feat: OIDC provider for "Login with Pangolin" by mallendeo · Pull Request #2568 · fosrl/pangolin

mallendeo · 2026-03-01T03:58:11Z

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Implements Pangolin as an OIDC provider for “Login with Pangolin”, with full OAuth client management for admins and app-consent management for users.

See https://github.com/orgs/fosrl/discussions/21

Initial scaffolding/discovery was AI-assisted (Opus 4.6 / Codex 5.3); final code was manually reviewed and refactored.

What’s included

OAuth 2.0 Authorization Code flow with PKCE
OIDC endpoints: discovery, authorize, token, userinfo, JWKS, revoke
OIDC logout support:
- RP-initiated logout (end_session_endpoint)
- back-channel logout dispatch
Admin OAuth Clients UI: create, edit, delete, rotate secret, advanced settings
User "Connected Apps" page to revoke grants
Edit profile dialog (name, username) to support profile claims
Claims updates, including given_name, family_name, and org-scoped groups
i18n strings (English only, AI translation removed / out of scope)
SQLite + PostgreSQL schema/migration updates for v1.17.0

How to test

If upgrading from a previous install, route /.well-known to the API service.

In config/traefik/dynamic_config.yml, update the Next.js and API router rules:

next-router:
  rule: "Host(`yourdomain.com`) && !PathPrefix(`/api/v1`) && !PathPrefix(`/.well-known`)"
  # ...

api-router:
  rule: "Host(`yourdomain.com`) && (PathPrefix(`/api/v1`) || PathPrefix(`/.well-known`))"
  # ...

Restart Traefik after changing this.

Create an OAuth client

Go to Org Settings > OAuth Clients
Click Create Client
Fill in name, redirect URI, and scopes
Save the client ID and secret shown in the dialog

Verify discovery

curl https://yourdomain.com/.well-known/openid-configuration

Expected: JSON with fields like issuer, authorization_endpoint,
token_endpoint, userinfo_endpoint, jwks_uri, revocation_endpoint,
and end_session_endpoint.

Available scopes and claims

Scope	Claims
openid	sub
profile	name, preferred_username, given_name, family_name
email	email, email_verified
groups	groups (organization/role memberships, formatted like :)

Endpoints

Endpoint	Path
Discovery	/.well-known/openid-configuration
Authorization	/oauth/authorize (browser redirect)
Token	/api/v1/oauth/token
Userinfo	/api/v1/oauth/userinfo
JWKS	/api/v1/oauth/jwks
Revoke	/api/v1/oauth/revoke
Logout	/api/v1/oauth/logout

Demo

TODO

… redirect

…istency

…h-package

…ch, UI)

…mponents

mallendeo added 22 commits February 27, 2026 23:42

feat: implement oidc provider and oauth client management

8c48803

fix: localize oauth oidc ui strings

d915b8e

feat: refactor oauth clients ui to match pangolin patterns, fix login…

7c1d5aa

… redirect

fix: add missing oauth i18n keys to all locales

cb5be1f

fix: patch zod-to-openapi to support ZodCatch type

744ea72

feat: improve oauth consent page ui

3888e07

feat: add connected apps page for managing oauth consents

3763def

feat: add edit profile dialog for name and username

466b8ed

feat: add given_name and family_name to OIDC claims

59a93e2

fix: add missing i18n keys to all locales

4841ef8

fix: pre-PR cleanup for connected apps and edit profile

764a7a8

fix: address security issues in OAuth and user endpoints

c312cf2

fix: bug fixes and dead code removal

9cfc3d1

refactor: extract shared OAuth helpers and deduplicate utilities

bc2dec5

fix: address security and reliability issues in OAuth implementation

08887b5

refactor: use varchar() instead of text() in PG OAuth tables for cons…

556b2b5

…istency

fix: add missing i18n keys, reject secretless OAuth clients, pin patc…

203e281

…h-package

fix: address remaining review findings

000f21b

feat: translate new OAuth/OIDC i18n keys across all 15 locales

6d0481c

chore: bump version to 1.17.0 and rename migration scripts

ee58bd2

fix: remove generated migrations.ts from git tracking

ccc2a26

fix: improve OAuth client UI and route .well-known to API

1a12406

mallendeo force-pushed the feat/oidc-provider branch from c6dfd3a to 0196b71 Compare March 1, 2026 14:22

mallendeo added 3 commits March 1, 2026 11:36

fix: redesign oauth client settings pages

23a6b59

fix: move patch-package to dependencies for Docker build

d8ce36c

fix: remove duplicate section headers from oauth client pages

dd40e56

mallendeo changed the title ~~feat: OIDC provider~~ feat: OIDC provider for "Login with Pangolin" Mar 1, 2026

mallendeo added 3 commits March 1, 2026 17:54

revert: remove ai-translated i18n keys from non-English locales

2efdb99

feat: implement OIDC back-channel logout (RFC spec, DB schema, dispat…

f734274

…ch, UI)

fix: remove ALTER TABLE fallback from 1.17.0 migrations

3422454

mallendeo added 3 commits March 3, 2026 00:22

refactor: deduplicate OAuthClientRow type, move OAuthClientForm to co…

c195f38

…mponents

fix: add getOAuthClient action enum for single client route

4c0c0ed

fix: add logActionAudit to OAuth client CRUD routes

e9aef4e

mallendeo force-pushed the feat/oidc-provider branch 2 times, most recently from 4e3c4f5 to 9b15e5c Compare March 3, 2026 12:57

mallendeo added 3 commits March 3, 2026 15:50

fix: tighten oauth logout token activity checks

9f51402

refactor: dedupe stale cleanup and type pg migration errors

493d0ed

refactor: simplify login flow and remove frontend any catches

13ecbec

mallendeo force-pushed the feat/oidc-provider branch from c932656 to 99d400e Compare March 3, 2026 22:44

mallendeo added 19 commits March 14, 2026 15:35

fix: harden oauth backchannel logout SSRF guard

742e8c3

fix: require id token hint for oauth logout revocation

13e686e

fix: scope oauth authorization to client org

354b97d

fix: sanitize custom login page redirect handoff

9d02412

fix: revoke oauth access tokens when disabling client

98abd72

fix: revoke oauth tokens before logout response

97dedca

fix: enforce current client scopes on refresh

8341267

fix: revalidate client state during consent approval

f210f0a

fix: revoke oauth grants on client secret rotation

9386197

fix: purge soft revoked oauth refresh tokens

6c1af5c

fix: rate limit oauth logout endpoint

2289020

fix: revoke outstanding oauth auth codes on logout

1538cdb

fix: require offline access scope for refresh tokens

7b96d19

fix: revoke stale oauth consent interactions

fee17de

fix: revalidate oauth token use against client org membership

3b04017

feat: add per-client oidc global logout option

9bf41c3

fix: bind oauth token consumption to client id

1428757

fix: revoke oauth grant families by grant id

9800e80

fix: accept active signing keys for oidc logout

3d580bb

mallendeo force-pushed the feat/oidc-provider branch from 99d400e to 3d580bb Compare March 14, 2026 23:52

fix: localize oauth client logout labels

d1bc400

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: OIDC provider for "Login with Pangolin"#2568

feat: OIDC provider for "Login with Pangolin"#2568
mallendeo wants to merge 91 commits intofosrl:devfrom
mallendeo:feat/oidc-provider

mallendeo commented Mar 1, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

mallendeo commented Mar 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Community Contribution License Agreement

Description

What’s included

How to test

Create an OAuth client

Verify discovery

Available scopes and claims

Endpoints

Demo

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

mallendeo commented Mar 1, 2026 •

edited

Loading