diff --git a/.env.example b/.env.example
index c7851385b..f5fc43d6f 100644
--- a/.env.example
+++ b/.env.example
@@ -49,6 +49,32 @@
# 流模式无响应超时时间,单位秒,如果出现空补全可以尝试改为更大值
# STREAMING_TIMEOUT=300
+# OAuth2 服务器配置
+# 启用OAuth2服务器
+# OAUTH2_ENABLED=true
+# OAuth2签发者标识
+# OAUTH2_ISSUER=https://your-domain.com
+# 访问令牌有效期(分钟)
+# OAUTH2_ACCESS_TOKEN_TTL=10
+# 刷新令牌有效期(分钟)
+# OAUTH2_REFRESH_TOKEN_TTL=720
+# 允许的授权类型(逗号分隔)
+# OAUTH2_ALLOWED_GRANT_TYPES=client_credentials,authorization_code,refresh_token
+# 强制PKCE验证
+# OAUTH2_REQUIRE_PKCE=true
+# JWT签名算法
+# JWT_SIGNING_ALGORITHM=RS256
+# JWT密钥ID
+# JWT_KEY_ID=oauth2-key-1
+# JWT私钥文件路径
+# JWT_PRIVATE_KEY_FILE=/path/to/oauth2-private-key.pem
+# 自动创建用户(首次OAuth2登录时)
+# OAUTH2_AUTO_CREATE_USER=false
+# 自动创建用户的默认角色
+# OAUTH2_DEFAULT_USER_ROLE=1
+# 自动创建用户的默认分组
+# OAUTH2_DEFAULT_USER_GROUP=default
+
# Gemini 识别图片 最大图片数量
# GEMINI_VISION_MAX_IMAGE_NUM=16
diff --git a/controller/oauth.go b/controller/oauth.go
new file mode 100644
index 000000000..7d1bde7ea
--- /dev/null
+++ b/controller/oauth.go
@@ -0,0 +1,200 @@
+package controller
+
+import (
+ "encoding/json"
+ "net/http"
+ "one-api/setting/system_setting"
+ "one-api/src/oauth"
+
+ "github.com/gin-gonic/gin"
+)
+
+// GetJWKS 获取JWKS公钥集
+func GetJWKS(c *gin.Context) {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.JSON(http.StatusNotFound, gin.H{
+ "error": "OAuth2 server is disabled",
+ })
+ return
+ }
+
+ jwks := oauth.GetJWKS()
+ if jwks == nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "error": "JWKS not available",
+ })
+ return
+ }
+
+ // 设置CORS headers
+ c.Header("Access-Control-Allow-Origin", "*")
+ c.Header("Access-Control-Allow-Methods", "GET")
+ c.Header("Access-Control-Allow-Headers", "Content-Type")
+ c.Header("Cache-Control", "public, max-age=3600") // 缓存1小时
+
+ // 返回JWKS
+ c.Header("Content-Type", "application/json")
+
+ // 将JWKS转换为JSON字符串
+ jsonData, err := json.Marshal(jwks)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "error": "Failed to marshal JWKS",
+ })
+ return
+ }
+
+ c.String(http.StatusOK, string(jsonData))
+}
+
+// OAuthTokenEndpoint OAuth2 令牌端点
+func OAuthTokenEndpoint(c *gin.Context) {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.JSON(http.StatusNotFound, gin.H{
+ "error": "unsupported_grant_type",
+ "error_description": "OAuth2 server is disabled",
+ })
+ return
+ }
+
+ // 只允许POST请求
+ if c.Request.Method != "POST" {
+ c.JSON(http.StatusMethodNotAllowed, gin.H{
+ "error": "invalid_request",
+ "error_description": "Only POST method is allowed",
+ })
+ return
+ }
+
+ // 只允许application/x-www-form-urlencoded内容类型
+ contentType := c.GetHeader("Content-Type")
+ if contentType != "application/x-www-form-urlencoded" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid_request",
+ "error_description": "Content-Type must be application/x-www-form-urlencoded",
+ })
+ return
+ }
+
+ // 委托给OAuth2服务器处理
+ oauth.HandleTokenRequest(c)
+}
+
+// OAuthAuthorizeEndpoint OAuth2 授权端点
+func OAuthAuthorizeEndpoint(c *gin.Context) {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.JSON(http.StatusNotFound, gin.H{
+ "error": "server_error",
+ "error_description": "OAuth2 server is disabled",
+ })
+ return
+ }
+
+ // 委托给OAuth2服务器处理
+ oauth.HandleAuthorizeRequest(c)
+}
+
+// OAuthServerInfo 获取OAuth2服务器信息
+func OAuthServerInfo(c *gin.Context) {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.JSON(http.StatusNotFound, gin.H{
+ "error": "OAuth2 server is disabled",
+ })
+ return
+ }
+
+ // 返回OAuth2服务器的基本信息(类似OpenID Connect Discovery)
+ c.JSON(http.StatusOK, gin.H{
+ "issuer": settings.Issuer,
+ "authorization_endpoint": settings.Issuer + "/oauth/authorize",
+ "token_endpoint": settings.Issuer + "/oauth/token",
+ "jwks_uri": settings.Issuer + "/.well-known/jwks.json",
+ "grant_types_supported": settings.AllowedGrantTypes,
+ "response_types_supported": []string{"code"},
+ "token_endpoint_auth_methods_supported": []string{"client_secret_basic", "client_secret_post"},
+ "code_challenge_methods_supported": []string{"S256"},
+ "scopes_supported": []string{
+ "api:read",
+ "api:write",
+ "admin",
+ },
+ })
+}
+
+// OAuthIntrospect 令牌内省端点(RFC 7662)
+func OAuthIntrospect(c *gin.Context) {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.JSON(http.StatusNotFound, gin.H{
+ "error": "OAuth2 server is disabled",
+ })
+ return
+ }
+
+ // 只允许POST请求
+ if c.Request.Method != "POST" {
+ c.JSON(http.StatusMethodNotAllowed, gin.H{
+ "error": "invalid_request",
+ "error_description": "Only POST method is allowed",
+ })
+ return
+ }
+
+ token := c.PostForm("token")
+ if token == "" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "active": false,
+ })
+ return
+ }
+
+ // TODO: 实现令牌内省逻辑
+ // 1. 验证调用者的认证信息
+ // 2. 解析和验证JWT令牌
+ // 3. 返回令牌的元信息
+
+ c.JSON(http.StatusOK, gin.H{
+ "active": false, // 临时返回,需要实现实际的内省逻辑
+ })
+}
+
+// OAuthRevoke 令牌撤销端点(RFC 7009)
+func OAuthRevoke(c *gin.Context) {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.JSON(http.StatusNotFound, gin.H{
+ "error": "OAuth2 server is disabled",
+ })
+ return
+ }
+
+ // 只允许POST请求
+ if c.Request.Method != "POST" {
+ c.JSON(http.StatusMethodNotAllowed, gin.H{
+ "error": "invalid_request",
+ "error_description": "Only POST method is allowed",
+ })
+ return
+ }
+
+ token := c.PostForm("token")
+ if token == "" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid_request",
+ "error_description": "Missing token parameter",
+ })
+ return
+ }
+
+ // TODO: 实现令牌撤销逻辑
+ // 1. 验证调用者的认证信息
+ // 2. 撤销指定的令牌(加入黑名单或从存储中删除)
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ })
+}
diff --git a/controller/oauth_client.go b/controller/oauth_client.go
new file mode 100644
index 000000000..17efb5f42
--- /dev/null
+++ b/controller/oauth_client.go
@@ -0,0 +1,374 @@
+package controller
+
+import (
+ "net/http"
+ "one-api/common"
+ "one-api/model"
+ "strconv"
+ "strings"
+
+ "github.com/gin-gonic/gin"
+ "github.com/thanhpk/randstr"
+)
+
+// CreateOAuthClientRequest 创建OAuth客户端请求
+type CreateOAuthClientRequest struct {
+ Name string `json:"name" binding:"required"`
+ ClientType string `json:"client_type" binding:"required,oneof=confidential public"`
+ GrantTypes []string `json:"grant_types" binding:"required"`
+ RedirectURIs []string `json:"redirect_uris"`
+ Scopes []string `json:"scopes" binding:"required"`
+ Description string `json:"description"`
+ RequirePKCE bool `json:"require_pkce"`
+}
+
+// UpdateOAuthClientRequest 更新OAuth客户端请求
+type UpdateOAuthClientRequest struct {
+ ID string `json:"id" binding:"required"`
+ Name string `json:"name" binding:"required"`
+ ClientType string `json:"client_type" binding:"required,oneof=confidential public"`
+ GrantTypes []string `json:"grant_types" binding:"required"`
+ RedirectURIs []string `json:"redirect_uris"`
+ Scopes []string `json:"scopes" binding:"required"`
+ Description string `json:"description"`
+ RequirePKCE bool `json:"require_pkce"`
+ Status int `json:"status" binding:"required,oneof=1 2"`
+}
+
+// GetAllOAuthClients 获取所有OAuth客户端
+func GetAllOAuthClients(c *gin.Context) {
+ page, _ := strconv.Atoi(c.Query("page"))
+ if page < 1 {
+ page = 1
+ }
+ perPage, _ := strconv.Atoi(c.Query("per_page"))
+ if perPage < 1 || perPage > 100 {
+ perPage = 20
+ }
+
+ startIdx := (page - 1) * perPage
+ clients, err := model.GetAllOAuthClients(startIdx, perPage)
+ if err != nil {
+ c.JSON(http.StatusOK, gin.H{
+ "success": false,
+ "message": err.Error(),
+ })
+ return
+ }
+
+ // 清理敏感信息
+ for _, client := range clients {
+ client.Secret = maskSecret(client.Secret)
+ }
+
+ total, _ := model.CountOAuthClients()
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ "data": clients,
+ "total": total,
+ "page": page,
+ "per_page": perPage,
+ })
+}
+
+// SearchOAuthClients 搜索OAuth客户端
+func SearchOAuthClients(c *gin.Context) {
+ keyword := c.Query("keyword")
+ if keyword == "" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "关键词不能为空",
+ })
+ return
+ }
+
+ clients, err := model.SearchOAuthClients(keyword)
+ if err != nil {
+ c.JSON(http.StatusOK, gin.H{
+ "success": false,
+ "message": err.Error(),
+ })
+ return
+ }
+
+ // 清理敏感信息
+ for _, client := range clients {
+ client.Secret = maskSecret(client.Secret)
+ }
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ "data": clients,
+ })
+}
+
+// GetOAuthClient 获取单个OAuth客户端
+func GetOAuthClient(c *gin.Context) {
+ id := c.Param("id")
+ if id == "" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "ID不能为空",
+ })
+ return
+ }
+
+ client, err := model.GetOAuthClientByID(id)
+ if err != nil {
+ c.JSON(http.StatusNotFound, gin.H{
+ "success": false,
+ "message": "客户端不存在",
+ })
+ return
+ }
+
+ // 清理敏感信息
+ client.Secret = maskSecret(client.Secret)
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ "data": client,
+ })
+}
+
+// CreateOAuthClient 创建OAuth客户端
+func CreateOAuthClient(c *gin.Context) {
+ var req CreateOAuthClientRequest
+ if err := c.ShouldBindJSON(&req); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "请求参数错误: " + err.Error(),
+ })
+ return
+ }
+
+ // 验证授权类型
+ validGrantTypes := []string{"client_credentials", "authorization_code", "refresh_token"}
+ for _, grantType := range req.GrantTypes {
+ if !contains(validGrantTypes, grantType) {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "无效的授权类型: " + grantType,
+ })
+ return
+ }
+ }
+
+ // 如果包含authorization_code,则必须提供redirect_uris
+ if contains(req.GrantTypes, "authorization_code") && len(req.RedirectURIs) == 0 {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "授权码模式需要提供重定向URI",
+ })
+ return
+ }
+
+ // 生成客户端ID和密钥
+ clientID := generateClientID()
+ clientSecret := ""
+ if req.ClientType == "confidential" {
+ clientSecret = generateClientSecret()
+ }
+
+ // 获取创建者ID
+ createdBy := c.GetInt("id")
+
+ // 创建客户端
+ client := &model.OAuthClient{
+ ID: clientID,
+ Secret: clientSecret,
+ Name: req.Name,
+ ClientType: req.ClientType,
+ RequirePKCE: req.RequirePKCE,
+ Status: common.UserStatusEnabled,
+ CreatedBy: createdBy,
+ Description: req.Description,
+ }
+
+ client.SetGrantTypes(req.GrantTypes)
+ client.SetRedirectURIs(req.RedirectURIs)
+ client.SetScopes(req.Scopes)
+
+ err := model.CreateOAuthClient(client)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "success": false,
+ "message": "创建客户端失败: " + err.Error(),
+ })
+ return
+ }
+
+ // 返回结果(包含完整的客户端密钥,仅此一次)
+ c.JSON(http.StatusCreated, gin.H{
+ "success": true,
+ "message": "客户端创建成功",
+ "client_id": client.ID,
+ "client_secret": client.Secret, // 仅在创建时返回完整密钥
+ "data": client,
+ })
+}
+
+// UpdateOAuthClient 更新OAuth客户端
+func UpdateOAuthClient(c *gin.Context) {
+ var req UpdateOAuthClientRequest
+ if err := c.ShouldBindJSON(&req); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "请求参数错误: " + err.Error(),
+ })
+ return
+ }
+
+ // 获取现有客户端
+ client, err := model.GetOAuthClientByID(req.ID)
+ if err != nil {
+ c.JSON(http.StatusNotFound, gin.H{
+ "success": false,
+ "message": "客户端不存在",
+ })
+ return
+ }
+
+ // 验证授权类型
+ validGrantTypes := []string{"client_credentials", "authorization_code", "refresh_token"}
+ for _, grantType := range req.GrantTypes {
+ if !contains(validGrantTypes, grantType) {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "无效的授权类型: " + grantType,
+ })
+ return
+ }
+ }
+
+ // 更新客户端信息
+ client.Name = req.Name
+ client.ClientType = req.ClientType
+ client.RequirePKCE = req.RequirePKCE
+ client.Status = req.Status
+ client.Description = req.Description
+ client.SetGrantTypes(req.GrantTypes)
+ client.SetRedirectURIs(req.RedirectURIs)
+ client.SetScopes(req.Scopes)
+
+ err = model.UpdateOAuthClient(client)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "success": false,
+ "message": "更新客户端失败: " + err.Error(),
+ })
+ return
+ }
+
+ // 清理敏感信息
+ client.Secret = maskSecret(client.Secret)
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ "message": "客户端更新成功",
+ "data": client,
+ })
+}
+
+// DeleteOAuthClient 删除OAuth客户端
+func DeleteOAuthClient(c *gin.Context) {
+ id := c.Param("id")
+ if id == "" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "ID不能为空",
+ })
+ return
+ }
+
+ err := model.DeleteOAuthClient(id)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "success": false,
+ "message": "删除客户端失败: " + err.Error(),
+ })
+ return
+ }
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ "message": "客户端删除成功",
+ })
+}
+
+// RegenerateOAuthClientSecret 重新生成客户端密钥
+func RegenerateOAuthClientSecret(c *gin.Context) {
+ id := c.Param("id")
+ if id == "" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "ID不能为空",
+ })
+ return
+ }
+
+ client, err := model.GetOAuthClientByID(id)
+ if err != nil {
+ c.JSON(http.StatusNotFound, gin.H{
+ "success": false,
+ "message": "客户端不存在",
+ })
+ return
+ }
+
+ // 只有机密客户端才能重新生成密钥
+ if client.ClientType != "confidential" {
+ c.JSON(http.StatusBadRequest, gin.H{
+ "success": false,
+ "message": "只有机密客户端才能重新生成密钥",
+ })
+ return
+ }
+
+ // 生成新密钥
+ client.Secret = generateClientSecret()
+
+ err = model.UpdateOAuthClient(client)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "success": false,
+ "message": "重新生成密钥失败: " + err.Error(),
+ })
+ return
+ }
+
+ c.JSON(http.StatusOK, gin.H{
+ "success": true,
+ "message": "客户端密钥重新生成成功",
+ "client_secret": client.Secret, // 返回新生成的密钥
+ })
+}
+
+// generateClientID 生成客户端ID
+func generateClientID() string {
+ return "client_" + randstr.String(16)
+}
+
+// generateClientSecret 生成客户端密钥
+func generateClientSecret() string {
+ return randstr.String(32)
+}
+
+// maskSecret 掩码密钥显示
+func maskSecret(secret string) string {
+ if len(secret) <= 6 {
+ return strings.Repeat("*", len(secret))
+ }
+ return secret[:3] + strings.Repeat("*", len(secret)-6) + secret[len(secret)-3:]
+}
+
+// contains 检查字符串切片是否包含指定值
+func contains(slice []string, item string) bool {
+ for _, s := range slice {
+ if s == item {
+ return true
+ }
+ }
+ return false
+}
diff --git a/docs/oauth2-demo.html b/docs/oauth2-demo.html
new file mode 100644
index 000000000..594c2ba15
--- /dev/null
+++ b/docs/oauth2-demo.html
@@ -0,0 +1,909 @@
+
+
+
+
+
+ OAuth2 自动登录 Demo
+
+
+
+ OAuth2 服务器自动登录 Demo
+ 这个演示展示了如何使用OAuth2实现自动登录功能。
+
+
+
+
+
+
+
登录状态
+
未登录
+
+
+
+
选择登录方式:
+
+
+
+
+
+
+
+
已登录
+
+
+
+
+
+
+
+
+
+
令牌信息
+
+
+
+
+
+
+
请登录
+
+
+
+
+
+
+
+
+```
+
+## 🔍 调试和测试
+
+### 验证JWT令牌
+访问 [jwt.io](https://jwt.io) 解析令牌内容:
+```
+Header: {"alg":"RS256","typ":"JWT","kid":"oauth2-key-1"}
+Payload: {"sub":"user_id","aud":"your_client_id","exp":1234567890}
+```
+
+### 查看服务器信息
+```bash
+curl https://your-domain.com/.well-known/oauth-authorization-server
+```
+
+### 获取JWKS公钥
+```bash
+curl https://your-domain.com/.well-known/jwks.json
+```
+
+---
+
+这个demo涵盖了OAuth2服务器的完整使用流程,实现了真正的自动登录功能。用户只需要第一次授权,之后应用会自动处理令牌刷新和API认证。
\ No newline at end of file
diff --git a/docs/oauth2_setup.md b/docs/oauth2_setup.md
new file mode 100644
index 000000000..5cb3dd294
--- /dev/null
+++ b/docs/oauth2_setup.md
@@ -0,0 +1,258 @@
+# OAuth2 服务器设置指南
+
+## 概述
+
+该 OAuth2 服务器实现基于 RFC 6749 标准,支持以下特性:
+
+- **授权类型**: Client Credentials, Authorization Code + PKCE, Refresh Token
+- **JWT 访问令牌**: 使用 RS256 签名
+- **JWKS 端点**: 公钥自动发布和轮换
+- **兼容性**: 与现有认证系统完全兼容
+
+## 配置
+
+### 1. 环境变量配置
+
+在 `.env` 文件中添加以下配置:
+
+```env
+# OAuth2 基础配置
+OAUTH2_ENABLED=true
+OAUTH2_ISSUER=https://your-domain.com
+OAUTH2_ACCESS_TOKEN_TTL=10
+OAUTH2_REFRESH_TOKEN_TTL=720
+
+# JWT 签名配置
+JWT_SIGNING_ALGORITHM=RS256
+JWT_KEY_ID=oauth2-key-1
+JWT_PRIVATE_KEY_FILE=/path/to/private-key.pem
+
+# 授权类型(逗号分隔)
+OAUTH2_ALLOWED_GRANT_TYPES=client_credentials,authorization_code,refresh_token
+
+# 强制 PKCE
+OAUTH2_REQUIRE_PKCE=true
+
+# 自动创建用户
+OAUTH2_AUTO_CREATE_USER=false
+OAUTH2_DEFAULT_USER_ROLE=1
+OAUTH2_DEFAULT_USER_GROUP=default
+```
+
+### 2. 数据库迁移
+
+重启应用程序将自动创建 `oauth_clients` 表。
+
+### 3. 创建第一个 OAuth2 客户端
+
+通过管理员界面或 API 创建客户端:
+
+```bash
+curl -X POST http://localhost:8080/api/oauth_clients \
+ -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "name": "测试服务",
+ "client_type": "confidential",
+ "grant_types": ["client_credentials"],
+ "scopes": ["api:read", "api:write"],
+ "description": "用于服务对服务认证的测试客户端"
+ }'
+```
+
+## OAuth2 端点
+
+### 标准端点
+
+- **令牌端点**: `POST /api/oauth/token`
+- **授权端点**: `GET /api/oauth/authorize`
+- **JWKS 端点**: `GET /.well-known/jwks.json`
+- **服务器信息**: `GET /.well-known/oauth-authorization-server`
+
+### 管理端点
+
+- **令牌内省**: `POST /api/oauth/introspect` (需要管理员权限)
+- **令牌撤销**: `POST /api/oauth/revoke`
+
+### 客户端管理端点
+
+- **列出客户端**: `GET /api/oauth_clients`
+- **创建客户端**: `POST /api/oauth_clients`
+- **更新客户端**: `PUT /api/oauth_clients`
+- **删除客户端**: `DELETE /api/oauth_clients/{id}`
+- **重新生成密钥**: `POST /api/oauth_clients/{id}/regenerate_secret`
+
+## 使用示例
+
+### 1. Client Credentials 流程
+
+```go
+package main
+
+import (
+ "context"
+ "golang.org/x/oauth2/clientcredentials"
+)
+
+func main() {
+ cfg := clientcredentials.Config{
+ ClientID: "your_client_id",
+ ClientSecret: "your_client_secret",
+ TokenURL: "https://your-domain.com/api/oauth/token",
+ Scopes: []string{"api:read"},
+ }
+
+ client := cfg.Client(context.Background())
+ resp, _ := client.Get("https://your-domain.com/api/protected")
+ // 处理响应...
+}
+```
+
+### 2. Authorization Code + PKCE 流程
+
+```go
+package main
+
+import (
+ "context"
+ "golang.org/x/oauth2"
+)
+
+func main() {
+ conf := oauth2.Config{
+ ClientID: "your_web_client_id",
+ ClientSecret: "your_web_client_secret",
+ RedirectURL: "https://your-app.com/callback",
+ Scopes: []string{"api:read"},
+ Endpoint: oauth2.Endpoint{
+ AuthURL: "https://your-domain.com/api/oauth/authorize",
+ TokenURL: "https://your-domain.com/api/oauth/token",
+ },
+ }
+
+ // 生成 PKCE 参数
+ verifier := oauth2.GenerateVerifier()
+
+ // 构建授权 URL
+ url := conf.AuthCodeURL("state", oauth2.S256ChallengeOption(verifier))
+
+ // 用户授权后,使用授权码交换令牌
+ token, _ := conf.Exchange(context.Background(), code, oauth2.VerifierOption(verifier))
+
+ // 使用令牌调用 API
+ client := conf.Client(context.Background(), token)
+ resp, _ := client.Get("https://your-domain.com/api/protected")
+}
+```
+
+### 3. cURL 示例
+
+```bash
+# 获取访问令牌
+curl -X POST https://your-domain.com/api/oauth/token \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -u "client_id:client_secret" \
+ -d "grant_type=client_credentials&scope=api:read"
+
+# 使用访问令牌调用 API
+curl -H "Authorization: Bearer ACCESS_TOKEN" \
+ https://your-domain.com/api/status
+```
+
+## 安全建议
+
+### 1. 密钥管理
+
+- 使用强随机密钥生成器
+- 定期轮换 RSA 密钥对
+- 将私钥存储在安全位置
+- 考虑使用 HSM 或密钥管理服务
+
+### 2. 网络安全
+
+- 强制使用 HTTPS
+- 配置适当的 CORS 策略
+- 实现速率限制
+- 启用请求日志和监控
+
+### 3. 客户端管理
+
+- 定期审查客户端列表
+- 撤销不再使用的客户端
+- 监控客户端使用情况
+- 为不同用途创建不同的客户端
+
+### 4. Scope 和权限
+
+- 实施最小权限原则
+- 定期审查 scope 定义
+- 为敏感操作创建特殊 scope
+- 实现细粒度的权限控制
+
+## 故障排除
+
+### 常见问题
+
+1. **"OAuth2 server is disabled"**
+ - 确保 `OAUTH2_ENABLED=true`
+ - 检查配置文件是否正确加载
+
+2. **"invalid_client"**
+ - 验证 client_id 和 client_secret
+ - 确保客户端状态为启用
+
+3. **"invalid_grant"**
+ - 检查授权类型是否被允许
+ - 验证 PKCE 参数(如果启用)
+
+4. **"invalid_scope"**
+ - 确保请求的 scope 在客户端配置中
+ - 检查 scope 格式(空格分隔)
+
+### 调试
+
+启用详细日志:
+
+```env
+GIN_MODE=debug
+LOG_LEVEL=debug
+```
+
+检查 JWKS 端点:
+
+```bash
+curl https://your-domain.com/.well-known/jwks.json
+```
+
+验证令牌:
+
+```bash
+# 可以使用 https://jwt.io 解码和验证 JWT 令牌
+```
+
+## 生产部署
+
+### 1. 负载均衡
+
+- OAuth2 服务器是无状态的,支持水平扩展
+- 确保所有实例使用相同的私钥
+- 使用 Redis 作为令牌存储
+
+### 2. 监控
+
+- 监控令牌签发速率
+- 跟踪客户端使用情况
+- 设置异常告警
+
+### 3. 备份
+
+- 备份私钥文件
+- 备份客户端配置数据
+- 制定灾难恢复计划
+
+### 4. 性能优化
+
+- 启用 JWKS 缓存
+- 使用连接池
+- 优化数据库查询
+- 考虑使用 CDN 分发 JWKS
\ No newline at end of file
diff --git a/examples/oauth2_test_client.go b/examples/oauth2_test_client.go
new file mode 100644
index 000000000..30a6ac233
--- /dev/null
+++ b/examples/oauth2_test_client.go
@@ -0,0 +1,125 @@
+package main
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "log"
+ "net/http"
+
+ "golang.org/x/oauth2"
+ "golang.org/x/oauth2/clientcredentials"
+)
+
+func main() {
+ // 测试 Client Credentials 流程
+ testClientCredentials()
+
+ // 测试 Authorization Code + PKCE 流程(需要浏览器交互)
+ // testAuthorizationCode()
+}
+
+// testClientCredentials 测试服务对服务认证
+func testClientCredentials() {
+ fmt.Println("=== Testing Client Credentials Flow ===")
+
+ cfg := clientcredentials.Config{
+ ClientID: "client_demo123456789", // 需要先创建客户端
+ ClientSecret: "demo_secret_32_chars_long_123456",
+ TokenURL: "http://127.0.0.1:8080/api/oauth/token",
+ Scopes: []string{"api:read", "api:write"},
+ EndpointParams: map[string][]string{
+ "audience": {"api://new-api"},
+ },
+ }
+
+ // 创建HTTP客户端
+ httpClient := cfg.Client(context.Background())
+
+ // 调用受保护的API
+ resp, err := httpClient.Get("http://127.0.0.1:8080/api/status")
+ if err != nil {
+ log.Printf("Request failed: %v", err)
+ return
+ }
+ defer resp.Body.Close()
+
+ body, err := io.ReadAll(resp.Body)
+ if err != nil {
+ log.Printf("Failed to read response: %v", err)
+ return
+ }
+
+ fmt.Printf("Status: %s\n", resp.Status)
+ fmt.Printf("Response: %s\n", string(body))
+}
+
+// testAuthorizationCode 测试授权码流程
+func testAuthorizationCode() {
+ fmt.Println("=== Testing Authorization Code + PKCE Flow ===")
+
+ conf := oauth2.Config{
+ ClientID: "client_web123456789", // Web客户端
+ ClientSecret: "web_secret_32_chars_long_123456",
+ RedirectURL: "http://localhost:9999/callback",
+ Scopes: []string{"api:read", "api:write"},
+ Endpoint: oauth2.Endpoint{
+ AuthURL: "http://127.0.0.1:8080/api/oauth/authorize",
+ TokenURL: "http://127.0.0.1:8080/api/oauth/token",
+ },
+ }
+
+ // 生成PKCE参数
+ codeVerifier := oauth2.GenerateVerifier()
+
+ // 构建授权URL
+ url := conf.AuthCodeURL(
+ "random-state-string",
+ oauth2.S256ChallengeOption(codeVerifier),
+ oauth2.SetAuthURLParam("audience", "api://new-api"),
+ )
+
+ fmt.Printf("Visit this URL to authorize:\n%s\n\n", url)
+ fmt.Printf("After authorization, you'll get a code. Use it to exchange for tokens.\n")
+
+ // 在实际应用中,这里需要启动一个HTTP服务器来接收回调
+ // 或者手动输入从回调URL中获取的授权码
+
+ fmt.Print("Enter the authorization code: ")
+ var code string
+ fmt.Scanln(&code)
+
+ if code != "" {
+ // 交换令牌
+ token, err := conf.Exchange(
+ context.Background(),
+ code,
+ oauth2.VerifierOption(codeVerifier),
+ )
+ if err != nil {
+ log.Printf("Token exchange failed: %v", err)
+ return
+ }
+
+ fmt.Printf("Access Token: %s\n", token.AccessToken)
+ fmt.Printf("Token Type: %s\n", token.TokenType)
+ fmt.Printf("Expires In: %v\n", token.Expiry)
+
+ // 使用令牌调用API
+ client := conf.Client(context.Background(), token)
+ resp, err := client.Get("http://127.0.0.1:8080/api/status")
+ if err != nil {
+ log.Printf("API request failed: %v", err)
+ return
+ }
+ defer resp.Body.Close()
+
+ body, err := io.ReadAll(resp.Body)
+ if err != nil {
+ log.Printf("Failed to read response: %v", err)
+ return
+ }
+
+ fmt.Printf("API Response: %s\n", string(body))
+ }
+}
diff --git a/go.mod b/go.mod
index 501d966d5..505abcdec 100644
--- a/go.mod
+++ b/go.mod
@@ -11,20 +11,24 @@ require (
github.com/aws/aws-sdk-go-v2/credentials v1.17.11
github.com/aws/aws-sdk-go-v2/service/bedrockruntime v1.33.0
github.com/aws/smithy-go v1.22.5
- github.com/bytedance/gopkg v0.0.0-20220118071334-3db87571198b
+ github.com/bytedance/gopkg v0.0.0-20221122125632-68358b8ecec6
github.com/gin-contrib/cors v1.7.2
github.com/gin-contrib/gzip v0.0.6
github.com/gin-contrib/sessions v0.0.5
github.com/gin-contrib/static v0.0.1
github.com/gin-gonic/gin v1.9.1
github.com/glebarez/sqlite v1.9.0
+ github.com/go-oauth2/gin-server v1.1.0
+ github.com/go-oauth2/oauth2/v4 v4.5.4
github.com/go-playground/validator/v10 v10.20.0
github.com/go-redis/redis/v8 v8.11.5
github.com/golang-jwt/jwt v3.2.2+incompatible
+ github.com/golang-jwt/jwt/v5 v5.3.0
github.com/google/uuid v1.6.0
github.com/gorilla/websocket v1.5.0
github.com/jinzhu/copier v0.4.0
github.com/joho/godotenv v1.5.1
+ github.com/lestrrat-go/jwx/v2 v2.1.6
github.com/pkg/errors v0.9.1
github.com/pquerna/otp v1.5.0
github.com/samber/lo v1.39.0
@@ -38,6 +42,7 @@ require (
golang.org/x/crypto v0.35.0
golang.org/x/image v0.23.0
golang.org/x/net v0.35.0
+ golang.org/x/oauth2 v0.30.0
golang.org/x/sync v0.11.0
gorm.io/driver/mysql v1.4.3
gorm.io/driver/postgres v1.5.2
@@ -55,6 +60,7 @@ require (
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cloudwego/base64x v0.1.4 // indirect
github.com/cloudwego/iasm v0.2.0 // indirect
+ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/dlclark/regexp2 v1.11.5 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
@@ -65,7 +71,7 @@ require (
github.com/go-playground/locales v0.14.1 // indirect
github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/go-sql-driver/mysql v1.7.0 // indirect
- github.com/goccy/go-json v0.10.2 // indirect
+ github.com/goccy/go-json v0.10.3 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/gorilla/context v1.1.1 // indirect
github.com/gorilla/securecookie v1.1.1 // indirect
@@ -79,14 +85,25 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/cpuid/v2 v2.2.9 // indirect
github.com/leodido/go-urn v1.4.0 // indirect
+ github.com/lestrrat-go/blackmagic v1.0.3 // indirect
+ github.com/lestrrat-go/httpcc v1.0.1 // indirect
+ github.com/lestrrat-go/httprc v1.0.6 // indirect
+ github.com/lestrrat-go/iter v1.0.2 // indirect
+ github.com/lestrrat-go/option v1.0.1 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pelletier/go-toml/v2 v2.2.1 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+ github.com/segmentio/asm v1.2.0 // indirect
+ github.com/tidwall/btree v0.0.0-20191029221954-400434d76274 // indirect
+ github.com/tidwall/buntdb v1.1.2 // indirect
+ github.com/tidwall/grect v0.0.0-20161006141115-ba9a043346eb // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
+ github.com/tidwall/rtree v0.0.0-20180113144539-6cd427091e0e // indirect
+ github.com/tidwall/tinyqueue v0.0.0-20180302190814-1e39f5511563 // indirect
github.com/tklauser/go-sysconf v0.3.12 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
@@ -94,7 +111,7 @@ require (
github.com/yusufpapurcu/wmi v1.2.3 // indirect
golang.org/x/arch v0.12.0 // indirect
golang.org/x/exp v0.0.0-20240404231335-c0f41cb1a7a0 // indirect
- golang.org/x/sys v0.30.0 // indirect
+ golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.22.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 189d09de4..65131fff6 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
github.com/Calcium-Ion/go-epay v0.0.4 h1:C96M7WfRLadcIVscWzwLiYs8etI1wrDmtFMuK2zP22A=
github.com/Calcium-Ion/go-epay v0.0.4/go.mod h1:cxo/ZOg8ClvE3VAnCmEzbuyAZINSq7kFEN9oHj5WQ2U=
+github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
+github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7XdTA=
github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
github.com/anknown/ahocorasick v0.0.0-20190904063843-d75dbd5169c0 h1:onfun1RA+KcxaMk1lfrRnwCd1UUuOjJM/lri5eM1qMs=
@@ -23,8 +25,8 @@ github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/boombuler/barcode v1.1.0 h1:ChaYjBR63fr4LFyGn8E8nt7dBSt3MiU3zMOZqFvVkHo=
github.com/boombuler/barcode v1.1.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/bytedance/gopkg v0.0.0-20220118071334-3db87571198b h1:LTGVFpNmNHhj0vhOlfgWueFJ32eK9blaIlHR2ciXOT0=
-github.com/bytedance/gopkg v0.0.0-20220118071334-3db87571198b/go.mod h1:2ZlV9BaUH4+NXIBF0aMdKKAnHTzqH+iMU4KUjAbL23Q=
+github.com/bytedance/gopkg v0.0.0-20221122125632-68358b8ecec6 h1:FCLDGi1EmB7JzjVVYNZiqc/zAJj2BQ5M0lfkVOxbfs8=
+github.com/bytedance/gopkg v0.0.0-20221122125632-68358b8ecec6/go.mod h1:5FoAH5xUHHCMDvQPy1rnj8moqLkLHFaDVBjHhcFwEi0=
github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc0=
github.com/bytedance/sonic v1.11.6/go.mod h1:LysEHSvpvDySVdC2f87zGWf6CIKJcAvqab1ZaiQtds4=
github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
@@ -39,16 +41,22 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
+github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
+github.com/gavv/httpexpect v2.0.0+incompatible h1:1X9kcRshkSKEjNJJxX9Y9mQ5BRfbxU5kORdjhlA1yX8=
+github.com/gavv/httpexpect v2.0.0+incompatible/go.mod h1:x+9tiU1YnrOvnB725RkpoLv1M62hOWzwo5OXotisrKc=
github.com/gin-contrib/cors v1.7.2 h1:oLDHxdg8W/XDoN/8zamqk/Drgt4oVZDvaV0YmvVICQw=
github.com/gin-contrib/cors v1.7.2/go.mod h1:SUJVARKgQ40dmrzgXEVxj2m7Ig1v1qIboQkPDTQ9t2E=
github.com/gin-contrib/gzip v0.0.6 h1:NjcunTcGAj5CO1gn4N8jHOSIeRFHIbn51z6K+xaN4d4=
@@ -67,6 +75,10 @@ github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9g
github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
github.com/glebarez/sqlite v1.9.0 h1:Aj6bPA12ZEx5GbSF6XADmCkYXlljPNUY+Zf1EQxynXs=
github.com/glebarez/sqlite v1.9.0/go.mod h1:YBYCoyupOao60lzp1MVBLEjZfgkq0tdB1voAQ09K9zw=
+github.com/go-oauth2/gin-server v1.1.0 h1:+7AyIfrcKaThZxxABRYECysxAfTccgpFdAqY1enuzBk=
+github.com/go-oauth2/gin-server v1.1.0/go.mod h1:f08F3l5/Pbayb4pjnv5PpUdQLFejgGfHrTjA6IZb0eM=
+github.com/go-oauth2/oauth2/v4 v4.5.4 h1:YjI0tmGW8oxVhn9QSBIxlr641QugWrJY5UWa6XmLcW0=
+github.com/go-oauth2/oauth2/v4 v4.5.4/go.mod h1:BXiOY+QZtZy2ewbsGk2B5P8TWmtz/Rf7ES5ZttQFxfQ=
github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
@@ -90,20 +102,26 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
+github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 h1:l5lAOZEym3oK3SQ2HBHWsJUfbNBiTXJDeW2QDxw9AQ0=
+github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
@@ -112,6 +130,8 @@ github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7Fsg
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/imkira/go-interpol v1.1.0 h1:KIiKr0VSG2CUW1hl1jpiyuzuJeKUUpC8iM1AIE7N1Vk=
+github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA=
github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
@@ -132,6 +152,10 @@ github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwA
github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/klauspost/compress v1.15.0 h1:xqfchp4whNFxn5A4XFyyYtitiWI8Hy5EW59jEwcyL6U=
+github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
@@ -148,6 +172,18 @@ github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgx
github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs=
+github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
+github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA=
+github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -160,6 +196,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
+github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
@@ -184,10 +222,18 @@ github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUA
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/smartystreets/assertions v1.1.0 h1:MkTeG1DMwsrdH7QtLXy5W+fUxWq+vmb6cLmyJ7aRtF0=
+github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
+github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -200,21 +246,35 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/stripe/stripe-go/v81 v81.4.0 h1:AuD9XzdAvl193qUCSaLocf8H+nRopOouXhxqJUzCLbw=
github.com/stripe/stripe-go/v81 v81.4.0/go.mod h1:C/F4jlmnGNacvYtBp/LUHCvVUJEZffFQCobkzwY1WOo=
github.com/thanhpk/randstr v1.0.6 h1:psAOktJFD4vV9NEVb3qkhRSMvYh4ORRaj1+w/hn4B+o=
github.com/thanhpk/randstr v1.0.6/go.mod h1:M/H2P1eNLZzlDwAzpkkkUvoyNNMbzRGhESZuEQk3r0U=
+github.com/tidwall/btree v0.0.0-20191029221954-400434d76274 h1:G6Z6HvJuPjG6XfNGi/feOATzeJrfgTNJY+rGrHbA04E=
+github.com/tidwall/btree v0.0.0-20191029221954-400434d76274/go.mod h1:huei1BkDWJ3/sLXmO+bsCNELL+Bp2Kks9OLyQFkzvA8=
+github.com/tidwall/buntdb v1.1.2 h1:noCrqQXL9EKMtcdwJcmuVKSEjqu1ua99RHHgbLTEHRo=
+github.com/tidwall/buntdb v1.1.2/go.mod h1:xAzi36Hir4FarpSHyfuZ6JzPJdjRZ8QlLZSntE2mqlI=
+github.com/tidwall/gjson v1.3.4/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls=
github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/grect v0.0.0-20161006141115-ba9a043346eb h1:5NSYaAdrnblKByzd7XByQEJVT8+9v0W/tIY0Oo4OwrE=
+github.com/tidwall/grect v0.0.0-20161006141115-ba9a043346eb/go.mod h1:lKYYLFIr9OIgdgrtgkZ9zgRxRdvPYsExnYBsEAd8W5M=
+github.com/tidwall/match v1.0.1/go.mod h1:LujAq0jyVjBy028G1WhWfIzbpQfMO8bBZ6Tyb0+pL9E=
github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/rtree v0.0.0-20180113144539-6cd427091e0e h1:+NL1GDIUOKxVfbp2KoJQD9cTQ6dyP2co9q4yzmT9FZo=
+github.com/tidwall/rtree v0.0.0-20180113144539-6cd427091e0e/go.mod h1:/h+UnNGt0IhNNJLkGikcdcJqm66zGD/uJGMRxK/9+Ao=
github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
+github.com/tidwall/tinyqueue v0.0.0-20180302190814-1e39f5511563 h1:Otn9S136ELckZ3KKDyCkxapfufrqDqwmGjcHfAyXRrE=
+github.com/tidwall/tinyqueue v0.0.0-20180302190814-1e39f5511563/go.mod h1:mLqSmt7Dv/CNneF2wfcChfN1rvapyQr01LGKnKex0DQ=
github.com/tiktoken-go/tokenizer v0.6.2 h1:t0GN2DvcUZSFWT/62YOgoqb10y7gSXBGs0A+4VCQK+g=
github.com/tiktoken-go/tokenizer v0.6.2/go.mod h1:6UCYI/DtOallbmL7sSy30p6YQv60qNyU/4aVigPOx6w=
github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
@@ -229,8 +289,24 @@ github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLY
github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY=
github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.34.0 h1:d3AAQJ2DRcxJYHm7OXNXtXt2as1vMDfxeIcFvhmGGm4=
+github.com/valyala/fasthttp v1.34.0/go.mod h1:epZA5N+7pY6ZaEKRmstzOuYJx9HI8DI1oaCGZpdH4h0=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 h1:6fRhSjgLCkTD3JnJxvaJ4Sj+TYblw757bqYgZaOq5ZY=
+github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0/go.mod h1:/LWChgwKmvncFJFHJ7Gvn9wZArjbV5/FppcK2fKk/tI=
+github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA=
+github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
+github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3IfnEUduWvb9is428/nNb5L3U01M=
+github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
@@ -247,6 +323,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
@@ -257,12 +335,12 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220110181412-a018aaa089fe/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
diff --git a/main.go b/main.go
index cc2288a61..b11e3a4b8 100644
--- a/main.go
+++ b/main.go
@@ -14,6 +14,7 @@ import (
"one-api/router"
"one-api/service"
"one-api/setting/ratio_setting"
+ "one-api/src/oauth"
"os"
"strconv"
@@ -203,5 +204,13 @@ func InitResources() error {
if err != nil {
return err
}
+
+ // Initialize OAuth2 server
+ err = oauth.InitOAuthServer()
+ if err != nil {
+ common.SysLog("Warning: Failed to initialize OAuth2 server: " + err.Error())
+ // OAuth2 失败不应该阻止系统启动
+ }
+
return nil
}
diff --git a/middleware/oauth_jwt.go b/middleware/oauth_jwt.go
new file mode 100644
index 000000000..3e8fe0c69
--- /dev/null
+++ b/middleware/oauth_jwt.go
@@ -0,0 +1,257 @@
+package middleware
+
+import (
+ "crypto/rsa"
+ "fmt"
+ "net/http"
+ "one-api/common"
+ "one-api/model"
+ "one-api/setting/system_setting"
+ "strings"
+
+ "github.com/gin-gonic/gin"
+ "github.com/golang-jwt/jwt/v5"
+)
+
+// OAuthJWTAuth OAuth2 JWT认证中间件
+func OAuthJWTAuth() gin.HandlerFunc {
+ return func(c *gin.Context) {
+ // 检查OAuth2是否启用
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ c.Next()
+ return
+ }
+
+ // 获取Authorization header
+ authHeader := c.GetHeader("Authorization")
+ if authHeader == "" {
+ c.Next() // 没有Authorization header,继续到下一个中间件
+ return
+ }
+
+ // 检查是否为Bearer token
+ if !strings.HasPrefix(authHeader, "Bearer ") {
+ c.Next() // 不是Bearer token,继续到下一个中间件
+ return
+ }
+
+ tokenString := strings.TrimPrefix(authHeader, "Bearer ")
+ if tokenString == "" {
+ abortWithOAuthError(c, "invalid_token", "Missing token")
+ return
+ }
+
+ // 验证JWT token
+ claims, err := validateOAuthJWT(tokenString)
+ if err != nil {
+ abortWithOAuthError(c, "invalid_token", err.Error())
+ return
+ }
+
+ // 验证token的有效性
+ if err := validateOAuthClaims(claims); err != nil {
+ abortWithOAuthError(c, "invalid_token", err.Error())
+ return
+ }
+
+ // 设置上下文信息
+ setOAuthContext(c, claims)
+ c.Next()
+ }
+}
+
+// validateOAuthJWT 验证OAuth2 JWT令牌
+func validateOAuthJWT(tokenString string) (jwt.MapClaims, error) {
+ // 解析JWT而不验证签名(先获取header中的kid)
+ token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+ // 检查签名方法
+ if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+ return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+ }
+
+ // 获取kid
+ kid, ok := token.Header["kid"].(string)
+ if !ok {
+ return nil, fmt.Errorf("missing kid in token header")
+ }
+
+ // 根据kid获取公钥
+ publicKey, err := getPublicKeyByKid(kid)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get public key: %w", err)
+ }
+
+ return publicKey, nil
+ })
+
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse token: %w", err)
+ }
+
+ if !token.Valid {
+ return nil, fmt.Errorf("invalid token")
+ }
+
+ claims, ok := token.Claims.(jwt.MapClaims)
+ if !ok {
+ return nil, fmt.Errorf("invalid token claims")
+ }
+
+ return claims, nil
+}
+
+// getPublicKeyByKid 根据kid获取公钥
+func getPublicKeyByKid(kid string) (*rsa.PublicKey, error) {
+ // 这里需要从JWKS获取公钥
+ // 在实际实现中,你可能需要从OAuth server获取JWKS
+ // 这里先实现一个简单版本
+
+ // TODO: 实现JWKS缓存和刷新机制
+ settings := system_setting.GetOAuth2Settings()
+ if settings.JWTKeyID == kid {
+ // 从OAuth server模块获取公钥
+ // 这需要在OAuth server初始化后才能使用
+ return nil, fmt.Errorf("JWKS functionality not yet implemented")
+ }
+
+ return nil, fmt.Errorf("unknown kid: %s", kid)
+}
+
+// validateOAuthClaims 验证OAuth2 claims
+func validateOAuthClaims(claims jwt.MapClaims) error {
+ settings := system_setting.GetOAuth2Settings()
+
+ // 验证issuer
+ if iss, ok := claims["iss"].(string); ok {
+ if iss != settings.Issuer {
+ return fmt.Errorf("invalid issuer")
+ }
+ } else {
+ return fmt.Errorf("missing issuer claim")
+ }
+
+ // 验证audience
+ // if aud, ok := claims["aud"].(string); ok {
+ // // TODO: 验证audience
+ // }
+
+ // 验证客户端ID
+ if clientID, ok := claims["client_id"].(string); ok {
+ // 验证客户端是否存在且有效
+ client, err := model.GetOAuthClientByID(clientID)
+ if err != nil {
+ return fmt.Errorf("invalid client")
+ }
+ if client.Status != common.UserStatusEnabled {
+ return fmt.Errorf("client disabled")
+ }
+ } else {
+ return fmt.Errorf("missing client_id claim")
+ }
+
+ return nil
+}
+
+// setOAuthContext 设置OAuth上下文信息
+func setOAuthContext(c *gin.Context, claims jwt.MapClaims) {
+ c.Set("oauth_claims", claims)
+ c.Set("oauth_authenticated", true)
+
+ // 提取基本信息
+ if clientID, ok := claims["client_id"].(string); ok {
+ c.Set("oauth_client_id", clientID)
+ }
+
+ if scope, ok := claims["scope"].(string); ok {
+ c.Set("oauth_scope", scope)
+ }
+
+ if sub, ok := claims["sub"].(string); ok {
+ c.Set("oauth_subject", sub)
+ }
+
+ // 对于client_credentials流程,subject就是client_id
+ // 对于authorization_code流程,subject是用户ID
+ if grantType, ok := claims["grant_type"].(string); ok {
+ c.Set("oauth_grant_type", grantType)
+ }
+}
+
+// abortWithOAuthError 返回OAuth错误响应
+func abortWithOAuthError(c *gin.Context, errorCode, description string) {
+ c.Header("WWW-Authenticate", fmt.Sprintf(`Bearer error="%s", error_description="%s"`, errorCode, description))
+ c.JSON(http.StatusUnauthorized, gin.H{
+ "error": errorCode,
+ "error_description": description,
+ })
+ c.Abort()
+}
+
+// RequireOAuthScope OAuth2 scope验证中间件
+func RequireOAuthScope(requiredScope string) gin.HandlerFunc {
+ return func(c *gin.Context) {
+ // 检查是否通过OAuth认证
+ if !c.GetBool("oauth_authenticated") {
+ abortWithOAuthError(c, "insufficient_scope", "OAuth2 authentication required")
+ return
+ }
+
+ // 获取token的scope
+ scope, exists := c.Get("oauth_scope")
+ if !exists {
+ abortWithOAuthError(c, "insufficient_scope", "No scope in token")
+ return
+ }
+
+ scopeStr, ok := scope.(string)
+ if !ok {
+ abortWithOAuthError(c, "insufficient_scope", "Invalid scope format")
+ return
+ }
+
+ // 检查是否包含所需的scope
+ scopes := strings.Split(scopeStr, " ")
+ for _, s := range scopes {
+ if strings.TrimSpace(s) == requiredScope {
+ c.Next()
+ return
+ }
+ }
+
+ abortWithOAuthError(c, "insufficient_scope", fmt.Sprintf("Required scope: %s", requiredScope))
+ }
+}
+
+// OptionalOAuthAuth 可选的OAuth认证中间件(不会阻止请求)
+func OptionalOAuthAuth() gin.HandlerFunc {
+ return func(c *gin.Context) {
+ // 尝试OAuth认证,但不会阻止请求
+ authHeader := c.GetHeader("Authorization")
+ if authHeader != "" && strings.HasPrefix(authHeader, "Bearer ") {
+ tokenString := strings.TrimPrefix(authHeader, "Bearer ")
+ if claims, err := validateOAuthJWT(tokenString); err == nil {
+ if validateOAuthClaims(claims) == nil {
+ setOAuthContext(c, claims)
+ }
+ }
+ }
+ c.Next()
+ }
+}
+
+// GetOAuthClaims 获取OAuth claims
+func GetOAuthClaims(c *gin.Context) (jwt.MapClaims, bool) {
+ claims, exists := c.Get("oauth_claims")
+ if !exists {
+ return nil, false
+ }
+
+ mapClaims, ok := claims.(jwt.MapClaims)
+ return mapClaims, ok
+}
+
+// IsOAuthAuthenticated 检查是否通过OAuth认证
+func IsOAuthAuthenticated(c *gin.Context) bool {
+ return c.GetBool("oauth_authenticated")
+}
diff --git a/model/main.go b/model/main.go
index 1a38d371b..bffbca249 100644
--- a/model/main.go
+++ b/model/main.go
@@ -265,6 +265,7 @@ func migrateDB() error {
&Setup{},
&TwoFA{},
&TwoFABackupCode{},
+ &OAuthClient{},
)
if err != nil {
return err
diff --git a/model/oauth_client.go b/model/oauth_client.go
new file mode 100644
index 000000000..a73ce8639
--- /dev/null
+++ b/model/oauth_client.go
@@ -0,0 +1,183 @@
+package model
+
+import (
+ "encoding/json"
+ "one-api/common"
+ "strings"
+ "time"
+
+ "gorm.io/gorm"
+)
+
+// OAuthClient OAuth2 客户端模型
+type OAuthClient struct {
+ ID string `json:"id" gorm:"type:varchar(64);primaryKey"`
+ Secret string `json:"secret" gorm:"type:varchar(128);not null"`
+ Name string `json:"name" gorm:"type:varchar(255);not null"`
+ Domain string `json:"domain" gorm:"type:varchar(255)"` // 允许的重定向域名
+ RedirectURIs string `json:"redirect_uris" gorm:"type:text"` // JSON array of redirect URIs
+ GrantTypes string `json:"grant_types" gorm:"type:varchar(255);default:'client_credentials'"`
+ Scopes string `json:"scopes" gorm:"type:varchar(255);default:'api:read'"`
+ RequirePKCE bool `json:"require_pkce" gorm:"default:true"`
+ Status int `json:"status" gorm:"type:int;default:1"` // 1: enabled, 2: disabled
+ CreatedBy int `json:"created_by" gorm:"type:int;not null"` // 创建者用户ID
+ CreatedTime int64 `json:"created_time" gorm:"bigint"`
+ LastUsedTime int64 `json:"last_used_time" gorm:"bigint;default:0"`
+ TokenCount int `json:"token_count" gorm:"type:int;default:0"` // 已签发的token数量
+ Description string `json:"description" gorm:"type:text"`
+ ClientType string `json:"client_type" gorm:"type:varchar(32);default:'confidential'"` // confidential, public
+ DeletedAt gorm.DeletedAt `gorm:"index"`
+}
+
+// GetRedirectURIs 获取重定向URI列表
+func (c *OAuthClient) GetRedirectURIs() []string {
+ if c.RedirectURIs == "" {
+ return []string{}
+ }
+ var uris []string
+ err := json.Unmarshal([]byte(c.RedirectURIs), &uris)
+ if err != nil {
+ common.SysLog("failed to unmarshal redirect URIs: " + err.Error())
+ return []string{}
+ }
+ return uris
+}
+
+// SetRedirectURIs 设置重定向URI列表
+func (c *OAuthClient) SetRedirectURIs(uris []string) {
+ data, err := json.Marshal(uris)
+ if err != nil {
+ common.SysLog("failed to marshal redirect URIs: " + err.Error())
+ return
+ }
+ c.RedirectURIs = string(data)
+}
+
+// GetGrantTypes 获取允许的授权类型列表
+func (c *OAuthClient) GetGrantTypes() []string {
+ if c.GrantTypes == "" {
+ return []string{"client_credentials"}
+ }
+ return strings.Split(c.GrantTypes, ",")
+}
+
+// SetGrantTypes 设置允许的授权类型列表
+func (c *OAuthClient) SetGrantTypes(types []string) {
+ c.GrantTypes = strings.Join(types, ",")
+}
+
+// GetScopes 获取允许的scope列表
+func (c *OAuthClient) GetScopes() []string {
+ if c.Scopes == "" {
+ return []string{"api:read"}
+ }
+ return strings.Split(c.Scopes, ",")
+}
+
+// SetScopes 设置允许的scope列表
+func (c *OAuthClient) SetScopes(scopes []string) {
+ c.Scopes = strings.Join(scopes, ",")
+}
+
+// ValidateRedirectURI 验证重定向URI是否有效
+func (c *OAuthClient) ValidateRedirectURI(uri string) bool {
+ allowedURIs := c.GetRedirectURIs()
+ for _, allowedURI := range allowedURIs {
+ if allowedURI == uri {
+ return true
+ }
+ }
+ return false
+}
+
+// ValidateGrantType 验证授权类型是否被允许
+func (c *OAuthClient) ValidateGrantType(grantType string) bool {
+ allowedTypes := c.GetGrantTypes()
+ for _, allowedType := range allowedTypes {
+ if allowedType == grantType {
+ return true
+ }
+ }
+ return false
+}
+
+// ValidateScope 验证scope是否被允许
+func (c *OAuthClient) ValidateScope(scope string) bool {
+ allowedScopes := c.GetScopes()
+ requestedScopes := strings.Split(scope, " ")
+
+ for _, requestedScope := range requestedScopes {
+ requestedScope = strings.TrimSpace(requestedScope)
+ if requestedScope == "" {
+ continue
+ }
+ found := false
+ for _, allowedScope := range allowedScopes {
+ if allowedScope == requestedScope {
+ found = true
+ break
+ }
+ }
+ if !found {
+ return false
+ }
+ }
+ return true
+}
+
+// BeforeCreate GORM hook - 在创建前设置时间
+func (c *OAuthClient) BeforeCreate(tx *gorm.DB) (err error) {
+ c.CreatedTime = time.Now().Unix()
+ return
+}
+
+// UpdateLastUsedTime 更新最后使用时间
+func (c *OAuthClient) UpdateLastUsedTime() error {
+ c.LastUsedTime = time.Now().Unix()
+ c.TokenCount++
+ return DB.Model(c).Select("last_used_time", "token_count").Updates(c).Error
+}
+
+// GetOAuthClientByID 根据ID获取OAuth客户端
+func GetOAuthClientByID(id string) (*OAuthClient, error) {
+ var client OAuthClient
+ err := DB.Where("id = ? AND status = ?", id, common.UserStatusEnabled).First(&client).Error
+ return &client, err
+}
+
+// GetAllOAuthClients 获取所有OAuth客户端
+func GetAllOAuthClients(startIdx int, num int) ([]*OAuthClient, error) {
+ var clients []*OAuthClient
+ err := DB.Order("created_time desc").Limit(num).Offset(startIdx).Find(&clients).Error
+ return clients, err
+}
+
+// SearchOAuthClients 搜索OAuth客户端
+func SearchOAuthClients(keyword string) ([]*OAuthClient, error) {
+ var clients []*OAuthClient
+ err := DB.Where("name LIKE ? OR id LIKE ? OR description LIKE ?",
+ "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%").Find(&clients).Error
+ return clients, err
+}
+
+// CreateOAuthClient 创建OAuth客户端
+func CreateOAuthClient(client *OAuthClient) error {
+ return DB.Create(client).Error
+}
+
+// UpdateOAuthClient 更新OAuth客户端
+func UpdateOAuthClient(client *OAuthClient) error {
+ return DB.Save(client).Error
+}
+
+// DeleteOAuthClient 删除OAuth客户端
+func DeleteOAuthClient(id string) error {
+ return DB.Where("id = ?", id).Delete(&OAuthClient{}).Error
+}
+
+// CountOAuthClients 统计OAuth客户端数量
+func CountOAuthClients() (int64, error) {
+ var count int64
+ err := DB.Model(&OAuthClient{}).Count(&count).Error
+ return count, err
+}
diff --git a/router/api-router.go b/router/api-router.go
index 773857385..5d8e95042 100644
--- a/router/api-router.go
+++ b/router/api-router.go
@@ -31,6 +31,19 @@ func SetApiRouter(router *gin.Engine) {
apiRouter.GET("/oauth/oidc", middleware.CriticalRateLimit(), controller.OidcAuth)
apiRouter.GET("/oauth/linuxdo", middleware.CriticalRateLimit(), controller.LinuxdoOAuth)
apiRouter.GET("/oauth/state", middleware.CriticalRateLimit(), controller.GenerateOAuthCode)
+
+ // OAuth2 Server endpoints
+ apiRouter.GET("/.well-known/jwks.json", controller.GetJWKS)
+ apiRouter.GET("/.well-known/oauth-authorization-server", controller.OAuthServerInfo)
+ apiRouter.POST("/oauth/token", middleware.CriticalRateLimit(), controller.OAuthTokenEndpoint)
+ apiRouter.GET("/oauth/authorize", controller.OAuthAuthorizeEndpoint)
+ apiRouter.POST("/oauth/introspect", middleware.AdminAuth(), controller.OAuthIntrospect)
+ apiRouter.POST("/oauth/revoke", middleware.CriticalRateLimit(), controller.OAuthRevoke)
+
+ // OAuth2 管理API (前端使用)
+ apiRouter.GET("/oauth/jwks", controller.GetJWKS)
+ apiRouter.GET("/oauth/server-info", controller.OAuthServerInfo)
+
apiRouter.GET("/oauth/wechat", middleware.CriticalRateLimit(), controller.WeChatAuth)
apiRouter.GET("/oauth/wechat/bind", middleware.CriticalRateLimit(), controller.WeChatBind)
apiRouter.GET("/oauth/email/bind", middleware.CriticalRateLimit(), controller.EmailBind)
@@ -234,5 +247,17 @@ func SetApiRouter(router *gin.Engine) {
modelsRoute.PUT("/", controller.UpdateModelMeta)
modelsRoute.DELETE("/:id", controller.DeleteModelMeta)
}
+
+ oauthClientsRoute := apiRouter.Group("/oauth_clients")
+ oauthClientsRoute.Use(middleware.AdminAuth())
+ {
+ oauthClientsRoute.GET("/", controller.GetAllOAuthClients)
+ oauthClientsRoute.GET("/search", controller.SearchOAuthClients)
+ oauthClientsRoute.GET("/:id", controller.GetOAuthClient)
+ oauthClientsRoute.POST("/", controller.CreateOAuthClient)
+ oauthClientsRoute.PUT("/", controller.UpdateOAuthClient)
+ oauthClientsRoute.DELETE("/:id", controller.DeleteOAuthClient)
+ oauthClientsRoute.POST("/:id/regenerate_secret", controller.RegenerateOAuthClientSecret)
+ }
}
}
diff --git a/setting/system_setting/oauth2.go b/setting/system_setting/oauth2.go
new file mode 100644
index 000000000..078fe69e9
--- /dev/null
+++ b/setting/system_setting/oauth2.go
@@ -0,0 +1,70 @@
+package system_setting
+
+import "one-api/setting/config"
+
+type OAuth2Settings struct {
+ Enabled bool `json:"enabled"`
+ Issuer string `json:"issuer"`
+ AccessTokenTTL int `json:"access_token_ttl"` // in minutes
+ RefreshTokenTTL int `json:"refresh_token_ttl"` // in minutes
+ AllowedGrantTypes []string `json:"allowed_grant_types"` // client_credentials, authorization_code, refresh_token
+ RequirePKCE bool `json:"require_pkce"` // force PKCE for authorization code flow
+ JWTSigningAlgorithm string `json:"jwt_signing_algorithm"`
+ JWTKeyID string `json:"jwt_key_id"`
+ JWTPrivateKeyFile string `json:"jwt_private_key_file"`
+ AutoCreateUser bool `json:"auto_create_user"` // auto create user on first OAuth2 login
+ DefaultUserRole int `json:"default_user_role"` // default role for auto-created users
+ DefaultUserGroup string `json:"default_user_group"` // default group for auto-created users
+ ScopeMappings map[string][]string `json:"scope_mappings"` // scope to permissions mapping
+}
+
+// 默认配置
+var defaultOAuth2Settings = OAuth2Settings{
+ Enabled: false,
+ AccessTokenTTL: 10, // 10 minutes
+ RefreshTokenTTL: 720, // 12 hours
+ AllowedGrantTypes: []string{"client_credentials", "authorization_code", "refresh_token"},
+ RequirePKCE: true,
+ JWTSigningAlgorithm: "RS256",
+ JWTKeyID: "oauth2-key-1",
+ AutoCreateUser: false,
+ DefaultUserRole: 1, // common user
+ DefaultUserGroup: "default",
+ ScopeMappings: map[string][]string{
+ "api:read": {"read"},
+ "api:write": {"write"},
+ "admin": {"admin"},
+ },
+}
+
+func init() {
+ // 注册到全局配置管理器
+ config.GlobalConfig.Register("oauth2", &defaultOAuth2Settings)
+}
+
+func GetOAuth2Settings() *OAuth2Settings {
+ return &defaultOAuth2Settings
+}
+
+// UpdateOAuth2Settings 更新OAuth2配置
+func UpdateOAuth2Settings(settings OAuth2Settings) {
+ defaultOAuth2Settings = settings
+}
+
+// ValidateGrantType 验证授权类型是否被允许
+func (s *OAuth2Settings) ValidateGrantType(grantType string) bool {
+ for _, allowedType := range s.AllowedGrantTypes {
+ if allowedType == grantType {
+ return true
+ }
+ }
+ return false
+}
+
+// GetScopePermissions 获取scope对应的权限
+func (s *OAuth2Settings) GetScopePermissions(scope string) []string {
+ if perms, exists := s.ScopeMappings[scope]; exists {
+ return perms
+ }
+ return []string{}
+}
diff --git a/src/oauth/server.go b/src/oauth/server.go
new file mode 100644
index 000000000..65f53b121
--- /dev/null
+++ b/src/oauth/server.go
@@ -0,0 +1,80 @@
+package oauth
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "fmt"
+ "one-api/common"
+ "one-api/setting/system_setting"
+
+ "github.com/gin-gonic/gin"
+ "github.com/lestrrat-go/jwx/v2/jwk"
+)
+
+var (
+ simplePrivateKey *rsa.PrivateKey
+ simpleJWKSSet jwk.Set
+)
+
+// InitOAuthServer 简化版OAuth2服务器初始化
+func InitOAuthServer() error {
+ settings := system_setting.GetOAuth2Settings()
+ if !settings.Enabled {
+ common.SysLog("OAuth2 server is disabled")
+ return nil
+ }
+
+ // 生成RSA私钥(简化版本)
+ var err error
+ simplePrivateKey, err = rsa.GenerateKey(rand.Reader, 2048)
+ if err != nil {
+ return fmt.Errorf("failed to generate RSA key: %w", err)
+ }
+
+ // 创建JWKS
+ simpleJWKSSet, err = createSimpleJWKS(simplePrivateKey, settings.JWTKeyID)
+ if err != nil {
+ return fmt.Errorf("failed to create JWKS: %w", err)
+ }
+
+ common.SysLog("OAuth2 server initialized successfully (simple mode)")
+ return nil
+}
+
+// createSimpleJWKS 创建简单的JWKS
+func createSimpleJWKS(privateKey *rsa.PrivateKey, keyID string) (jwk.Set, error) {
+ pubJWK, err := jwk.FromRaw(&privateKey.PublicKey)
+ if err != nil {
+ return nil, err
+ }
+
+ _ = pubJWK.Set(jwk.KeyIDKey, keyID)
+ _ = pubJWK.Set(jwk.AlgorithmKey, "RS256")
+ _ = pubJWK.Set(jwk.KeyUsageKey, "sig")
+
+ jwks := jwk.NewSet()
+ _ = jwks.AddKey(pubJWK)
+
+ return jwks, nil
+}
+
+// GetJWKS 获取JWKS(简化版本)
+func GetJWKS() jwk.Set {
+ return simpleJWKSSet
+}
+
+// HandleTokenRequest 简化的令牌处理(临时实现)
+func HandleTokenRequest(c *gin.Context) {
+ c.JSON(501, map[string]string{
+ "error": "not_implemented",
+ "error_description": "OAuth2 token endpoint not fully implemented yet",
+ })
+}
+
+// HandleAuthorizeRequest 简化的授权处理(临时实现)
+func HandleAuthorizeRequest(c *gin.Context) {
+ c.JSON(501, map[string]string{
+ "error": "not_implemented",
+ "error_description": "OAuth2 authorize endpoint not fully implemented yet",
+ })
+}
diff --git a/web/src/components/modals/oauth2/CreateOAuth2ClientModal.jsx b/web/src/components/modals/oauth2/CreateOAuth2ClientModal.jsx
new file mode 100644
index 000000000..2d13e840c
--- /dev/null
+++ b/web/src/components/modals/oauth2/CreateOAuth2ClientModal.jsx
@@ -0,0 +1,318 @@
+/*
+Copyright (C) 2025 QuantumNous
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+
+For commercial licensing, please contact support@quantumnous.com
+*/
+
+import React, { useState } from 'react';
+import {
+ Modal,
+ Form,
+ Input,
+ Select,
+ TextArea,
+ Switch,
+ Space,
+ Typography,
+ Divider,
+ Tag,
+ Button,
+} from '@douyinfe/semi-ui';
+import { IconPlus, IconDelete } from '@douyinfe/semi-icons';
+import { API, showError, showSuccess, showInfo } from '../../../helpers';
+
+const { Text, Paragraph } = Typography;
+const { Option } = Select;
+
+const CreateOAuth2ClientModal = ({ visible, onCancel, onSuccess }) => {
+ const [formApi, setFormApi] = useState(null);
+ const [loading, setLoading] = useState(false);
+ const [redirectUris, setRedirectUris] = useState(['']);
+ const [clientType, setClientType] = useState('confidential');
+ const [grantTypes, setGrantTypes] = useState(['client_credentials']);
+
+ // 处理提交
+ const handleSubmit = async (values) => {
+ setLoading(true);
+ try {
+ // 过滤空的重定向URI
+ const validRedirectUris = redirectUris.filter(uri => uri.trim());
+
+ const payload = {
+ ...values,
+ client_type: clientType,
+ grant_types: grantTypes,
+ redirect_uris: validRedirectUris,
+ };
+
+ const res = await API.post('/api/oauth_clients/', payload);
+ const { success, message, client_id, client_secret } = res.data;
+
+ if (success) {
+ showSuccess('OAuth2客户端创建成功');
+
+ // 显示客户端信息
+ Modal.info({
+ title: '客户端创建成功',
+ content: (
+
+
请妥善保存以下信息:
+
+
+ 客户端ID:
+
+
+ {client_id}
+
+
+ {client_secret && (
+
+ 客户端密钥(仅此一次显示):
+
+
+ {client_secret}
+
+
+ )}
+
+
+ {client_secret
+ ? '客户端密钥仅显示一次,请立即复制保存。'
+ : '公开客户端无需密钥。'
+ }
+
+
+
+
+
+ );
+};
+
+export default OAuth2Setting;
\ No newline at end of file
diff --git a/web/src/pages/Setting/OAuth2/OAuth2ClientSettings.jsx b/web/src/pages/Setting/OAuth2/OAuth2ClientSettings.jsx
new file mode 100644
index 000000000..4afc6478e
--- /dev/null
+++ b/web/src/pages/Setting/OAuth2/OAuth2ClientSettings.jsx
@@ -0,0 +1,420 @@
+/*
+Copyright (C) 2025 QuantumNous
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+
+For commercial licensing, please contact support@quantumnous.com
+*/
+
+import React, { useEffect, useState } from 'react';
+import {
+ Card,
+ Table,
+ Button,
+ Space,
+ Tag,
+ Typography,
+ Input,
+ Popconfirm,
+ Modal,
+ Form,
+ Banner,
+ Row,
+ Col
+} from '@douyinfe/semi-ui';
+import { IconSearch, IconPlus } from '@douyinfe/semi-icons';
+import { API, showError, showSuccess, showInfo } from '../../../helpers';
+import CreateOAuth2ClientModal from '../../../components/modals/oauth2/CreateOAuth2ClientModal';
+import EditOAuth2ClientModal from '../../../components/modals/oauth2/EditOAuth2ClientModal';
+import { useTranslation } from 'react-i18next';
+
+const { Text, Title } = Typography;
+
+export default function OAuth2ClientSettings() {
+ const { t } = useTranslation();
+ const [loading, setLoading] = useState(false);
+ const [clients, setClients] = useState([]);
+ const [filteredClients, setFilteredClients] = useState([]);
+ const [searchKeyword, setSearchKeyword] = useState('');
+ const [showCreateModal, setShowCreateModal] = useState(false);
+ const [showEditModal, setShowEditModal] = useState(false);
+ const [editingClient, setEditingClient] = useState(null);
+ const [showSecretModal, setShowSecretModal] = useState(false);
+ const [currentSecret, setCurrentSecret] = useState('');
+
+ // 加载客户端列表
+ const loadClients = async () => {
+ setLoading(true);
+ try {
+ const res = await API.get('/api/oauth_clients/');
+ if (res.data.success) {
+ setClients(res.data.data || []);
+ setFilteredClients(res.data.data || []);
+ } else {
+ showError(res.data.message);
+ }
+ } catch (error) {
+ showError('加载OAuth2客户端失败');
+ } finally {
+ setLoading(false);
+ }
+ };
+
+ // 搜索过滤
+ const handleSearch = (value) => {
+ setSearchKeyword(value);
+ if (!value) {
+ setFilteredClients(clients);
+ } else {
+ const filtered = clients.filter(client =>
+ client.name?.toLowerCase().includes(value.toLowerCase()) ||
+ client.id?.toLowerCase().includes(value.toLowerCase()) ||
+ client.description?.toLowerCase().includes(value.toLowerCase())
+ );
+ setFilteredClients(filtered);
+ }
+ };
+
+ // 删除客户端
+ const handleDelete = async (client) => {
+ try {
+ const res = await API.delete(`/api/oauth_clients/${client.id}`);
+ if (res.data.success) {
+ showSuccess('删除成功');
+ loadClients();
+ } else {
+ showError(res.data.message);
+ }
+ } catch (error) {
+ showError('删除失败');
+ }
+ };
+
+ // 重新生成密钥
+ const handleRegenerateSecret = async (client) => {
+ try {
+ const res = await API.post(`/api/oauth_clients/${client.id}/regenerate_secret`);
+ if (res.data.success) {
+ setCurrentSecret(res.data.client_secret);
+ setShowSecretModal(true);
+ loadClients();
+ } else {
+ showError(res.data.message);
+ }
+ } catch (error) {
+ showError('重新生成密钥失败');
+ }
+ };
+
+ // 表格列定义
+ const columns = [
+ {
+ title: '客户端名称',
+ dataIndex: 'name',
+ key: 'name',
+ render: (text, record) => (
+
+ {text}
+
+ {record.id}
+
+ ),
+ },
+ {
+ title: '类型',
+ dataIndex: 'client_type',
+ key: 'client_type',
+ render: (text) => (
+
+ {text === 'confidential' ? '机密客户端' : '公开客户端'}
+
+ ),
+ },
+ {
+ title: '授权类型',
+ dataIndex: 'grant_types',
+ key: 'grant_types',
+ render: (grantTypes) => {
+ const types = typeof grantTypes === 'string' ? grantTypes.split(',') : (grantTypes || []);
+ return (
+
+ {types.map(type => (
+
+ {type === 'client_credentials' ? '客户端凭证' :
+ type === 'authorization_code' ? '授权码' :
+ type === 'refresh_token' ? '刷新令牌' : type}
+
+ ))}
+
+ );
+ },
+ },
+ {
+ title: '状态',
+ dataIndex: 'status',
+ key: 'status',
+ render: (status) => (
+
+ {status === 1 ? '启用' : '禁用'}
+
+ ),
+ },
+ {
+ title: '创建时间',
+ dataIndex: 'created_time',
+ key: 'created_time',
+ render: (time) => new Date(time * 1000).toLocaleString(),
+ },
+ {
+ title: '操作',
+ key: 'action',
+ render: (_, record) => (
+
+
+ {record.client_type === 'confidential' && (
+
+ )}
+ handleDelete(record)}
+ okText="确定"
+ cancelText="取消"
+ >
+
+
+
+ ),
+ },
+ ];
+
+ useEffect(() => {
+ loadClients();
+ }, []);
+
+ return (
+
+
+
+
+
+
+
+ }
+ placeholder="搜索客户端名称、ID或描述"
+ value={searchKeyword}
+ onChange={handleSearch}
+ showClear
+ />
+
+
+
+ }
+ onClick={() => setShowCreateModal(true)}
+ >
+ 创建OAuth2客户端
+
+
+
+
+ `第 ${range[0]}-${range[1]} 条,共 ${total} 条`,
+ pageSize: 10,
+ }}
+ empty={
+
+ 暂无OAuth2客户端
+
+ }
+ onClick={() => setShowCreateModal(true)}
+ style={{ marginTop: 10 }}
+ >
+ 创建第一个客户端
+
+
+ }
+ />
+
+ {/* 快速操作 */}
+
+ 快速操作
+
+
+
+
+
+
+
+
+
新的客户端密钥如下,请立即复制保存。关闭此窗口后将无法再次查看。
+
+ {currentSecret}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ );
+}
\ No newline at end of file
diff --git a/web/src/pages/Setting/index.jsx b/web/src/pages/Setting/index.jsx
index 255ec683e..fe7a60921 100644
--- a/web/src/pages/Setting/index.jsx
+++ b/web/src/pages/Setting/index.jsx
@@ -32,6 +32,7 @@ import {
MessageSquare,
Palette,
CreditCard,
+ Shield,
} from 'lucide-react';
import SystemSetting from '../../components/settings/SystemSetting';
@@ -45,6 +46,7 @@ import RatioSetting from '../../components/settings/RatioSetting';
import ChatsSetting from '../../components/settings/ChatsSetting';
import DrawingSetting from '../../components/settings/DrawingSetting';
import PaymentSetting from '../../components/settings/PaymentSetting';
+import OAuth2Setting from '../../components/settings/OAuth2Setting';
const Setting = () => {
const { t } = useTranslation();
@@ -134,6 +136,16 @@ const Setting = () => {
content: ,
itemKey: 'models',
});
+ panes.push({
+ tab: (
+
+
+ {t('OAuth2 & SSO')}
+
+ ),
+ content: ,
+ itemKey: 'oauth2',
+ });
panes.push({
tab: (