yujunjun/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2025-07-24 09:20:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
ragflow/api/apps/auth
History
yurhett 9c6c6c51e0
Fix: use jwks_uri from OIDC metadata for JWKS client (#8136) 
### What problem does this PR solve?
Issue: #8051

The current implementation assumes JWKS endpoints follow the standard
`/.well-known/jwks.json` convention. This breaks authentication for OIDC
providers that use non-standard JWKS paths, resulting in 404 errors
during token validation.

Root Cause Analysis
- The OpenID Connect specification doesn't mandate a fixed path for JWKS
endpoints
- Some identity providers (like certain Keycloak configurations) use
custom endpoints
- Our previous approach constructed JWKS URLs by convention rather than
discovery

### Solution Approach
Instead of constructing JWKS URLs by appending to the issuer URI, we
now:
1. Properly leverage the `jwks_uri` from the OIDC discovery metadata
2. Honor the identity provider's actual configured endpoint

```python
# Before (fragile approach)
jwks_url = f"{self.issuer}/.well-known/jwks.json"

# After (standards-compliant)
jwks_cli = jwt.PyJWKClient(self.jwks_uri)  # Use discovered endpoint
```

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
2025-06-10 10:16:58 +08:00
..
__init__.py
Refa: Deprecate /github_callback in favor of /oauth/callback/<channel> for GitHub OAuth integration (#7587)
2025-05-15 14:39:37 +08:00
github.py
Refa: Deprecate /github_callback in favor of /oauth/callback/<channel> for GitHub OAuth integration (#7587)
2025-05-15 14:39:37 +08:00
oauth.py
Feat: Add OAuth state parameter for CSRF protection (#7709)
2025-05-20 09:40:31 +08:00
oidc.py
Fix: use jwks_uri from OIDC metadata for JWKS client (#8136)
2025-06-10 10:16:58 +08:00
README.md
Docs: Improve oauth configuration documentation and examples (#7675)
2025-05-16 14:17:39 +08:00

README.md

Auth

The Auth module provides implementations of OAuth2 and OpenID Connect (OIDC) authentication for integration with third-party identity providers.

Features

  • Supports both OAuth2 and OIDC authentication protocols
  • Automatic OIDC configuration discovery (via /.well-known/openid-configuration)
  • JWT token validation
  • Unified user information handling

Usage

# OAuth2 configuration
oauth_config = {
    "type": "oauth2",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "authorization_url": "https://your-oauth-provider.com/oauth/authorize",
    "token_url": "https://your-oauth-provider.com/oauth/token",
    "userinfo_url": "https://your-oauth-provider.com/oauth/userinfo",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
}

# OIDC configuration
oidc_config = {
    "type": "oidc",
    "issuer": "https://your-oauth-provider.com/oidc",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
}

# Github OAuth configuration
github_config = {
    "type": "github"
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
}

# Get client instance
client = get_auth_client(oauth_config)

Authentication Flow

  1. Get authorization URL:
auth_url = client.get_authorization_url()
  1. After user authorization, exchange authorization code for token:
token_response = client.exchange_code_for_token(authorization_code)
access_token = token_response["access_token"]
  1. Fetch user information:
user_info = client.fetch_user_info(access_token)

User Information Structure

All authentication methods return user information following this structure:

{
    "email": "user@example.com",
    "username": "username",
    "nickname": "User Name",
    "avatar_url": "https://example.com/avatar.jpg"
}