Add a dedicated two-factor authentication page and integrate it into the auth routing system. This includes a new standalone MFA challenge page to handle page reloads and bookmarks, as well as an enhanced login template with a sliding transition for inline MFA prompts and OTP input styling.

- Add `/two-factor` route to `authPageRoutes`
- Update `PageName` type to include `two-factor`
- Implement `templates/default/two-factor.html`
- Update `templates/default/login.html` with MFA slider and OTP UI components
…d CORS

Introduce a runtime configuration system to manage OAuth resource server audiences and CORS origins dynamically. This removes the need for server restarts when adding or updating applications in the admin UI.

- Create `src/runtime-config.ts` to manage mutable sets of origins and audiences
- Seed runtime config from environment variables and database application URLs at startup
- Integrate dynamic updates into application CRUD operations in `src/routes/admin/applications.ts`
- Update `src/auth.ts` to use live configuration for `trustedOrigins` and `validAudiences`
- Expand OIDC claims to include `phone`, `email_verified`, `picture`, and `updated_at`
- Add `phone` scope to available OAuth scopes
- Update frontend `ApplicationDetailView.
Co-authored-by: Copilot <copilot@github.com>
This pull request introduces significant improvements to OAuth resource server audience management (RFC 8707), CORS origin handling, and the developer experience in the application detail view. The changes ensure that both CORS origins and valid OAuth audiences are now dynamically managed and updated in real-time, without requiring a server restart. Additionally, the frontend now provides clearer integration instructions and a more comprehensive overview of supported OAuth scopes and claims.
Dynamic configuration and OAuth improvements:

- Refactored CORS and OAuth audience handling to use live, mutable sets (`trustedOrigins`, `validAudiences`) that are seeded from environment variables and application URLs at startup, and updated automatically on application create/update/delete. This ensures immediate reflection of changes without a restart. (`src/auth.ts`, `src/index.ts`, `.env.example`, `docker-compose.yml`)
- Updated the OAuth provider configuration to support the `phone` scope and to include additional user claims (such as `emailVerified`, `image`, `phone`, `updatedAt`) in both ID tokens and access tokens, improving standards compliance and downstream integration. (`src/auth.ts`, `frontend/src/components/applications/ApplicationFormModal.vue`)

Frontend developer experience enhancements:

- Overhauled the Application Detail view to provide dynamic, tabbed code examples for TypeScript (`oauth4webapi`), Python (`authlib`), and IOServer (`ioserver-oidc`), all demonstrating correct use of the `resource` parameter for RFC 8707 JWT access tokens. The view now also displays key endpoints (JWKS URI, discovery endpoint), the configured audience/resource, and warnings if the application URL is missing. (`frontend/src/views/ApplicationDetailView.vue`)
- Added a comprehensive "Scopes & Claims" table to the Application Detail view, showing which scopes are enabled for the application, their types (standard OIDC vs. custom), and the claims they return. This helps developers understand the available data and permissions at a glance. (`frontend/src/views/ApplicationDetailView.vue`)

These changes collectively improve standards compliance, security, and developer usability for OAuth integrations.
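The runtime-configuration pattern the PR describes (live, mutable sets of CORS origins and RFC 8707 audiences seeded at startup and updated on application CRUD) can be sketched as follows. This is an added illustration written for this page, not the repository's `src/runtime-config.ts` or any code from the PR; the environment variable names `TRUSTED_ORIGINS` and `VALID_AUDIENCES`, the `AppRecord` shape, and the policy of refusing a token request with no `resource` are assumptions. It goes slightly beyond the PR text by handling the cases a reviewer would ask about: an update that replaces an application's URL, two applications sharing one origin, and non-http(s) URLs stored by mistake.

```typescript
// Added example (hypothetical; not the repository's src/runtime-config.ts):
// live, mutable sets of trusted CORS origins and valid OAuth resource
// audiences, seeded from the environment and the application table at
// startup, then kept current on application create/update/delete.

export interface AppRecord {
  id: string;
  url: string | null; // application base/redirect URL; may be unset
}

// These Set instances are mutated in place and never replaced, so a consumer
// that captured them at startup (e.g. an auth library's trustedOrigins
// option) keeps seeing updates without a restart.
export const trustedOrigins = new Set<string>();
export const validAudiences = new Set<string>();

// Seeds that do not come from the database and therefore survive rebuilds.
const envOrigins = new Set<string>();
const envAudiences = new Set<string>();
// Current application URLs keyed by application id.
const appUrls = new Map<string, string>();

function parseHttpUrl(raw: string | null | undefined): URL | null {
  if (!raw) return null;
  try {
    const u = new URL(raw.trim());
    // Only http(s) is meaningful for CORS and audience checks; this also
    // drops e.g. javascript: or data: values stored by mistake.
    return u.protocol === "https:" || u.protocol === "http:" ? u : null;
  } catch (_e) {
    return null;
  }
}

// CORS compares origins, so path, query and fragment are stripped.
export function toOrigin(raw: string | null | undefined): string | null {
  const u = parseHttpUrl(raw);
  return u ? u.origin : null;
}

// The RFC 8707 `resource` value is compared as an exact string: keep the
// path, drop query/fragment and a trailing slash.
export function toAudience(raw: string | null | undefined): string | null {
  const u = parseHttpUrl(raw);
  if (!u) return null;
  u.search = "";
  u.hash = "";
  return u.toString().replace(/\/$/, "");
}

// Recompute both live sets in place from env seeds plus every known app.
function rebuild(): void {
  trustedOrigins.clear();
  validAudiences.clear();
  envOrigins.forEach((o) => trustedOrigins.add(o));
  envAudiences.forEach((a) => validAudiences.add(a));
  appUrls.forEach((url) => {
    const o = toOrigin(url);
    const a = toAudience(url);
    if (o) trustedOrigins.add(o);
    if (a) validAudiences.add(a);
  });
}

// Startup seeding: comma-separated env values (names are assumptions) plus
// the application rows loaded from the database.
export function seedRuntimeConfig(
  env: { TRUSTED_ORIGINS?: string; VALID_AUDIENCES?: string },
  apps: AppRecord[],
): void {
  envOrigins.clear();
  envAudiences.clear();
  appUrls.clear();
  (env.TRUSTED_ORIGINS ?? "").split(",").forEach((raw) => {
    const o = toOrigin(raw);
    if (o) envOrigins.add(o);
  });
  (env.VALID_AUDIENCES ?? "").split(",").forEach((raw) => {
    const a = toAudience(raw);
    if (a) envAudiences.add(a);
  });
  apps.forEach((app) => {
    if (app.url) appUrls.set(app.id, app.url);
  });
  rebuild();
}

// Hooks for the admin CRUD routes. An update replaces the old URL: an origin
// no longer used by any application is dropped, one still shared stays.
export function onApplicationUpserted(app: AppRecord): void {
  if (app.url) appUrls.set(app.id, app.url);
  else appUrls.delete(app.id);
  rebuild();
}

export function onApplicationDeleted(appId: string): void {
  appUrls.delete(appId);
  rebuild();
}

export function isTrustedOrigin(origin: string | undefined): boolean {
  return origin !== undefined && trustedOrigins.has(origin);
}

// Every requested resource must be registered; a request naming none is
// refused so a JWT access token always gets a concrete audience (assumed
// policy, not taken from the PR).
export function isAllowedResource(resource: string | string[] | undefined): boolean {
  if (resource === undefined) return false;
  const list = Array.isArray(resource) ? resource : [resource];
  if (list.length === 0) return false;
  return list.every((r) => {
    const a = toAudience(r);
    return a !== null && validAudiences.has(a);
  });
}
```

The design choice worth noting is that `rebuild()` clears and refills the exported Sets rather than assigning new ones, so whatever captured `trustedOrigins` or `validAudiences` at startup sees the change immediately; recomputing from the full application map (instead of removing one entry) is what keeps a shared origin alive when only one of its applications is deleted or re-pointed.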