From 01502122b2653f77ea49bcabc464abe62b97b6f1 Mon Sep 17 00:00:00 2001
From: Simon Franken <mail@simon-franken.de>
Date: Wed, 18 Feb 2026 20:05:32 +0100
Subject: [PATCH] Revert "update"

This reverts commit 5c86afd640da6afef44aeecd378afa86f22419eb.
---
 README.md                                     |  1 +
 backend/src/auth/oidc.ts                      | 76 +++++++++----------
 backend/src/config/index.ts                   |  3 +
 docker-compose.yml                            |  1 +
 .../templates/backend-deployment.yaml         |  2 +
 timetracker-chart/values.yaml                 |  1 +
 6 files changed, 45 insertions(+), 39 deletions(-)

diff --git a/README.md b/README.md
index c968518..a902ad5 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,7 @@ DATABASE_URL="postgresql://user:password@localhost:5432/timetracker"
 # OIDC Configuration
 OIDC_ISSUER_URL="https://your-oidc-provider.com"
 OIDC_CLIENT_ID="your-client-id"
+OIDC_REDIRECT_URI="http://localhost:3001/auth/callback"
 
 # Session
 SESSION_SECRET="your-secure-session-secret-min-32-chars"
diff --git a/backend/src/auth/oidc.ts b/backend/src/auth/oidc.ts
index a39a4fd..e81bd96 100644
--- a/backend/src/auth/oidc.ts
+++ b/backend/src/auth/oidc.ts
@@ -1,29 +1,30 @@
-import { Issuer, generators, Client, TokenSet } from "openid-client";
-import { config } from "../config";
-import type { AuthenticatedUser } from "../types";
+import { Issuer, generators, Client, TokenSet } from 'openid-client';
+import { config } from '../config';
+import type { AuthenticatedUser } from '../types';
 
 let oidcClient: Client | null = null;
 
 export async function initializeOIDC(): Promise<void> {
   try {
     const issuer = await Issuer.discover(config.oidc.issuerUrl);
-
+    
     oidcClient = new issuer.Client({
       client_id: config.oidc.clientId,
-      response_types: ["code"],
-      token_endpoint_auth_method: "none", // PKCE flow - no client secret
+      redirect_uris: [config.oidc.redirectUri],
+      response_types: ['code'],
+      token_endpoint_auth_method: 'none', // PKCE flow - no client secret
     });
-
-    console.log("OIDC client initialized");
+    
+    console.log('OIDC client initialized');
   } catch (error) {
-    console.error("Failed to initialize OIDC client:", error);
+    console.error('Failed to initialize OIDC client:', error);
     throw error;
   }
 }
 
 export function getOIDCClient(): Client {
   if (!oidcClient) {
-    throw new Error("OIDC client not initialized");
+    throw new Error('OIDC client not initialized');
   }
   return oidcClient;
 }
@@ -45,38 +46,40 @@ export function createAuthSession(): AuthSession {
 export function getAuthorizationUrl(session: AuthSession): string {
   const client = getOIDCClient();
   const codeChallenge = generators.codeChallenge(session.codeVerifier);
-
+  
   return client.authorizationUrl({
-    scope: "openid profile email",
+    scope: 'openid profile email',
     state: session.state,
     nonce: session.nonce,
     code_challenge: codeChallenge,
-    code_challenge_method: "S256",
+    code_challenge_method: 'S256',
   });
 }
 
 export async function handleCallback(
   params: Record<string, string>,
-  session: AuthSession,
+  session: AuthSession
 ): Promise<TokenSet> {
   const client = getOIDCClient();
-
-  const tokenSet = await client.callback(undefined, params, {
-    code_verifier: session.codeVerifier,
-    state: session.state,
-    nonce: session.nonce,
-  });
-
+  
+  const tokenSet = await client.callback(
+    config.oidc.redirectUri,
+    params,
+    {
+      code_verifier: session.codeVerifier,
+      state: session.state,
+      nonce: session.nonce,
+    }
+  );
+  
   return tokenSet;
 }
 
-export async function getUserInfo(
-  tokenSet: TokenSet,
-): Promise<AuthenticatedUser> {
+export async function getUserInfo(tokenSet: TokenSet): Promise<AuthenticatedUser> {
   const client = getOIDCClient();
-
+  
   const claims = tokenSet.claims();
-
+  
   // Try to get more detailed userinfo if available
   let userInfo: Record<string, unknown> = {};
   try {
@@ -85,21 +88,16 @@ export async function getUserInfo(
     // Some providers don't support userinfo endpoint
     // We'll use the claims from the ID token
   }
-
+  
   const id = String(claims.sub);
-  const username = String(
-    userInfo.preferred_username ||
-      claims.preferred_username ||
-      claims.name ||
-      id,
-  );
-  const email = String(userInfo.email || claims.email || "");
-  const fullName = String(userInfo.name || claims.name || "") || null;
-
+  const username = String(userInfo.preferred_username || claims.preferred_username || claims.name || id);
+  const email = String(userInfo.email || claims.email || '');
+  const fullName = String(userInfo.name || claims.name || '') || null;
+  
   if (!email) {
-    throw new Error("Email not provided by OIDC provider");
+    throw new Error('Email not provided by OIDC provider');
   }
-
+  
   return {
     id,
     username,
@@ -116,4 +114,4 @@ export async function verifyToken(tokenSet: TokenSet): Promise<boolean> {
   } catch {
     return false;
   }
-}
+}
\ No newline at end of file
diff --git a/backend/src/config/index.ts b/backend/src/config/index.ts
index 03a4e02..78b4d62 100644
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@@ -14,6 +14,9 @@ export const config = {
   oidc: {
     issuerUrl: process.env.OIDC_ISSUER_URL || "",
     clientId: process.env.OIDC_CLIENT_ID || "",
+    redirectUri:
+      process.env.OIDC_REDIRECT_URI ||
+      "http://localhost:3001/api/auth/callback",
   },
 
   session: {
diff --git a/docker-compose.yml b/docker-compose.yml
index c288aa0..2d54851 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -23,6 +23,7 @@ services:
       DATABASE_URL: "postgresql://timetracker:timetracker_password@db:5432/timetracker"
       OIDC_ISSUER_URL: ${OIDC_ISSUER_URL}
       OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
+      OIDC_REDIRECT_URI: "${API_URL}/auth/callback"
       SESSION_SECRET: ${SESSION_SECRET}
       PORT: 3001
       NODE_ENV: development
diff --git a/timetracker-chart/templates/backend-deployment.yaml b/timetracker-chart/templates/backend-deployment.yaml
index 9efb16a..841b46d 100644
--- a/timetracker-chart/templates/backend-deployment.yaml
+++ b/timetracker-chart/templates/backend-deployment.yaml
@@ -54,6 +54,8 @@ spec:
               value: {{ .Values.backend.oidc.issuerUrl | quote }}
             - name: OIDC_CLIENT_ID
               value: {{ .Values.backend.oidc.clientId | quote }}
+            - name: OIDC_REDIRECT_URI
+              value: {{ .Values.backend.oidc.redirectUri | quote }}
             - name: SESSION_SECRET
               value: {{ .Values.backend.session.secret | quote }}
             - name: APP_URL
diff --git a/timetracker-chart/values.yaml b/timetracker-chart/values.yaml
index 3d710ef..eb19fe3 100644
--- a/timetracker-chart/values.yaml
+++ b/timetracker-chart/values.yaml
@@ -41,6 +41,7 @@ backend:
   oidc:
     issuerUrl: ""
     clientId: ""
+    redirectUri: ""
 
   # Session configuration
   session: