Skip to content

feat: SSO/OIDC provider integration (Sprint 20)#136

Merged
BadgerOps merged 18 commits intomasterfrom
feat/sso-oidc
Feb 19, 2026
Merged

feat: SSO/OIDC provider integration (Sprint 20)#136
BadgerOps merged 18 commits intomasterfrom
feat/sso-oidc

Conversation

@BadgerOps
Copy link
Owner

@BadgerOps BadgerOps commented Feb 18, 2026

Summary

  • Generic OIDC provider integration using coreos/go-oidc/v3 + golang.org/x/oauth2 with Authorization Code Flow
  • JIT user provisioning from IdP claims with configurable group-to-role mapping
  • Silent session re-authentication via prompt=none hidden iframe for OIDC users
  • AES-256-GCM client secret encryption at rest
  • Local auth toggle — disable password login when OIDC is configured (break-glass admin preserved)
  • User active-status cache in DualAuthMiddleware (30s TTL via sync.Map)
  • Full admin CRUD API for OIDC providers with test connection endpoint
  • OIDC provider management UI in Config > Security settings (add/edit/delete providers, role mapping editor, test connection)
  • SSO login buttons on login page (one per enabled provider)

New API Endpoints

  • GET /api/v1/auth/oidc/providers — list enabled providers (public)
  • GET /api/v1/auth/oidc/login — initiate OIDC login flow
  • GET /api/v1/auth/oidc/callback — handle IdP callback with JIT provisioning
  • POST /api/v1/auth/oidc/refresh — silent re-auth redirect URL
  • GET/POST /api/v1/settings/oidc/providers — admin list/create
  • GET/PATCH/DELETE /api/v1/settings/oidc/providers/{id} — admin CRUD
  • POST /api/v1/settings/oidc/providers/{id}/test — test provider discovery

New Environment Variables

  • CLOUDPAM_OIDC_ENCRYPTION_KEY — 32-byte hex AES key (auto-generated if unset)
  • CLOUDPAM_OIDC_CALLBACK_URL — callback URL (default: http://localhost:8080/api/v1/auth/oidc/callback)

Test plan

  • All Go tests pass (go test ./... -count=1)
  • Zero lint issues (golangci-lint run ./...)
  • Default build succeeds (go build ./cmd/cloudpam)
  • SQLite build succeeds (go build -tags sqlite ./cmd/cloudpam)
  • TypeScript type check passes (npx tsc --noEmit)
  • Frontend production build succeeds (npm run build)
  • Manual test with Authentik or other OIDC IdP

Closes #130, closes #131

🤖 Generated with Claude Code

BadgerOps and others added 17 commits February 18, 2026 16:14
@BadgerOps @claude
docs: SSO/OIDC integration design for Sprint 20
b4077f8 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
docs: SSO/OIDC implementation plan — 17 tasks for Sprint 20
6b9d9c5 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
deps: add coreos/go-oidc and golang.org/x/oauth2 for OIDC support
e395843 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: OIDC domain types, migration 0017, OIDCProviderStore with memor…
4588ce0 
…y impl

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: AES-256-GCM encryption for OIDC client secrets
2e802d7 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: SQLite OIDCProviderStore implementation
45cf5d8 
Implements all 7 methods of the OIDCProviderStore interface for the
SQLite storage backend: CreateProvider, GetProvider, GetProviderByIssuer,
ListProviders, ListEnabledProviders, UpdateProvider, and DeleteProvider.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: OIDC provider package — discovery, code exchange, claim mapping
a57e276 
Add claims.go with Claims struct and MapRole function for IdP group-to-role
mapping. Add provider.go wrapping coreos/go-oidc + oauth2 with NewProvider
(OIDC discovery), AuthCodeURL, and Exchange methods. Includes mock OIDC
server tests with RSA-signed JWTs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
security: cached user active-status check in DualAuthMiddleware
3004e70 
Add a 30-second TTL cache for user active-status lookups in the session
authentication path. Deactivated users are now blocked within 30 seconds
of deactivation without adding a DB query per request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: enforce local auth toggle — reject password login when disabled
8c6109f 
Check local_auth_enabled setting before accepting password login.
When disabled, returns 403 directing users to SSO.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: OIDC login, callback, and refresh handlers with JIT provisioning
dcbb0d5 
Add handleOIDCLogin (redirect to IdP), handleOIDCCallback (exchange code,
JIT user provisioning, session creation), handleOIDCRefresh (silent re-auth),
and handleListPublicProviders. Includes comprehensive test coverage.

Also adds GetByOIDCIdentity to UserStore interface with implementations
for memory, SQLite, and PostgreSQL stores.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: OIDC provider admin CRUD with secret encryption and test endpoint
315b95a 
Add admin endpoints for managing OIDC provider configurations:
- GET/POST /api/v1/settings/oidc/providers (list, create)
- GET/PATCH/DELETE /api/v1/settings/oidc/providers/{id}
- POST /api/v1/settings/oidc/providers/{id}/test (discovery test)

Client secrets are encrypted at rest (AES-256-GCM) and masked in
API responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: SSO login buttons on login page
cd7da95 
Add useOIDCProviders hook to fetch enabled OIDC providers.
Show "Sign in with {name}" buttons below the login form when
OIDC providers are configured. Uses direct server redirect
to the identity provider's authorization endpoint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: wire OIDC subsystem into main.go
29b89b1 
Initialize OIDCProviderStore, encryption key, and OIDCServer.
Register OIDC public routes and admin routes.
Add OIDC paths to CSRF exemption list.
Wire settingsStore into UserServer for local auth toggle.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: OIDC provider management UI in Security settings
40206b1 
Replace SSO/OIDC placeholder with full provider management:
- Provider list with add/edit/delete
- Provider config form (issuer, client ID/secret, scopes, roles)
- Test Connection button per provider
- Role mapping configuration
- Local auth toggle with confirmation
- Add local_auth_enabled to SecuritySettings type

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
feat: silent session re-auth for OIDC users via hidden iframe
46653a4 
Add useSessionRefresh hook that monitors session lifetime and
triggers prompt=none re-auth when session enters last 20% of
its lifetime. Update OIDC callback to detect iframe mode via
Sec-Fetch-Dest header and return postMessage instead of redirect.
Extend /auth/me response with auth_provider and session_expires_at.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
docs: update CHANGELOG and CLAUDE.md for v0.8.0 OIDC integration
13be73a 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BadgerOps @claude
build: rebuild frontend with OIDC components
6c69e7e 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 18, 2026
View reviewed changes
@BadgerOps @claude
fix: sanitize OIDC callback error param and add missing PostgreSQL ta…
ec52d52 
…bles

- HTML-escape errParam in OIDC callback iframe response to prevent
  reflected XSS (CodeQL go/reflected-xss)
- URL-encode errParam in redirect to prevent parameter injection
- Add users, sessions, and settings table creation to PostgreSQL
  migration 0017, since these tables only existed in SQLite migrations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BadgerOps
BadgerOps commented Feb 19, 2026
View reviewed changes
Copy link
Owner Author

@BadgerOps BadgerOps left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@BadgerOps BadgerOps merged commit b3a5acb into master Feb 19, 2026
16 checks passed
@BadgerOps BadgerOps deleted the feat/sso-oidc branch February 19, 2026 01:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OIDC User Provisioning (JIT) SSO/OIDC Provider Integration

1 participant

@BadgerOps