale files.
- Around line 4-13: The GenericOAuthProfile mapper currently returns profile.sub
/ profile.id as-is (which may be numeric) and hardcodes the fallback provider
name "OAuth Login"; update the mapping logic in the oauth provider (the function
that transforms GenericOAuthProfile into the user/session payload) to coerce
identifiers to strings (e.g., use String(profile.sub ?? profile.id ?? '') or
.toString() when present) so the Session/JWT `id: string` contract is always
satisfied, mirror the same change in the OIDC provider mapping logic in oidc.ts,
and replace the hardcoded "OAuth Login" fallback with the i18n text from
getTranslations() so the provider name is localized.
In `@src/lib/plugins/auth/oidc.ts`:
- Line 23: The provider label currently hardcodes "Single Sign-On" in the object
property name inside oidc.ts; replace that hardcoded fallback with a next-intl
lookup (e.g., use intl.formatMessage or the project’s i18n helper) so the
fallback becomes a localized message id (e.g., "auth.provider.oidc.name")
instead of plain English. Update the code that supplies the provider config (the
name property in the oidc provider object) to call the next-intl formatter at
runtime (or accept a function that resolves the localized string) and add the
corresponding message key to the translations catalog. Ensure you reference the
name property in oidc.ts and the new message id when making the change.
- Around line 34-39: The current client.token_endpoint_auth_method mapping
defaults to "client_secret_post" which makes the strict OIDC plugin less secure;
change the ternary so that when tokenAuthMethod isn't "client_secret_basic" or
"none" it defaults to "client_secret_basic" (i.e. ensure
token_endpoint_auth_method resolves to "client_secret_basic" by default instead
of "client_secret_post"), updating the logic that references tokenAuthMethod and
token_endpoint_auth_method in the client object in oidc.ts.
- Around line 45-64: The OIDC profile callback currently falls back to
profile.id which violates the OIDC spec; update the profile(profile) handler in
src/lib/plugins/auth/oidc.ts to require profile.sub as the unique identifier
(use const id = profile.sub and remove the profile.id fallback) and keep the
existing validation that throws an Error when id is missing so providers without
sub must use the oauth plugin instead.
📒 Files selected for processing (2)
- src/lib/plugins/auth/oauth.ts
- src/lib/plugins/auth/oidc.ts
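The profile mapping and token-endpoint auth defaults raised in the two reviews above, as an added example that is not code from the PR or the project: `normalizeProfile`, `resolveTokenAuthMethod`, `GenericProfile` and `NormalizedUser` are assumed names, and the `"oidc"` / `"oauth"` mode flag stands in for the two separate plugins.

```typescript
// Added example, not the PR's code: the profile mapper the review asks for
// (strict `sub` for OIDC, ids coerced to strings, loud failure on a missing
// email, deterministic fallbacks) plus the secure default for the token
// endpoint auth method. Type and function names are assumptions.

export type TokenAuthMethod = "client_secret_basic" | "client_secret_post" | "none";

// Unset, empty or unrecognised values fall back to client_secret_basic
// (credentials in the Authorization header) rather than client_secret_post.
export function resolveTokenAuthMethod(raw: string | undefined): TokenAuthMethod {
  switch (raw?.trim()) {
    case "client_secret_post": return "client_secret_post";
    case "none": return "none";
    default: return "client_secret_basic";
  }
}

export interface GenericProfile extends Record<string, unknown> {
  sub?: string | number; // numeric ids do occur at legacy providers
  id?: string | number;
  email?: string;
  name?: string;
  preferred_username?: string;
  nickname?: string;
  picture?: string;
  avatar_url?: string;
}

export interface NormalizedUser {
  id: string;
  email: string;
  name: string;
  username: string;
  image: string;
}

// Accept strings and finite numbers only; booleans or objects must never be
// stringified into an identifier.
function asString(value: unknown): string | undefined {
  if (typeof value === "string") return value.trim() || undefined;
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  return undefined;
}

export function normalizeProfile(profile: GenericProfile, mode: "oidc" | "oauth"): NormalizedUser {
  // OIDC Core makes `sub` the only stable identifier; only the relaxed plugin
  // may fall back to a provider-specific `id`.
  const id = mode === "oidc"
    ? asString(profile.sub)
    : (asString(profile.sub) ?? asString(profile.id));
  if (!id) {
    throw new Error(mode === "oidc"
      ? "OIDC profile has no 'sub' claim; providers without 'sub' must use the oauth plugin"
      : "OAuth profile has neither 'sub' nor 'id'");
  }
  // Fail here rather than let a downstream jwt callback silently skip the
  // user lookup because user.email is falsy.
  const email = asString(profile.email);
  if (!email || !email.includes("@")) {
    throw new Error(`profile ${id} has no usable email claim`);
  }
  const username = asString(profile.preferred_username)
    ?? asString(profile.nickname)
    ?? email.slice(0, email.indexOf("@"));
  return {
    id,
    email,
    username,
    name: asString(profile.name) ?? username,
    image: asString(profile.picture) ?? asString(profile.avatar_url) ?? "",
  };
}
```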
be16d7a to ca2eb63
@coderabbitai resume
✅ Actions performed: Reviews resumed.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/__tests__/lib/plugins/auth/oidc.test.ts`:
- Around line 43-46: The test is incorrectly simulating an absent env var by
assigning undefined to process.env.AUTH_OIDC_ENABLE_PKCE; instead delete that
property to truly remove it (so the code path in oidc.ts that checks
process.env.AUTH_OIDC_ENABLE_PKCE === "false" behaves as when the var is
absent). Update the test in oidc.test.ts to delete
process.env.AUTH_OIDC_ENABLE_PKCE before calling oidcPlugin.getProvider(), then
assert on provider.checks to verify PKCE default behavior.
In `@src/lib/plugins/auth/oauth.ts`:
- Around line 23-42: The OAuth provider config builds derived URLs and uses
non-null assertions (e.g., name, clientId, clientSecret, issuer) causing runtime
faults when env vars are missing; update the initialization that creates the
provider object to first validate required env vars (AUTH_OAUTH_ID,
AUTH_OAUTH_SECRET, AUTH_OAUTH_ISSUER) and abort or skip registering the provider
if they are absent, use a safe fallback for name (e.g., default label when
AUTH_OAUTH_NAME is unset), and only compute authorization.url, token, and
userinfo when issuer or wellKnown are present so you never produce
`undefined/authorize`-style URLs (adjust logic around authorization.url, token,
and userinfo fields and respect tokenAuthMethod for
client.token_endpoint_auth_method).
In `@src/lib/plugins/auth/oidc.ts`:
- Around line 22-28: Validate required OIDC env vars before constructing the
provider: check process.env.AUTH_OIDC_ID, AUTH_OIDC_SECRET, and AUTH_OIDC_ISSUER
and throw a clear error if any are missing so we fail fast (do this in the
module initialization that builds the provider object); also provide a safe
fallback for process.env.AUTH_OIDC_NAME (e.g. "oidc" or "OIDC Provider") instead
of using the non-null assertion, and compute wellKnown using the validated
issuer (use issuer + "/.well-known/openid-configuration" only when issuer is
present).
📒 Files selected for processing (7)
- .env.example
- prompts.config.ts
- src/__tests__/lib/plugins/auth/oauth.test.ts
- src/__tests__/lib/plugins/auth/oidc.test.ts
- src/lib/plugins/auth/index.ts
- src/lib/plugins/auth/oauth.ts
- src/lib/plugins/auth/oidc.ts
✅ Files skipped from review due to trivial changes (1)
- prompts.config.ts
31a4d7c to b1a1b2c
Actionable comments posted: 1
♻️ Duplicate comments (1)
src/lib/plugins/auth/oauth.ts (1)
30-30: ⚠️ Potential issue | 🟡 Minor
Hardcoded fallback string violates i18n guidelines.
The "OAuth Login" fallback is user-facing and should use next-intl for localization. As per coding guidelines, "Use next-intl for all user-facing strings; never hardcode text." Note: The same issue exists in the OIDC plugin (src/lib/plugins/auth/oidc.ts) with "OIDC Login".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/lib/plugins/auth/oauth.ts` at line 30, The hardcoded user-facing fallback "OAuth Login" assigned to the name property (name: process.env.AUTH_OAUTH_NAME || "OAuth Login") must be replaced with a next-intl translation lookup instead of a literal string; update the code that builds the plugin config in src/lib/plugins/auth/oauth.ts to call the next-intl translator (use the translator/getMessage helper used elsewhere in the codebase) to provide the localized string key (e.g., "auth.oauth.login") and fall back to process.env.AUTH_OAUTH_NAME only if translation is unavailable, and make the same change for the analogous name property in src/lib/plugins/auth/oidc.ts where "OIDC Login" is currently hardcoded.
🧹 Nitpick comments (1)
src/lib/plugins/auth/oauth.ts (1)
4-13: Interface types should allow numeric identifiers.
The GenericOAuthProfile interface types sub and id as string, but legacy providers often return numeric IDs. While the code correctly coerces to string on line 68, the interface should reflect reality to avoid type-casting surprises during debugging.
♻️ Suggested type update
export interface GenericOAuthProfile extends Record<string, unknown> { - sub?: string; - id?: string; + sub?: string | number; + id?: string | number; name?: string; preferred_username?: string; email?: string; picture?: string; avatar_url?: string; nickname?: string; }🤖 Prompt for AI Agents
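Review bot: widening `sub` and `id` to `string | number` is safe only because the mapper coerces the value to a string before it reaches the session (line 68 per this comment); pair the type change with a unit test that feeds a numeric `id` and asserts the mapped `id` is its string form, so the `Session`/`JWT` `id: string` contract cannot regress silently when that coercion is touched.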
Verify each finding against the current code and only fix it if needed. In `@src/lib/plugins/auth/oauth.ts` around lines 4 - 13, The GenericOAuthProfile interface currently types sub and id as string but some providers return numeric IDs; update the interface (GenericOAuthProfile) so sub and id accept string | number (or string | number | undefined) to match real-world responses and avoid unnecessary casting elsewhere (e.g., where code coerces profile.sub/profile.id to string). Ensure other fields remain unchanged and keep the optional (?) modifiers.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/lib/plugins/auth/index.ts`:
- Around line 17-18: The current auth-plugin error string is incomplete; update
the error message used where available auth plugins are listed (the code that
throws/logs when invalid provider is configured) to include all seven plugins:
credentials, google, azure, github, apple, oidc, oauth; locate the code that
constructs the message (the same module that references registerAuthPlugin and
the registered plugins) and replace the hardcoded list with the full list or,
better, derive it from the registered plugins so the message always reflects
registerAuthPlugin(oidcPlugin) and registerAuthPlugin(oauthPlugin) additions.
---
Duplicate comments:
In `@src/lib/plugins/auth/oauth.ts`:
- Line 30: The hardcoded user-facing fallback "OAuth Login" assigned to the name
property (name: process.env.AUTH_OAUTH_NAME || "OAuth Login") must be replaced
with a next-intl translation lookup instead of a literal string; update the code
that builds the plugin config in src/lib/plugins/auth/oauth.ts to call the
next-intl translator (use the translator/getMessage helper used elsewhere in the
codebase) to provide the localized string key (e.g., "auth.oauth.login") and
fall back to process.env.AUTH_OAUTH_NAME only if translation is unavailable, and
make the same change for the analogous name property in
src/lib/plugins/auth/oidc.ts where "OIDC Login" is currently hardcoded.
---
Nitpick comments:
In `@src/lib/plugins/auth/oauth.ts`:
- Around line 4-13: The GenericOAuthProfile interface currently types sub and id
as string but some providers return numeric IDs; update the interface
(GenericOAuthProfile) so sub and id accept string | number (or string | number |
undefined) to match real-world responses and avoid unnecessary casting elsewhere
(e.g., where code coerces profile.sub/profile.id to string). Ensure other fields
remain unchanged and keep the optional (?) modifiers.
📒 Files selected for processing (7)
- .env.example
- prompts.config.ts
- src/__tests__/lib/plugins/auth/oauth.test.ts
- src/__tests__/lib/plugins/auth/oidc.test.ts
- src/lib/plugins/auth/index.ts
- src/lib/plugins/auth/oauth.ts
- src/lib/plugins/auth/oidc.ts
🚧 Files skipped from review as they are similar to previous changes (4)
- src/__tests__/lib/plugins/auth/oauth.test.ts
- prompts.config.ts
- src/lib/plugins/auth/oidc.ts
- src/__tests__/lib/plugins/auth/oidc.test.ts
b1a1b2c to e07b951
@coderabbitai resolve
✅ Actions performed: Comments resolved. Auto-approval is disabled; enable
Actionable comments posted: 2
🧹 Nitpick comments (2)
.env.example (2)
116-116: Consider explicitly documenting the default value.
While the example value "client_secret_basic" happens to match the default (as seen in src/lib/plugins/auth/oauth.ts:45-48), explicitly labeling it as (default) would make the behavior clearer when the variable is not set.
📝 Suggested clarification
-# AUTH_OAUTH_TOKEN_AUTH_METHOD="client_secret_basic" # Allowed values: "client_secret_basic", "client_secret_post", "none" +# AUTH_OAUTH_TOKEN_AUTH_METHOD="client_secret_basic" # Allowed values: "client_secret_basic" (default), "client_secret_post", "none"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.env.example at line 116, The .env.example comment for AUTH_OAUTH_TOKEN_AUTH_METHOD should explicitly state the default; update the line for AUTH_OAUTH_TOKEN_AUTH_METHOD to indicate "(default: client_secret_basic)" so consumers know what will be used when the variable is unset—reference the default behavior implemented in src/lib/plugins/auth/oauth.ts (the token auth method default around the logic that picks "client_secret_basic"/"client_secret_post"/"none") to ensure the text matches the code.
98-98: Document default value for AUTH_OIDC_TOKEN_AUTH_METHOD.
The example shows "client_secret_post", but according to the plugin code (src/lib/plugins/auth/oidc.ts:43-46), the default value when not set is "client_secret_basic". Consider documenting this default to help users understand the behavior when the variable is not set.
📝 Suggested clarification
-# AUTH_OIDC_TOKEN_AUTH_METHOD="client_secret_post" # Allowed values: "client_secret_basic", "client_secret_post", "none" +# AUTH_OIDC_TOKEN_AUTH_METHOD="client_secret_post" # Allowed values: "client_secret_basic" (default), "client_secret_post", "none"🤖 Prompt for AI Agents
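Review bot: the example value on the `+` line is still `"client_secret_post"` while the annotation names `"client_secret_basic"` as the default, so uncommenting the line verbatim moves a deployment off the more secure default flagged earlier in this review; consider changing the example value to `"client_secret_basic"` as well, mirroring the AUTH_OAUTH_TOKEN_AUTH_METHOD line.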
Verify each finding against the current code and only fix it if needed. In @.env.example at line 98, The .env.example comment for AUTH_OIDC_TOKEN_AUTH_METHOD shows "client_secret_post" but the OIDC plugin's default logic in auth/oidc.ts returns "client_secret_basic" when the env var is unset; update the .env.example line for AUTH_OIDC_TOKEN_AUTH_METHOD to indicate the actual default (e.g., add a note like 'default: "client_secret_basic" when unset') so users know the real behavior, referencing the AUTH_OIDC_TOKEN_AUTH_METHOD variable name and the OIDC plugin default logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.env.example:
- Around line 86-87: Update the .env.example comment to clarify AUTH_OIDC_SECRET
is conditional: state that AUTH_OIDC_SECRET is required only when
AUTH_OIDC_TOKEN_AUTH_METHOD is not set to "none" (i.e., for token client
authentication methods), and optional/ignored when
AUTH_OIDC_TOKEN_AUTH_METHOD="none"; reference the related config keys
AUTH_OIDC_SECRET and AUTH_OIDC_TOKEN_AUTH_METHOD and ensure the comment explains
that behavior so users know when to provide AUTH_OIDC_SECRET.
- Around line 104-105: Update the .env.example comment to document that
AUTH_OAUTH_SECRET is conditionally required based on
AUTH_OAUTH_TOKEN_AUTH_METHOD; specifically note that AUTH_OAUTH_SECRET must be
set unless AUTH_OAUTH_TOKEN_AUTH_METHOD is explicitly set to "none", referencing
the related config variables AUTH_OAUTH_SECRET and AUTH_OAUTH_TOKEN_AUTH_METHOD
(as used in src/lib/plugins/auth/oauth.ts) so users understand the conditional
requirement.
---
Nitpick comments:
In @.env.example:
- Line 116: The .env.example comment for AUTH_OAUTH_TOKEN_AUTH_METHOD should
explicitly state the default; update the line for AUTH_OAUTH_TOKEN_AUTH_METHOD
to indicate "(default: client_secret_basic)" so consumers know what will be used
when the variable is unset—reference the default behavior implemented in
src/lib/plugins/auth/oauth.ts (the token auth method default around the logic
that picks "client_secret_basic"/"client_secret_post"/"none") to ensure the text
matches the code.
- Line 98: The .env.example comment for AUTH_OIDC_TOKEN_AUTH_METHOD shows
"client_secret_post" but the OIDC plugin's default logic in auth/oidc.ts returns
"client_secret_basic" when the env var is unset; update the .env.example line
for AUTH_OIDC_TOKEN_AUTH_METHOD to indicate the actual default (e.g., add a note
like 'default: "client_secret_basic" when unset') so users know the real
behavior, referencing the AUTH_OIDC_TOKEN_AUTH_METHOD variable name and the OIDC
plugin default logic.
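The fail-fast environment validation and conditional secret requirement discussed in the reviews above, as an added example that is not code from the PR or the project: `resolveProviderEnv`, `ResolvedProviderEnv`, `AuthConfigError` and the `/authorize`, `/token` and `/userinfo` paths derived for the relaxed plugin are assumptions, and the localized display name is passed in by the caller rather than looked up here.

```typescript
// Added example, not the PR's code: resolve a provider's environment before
// anything is built. Required variables are checked up front, the client
// secret is required unless the token endpoint auth method is "none", URLs
// are derived only from a validated issuer (no "undefined/authorize"), and
// the display name is supplied by the caller so it can come from next-intl.
// Names and the derived endpoint paths are assumptions.

type Env = Record<string, string | undefined>;
type Prefix = "AUTH_OIDC" | "AUTH_OAUTH";

export interface ResolvedProviderEnv {
  name: string;
  clientId: string;
  clientSecret?: string;
  issuer: string;
  wellKnown: string;
  endpoints?: { authorization: string; token: string; userinfo: string };
}

export class AuthConfigError extends Error {}

// Returns null when the provider is not configured at all (nothing to
// register) and throws when it is only partially configured, so a half-set
// environment never reaches the identity provider.
export function resolveProviderEnv(env: Env, prefix: Prefix, localizedName: string): ResolvedProviderEnv | null {
  const read = (key: string): string | undefined => env[`${prefix}_${key}`]?.trim() || undefined;

  const clientId = read("ID");
  const issuerRaw = read("ISSUER");
  const clientSecret = read("SECRET");
  if (!clientId && !issuerRaw && !clientSecret) return null;

  // Public clients (token endpoint auth "none") legitimately have no secret.
  const secretOptional = read("TOKEN_AUTH_METHOD") === "none";
  if (!clientId || !issuerRaw || (!clientSecret && !secretOptional)) {
    const missing: string[] = [];
    if (!clientId) missing.push(`${prefix}_ID`);
    if (!issuerRaw) missing.push(`${prefix}_ISSUER`);
    if (!clientSecret && !secretOptional) missing.push(`${prefix}_SECRET`);
    throw new AuthConfigError(
      `${prefix}: missing required variable(s) ${missing.join(", ")}` +
        (secretOptional ? "" : ` (set ${prefix}_TOKEN_AUTH_METHOD="none" to omit the secret)`),
    );
  }

  // Authorization codes and tokens travel to this origin: refuse plain http,
  // and drop trailing slashes that would yield "https://idp//authorize".
  const issuer = issuerRaw.replace(/\/+$/, "");
  if (!/^https:\/\/[^\s/]+/i.test(issuer)) {
    throw new AuthConfigError(`${prefix}_ISSUER must be an https URL, got "${issuerRaw}"`);
  }

  const resolved: ResolvedProviderEnv = {
    name: read("NAME") ?? localizedName,
    clientId,
    issuer,
    // WELLKNOWN is an optional override; the default is discovered from the issuer.
    wellKnown: read("WELLKNOWN") ?? `${issuer}/.well-known/openid-configuration`,
  };
  if (clientSecret) resolved.clientSecret = clientSecret;
  if (prefix === "AUTH_OAUTH") {
    // Relaxed plugin: derive endpoints from the issuer (assumed path conventions).
    resolved.endpoints = {
      authorization: `${issuer}/authorize`,
      token: `${issuer}/token`,
      userinfo: `${issuer}/userinfo`,
    };
  }
  return resolved;
}
```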
Actionable comments posted: 1
♻️ Duplicate comments (2)
.env.example (2)
105-105: ⚠️ Potential issue | 🟡 Minor
Document that AUTH_OAUTH_SECRET is conditional, not always required.
Line 105 should state this is required unless AUTH_OAUTH_TOKEN_AUTH_METHOD="none" to align with src/lib/plugins/auth/oauth.ts.
Suggested doc fix
-# AUTH_OAUTH_SECRET="dummy-oauth-client-secret" +# AUTH_OAUTH_SECRET="dummy-oauth-client-secret" # Required unless AUTH_OAUTH_TOKEN_AUTH_METHOD is "none"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.env.example at line 105, Update the .env.example entry for AUTH_OAUTH_SECRET to indicate it is conditional: document that AUTH_OAUTH_SECRET is required only when AUTH_OAUTH_TOKEN_AUTH_METHOD is not set to "none" (refer to src/lib/plugins/auth/oauth.ts and the AUTH_OAUTH_TOKEN_AUTH_METHOD setting). Replace the commented line with a short explanatory comment clarifying the dependency and the valid value of AUTH_OAUTH_TOKEN_AUTH_METHOD that makes the secret optional.
87-87: ⚠️ Potential issue | 🟡 Minor
Document that AUTH_OIDC_SECRET is conditional, not always required.
Line 87 should clarify that this secret is required unless AUTH_OIDC_TOKEN_AUTH_METHOD="none" to match runtime validation in src/lib/plugins/auth/oidc.ts.
Suggested doc fix
-# AUTH_OIDC_SECRET="dummy-oidc-client-secret" +# AUTH_OIDC_SECRET="dummy-oidc-client-secret" # Required unless AUTH_OIDC_TOKEN_AUTH_METHOD is "none"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.env.example at line 87, Update the .env.example comment for AUTH_OIDC_SECRET to state it's conditional: note that AUTH_OIDC_SECRET is only required when AUTH_OIDC_TOKEN_AUTH_METHOD is not set to "none" (match the runtime validation in src/lib/plugins/auth/oidc.ts); reference both variable names AUTH_OIDC_SECRET and AUTH_OIDC_TOKEN_AUTH_METHOD in the line so readers know the secret can be omitted when AUTH_OIDC_TOKEN_AUTH_METHOD="none".
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.env.example:
- Line 89: Update the .env.example comments to mark the WELLKNOWN variables as
optional overrides: change the AUTH_OIDC_WELLKNOWN and AUTH_OAUTH_WELLKNOWN
example lines to indicate they are optional (e.g., "optional override - default
discovered from ISSUER") so readers know the OIDC and OAuth plugins will derive
endpoints from the issuer if these are not provided; keep the same variable
names (AUTH_OIDC_WELLKNOWN, AUTH_OAUTH_WELLKNOWN) so the examples are clearly
identified as overrides rather than required configuration.
---
Duplicate comments:
In @.env.example:
- Line 105: Update the .env.example entry for AUTH_OAUTH_SECRET to indicate it
is conditional: document that AUTH_OAUTH_SECRET is required only when
AUTH_OAUTH_TOKEN_AUTH_METHOD is not set to "none" (refer to
src/lib/plugins/auth/oauth.ts and the AUTH_OAUTH_TOKEN_AUTH_METHOD setting).
Replace the commented line with a short explanatory comment clarifying the
dependency and the valid value of AUTH_OAUTH_TOKEN_AUTH_METHOD that makes the
secret optional.
- Line 87: Update the .env.example comment for AUTH_OIDC_SECRET to state it's
conditional: note that AUTH_OIDC_SECRET is only required when
AUTH_OIDC_TOKEN_AUTH_METHOD is not set to "none" (match the runtime validation
in src/lib/plugins/auth/oidc.ts); reference both variable names AUTH_OIDC_SECRET
and AUTH_OIDC_TOKEN_AUTH_METHOD in the line so readers know the secret can be
omitted when AUTH_OIDC_TOKEN_AUTH_METHOD="none".
📒 Files selected for processing (2)
- .env.example
- prompts.config.ts
✅ Files skipped from review due to trivial changes (1)
- prompts.config.ts
```dotenv
# AUTH_OIDC_ID="dummy-oidc-client-id"
# AUTH_OIDC_SECRET="dummy-oidc-client-secret"
# AUTH_OIDC_ISSUER="https://oidc.example.com"
# AUTH_OIDC_WELLKNOWN="https://oidc.example.com/.well-known/openid-configuration"
```
Mark *_WELLKNOWN as optional to avoid misleading setup docs.
Line 89 and Line 107 currently read like required examples, but both plugins can operate without explicit WELLKNOWN (OIDC defaults from issuer; OAuth can derive endpoints from issuer). Please annotate these as optional overrides.
Suggested doc fix
-# AUTH_OIDC_WELLKNOWN="https://oidc.example.com/.well-known/openid-configuration"
+# AUTH_OIDC_WELLKNOWN="https://oidc.example.com/.well-known/openid-configuration" # Optional override
...
-# AUTH_OAUTH_WELLKNOWN="https://sso.example.com/.well-known/openid-configuration"
+# AUTH_OAUTH_WELLKNOWN="https://sso.example.com/.well-known/openid-configuration" # Optional overrideAlso applies to: 107-107
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.env.example at line 89, Update the .env.example comments to mark the
WELLKNOWN variables as optional overrides: change the AUTH_OIDC_WELLKNOWN and
AUTH_OAUTH_WELLKNOWN example lines to indicate they are optional (e.g.,
"optional override - default discovered from ISSUER") so readers know the OIDC
and OAuth plugins will derive endpoints from the issuer if these are not
provided; keep the same variable names (AUTH_OIDC_WELLKNOWN,
AUTH_OAUTH_WELLKNOWN) so the examples are clearly identified as overrides rather
than required configuration.
Description
This PR expands the authentication plugin registry by creating both a strict Generic OIDC plugin and a relaxed Generic OAuth 2.0 plugin to support a wide range of enterprise SSO integrations out-of-the-box.
Key Changes:
aud claims, non-openid scope, missing ID Token).
Type of Change
Additional Notes
Context on creating two separate plugins:
During testing with Enterprise WAFs and legacy SSO protocols, we found that strict OIDC adherence (which Auth.js enforces globally by default) would often incorrectly crash active authentication flows if the identity provider was missing the aud array in the token, or required credentials to be posted inside the body via client_secret_post instead of the Authorization header.
By splitting the logic into an oidc plugin and a loose oauth plugin with togglable PKCE bypasses, developers can now seamlessly integrate nearly any identity provider simply by configuring their environment parameters!
Closes #1092