Add support for SSO / OpenID Connect (OIDC) (#996)

* ent re-generation

* add oidc integration

* document oidc integration

* go fmt

* address backend linter findings

* run prettier on index.vue

* State cookie domain can mismatch when Hostname override is used (breaks CSRF check). Add SameSite.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Delete state cookie with matching domain and MaxAge; add SameSite.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Fix endpoint path in comments and error to include /api/v1.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Also use request context when verifying the ID token.

* Do not return raw auth errors to clients (user-enumeration risk).

* consistently set cookie the same way across function

* remove baseURL after declaration

* only enable OIDC routes if OIDC is enabled

* swagger doc for failure

* Only block when provider=local; move the check after parsing provider

* fix extended session comment

* reduce pii logging

* futher reduce pii logging

* remove unused DiscoveryDocument

* remove unused offline_access from default oidc scopes

* remove offline access from AuthCodeURL

* support host from X-Forwarded-Host

* set sane default claim names if unset

* error strings should not be capitalized

* Revert "run prettier on index.vue"

This reverts commit aa22330a23.

* Add timeout to provider discovery

* Split scopes robustly

* refactor hostname calculation

* address frontend prettier findings

* add property oidc on type APISummary

* LoginOIDC: Normalize inputs, only create if not found

* add oidc email verification

* oidc handleCallback: clear state cookie before each return

* add support for oidc nonce parameter

* Harden first-login race: handle concurrent creates gracefully and fix log key.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* support email verified claim as bool or string

* fail fast on empty email

* PKCE verifier

* fix: add timing delay to attachment test to resolve CI race condition

The attachment test was failing intermittently in CI due to a race condition
between attachment creation and retrieval. Adding a small 100ms delay after
attachment creation ensures the file system and database operations complete
before the test attempts to verify the attachment exists.

* Revert "fix: add timing delay to attachment test to resolve CI race condition"

This reverts commit 4aa8b2a0d829753e8d2dd1ba76f4b1e04e28c45e.

* oidc error state, use ref

* rename oidc.force to oidc.authRedirect

* remove hardcoded oidc error timeout

* feat: sub/iss based identity matching and userinfo endpoint collection

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Matthew Kilgore <matthew@kilgore.dev>

frontend/lib/api/types/data-contracts.ts

@@ -862,6 +862,12 @@ export interface APISummary {
   labelPrinting: boolean;
   latest: Latest;
   message: string;
+  oidc?: {
+    enabled: boolean;
+    autoRedirect?: boolean;
+    allowLocal?: boolean;
+    buttonText?: string;
+  };
   title: string;
   versions: string[];
 }

frontend/locales/en.json

@@ -297,6 +297,7 @@
         "dont_join_group": "Don't want to join a group?",
         "joining_group": "You're Joining an Existing Group!",
         "login": "Login",
+        "or": "or",
         "register": "Register",
         "remember_me": "Remember Me",
         "set_email": "What's your email?",
@@ -308,6 +309,14 @@
             "invalid_email": "Invalid email address",
             "invalid_email_password": "Invalid email or password",
             "login_success": "Logged in successfully",
+            "oidc_access_denied": "Access denied: Your account does not have the required role/group membership",
+            "oidc_auth_failed": "OIDC authentication failed",
+            "oidc_invalid_response": "Invalid OIDC response received",
+            "oidc_provider_error": "OIDC provider returned an error",
+            "oidc_security_error": "OIDC security error - possible CSRF attack",
+            "oidc_session_expired": "OIDC session has expired",
+            "oidc_token_expired": "OIDC token has expired",
+            "oidc_token_invalid": "OIDC token signature is invalid",
             "problem_registering": "Problem registering user",
             "user_registered": "User registered"
         }

frontend/pages/index.vue

@@ -41,6 +41,9 @@
   const ctx = useAuthContext();
 
   const api = usePublicApi();
+  // Use ref for OIDC error state management
+  const oidcError = ref<string | null>(null);
+  const shownErrorMessage = ref(false);
 
   const { data: status } = useAsyncData(async () => {
     const { data } = await api.status();
@@ -57,6 +60,11 @@
       email.value = "demo@example.com";
       loginPassword.value = "demo";
     }
+
+    // Auto-redirect to OIDC if autoRedirect is enabled, but not if there's an OIDC initialization error
+    if (status?.oidc?.enabled && status?.oidc?.autoRedirect && !oidcError.value && !shownErrorMessage.value) {
+      loginWithOIDC();
+    }
   });
 
   const isEvilAccentTheme = useIsThemeInList([
@@ -138,6 +146,34 @@
     if (groupToken.value !== "") {
       registerForm.value = true;
     }
+
+    // Handle OIDC error notifications from URL parameters
+    const oidcErrorParam = route.query.oidc_error;
+    if (typeof oidcErrorParam === "string" && oidcErrorParam.startsWith("oidc_")) {
+      // Set the error state to prevent auto-redirect
+      oidcError.value = oidcErrorParam;
+      shownErrorMessage.value = true;
+
+      const translationKey = `index.toast.${oidcErrorParam}`;
+      let errorMessage = t(translationKey);
+
+      // If there are additional details, append them
+      const details = route.query.details;
+      if (typeof details === "string" && details.trim() !== "") {
+        errorMessage += `: ${details}`;
+      }
+
+      toast.error(errorMessage);
+
+      // Clean up the URL by removing the error parameters
+      const newQuery = { ...route.query };
+      delete newQuery.oidc_error;
+      delete newQuery.details;
+      router.replace({ query: newQuery });
+
+      // Clear the error state after showing the message
+      oidcError.value = null;
+    }
   });
 
   const loading = ref(false);
@@ -165,6 +201,10 @@
     loading.value = false;
   }
 
+  function loginWithOIDC() {
+    window.location.href = "/api/v1/users/login/oidc";
+  }
+
   const [registerForm, toggleLogin] = useToggle();
 </script>
 
@@ -187,7 +227,10 @@
     <div>
       <header
         class="mx-auto p-4 sm:flex sm:items-end sm:p-6 lg:p-14"
-        :class="{ 'text-accent': !isEvilAccentTheme, 'text-white': isLofiTheme }"
+        :class="{
+          'text-accent': !isEvilAccentTheme,
+          'text-white': isLofiTheme,
+        }"
       >
         <div class="z-10">
           <h2 class="mt-1 flex text-4xl font-bold tracking-tight sm:text-5xl lg:text-6xl">
@@ -195,7 +238,13 @@
             <AppLogo class="-mb-4 w-12" />
             x
           </h2>
-          <p class="ml-1 text-lg" :class="{ 'text-foreground': !isEvilForegroundTheme, 'text-white': isLofiTheme }">
+          <p
+            class="ml-1 text-lg"
+            :class="{
+              'text-foreground': !isEvilForegroundTheme,
+              'text-white': isLofiTheme,
+            }"
+          >
             {{ $t("index.tagline") }}
           </p>
         </div>
@@ -285,9 +334,11 @@
                     {{ $t("index.login") }}
                   </CardTitle>
                 </CardHeader>
-                <CardContent class="flex flex-col gap-2">
+                <CardContent v-if="status?.oidc?.allowLocal !== false" class="flex flex-col gap-2">
                   <template v-if="status && status.demo">
-                    <p class="text-center text-xs italic">{{ $t("global.demo_instance") }}</p>
+                    <p class="text-center text-xs italic">
+                      {{ $t("global.demo_instance") }}
+                    </p>
                     <p class="text-center text-xs">
                       <b>{{ $t("global.email") }}</b> demo@example.com
                     </p>
@@ -301,17 +352,42 @@
                     <FormCheckbox v-model="remember" :label="$t('index.remember_me')" />
                   </div>
                 </CardContent>
-                <CardFooter>
-                  <Button class="w-full" type="submit" :class="loading ? 'loading' : ''" :disabled="loading">
+                <CardFooter class="flex flex-col gap-2">
+                  <Button
+                    v-if="status?.oidc?.allowLocal !== false"
+                    class="w-full"
+                    type="submit"
+                    :class="loading ? 'loading' : ''"
+                    :disabled="loading"
+                  >
                     {{ $t("index.login") }}
                   </Button>
+
+                  <div
+                    v-if="status?.oidc?.enabled && status?.oidc?.allowLocal !== false"
+                    class="flex w-full items-center gap-2"
+                  >
+                    <hr class="flex-1" />
+                    <span class="text-xs text-muted-foreground">{{ $t("index.or") }}</span>
+                    <hr class="flex-1" />
+                  </div>
+
+                  <Button
+                    v-if="status?.oidc?.enabled"
+                    type="button"
+                    variant="outline"
+                    class="w-full"
+                    @click="loginWithOIDC"
+                  >
+                    {{ status.oidc.buttonText || "Sign in with OIDC" }}
+                  </Button>
                 </CardFooter>
               </Card>
             </form>
           </Transition>
           <div class="mt-6 text-center">
             <Button
-              v-if="status && status.allowRegistration"
+              v-if="status && status.allowRegistration && status?.oidc?.allowLocal !== false"
               class="group"
               variant="link"
               data-testid="register-button"