feat(oidc): add Hugging Face OpenID Connect Provider #198

Draft

halvaradop wants to merge 1 commit into master from feat/add-huggingface-oidc

Conversation

halvaradop (Member) commented Jun 25, 2026

Description

This pull request adds support for the Hugging Face OpenID Connect (OIDC) provider to the list of authentication providers available in Aura Auth.

This is the second OIDC provider supported by Aura Auth. Additional OAuth/OIDC providers will be added in future releases to provide broader coverage of commonly used identity providers for web applications.

Usage

```ts
import { createAuth } from "@aura-stack/auth"

export const auth = createAuth({
  oauth: ["hugging"],
})

export const { handlers } = auth
```

Note

This PR will remain in draft status until the Hugging Face OIDC provider has been fully validated with Aura Auth.

While the implementation passes the basic authentication flows and core use cases, it has not yet been comprehensively tested. Additional verification is required to ensure all provider-specific behaviors work as expected and to identify any edge cases before the feature is considered production-ready.

vercel Bot (Contributor) commented Jun 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| auth | Ready | Preview, Comment | Jun 25, 2026 4:36pm |

coderabbitai Bot commented Jun 25, 2026

📝 Walkthrough

Adds a Hugging Face OAuth/OpenID provider and a documentation page covering app setup, configuration, sign-in flows, session retrieval, and related references.

Changes

Hugging Face OAuth provider and docs

| Layer | File(s) | Summary |
|---|---|---|
| Provider module | packages/core/src/oauth/huggingface.ts | Adds Hugging Face profile-related types and a provider factory with Hugging Face metadata and profile mapping. |
| Setup and configuration docs | docs/src/content/docs/(core)/oauth/huggingface.mdx | Adds documentation for app registration, installation, environment variables, auth instance configuration, and provider customization. |
| Sign-in and references docs | docs/src/content/docs/(core)/oauth/huggingface.mdx | Adds documentation for direct, client-side, and server-side sign-in, session retrieval, and resource links. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

oauth

Poem

🐇 I hopped through OAuth fields at dawn,
With Hugging Face the trail grew long.
Sessions sparkled, sign-ins sang,
Docs and code together rang.
A cozy carrot-crafted charm!

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely matches the main change: adding a Hugging Face OpenID Connect provider. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
packages/core/src/oauth/huggingface.ts (1)

56-62: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Profile mapping drops available claims.

`HuggingFaceProfile` exposes `email_verified` (and `preferred_username`), but the mapping only forwards `sub`/`name`/`email`/`image`. If the upstream User/Aura profile shape supports `email_verified`/`nickname` (as the preset in `packages/core/test/presets.ts` suggests), consider mapping them through. The `as DefaultUser` cast also suppresses any field-shape mismatch.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fb59048d-489e-4568-8e1c-dc2ddcee2e5c

📥 Commits

Reviewing files that changed from the base of the PR and between 99a5419 and a8145e7.

📒 Files selected for processing (2)
  • docs/src/content/docs/(core)/oauth/huggingface.mdx
  • packages/core/src/oauth/huggingface.ts
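As an added example (not code from this PR or from Aura Auth), a profile mapper in the spirit of the nitpick above. The `HuggingFaceProfile` and `AuraUser` interfaces are assumed shapes built from the field names the review mentions; every target field is assigned explicitly, so the mapping is type-checked without an `as` cast, and the second function shows why `email_verified` is worth forwarding.

```typescript
// Assumed shape of the OIDC userinfo claims (not the project's own type);
// field names follow the claims named in the review comment.
interface HuggingFaceProfile {
  sub: string
  name?: string
  preferred_username?: string
  email?: string
  email_verified?: boolean
  picture?: string
}

// Assumed target user shape with the email_verified/nickname fields the
// review says the upstream User/Aura profile supports.
interface AuraUser {
  id: string
  name: string | null
  nickname: string | null
  email: string | null
  email_verified: boolean
  image: string | null
}

// Typed mapper: each target field is written out, so a mismatch between the
// profile shape and the user shape is a compile error instead of being
// hidden behind a cast.
function mapHuggingFaceProfile(profile: HuggingFaceProfile): AuraUser {
  return {
    id: profile.sub,
    name: profile.name ?? null,
    nickname: profile.preferred_username ?? null,
    email: profile.email ?? null,
    // Only a literal `true` counts; a missing claim is treated as unverified.
    email_verified: profile.email_verified === true,
    image: profile.picture ?? null,
  }
}

// An email address should only be used to match an existing account when the
// provider asserts it is verified; otherwise an unverified address registered
// at the provider could be matched to someone else's existing account.
function emailUsableForAccountLinking(user: AuraUser): boolean {
  return user.email_verified && user.email !== null
}

// Constructed sample claims, as a userinfo response might return them.
const SAMPLE_PROFILE: HuggingFaceProfile = {
  sub: "123", name: "Ada", preferred_username: "ada",
  email: "ada@example.com", email_verified: true,
}
const sampleUser = mapHuggingFaceProfile(SAMPLE_PROFILE)
```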

docs/src/content/docs/(core)/oauth/huggingface.mdx, line 19:

1. Navigate to your Hugging Face profile and go to **Settings > Connected Apps > Developer Applications**.
2. Click **Create App**.
3. Fill in the "Application name" and "Homepage URL".
4. Set the **Redirect URL** to `http://localhost:3000/auth/callback/github`.


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Redirect URL uses the wrong provider path (github).

The callback path must match the Hugging Face provider id, otherwise the configured redirect URI won't match the route and the OAuth flow will fail.

🔧 Proposed fix
-4. Set the **Redirect URL** to `http://localhost:3000/auth/callback/github`.
+4. Set the **Redirect URL** to `http://localhost:3000/auth/callback/huggingface`.
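Review bot: the suggested `huggingface` segment only fixes the problem if that is the id the provider module actually registers, and the PR description configures the provider as `oauth: ["hugging"]`; the callback route segment, the `api.signIn` id and the description need to agree on a single value, since the redirect URI registered at Hugging Face has to match the route the OAuth flow uses or the flow fails as described above.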

docs/src/content/docs/(core)/oauth/huggingface.mdx, line 100:

```ts
export const auth = createAuth({
  oauth: [
    huggingface({
      scope: "read:user user:email",
```


🎯 Functional Correctness | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Hugging Face OAuth supported scopes openid profile email read-repos

💡 Result:

Hugging Face OAuth supports the scopes you mentioned (openid, profile, email, read-repos), along with several others [1][2]. The scopes you listed function as follows:

- openid: Retrieves the ID token in addition to the access token [1][3].
- profile: Retrieves the user's profile information, such as their username and avatar [1][3].
- email: Retrieves the user's email address [1][3].
- read-repos: Grants read access to the user's personal repositories [1][3].

Other currently supported scopes include [1][3]:

- gated-repos: Grants read access to public gated repositories you have been granted access to (distinct from read-repos, which covers private repositories) [1][3].
- write-repos: Grants read and write access to the user's personal repositories [1][3].
- manage-repos: Grants full access to personal repositories, including the ability to create and delete them [1][3].
- contribute-repos: Allows the application to create repositories and access those it has created [1][3].
- read-collections / write-collections: Provides access to manage personal collections [1][3].
- read-billing: Checks if the user has a payment method configured [1][3].
- inference-api: Enables making inference requests on behalf of the user [1][3].
- write-discussions: Allows interacting with discussions, including opening issues or pull requests [1][3].
- jobs and webhooks: Provides management capabilities for jobs and webhooks, respectively [1][3].

By default, issued tokens inherit the scopes configured for the OAuth app, but you can request specific scopes by using the scope parameter during the authorization request [1][3]. For applications using Hugging Face Spaces, openid and profile are typically included by default, while others can be added via the Space's metadata [4][5]. Detailed metadata for all supported scopes is available via the OpenID configuration endpoint at https://huggingface.co/.well-known/openid-configuration [3].

Scopes are GitHub-style, not Hugging Face.

read:user and user:email are GitHub OAuth scopes. Hugging Face supports OIDC scopes like openid, profile, email, and read-repos. Update the example to prevent misleading users.

🔧 Proposed fix
-        scope: "read:user user:email",
+        scope: "openid profile email read-repos",
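Review bot: `read-repos` goes beyond what a sign-in example needs; the analysis above notes that it grants read access to the user's private repositories, so an authentication-only example should default to `openid profile email` and mention `read-repos` separately for apps that actually read repositories. Requesting scopes the app does not use only widens what a leaked access token can do.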

docs/src/content/docs/(core)/oauth/huggingface.mdx, line 156:

```ts
import { api } from "./auth"

export const serverSignIn = async () => {
  const response = await api.signIn("github", {
```


🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Server-side sign-in uses "github" instead of "huggingface".

This page documents the Hugging Face provider; the server-side example calls api.signIn("github", ...).

🔧 Proposed fix
-  const response = await api.signIn("github", {
+  const response = await api.signIn("huggingface", {
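Review bot: this is the third `github` leftover reported in the same file (the redirect URL at line 19 and the scope at line 100 are the others), which suggests the page was copied from the GitHub provider docs; a pass over the whole mdx for remaining GitHub-specific text is worth doing before the PR leaves draft, rather than relying on three isolated one-line fixes.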

@halvaradop halvaradop marked this pull request as draft June 25, 2026 16:44
@halvaradop halvaradop added the oauth Changes related to OAuth flows, providers, tokens, or authentication integration. label Jun 26, 2026