
Migrate to go-oidc v3 #281

Merged: mjudeikis merged 2 commits into kbind-dev:main from xrstf:go-oidc-v3 on Sep 15, 2025

@xrstf xrstf commented Aug 18, 2025


Summary

This upgrade is mostly because go-oidc switched to a Go-compatible versioning/branching system.

I also eliminated one TODO comment by tying the oidc verifier's lifecycle to the server.

What Type of PR Is This?

/kind cleanup

Release Notes

NONE

Summary by CodeRabbit

  • Refactor
    • OIDC authentication initialization now uses request context, improving reliability and handling of cancellations/timeouts during sign-in.
  • Chores
    • Upgraded OIDC library to v3 and refreshed related dependencies for better compatibility and security.

@xrstf xrstf requested a review from a team as a code owner August 18, 2025 16:13
mjudeikis previously approved these changes Sep 11, 2025
@mjudeikis


Built in conflict solver failed :/ will need manual rebase

On-behalf-of: @SAP christoph.mewes@sap.com

coderabbitai Bot commented Sep 15, 2025


Walkthrough

Updated OIDC to use go-oidc/v3, added context.Context to NewOIDCServiceProvider and propagated it from server initialization. Provider creation now uses the passed context. go.mod updated to require go-oidc v3 and adjust JOSE dependencies.

Changes

| Cohort / File(s) | Summary |
|---|---|
| OIDC provider refactor: backend/http/oidc.go | Switch import to go-oidc/v3/oidc. Change NewOIDCServiceProvider signature to accept context.Context. Use oidc.NewProvider(ctx, issuerURL) instead of context.TODO(). Other logic unchanged. |
| Server wiring: backend/server.go | Update call site to pass ctx into http.NewOIDCServiceProvider(ctx, ...). No other flow changes. |
| Module dependencies: go.mod | Upgrade github.com/coreos/go-oidc to v3.15.0. Add indirect github.com/go-jose/go-jose/v4 v4.0.5. Remove old JOSE v2 and github.com/pquerna/cachecontrol. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant App as Server init
  participant HTTP as backend/http
  participant OIDC as go-oidc v3

  App->>HTTP: NewOIDCServiceProvider(ctx, clientID, secret, redirectURI, issuerURL)
  HTTP->>OIDC: oidc.NewProvider(ctx, issuerURL)
  OIDC-->>HTTP: Provider
  HTTP-->>App: *OIDCServiceProvider, error

  note over HTTP,OIDC: Context now controls provider discovery and cancellation

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through code with ears held high,
A ctx breeze now whispers by.
v3 carrots in my tidy stack,
The OIDC path is on the track.
With fewer TODOs in the glade,
I thump approval: context made! 🥕🐇

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title "Migrate to go-oidc v3" is concise and accurately reflects the primary change in the diff — upgrading the go-oidc dependency to v3 and updating related code (imports, go.mod, and affected function signature/call sites). It is clear, specific, and appropriate for a teammate scanning the project history. |
| Description Check | ✅ Passed | The PR description includes a Summary, the PR kind (/kind cleanup), and a Release Notes block as required by the template, but it omits the Related Issue(s) field and lacks detail about the concrete code changes (for example the go.mod upgrade, import path changes to go-oidc/v3, and the NewOIDCServiceProvider signature change) as well as the manual rebase note present in PR comments; overall it is mostly complete but could be more informative for reviewers. |

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
backend/http/oidc.go (1)

45-58: Bound discovery with a timeout to avoid startup hangs.

oidc.NewProvider performs network discovery; without a bounded context it can stall startup. Wrap with a short timeout.

Apply this diff inside the constructor:

-	provider, err := oidc.NewProvider(ctx, issuerURL)
+	ctx, cancel := context.WithTimeout(ctx, 15*time.Second)
+	defer cancel()
+	provider, err := oidc.NewProvider(ctx, issuerURL)
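
Review bot: On the added `ctx, cancel := context.WithTimeout(ctx, 15*time.Second)` line, the derived context is assigned back to the constructor's own `ctx`, and `defer cancel()` then cancels it when the constructor returns, so anything later in the function that is built from `ctx` and expected to live as long as the server would be holding a cancelled context. Give the derived context its own name, for example `discoveryCtx, cancel := context.WithTimeout(ctx, 15*time.Second)`, pass only that to `oidc.NewProvider`, and move the hard-coded 15 seconds into a named constant or a configuration value.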

Also add the import:

// add
import "time"
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cbdcb1a and a71bf06.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • backend/http/oidc.go (2 hunks)
  • backend/server.go (1 hunks)
  • go.mod (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Generate and push docs
  • GitHub Check: lint
  • GitHub Check: verify
  • GitHub Check: go-test
  • GitHub Check: go-test-e2e
🔇 Additional comments (4)
backend/http/oidc.go (1)

22-22: Import path migrated to go-oidc/v3 — LGTM.

backend/server.go (1)

74-74: Context plumbed into OIDC constructor — LGTM.
Call site and constructor signatures match: backend/server.go:73-76, backend/http/oidc.go:45-48.

go.mod (2)

32-32: Approved — go-oidc imports upgraded to v3; no stale imports found.
go.mod (line 32) and go.sum entries reference github.com/coreos/go-oidc/v3; backend/http/oidc.go imports github.com/coreos/go-oidc/v3/oidc.


92-92: Verify no legacy JOSE v2/gopkg.in imports (prevent mixed majors)

go.mod now pins github.com/go-jose/go-jose/v4 v4.0.5 (go.mod: line 92). Search the repo for imports referencing gopkg.in/go-jose.v2 or github.com/go-jose/go-jose/v2 and update/remove any hits to avoid mixed-major build/runtime issues.

Suggested command: rg -n 'gopkg.in/(square/)?go-jose|github.com/go-jose/go-jose/v2' . || grep -RInE 'gopkg.in/(square/)?go-jose|github.com/go-jose/go-jose/v2' .
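
The bounded-discovery nitpick above, shown as an added example that is not code from this PR, kbind or go-oidc: a standard-library stand-in for the discovery request, run against a constructed issuer that never answers. The names `discover` and `stalledIssuer` are hypothetical, and the timeout values are chosen for the demonstration only.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// discover is a hypothetical stand-in for the discovery request made while an
// OIDC provider is constructed. The deadline lives on a separately named
// context, so the caller's ctx is never cancelled by this function.
func discover(ctx context.Context, issuer string, timeout time.Duration) (string, error) {
	dctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	url := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
	req, err := http.NewRequestWithContext(dctx, http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", fmt.Errorf("discovery for %s: %w", issuer, err)
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` }
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return "", fmt.Errorf("discovery for %s: %w", issuer, err)
	}
	if doc.Issuer != issuer { // advertised issuer must match the configured one
		return "", fmt.Errorf("issuer mismatch: got %q, want %q", doc.Issuer, issuer)
	}
	return doc.Issuer, nil
}

// stalledIssuer is a constructed test server that accepts requests and never answers.
func stalledIssuer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		<-r.Context().Done() // released once the client gives up
	}))
}

func main() {
	srv := stalledIssuer()
	defer srv.Close()
	_, err := discover(context.Background(), srv.URL, 200*time.Millisecond)
	fmt.Println("timed out:", errors.Is(err, context.DeadlineExceeded))
}
```

Without the deadline, the same call against the stalled server blocks until the caller's own context ends, which for a server-lifetime context means startup never completes.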

@xrstf xrstf requested a review from mjudeikis September 15, 2025 11:26
@mjudeikis mjudeikis merged commit aae3218 into kbind-dev:main Sep 15, 2025
6 checks passed
@xrstf xrstf deleted the go-oidc-v3 branch November 3, 2025 14:29