Feat: Add /login/channels route and improve auth logic for frontend third-party login integration (#7521)

### What problem does this PR solve? Add `/login/channels` route and improve auth logic to support frontend integration with third-party login providers: - Add `/login/channels` route to provide authentication channel list with `display_name` and `icon` - Optimize user info parsing logic by prioritizing `avatar_url` and falling back to `picture` - Simplify OIDC token validation by removing unnecessary `kid` checks - Ensure `client_id` is safely cast to string during `audience` validation - Fix typo --- - Related pull request: #7379 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
2025-12-08 20:42:30 +08:00 · 2025-05-08 10:23:19 +08:00
parent 014a1535f2
commit e349635a3d
6 changed files with 42 additions and 14 deletions
--- a/api/apps/auth/README.md
+++ b/api/apps/auth/README.md
@ -20,7 +20,7 @@ oauth_config = {
    "authorization_url": "https://provider.com/oauth/authorize",
    "token_url": "https://provider.com/oauth/token",
    "userinfo_url": "https://provider.com/oauth/userinfo",
-    "redirect_uri": "https://your-app.com/oauth/callback/<channel>"
+    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
 }

 # OIDC configuration
@ -29,7 +29,7 @@ oidc_config = {
    "issuer": "https://provider.com/v1/oidc",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
-    "redirect_uri": "https://your-app.com/oauth/callback/<channel>"
+    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
 }

 # Get client instance
--- a/api/apps/auth/oauth.py
+++ b/api/apps/auth/oauth.py
@ -102,5 +102,7 @@ class OAuthClient:
        email = user_info.get("email")
        username = user_info.get("username", str(email).split("@")[0])
        nickname = user_info.get("nickname", username)
-        avatar_url = user_info.get("picture", "")
+        avatar_url = user_info.get("avatar_url", None)
+        if avatar_url is None:
+            avatar_url = user_info.get("picture", "")
        return UserInfo(email=email, username=username, nickname=nickname, avatar_url=avatar_url)
--- a/api/apps/auth/oidc.py
+++ b/api/apps/auth/oidc.py
@ -39,6 +39,7 @@ class OIDCClient(OAuthClient):
        })

        super().__init__(config)
+        self.issuer = config['issuer']
        self.jwks_uri = config['jwks_uri']


@ -60,11 +61,8 @@ class OIDCClient(OAuthClient):
        Parse and validate OIDC ID Token (JWT format) with signature verification.
        """
        try:
-            # Decode JWT header to extract key ID (kid) without verifying signature
+            # Decode JWT header without verifying signature
            headers = jwt.get_unverified_header(id_token)
-            kid = headers.get("kid")
-            if not kid:
-                raise ValueError("ID Token missing 'kid' in header")
            
            # OIDC usually uses `RS256` for signing
            alg = headers.get("alg", "RS256")
@ -79,7 +77,7 @@ class OIDCClient(OAuthClient):
                id_token,
                key=signing_key,
                algorithms=[alg],  
-                audience=self.client_id,
+                audience=str(self.client_id),
                issuer=self.issuer,
            )
            return decoded_token