Skip to content

feat: add OIDC behaviour and JWT validation#4

Merged
Taure merged 2 commits intomainfrom
feat/oidc-behaviour
Mar 30, 2026
Merged

feat: add OIDC behaviour and JWT validation#4
Taure merged 2 commits intomainfrom
feat/oidc-behaviour

Conversation

@Taure
Copy link
Copy Markdown
Contributor

@Taure Taure commented Mar 30, 2026

Summary

  • nova_auth_oidc behaviour for OIDC provider configuration (providers, scopes, claims mapping)
  • nova_auth_oidc_jwt module for JWT payload decoding and claims mapping via nova_auth_claims

Test plan

  • Compiles clean
  • xref + dialyzer pass
  • Integration test with real OIDC provider

@Taure
feat: add OIDC behaviour and JWT validation module
fae8bce 
nova_auth_oidc defines the callback for OIDC provider configuration
(providers, scopes, claims mapping). nova_auth_oidc_jwt validates
ID tokens and maps claims to actor maps via nova_auth_claims.
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 30, 2026
edited
Loading

🟠 Code Coverage — 65%

173 of 266 lines covered.

🛡️ Security Audit

No vulnerabilities found in 12 dependencies.

ℹ️ 11 OTP CVEs auto-ignored (already fixed in running version)

These CVEs are patched in the installed OTP version but NVD data
has not been updated to reflect this. They are excluded from the
scan via an auto-generated .trivyignore.

CVE Details
CVE-2026-23943 Fixed in 28.4.1, running 28.4.1 — Pre-auth SSH DoS via unbounded zlib inflate
CVE-2026-23942 Fixed in 28.4.1, running 28.4.1 — SFTP root escape via component-agnostic prefix check in ssh_sftpd
CVE-2026-23941 Fixed in 28.4.1, running 28.4.1 — Request smuggling via first-wins Content-Length parsing in inets httpd
CVE-2026-21620 Fixed in 28.3.2, running 28.4.1 — TFTP Path Traversal
CVE-2016-1000107 Fixed in 28.0.4, running 28.4.1 — Httpd CGI Scripts Environment Variable Pollution AKA "httpoxy"
CVE-2025-58050 Fixed in 28.0.3, running 28.4.1 — Buffer Read Overflow on Regular Expressions with (*scs:) and (*ACCEPT)
CVE-2025-48038 Fixed in 28.0.3, running 28.4.1 — SSH Unverified File Handles can Cause Excessive Use of System Resources
CVE-2025-48039 Fixed in 28.0.3, running 28.4.1 — SSH Unverified Paths can Cause Excessive Use of System Resources
CVE-2025-48040 Fixed in 28.0.3, running 28.4.1 — SSH Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
CVE-2025-48041 Fixed in 28.0.3, running 28.4.1 — SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
CVE-2025-4748 Fixed in 28.0.1, running 28.4.1 — Absolute Path in Zip Module

@Taure Taure merged commit 43f21c8 into main Mar 30, 2026
16 checks passed
@Taure Taure deleted the feat/oidc-behaviour branch March 30, 2026 18:07
Taure added a commit that referenced this pull request Mar 31, 2026
@Taure
fix: start kura app in integration test setup (#7)
a45adef 
* feat: unified actor session and claims mapping

* feat: add unified actor session and claims mapping

Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims
for provider claim transformation, and allow_claim/2 policy. Make kura
optional so OIDC-only apps don't need a database. Simplify security
callbacks to use the shared actor session.

* fix: remove unused NOVA_AUTH_ACTOR_SESSION_KEY macro

Hank flagged it as dead code — the session key is defined locally
in nova_auth_actor instead.

* docs: update README and guides for unified actor session

- Update README to reflect optional kura, actor session, and link to nova_auth_oidc
- Update getting-started guide with OIDC-only and password auth paths
- Update configuration guide with optional password keys and actor type
- Add actor-session guide explaining the unified session concept
- Add claims-mapping guide with static and callback examples
- Add policies guide covering allow_claim and OIDC integration
- Update ex_doc config with new guides and Taure source URL

* chore: disable audit, upgrade erlang-ci to v2.0.9 (#4)

* chore: disable audit, upgrade erlang-ci to v2.0.9, fix permissions

* fix: add kura to plt_extra_apps for dialyzer

* feat: make PBKDF2 iterations configurable (#2)

* feat: unified actor session and claims mapping

* feat: add unified actor session and claims mapping

Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims
for provider claim transformation, and allow_claim/2 policy. Make kura
optional so OIDC-only apps don't need a database. Simplify security
callbacks to use the shared actor session.

* fix: remove unused NOVA_AUTH_ACTOR_SESSION_KEY macro

Hank flagged it as dead code — the session key is defined locally
in nova_auth_actor instead.

* feat: make PBKDF2 iterations configurable

Read from `{nova_auth, [{pbkdf2_iterations, N}]}` app env.
Defaults to 600,000 (OWASP recommendation). Lower values
trade security margin for speed in non-banking contexts.

* feat: add OIDC behaviour and JWT validation (#4)

* feat: add OIDC behaviour and JWT validation module

nova_auth_oidc defines the callback for OIDC provider configuration
(providers, scopes, claims mapping). nova_auth_oidc_jwt validates
ID tokens and maps claims to actor maps via nova_auth_claims.

* fix: suppress hank false positive for behaviour callback

* fix: restructure JWT decode for dialyzer compatibility

* fix: use erlang-ci @v2

* fix: start kura application in integration test setup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Taure