
Replace Zitadel authentication with oauth-kit#4

Open
domenkozar wants to merge 11 commits into main from replace-zitadel-with-oauth-kit

Conversation

@domenkozar (Member)

Summary

  • Replace Zitadel OIDC with session-based OAuth using oauth-kit library and GitHub provider
  • Simplify frontend by removing all OIDC/PKCE flow handling
  • Remove Zitadel infrastructure (nix service, terraform config)

Changes

Backend:

  • Add oauth-kit and tower-sessions dependencies
  • Create PostgresUserStore for user management
  • Replace token introspection with session-based BetaUser extractor
  • Add OAuth account and role tables migration

Frontend:

  • Remove Oidc.elm, Oidc/Model.elm, Oidc/Msg.elm
  • Simplify Shared.elm to fetch /api/v1/account/me on init
  • SignIn/SignOut redirect to /auth/signin/github and /auth/signout

Infrastructure:

  • Remove nix/zitadel/ directory
  • Remove terraform/zitadel/ directory
  • Update secretspec for GitHub OAuth credentials

Test plan

  • Run migrations: cargo run -p devenv-backend migrate
  • Start app with devenv up
  • Test sign in via GitHub
  • Verify session persists across page reloads
  • Test sign out clears session
  • Verify beta access check works

🤖 Generated with Claude Code
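The description above replaces token introspection with a session that lives in an encrypted cookie keyed by SESSION_SECRET, so the backend verifies the cookie instead of calling an identity provider. The following is an added example, not code from this PR, from oauth-kit or from tower-sessions: it uses only the Python standard library to show the property such a design rests on (a cookie the browser holds but cannot forge), what an extractor such as BetaUser checks on top of it, and what sign-out can and cannot do. HMAC-SHA256 stands in for the encrypted store, so this gives integrity but not confidentiality; the `user_id` claim, the `beta` role name, the cookie name `session` and the demo keys are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo keys; in the project the key comes from SESSION_SECRET
# provisioned by secretspec. A real secret is never derived from a string.
DEMO_SECRET = hashlib.sha256(b"constructed-demo-secret").digest()
ROTATED_SECRET = hashlib.sha256(b"constructed-demo-secret-v2").digest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_session(secret: bytes, claims: dict, ttl_seconds: int = 3600,
                 now: Optional[int] = None) -> str:
    """Serialize claims plus an expiry and append an HMAC-SHA256 tag.

    Integrity only: the browser can read the payload, it just cannot change
    it. The project's encrypted (private) cookie store also hides it.
    """
    now = int(time.time()) if now is None else now
    payload = dict(claims, exp=now + ttl_seconds)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def open_session(secret: bytes, cookie: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag verifies under `secret` and the session
    has not expired; any failure is treated as 'no session'."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def require_beta_user(secret: bytes, cookie: Optional[str],
                      now: Optional[int] = None) -> Optional[dict]:
    """Stand-in for a BetaUser-style extractor: authorise only a request that
    carries a valid session whose roles include the hypothetical 'beta' role."""
    if not cookie:
        return None
    claims = open_session(secret, cookie, now)
    if claims is None or "beta" not in claims.get("roles", []):
        return None
    return claims


def forge_user_id(cookie: str, new_user_id: int) -> str:
    """Rewrite user_id in the payload without re-signing, which is all an
    attacker without the secret can do."""
    body_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(body_b64))
    claims["user_id"] = new_user_id
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{tag_b64}"


def sign_out_header() -> str:
    """Sign-out with a cookie-held session can only tell the browser to drop
    the cookie; a copy already stolen stays valid until exp or a key change."""
    return "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The last two functions carry the caveat a reviewer would raise for this design: nothing on the server can revoke one session, so the expiry is the only bound on a leaked cookie, and changing SESSION_SECRET (as the later secretspec auto-generation commit does in development) logs out every user at once.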

domenkozar force-pushed the replace-zitadel-with-oauth-kit branch 3 times, most recently from e7e822c to eb51a29 (January 22, 2026 10:37)
domenkozar and others added 2 commits January 23, 2026 10:13
Switch from Zitadel OIDC to session-based OAuth using oauth-kit library
with GitHub as the provider. This significantly simplifies the auth flow.

Backend changes:
- Add oauth-kit and tower-sessions-cookie-store dependencies
- Use encrypted cookie sessions (private feature) instead of memory store
- Create PostgresUserStore for user management with transactional account creation
- Replace token introspection with session-based BetaUser extractor
- Add OAuth account and role tables migration
- Remove entire zitadel module

Frontend changes:
- Remove OIDC/PKCE flow handling (Oidc.elm, Oidc/Model.elm, Oidc/Msg.elm)
- Simplify Shared.elm to use /api/v1/account/me endpoint
- SignIn/SignOut now just redirect to /auth/signin/github and /auth/signout
- Remove crypto operations from interop.ts

Infrastructure:
- Remove nix/zitadel service and packages
- Remove terraform/zitadel configuration
- Update devenv.nix with nix-main-c dependency
- Update secretspec for GitHub OAuth credentials and SESSION_SECRET

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Auto-generate SESSION_SECRET via secretspec, improve secret
descriptions to guide users through prompts, and simplify
README to rely on secretspec prompts during devenv up.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
domenkozar force-pushed the replace-zitadel-with-oauth-kit branch from eb51a29 to f1dbdb2 (February 12, 2026 12:08)
domenkozar and others added 8 commits February 17, 2026 10:31
Switch devenv-backend and devenv-driver to crate2nix (buildRustCrate per-crate)
so only changed crates rebuild, fixing the issue where devenv-driver recompiled
on every `devenv up`. devenv-init stays on buildRustPackage with a custom musl
cross-compilation setup for its fully static VM init binary.

Key changes:
- Add crate2nix and rust-overlay inputs to devenv.yaml
- Create crate-config.nix with per-crate overrides for native deps, nix C/C++
  libs, bindgen, secretspec proc macro, and various buildRustCrate workarounds
- Rewrite package.nix to use crate2nix for backend/driver, custom musl build
  for init
- Add required-features to runner binaries so crate2nix skips them when the
  client feature is disabled
- Add crate2nix generate task that runs when Cargo.lock changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the bespoke mkCapWrapper shell-script approach that copied binaries
and prompted for sudo setcap. Instead, set ambient capabilities directly on
the runner process via processes.runner.linux.capabilities so child processes
(cloud-hypervisor, virtiofsd, nft, sysctl, tuntap) inherit them automatically
via execve.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
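The commit above relies on ambient capabilities being inherited by every child the runner spawns. The kernel only admits a capability into the ambient set when it is already in both the permitted and inheritable sets, and it clears the ambient set again on execve of a setuid/setgid binary or one carrying file capabilities, so "the children inherit automatically" is worth checking rather than assuming. The following is an added example, not part of the PR: a small Python checker that decodes the Cap* lines of /proc/PID/status and reports why an ambient raise would fail. The two status texts are constructed, and the set of capabilities wanted (CAP_NET_ADMIN and CAP_SYS_ADMIN) is an assumption; the PR does not list which ones it configures.

```python
import re
from typing import Dict, Iterable, List

# Linux capability numbers from <linux/capability.h>; list index == number.
_CAP_LIST = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_NAMES = dict(enumerate(_CAP_LIST))
CAP_NUMBERS = {name: num for num, name in CAP_NAMES.items()}

# One line per capability set as printed in /proc/PID/status.
_CAP_LINE_RE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", re.M)

# Assumed set the runner wants its children to start with (not from the PR).
WANTED = (1 << CAP_NUMBERS["CAP_NET_ADMIN"]) | (1 << CAP_NUMBERS["CAP_SYS_ADMIN"])

# Constructed status excerpts: the first is what a correctly configured runner
# shows, the second has the caps permitted but not inheritable, so no ambient
# raise is possible and children would start without them.
SAMPLE_STATUS_OK = (
    "Name:\trunner\n"
    "CapInh:\t0000000000201000\n"
    "CapPrm:\t0000000000201000\n"
    "CapEff:\t0000000000201000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000201000\n"
)
SAMPLE_STATUS_NOT_INHERITABLE = (
    "Name:\trunner\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000201000\n"
    "CapEff:\t0000000000201000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)


def cap_mask(names: Iterable[str]) -> int:
    """Build a bitmask from capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NUMBERS[name]
    return mask


def decode_mask(mask: int) -> List[str]:
    """Names of the capabilities set in a mask, lowest bit first."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1]


def parse_capability_sets(status_text: str) -> Dict[str, int]:
    """Map CapInh/CapPrm/CapEff/CapBnd/CapAmb to integer masks."""
    return {name: int(value, 16) for name, value in _CAP_LINE_RE.findall(status_text)}


def read_process_capabilities(pid: str = "self") -> Dict[str, int]:
    """Read the sets of a live process (Linux only; not used by the checks below)."""
    with open(f"/proc/{pid}/status") as f:
        return parse_capability_sets(f.read())


def ambient_raise_blockers(sets: Dict[str, int], wanted: int) -> Dict[str, List[str]]:
    """PR_CAP_AMBIENT_RAISE needs the cap in both CapPrm and CapInh; report
    which wanted caps are missing from each, so the fix is obvious."""
    return {
        "missing_permitted": decode_mask(wanted & ~sets["CapPrm"]),
        "missing_inheritable": decode_mask(wanted & ~sets["CapInh"]),
    }


def children_will_inherit(sets: Dict[str, int], wanted: int) -> bool:
    """Ambient caps survive execve of a plain binary (no setuid/setgid bit and
    no file capabilities), so CapAmb is what a spawned child starts with."""
    return (wanted & sets["CapAmb"]) == wanted
```

Run `read_process_capabilities(pid)` against the runner and then against a spawned cloud-hypervisor or virtiofsd to confirm both show the wanted bits in CapAmb; if a child shows an empty CapAmb while the runner does not, the child binary is setuid or carries file capabilities and the ambient set was cleared on exec.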
Replace process-compose configuration with devenv native equivalents:
tasks for migrations, `after` for ordering, `ready.http.get` for
health checks, and `ports.*.allocate` for dynamic port allocation.

Generate elm-land.json from Nix so the proxy URL uses the dynamic
backend port, and remove the static file from version control.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This lets the dynamically allocated devenv port flow through to the
backend server configuration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract conn() and nullable_json() helpers in oauth_store to remove
repeated pool-get and null-check patterns. Extract viewAvatar in
Main.elm to unify duplicated avatar rendering. Remove stale
OAUTH_CLIENT_ID and OAUTH_AUDIENCE env vars from elm-land config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The frontend was using user.name (display name from OAuth) for
Github_Owner_ route paths, which breaks for users whose display name
differs from their GitHub login. Extract the login from
oauth_account.raw_profile JSONB and thread it through as username.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
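The commit above fixes routes that were built from the OAuth display name rather than the GitHub login. The security-relevant difference is that a display name is free-form user input (spaces, Unicode, `/`, `..`), while a GitHub login has a documented shape (alphanumerics and single hyphens, no leading or trailing hyphen, at most 39 characters) that makes it safe to use as a single path segment. The following is an added example, not code from the PR: it pulls `login` out of a stored profile JSON and refuses to build a route from anything that is not a valid login. The sample profile is constructed, and the `/github/<login>` route shape is an assumption.

```python
import json
import re
from typing import Optional

# GitHub's documented username rule: alphanumerics or single hyphens, no
# leading or trailing hyphen, at most 39 characters.
GITHUB_LOGIN_RE = re.compile(r"(?!-)(?!.*--)[A-Za-z0-9-]{1,39}(?<!-)")

# Constructed stand-in for oauth_account.raw_profile. `login`, `name` and `id`
# are the field names GitHub's user endpoint returns; the values are invented.
SAMPLE_RAW_PROFILE = json.dumps(
    {"id": 1234, "login": "example-user", "name": "Example User"}
)


def is_safe_route_segment(value: str) -> bool:
    """True only for valid GitHub logins, which by construction contain no
    '/', '.', whitespace or non-ASCII and so need no escaping in a path."""
    return GITHUB_LOGIN_RE.fullmatch(value) is not None


def github_login_from_profile(raw_profile: str) -> Optional[str]:
    """Return the validated `login` from a stored profile JSON, or None when
    the profile is malformed, lacks a login, or the login fails validation."""
    try:
        profile = json.loads(raw_profile)
    except ValueError:
        return None
    login = profile.get("login") if isinstance(profile, dict) else None
    if not isinstance(login, str) or not is_safe_route_segment(login):
        return None
    return login


def owner_route(login: str) -> str:
    """Build the (hypothetical) owner route from a login, refusing anything
    that is not a login rather than trying to URL-escape it."""
    if not is_safe_route_segment(login):
        raise ValueError(f"refusing to build a route from {login!r}")
    return f"/github/{login}"


def route_from_profile(raw_profile: str) -> Optional[str]:
    """End-to-end: stored profile in, route out, or None if no usable login."""
    login = github_login_from_profile(raw_profile)
    return owner_route(login) if login else None
```

Feeding the display name through `is_safe_route_segment` shows the original bug as a validation failure rather than a broken page: `"Example User"` is rejected for the space, and a hostile name such as `"../admin"` is rejected before it can reach a router or a filesystem path.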
…clean up imports

Backend:
- Extract webhook helpers (deduplicate Push/PR handlers, replace panics with errors)
- Replace all .unwrap() on pool connections with proper error handling
- Use read lock instead of write lock in RunnerState::try_send_to
- Replace Account stub with typed AccountResponse matching actual API shape
- Remove dead InternalError enum and unused digest dependency
- Remove dead Runner::disconnected function
- Simplify platform conversion using existing From impls and str::parse
- Remove redundant inner imports in github/model.rs
- Make logger port configurable via PORT env var

Frontend:
- Remove dead scrollToElementEffect and associated Msg variants (Repo_.elm)
- Remove dead viewRevBranch from Label.elm (superseded by GitHubCommit)
- Remove dead add function from Breadcrumbs.elm
- Deduplicate Breadcrumbs factory functions via composition
- Remove dead navButton and commented login button block
- Clean up unused imports across 11 Elm files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>