feat: support unsigned oidc request objects#785

Merged
steveiliop56 merged 1 commit into tinyauthapp:main from scottmckendry:unsigned-oidc-objs on Apr 12, 2026

Conversation


@scottmckendry scottmckendry commented Apr 11, 2026

advertises request_parameter_supported and request_object_signing_alg_values_supported in discovery

decodes jwt in frontend to merge claims

now passes the "oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupported" conformance test:

[screenshot: conformance test result]

Summary by CodeRabbit

  • New Features
    • Added support for OpenID Connect "request" parameter processing so request objects can supply/override login parameters.
    • OpenID configuration endpoint now advertises support for the request parameter and the allowed request object signing algorithm "none".
  • Tests
    • Updated configuration endpoint tests to cover the new advertised fields.

@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Apr 11, 2026

coderabbitai Bot commented Apr 11, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a7131e7 and 0345102.

📒 Files selected for processing (3)
  • frontend/src/lib/hooks/oidc.ts
  • internal/controller/well_known_controller.go
  • internal/controller/well_known_controller_test.go

📝 Walkthrough

Frontend: adds JWT request parameter decoding and merges decoded claims into OIDC params before validation. Backend: advertises request_parameter_supported: true and request_object_signing_alg_values_supported: ["none"] in the OIDC discovery response.

Changes

Frontend OIDC Hook (frontend/src/lib/hooks/oidc.ts)
  Added b64urlDecode and decodeRequestObject(jwt) helpers. useOIDCParams now reads the request query param, decodes the JWT payload (requires alg: "none" and an empty signature), and merges string-valued claims into params before oidcParamsSchema.safeParse, letting claim keys override top-level params.
Backend Well-Known Configuration (internal/controller/well_known_controller.go, internal/controller/well_known_controller_test.go)
  Extended OpenIDConnectConfiguration with request_parameter_supported (bool) and request_object_signing_alg_values_supported (string array). Handler populates these fields; tests updated to assert the new fields.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant Frontend as Frontend (useOIDCParams)
  participant Backend as Backend (.well-known)

  Client->>Frontend: Navigate /auth?...&request=<JWT>
  Frontend->>Frontend: b64urlDecode & decodeRequestObject(JWT)\n(require alg:"none", empty signature)\nfilter string claims
  Frontend->>Frontend: Object.assign(params, decodedClaims)\nvalidate via oidcParamsSchema
  Client->>Backend: GET /.well-known/openid-configuration
  Backend-->>Client: JSON including request_parameter_supported:true\nand request_object_signing_alg_values_supported:["none"]

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Rycochet

Poem

🐰 A tiny JWT rolled in with a sigh,
I unwrapped its claims beneath the sky,
Merged them with queries, neat and light,
Discovery now shouts "request: true" tonight,
Hop, validate, and onward we fly. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'feat: support unsigned oidc request objects' accurately and concisely summarizes the main change: adding support for decoding and validating unsigned OIDC request objects in both frontend and backend.


codecov Bot commented Apr 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.01%. Comparing base (b44dc75) to head (0345102).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #785      +/-   ##
==========================================
+ Coverage   19.97%   20.01%   +0.04%     
==========================================
  Files          50       50              
  Lines        3960     3962       +2     
==========================================
+ Hits          791      793       +2     
  Misses       3100     3100              
  Partials       69       69              

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In `@frontend/src/lib/hooks/oidc.ts`:
- Around line 14-31: The function decodeRequestObject currently decodes the payload without checking the JOSE header; update decodeRequestObject to first base64url-decode and JSON.parse the header (parts[0]) and validate its "alg" field before trusting payload claims: return {} if the header is malformed or alg is missing/not "none" (or not an explicitly allowed algorithm), then only proceed to decode and return string-valued keys from the payload; ensure any header parse errors are caught so the function still returns {} on failure.

📥 Commits

Reviewing files that changed from the base of the PR and between b44dc75 and a7131e7.

📒 Files selected for processing (3)
  • frontend/src/lib/hooks/oidc.ts
  • internal/controller/well_known_controller.go
  • internal/controller/well_known_controller_test.go
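The decoder the walkthrough describes, with the JOSE header check the review comment above asks for, as an added TypeScript example (not tinyauth's own oidc.ts). The function names, the mergeRequestObject check that client_id and response_type in the object match the query, and the encodeUnsignedRequestObject helper that builds the constructed sample are ours; it assumes atob/btoa globals (browser, or Node 16+).

```typescript
// Assumes atob/btoa globals; names below are ours, not tinyauth's.
type Claims = Record<string, string>;

// base64url -> string: restore padding and map the URL alphabet back.
function b64urlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "===".slice(0, (4 - (b64.length % 4)) % 4);
  return atob(b64 + pad);
}

// String-valued claims of an alg "none" request object, or {} when the token
// is malformed, carries a signature, or declares any other algorithm.
function decodeRequestObject(jwt: string): Claims {
  const parts = jwt.split(".");
  if (parts.length !== 3 || parts[2] !== "") return {}; // unsigned => empty sig
  try {
    const header = JSON.parse(b64urlDecode(parts[0]));
    if (header === null || typeof header !== "object" || header.alg !== "none") return {};
    const payload = JSON.parse(b64urlDecode(parts[1]));
    if (payload === null || typeof payload !== "object" || Array.isArray(payload)) return {};
    const out: Claims = {};
    for (const k of Object.keys(payload)) {
      const v = payload[k];
      if (typeof v === "string") out[k] = v; // numbers, arrays, objects are dropped
    }
    return out;
  } catch {
    return {}; // invalid base64url or JSON in either segment
  }
}

// Merge claims over the query parameters. OIDC Core 6.1 requires client_id and
// response_type in the object to match the query, so a mismatch rejects the
// request instead of letting the object override them.
function mergeRequestObject(query: Claims, jwt: string): Claims | null {
  const claims = decodeRequestObject(jwt);
  for (const key of ["client_id", "response_type"]) {
    if (key in claims && key in query && claims[key] !== query[key]) return null;
  }
  return { ...query, ...claims };
}

// Builds a constructed sample token (ASCII claims only, since btoa is Latin-1).
function encodeUnsignedRequestObject(claims: Record<string, unknown>): string {
  const enc = (o: unknown) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}
```

Tokens that declare HS256 (or any other alg) with an empty signature, or alg "none" with a non-empty signature, both decode to {} and so contribute no claims.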

@steveiliop56 steveiliop56 merged commit 18c8413 into tinyauthapp:main Apr 12, 2026
4 checks passed