feat: add option to OIDC client to require re-authentication (#747)

Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>
2026-02-14 19:22:29 +00:00 · 2025-08-22 08:56:40 +02:00
parent 7ab0fd3028
commit 0cb039d35d
22 changed files with 362 additions and 44 deletions
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -3,10 +3,11 @@ package dto
 import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"

 type OidcClientMetaDataDto struct {
-	ID        string  `json:"id"`
-	Name      string  `json:"name"`
-	HasLogo   bool    `json:"hasLogo"`
-	LaunchURL *string `json:"launchURL"`
+	ID                       string  `json:"id"`
+	Name                     string  `json:"name"`
+	HasLogo                  bool    `json:"hasLogo"`
+	LaunchURL                *string `json:"launchURL"`
+	RequiresReauthentication bool    `json:"requiresReauthentication"`
 }

 type OidcClientDto struct {
@@ -29,13 +30,14 @@ type OidcClientWithAllowedGroupsCountDto struct {
 }

 type OidcClientCreateDto struct {
-	Name               string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
-	CallbackURLs       []string                 `json:"callbackURLs"`
-	LogoutCallbackURLs []string                 `json:"logoutCallbackURLs"`
-	IsPublic           bool                     `json:"isPublic"`
-	PkceEnabled        bool                     `json:"pkceEnabled"`
-	Credentials        OidcClientCredentialsDto `json:"credentials"`
-	LaunchURL          *string                  `json:"launchURL" binding:"omitempty,url"`
+	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
+	CallbackURLs             []string                 `json:"callbackURLs"`
+	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs"`
+	IsPublic                 bool                     `json:"isPublic"`
+	PkceEnabled              bool                     `json:"pkceEnabled"`
+	RequiresReauthentication bool                     `json:"requiresReauthentication"`
+	Credentials              OidcClientCredentialsDto `json:"credentials"`
+	LaunchURL                *string                  `json:"launchURL" binding:"omitempty,url"`
 }

 type OidcClientCredentialsDto struct {
@@ -50,12 +52,13 @@ type OidcClientFederatedIdentityDto struct {
 }

 type AuthorizeOidcClientRequestDto struct {
-	ClientID            string `json:"clientID" binding:"required"`
-	Scope               string `json:"scope" binding:"required"`
-	CallbackURL         string `json:"callbackURL"`
-	Nonce               string `json:"nonce"`
-	CodeChallenge       string `json:"codeChallenge"`
-	CodeChallengeMethod string `json:"codeChallengeMethod"`
+	ClientID              string `json:"clientID" binding:"required"`
+	Scope                 string `json:"scope" binding:"required"`
+	CallbackURL           string `json:"callbackURL"`
+	Nonce                 string `json:"nonce"`
+	CodeChallenge         string `json:"codeChallenge"`
+	CodeChallengeMethod   string `json:"codeChallengeMethod"`
+	ReauthenticationToken string `json:"reauthenticationToken"`
 }

 type AuthorizeOidcClientResponseDto struct {