Add OIDC/SSO authentication support

Backend: - Add OIDCConfig, OIDCConfigService, OIDCService classes for OIDC flow - Add OIDC endpoints: status, config (get/update), login, callback - Support authorization code flow with PKCE-compatible state parameter - JWKS-based ID token validation with RS256 support - Auto-provisioning of users from OIDC claims - Admin group mapping for automatic admin role assignment Frontend: - Add SSO login button on login page (conditionally shown when enabled) - Add OIDC admin configuration page (/admin/oidc) - Add SSO Configuration link in admin menu - Add OIDC types and API functions Security: - CSRF protection via state parameter in secure cookie - Secure cookie settings (httponly, secure, samesite=lax) - Client secret stored encrypted in database - Token validation using provider's JWKS endpoint
2026-01-09 15:05:04 -06:00
parent 3ebdf51105
commit 1c31fe79cd
11 changed files with 1584 additions and 15 deletions
--- a/backend/app/schemas.py
+++ b/backend/app/schemas.py
@@ -784,6 +784,40 @@ class APIKeyCreateResponse(BaseModel):
    expires_at: Optional[datetime]


+# OIDC Configuration schemas
+class OIDCConfigResponse(BaseModel):
+    """OIDC configuration response (hides client secret)"""
+    enabled: bool
+    issuer_url: str
+    client_id: str
+    has_client_secret: bool  # True if secret is configured, but don't expose it
+    scopes: List[str]
+    auto_create_users: bool
+    admin_group: str
+
+
+class OIDCConfigUpdate(BaseModel):
+    """Update OIDC configuration"""
+    enabled: Optional[bool] = None
+    issuer_url: Optional[str] = None
+    client_id: Optional[str] = None
+    client_secret: Optional[str] = None  # Only set if changing
+    scopes: Optional[List[str]] = None
+    auto_create_users: Optional[bool] = None
+    admin_group: Optional[str] = None
+
+
+class OIDCStatusResponse(BaseModel):
+    """Public OIDC status response"""
+    enabled: bool
+    issuer_url: Optional[str] = None  # Only included if enabled
+
+
+class OIDCLoginResponse(BaseModel):
+    """OIDC login initiation response"""
+    authorization_url: str
+
+
 # Access Permission schemas
 class AccessPermissionCreate(BaseModel):
    """Grant access to a user for a project"""