Go Oidc Idp

Boring

This is quite a boring project, to be honest with you. Lots of edge cases, redirects on top of redirects, and so on.

I created this project to get more familiar with the OIDC specification for my current job, because I noticed there are a lot of issues people run into when it comes to OIDC clients or IdPs.

I can't say I learned a lot, to be honest. What I did realise is that this is actually the nature of such a large specification. It's all edge cases and ifs.

Don't get me wrong, this is one of my most ambitious solo projects, and you'll see in the repository that even though I chose a narrow scope, only handling the authorization code flow, and that nothing outside of the protocol handling is production grade, it still has a lot of moving parts. Because that's the specification.

Boring Details: Yay

The project's main scope is to handle the journey of an authorization request from initiation to the token exchange. If you're not familiar with this protocol, the main use case is a client redirecting its user to the IdP's /authorize endpoint, which handles the user login and then sends the user back to the provided redirect_uri. Once the user is fully authenticated, there are a couple of flows that can be used to get the credentials to the client. In the authorization code flow, the IdP delivers a code to the client's redirect_uri, and the client then exchanges that code for a token. This is the flow I chose for the scope of this project because it's the most common one.
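To make the journey described above concrete, here is an added example, written for this post and not taken from the Go OIDC IdP repository: an in-memory model of the two endpoints the authorization code flow needs. The `IdP`, `authCode` and `Token` types, the `Clients` registration map and the one-minute code lifetime are assumptions of the example; HTTP handlers, the login UI, client authentication and ID token minting are left out. What it keeps are the checks that decide whether the flow is safe: the redirect_uri must exactly match a registered one before any redirect happens, the code is bound to the client_id and redirect_uri it was issued for, it expires quickly, and it can be exchanged only once.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"net/url"
	"time"
)

// authCode is what the IdP remembers about an issued code, so /token can check
// that the exchange comes from the same client and redirect_uri it was minted for.
type authCode struct {
	clientID, redirectURI, subject string
	expiresAt                      time.Time
	used                           bool
}

// Token is the result of a successful exchange (opaque access token; no ID token here).
type Token struct{ AccessToken, Subject string }

// IdP is an in-memory authorization server for the authorization code flow
// (constructed example type, not the project's own). Clients maps a client_id
// to its exact-match redirect_uri allowlist.
type IdP struct {
	Clients map[string][]string
	codes   map[string]*authCode
	Now     func() time.Time // injectable clock so code expiry can be tested
}

var (
	ErrUnknownClient = errors.New("unauthorized_client")
	ErrBadRedirect   = errors.New("invalid_request: redirect_uri not registered")
	ErrInvalidGrant  = errors.New("invalid_grant")
)

func NewIdP(clients map[string][]string) *IdP {
	return &IdP{Clients: clients, codes: map[string]*authCode{}, Now: time.Now}
}

// Authorize models the /authorize endpoint after the user has logged in as
// subject. It returns the URL the browser is sent to, carrying code and state.
func (p *IdP) Authorize(clientID, redirectURI, state, subject string) (string, error) {
	known, allowed := p.registered(clientID, redirectURI)
	if !known {
		return "", ErrUnknownClient
	}
	// An unregistered redirect_uri is an error shown to the user, never a
	// redirect: following it would deliver the code to whoever chose that URL.
	if !allowed {
		return "", ErrBadRedirect
	}
	code := randomToken()
	p.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI,
		subject: subject, expiresAt: p.Now().Add(time.Minute)} // codes are short-lived
	u, err := url.Parse(redirectURI)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("code", code)
	if state != "" {
		q.Set("state", state) // echoed unchanged so the client can match the response
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ExchangeCode models /token for grant_type=authorization_code. Every mismatch
// collapses to invalid_grant so the response does not say which check failed.
func (p *IdP) ExchangeCode(code, clientID, redirectURI string) (Token, error) {
	ac, ok := p.codes[code]
	if !ok || ac.used || ac.clientID != clientID || ac.redirectURI != redirectURI ||
		!p.Now().Before(ac.expiresAt) {
		return Token{}, ErrInvalidGrant
	}
	ac.used = true // single use: a replayed code must fail
	return Token{AccessToken: randomToken(), Subject: ac.subject}, nil
}

// CodeFromRedirect reads code and state out of the redirect URL, as the
// client's callback handler would.
func CodeFromRedirect(rawURL string) (code, state string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	return u.Query().Get("code"), u.Query().Get("state"), nil
}

func (p *IdP) registered(clientID, uri string) (known, allowed bool) {
	uris, ok := p.Clients[clientID]
	for _, r := range uris {
		if r == uri {
			return ok, true
		}
	}
	return ok, false
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something an IdP can work around
	}
	return hex.EncodeToString(b)
}
```

The exact-match comparison is deliberate: prefix or wildcard matching on redirect_uri is the usual way a code leaks to the wrong host, and the error path for a bad redirect_uri renders an error page rather than redirecting anywhere. The `Now` field exists only so the expiry check is testable without sleeping.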

I chose server-side rendering for all the UI in this project, honestly because I hate JavaScript. So I used HTMX and Go templates instead.

For the persistence layer I used SQLite. I know, complaining about JavaScript and then using SQLite doesn't look too good, and I agree. But you have to understand, I had to.

Conclusion

I know this is not the usual article about exciting projects, where oh, this happened because of this and then I decided to do that. This was my honest experience, and it was a grind simply because it's a large project for a solo dev and I had to narrow the scope so much.

I'm sure there are people more excited about authentication protocols than I am. And I'm not really saying I learned nothing; there are things I picked up, but they're also just things mentioned in the specification. I still enjoyed the coding and the problem solving, and I'm thinking of building a fully featured IdP handling OIDC, OAuth2, and SAML, but I won't do it alone and I won't do it for free, lol.


Thank you for sticking through!

GitHub Link