feat: add oauth2 code verifier

* fix: ensure oauth state param matches before finishing oauth flow

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* chore: upgrade openid-client to v6

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* feat: use PKCE for oauth2 on supported clients

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* feat: use state and PKCE in mobile app

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: remove obsolete oauth repository init

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: rewrite callback url if mobile redirect url is enabled

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: propagate oidc client error cause when oauth callback fails

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: adapt auth service tests to required state and PKCE params

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: update sdk types

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: adapt oauth e2e test to work with PKCE

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: allow insecure (http) oauth clients

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

---------

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
Co-authored-by: Jason Rasmussen <jason@rasm.me>
This commit is contained in:
Tin Pecirep 2025-04-23 16:05:00 +02:00 committed by Zack Pollard
parent 13d6bd67b1
commit b7a0cf2470
18 changed files with 469 additions and 192 deletions


@ -10354,6 +10354,12 @@
},
"OAuthCallbackDto": {
"properties": {
"codeVerifier": {
"type": "string"
},
"state": {
"type": "string"
},
"url": {
"type": "string"
}
@ -10365,8 +10371,14 @@
},
"OAuthConfigDto": {
"properties": {
"codeChallenge": {
"type": "string"
},
"redirectUri": {
"type": "string"
},
"state": {
"type": "string"
}
},
"required": [


@ -688,12 +688,16 @@ export type TestEmailResponseDto = {
};
export type OAuthConfigDto = {
redirectUri: string;
state?: string;
codeChallenge?: string;
};
export type OAuthAuthorizeResponseDto = {
url: string;
};
export type OAuthCallbackDto = {
url: string;
state?: string;
codeVerifier?: string;
};
export type PartnerResponseDto = {
avatarColor: UserAvatarColor;
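Review bot: `OAuthCallbackDto.state` and `OAuthCallbackDto.codeVerifier` are declared optional (`state?: string; codeVerifier?: string;`), so an SDK caller can submit a callback `url` with neither, even though the commit description says the auth service now requires state and PKCE params. If the server-side check skips the state comparison when the field is absent, the CSRF protection that `state` is meant to add becomes something the client can opt out of; the service should treat a missing `state` as a mismatch when one was issued in the authorize step, and likewise fail PKCE when `codeVerifier` is missing for a client that received a `codeChallenge`. If those parameters really are required for every supported flow, the types here (and `state`/`codeChallenge` on `OAuthConfigDto`, also optional) should say so; if this file is generated from the server DTOs, as its shape suggests, the fix belongs on the DTO validators rather than in this file.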