feat(backend): add OIDC JWT issuance and revocation#378
Open
kimanicode wants to merge 1 commit into
Open
Conversation
kimanicode
force-pushed
the
feat/oidc-jwt-issuance-218
branch
from
July 17, 2026 14:55
9c41ad4 to
a600911
Compare
kimanicode
force-pushed
the
feat/oidc-jwt-issuance-218
branch
from
July 17, 2026 15:33
a600911 to
009c3c5
Compare
| // SHA-256 fingerprint of a high-entropy API key/client secret for | ||
| // exact-match lookup (matches ApiKeyGuard and ApiKey.keyHash), not | ||
| // password hashing. | ||
| return createHash('sha256').update(rawClientSecret).digest('hex'); // lgtm[js/insufficient-password-hash] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements OIDC-compatible JWT issuance and revocation for the backend.
Closes #218.
Adds AuthOidcModule with /oauth/token, /oauth/userinfo, /oauth/introspect, and /oauth/revoke.
Issues RS256 access and refresh tokens using PEM keys from JWT_PRIVATE_KEY / JWT_PUBLIC_KEY.
Embeds jti, role, token use, NGO/API-key scope, issuer, audience, issued-at, and expiry claims.
Adds JwtAuthGuard, which verifies JWTs with jose@^4, checks Redis revocation state, and populates the existing request.user shape with authType: 'jwt'.
Uses the existing hand-rolled cache/redis.service.ts raw ioredis client for revocation sorted-set operations (zadd, zscore, zremrangebyscore).
Keeps ApiKeyGuard unchanged and adds regression coverage confirming API-key behavior still works.
No existing password/login flow exists in src/auth, so /oauth/token supports client_credentials using the existing ChainForge API key as client_secret, plus refresh_token.
Testing
Results:
Notes:
Screenshots
N/A
Checklist