From bcfc1cfe568401cc73aebf8616b80554245e9a41 Mon Sep 17 00:00:00 2001
From: Shalabh Agarwal <shalabhagarwal1024@gmail.com>
Date: Sat, 28 Feb 2026 01:08:05 +0530
Subject: [PATCH 1/5] sso changes

---
 .../2026.03.02T00.00.00.add-oidc-sso.sql      |  23 +
 client/src/components/Sidebar.tsx             |   2 +-
 client/src/graphql/generated.ts               | 320 +++++++++--
 client/src/webpages/App.tsx                   |   8 +
 client/src/webpages/auth/LoginSSO.tsx         |  11 +-
 client/src/webpages/auth/SignUp.tsx           |  22 +-
 client/src/webpages/dashboard/Dashboard.tsx   |   5 +
 client/src/webpages/settings/SSOSettings.tsx  | 538 +++++++++++++-----
 server/.env.example                           |   2 +
 server/api.ts                                 | 149 ++++-
 server/graphql/generated.ts                   | 103 +++-
 server/graphql/modules/authentication.ts      |   7 +-
 server/graphql/modules/org.ts                 | 167 +++++-
 server/graphql/schema.ts                      |   2 +
 server/package-lock.json                      |  32 ++
 server/package.json                           |   1 +
 server/services/SSOService/SSOService.ts      |  28 +-
 server/services/SSOService/dbTypes.ts         |   2 +-
 .../orgSettingsService/orgSettingsService.ts  |  82 ++-
 .../services/userManagementService/dbTypes.ts |   2 +-
 .../userManagementService.ts                  |   3 +-
 21 files changed, 1283 insertions(+), 226 deletions(-)
 create mode 100644 .devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql

diff --git a/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql b/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql
new file mode 100644
index 00000000..99ae0b42
--- /dev/null
+++ b/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql
@@ -0,0 +1,23 @@
+ -- Add OIDC columns
+ALTER TABLE public.org_settings
+ADD COLUMN IF NOT EXISTS oidc_enabled boolean DEFAULT false NOT NULL,
+ADD COLUMN IF NOT EXISTS issuer_url character varying(255),
+ADD COLUMN IF NOT EXISTS client_id character varying(255),
+ADD COLUMN IF NOT EXISTS client_secret character varying(255);
+
+-- Add OIDC settings constraint
+ALTER TABLE public.org_settings
+ADD CONSTRAINT oidc_settings_constraint CHECK (
+    (oidc_enabled = false) OR
+    ((oidc_enabled = true) AND (client_id IS NOT NULL) AND (client_secret IS NOT NULL) AND (issuer_url IS NOT NULL))
+);
+
+-- Add mutual exclusivity: SAML and OIDC cannot both be enabled
+ALTER TABLE public.org_settings
+ADD CONSTRAINT sso_saml_oidc_constraint CHECK (
+    ((saml_enabled = false) AND (oidc_enabled = true)) OR
+    ((saml_enabled = true) AND (oidc_enabled = false)) OR
+    ((saml_enabled = false) AND (oidc_enabled = false))
+);
+
+ALTER TYPE public.login_method_enum ADD VALUE IF NOT EXISTS 'oidc';
\ No newline at end of file
diff --git a/client/src/components/Sidebar.tsx b/client/src/components/Sidebar.tsx
index aa4d6b91..a0be719f 100644
--- a/client/src/components/Sidebar.tsx
+++ b/client/src/components/Sidebar.tsx
@@ -45,7 +45,7 @@ const MenuItemNames = makeEnumLike([
   'Users',
   'Employee Safety',
   'NCMEC Settings',
-  'SSO',
+  'SSO Settings',
   'Organization',
 ]);
 
diff --git a/client/src/graphql/generated.ts b/client/src/graphql/generated.ts
index d9b7e1b3..9491fc8e 100644
--- a/client/src/graphql/generated.ts
+++ b/client/src/graphql/generated.ts
@@ -1399,6 +1399,7 @@ export type GQLInviteUserInput = {
 export type GQLInviteUserToken = {
   readonly __typename: 'InviteUserToken';
   readonly email: Scalars['String'];
+  readonly oidcEnabled: Scalars['Boolean'];
   readonly orgId: Scalars['String'];
   readonly role: GQLUserRole;
   readonly samlEnabled: Scalars['Boolean'];
@@ -1935,6 +1936,7 @@ export type GQLLoginInput = {
 };
 
 export const GQLLoginMethod = {
+  Oidc: 'OIDC',
   Password: 'PASSWORD',
   Saml: 'SAML',
 } as const;
@@ -2368,6 +2370,7 @@ export type GQLMutation = {
   readonly setPluginIntegrationConfig: GQLSetIntegrationConfigResponse;
   readonly signUp: GQLSignUpResponse;
   readonly submitManualReviewDecision: GQLSubmitDecisionResponse;
+  readonly switchSSOMethod: GQLOrg;
   readonly updateAccountInfo?: Maybe<Scalars['Boolean']>;
   readonly updateAction: GQLMutateActionResponse;
   readonly updateAppealSettings: GQLAppealSettings;
@@ -2383,7 +2386,8 @@ export type GQLMutation = {
   readonly updateReportingRule: GQLUpdateReportingRuleResponse;
   readonly updateRole?: Maybe<Scalars['Boolean']>;
   readonly updateRoutingRule: GQLUpdateRoutingRuleResponse;
-  readonly updateSSOCredentials: Scalars['Boolean'];
+  readonly updateSSOOidcCredentials: Scalars['Boolean'];
+  readonly updateSSOSamlCredentials: Scalars['Boolean'];
   readonly updateTextBank: GQLMutateBankResponse;
   readonly updateThreadItemType: GQLMutateThreadItemTypeResponse;
   readonly updateUserItemType: GQLMutateUserItemTypeResponse;
@@ -2631,6 +2635,10 @@ export type GQLMutationSubmitManualReviewDecisionArgs = {
   input: GQLSubmitDecisionInput;
 };
 
+export type GQLMutationSwitchSsoMethodArgs = {
+  input: GQLSwitchSsoMethodInput;
+};
+
 export type GQLMutationUpdateAccountInfoArgs = {
   firstName?: InputMaybe<Scalars['String']>;
   lastName?: InputMaybe<Scalars['String']>;
@@ -2693,8 +2701,12 @@ export type GQLMutationUpdateRoutingRuleArgs = {
   input: GQLUpdateRoutingRuleInput;
 };
 
-export type GQLMutationUpdateSsoCredentialsArgs = {
-  input: GQLUpdateSsoCredentialsInput;
+export type GQLMutationUpdateSsoOidcCredentialsArgs = {
+  input: GQLUpdateSsoOidcCredentialsInput;
+};
+
+export type GQLMutationUpdateSsoSamlCredentialsArgs = {
+  input: GQLUpdateSsoSamlCredentialsInput;
 };
 
 export type GQLMutationUpdateTextBankArgs = {
@@ -2945,6 +2957,8 @@ export type GQLOrg = {
   readonly apiKey: Scalars['String'];
   readonly appealsRoutingRules: ReadonlyArray<GQLRoutingRule>;
   readonly banks?: Maybe<GQLMatchingBanks>;
+  readonly clientId?: Maybe<Scalars['String']>;
+  readonly clientSecret?: Maybe<Scalars['String']>;
   readonly contentTypes: ReadonlyArray<GQLContentType>;
   readonly defaultInterfacePreferences: GQLUserInterfacePreferences;
   readonly email: Scalars['String'];
@@ -2956,10 +2970,13 @@ export type GQLOrg = {
   readonly id: Scalars['ID'];
   readonly integrationConfigs: ReadonlyArray<GQLIntegrationConfig>;
   readonly isDemoOrg: Scalars['Boolean'];
+  readonly issuerUrl?: Maybe<Scalars['String']>;
   readonly itemTypes: ReadonlyArray<GQLItemType>;
   readonly mrtQueues: ReadonlyArray<GQLManualReviewQueue>;
   readonly name: Scalars['String'];
   readonly ncmecReports: ReadonlyArray<GQLNcmecReport>;
+  readonly oidcCallbackUrl?: Maybe<Scalars['String']>;
+  readonly oidcEnabled: Scalars['Boolean'];
   readonly onCallAlertEmail?: Maybe<Scalars['String']>;
   readonly pendingInvites: ReadonlyArray<GQLPendingInvite>;
   readonly policies: ReadonlyArray<GQLPolicy>;
@@ -2970,6 +2987,7 @@ export type GQLOrg = {
   readonly requiresPolicyForDecisionsInMrt: Scalars['Boolean'];
   readonly routingRules: ReadonlyArray<GQLRoutingRule>;
   readonly rules: ReadonlyArray<GQLRule>;
+  readonly samlEnabled: Scalars['Boolean'];
   readonly signals: ReadonlyArray<GQLSignal>;
   readonly ssoCert?: Maybe<Scalars['String']>;
   readonly ssoUrl?: Maybe<Scalars['String']>;
@@ -3165,6 +3183,7 @@ export type GQLQuery = {
   readonly getRecentDecisions: ReadonlyArray<GQLManualReviewDecision>;
   readonly getResolvedJobCounts: ReadonlyArray<GQLResolvedJobCount>;
   readonly getResolvedJobsForUser: Scalars['Int'];
+  readonly getSSOOidcCallbackUrl?: Maybe<Scalars['String']>;
   readonly getSSORedirectUrl?: Maybe<Scalars['String']>;
   readonly getSkippedJobCounts: ReadonlyArray<GQLSkippedJobCount>;
   readonly getSkippedJobsForUser: Scalars['Int'];
@@ -3910,6 +3929,12 @@ export type GQLRunRetroactionSuccessResponse = {
   readonly _?: Maybe<Scalars['Boolean']>;
 };
 
+export const GQLSsoMethod = {
+  Oidc: 'OIDC',
+  Saml: 'SAML',
+} as const;
+
+export type GQLSsoMethod = (typeof GQLSsoMethod)[keyof typeof GQLSsoMethod];
 export type GQLScalarSignalOutputType = {
   readonly __typename: 'ScalarSignalOutputType';
   readonly scalarType: GQLScalarType;
@@ -4242,6 +4267,15 @@ export type GQLSubmittedJobActionNotFoundError = GQLError & {
 
 export type GQLSupportedLanguages = GQLAllLanguages | GQLLanguages;
 
+export type GQLSwitchSsoMethodInput = {
+  readonly clientId?: InputMaybe<Scalars['String']>;
+  readonly clientSecret?: InputMaybe<Scalars['String']>;
+  readonly issuerUrl?: InputMaybe<Scalars['String']>;
+  readonly method: GQLSsoMethod;
+  readonly ssoCert?: InputMaybe<Scalars['String']>;
+  readonly ssoUrl?: InputMaybe<Scalars['String']>;
+};
+
 export type GQLTableDecisionCount = {
   readonly __typename: 'TableDecisionCount';
   readonly action_id?: Maybe<Scalars['String']>;
@@ -4530,7 +4564,15 @@ export type GQLUpdateRoutingRuleResponse =
   | GQLQueueDoesNotExistError
   | GQLRoutingRuleNameExistsError;
 
-export type GQLUpdateSsoCredentialsInput = {
+export type GQLUpdateSsoOidcCredentialsInput = {
+  readonly clientId: Scalars['String'];
+  readonly clientSecret: Scalars['String'];
+  readonly issuerUrl: Scalars['String'];
+  readonly oidcEnabled: Scalars['Boolean'];
+};
+
+export type GQLUpdateSsoSamlCredentialsInput = {
+  readonly samlEnabled: Scalars['Boolean'];
   readonly ssoCert: Scalars['String'];
   readonly ssoUrl: Scalars['String'];
 };
@@ -5234,6 +5276,7 @@ export type GQLInviteUserTokenQuery = {
           readonly role: GQLUserRole;
           readonly orgId: string;
           readonly samlEnabled: boolean;
+          readonly oidcEnabled: boolean;
         };
       };
 };
@@ -24100,18 +24143,60 @@ export type GQLGetSsoCredentialsQuery = {
   readonly myOrg?: {
     readonly __typename: 'Org';
     readonly id: string;
+    readonly samlEnabled: boolean;
+    readonly oidcEnabled: boolean;
     readonly ssoUrl?: string | null;
     readonly ssoCert?: string | null;
+    readonly issuerUrl?: string | null;
+    readonly clientId?: string | null;
+    readonly clientSecret?: string | null;
   } | null;
 };
 
-export type GQLUpdateSsoCredentialsMutationVariables = Exact<{
-  input: GQLUpdateSsoCredentialsInput;
+export type GQLGetSsoOidcCallbackUrlQueryVariables = Exact<{
+  [key: string]: never;
+}>;
+
+export type GQLGetSsoOidcCallbackUrlQuery = {
+  readonly __typename: 'Query';
+  readonly getSSOOidcCallbackUrl?: string | null;
+};
+
+export type GQLUpdateSsoSamlCredentialsMutationVariables = Exact<{
+  input: GQLUpdateSsoSamlCredentialsInput;
 }>;
 
-export type GQLUpdateSsoCredentialsMutation = {
+export type GQLUpdateSsoSamlCredentialsMutation = {
   readonly __typename: 'Mutation';
-  readonly updateSSOCredentials: boolean;
+  readonly updateSSOSamlCredentials: boolean;
+};
+
+export type GQLUpdateSsoOidcCredentialsMutationVariables = Exact<{
+  input: GQLUpdateSsoOidcCredentialsInput;
+}>;
+
+export type GQLUpdateSsoOidcCredentialsMutation = {
+  readonly __typename: 'Mutation';
+  readonly updateSSOOidcCredentials: boolean;
+};
+
+export type GQLSwitchSsoMethodMutationVariables = Exact<{
+  input: GQLSwitchSsoMethodInput;
+}>;
+
+export type GQLSwitchSsoMethodMutation = {
+  readonly __typename: 'Mutation';
+  readonly switchSSOMethod: {
+    readonly __typename: 'Org';
+    readonly id: string;
+    readonly samlEnabled: boolean;
+    readonly oidcEnabled: boolean;
+    readonly ssoUrl?: string | null;
+    readonly ssoCert?: string | null;
+    readonly issuerUrl?: string | null;
+    readonly clientId?: string | null;
+    readonly clientSecret?: string | null;
+  };
 };
 
 export const GQLCustomActionFragmentFragmentDoc = gql`
@@ -26188,6 +26273,7 @@ export const GQLInviteUserTokenDocument = gql`
           role
           orgId
           samlEnabled
+          oidcEnabled
         }
       }
       ... on InviteUserTokenExpiredError {
@@ -37771,8 +37857,13 @@ export const GQLGetSsoCredentialsDocument = gql`
     }
     myOrg {
       id
+      samlEnabled
+      oidcEnabled
       ssoUrl
       ssoCert
+      issuerUrl
+      clientId
+      clientSecret
     }
   }
 `;
@@ -37826,53 +37917,215 @@ export type GQLGetSsoCredentialsQueryResult = Apollo.QueryResult<
   GQLGetSsoCredentialsQuery,
   GQLGetSsoCredentialsQueryVariables
 >;
-export const GQLUpdateSsoCredentialsDocument = gql`
-  mutation UpdateSSOCredentials($input: UpdateSSOCredentialsInput!) {
-    updateSSOCredentials(input: $input)
+export const GQLGetSsoOidcCallbackUrlDocument = gql`
+  query GetSSOOidcCallbackUrl {
+    getSSOOidcCallbackUrl
+  }
+`;
+
+/**
+ * __useGQLGetSsoOidcCallbackUrlQuery__
+ *
+ * To run a query within a React component, call `useGQLGetSsoOidcCallbackUrlQuery` and pass it any options that fit your needs.
+ * When your component renders, `useGQLGetSsoOidcCallbackUrlQuery` returns an object from Apollo Client that contains loading, error, and data properties
+ * you can use to render your UI.
+ *
+ * @param baseOptions options that will be passed into the query, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options;
+ *
+ * @example
+ * const { data, loading, error } = useGQLGetSsoOidcCallbackUrlQuery({
+ *   variables: {
+ *   },
+ * });
+ */
+export function useGQLGetSsoOidcCallbackUrlQuery(
+  baseOptions?: Apollo.QueryHookOptions<
+    GQLGetSsoOidcCallbackUrlQuery,
+    GQLGetSsoOidcCallbackUrlQueryVariables
+  >,
+) {
+  const options = { ...defaultOptions, ...baseOptions };
+  return Apollo.useQuery<
+    GQLGetSsoOidcCallbackUrlQuery,
+    GQLGetSsoOidcCallbackUrlQueryVariables
+  >(GQLGetSsoOidcCallbackUrlDocument, options);
+}
+export function useGQLGetSsoOidcCallbackUrlLazyQuery(
+  baseOptions?: Apollo.LazyQueryHookOptions<
+    GQLGetSsoOidcCallbackUrlQuery,
+    GQLGetSsoOidcCallbackUrlQueryVariables
+  >,
+) {
+  const options = { ...defaultOptions, ...baseOptions };
+  return Apollo.useLazyQuery<
+    GQLGetSsoOidcCallbackUrlQuery,
+    GQLGetSsoOidcCallbackUrlQueryVariables
+  >(GQLGetSsoOidcCallbackUrlDocument, options);
+}
+export type GQLGetSsoOidcCallbackUrlQueryHookResult = ReturnType<
+  typeof useGQLGetSsoOidcCallbackUrlQuery
+>;
+export type GQLGetSsoOidcCallbackUrlLazyQueryHookResult = ReturnType<
+  typeof useGQLGetSsoOidcCallbackUrlLazyQuery
+>;
+export type GQLGetSsoOidcCallbackUrlQueryResult = Apollo.QueryResult<
+  GQLGetSsoOidcCallbackUrlQuery,
+  GQLGetSsoOidcCallbackUrlQueryVariables
+>;
+export const GQLUpdateSsoSamlCredentialsDocument = gql`
+  mutation UpdateSSOSamlCredentials($input: UpdateSSOSamlCredentialsInput!) {
+    updateSSOSamlCredentials(input: $input)
+  }
+`;
+export type GQLUpdateSsoSamlCredentialsMutationFn = Apollo.MutationFunction<
+  GQLUpdateSsoSamlCredentialsMutation,
+  GQLUpdateSsoSamlCredentialsMutationVariables
+>;
+
+/**
+ * __useGQLUpdateSsoSamlCredentialsMutation__
+ *
+ * To run a mutation, you first call `useGQLUpdateSsoSamlCredentialsMutation` within a React component and pass it any options that fit your needs.
+ * When your component renders, `useGQLUpdateSsoSamlCredentialsMutation` returns a tuple that includes:
+ * - A mutate function that you can call at any time to execute the mutation
+ * - An object with fields that represent the current status of the mutation's execution
+ *
+ * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
+ *
+ * @example
+ * const [gqlUpdateSsoSamlCredentialsMutation, { data, loading, error }] = useGQLUpdateSsoSamlCredentialsMutation({
+ *   variables: {
+ *      input: // value for 'input'
+ *   },
+ * });
+ */
+export function useGQLUpdateSsoSamlCredentialsMutation(
+  baseOptions?: Apollo.MutationHookOptions<
+    GQLUpdateSsoSamlCredentialsMutation,
+    GQLUpdateSsoSamlCredentialsMutationVariables
+  >,
+) {
+  const options = { ...defaultOptions, ...baseOptions };
+  return Apollo.useMutation<
+    GQLUpdateSsoSamlCredentialsMutation,
+    GQLUpdateSsoSamlCredentialsMutationVariables
+  >(GQLUpdateSsoSamlCredentialsDocument, options);
+}
+export type GQLUpdateSsoSamlCredentialsMutationHookResult = ReturnType<
+  typeof useGQLUpdateSsoSamlCredentialsMutation
+>;
+export type GQLUpdateSsoSamlCredentialsMutationResult =
+  Apollo.MutationResult<GQLUpdateSsoSamlCredentialsMutation>;
+export type GQLUpdateSsoSamlCredentialsMutationOptions =
+  Apollo.BaseMutationOptions<
+    GQLUpdateSsoSamlCredentialsMutation,
+    GQLUpdateSsoSamlCredentialsMutationVariables
+  >;
+export const GQLUpdateSsoOidcCredentialsDocument = gql`
+  mutation UpdateSSOOidcCredentials($input: UpdateSSOOidcCredentialsInput!) {
+    updateSSOOidcCredentials(input: $input)
+  }
+`;
+export type GQLUpdateSsoOidcCredentialsMutationFn = Apollo.MutationFunction<
+  GQLUpdateSsoOidcCredentialsMutation,
+  GQLUpdateSsoOidcCredentialsMutationVariables
+>;
+
+/**
+ * __useGQLUpdateSsoOidcCredentialsMutation__
+ *
+ * To run a mutation, you first call `useGQLUpdateSsoOidcCredentialsMutation` within a React component and pass it any options that fit your needs.
+ * When your component renders, `useGQLUpdateSsoOidcCredentialsMutation` returns a tuple that includes:
+ * - A mutate function that you can call at any time to execute the mutation
+ * - An object with fields that represent the current status of the mutation's execution
+ *
+ * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
+ *
+ * @example
+ * const [gqlUpdateSsoOidcCredentialsMutation, { data, loading, error }] = useGQLUpdateSsoOidcCredentialsMutation({
+ *   variables: {
+ *      input: // value for 'input'
+ *   },
+ * });
+ */
+export function useGQLUpdateSsoOidcCredentialsMutation(
+  baseOptions?: Apollo.MutationHookOptions<
+    GQLUpdateSsoOidcCredentialsMutation,
+    GQLUpdateSsoOidcCredentialsMutationVariables
+  >,
+) {
+  const options = { ...defaultOptions, ...baseOptions };
+  return Apollo.useMutation<
+    GQLUpdateSsoOidcCredentialsMutation,
+    GQLUpdateSsoOidcCredentialsMutationVariables
+  >(GQLUpdateSsoOidcCredentialsDocument, options);
+}
+export type GQLUpdateSsoOidcCredentialsMutationHookResult = ReturnType<
+  typeof useGQLUpdateSsoOidcCredentialsMutation
+>;
+export type GQLUpdateSsoOidcCredentialsMutationResult =
+  Apollo.MutationResult<GQLUpdateSsoOidcCredentialsMutation>;
+export type GQLUpdateSsoOidcCredentialsMutationOptions =
+  Apollo.BaseMutationOptions<
+    GQLUpdateSsoOidcCredentialsMutation,
+    GQLUpdateSsoOidcCredentialsMutationVariables
+  >;
+export const GQLSwitchSsoMethodDocument = gql`
+  mutation SwitchSSOMethod($input: SwitchSSOMethodInput!) {
+    switchSSOMethod(input: $input) {
+      id
+      samlEnabled
+      oidcEnabled
+      ssoUrl
+      ssoCert
+      issuerUrl
+      clientId
+      clientSecret
+    }
   }
 `;
-export type GQLUpdateSsoCredentialsMutationFn = Apollo.MutationFunction<
-  GQLUpdateSsoCredentialsMutation,
-  GQLUpdateSsoCredentialsMutationVariables
+export type GQLSwitchSsoMethodMutationFn = Apollo.MutationFunction<
+  GQLSwitchSsoMethodMutation,
+  GQLSwitchSsoMethodMutationVariables
 >;
 
 /**
- * __useGQLUpdateSsoCredentialsMutation__
+ * __useGQLSwitchSsoMethodMutation__
  *
- * To run a mutation, you first call `useGQLUpdateSsoCredentialsMutation` within a React component and pass it any options that fit your needs.
- * When your component renders, `useGQLUpdateSsoCredentialsMutation` returns a tuple that includes:
+ * To run a mutation, you first call `useGQLSwitchSsoMethodMutation` within a React component and pass it any options that fit your needs.
+ * When your component renders, `useGQLSwitchSsoMethodMutation` returns a tuple that includes:
  * - A mutate function that you can call at any time to execute the mutation
  * - An object with fields that represent the current status of the mutation's execution
  *
  * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
  *
  * @example
- * const [gqlUpdateSsoCredentialsMutation, { data, loading, error }] = useGQLUpdateSsoCredentialsMutation({
+ * const [gqlSwitchSsoMethodMutation, { data, loading, error }] = useGQLSwitchSsoMethodMutation({
  *   variables: {
  *      input: // value for 'input'
  *   },
  * });
  */
-export function useGQLUpdateSsoCredentialsMutation(
+export function useGQLSwitchSsoMethodMutation(
   baseOptions?: Apollo.MutationHookOptions<
-    GQLUpdateSsoCredentialsMutation,
-    GQLUpdateSsoCredentialsMutationVariables
+    GQLSwitchSsoMethodMutation,
+    GQLSwitchSsoMethodMutationVariables
   >,
 ) {
   const options = { ...defaultOptions, ...baseOptions };
   return Apollo.useMutation<
-    GQLUpdateSsoCredentialsMutation,
-    GQLUpdateSsoCredentialsMutationVariables
-  >(GQLUpdateSsoCredentialsDocument, options);
+    GQLSwitchSsoMethodMutation,
+    GQLSwitchSsoMethodMutationVariables
+  >(GQLSwitchSsoMethodDocument, options);
 }
-export type GQLUpdateSsoCredentialsMutationHookResult = ReturnType<
-  typeof useGQLUpdateSsoCredentialsMutation
+export type GQLSwitchSsoMethodMutationHookResult = ReturnType<
+  typeof useGQLSwitchSsoMethodMutation
 >;
-export type GQLUpdateSsoCredentialsMutationResult =
-  Apollo.MutationResult<GQLUpdateSsoCredentialsMutation>;
-export type GQLUpdateSsoCredentialsMutationOptions = Apollo.BaseMutationOptions<
-  GQLUpdateSsoCredentialsMutation,
-  GQLUpdateSsoCredentialsMutationVariables
+export type GQLSwitchSsoMethodMutationResult =
+  Apollo.MutationResult<GQLSwitchSsoMethodMutation>;
+export type GQLSwitchSsoMethodMutationOptions = Apollo.BaseMutationOptions<
+  GQLSwitchSsoMethodMutation,
+  GQLSwitchSsoMethodMutationVariables
 >;
 export const namedOperations = {
   Query: {
@@ -38000,6 +38253,7 @@ export const namedOperations = {
     OrgDefaultSafetySettings: 'OrgDefaultSafetySettings',
     OrgSettings: 'OrgSettings',
     GetSSOCredentials: 'GetSSOCredentials',
+    GetSSOOidcCallbackUrl: 'GetSSOOidcCallbackUrl',
   },
   Mutation: {
     RotateApiKey: 'RotateApiKey',
@@ -38079,7 +38333,9 @@ export const namedOperations = {
     UpdateNcmecOrgSettings: 'UpdateNcmecOrgSettings',
     SetOrgDefaultSafetySettings: 'SetOrgDefaultSafetySettings',
     UpdateOrgInfo: 'UpdateOrgInfo',
-    UpdateSSOCredentials: 'UpdateSSOCredentials',
+    UpdateSSOSamlCredentials: 'UpdateSSOSamlCredentials',
+    UpdateSSOOidcCredentials: 'UpdateSSOOidcCredentials',
+    SwitchSSOMethod: 'SwitchSSOMethod',
   },
   Fragment: {
     CustomActionFragment: 'CustomActionFragment',
diff --git a/client/src/webpages/App.tsx b/client/src/webpages/App.tsx
index cc1d5472..97e56abf 100644
--- a/client/src/webpages/App.tsx
+++ b/client/src/webpages/App.tsx
@@ -76,6 +76,14 @@ export default function App() {
             // just redirect them to login.
             element: <Navigate replace to="/login" />,
           },
+          {
+            path: 'login/sso_saml',
+            element: (
+              <RequireLoggedOut>
+                <LoginSSO />
+              </RequireLoggedOut>
+            ),
+          },
           {
             path: 'login/sso',
             element: (
diff --git a/client/src/webpages/auth/LoginSSO.tsx b/client/src/webpages/auth/LoginSSO.tsx
index 0d65b2dc..4281f86c 100644
--- a/client/src/webpages/auth/LoginSSO.tsx
+++ b/client/src/webpages/auth/LoginSSO.tsx
@@ -3,10 +3,12 @@ import { Label } from '@/coop-ui/Label';
 import { useGQLGetSsoRedirectUrlLazyQuery } from '@/graphql/generated';
 import { gql } from '@apollo/client';
 import { Input } from 'antd';
-import { useState } from 'react';
+import { useEffect, useState } from 'react';
 import { Helmet } from 'react-helmet-async';
 import { Link } from 'react-router-dom';
 
+import { toast } from '@/coop-ui/Toast';
+
 import CoopButton from '../dashboard/components/CoopButton';
 import CoopModal from '../dashboard/components/CoopModal';
 
@@ -27,6 +29,13 @@ export default function LoginSSO() {
   const [errorModalVisible, setErrorModalVisible] = useState(false);
 
   const [getSSORedirectUrl, { loading }] = useGQLGetSsoRedirectUrlLazyQuery();
+
+  useEffect(() => {
+    const params = new URLSearchParams(window.location.search);
+    if (params.get('error') === 'access_denied') {
+      toast.error('SSO login was cancelled. Please try again.');
+    }
+  }, []);
   const errorModal = (
     <CoopModal
       title={'SSO Unavailable'}
diff --git a/client/src/webpages/auth/SignUp.tsx b/client/src/webpages/auth/SignUp.tsx
index 07937c60..e45c8b2f 100644
--- a/client/src/webpages/auth/SignUp.tsx
+++ b/client/src/webpages/auth/SignUp.tsx
@@ -24,6 +24,7 @@ gql`
           role
           orgId
           samlEnabled
+          oidcEnabled
         }
       }
       ... on InviteUserTokenExpiredError {
@@ -133,6 +134,21 @@ export default function SignUp() {
           },
         },
       });
+    } else if (tokenInfo.oidcEnabled) {
+      // OIDC-enabled signup
+      await signUp({
+        variables: {
+          input: {
+            email: tokenInfo.email,
+            firstName,
+            lastName,
+            role: tokenInfo.role,
+            orgId: tokenInfo.orgId,
+            inviteUserToken: token!,
+            loginMethod: 'OIDC',
+          },
+        },
+      });
     } else {
       // Password-based signup
       if (!password || password.length < 8) {
@@ -240,7 +256,7 @@ export default function SignUp() {
             />
           </div>
 
-          {!tokenInfo.samlEnabled && (
+          {(!tokenInfo.samlEnabled && !tokenInfo.oidcEnabled) && (
             <div>
               <label className="block text-sm font-medium text-gray-700 mb-1">
                 Password
@@ -256,13 +272,13 @@ export default function SignUp() {
 
           <div className="w-full">
             <CoopButton
-              title={tokenInfo.samlEnabled ? 'Create Account' : 'Sign Up'}
+              title={(tokenInfo.samlEnabled || tokenInfo.oidcEnabled) ? 'Create Account' : 'Sign Up'}
               onClick={onSignUp}
               loading={signUpLoading}
               disabled={
                 !firstName ||
                 !lastName ||
-                (!tokenInfo.samlEnabled && (!password || password.length < 8))
+                ((!tokenInfo.samlEnabled && !tokenInfo.oidcEnabled) && (!password || password.length < 8))
               }
               size="large"
             />
diff --git a/client/src/webpages/dashboard/Dashboard.tsx b/client/src/webpages/dashboard/Dashboard.tsx
index c89baa05..e2d83190 100644
--- a/client/src/webpages/dashboard/Dashboard.tsx
+++ b/client/src/webpages/dashboard/Dashboard.tsx
@@ -662,6 +662,11 @@ export default function Dashboard() {
           urlPath: 'ncmec',
           requiredPermissions: [GQLUserPermission.ManageOrg],
         },
+        {
+          title: 'SSO Settings' as const,
+          urlPath: 'sso',
+          requiredPermissions: [GQLUserPermission.ManageOrg],
+        },
       ]),
     },
   ] satisfies MenuItem[];
diff --git a/client/src/webpages/settings/SSOSettings.tsx b/client/src/webpages/settings/SSOSettings.tsx
index 09be7bd1..378d13a3 100644
--- a/client/src/webpages/settings/SSOSettings.tsx
+++ b/client/src/webpages/settings/SSOSettings.tsx
@@ -1,4 +1,13 @@
+import { Badge } from '@/coop-ui/Badge';
 import { Button } from '@/coop-ui/Button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@/coop-ui/Dialog';
 import { Input } from '@/coop-ui/Input';
 import { Label } from '@/coop-ui/Label';
 import { Textarea } from '@/coop-ui/Textarea';
@@ -15,9 +24,13 @@ import { useNavigate } from 'react-router-dom';
 import FullScreenLoading from '@/components/common/FullScreenLoading';
 
 import {
+  GQLSsoMethod,
   GQLUserPermission,
   useGQLGetSsoCredentialsQuery,
-  useGQLUpdateSsoCredentialsMutation,
+  useGQLGetSsoOidcCallbackUrlQuery,
+  useGQLSwitchSsoMethodMutation,
+  useGQLUpdateSsoOidcCredentialsMutation,
+  useGQLUpdateSsoSamlCredentialsMutation,
 } from '../../graphql/generated';
 
 gql`
@@ -27,58 +40,197 @@ gql`
     }
     myOrg {
       id
+      samlEnabled
+      oidcEnabled
       ssoUrl
       ssoCert
+      issuerUrl
+      clientId
+      clientSecret
     }
   }
 
-  mutation UpdateSSOCredentials($input: UpdateSSOCredentialsInput!) {
-    updateSSOCredentials(input: $input)
+  query GetSSOOidcCallbackUrl {
+    getSSOOidcCallbackUrl
+  }
+
+  mutation UpdateSSOSamlCredentials($input: UpdateSSOSamlCredentialsInput!) {
+    updateSSOSamlCredentials(input: $input)
+  }
+
+  mutation UpdateSSOOidcCredentials($input: UpdateSSOOidcCredentialsInput!) {
+    updateSSOOidcCredentials(input: $input)
+  }
+
+  mutation SwitchSSOMethod($input: SwitchSSOMethodInput!) {
+    switchSSOMethod(input: $input) {
+        id
+        samlEnabled
+        oidcEnabled
+        ssoUrl
+        ssoCert
+        issuerUrl
+        clientId
+        clientSecret
+    }
   }
 `;
 
+type Tab = 'SAML' | 'OIDC';
+
 export default function SSOSettings() {
-  const [ssoUrl, setSsoUrl] = useState<string | undefined>(undefined);
-  const [ssoCert, setSsoCert] = useState<string | undefined>(undefined);
+  const [activeTab, setActiveTab] = useState<Tab>('SAML');
+  const [ssoUrl, setSsoUrl] = useState('');
+  const [ssoCert, setSsoCert] = useState('');
+  const [issuerUrl, setIssuerUrl] = useState('');
+  const [clientId, setClientId] = useState('');
+  const [clientSecret, setClientSecret] = useState('');
+  const [showSwitchDialog, setShowSwitchDialog] = useState(false);
   const navigate = useNavigate();
 
   const { data, loading, error } = useGQLGetSsoCredentialsQuery();
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  const [updateSSOCredentials, { loading: updateLoading, error: updateError }] =
-    useGQLUpdateSsoCredentialsMutation();
+  const { data: callbackData } = useGQLGetSsoOidcCallbackUrlQuery();
+  const [updateSSOSamlCredentials, { loading: samlUpdateLoading }] =
+    useGQLUpdateSsoSamlCredentialsMutation();
+  const [updateSSOOidcCredentials, { loading: oidcUpdateLoading }] =
+    useGQLUpdateSsoOidcCredentialsMutation();
+  const [switchSSOMethod, { loading: switchLoading }] = useGQLSwitchSsoMethodMutation();
 
   useEffect(() => {
-    if (data?.myOrg == null) {
-      return;
-    }
+    if (data?.myOrg == null) return;
+    const org = data.myOrg;
+    if (org.ssoUrl != null) setSsoUrl(org.ssoUrl);
+    if (org.ssoCert != null) setSsoCert(org.ssoCert);
+    if (org.issuerUrl != null) setIssuerUrl(org.issuerUrl);
+    if (org.clientId != null) setClientId(org.clientId);
+    if (org.clientSecret != null) setClientSecret(org.clientSecret);
+    if (org.oidcEnabled) setActiveTab('OIDC');
+  }, [data]);
+
+  if (loading) return <FullScreenLoading />;
+  if (error) return <div />;
+
+  if (!userHasPermissions(data?.me?.permissions, [GQLUserPermission.ManageOrg])) {
+    navigate('/settings');
+    return;
+  }
 
-    if (data.myOrg.ssoUrl != null) {
-      setSsoUrl(data.myOrg.ssoUrl);
+  const copyText = async (text: string) => navigator.clipboard.writeText(text);
+
+  const samlEnabled = data?.myOrg?.samlEnabled ?? false;
+  const oidcEnabled = data?.myOrg?.oidcEnabled ?? false;
+  const currentMethod = samlEnabled ? 'SAML' : oidcEnabled ? 'OIDC' : 'Password';
+  const isCurrentTabActive = activeTab === currentMethod;
+  const isSwitching = !isCurrentTabActive && currentMethod !== 'Password';
+
+  const samlCallbackUri = `https://getcoop.com/api/v1/saml/login/${data?.myOrg?.id}/callback`;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const oidcCallbackUri = (callbackData as any)?.getSSOOidcCallbackUrl ?? '';
+
+  const stringIsAValidUrl = (s: string) => {
+    try {
+      // eslint-disable-next-line no-new
+      new URL(s);
+      return true;
+    } catch (_) {
+      return false;
     }
+  };
 
-    if (data.myOrg.ssoCert != null) {
-      setSsoCert(data.myOrg.ssoCert);
+  const isValidDomain = (s: string) =>
+    s.trim().length > 0 && s.includes('.') && !/\s/.test(s);
+
+  const isSamlFormValid = ssoUrl.length > 0 && ssoCert.length > 0;
+  const isOidcFormValid =
+    issuerUrl.length > 0 && clientId.length > 0 && clientSecret.length > 0;
+  const isFormValid = activeTab === 'SAML' ? isSamlFormValid : isOidcFormValid;
+
+  const updateLoading = samlUpdateLoading || oidcUpdateLoading || switchLoading;
+
+  const handleSaveSaml = () => {
+    if (!stringIsAValidUrl(ssoUrl)) {
+      toast.error('SSO URL is not a valid URL');
+      return;
     }
-  }, [data]);
+    updateSSOSamlCredentials({
+      variables: { input: { samlEnabled: true, ssoUrl, ssoCert } },
+      refetchQueries: ['GetSSOCredentials'],
+      onCompleted: () => toast.success('SAML credentials updated'),
+      onError: (e) => toast.error(`Error updating SAML credentials: ${e.message}`),
+    });
+  };
 
-  if (loading) {
-    return <FullScreenLoading />;
-  }
+  const handleSaveOidc = () => {
+    if (!isValidDomain(issuerUrl)) {
+      toast.error('Domain is not valid (e.g. your-tenant.auth0.com)');
+      return;
+    }
+    updateSSOOidcCredentials({
+      variables: { input: { oidcEnabled: true, issuerUrl, clientId, clientSecret } },
+      refetchQueries: ['GetSSOCredentials'],
+      onCompleted: () => toast.success('OIDC credentials updated'),
+      onError: (e) => toast.error(`Error updating OIDC credentials: ${e.message}`),
+    });
+  };
 
-  if (error) {
-    return <div />;
-  }
+  const isEnablingFromPassword = currentMethod === 'Password';
 
-  const requiredPermissions = [GQLUserPermission.ManageOrg];
-  const permissions = data?.me?.permissions;
-  if (!userHasPermissions(permissions, requiredPermissions)) {
-    navigate('/settings');
-  }
+  const handleSwitch = () => {
+    if (isEnablingFromPassword) {
+      if (activeTab === 'SAML') handleSaveSaml();
+      else handleSaveOidc();
+      setShowSwitchDialog(false);
+      return;
+    }
+    if (activeTab === 'SAML') {
+      if (!stringIsAValidUrl(ssoUrl)) {
+        toast.error('SSO URL is not a valid URL');
+        setShowSwitchDialog(false);
+        return;
+      }
+      switchSSOMethod({
+        variables: { input: { method: GQLSsoMethod.Saml, ssoUrl, ssoCert } },
+        refetchQueries: ['GetSSOCredentials'],
+        onCompleted: () => {
+          toast.success('Switched to SAML');
+          setShowSwitchDialog(false);
+        },
+        onError: (e) => {
+          toast.error(`Error switching SSO method: ${e.message}`);
+          setShowSwitchDialog(false);
+        },
+      });
+    } else {
+      if (!isValidDomain(issuerUrl)) {
+        toast.error('Domain is not valid (e.g. your-tenant.auth0.com)');
+        setShowSwitchDialog(false);
+        return;
+      }
+      switchSSOMethod({
+        variables: {
+          input: { method: GQLSsoMethod.Oidc, issuerUrl, clientId, clientSecret },
+        },
+        refetchQueries: ['GetSSOCredentials'],
+        onCompleted: () => {
+          toast.success('Switched to OIDC');
+          setShowSwitchDialog(false);
+        },
+        onError: (e) => {
+          toast.error(`Error switching SSO method: ${e.message}`);
+          setShowSwitchDialog(false);
+        },
+      });
+    }
+  };
 
-  const copyText = (text: string) => {
-    navigator.clipboard.writeText(text);
+  const handleSave = () => {
+    if (isSwitching || isEnablingFromPassword) {
+      setShowSwitchDialog(true);
+      return;
+    }
+    if (activeTab === 'SAML') handleSaveSaml();
+    else handleSaveOidc();
   };
-  const callbackUri = `https://getcoop.com/api/v1/saml/login/${data?.myOrg?.id}/callback`;
 
   return (
     <div className="flex flex-col w-3/5 gap-4 text-start">
@@ -88,138 +240,232 @@ export default function SSOSettings() {
       <Heading size="2XL" className="mb-2">
         SSO Settings
       </Heading>
-      <Heading>SSO Configuration</Heading>
-      <Text size="SM">
-        Enter this information into your identity provider's "Service Provider
-        Details" setup.
-      </Text>
-      <div className="flex flex-col	gap-2 mb-8">
-        <Label htmlFor="AcsUrl">ACS URL</Label>
-        <Input
-          id="AcsUrl"
-          type={'text'}
-          className={'tracking-widest'}
-          value={callbackUri}
-          disabled
-          endSlot={
-            <div className="flex">
-              <Tooltip delayDuration={0}>
-                <TooltipTrigger asChild>
-                  <Button
-                    variant="white"
-                    size="icon"
-                    className="h-[2.875rem] rounded-none rounded-r-lg border-l-0"
-                    onClick={() => copyText(callbackUri)}
-                  >
-                    <Clipboard />
-                  </Button>
-                </TooltipTrigger>
-                <TooltipContent side="top">Copy to clipboard</TooltipContent>
-              </Tooltip>
-            </div>
-          }
-        />
-        <Label htmlFor="SpEntityId">Entity ID / Issuer </Label>
-        <Input
-          id="SpEntityId"
-          type={'text'}
-          className={'tracking-widest'}
-          value={'https://getcoop.com'}
-          disabled
-          endSlot={
-            <div className="flex">
+
+      <div className="flex items-center gap-2">
+        <Text size="SM">Current method:</Text>
+        <Badge variant={currentMethod === 'Password' ? 'secondary' : 'default'}>
+          {currentMethod}
+        </Badge>
+      </div>
+
+      {/* Tabs */}
+      <div className="flex border-b border-gray-200">
+        {(['SAML', 'OIDC'] as Tab[]).map((tab) => (
+          <button
+            key={tab}
+            type="button"
+            className={[
+              'px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors',
+              activeTab === tab
+                ? 'border-primary text-primary'
+                : 'border-transparent text-gray-500 hover:text-gray-700',
+            ].join(' ')}
+            onClick={() => setActiveTab(tab)}
+          >
+            {tab}
+            {currentMethod === tab && (
+              <span className="ml-2 text-xs text-green-600 font-semibold">Active</span>
+            )}
+          </button>
+        ))}
+      </div>
+
+      {/* SAML tab */}
+      {activeTab === 'SAML' && (
+        <>
+          <Heading>SSO Configuration</Heading>
+          <Text size="SM">
+            Enter this information into your identity provider's "Service Provider Details" setup.
+          </Text>
+          <div className="flex flex-col gap-2 mb-8">
+            <Label htmlFor="AcsUrl">ACS URL</Label>
+            <Input
+              id="AcsUrl"
+              type="text"
+              className="tracking-widest"
+              value={samlCallbackUri}
+              disabled
+              endSlot={
+                <div className="flex">
+                  <Tooltip delayDuration={0}>
+                    <TooltipTrigger asChild>
+                      <Button
+                        variant="white"
+                        size="icon"
+                        className="h-[2.875rem] rounded-none rounded-r-lg border-l-0"
+                        onClick={async () => copyText(samlCallbackUri)}
+                      >
+                        <Clipboard />
+                      </Button>
+                    </TooltipTrigger>
+                    <TooltipContent side="top">Copy to clipboard</TooltipContent>
+                  </Tooltip>
+                </div>
+              }
+            />
+            <Label htmlFor="SpEntityId">Entity ID / Issuer</Label>
+            <Input
+              id="SpEntityId"
+              type="text"
+              className="tracking-widest"
+              value="https://getcoop.com"
+              disabled
+              endSlot={
+                <div className="flex">
+                  <Tooltip delayDuration={0}>
+                    <TooltipTrigger asChild>
+                      <Button
+                        variant="white"
+                        size="icon"
+                        className="h-[2.875rem] rounded-none rounded-r-lg border-l-0"
+                        onClick={async () => copyText('https://getcoop.com')}
+                      >
+                        <Clipboard />
+                      </Button>
+                    </TooltipTrigger>
+                    <TooltipContent side="top">Copy to clipboard</TooltipContent>
+                  </Tooltip>
+                </div>
+              }
+            />
+          </div>
+          <Heading>Identity Provider Metadata</Heading>
+          <div className="flex flex-col gap-2">
+            <Label htmlFor="ssoUrl">SSO URL</Label>
+            <Input id="ssoUrl" value={ssoUrl} onChange={(e) => setSsoUrl(e.target.value)} disabled={isSwitching} />
+          </div>
+          <div className="flex flex-col gap-2">
+            <Label htmlFor="SsoCert">SSO Certificate</Label>
+            <Text id="SsoCert" size="SM">
+              This is the certificate used to verify the identity of your organization when users
+              attempt to log in via SSO. Please ensure this certificate matches the one provided by
+              your identity provider.
+            </Text>
+          </div>
+          <Textarea
+            id="ssoCert"
+            className="h-44"
+            value={ssoCert}
+            onChange={(e) => setSsoCert(e.target.value)}
+            disabled={isSwitching}
+            endSlot={
               <Tooltip delayDuration={0}>
                 <TooltipTrigger asChild>
                   <Button
                     variant="white"
                     size="icon"
-                    className="h-[2.875rem] rounded-none rounded-r-lg border-l-0"
-                    onClick={() => copyText('https://getcoop.com')}
+                    className="border-l-0 rounded-none rounded-r-lg"
+                    onClick={async () => copyText(ssoCert)}
                   >
                     <Clipboard />
                   </Button>
                 </TooltipTrigger>
                 <TooltipContent side="top">Copy to clipboard</TooltipContent>
               </Tooltip>
-            </div>
-          }
-        />
-      </div>
-      <Heading>Identity Provider Metadata</Heading>
-      <div className="flex flex-col gap-2">
-        <Label htmlFor="ssoUrl">SSO URL</Label>
-        <Input
-          id="ssoUrl"
-          value={ssoUrl}
-          onChange={(e) => setSsoUrl(e.target.value)}
-        />
-      </div>
-      <div className="flex flex-col gap-2">
-        <Label htmlFor="SsoCert">SSO Certificate</Label>
-        <Text id="SsoCert" size="SM">
-          This is the certificate used to verify the identity of your
-          organization when users attempt to log in via SSO. Please ensure this
-          certificate matches the one provided by your identity provider.
-        </Text>
-      </div>
-      <Textarea
-        id="ssoCert"
-        className="h-44"
-        value={ssoCert}
-        onChange={(e) => setSsoCert(e.target.value)}
-        endSlot={
-          <Tooltip delayDuration={0}>
-            <TooltipTrigger asChild>
-              <Button
-                variant="white"
-                size="icon"
-                className="border-l-0 rounded-none rounded-r-lg"
-                onClick={() => copyText(ssoCert ?? '')}
-              >
-                <Clipboard />
-              </Button>
-            </TooltipTrigger>
-            <TooltipContent side="top">Copy to clipboard</TooltipContent>
-          </Tooltip>
-        }
-      />
+            }
+          />
+        </>
+      )}
+
+      {/* OIDC tab */}
+      {activeTab === 'OIDC' && (
+        <>
+          <Heading>SSO Configuration</Heading>
+          <Text size="SM">
+            Enter this information into your identity provider's application setup.
+          </Text>
+          <div className="flex flex-col gap-2 mb-8">
+            <Label htmlFor="RedirectUri">Redirect URI</Label>
+            <Input
+              id="RedirectUri"
+              type="text"
+              className="tracking-widest"
+              value={oidcCallbackUri}
+              disabled
+              endSlot={
+                <div className="flex">
+                  <Tooltip delayDuration={0}>
+                    <TooltipTrigger asChild>
+                      <Button
+                        variant="white"
+                        size="icon"
+                        className="h-[2.875rem] rounded-none rounded-r-lg border-l-0"
+                        onClick={async () => copyText(oidcCallbackUri)}
+                      >
+                        <Clipboard />
+                      </Button>
+                    </TooltipTrigger>
+                    <TooltipContent side="top">Copy to clipboard</TooltipContent>
+                  </Tooltip>
+                </div>
+              }
+            />
+          </div>
+          <Heading>Identity Provider Configuration</Heading>
+          <div className="flex flex-col gap-2">
+            <Label htmlFor="issuerUrl">Domain</Label>
+            <Input
+              id="issuerUrl"
+              placeholder="your-tenant.auth0.com"
+              value={issuerUrl}
+              onChange={(e) => setIssuerUrl(e.target.value)}
+              disabled={isSwitching}
+            />
+          </div>
+          <div className="flex flex-col gap-2">
+            <Label htmlFor="clientId">Client ID</Label>
+            <Input id="clientId" value={clientId} onChange={(e) => setClientId(e.target.value)} disabled={isSwitching} />
+          </div>
+          <div className="flex flex-col gap-2">
+            <Label htmlFor="clientSecret">Client Secret</Label>
+            <Input
+              id="clientSecret"
+              type="password"
+              value={clientSecret}
+              onChange={(e) => setClientSecret(e.target.value)}
+              disabled={isSwitching}
+            />
+          </div>
+        </>
+      )}
+
       <Button
         className="w-fit"
         loading={updateLoading}
-        disabled={
-          updateLoading ||
-          ssoUrl == null ||
-          ssoCert == null ||
-          ssoUrl.length === 0 ||
-          ssoCert.length === 0
-        }
-        onClick={() => {
-          const stringIsAValidUrl = (s: string) => {
-            try {
-              // eslint-disable-next-line no-new
-              new URL(s);
-              return true;
-            } catch (_) {
-              return false;
-            }
-          };
-
-          if (!stringIsAValidUrl(ssoUrl!)) {
-            toast.error('SSO URL is not a valid URL');
-            return;
-          }
-
-          updateSSOCredentials({
-            // Assertion is safe because of disabled check above
-            variables: { input: { ssoUrl: ssoUrl!, ssoCert: ssoCert! } },
-            onCompleted: () => toast.success('SSO credentials updated'),
-            onError: (error) =>
-              toast.error(`Error updating SSO credentials: ${error.message}`),
-          });
-        }}
+        disabled={updateLoading || !isFormValid}
+        onClick={handleSave}
       >
-        Save Changes
+        {isSwitching
+          ? `Switch to ${activeTab}`
+          : isCurrentTabActive
+            ? 'Save Changes'
+            : `Enable ${activeTab}`}
       </Button>
+
+      <Dialog open={showSwitchDialog} onOpenChange={setShowSwitchDialog}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>
+              {isEnablingFromPassword
+                ? `Enable ${activeTab} authentication?`
+                : `Switch SSO method to ${activeTab}?`}
+            </DialogTitle>
+          </DialogHeader>
+          <DialogDescription>
+            {isEnablingFromPassword
+              ? `Enabling ${activeTab} is irreversible. All org users will be required to authenticate through the new provider immediately.`
+              : `This will disable ${currentMethod} and enable ${activeTab}. Your ${currentMethod} credentials will be preserved in case you switch back, but users will need to authenticate through the new provider immediately.`}
+          </DialogDescription>
+          <DialogFooter>
+            <Button variant="outline" onClick={() => setShowSwitchDialog(false)}>
+              Cancel
+            </Button>
+            <Button loading={isEnablingFromPassword ? updateLoading : switchLoading} onClick={handleSwitch}>
+              {isEnablingFromPassword ? `Enable ${activeTab}` : `Switch to ${activeTab}`}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }
diff --git a/server/.env.example b/server/.env.example
index ff552794..dfcc64e0 100644
--- a/server/.env.example
+++ b/server/.env.example
@@ -82,3 +82,5 @@ GROQ_SECRET_KEY=
 ITEM_QUEUE_TRAFFIC_PERCENTAGE='0.05'
 UI_URL=http://localhost:3000
 GRAPHQL_MAX_DEPTH=10
+
+API_BASE_URL=http://localhost:8080
diff --git a/server/api.ts b/server/api.ts
index 920601ca..c02d3646 100644
--- a/server/api.ts
+++ b/server/api.ts
@@ -28,7 +28,7 @@ import depthLimit from 'graphql-depth-limit';
 import helmet from 'helmet';
 import passport from 'passport';
 import { MultiSamlStrategy } from '@node-saml/passport-saml';
-
+import * as oidcClient from 'openid-client'
 import {
   makeLoginIncorrectPasswordError,
   makeLoginSsoRequiredError,
@@ -77,6 +77,17 @@ function getCPUInfo() {
   };
 }
 
+declare module "express-session" {
+  interface SessionData {
+    oidc: {
+      code_verifier: string;
+      state: string;
+      org_id: string;
+    };
+  }
+}
+
+
 async function getCPUUsage() {
   const stats1 = getCPUInfo();
   const startIdle = stats1.idle;
@@ -269,6 +280,128 @@ export default async function makeApiServer(deps: Dependencies) {
     },
   );
 
+  app.get('/oidc/login/callback', async (req, res, next) => {
+    if (req.query.error) {
+      return res.redirect(`${deps.ConfigService.uiUrl}/login/sso?error=${req.query.error}`);
+    }
+    try {
+      const sessionData = req.session['oidc'] as
+        | { code_verifier: string; state?: string; org_id: string }
+        | undefined;
+
+      if (!sessionData || !sessionData.code_verifier || !sessionData.org_id) {
+        return res.redirect('/');
+      }
+
+      const { code_verifier: codeVerifier, state, org_id: orgId } = sessionData;
+      // Clear session OIDC state immediately (one-time use)
+      delete req.session.oidc;
+
+      const oidcSettings = await deps.OrgSettingsService.getOidcSettings(orgId);
+      if (!oidcSettings || !oidcSettings.client_id || !oidcSettings.client_secret || !oidcSettings.issuer_url) {
+        return res.redirect('/');
+      }
+
+      const issuerUrl = `https://${oidcSettings.issuer_url.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
+
+      const { API_BASE_URL } = process.env;
+      const config = await oidcClient.discovery(
+        new URL(issuerUrl),
+        oidcSettings.client_id,
+        oidcSettings.client_secret,
+        oidcClient.ClientSecretBasic(oidcSettings.client_secret),
+      );
+
+      // Reconstruct callback URL with code/state from IdP redirect.
+      // authorizationCodeGrant needs: base = registered redirect_uri, query = code+state from IdP.
+      const currentUrl = new URL(`${API_BASE_URL}/api/v1/oidc/login/callback`);
+      for (const [k, v] of new URLSearchParams(req.url.includes('?') ? req.url.split('?')[1] : '')) {
+        currentUrl.searchParams.set(k, v);
+      }
+
+      const checks: { pkceCodeVerifier: string; expectedState?: string } = { pkceCodeVerifier: codeVerifier };
+      if (state) checks.expectedState = state;
+
+      const tokens = await oidcClient.authorizationCodeGrant(config, currentUrl, checks);
+
+      const claims = tokens.claims();
+      let email: string | undefined = claims?.email as string | undefined;
+
+      if (!email) {
+        const userinfo = await oidcClient.fetchUserInfo(config, tokens.access_token, claims!.sub);
+        email = userinfo.email;
+      }
+
+      if (!email) {
+        return res.redirect('/');
+      }
+
+      const user = await User.findOne({ where: { email: String(email) } });
+
+      if (!user || user.orgId !== orgId) {
+        return res.redirect('/');
+      }
+
+      req.login(user as any, (err) => {
+        if (err) return next(err);
+        res.redirect(`${deps.ConfigService.uiUrl}/dashboard`);
+      });
+    } catch (e) {
+      next(e);
+    }
+  });
+
+  app.get('/oidc/login/:orgId', async (req, res, next) => {
+    try {
+      const { orgId } = req.params;
+      const oidcSettings = await deps.OrgSettingsService.getOidcSettings(orgId);
+      
+      if (!oidcSettings || oidcSettings.oidc_enabled !== true) {
+        return next(makeBadRequestError('OIDC not enabled for this organization.', { shouldErrorSpan: true }));
+      }
+      if (!oidcSettings.client_id || !oidcSettings.client_secret || !oidcSettings.issuer_url) {
+        return next(makeInternalServerError('Missing OIDC credentials for org.', { shouldErrorSpan: true }));
+      }
+
+      const { API_BASE_URL } = process.env;
+      if (!API_BASE_URL) {
+        return next(makeInternalServerError('API_BASE_URL not configured.', { shouldErrorSpan: true }));
+      }
+      const callbackUrl = deps.SSOService.getSSOOidcCallbackUrl();
+      const issuerUrl = `https://${oidcSettings.issuer_url.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
+      
+      const config = await oidcClient.discovery(
+        new URL(issuerUrl),
+        oidcSettings.client_id,
+        oidcSettings.client_secret,
+        oidcClient.ClientSecretBasic(oidcSettings.client_secret),
+      );
+
+      const codeVerifier = oidcClient.randomPKCECodeVerifier();
+      const codeChallenge = await oidcClient.calculatePKCECodeChallenge(codeVerifier);
+
+      const params: Record<string, string> = {
+        redirect_uri: callbackUrl,
+        scope: 'openid email',
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+      };
+
+      const redirectTo = oidcClient.buildAuthorizationUrl(config, params);
+
+      const state = oidcClient.randomState();
+      redirectTo.searchParams.set('state', state);
+
+      // Store PKCE data + orgId in session for callback
+      req.session.oidc = { code_verifier: codeVerifier, state, org_id: orgId };
+
+      res.redirect(redirectTo.href);
+    } catch (e) {
+      next(e);
+    }
+  });
+
+
   passport.use(
     new GraphQLLocalStrategy(async (email, password, done) => {
       try {
@@ -282,17 +415,15 @@ export default async function makeApiServer(deps: Dependencies) {
           user.orgId,
         );
 
-        if (
-          samlSettings?.saml_enabled &&
-          // We allow Coop users to log in with email/password even if SSO is
-          // enabled
-          // so Coop employees can manage user accounts
-          String(email).split('@')[1] !== 'getcoop.com'
-        ) {
+        const oidcSettings = await deps.OrgSettingsService.getOidcSettings(
+          user.orgId,
+        );
+
+        if (samlSettings?.saml_enabled === true || oidcSettings?.oidc_enabled === true) {
           return done(
             makeLoginSsoRequiredError({
               detail:
-                'SAML is enabled for this organization. Password login is disabled.',
+                'SSO is enabled for this organization. Password login is disabled.',
               shouldErrorSpan: true,
             }),
           );
diff --git a/server/graphql/generated.ts b/server/graphql/generated.ts
index 27af5245..9a242452 100644
--- a/server/graphql/generated.ts
+++ b/server/graphql/generated.ts
@@ -1468,6 +1468,7 @@ export type GQLInviteUserInput = {
 export type GQLInviteUserToken = {
   readonly __typename?: 'InviteUserToken';
   readonly email: Scalars['String'];
+  readonly oidcEnabled: Scalars['Boolean'];
   readonly orgId: Scalars['String'];
   readonly role: GQLUserRole;
   readonly samlEnabled: Scalars['Boolean'];
@@ -2004,6 +2005,7 @@ export type GQLLoginInput = {
 };
 
 export const GQLLoginMethod = {
+  Oidc: 'OIDC',
   Password: 'PASSWORD',
   Saml: 'SAML',
 } as const;
@@ -2437,6 +2439,7 @@ export type GQLMutation = {
   readonly setPluginIntegrationConfig: GQLSetIntegrationConfigResponse;
   readonly signUp: GQLSignUpResponse;
   readonly submitManualReviewDecision: GQLSubmitDecisionResponse;
+  readonly switchSSOMethod: GQLOrg;
   readonly updateAccountInfo?: Maybe<Scalars['Boolean']>;
   readonly updateAction: GQLMutateActionResponse;
   readonly updateAppealSettings: GQLAppealSettings;
@@ -2452,7 +2455,8 @@ export type GQLMutation = {
   readonly updateReportingRule: GQLUpdateReportingRuleResponse;
   readonly updateRole?: Maybe<Scalars['Boolean']>;
   readonly updateRoutingRule: GQLUpdateRoutingRuleResponse;
-  readonly updateSSOCredentials: Scalars['Boolean'];
+  readonly updateSSOOidcCredentials: Scalars['Boolean'];
+  readonly updateSSOSamlCredentials: Scalars['Boolean'];
   readonly updateTextBank: GQLMutateBankResponse;
   readonly updateThreadItemType: GQLMutateThreadItemTypeResponse;
   readonly updateUserItemType: GQLMutateUserItemTypeResponse;
@@ -2700,6 +2704,10 @@ export type GQLMutationSubmitManualReviewDecisionArgs = {
   input: GQLSubmitDecisionInput;
 };
 
+export type GQLMutationSwitchSsoMethodArgs = {
+  input: GQLSwitchSsoMethodInput;
+};
+
 export type GQLMutationUpdateAccountInfoArgs = {
   firstName?: InputMaybe<Scalars['String']>;
   lastName?: InputMaybe<Scalars['String']>;
@@ -2762,8 +2770,12 @@ export type GQLMutationUpdateRoutingRuleArgs = {
   input: GQLUpdateRoutingRuleInput;
 };
 
-export type GQLMutationUpdateSsoCredentialsArgs = {
-  input: GQLUpdateSsoCredentialsInput;
+export type GQLMutationUpdateSsoOidcCredentialsArgs = {
+  input: GQLUpdateSsoOidcCredentialsInput;
+};
+
+export type GQLMutationUpdateSsoSamlCredentialsArgs = {
+  input: GQLUpdateSsoSamlCredentialsInput;
 };
 
 export type GQLMutationUpdateTextBankArgs = {
@@ -3014,6 +3026,8 @@ export type GQLOrg = {
   readonly apiKey: Scalars['String'];
   readonly appealsRoutingRules: ReadonlyArray<GQLRoutingRule>;
   readonly banks?: Maybe<GQLMatchingBanks>;
+  readonly clientId?: Maybe<Scalars['String']>;
+  readonly clientSecret?: Maybe<Scalars['String']>;
   readonly contentTypes: ReadonlyArray<GQLContentType>;
   readonly defaultInterfacePreferences: GQLUserInterfacePreferences;
   readonly email: Scalars['String'];
@@ -3025,10 +3039,13 @@ export type GQLOrg = {
   readonly id: Scalars['ID'];
   readonly integrationConfigs: ReadonlyArray<GQLIntegrationConfig>;
   readonly isDemoOrg: Scalars['Boolean'];
+  readonly issuerUrl?: Maybe<Scalars['String']>;
   readonly itemTypes: ReadonlyArray<GQLItemType>;
   readonly mrtQueues: ReadonlyArray<GQLManualReviewQueue>;
   readonly name: Scalars['String'];
   readonly ncmecReports: ReadonlyArray<GQLNcmecReport>;
+  readonly oidcCallbackUrl?: Maybe<Scalars['String']>;
+  readonly oidcEnabled: Scalars['Boolean'];
   readonly onCallAlertEmail?: Maybe<Scalars['String']>;
   readonly pendingInvites: ReadonlyArray<GQLPendingInvite>;
   readonly policies: ReadonlyArray<GQLPolicy>;
@@ -3039,6 +3056,7 @@ export type GQLOrg = {
   readonly requiresPolicyForDecisionsInMrt: Scalars['Boolean'];
   readonly routingRules: ReadonlyArray<GQLRoutingRule>;
   readonly rules: ReadonlyArray<GQLRule>;
+  readonly samlEnabled: Scalars['Boolean'];
   readonly signals: ReadonlyArray<GQLSignal>;
   readonly ssoCert?: Maybe<Scalars['String']>;
   readonly ssoUrl?: Maybe<Scalars['String']>;
@@ -3234,6 +3252,7 @@ export type GQLQuery = {
   readonly getRecentDecisions: ReadonlyArray<GQLManualReviewDecision>;
   readonly getResolvedJobCounts: ReadonlyArray<GQLResolvedJobCount>;
   readonly getResolvedJobsForUser: Scalars['Int'];
+  readonly getSSOOidcCallbackUrl?: Maybe<Scalars['String']>;
   readonly getSSORedirectUrl?: Maybe<Scalars['String']>;
   readonly getSkippedJobCounts: ReadonlyArray<GQLSkippedJobCount>;
   readonly getSkippedJobsForUser: Scalars['Int'];
@@ -3979,6 +3998,12 @@ export type GQLRunRetroactionSuccessResponse = {
   readonly _?: Maybe<Scalars['Boolean']>;
 };
 
+export const GQLSsoMethod = {
+  Oidc: 'OIDC',
+  Saml: 'SAML',
+} as const;
+
+export type GQLSsoMethod = (typeof GQLSsoMethod)[keyof typeof GQLSsoMethod];
 export type GQLScalarSignalOutputType = {
   readonly __typename?: 'ScalarSignalOutputType';
   readonly scalarType: GQLScalarType;
@@ -4311,6 +4336,15 @@ export type GQLSubmittedJobActionNotFoundError = GQLError & {
 
 export type GQLSupportedLanguages = GQLAllLanguages | GQLLanguages;
 
+export type GQLSwitchSsoMethodInput = {
+  readonly clientId?: InputMaybe<Scalars['String']>;
+  readonly clientSecret?: InputMaybe<Scalars['String']>;
+  readonly issuerUrl?: InputMaybe<Scalars['String']>;
+  readonly method: GQLSsoMethod;
+  readonly ssoCert?: InputMaybe<Scalars['String']>;
+  readonly ssoUrl?: InputMaybe<Scalars['String']>;
+};
+
 export type GQLTableDecisionCount = {
   readonly __typename?: 'TableDecisionCount';
   readonly action_id?: Maybe<Scalars['String']>;
@@ -4599,7 +4633,15 @@ export type GQLUpdateRoutingRuleResponse =
   | GQLQueueDoesNotExistError
   | GQLRoutingRuleNameExistsError;
 
-export type GQLUpdateSsoCredentialsInput = {
+export type GQLUpdateSsoOidcCredentialsInput = {
+  readonly clientId: Scalars['String'];
+  readonly clientSecret: Scalars['String'];
+  readonly issuerUrl: Scalars['String'];
+  readonly oidcEnabled: Scalars['Boolean'];
+};
+
+export type GQLUpdateSsoSamlCredentialsInput = {
+  readonly samlEnabled: Scalars['Boolean'];
   readonly ssoCert: Scalars['String'];
   readonly ssoUrl: Scalars['String'];
 };
@@ -5748,6 +5790,7 @@ export type GQLResolversTypes = {
   RunRetroactionInput: GQLRunRetroactionInput;
   RunRetroactionResponse: GQLResolversTypes['RunRetroactionSuccessResponse'];
   RunRetroactionSuccessResponse: ResolverTypeWrapper<GQLRunRetroactionSuccessResponse>;
+  SSOMethod: GQLSsoMethod;
   ScalarSignalOutputType: ResolverTypeWrapper<GQLScalarSignalOutputType>;
   ScalarType: GQLScalarType;
   SchemaFieldRoles:
@@ -5816,6 +5859,7 @@ export type GQLResolversTypes = {
   SupportedLanguages:
     | GQLResolversTypes['AllLanguages']
     | GQLResolversTypes['Languages'];
+  SwitchSSOMethodInput: GQLSwitchSsoMethodInput;
   TableDecisionCount: ResolverTypeWrapper<GQLTableDecisionCount>;
   TextBank: ResolverTypeWrapper<GQLTextBank>;
   TextBankType: GQLTextBankType;
@@ -5878,7 +5922,8 @@ export type GQLResolversTypes = {
     | GQLResolversTypes['NotFoundError']
     | GQLResolversTypes['QueueDoesNotExistError']
     | GQLResolversTypes['RoutingRuleNameExistsError'];
-  UpdateSSOCredentialsInput: GQLUpdateSsoCredentialsInput;
+  UpdateSSOOidcCredentialsInput: GQLUpdateSsoOidcCredentialsInput;
+  UpdateSSOSamlCredentialsInput: GQLUpdateSsoSamlCredentialsInput;
   UpdateTextBankInput: GQLUpdateTextBankInput;
   UpdateThreadItemTypeInput: GQLUpdateThreadItemTypeInput;
   UpdateUserItemTypeInput: GQLUpdateUserItemTypeInput;
@@ -6611,6 +6656,7 @@ export type GQLResolversParentTypes = {
   SupportedLanguages:
     | GQLResolversParentTypes['AllLanguages']
     | GQLResolversParentTypes['Languages'];
+  SwitchSSOMethodInput: GQLSwitchSsoMethodInput;
   TableDecisionCount: GQLTableDecisionCount;
   TextBank: GQLTextBank;
   ThreadAppealManualReviewJobPayload: ThreadAppealReviewJobPayload;
@@ -6670,7 +6716,8 @@ export type GQLResolversParentTypes = {
     | GQLResolversParentTypes['NotFoundError']
     | GQLResolversParentTypes['QueueDoesNotExistError']
     | GQLResolversParentTypes['RoutingRuleNameExistsError'];
-  UpdateSSOCredentialsInput: GQLUpdateSsoCredentialsInput;
+  UpdateSSOOidcCredentialsInput: GQLUpdateSsoOidcCredentialsInput;
+  UpdateSSOSamlCredentialsInput: GQLUpdateSsoSamlCredentialsInput;
   UpdateTextBankInput: GQLUpdateTextBankInput;
   UpdateThreadItemTypeInput: GQLUpdateThreadItemTypeInput;
   UpdateUserItemTypeInput: GQLUpdateUserItemTypeInput;
@@ -8947,6 +8994,7 @@ export type GQLInviteUserTokenResolvers<
     GQLResolversParentTypes['InviteUserToken'] = GQLResolversParentTypes['InviteUserToken'],
 > = {
   email?: Resolver<GQLResolversTypes['String'], ParentType, ContextType>;
+  oidcEnabled?: Resolver<GQLResolversTypes['Boolean'], ParentType, ContextType>;
   orgId?: Resolver<GQLResolversTypes['String'], ParentType, ContextType>;
   role?: Resolver<GQLResolversTypes['UserRole'], ParentType, ContextType>;
   samlEnabled?: Resolver<GQLResolversTypes['Boolean'], ParentType, ContextType>;
@@ -10763,6 +10811,12 @@ export type GQLMutationResolvers<
     ContextType,
     RequireFields<GQLMutationSubmitManualReviewDecisionArgs, 'input'>
   >;
+  switchSSOMethod?: Resolver<
+    GQLResolversTypes['Org'],
+    ParentType,
+    ContextType,
+    RequireFields<GQLMutationSwitchSsoMethodArgs, 'input'>
+  >;
   updateAccountInfo?: Resolver<
     Maybe<GQLResolversTypes['Boolean']>,
     ParentType,
@@ -10856,11 +10910,17 @@ export type GQLMutationResolvers<
     ContextType,
     RequireFields<GQLMutationUpdateRoutingRuleArgs, 'input'>
   >;
-  updateSSOCredentials?: Resolver<
+  updateSSOOidcCredentials?: Resolver<
     GQLResolversTypes['Boolean'],
     ParentType,
     ContextType,
-    RequireFields<GQLMutationUpdateSsoCredentialsArgs, 'input'>
+    RequireFields<GQLMutationUpdateSsoOidcCredentialsArgs, 'input'>
+  >;
+  updateSSOSamlCredentials?: Resolver<
+    GQLResolversTypes['Boolean'],
+    ParentType,
+    ContextType,
+    RequireFields<GQLMutationUpdateSsoSamlCredentialsArgs, 'input'>
   >;
   updateTextBank?: Resolver<
     GQLResolversTypes['MutateBankResponse'],
@@ -11229,6 +11289,16 @@ export type GQLOrgResolvers<
     ParentType,
     ContextType
   >;
+  clientId?: Resolver<
+    Maybe<GQLResolversTypes['String']>,
+    ParentType,
+    ContextType
+  >;
+  clientSecret?: Resolver<
+    Maybe<GQLResolversTypes['String']>,
+    ParentType,
+    ContextType
+  >;
   contentTypes?: Resolver<
     ReadonlyArray<GQLResolversTypes['ContentType']>,
     ParentType,
@@ -11272,6 +11342,11 @@ export type GQLOrgResolvers<
     ContextType
   >;
   isDemoOrg?: Resolver<GQLResolversTypes['Boolean'], ParentType, ContextType>;
+  issuerUrl?: Resolver<
+    Maybe<GQLResolversTypes['String']>,
+    ParentType,
+    ContextType
+  >;
   itemTypes?: Resolver<
     ReadonlyArray<GQLResolversTypes['ItemType']>,
     ParentType,
@@ -11288,6 +11363,12 @@ export type GQLOrgResolvers<
     ParentType,
     ContextType
   >;
+  oidcCallbackUrl?: Resolver<
+    Maybe<GQLResolversTypes['String']>,
+    ParentType,
+    ContextType
+  >;
+  oidcEnabled?: Resolver<GQLResolversTypes['Boolean'], ParentType, ContextType>;
   onCallAlertEmail?: Resolver<
     Maybe<GQLResolversTypes['String']>,
     ParentType,
@@ -11338,6 +11419,7 @@ export type GQLOrgResolvers<
     ParentType,
     ContextType
   >;
+  samlEnabled?: Resolver<GQLResolversTypes['Boolean'], ParentType, ContextType>;
   signals?: Resolver<
     ReadonlyArray<GQLResolversTypes['Signal']>,
     ParentType,
@@ -11846,6 +11928,11 @@ export type GQLQueryResolvers<
     ContextType,
     RequireFields<GQLQueryGetResolvedJobsForUserArgs, 'timeZone'>
   >;
+  getSSOOidcCallbackUrl?: Resolver<
+    Maybe<GQLResolversTypes['String']>,
+    ParentType,
+    ContextType
+  >;
   getSSORedirectUrl?: Resolver<
     Maybe<GQLResolversTypes['String']>,
     ParentType,
diff --git a/server/graphql/modules/authentication.ts b/server/graphql/modules/authentication.ts
index 1503afa0..f75a5a2d 100644
--- a/server/graphql/modules/authentication.ts
+++ b/server/graphql/modules/authentication.ts
@@ -6,8 +6,8 @@ import { gqlErrorResult, gqlSuccessResult } from '../utils/gqlResult.js';
 const typeDefs = /* GraphQL */ `
   type Query {
     me: User @publicResolver
-    getSSORedirectUrl(emailAddress: String!): String
-      @publicResolver
+    getSSORedirectUrl(emailAddress: String!): String @publicResolver
+    getSSOOidcCallbackUrl: String @publicResolver
   }
 
   type Mutation {
@@ -68,6 +68,9 @@ const Query: ResolverMap = {
       emailAddress,
     );
   },
+  async getSSOOidcCallbackUrl(_: unknown, __: unknown, context) {
+    return context.services.SSOService.getSSOOidcCallbackUrl();
+  },
 };
 
 const Mutation: ResolverMap = {
diff --git a/server/graphql/modules/org.ts b/server/graphql/modules/org.ts
index 196e96e5..90075e81 100644
--- a/server/graphql/modules/org.ts
+++ b/server/graphql/modules/org.ts
@@ -52,8 +52,14 @@ const typeDefs = /* GraphQL */ `
     userStrikeThresholds: [UserStrikeThreshold!]!
     userStrikeTTL: Int!
     isDemoOrg: Boolean!
+    samlEnabled: Boolean!
     ssoUrl: String
     ssoCert: String
+    oidcEnabled: Boolean!
+    issuerUrl: String
+    clientId: String
+    clientSecret: String
+    oidcCallbackUrl: String
     hasPartialItemsEndpoint: Boolean!
   }
 
@@ -135,10 +141,34 @@ const typeDefs = /* GraphQL */ `
     _: Boolean
   }
 
-  input UpdateSSOCredentialsInput {
+  input UpdateSSOSamlCredentialsInput {
+    samlEnabled: Boolean!
     ssoUrl: String!
     ssoCert: String!
   }
+  
+  input UpdateSSOOidcCredentialsInput {
+    oidcEnabled: Boolean!
+    issuerUrl: String!
+    clientId: String!
+    clientSecret: String!
+  }
+
+  enum SSOMethod {
+    SAML
+    OIDC
+  }
+
+  input SwitchSSOMethodInput {
+    method: SSOMethod!
+    # SAML fields (required when method = SAML)
+    ssoUrl: String
+    ssoCert: String
+    # OIDC fields (required when method = OIDC)
+    issuerUrl: String
+    clientId: String
+    clientSecret: String
+  }
 
   input UpdateOrgInfoInput {
     name: String
@@ -151,6 +181,7 @@ const typeDefs = /* GraphQL */ `
     _: Boolean
   }
 
+
   type Mutation {
     createOrg(input: CreateOrgInput!): CreateOrgResponse! @publicResolver
     updateAppealSettings(input: AppealSettingsInput!): AppealSettings!
@@ -163,7 +194,9 @@ const typeDefs = /* GraphQL */ `
     setOrgDefaultSafetySettings(
       orgDefaultSafetySettings: ModeratorSafetySettingsInput!
     ): SetModeratorSafetySettingsSuccessResponse
-    updateSSOCredentials(input: UpdateSSOCredentialsInput!): Boolean!
+    updateSSOSamlCredentials(input: UpdateSSOSamlCredentialsInput!): Boolean!
+    updateSSOOidcCredentials(input: UpdateSSOOidcCredentialsInput!): Boolean!
+    switchSSOMethod(input: SwitchSSOMethodInput!): Org!
     updateOrgInfo(input: UpdateOrgInfoInput!): UpdateOrgInfoSuccessResponse!
   }
 `;
@@ -530,6 +563,81 @@ const Org: GQLOrgResolvers = {
 
     return settings.cert;
   },
+  
+  async clientSecret(org, _, context) {
+    const user = context.getUser();
+    if (user == null || user.orgId !== org.id) {
+      throw new AuthenticationError('Authenticated user required');
+    }
+
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw new AuthenticationError(
+        'User does not have permission to manage SSO settings',
+      );
+    }
+
+    const settings = await context.services.OrgSettingsService.getOidcSettings(
+      org.id,
+    );
+
+    if (!settings) {
+      return null;
+    }
+
+    return settings.client_secret;
+  },
+  async issuerUrl(org, _, context) {
+    const user = context.getUser();
+    if (user == null || user.orgId !== org.id) {
+      throw new AuthenticationError('Authenticated user required');
+    }
+
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw new AuthenticationError(
+        'User does not have permission to manage SSO settings',
+      );
+    }
+
+    const settings = await context.services.OrgSettingsService.getOidcSettings(
+      org.id,
+    );
+
+    if (!settings) {
+      return null;
+    }
+
+    return settings.issuer_url;
+  },
+  async clientId(org, _, context) {
+    const user = context.getUser();
+    if (user == null || user.orgId !== org.id) {
+      throw new AuthenticationError('Authenticated user required');
+    }
+
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw new AuthenticationError(
+        'User does not have permission to manage SSO settings',
+      );
+    }
+
+    const settings = await context.services.OrgSettingsService.getOidcSettings(
+      org.id,
+    );
+
+    if (!settings) {
+      return null;
+    }
+
+    return settings.client_id;
+  },
+  async samlEnabled(org, _, context) {
+    const settings = await context.services.OrgSettingsService.getSamlSettings(org.id);
+    return settings?.saml_enabled ?? false;
+  },
+  async oidcEnabled(org, _, context) {
+    const settings = await context.services.OrgSettingsService.getOidcSettings(org.id);
+    return settings?.oidc_enabled ?? false;
+  },
   async hasPartialItemsEndpoint(org, _, context) {
     const partialItemsInfo =
       await context.services.OrgSettingsService.partialItemsInfo(org.id);
@@ -638,18 +746,71 @@ const Mutation: GQLMutationResolvers = {
     });
     return gqlSuccessResult({}, 'UpdateUserStrikeTTLSuccessResponse');
   },
-  async updateSSOCredentials(_, { input }, context) {
+  async updateSSOSamlCredentials(_, { input }, context) {
     const user = context.getUser();
     if (!user) {
       throw new AuthenticationError('User required.');
     }
+    const oidcSettings = await context.services.OrgSettingsService.getOidcSettings(user.orgId); 
+    if (oidcSettings?.oidc_enabled && input.samlEnabled) {
+      throw new Error('SAML cannot enabled as OIDC is enabled.');
+    }
 
     return context.services.OrgSettingsService.updateSamlSettings({
       orgId: user.orgId,
+      samlEnabled: input.samlEnabled,
       ssoUrl: input.ssoUrl,
       cert: input.ssoCert,
     });
   },
+  async updateSSOOidcCredentials(_, { input }, context) {
+    const user = context.getUser();
+    if (!user) {
+      throw new AuthenticationError('User required.');
+    }
+    
+    const samlSettings = await context.services.OrgSettingsService.getSamlSettings(user.orgId); 
+    if (samlSettings?.saml_enabled && input.oidcEnabled) {
+      throw new Error('OIDC cannot enabled as SAML is enabled.');
+    }
+
+    return context.services.OrgSettingsService.updateOidcSettings({
+      orgId: user.orgId,
+      oidcEnabled: input.oidcEnabled,
+      issuerUrl: input.issuerUrl,
+      clientId: input.clientId,
+      clientSecret: input.clientSecret,
+    });
+  },
+  async switchSSOMethod(_, { input }, context) {
+    const user = context.getUser();
+    if (!user) {
+      throw new AuthenticationError('User required.');
+    }
+    if (input.method === 'SAML') {
+      if (!input.ssoUrl || !input.ssoCert) {
+        throw new Error('ssoUrl and ssoCert are required when switching to SAML.');
+      }
+      await context.services.OrgSettingsService.switchSSOMethod({
+        orgId: user.orgId,
+        method: 'saml',
+        ssoUrl: input.ssoUrl,
+        cert: input.ssoCert,
+      });
+    } else {
+      if (!input.issuerUrl || !input.clientId || !input.clientSecret) {
+        throw new Error('issuerUrl, clientId, and clientSecret are required when switching to OIDC.');
+      }
+      await context.services.OrgSettingsService.switchSSOMethod({
+        orgId: user.orgId,
+        method: 'oidc',
+        issuerUrl: input.issuerUrl,
+        clientId: input.clientId,
+        clientSecret: input.clientSecret,
+      });
+    }
+    return context.dataSources.orgAPI.getGraphQLOrgFromId(user.orgId);
+  },
   async updateOrgInfo(_, { input }, context) {
     const user = context.getUser();
     if (!user) {
diff --git a/server/graphql/schema.ts b/server/graphql/schema.ts
index 7834c395..0de7c24b 100644
--- a/server/graphql/schema.ts
+++ b/server/graphql/schema.ts
@@ -306,6 +306,7 @@ const typeDefs = /* GraphQL */ `
     role: UserRole!
     orgId: String!
     samlEnabled: Boolean!
+    oidcEnabled: Boolean!
   }
 
   type InviteUserTokenSuccessResponse {
@@ -344,6 +345,7 @@ const typeDefs = /* GraphQL */ `
   enum LoginMethod {
     PASSWORD
     SAML
+    OIDC
   }
 
   input SignUpInput {
diff --git a/server/package-lock.json b/server/package-lock.json
index fed8e019..46c261a4 100644
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -79,6 +79,7 @@
         "node-worker-threads-pool": "^1.5.1",
         "normalize-text": "^2.4.1",
         "openai": "^4.24.0",
+        "openid-client": "^6.8.2",
         "p-limit": "^4.0.0",
         "passport": "^0.7.0",
         "pg": "^8.8.0",
@@ -17287,6 +17288,15 @@
         "url": "https://github.com/chalk/supports-color?sponsor=1"
       }
     },
+    "node_modules/jose": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.2.tgz",
+      "integrity": "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/js-tokens": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
@@ -18132,6 +18142,15 @@
         "node": ">=8"
       }
     },
+    "node_modules/oauth4webapi": {
+      "version": "3.8.5",
+      "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.8.5.tgz",
+      "integrity": "sha512-A8jmyUckVhRJj5lspguklcl90Ydqk61H3dcU0oLhH3Yv13KpAliKTt5hknpGGPZSSfOwGyraNEFmofDYH+1kSg==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/object-assign": {
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
@@ -18340,6 +18359,19 @@
         "node": ">= 14"
       }
     },
+    "node_modules/openid-client": {
+      "version": "6.8.2",
+      "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-6.8.2.tgz",
+      "integrity": "sha512-uOvTCndr4udZsKihJ68H9bUICrriHdUVJ6Az+4Ns6cW55rwM5h0bjVIzDz2SxgOI84LKjFyjOFvERLzdTUROGA==",
+      "license": "MIT",
+      "dependencies": {
+        "jose": "^6.1.3",
+        "oauth4webapi": "^3.8.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/optionator": {
       "version": "0.9.3",
       "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz",
diff --git a/server/package.json b/server/package.json
index 04075171..011ceea3 100644
--- a/server/package.json
+++ b/server/package.json
@@ -93,6 +93,7 @@
     "node-worker-threads-pool": "^1.5.1",
     "normalize-text": "^2.4.1",
     "openai": "^4.24.0",
+    "openid-client": "^6.8.2",
     "p-limit": "^4.0.0",
     "passport": "^0.7.0",
     "pg": "^8.8.0",
diff --git a/server/services/SSOService/SSOService.ts b/server/services/SSOService/SSOService.ts
index 3824ef62..ff160325 100644
--- a/server/services/SSOService/SSOService.ts
+++ b/server/services/SSOService/SSOService.ts
@@ -8,14 +8,34 @@ export class SSOService {
 
   // Throws is SSO is not enabled for an org
   async getSSORedirectUrlForUserEmail(email: string) {
-    const { org_id: orgId } = await this.pgQuery
+    const { org_id: orgId, saml_enabled: samlEnabled } = await this.pgQuery
       .selectFrom('users')
       .innerJoin('org_settings', 'users.org_id', 'org_settings.org_id')
       .where('users.email', '=', email)
-      .where('org_settings.saml_enabled', '=', true)
-      .select('users.org_id')
+      .where((eb) => eb.or([
+        eb('org_settings.saml_enabled', '=', true),
+        eb('org_settings.oidc_enabled', '=', true),
+      ]))
+      .select(['users.org_id', 'org_settings.saml_enabled'])
       .executeTakeFirstOrThrow();
-    return `/api/v1/saml/login/${orgId}`;
+
+    if (samlEnabled) {
+      return `/api/v1/saml/login/${orgId}`
+    } else {
+      const { API_BASE_URL } = process.env;
+      if (!API_BASE_URL) {
+        throw new Error("API_BASE_URL not configured")
+      }
+      return `${API_BASE_URL}/api/v1/oidc/login/${orgId}`
+    }
+  }
+  
+  getSSOOidcCallbackUrl(): string {
+    const { API_BASE_URL } = process.env;
+      if (!API_BASE_URL) {
+        return "";
+      }
+      return `${API_BASE_URL}/api/v1/oidc/login/callback`;
   }
 }
 
diff --git a/server/services/SSOService/dbTypes.ts b/server/services/SSOService/dbTypes.ts
index 80e3d3dc..8425d229 100644
--- a/server/services/SSOService/dbTypes.ts
+++ b/server/services/SSOService/dbTypes.ts
@@ -6,6 +6,6 @@ export type SSOServicePg = {
   orgs: { id: string };
   org_settings: Pick<
     OrgSettingsPg['public.org_settings'],
-    'saml_enabled' | 'org_id'
+    'saml_enabled' | 'oidc_enabled' | 'org_id'
   >;
 };
diff --git a/server/services/orgSettingsService/orgSettingsService.ts b/server/services/orgSettingsService/orgSettingsService.ts
index 630eadc2..07ef76a9 100644
--- a/server/services/orgSettingsService/orgSettingsService.ts
+++ b/server/services/orgSettingsService/orgSettingsService.ts
@@ -19,19 +19,15 @@ export type OrgSettingsPg = {
     allow_multiple_policies_per_action: boolean;
     user_strike_ttl_days: number;
     is_demo_org: boolean;
-  } & (
-    | {
-        saml_enabled: true;
-        sso_url: string;
-        // TODO: rename this to something more descriptive like sso_cert
-        cert: string;
-      }
-    | {
-        saml_enabled: false;
-        sso_url: string | null;
-        cert: string | null;
-      }
-  );
+    saml_enabled: boolean;
+    sso_url: string | null;
+    // TODO: rename this to something more descriptive like sso_cert
+    cert: string | null;
+    oidc_enabled: boolean;
+    client_id: string | null;
+    client_secret: string | null;
+    issuer_url: string | null;
+  }
 };
 type PartialItemsInfo = {
   partialItemsEndpoint?: string;
@@ -70,6 +66,10 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
           appeal_callback_url: null,
           appeal_callback_headers: null,
           appeal_callback_body: null,
+          oidc_enabled: false,
+          client_id: null,
+          client_secret: null,
+          issuer_url: null,
         })
         .onConflict((oc) => oc.column('org_id').doNothing())
         .execute();
@@ -175,6 +175,7 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
     },
     async updateSamlSettings(input: {
       orgId: string;
+      samlEnabled: boolean;
       ssoUrl: string;
       cert: string;
     }) {
@@ -182,13 +183,66 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
         await pgQuery
           .updateTable('public.org_settings')
           .where('org_id', '=', input.orgId)
-          .set({ sso_url: input.ssoUrl, cert: input.cert })
+          .set({ saml_enabled: input.samlEnabled, sso_url: input.ssoUrl, cert: input.cert })
           .executeTakeFirst();
         return true;
       } catch (e) {
         return false;
       }
     },
+    async getOidcSettings(orgId: string) {
+      return pgQuery
+        .selectFrom('public.org_settings')
+        .select(['oidc_enabled', 'client_id', 'client_secret', 'issuer_url'])
+        .where('org_id', '=', orgId)
+        .executeTakeFirst();
+    },
+    async updateOidcSettings(input: {
+      orgId: string;
+      oidcEnabled: boolean;
+      issuerUrl: string;
+      clientId: string;
+      clientSecret: string;
+    }) {
+      try {
+        await pgQuery
+          .updateTable('public.org_settings')
+          .where('org_id', '=', input.orgId)
+          .set({ oidc_enabled: input.oidcEnabled, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
+          .executeTakeFirst();
+        return true;
+      } catch (e) {
+        return false;
+      }
+    },
+    async switchSSOMethod(input: {
+      orgId: string;
+      method: 'saml' | 'oidc';
+      ssoUrl?: string;
+      cert?: string;
+      issuerUrl?: string;
+      clientId?: string;
+      clientSecret?: string;
+    }) {
+      try {
+        if (input.method === 'saml') {
+          await pgQuery
+            .updateTable('public.org_settings')
+            .where('org_id', '=', input.orgId)
+            .set({ saml_enabled: true, oidc_enabled: false, sso_url: input.ssoUrl, cert: input.cert })
+            .executeTakeFirst();
+        } else {
+          await pgQuery
+            .updateTable('public.org_settings')
+            .where('org_id', '=', input.orgId)
+            .set({ saml_enabled: false, oidc_enabled: true, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
+            .executeTakeFirst();
+        }
+        return true;
+      } catch (e) {
+        return false;
+      }
+    },
     async isDemoOrg(orgId: string) {
       const rows = await pgQuery
         .selectFrom('public.org_settings')
diff --git a/server/services/userManagementService/dbTypes.ts b/server/services/userManagementService/dbTypes.ts
index b6e4478f..84c60878 100644
--- a/server/services/userManagementService/dbTypes.ts
+++ b/server/services/userManagementService/dbTypes.ts
@@ -80,6 +80,6 @@ export type UserManagementPg = {
   };
   'public.org_settings': Pick<
     OrgSettingsPg['public.org_settings'],
-    'org_id' | 'saml_enabled'
+    'org_id' | 'saml_enabled' | 'oidc_enabled'
   >;
 };
diff --git a/server/services/userManagementService/userManagementService.ts b/server/services/userManagementService/userManagementService.ts
index cb8d681a..c5f66a78 100644
--- a/server/services/userManagementService/userManagementService.ts
+++ b/server/services/userManagementService/userManagementService.ts
@@ -79,7 +79,7 @@ class UserManagementService {
 
     const orgSettings = await this.pgQuery
       .selectFrom('public.org_settings')
-      .select('saml_enabled')
+      .select(['saml_enabled', 'oidc_enabled'])
       .where('org_id', '=', tokenRow.org_id)
       .executeTakeFirst();
 
@@ -88,6 +88,7 @@ class UserManagementService {
       orgId: tokenRow.org_id,
       createdAt: tokenRow.created_at,
       samlEnabled: orgSettings?.saml_enabled ?? false,
+      oidcEnabled: orgSettings?.oidc_enabled ?? false,
     };
   }
 

From 85a11237781f03289c8f71e6e9407fff9f78c3d7 Mon Sep 17 00:00:00 2001
From: Shalabh Agarwal <shalabhagarwal1024@gmail.com>
Date: Sat, 21 Mar 2026 14:38:04 +0530
Subject: [PATCH 2/5] code review changes

---
 .../2026.03.02T00.00.00.add-oidc-sso.sql      |   4 +-
 client/src/graphql/generated.ts               |   4 -
 client/src/webpages/settings/SSOSettings.tsx  |  30 ++---
 server/api.ts                                 |  10 +-
 server/graphql/modules/authentication.ts      |   2 +-
 server/graphql/modules/org.ts                 | 109 ++++++++----------
 .../orgSettingsService/orgSettingsService.ts  |  46 +++-----
 7 files changed, 90 insertions(+), 115 deletions(-)

diff --git a/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql b/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql
index 99ae0b42..7c699d74 100644
--- a/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql
+++ b/.devops/migrator/src/scripts/api-server-pg/2026.03.02T00.00.00.add-oidc-sso.sql
@@ -15,9 +15,7 @@ ADD CONSTRAINT oidc_settings_constraint CHECK (
 -- Add mutual exclusivity: SAML and OIDC cannot both be enabled
 ALTER TABLE public.org_settings
 ADD CONSTRAINT sso_saml_oidc_constraint CHECK (
-    ((saml_enabled = false) AND (oidc_enabled = true)) OR
-    ((saml_enabled = true) AND (oidc_enabled = false)) OR
-    ((saml_enabled = false) AND (oidc_enabled = false))
+    NOT (saml_enabled AND oidc_enabled)
 );
 
 ALTER TYPE public.login_method_enum ADD VALUE IF NOT EXISTS 'oidc';
\ No newline at end of file
diff --git a/client/src/graphql/generated.ts b/client/src/graphql/generated.ts
index 9491fc8e..8d4f7e40 100644
--- a/client/src/graphql/generated.ts
+++ b/client/src/graphql/generated.ts
@@ -24149,7 +24149,6 @@ export type GQLGetSsoCredentialsQuery = {
     readonly ssoCert?: string | null;
     readonly issuerUrl?: string | null;
     readonly clientId?: string | null;
-    readonly clientSecret?: string | null;
   } | null;
 };
 
@@ -24195,7 +24194,6 @@ export type GQLSwitchSsoMethodMutation = {
     readonly ssoCert?: string | null;
     readonly issuerUrl?: string | null;
     readonly clientId?: string | null;
-    readonly clientSecret?: string | null;
   };
 };
 
@@ -37863,7 +37861,6 @@ export const GQLGetSsoCredentialsDocument = gql`
       ssoCert
       issuerUrl
       clientId
-      clientSecret
     }
   }
 `;
@@ -38080,7 +38077,6 @@ export const GQLSwitchSsoMethodDocument = gql`
       ssoCert
       issuerUrl
       clientId
-      clientSecret
     }
   }
 `;
diff --git a/client/src/webpages/settings/SSOSettings.tsx b/client/src/webpages/settings/SSOSettings.tsx
index 378d13a3..f9eacaf6 100644
--- a/client/src/webpages/settings/SSOSettings.tsx
+++ b/client/src/webpages/settings/SSOSettings.tsx
@@ -46,7 +46,6 @@ gql`
       ssoCert
       issuerUrl
       clientId
-      clientSecret
     }
   }
 
@@ -71,7 +70,6 @@ gql`
         ssoCert
         issuerUrl
         clientId
-        clientSecret
     }
   }
 `;
@@ -103,7 +101,6 @@ export default function SSOSettings() {
     if (org.ssoCert != null) setSsoCert(org.ssoCert);
     if (org.issuerUrl != null) setIssuerUrl(org.issuerUrl);
     if (org.clientId != null) setClientId(org.clientId);
-    if (org.clientSecret != null) setClientSecret(org.clientSecret);
     if (org.oidcEnabled) setActiveTab('OIDC');
   }, [data]);
 
@@ -124,8 +121,7 @@ export default function SSOSettings() {
   const isSwitching = !isCurrentTabActive && currentMethod !== 'Password';
 
   const samlCallbackUri = `https://getcoop.com/api/v1/saml/login/${data?.myOrg?.id}/callback`;
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const oidcCallbackUri = (callbackData as any)?.getSSOOidcCallbackUrl ?? '';
+  const oidcCallbackUri = callbackData?.getSSOOidcCallbackUrl ?? '';
 
   const stringIsAValidUrl = (s: string) => {
     try {
@@ -137,12 +133,18 @@ export default function SSOSettings() {
     }
   };
 
-  const isValidDomain = (s: string) =>
-    s.trim().length > 0 && s.includes('.') && !/\s/.test(s);
+  const isValidDomain = (s: string) => {
+    try {
+      const url = new URL(`https://${s.replace(/^https?:\/\//, '')}`);
+      return url.hostname.includes('.') && url.hostname === s.replace(/^https?:\/\//, '').replace(/\/$/, '');
+    } catch (_) {
+      return false;
+    }
+  };
 
   const isSamlFormValid = ssoUrl.length > 0 && ssoCert.length > 0;
   const isOidcFormValid =
-    issuerUrl.length > 0 && clientId.length > 0 && clientSecret.length > 0;
+    issuerUrl.length > 0 && clientId.length > 0 && (clientSecret.length > 0 || oidcEnabled);
   const isFormValid = activeTab === 'SAML' ? isSamlFormValid : isOidcFormValid;
 
   const updateLoading = samlUpdateLoading || oidcUpdateLoading || switchLoading;
@@ -332,7 +334,7 @@ export default function SSOSettings() {
           <Heading>Identity Provider Metadata</Heading>
           <div className="flex flex-col gap-2">
             <Label htmlFor="ssoUrl">SSO URL</Label>
-            <Input id="ssoUrl" value={ssoUrl} onChange={(e) => setSsoUrl(e.target.value)} disabled={isSwitching} />
+            <Input id="ssoUrl" value={ssoUrl} onChange={(e) => setSsoUrl(e.target.value)} />
           </div>
           <div className="flex flex-col gap-2">
             <Label htmlFor="SsoCert">SSO Certificate</Label>
@@ -347,8 +349,7 @@ export default function SSOSettings() {
             className="h-44"
             value={ssoCert}
             onChange={(e) => setSsoCert(e.target.value)}
-            disabled={isSwitching}
-            endSlot={
+                       endSlot={
               <Tooltip delayDuration={0}>
                 <TooltipTrigger asChild>
                   <Button
@@ -409,12 +410,12 @@ export default function SSOSettings() {
               placeholder="your-tenant.auth0.com"
               value={issuerUrl}
               onChange={(e) => setIssuerUrl(e.target.value)}
-              disabled={isSwitching}
+
             />
           </div>
           <div className="flex flex-col gap-2">
             <Label htmlFor="clientId">Client ID</Label>
-            <Input id="clientId" value={clientId} onChange={(e) => setClientId(e.target.value)} disabled={isSwitching} />
+            <Input id="clientId" value={clientId} onChange={(e) => setClientId(e.target.value)} />
           </div>
           <div className="flex flex-col gap-2">
             <Label htmlFor="clientSecret">Client Secret</Label>
@@ -422,8 +423,9 @@ export default function SSOSettings() {
               id="clientSecret"
               type="password"
               value={clientSecret}
+              placeholder={oidcEnabled ? '••••••••  (enter new value to change)' : ''}
               onChange={(e) => setClientSecret(e.target.value)}
-              disabled={isSwitching}
+
             />
           </div>
         </>
diff --git a/server/api.ts b/server/api.ts
index c02d3646..488d2c04 100644
--- a/server/api.ts
+++ b/server/api.ts
@@ -28,7 +28,11 @@ import depthLimit from 'graphql-depth-limit';
 import helmet from 'helmet';
 import passport from 'passport';
 import { MultiSamlStrategy } from '@node-saml/passport-saml';
-import * as oidcClient from 'openid-client'
+import * as oidcClient from 'openid-client';
+
+function normalizeIssuerUrl(raw: string): string {
+  return `https://${raw.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
+}
 import {
   makeLoginIncorrectPasswordError,
   makeLoginSsoRequiredError,
@@ -302,7 +306,7 @@ export default async function makeApiServer(deps: Dependencies) {
         return res.redirect('/');
       }
 
-      const issuerUrl = `https://${oidcSettings.issuer_url.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
+      const issuerUrl = normalizeIssuerUrl(oidcSettings.issuer_url);
 
       const { API_BASE_URL } = process.env;
       const config = await oidcClient.discovery(
@@ -368,7 +372,7 @@ export default async function makeApiServer(deps: Dependencies) {
         return next(makeInternalServerError('API_BASE_URL not configured.', { shouldErrorSpan: true }));
       }
       const callbackUrl = deps.SSOService.getSSOOidcCallbackUrl();
-      const issuerUrl = `https://${oidcSettings.issuer_url.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
+      const issuerUrl = normalizeIssuerUrl(oidcSettings.issuer_url);
       
       const config = await oidcClient.discovery(
         new URL(issuerUrl),
diff --git a/server/graphql/modules/authentication.ts b/server/graphql/modules/authentication.ts
index f75a5a2d..d59e7534 100644
--- a/server/graphql/modules/authentication.ts
+++ b/server/graphql/modules/authentication.ts
@@ -7,7 +7,7 @@ const typeDefs = /* GraphQL */ `
   type Query {
     me: User @publicResolver
     getSSORedirectUrl(emailAddress: String!): String @publicResolver
-    getSSOOidcCallbackUrl: String @publicResolver
+    getSSOOidcCallbackUrl: String
   }
 
   type Mutation {
diff --git a/server/graphql/modules/org.ts b/server/graphql/modules/org.ts
index 90075e81..3f627678 100644
--- a/server/graphql/modules/org.ts
+++ b/server/graphql/modules/org.ts
@@ -13,6 +13,29 @@ import {
 } from '../generated.js';
 import { gqlErrorResult, gqlSuccessResult } from '../utils/gqlResult.js';
 
+async function resolveOidcField(
+  org: { id: string },
+  context: { getUser: () => any; services: any },
+  field: 'client_id' | 'client_secret' | 'issuer_url',
+) {
+  const user = context.getUser();
+  if (user == null || user.orgId !== org.id) {
+    throw new AuthenticationError('Authenticated user required');
+  }
+  if (!user.getPermissions().includes('MANAGE_ORG')) {
+    throw new AuthenticationError(
+      'User does not have permission to manage SSO settings',
+    );
+  }
+  const settings = await context.services.OrgSettingsService.getOidcSettings(
+    org.id,
+  );
+  if (!settings) {
+    return null;
+  }
+  return settings[field];
+}
+
 const typeDefs = /* GraphQL */ `
   type Org {
     id: ID!
@@ -565,70 +588,15 @@ const Org: GQLOrgResolvers = {
   },
   
   async clientSecret(org, _, context) {
-    const user = context.getUser();
-    if (user == null || user.orgId !== org.id) {
-      throw new AuthenticationError('Authenticated user required');
-    }
-
-    if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw new AuthenticationError(
-        'User does not have permission to manage SSO settings',
-      );
-    }
-
-    const settings = await context.services.OrgSettingsService.getOidcSettings(
-      org.id,
-    );
-
-    if (!settings) {
-      return null;
-    }
-
-    return settings.client_secret;
+    // Never expose the real client secret — return masked value if set
+    const value = await resolveOidcField(org, context, 'client_secret');
+    return value ? '••••••••' : null;
   },
   async issuerUrl(org, _, context) {
-    const user = context.getUser();
-    if (user == null || user.orgId !== org.id) {
-      throw new AuthenticationError('Authenticated user required');
-    }
-
-    if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw new AuthenticationError(
-        'User does not have permission to manage SSO settings',
-      );
-    }
-
-    const settings = await context.services.OrgSettingsService.getOidcSettings(
-      org.id,
-    );
-
-    if (!settings) {
-      return null;
-    }
-
-    return settings.issuer_url;
+    return resolveOidcField(org, context, 'issuer_url');
   },
   async clientId(org, _, context) {
-    const user = context.getUser();
-    if (user == null || user.orgId !== org.id) {
-      throw new AuthenticationError('Authenticated user required');
-    }
-
-    if (!user.getPermissions().includes('MANAGE_ORG')) {
-      throw new AuthenticationError(
-        'User does not have permission to manage SSO settings',
-      );
-    }
-
-    const settings = await context.services.OrgSettingsService.getOidcSettings(
-      org.id,
-    );
-
-    if (!settings) {
-      return null;
-    }
-
-    return settings.client_id;
+    return resolveOidcField(org, context, 'client_id');
   },
   async samlEnabled(org, _, context) {
     const settings = await context.services.OrgSettingsService.getSamlSettings(org.id);
@@ -751,7 +719,12 @@ const Mutation: GQLMutationResolvers = {
     if (!user) {
       throw new AuthenticationError('User required.');
     }
-    const oidcSettings = await context.services.OrgSettingsService.getOidcSettings(user.orgId); 
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw new AuthenticationError(
+        'User does not have permission to manage SSO settings',
+      );
+    }
+    const oidcSettings = await context.services.OrgSettingsService.getOidcSettings(user.orgId);
     if (oidcSettings?.oidc_enabled && input.samlEnabled) {
       throw new Error('SAML cannot enabled as OIDC is enabled.');
     }
@@ -768,8 +741,13 @@ const Mutation: GQLMutationResolvers = {
     if (!user) {
       throw new AuthenticationError('User required.');
     }
-    
-    const samlSettings = await context.services.OrgSettingsService.getSamlSettings(user.orgId); 
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw new AuthenticationError(
+        'User does not have permission to manage SSO settings',
+      );
+    }
+
+    const samlSettings = await context.services.OrgSettingsService.getSamlSettings(user.orgId);
     if (samlSettings?.saml_enabled && input.oidcEnabled) {
       throw new Error('OIDC cannot enabled as SAML is enabled.');
     }
@@ -787,6 +765,11 @@ const Mutation: GQLMutationResolvers = {
     if (!user) {
       throw new AuthenticationError('User required.');
     }
+    if (!user.getPermissions().includes('MANAGE_ORG')) {
+      throw new AuthenticationError(
+        'User does not have permission to manage SSO settings',
+      );
+    }
     if (input.method === 'SAML') {
       if (!input.ssoUrl || !input.ssoCert) {
         throw new Error('ssoUrl and ssoCert are required when switching to SAML.');
diff --git a/server/services/orgSettingsService/orgSettingsService.ts b/server/services/orgSettingsService/orgSettingsService.ts
index 07ef76a9..c2a83e85 100644
--- a/server/services/orgSettingsService/orgSettingsService.ts
+++ b/server/services/orgSettingsService/orgSettingsService.ts
@@ -204,16 +204,12 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
       clientId: string;
       clientSecret: string;
     }) {
-      try {
-        await pgQuery
-          .updateTable('public.org_settings')
-          .where('org_id', '=', input.orgId)
-          .set({ oidc_enabled: input.oidcEnabled, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
-          .executeTakeFirst();
-        return true;
-      } catch (e) {
-        return false;
-      }
+      await pgQuery
+        .updateTable('public.org_settings')
+        .where('org_id', '=', input.orgId)
+        .set({ oidc_enabled: input.oidcEnabled, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
+        .executeTakeFirst();
+      return true;
     },
     async switchSSOMethod(input: {
       orgId: string;
@@ -224,24 +220,20 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
       clientId?: string;
       clientSecret?: string;
     }) {
-      try {
-        if (input.method === 'saml') {
-          await pgQuery
-            .updateTable('public.org_settings')
-            .where('org_id', '=', input.orgId)
-            .set({ saml_enabled: true, oidc_enabled: false, sso_url: input.ssoUrl, cert: input.cert })
-            .executeTakeFirst();
-        } else {
-          await pgQuery
-            .updateTable('public.org_settings')
-            .where('org_id', '=', input.orgId)
-            .set({ saml_enabled: false, oidc_enabled: true, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
-            .executeTakeFirst();
-        }
-        return true;
-      } catch (e) {
-        return false;
+      if (input.method === 'saml') {
+        await pgQuery
+          .updateTable('public.org_settings')
+          .where('org_id', '=', input.orgId)
+          .set({ saml_enabled: true, oidc_enabled: false, sso_url: input.ssoUrl, cert: input.cert })
+          .executeTakeFirst();
+      } else {
+        await pgQuery
+          .updateTable('public.org_settings')
+          .where('org_id', '=', input.orgId)
+          .set({ saml_enabled: false, oidc_enabled: true, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
+          .executeTakeFirst();
       }
+      return true;
     },
     async isDemoOrg(orgId: string) {
       const rows = await pgQuery

From b77a0344437ba3831bd6fb7b82657b94fbb3fe21 Mon Sep 17 00:00:00 2001
From: Shalabh Agarwal <shalabhagarwal1024@gmail.com>
Date: Sat, 21 Mar 2026 15:39:47 +0530
Subject: [PATCH 3/5] client secret encryption

---
 client/src/webpages/App.tsx                   |  8 ---
 client/src/webpages/auth/LoginSSO.tsx         |  5 +-
 client/src/webpages/settings/SSOSettings.tsx  | 35 +++++++----
 server/.env.example                           |  1 +
 server/api.ts                                 |  2 +-
 .../orgSettingsService/orgSettingsService.ts  | 22 ++++++-
 server/utils/crypto.ts                        | 60 +++++++++++++++++++
 7 files changed, 108 insertions(+), 25 deletions(-)
 create mode 100644 server/utils/crypto.ts

diff --git a/client/src/webpages/App.tsx b/client/src/webpages/App.tsx
index 97e56abf..cc1d5472 100644
--- a/client/src/webpages/App.tsx
+++ b/client/src/webpages/App.tsx
@@ -76,14 +76,6 @@ export default function App() {
             // just redirect them to login.
             element: <Navigate replace to="/login" />,
           },
-          {
-            path: 'login/sso_saml',
-            element: (
-              <RequireLoggedOut>
-                <LoginSSO />
-              </RequireLoggedOut>
-            ),
-          },
           {
             path: 'login/sso',
             element: (
diff --git a/client/src/webpages/auth/LoginSSO.tsx b/client/src/webpages/auth/LoginSSO.tsx
index 4281f86c..75a53b16 100644
--- a/client/src/webpages/auth/LoginSSO.tsx
+++ b/client/src/webpages/auth/LoginSSO.tsx
@@ -32,8 +32,11 @@ export default function LoginSSO() {
 
   useEffect(() => {
     const params = new URLSearchParams(window.location.search);
-    if (params.get('error') === 'access_denied') {
+    const error = params.get('error');
+    if (error === 'access_denied') {
       toast.error('SSO login was cancelled. Please try again.');
+    } else if (error) {
+      toast.error('SSO login failed. Please try again or contact your administrator.');
     }
   }, []);
   const errorModal = (
diff --git a/client/src/webpages/settings/SSOSettings.tsx b/client/src/webpages/settings/SSOSettings.tsx
index f9eacaf6..2606c04f 100644
--- a/client/src/webpages/settings/SSOSettings.tsx
+++ b/client/src/webpages/settings/SSOSettings.tsx
@@ -149,7 +149,7 @@ export default function SSOSettings() {
 
   const updateLoading = samlUpdateLoading || oidcUpdateLoading || switchLoading;
 
-  const handleSaveSaml = () => {
+  const handleSaveSaml = (closeDialog = false) => {
     if (!stringIsAValidUrl(ssoUrl)) {
       toast.error('SSO URL is not a valid URL');
       return;
@@ -157,12 +157,18 @@ export default function SSOSettings() {
     updateSSOSamlCredentials({
       variables: { input: { samlEnabled: true, ssoUrl, ssoCert } },
       refetchQueries: ['GetSSOCredentials'],
-      onCompleted: () => toast.success('SAML credentials updated'),
-      onError: (e) => toast.error(`Error updating SAML credentials: ${e.message}`),
+      onCompleted: () => {
+        toast.success('SAML credentials updated');
+        if (closeDialog) setShowSwitchDialog(false);
+      },
+      onError: (e) => {
+        toast.error(`Error updating SAML credentials: ${e.message}`);
+        if (closeDialog) setShowSwitchDialog(false);
+      },
     });
   };
 
-  const handleSaveOidc = () => {
+  const handleSaveOidc = (closeDialog = false) => {
     if (!isValidDomain(issuerUrl)) {
       toast.error('Domain is not valid (e.g. your-tenant.auth0.com)');
       return;
@@ -170,8 +176,14 @@ export default function SSOSettings() {
     updateSSOOidcCredentials({
       variables: { input: { oidcEnabled: true, issuerUrl, clientId, clientSecret } },
       refetchQueries: ['GetSSOCredentials'],
-      onCompleted: () => toast.success('OIDC credentials updated'),
-      onError: (e) => toast.error(`Error updating OIDC credentials: ${e.message}`),
+      onCompleted: () => {
+        toast.success('OIDC credentials updated');
+        if (closeDialog) setShowSwitchDialog(false);
+      },
+      onError: (e) => {
+        toast.error(`Error updating OIDC credentials: ${e.message}`);
+        if (closeDialog) setShowSwitchDialog(false);
+      },
     });
   };
 
@@ -179,9 +191,8 @@ export default function SSOSettings() {
 
   const handleSwitch = () => {
     if (isEnablingFromPassword) {
-      if (activeTab === 'SAML') handleSaveSaml();
-      else handleSaveOidc();
-      setShowSwitchDialog(false);
+      if (activeTab === 'SAML') handleSaveSaml(true);
+      else handleSaveOidc(true);
       return;
     }
     if (activeTab === 'SAML') {
@@ -444,8 +455,8 @@ export default function SSOSettings() {
             : `Enable ${activeTab}`}
       </Button>
 
-      <Dialog open={showSwitchDialog} onOpenChange={setShowSwitchDialog}>
-        <DialogContent>
+      {showSwitchDialog && <Dialog open onOpenChange={setShowSwitchDialog}>
+        <DialogContent className="z-[51]">
           <DialogHeader>
             <DialogTitle>
               {isEnablingFromPassword
@@ -467,7 +478,7 @@ export default function SSOSettings() {
             </Button>
           </DialogFooter>
         </DialogContent>
-      </Dialog>
+      </Dialog>}
     </div>
   );
 }
diff --git a/server/.env.example b/server/.env.example
index dfcc64e0..3d91c0e6 100644
--- a/server/.env.example
+++ b/server/.env.example
@@ -84,3 +84,4 @@ UI_URL=http://localhost:3000
 GRAPHQL_MAX_DEPTH=10
 
 API_BASE_URL=http://localhost:8080
+SSO_ENCRYPTION_KEY=
\ No newline at end of file
diff --git a/server/api.ts b/server/api.ts
index 488d2c04..8b5ec9fe 100644
--- a/server/api.ts
+++ b/server/api.ts
@@ -351,7 +351,7 @@ export default async function makeApiServer(deps: Dependencies) {
         res.redirect(`${deps.ConfigService.uiUrl}/dashboard`);
       });
     } catch (e) {
-      next(e);
+      return res.redirect(`${deps.ConfigService.uiUrl}/login/sso?error=sso_login_failed`);
     }
   });
 
diff --git a/server/services/orgSettingsService/orgSettingsService.ts b/server/services/orgSettingsService/orgSettingsService.ts
index c2a83e85..844ba0ce 100644
--- a/server/services/orgSettingsService/orgSettingsService.ts
+++ b/server/services/orgSettingsService/orgSettingsService.ts
@@ -4,6 +4,7 @@ import { type ReadonlyObjectDeep } from 'type-fest/source/readonly-deep.js';
 
 import { inject } from '../../iocContainer/index.js';
 import { cached } from '../../utils/caching.js';
+import { encrypt, decrypt } from '../../utils/crypto.js';
 import { MINUTE_MS } from '../../utils/time.js';
 
 export type OrgSettingsPg = {
@@ -191,11 +192,15 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
       }
     },
     async getOidcSettings(orgId: string) {
-      return pgQuery
+      const row = await pgQuery
         .selectFrom('public.org_settings')
         .select(['oidc_enabled', 'client_id', 'client_secret', 'issuer_url'])
         .where('org_id', '=', orgId)
         .executeTakeFirst();
+      if (row?.client_secret) {
+        return { ...row, client_secret: decrypt(row.client_secret) };
+      }
+      return row;
     },
     async updateOidcSettings(input: {
       orgId: string;
@@ -207,7 +212,12 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
       await pgQuery
         .updateTable('public.org_settings')
         .where('org_id', '=', input.orgId)
-        .set({ oidc_enabled: input.oidcEnabled, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
+        .set({
+          oidc_enabled: input.oidcEnabled,
+          issuer_url: input.issuerUrl,
+          client_id: input.clientId,
+          client_secret: encrypt(input.clientSecret),
+        })
         .executeTakeFirst();
       return true;
     },
@@ -230,7 +240,13 @@ function makeOrgSettingsService(pgQuery: Kysely<OrgSettingsPg>) {
         await pgQuery
           .updateTable('public.org_settings')
           .where('org_id', '=', input.orgId)
-          .set({ saml_enabled: false, oidc_enabled: true, issuer_url: input.issuerUrl, client_id: input.clientId, client_secret: input.clientSecret })
+          .set({
+            saml_enabled: false,
+            oidc_enabled: true,
+            issuer_url: input.issuerUrl,
+            client_id: input.clientId,
+            client_secret: input.clientSecret ? encrypt(input.clientSecret) : undefined,
+          })
           .executeTakeFirst();
       }
       return true;
diff --git a/server/utils/crypto.ts b/server/utils/crypto.ts
new file mode 100644
index 00000000..49f3745b
--- /dev/null
+++ b/server/utils/crypto.ts
@@ -0,0 +1,60 @@
+import { type CipherKey, createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+
+// openssl rand -base64 32
+// node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
+function getEncryptionKey(): CipherKey {
+  const key = process.env.SSO_ENCRYPTION_KEY;
+  if (!key) {
+    throw new Error('SSO_ENCRYPTION_KEY environment variable is not set');
+  }
+  
+  const buf = Buffer.from(key, 'base64');
+  if (buf.length !== 32) {
+    throw new Error(
+      'SSO_ENCRYPTION_KEY must be a base64-encoded 32-byte key',
+    );
+  }
+  return buf as CipherKey;
+}
+
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Returns a base64 string in the format: iv:ciphertext:authTag
+ */
+export function encrypt(plaintext: string): string {
+  const key = getEncryptionKey();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, new Uint8Array(iv), {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  const encrypted = Buffer.concat([new Uint8Array(cipher.update(plaintext, 'utf8')), new Uint8Array(cipher.final())]);
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString('base64')}:${encrypted.toString('base64')}:${authTag.toString('base64')}`;
+}
+
+/**
+ * Decrypts a string previously encrypted with encrypt().
+ * Returns null if the value doesn't look like an encrypted string (for
+ * backwards compatibility with pre-encryption plaintext values).
+ */
+export function decrypt(encryptedValue: string): string {
+  const parts = encryptedValue.split(':');
+  if (parts.length !== 3) {
+    // Not in encrypted format — return as-is for backwards compatibility
+    // with secrets stored before encryption was enabled
+    return encryptedValue;
+  }
+  const key = getEncryptionKey();
+  const iv = Buffer.from(parts[0], 'base64');
+  const encrypted = Buffer.from(parts[1], 'base64');
+  const authTag = Buffer.from(parts[2], 'base64');
+  const decipher = createDecipheriv(ALGORITHM, key, new Uint8Array(iv), {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(new Uint8Array(authTag));
+  return decipher.update(new Uint8Array(encrypted), undefined, 'utf8') + decipher.final('utf8');
+}

From 70f0da484c1c58568164c6bbbd18fa2a18287afd Mon Sep 17 00:00:00 2001
From: Shalabh Agarwal <shalabhagarwal1024@gmail.com>
Date: Wed, 25 Mar 2026 14:26:09 +0530
Subject: [PATCH 4/5] add docs

---
 docs/ARCHITECTURE.md | 33 +++++++++++++++++++++++++++++----
 docs/USER_GUIDE.md   | 37 +++++++++++++++++++++++++++++++++++--
 2 files changed, 64 insertions(+), 6 deletions(-)

diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
index d4ca620e..0b982171 100644
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -24,7 +24,7 @@ Coop is built as a monorepo with a React frontend, Node.js backend, and multi-da
 | **Databases** | PostgreSQL, Scylla(5.2), ClickHouse, Redis |
 | **Messaging** | BullMQ (Redis) |
 | **ORM** | Sequelize, Kysely |
-| **Auth** | Passport.js, express-session, SAML (SSO) |
+| **Auth** | Passport.js, express-session, SSO |
 | **Observability** | OpenTelemetry |
 
 ## **Directory Structure**
@@ -583,9 +583,11 @@ Session configuration:
 * Session secret: process.env.SESSION_SECRET                                                                                                                                                  
   Files: `/server/api.ts`   
 
-### SAML/SSO Authentication                                                                                         
+### SSO Authentication  
 
-Enterprise SSO uses SAML with per-organization configuration.                                                     
+#### SAML
+
+Enterprise SSO can use SAML with per-organization configuration.
                                                                                                       
   1. User navigates to /saml/login/{orgId}
   2. Passport's MultiSamlStrategy retrieves org-specific SAML settings                                              
@@ -600,6 +602,29 @@ Configuration (per org in org\_settings table):
 * cert: Certificate for validation                                                                              
                                                                                                                     
   Files:                                                                                                            
-`/server/api.ts (lines 142-227)`                                                                                  
+`/server/api.ts (lines 176-283)`                                                                                  
 `/server/services/SSOService/SSOService.ts`
 
+
+#### OIDC
+
+Enterprise SSO can use OIDC with per-organization configuration. Uses Authorization Code + PKCE flow via the `openid-client` library.
+
+  1. User navigates to /oidc/login/{orgId}
+  2. Coop retrieves org-specific OIDC settings and discovers provider endpoints via OIDC Discovery
+  3. Coop generates PKCE code verifier/challenge and redirects user to provider's authorization endpoint (scopes: `openid email`)
+  4. Provider authenticates user and redirects back to Coop's callback URL with an authorization code
+  5. Coop exchanges the code for tokens using PKCE verification
+  6. User email extracted from ID token claims (or UserInfo endpoint)
+  7. User record looked up and session created
+
+Configuration (per org in org\_settings table):
+
+* oidc\_enabled: Boolean flag (mutually exclusive with saml\_enabled)
+* issuer\_url: OIDC provider's issuer domain (e.g., `your-tenant.auth0.com`)
+* client\_id: OIDC application client ID
+* client\_secret: OIDC application client secret (encrypted with AES-256-GCM)
+                                                                                  
+  Files:
+`/server/api.ts (lines 285-404)`
+`/server/services/SSOService/SSOService.ts`
diff --git a/docs/USER_GUIDE.md b/docs/USER_GUIDE.md
index 54c8ad0d..f344dee5 100644
--- a/docs/USER_GUIDE.md
+++ b/docs/USER_GUIDE.md
@@ -117,9 +117,11 @@ Once you invite a new user to Coop, you can either configure an email service to
 
 ### SSO
 
-Learn how to configure SSO using Okta SAML.
+Learn how to configure SSO using SAML or OIDC.
 
-Coop only supports SSO through Okta SAML.
+Coop supports SSO through SAML and OIDC. Only one method can be active at a time.
+
+#### SAML
 
 **Prerequisites**
 
@@ -146,6 +148,37 @@ To configure Okta SAML SSO, you must:
 5. On the same page, enter `email` in the **Attributes** section.
 6. In your Okta app under **Assignments**, assign users or groups to your app.
 
+#### OIDC
+
+**Prerequisites**
+
+To configure OIDC SSO, you must:
+
+* Have admin permissions in Coop.
+* Have an OIDC-compliant identity provider (e.g., Okta, Auth0, Azure AD, Google Workspace).
+* Be able to create an application (or "client") in your identity provider and obtain a Client ID and Client Secret.
+
+**Configuration**
+
+1. In Coop, go to **Settings → SSO** and select the **OIDC** tab. Copy the **Redirect URI** displayed on the page (format: `<your-api-base-url>/api/v1/oidc/login/callback`).
+2. In your identity provider, create a new OIDC/OAuth 2.0 application (sometimes called a "Web Application" or "Regular Web App"). Use the following settings:
+
+   | Setting | Value |
+   | :------ | :---- |
+   | Application type | Web application |
+   | Grant type | Authorization Code |
+   | Redirect / Callback URI | The Redirect URI you copied from Coop in step 1 |
+   | Scopes | `openid email` |
+
+3. After creating the application, copy the **Client ID** and **Client Secret** from your identity provider.
+4. Back in Coop under **Settings → SSO → OIDC**, fill in the following fields:
+   - **Domain:** Your identity provider's issuer domain (e.g., `your-tenant.auth0.com`). Do not include `https://`.
+   - **Client ID:** The Client ID from step 3.
+   - **Client Secret:** The Client Secret from step 3. This value is stored encrypted and will be masked after saving.
+5. Click **Save** to enable OIDC.
+
+> **Note:** SAML and OIDC cannot be enabled at the same time. Enabling OIDC will disable SAML (and vice versa). Your previous credentials are preserved if you switch back.
+
 ### Wellness and Safety
 
 Reviewer safety and well-being is critical. Trust & Safety is an incredibly difficult field of work, and it can take a severe mental toll, especially for the moderators who are on the front line, reviewing disturbing content for hours on end every day.

From 87e92bda51fa4b68381b83bceb96d514eac04e3a Mon Sep 17 00:00:00 2001
From: Shalabh Agarwal <shalabhagarwal1024@gmail.com>
Date: Wed, 25 Mar 2026 18:10:03 +0530
Subject: [PATCH 5/5] pick OIDC authentication dynamically

---
 client/src/webpages/settings/SSOSettings.tsx |  2 +-
 docs/ARCHITECTURE.md                         |  2 +-
 docs/DEVELOPMENT.md                          |  2 +-
 server/.env.example                          |  4 ++
 server/api.ts                                | 49 ++++++++++++++------
 server/utils/crypto.ts                       |  2 -
 6 files changed, 41 insertions(+), 20 deletions(-)

diff --git a/client/src/webpages/settings/SSOSettings.tsx b/client/src/webpages/settings/SSOSettings.tsx
index 2606c04f..a290a718 100644
--- a/client/src/webpages/settings/SSOSettings.tsx
+++ b/client/src/webpages/settings/SSOSettings.tsx
@@ -255,7 +255,7 @@ export default function SSOSettings() {
       </Heading>
 
       <div className="flex items-center gap-2">
-        <Text size="SM">Current method:</Text>
+        <Text as="span" size="SM">Current method:</Text>
         <Badge variant={currentMethod === 'Password' ? 'secondary' : 'default'}>
           {currentMethod}
         </Badge>
diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
index 0b982171..c13325fc 100644
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -623,7 +623,7 @@ Configuration (per org in org\_settings table):
 * oidc\_enabled: Boolean flag (mutually exclusive with saml\_enabled)
 * issuer\_url: OIDC provider's issuer domain (e.g., `your-tenant.auth0.com`)
 * client\_id: OIDC application client ID
-* client\_secret: OIDC application client secret (encrypted with AES-256-GCM)
+* client\_secret: OIDC application client secret (encrypted with AES-256-GCM using `SSO_ENCRYPTION_KEY`)
                                                                                   
   Files:
 `/server/api.ts (lines 285-404)`
diff --git a/docs/DEVELOPMENT.md b/docs/DEVELOPMENT.md
index 74fa7c4a..b54787b4 100644
--- a/docs/DEVELOPMENT.md
+++ b/docs/DEVELOPMENT.md
@@ -18,7 +18,7 @@ Copy `server/.env.example` to `server/.env`. The example file contains all avail
 
 - **Database connections**: PostgreSQL, ClickHouse, ScyllaDB, Redis
 - **External APIs**: OpenAI, SendGrid, Google APIs (optional)
-- **Security**: Session secrets, JWT signing keys
+- **Security**: Session secrets, JWT signing keys, SSO encryption key (`SSO_ENCRYPTION_KEY`)
 
 The default values work with Docker Compose services out of the box.
 
diff --git a/server/.env.example b/server/.env.example
index 3d91c0e6..9da19467 100644
--- a/server/.env.example
+++ b/server/.env.example
@@ -84,4 +84,8 @@ UI_URL=http://localhost:3000
 GRAPHQL_MAX_DEPTH=10
 
 API_BASE_URL=http://localhost:8080
+
+# generate by running any of the below commands
+# openssl rand -base64 32
+# node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
 SSO_ENCRYPTION_KEY=
\ No newline at end of file
diff --git a/server/api.ts b/server/api.ts
index 8b5ec9fe..2d34a27a 100644
--- a/server/api.ts
+++ b/server/api.ts
@@ -30,9 +30,6 @@ import passport from 'passport';
 import { MultiSamlStrategy } from '@node-saml/passport-saml';
 import * as oidcClient from 'openid-client';
 
-function normalizeIssuerUrl(raw: string): string {
-  return `https://${raw.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
-}
 import {
   makeLoginIncorrectPasswordError,
   makeLoginSsoRequiredError,
@@ -104,6 +101,38 @@ async function getCPUUsage() {
   return 1 - (endIdle - startIdle) / (endTotal - startTotal);
 }
 
+function normalizeIssuerUrl(raw: string): string {
+  return `https://${raw.replace(/^https?:\/\//, '').replace(/\/$/, '')}`;
+}
+
+async function discoverOidcConfig(
+  issuerUrl: string,
+  clientId: string,
+  clientSecret: string,
+) {
+  const config = await oidcClient.discovery(
+    new URL(issuerUrl),
+    clientId,
+    clientSecret,
+  );
+
+  const supported = config.serverMetadata().token_endpoint_auth_methods_supported;
+
+  // Per OIDC spec, if token_endpoint_auth_methods_supported is absent the
+  // default is ["client_secret_basic"]. If the server explicitly lists methods
+  // and does NOT include client_secret_post, re-discover with ClientSecretBasic.
+  if (supported && !supported.includes('client_secret_post')) {
+    return oidcClient.discovery(
+      new URL(issuerUrl),
+      clientId,
+      clientSecret,
+      oidcClient.ClientSecretBasic(clientSecret),
+    );
+  }
+
+  return config;
+}
+
 // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
 const env = process.env.NODE_ENV || 'development';
 const sessionStore = connectPgSimple(session);
@@ -309,12 +338,7 @@ export default async function makeApiServer(deps: Dependencies) {
       const issuerUrl = normalizeIssuerUrl(oidcSettings.issuer_url);
 
       const { API_BASE_URL } = process.env;
-      const config = await oidcClient.discovery(
-        new URL(issuerUrl),
-        oidcSettings.client_id,
-        oidcSettings.client_secret,
-        oidcClient.ClientSecretBasic(oidcSettings.client_secret),
-      );
+      const config = await discoverOidcConfig(issuerUrl, oidcSettings.client_id, oidcSettings.client_secret);
 
       // Reconstruct callback URL with code/state from IdP redirect.
       // authorizationCodeGrant needs: base = registered redirect_uri, query = code+state from IdP.
@@ -374,12 +398,7 @@ export default async function makeApiServer(deps: Dependencies) {
       const callbackUrl = deps.SSOService.getSSOOidcCallbackUrl();
       const issuerUrl = normalizeIssuerUrl(oidcSettings.issuer_url);
       
-      const config = await oidcClient.discovery(
-        new URL(issuerUrl),
-        oidcSettings.client_id,
-        oidcSettings.client_secret,
-        oidcClient.ClientSecretBasic(oidcSettings.client_secret),
-      );
+      const config = await discoverOidcConfig(issuerUrl, oidcSettings.client_id, oidcSettings.client_secret);
 
       const codeVerifier = oidcClient.randomPKCECodeVerifier();
       const codeChallenge = await oidcClient.calculatePKCECodeChallenge(codeVerifier);
diff --git a/server/utils/crypto.ts b/server/utils/crypto.ts
index 49f3745b..8eac6092 100644
--- a/server/utils/crypto.ts
+++ b/server/utils/crypto.ts
@@ -4,8 +4,6 @@ const ALGORITHM = 'aes-256-gcm';
 const IV_LENGTH = 12;
 const AUTH_TAG_LENGTH = 16;
 
-// openssl rand -base64 32
-// node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
 function getEncryptionKey(): CipherKey {
   const key = process.env.SSO_ENCRYPTION_KEY;
   if (!key) {