Simplify echo-http authentication to environment-based OAuth2/OIDC#24
Merged
lambdalisue merged 9 commits intomainfrom Jan 6, 2026
Merged
Simplify echo-http authentication to environment-based OAuth2/OIDC#24lambdalisue merged 9 commits intomainfrom
lambdalisue merged 9 commits intomainfrom
Conversation
…ation Rename environment variables from OIDC_* prefix to hierarchical AUTH_* prefix system to prepare for OAuth2 Client Credentials Grant support. The new naming separates concerns: - AUTH_*: OAuth2-wide config (client validation, scopes, tokens) - AUTH_CODE_*: Authorization Code Flow specific (PKCE, sessions, redirects) - OIDC_*: OIDC-specific features (id_token signing) This enables sharing client validation and scope configuration across multiple OAuth2 grant types while maintaining clear boundaries between flow-specific settings. BREAKING CHANGE: All OIDC_* environment variables renamed: - OIDC_CLIENT_ID → AUTH_ALLOWED_CLIENT_ID - OIDC_CLIENT_SECRET → AUTH_ALLOWED_CLIENT_SECRET - OIDC_SUPPORTED_SCOPES → AUTH_SUPPORTED_SCOPES - OIDC_TOKEN_EXPIRY → AUTH_TOKEN_EXPIRY - OIDC_REQUIRE_PKCE → AUTH_CODE_REQUIRE_PKCE - OIDC_SESSION_TTL → AUTH_CODE_SESSION_TTL - OIDC_VALIDATE_REDIRECT_URI → AUTH_CODE_VALIDATE_REDIRECT_URI - OIDC_ALLOWED_REDIRECT_URIS → AUTH_CODE_ALLOWED_REDIRECT_URIS
Separate OIDC endpoints from Authentication endpoints and consolidate all environment variables into a dedicated top-level section. The new structure improves discoverability: - Environment Variables section moved to front (after Base URL) - Server and OAuth2/OIDC configs grouped by category - OIDC endpoints elevated to independent top-level section - Authentication endpoints now only cover Basic/Bearer auth This separation clarifies that OIDC is a full-featured OAuth2 protocol distinct from simple authentication mechanisms, and prepares the documentation for additional OAuth2 grant types (Client Credentials).
Standardizes documentation structure across echo-grpc, echo-graphql, and echo-connectrpc to match echo-http's layout. This improves consistency and makes configuration easier to find. Changes: - Move Environment Variables to top-level section after Base URL - Add Server Configuration subsection (HOST, PORT) to all servers - Remove redundant Endpoints table from echo-graphql - Add visual separator (---) between config and content sections - Standardize default value formatting with backticks All servers now follow: Base URL → Environment Variables → Content
Implements OAuth2 and OpenID Connect endpoints alongside existing
path-based OIDC handlers to support both hardcoded testing scenarios
and environment-configured deployments.
New capabilities:
- Authorization Code flow with optional PKCE
- Client Credentials grant
- Resource Owner Password Credentials grant
- OAuth2/OIDC discovery metadata endpoints
- JWKS endpoint for public key distribution
- UserInfo endpoint with scope-based claims
- Session management with configurable TTL
Configuration via environment variables:
- AUTH_ALLOWED_GRANT_TYPES: Supported OAuth2 grant types
- AUTH_ALLOWED_USERNAME/PASSWORD: Resource owner credentials
- Existing AUTH_* variables for client validation, scopes, expiry
Routes added under /oauth2/* namespace maintain separation from
existing /oidc/{user}/{pass}/* path-based testing endpoints.
Introduces Basic Auth endpoint that validates credentials against environment variables (AUTH_ALLOWED_USERNAME, AUTH_ALLOWED_PASSWORD). This provides a simple authentication mechanism alongside the existing OAuth2/OIDC endpoints. Capabilities: - Standard Basic Auth with RFC 7617 compliance - Credentials validated from environment configuration - Helpful error messages with curl examples - WWW-Authenticate challenge header on failures Route added: - GET /basic-auth - Validates Basic Auth credentials The implementation follows the same pattern as OAuth2 handlers, using the global config for credential validation and providing developer-friendly error responses with working examples.
…dentials
Introduces Bearer token endpoint that validates SHA1(username:password)
tokens against environment variables (AUTH_ALLOWED_USERNAME,
AUTH_ALLOWED_PASSWORD). This complements Basic Auth by providing
token-based authentication for testing scenarios.
Capabilities:
- Bearer token validation using SHA1 hash algorithm
- Constant-time comparison to prevent timing attacks
- Case-insensitive "Bearer" scheme recognition
- Helpful error messages with token generation examples
- WWW-Authenticate challenge header on failures
Route added:
- GET /bearer-auth - Validates Bearer token (SHA1 hash)
Token format: SHA1("username:password") encoded as hex string.
This provides a simple token derivation method for testing OAuth2
clients that require Bearer authentication.
Remove BasicAuthHandler, HiddenBasicAuthHandler, and BearerHandler
implementations. These URL path-based handlers were an experimental
approach that proved less practical than environment-based
authentication. The AuthResponse type is retained as it may be useful
for future authentication implementations.
BREAKING CHANGE: /basic-auth/{user}/{pass}, /hidden-basic-auth/{user}/{pass},
and /bearer endpoints are no longer available.
Remove the /oidc/{user}/{pass}/* endpoint implementation. The path-based
authentication approach made credential management difficult and exposed
credentials in URLs (a security anti-pattern). The environment-based
OAuth2/OIDC implementation (/.well-known/* endpoints) provides a more
secure and standards-compliant alternative.
BREAKING CHANGE: /oidc/{user}/{pass}/* endpoints (discovery, authorize,
callback, token, userinfo, demo) are no longer available.
…ntication Remove documentation for path-based authentication endpoints that were deleted in commits 35cf881 and 763416b. Update to reflect current environment-based implementation: - Replace /basic-auth/{user}/{pass} with /basic-auth - Replace /hidden-basic-auth/{user}/{pass} (removed entirely) - Replace /bearer with /bearer-auth - Replace /oidc/{user}/{pass}/* with /oauth2/* and /.well-known/* Clarify Bearer authentication requires both AUTH_ALLOWED_USERNAME and AUTH_ALLOWED_PASSWORD to compute SHA1(username:password) token. Add token generation examples for easier testing.
There was a problem hiding this comment.
Pull request overview
This PR refactors the echo-http authentication system from path-based credentials to environment-based OAuth2/OIDC authentication. The changes remove deprecated endpoints that exposed credentials in URL paths and replace them with standard OAuth2/OIDC discovery endpoints that use environment variables for credential configuration.
Key Changes:
- Environment-based authentication using
AUTH_*environment variables instead of path-based credentials - New OAuth2 token endpoint supporting multiple grant types (authorization_code, client_credentials, password, refresh_token)
- Standard OAuth2/OIDC discovery endpoints (
/.well-known/*,/oauth2/*)
Reviewed changes
Copilot reviewed 31 out of 32 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| echo-http/main.go | Updated routing to use new OAuth2/OIDC endpoints, removed path-based auth routes |
| echo-http/config.go | Renamed environment variables from OIDC_* to AUTH_* prefix, added new auth configuration |
| echo-http/handlers/config.go | Updated Config struct with new OAuth2/OIDC configuration fields |
| echo-http/handlers/auth.go | Simplified to only contain AuthResponse type definition |
| echo-http/handlers/basic_auth.go | New environment-based Basic Auth handler with helpful error messages |
| echo-http/handlers/bearer_auth.go | New Bearer token handler using SHA1(username:password) for token generation |
| echo-http/handlers/oauth2_*.go | New OAuth2/OIDC implementation with discovery, authorization, token, and utility handlers |
| echo-http/handlers/oidc*.go | Removed old path-based OIDC implementation |
| echo-http/README.md | Updated documentation with new endpoints and usage examples |
| echo-*/docs/api.md | Standardized API documentation structure across all echo servers |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+512
to
+525
| ### GET /bearer-auth | ||
|
|
||
| Similar to `/basic-auth` but returns 404 instead of 401 on authentication failure. | ||
| Useful for testing authentication without browser prompts. | ||
| Validate Bearer token authentication. The expected token is SHA1(username:password). | ||
|
|
||
| | Parameter | Type | Description | | ||
| | --------- | ------ | ----------------- | | ||
| | `user` | string | Expected username | | ||
| | `pass` | string | Expected password | | ||
| Configure credentials via environment variables: | ||
|
|
||
| ```bash | ||
| curl -u testuser:testpass http://localhost:80/hidden-basic-auth/testuser/testpass | ||
| ``` | ||
| - `AUTH_ALLOWED_USERNAME`: Username | ||
| - `AUTH_ALLOWED_PASSWORD`: Password | ||
|
|
||
| ### GET /bearer | ||
| Generate the token: | ||
|
|
||
| Validate Bearer token authentication. Returns 200 if a valid Bearer token is present, | ||
| 401 otherwise. | ||
| ```bash | ||
| echo -n "username:password" | shasum -a 1 | cut -d' ' -f1 | ||
| ``` |
There was a problem hiding this comment.
This documentation defines the Bearer auth token as SHA1(username:password), which relies on the weak and deprecated SHA1 hash of low-entropy credentials as the sole authentication secret. An attacker who guesses or learns the username/password can trivially recompute this deterministic, unsalted hash, making the Bearer token easy to forge and undermining any expectation of token strength. For any usage beyond very limited local testing, use a cryptographically strong, random bearer token format (or at least a modern hash/KDF) instead of SHA1 of credentials.
Comment on lines
+627
to
+628
| - Returns an empty key set because this implementation uses `alg: "none"` (no signature) | ||
| - In a production OIDC provider, this would contain public keys in JWK format |
There was a problem hiding this comment.
The docs describe ID tokens using JWT with id_token_signing_alg_values_supported: ["none"] and an empty JWKS set, meaning clients are expected to accept completely unsigned tokens. Any relying party that treats these ID tokens as proof of identity can have authentication trivially bypassed by an attacker who forges a JWT with alg: "none", since there is no cryptographic verification. Make it extremely clear that this configuration must never be used in production and, for stronger guarantees even in tests, prefer signed tokens with a proper key pair advertised via JWKS.
Suggested change
| - Returns an empty key set because this implementation uses `alg: "none"` (no signature) | |
| - In a production OIDC provider, this would contain public keys in JWK format | |
| - This example returns an empty key set because this demo implementation issues unsigned ID tokens with `alg: "none"` (no signature). | |
| - **Do not use this configuration in production.** Relying parties must not treat unsigned ID tokens as proof of identity, because they can be trivially forged and bypass authentication. | |
| - For any non-trivial testing and all production deployments, configure signed tokens (for example, `RS256`) and expose the corresponding public keys here in JWK format so clients can verify token signatures. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Why
The previous implementation used credentials in URL paths (
/basic-auth/{user}/{pass},/oidc/{user}/{pass}/*), which created security and usability issues:The new environment-based approach:
/.well-known/*,/oauth2/*)Bearer authentication now uses SHA1(username:password) for predictable token generation, making it easier to script tests.
Breaking Changes
/basic-auth/{user}/{pass},/hidden-basic-auth/{user}/{pass},/bearer/oidc/{user}/{pass}/*endpoints/basic-auth,/bearer-auth(environment-based)/oauth2/*and/.well-known/*endpointsOIDC_*toAUTH_*prefix for consistencyTest Plan