Add signed JWT auto sign-in flow (LibreGraph.SignedLoginOK)#233
Merged
longsleep merged 1 commit intolibregraph:masterfrom Mar 27, 2026
Merged
Add signed JWT auto sign-in flow (LibreGraph.SignedLoginOK)#233longsleep merged 1 commit intolibregraph:masterfrom
longsleep merged 1 commit intolibregraph:masterfrom
Conversation
When --allow-client-signed-logins is enabled, trusted apps can sign in users without an interactive password challenge by sending an OIDC authorization request that includes the LibreGraph.SignedLoginOK scope together with a signed request object carrying a preferred_username claim. The signed login path is built directly into IdentifierIdentityManager: - checkAndRecordJTI: in-memory JTI replay prevention (10 min window) - authenticateSignedLogin: validates the signed JWT, looks up the user by preferred_username, writes a logon cookie so subsequent silent-renew and re-auth requests succeed via the normal cookie path without needing a new signed JWT each time - authorizeSignedLogin: verifies client identity against the signed request object and approves scopes via the client's trusted_scopes list WriteLogonCookie is introduced on Identifier to write the cookie mid-flow without firing onSetLogonCallbacks (which would produce a spurious browser-state cookie header in the same response). SetUserToLogonCookie is refactored to delegate to it.
longsleep
force-pushed
the
longsleep-signed-login
branch
from
27ba0ea to
877c934
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When --allow-client-signed-logins is enabled, trusted apps can sign in users without an interactive password challenge by sending an OIDC authorization request that includes the LibreGraph.SignedLoginOK scope together with a signed request object carrying a preferred_username claim.
The signed login path is built directly into IdentifierIdentityManager:
WriteLogonCookie is introduced on Identifier to write the cookie mid-flow without firing onSetLogonCallbacks (which would produce a spurious browser-state cookie header in the same response). SetUserToLogonCookie is refactored to delegate to it.