OIDC Server

[jmattheis]

This MR:

• Refactors the auth handling by replacing the old requireToken / callback structure with a simpler approach.
• Adds cookie-based token reading and /auth/local/{login,logout} endpoints for web UI authentication.
  • Without this, we'd have to redirect to an url https://gotify-ui.net/#/oidc/callback?token=... to store the token in the local storage. Using cookies seems to be more easy than securing this against CSRF and stuff. Also with HttpOnly cookies we guard against pontential token exposures.
  • Secure cookies are supported but disabled by default to avoid breaking existing HTTP installations. We could detect HTTPS via the Referer or X-Forwarded-Proto headers in the future.
• Add /gotifyinfo endpoint. In the android app we need to know if oidc is enabled, and the android app also displays the version. I didn't want to add this information to the /version endpoint so it's a new endpoint. I don't really like the naming, but I wanted something unique so that the android app can be sure it's a gotify/server instance.

Web UI: Standard OAuth2 Authorization Code + PKCE

This is the standard OIDC implementation with a library.

• A "Login with OIDC" button appears when OIDC is enabled (This is only visible in the production build, when the UI is served by gotify/server)
• Clicking it redirects to GET /auth/oidc/login, which then redirects to the IdP.
• After authentication the IdP redirects to /auth/oidc/callback, which:
  1. Exchanges the authorization code for tokens.
  2. Resolves the user via the userinfo endpoint (creating the user if configured).
  3. Creates a Gotify client, sets the session cookie, and redirects to the UI.

Android App flow

Android's recommended App Links (verified domains) aren't usable here because the server is self-hosted at a user-chosen domain.

I guess most of the android app, are doing their own OIDC flow against the IdP server to then obtain a token from the IdP server to then access the resources with the token. In our case, we need a client token from gotify.

We could let the android app do the whole OIDC flow, but this would require us to have a public oauth2 client, as we don't want to store the client_secret in the android app. Requesting the client secret from the server seems like a bad idea.

Another simple implementation would be to do the same flow as the Web-UI, but in the end redirecting to a custom URI scheme like gotify://oidc/callback?token=C123123123 and then using this token for authentication. I've decided against this because the custom URI scheme can be set by any app, and therefore intercept the token.

PKCE was exactly made to prevent this, so I've searched for a way to still get the benefits from PKCE, but not having to reimplement a OIDC like handshake.

This flow is non standard but it's basically stolen from Vaultwarden. I'm not that deep in security, but I'd expect they spend some time designing this, and ensuring it's secure.

It works like this.

1. The app generates a PKCE code_verifier / code_challenge pair.
2. The app POST /auth/oidc/external/authorize with code_challenge, a custom-scheme redirect_uri, and a client name. The server stores a pending session keyed by a random state token, and then reponds with the the authorization URL + state. Vaultwarden 1, Vaultwarden 2,
3. The app opens the authorization URL in a browser. The IdP authenticates the user and redirects to the app's custom URI (gotify://oidc/callback) with code and state.
4. POST /auth/oidc/external/token with code, state, and code_verifier. The server gets the pending session, relays the code_verifier to the IdP for PKCE validation, exchanges the code for tokens, resolves the user, and returns a Gotify client token + user info. Vaultwarden 1, Vaultwarden 2

PKCE is required, and only verified by the IdP. We could support non PKCE IdP by manually validating the challange on the /auth/oidc/external/token endpoint, simliar to Vaultwarden Impl, but I think most of the Idp will support PKCE, so it's required until someone requests it.

For testing I've added Dex and Authelia config in ./test/oidc.

Related MRs:

• OIDC Documentation website#100
• OIDC Android android#444

I've manually tested this with:

• Web-UI: Dex (on root, and subpath /gotify/ with a reverse proxy) and authelia
• Android with Dex and Authelia

Disclaimer: this PR was created with AI assistance.

[codecov]

Codecov Report

❌ Patch coverage is 53.80435% with 170 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.69%. Comparing base (1434380) to head (2674f72).

Files with missing lines	Patch %	Lines
api/oidc.go	25.85%	104 Missing and 5 partials ⚠️
auth/authentication.go	77.88%	11 Missing and 12 partials ⚠️
api/session.go	55.31%	13 Missing and 8 partials ⚠️
router/router.go	52.38%	8 Missing and 2 partials ⚠️
decaymap/decaymap.go	80.00%	4 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #941      +/-   ##
==========================================
- Coverage   78.70%   75.69%   -3.01%     
==========================================
  Files          57       61       +4     
  Lines        2517     2786     +269     
==========================================
+ Hits         1981     2109     +128     
- Misses        397      523     +126     
- Partials      139      154      +15     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jmattheis]

Stuff I changed:

• Removed the client name from the state
• Used the decay map (Splitted into two commits, my modifications are separate)
• Added a client source to the api / ui

For inactive client deleting I've created #943, it's probably a bigger change, when all models get a createdAt field. So I didn't want to pollute this PR.

[jmattheis]

@eternal-flame-AD Can you recheck the review fixes? I merge this then, and do the step up auth in a separate MR to not have a big MR with all changes in it.

[eternal-flame-AD]

Sure, will take a look tomorrow , sorry have been busy

[eternal-flame-AD]

Wait why do we still need this source field? Seems a little arbitrary .. If there is a planned behavior that depends on this field we should have a fixed list of permitted values, if not I would say just remove it or use a more generic "comment" field.

lgtm otherwise, I'm not going to do a functional test as I'm unfamiliar with the technology so likely can't give advice better than it works or it doesn't. Your plan of putting it on docker for the proponents to test it seems like a good next step.

[jmattheis]

Wait why do we still need this source field? Seems a little arbitrary .. If there is a planned behavior that depends on this field we should have a fixed list of permitted values, if not I would say just remove it or use a more generic "comment" field.

I intended it to be used for the step up auth. When doing the session elevation, we need to know if we should present oidc or password authentication to the user. This could be based on the client source.

We could let the user decide for session elevation which authentication method to use, as it doesn't really matter for the gotify side if the same authentication was used for creating the client.

I think I'd prefer letting the user chose on session elevation, as this makes the logic simpler. What do you think?

[eternal-flame-AD]

I intended it to be used for the step up auth. When doing the session elevation, we need to know if we should present oidc or password authentication to the user. This could be based on the client source.

I would say let the user decide and don't worry about it. You can even reuse the login UI component.

Memorizing the original auth method feels to be achieving very little to me at least in term of security, might as well give the user the option to use either at the time of use. If you meant it as a convenience (so user don't have to select the auth method at the step up prompt) I don't think it's worth the complexity, and we still must have a list of permitted value instead of a freestyle field.

I can't think of a scenario where you would want to have a user to have client A (that must be stepped up with the user password) but client B which must be stepped up with OIDC instead, especially considering all clients are equal.

If the goal is to prevent the user from switching authentication methods: just mark the user with a login_method field or bitmask seems to be most straightforward and standard to me. (I.e. each user can be userpass only, OIDC only, oe both)

[jmattheis]

Okay, removed the client source commit(s).