feat(auth): add OAuth2/OIDC authentication package

[cpunion]

• Add AuthConfig, AuthCredential, AuthScheme types
• Add AuthHandler for OAuth2 flow orchestration
• Add CredentialManager and CredentialService for token management
• Add OAuth2 token exchange helpers
• Add unit tests for auth package

[gemini-code-assist]

Summary of Changes

Hello @cpunion, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new, robust authentication package designed to streamline the handling of various authentication methods, particularly focusing on OAuth2 and OpenID Connect. It provides foundational types for defining authentication schemes and credentials, along with a manager to orchestrate the entire credential lifecycle, from initial acquisition to refresh and persistence. This enhancement aims to simplify secure integration with external services requiring authentication.

Highlights

• New Authentication Package: Introduced a comprehensive auth package to handle various authentication schemes, including API Key, HTTP (Basic/Bearer), OAuth2, and OpenID Connect, aligning with OpenAPI 3.0 specifications.
• Structured Auth Types: Added AuthConfig, AuthCredential, and AuthScheme types to standardize how authentication configurations and credentials are defined and managed within the system. This includes detailed structures for OAuth2 flows and Google Service Accounts.
• OAuth2 Flow Orchestration: Implemented AuthHandler to orchestrate OAuth2/OIDC flows, including generating authorization URIs and processing authentication responses, simplifying the integration of user-facing authentication.
• Credential Lifecycle Management: Developed CredentialManager and CredentialService (with in-memory and session-state implementations) to manage the full lifecycle of credentials, from loading and exchanging (e.g., auth code to access token) to refreshing expired tokens and persisting them.
• OAuth2 Token Exchange and Refresh: Provided dedicated OAuth2Exchanger and OAuth2Refresher components to handle the specific logic for exchanging authorization codes/client credentials for access tokens and automatically refreshing tokens before they expire.
• Helper Functions and Unit Tests: Included helper functions for easily creating common authentication scheme and credential pairs, along with comprehensive unit tests for all new authentication components to ensure correctness and reliability.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive authentication package for handling OAuth2/OIDC, API keys, and other schemes. The implementation is well-structured with clear separation of concerns for configuration, credentials, handlers, and services. The code is generally of high quality with good test coverage for the new components. My review has identified several critical and high-severity issues, primarily related to error handling and the correct use of the OAuth2 library. Specifically, there are multiple places where errors are silently ignored, which can lead to hard-to-debug failures and potential security vulnerabilities. Additionally, the implementation of the OAuth2 client credentials flow is incorrect, and there's a logic bug in handling OIDC schemes. Addressing these points will significantly improve the robustness and security of this new authentication package.

[gemini-code-assist]

GenerateAuthRequest is designed to work with both SecuritySchemeTypeOAuth2 and SecuritySchemeTypeOpenIDConnect. However, generateAuthURI only performs a type assertion for *OAuth2Scheme. If an *OpenIDConnectScheme is passed, this assertion will fail, ok will be false, and the function will return nil. This causes auth URI generation to fail silently for OIDC. The logic must be updated to handle *OpenIDConnectScheme as well, likely by extracting the necessary flow information from it.

[gemini-code-assist]

The error from crypto/rand.Read is ignored. If this call fails (e.g., due to entropy exhaustion on the system), the buffer b will not be filled with random data, resulting in a predictable OAuth state parameter. This completely undermines the CSRF protection that the state parameter is meant to provide. This error is critical and must be handled, for example by panicking, as the application cannot proceed securely.

Example fix:

if _, err := rand.Read(b); err != nil {
    panic(fmt.Sprintf("CRITICAL: failed to generate random state for OAuth: %v", err))
}

[gemini-code-assist]

This is not the correct way to perform an OAuth2 client credentials grant with the golang.org/x/oauth2 library. The config.Exchange function is intended for the authorization code flow. For the client credentials flow, you should use the golang.org/x/oauth2/clientcredentials package. Using Exchange this way is undocumented, likely to fail, and could break in future library versions.

Here is the correct approach:

import "golang.org/x/oauth2/clientcredentials"
// ...

conf := &clientcredentials.Config{
    ClientID:     cred.OAuth2.ClientID,
    ClientSecret: cred.OAuth2.ClientSecret,
    TokenURL:     oauth2Scheme.Flows.ClientCredentials.TokenURL,
    Scopes:       scopeKeys(oauth2Scheme.Flows.ClientCredentials.Scopes),
}

token, err := conf.Token(ctx)
if err != nil {
    return nil, fmt.Errorf("failed to exchange client credentials: %w", err)
}

[gemini-code-assist]

Errors from json.Marshal are ignored on lines 54 and 61. If marshalling fails (e.g., due to an unsupported type in the future), this will lead to silent failures and incorrect credential key generation, potentially causing key collisions. These errors should be handled, for example by having generateCredentialKey return an error which is propagated up to NewAuthConfig.

[gemini-code-assist]

The error returned by svc.LoadCredential is ignored. If the credential service fails to load a credential (e.g., due to a database connection issue or I/O error), the error is silently dropped. This can hide underlying infrastructure problems and may lead to unnecessary re-authentication flows. The error should be handled, at a minimum by logging it to aid in debugging.

[gemini-code-assist]

The error from ref.Refresh is silently ignored. If token refresh fails, the manager returns the original, likely expired, credential. This will cause subsequent API calls to fail with an authentication error, which can be hard to debug. The refresh error should be propagated to the caller of GetAuthCredential so it can be handled appropriately (e.g., by initiating a new auth flow).

[gemini-code-assist]

The error from json.Unmarshal is silently ignored. If the credentialJSON is invalid, the function will proceed without setting ServiceAccountCredential, and the caller will not be notified of the configuration error. This can be very difficult to debug. The function should be modified to return an error to the caller if unmarshalling fails.