Skip to content

feat(backend): add OIDC JWT issuance and revocation#378

Open
kimanicode wants to merge 1 commit into
ChainForgee:mainfrom
kimanicode:feat/oidc-jwt-issuance-218
Open

feat(backend): add OIDC JWT issuance and revocation#378
kimanicode wants to merge 1 commit into
ChainForgee:mainfrom
kimanicode:feat/oidc-jwt-issuance-218

Conversation

@kimanicode

Copy link
Copy Markdown
Contributor

Summary

Implements OIDC-compatible JWT issuance and revocation for the backend.
Closes #218.

Adds AuthOidcModule with /oauth/token, /oauth/userinfo, /oauth/introspect, and /oauth/revoke.
Issues RS256 access and refresh tokens using PEM keys from JWT_PRIVATE_KEY / JWT_PUBLIC_KEY.
Embeds jti, role, token use, NGO/API-key scope, issuer, audience, issued-at, and expiry claims.
Adds JwtAuthGuard, which verifies JWTs with jose@^4, checks Redis revocation state, and populates the existing request.user shape with authType: 'jwt'.
Uses the existing hand-rolled cache/redis.service.ts raw ioredis client for revocation sorted-set operations (zadd, zscore, zremrangebyscore).
Keeps ApiKeyGuard unchanged and adds regression coverage confirming API-key behavior still works.
No existing password/login flow exists in src/auth, so /oauth/token supports client_credentials using the existing ChainForge API key as client_secret, plus refresh_token.

Testing

  • pnpm --filter backend exec tsc --noEmit -p tsconfig.json
  • pnpm build
  • pnpm --filter backend test
  • pnpm --filter backend test -- api-key.guard.spec.ts
  • cd app/backend && pnpm test:e2e -- auth-oidc.e2e-spec.ts

Results:

  • Backend type-check passed.
  • Full repo build passed.
  • Backend test suite passed: 46 passed, 1 skipped.
  • Existing ApiKeyGuard suite passed unchanged: 7 passed.
  • OIDC E2E flow passed: issue -> userinfo -> refresh -> revoke -> introspect inactive.

Notes:

  • pnpm lint at repo root fails in app/mobile due an existing ESLint ESM/CJS config issue.
  • pnpm test at repo root fails in app/mobile due an existing Jest runtime/mock mismatch.
  • Backend lint completes with existing warnings and no errors.

Screenshots

N/A

Checklist

  • Tests added or updated for new/changed behavior
  • Existing backend tests pass
  • No secrets, keys, or seed phrases committed
  • Follows the coding conventions in the relevant service README
  • PR is focused on a single concern

Comment thread app/backend/src/auth-oidc/token.service.ts Fixed
@kimanicode
kimanicode force-pushed the feat/oidc-jwt-issuance-218 branch from 9c41ad4 to a600911 Compare July 17, 2026 14:55
Comment thread app/backend/src/auth-oidc/token.service.ts Fixed
@kimanicode
kimanicode force-pushed the feat/oidc-jwt-issuance-218 branch from a600911 to 009c3c5 Compare July 17, 2026 15:33
// SHA-256 fingerprint of a high-entropy API key/client secret for
// exact-match lookup (matches ApiKeyGuard and ApiKey.keyHash), not
// password hashing.
return createHash('sha256').update(rawClientSecret).digest('hex'); // lgtm[js/insufficient-password-hash]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

JWT issuance and revocation via OIDC for frontend (and JWT backend)

2 participants