feat: add oidc support

[tankerkiller125]

---

name: Pull Request
about: Submit changes to the project for review and inclusion

Description

This PR adds generic OIDC as an authentication provider. This allows personal users and companies potentially to define whatever IdP they want as long as it supports the OIDC well known format. (Azure, Zitadel, Authentik, KeyCloak, Google, etc. all support it)

Related Issue

Fixes #1090

Changes Made

• Adds OIDC buttons to the signin and registration pages
• Adds appropriate environment variables
• Adds migration to add OIDC to the IdentityProvider Enum

Testing Performed

Zitadel

• Created application in Zitadel as an web app, with Client auth
• Enabled User Info inside ID Token in Token settings
• Copied client id and client secret to the new .ENV variables
• Copied the well-known URL from the URLs section to .ENV
• Created new account with OIDC provider button
• Verified email manually
• Signed into account with OIDC provider
• Logged out
• Signed into accounting again with OIDC provider

Authentik

• Created application in Authentik
• Copied client id and client secret to the new .ENV variables
• Copied the well-known URL from the URLs section to .ENV
• Created new account with OIDC provider button
• Verified email manually
• Signed into account with OIDC provider
• Logged out
• Signed into accounting again with OIDC provider

Azure AD

• Created application in Azure AD using OAuth2
• Copied client id and client secret to the new .ENV variables
• Copied the well-known URL from the URLs section to .ENV
• Created new account with OIDC provider button
• Verified email manually
• Signed into account with OIDC provider
• Logged out
• Signed into accounting again with OIDC provider

Checklist

• I have tested these changes locally and they work as expected.
• I have added/updated tests that prove the effectiveness of these changes.
• I have updated the documentation to reflect these changes, if applicable.
• I have followed the project's coding style guidelines.
• I have addressed the code review feedback from the previous submission, if applicable.

Additional Notes

Summary by CodeRabbit

• New Features
  • Introduced OIDC Single Sign-On (SSO) capabilities for both sign-in and sign-up processes, enhancing authentication options alongside existing Google SSO.
• Enhancements
  • Updated sign-in and sign-up forms to support OIDC SSO, including new OIDC sign-in/sign-up buttons.
• Documentation
  • Added necessary environment variables for OIDC configuration to the example file for clarity and setup guidance.

[vercel]

@tankerkiller125 is attempting to deploy a commit to the Documenso Team Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Walkthrough

The code changes introduce OpenID Connect (OIDC) as a generic OAuth option for Single Sign-On (SSO) throughout the application. These updates encompass setting up environmental configurations for OIDC, adjusting TypeScript declarations, and modifying sign-in and sign-up components to accommodate OIDC alongside Google SSO. Furthermore, the database schema and migrations are revised to include OIDC as an identity provider option.

Changes

Files	Change Summary
.env.example, turbo.json	Added OIDC configuration variables: client ID, client secret, well-known endpoint
.../process-env.d.ts	Declared new OIDC-related environment variables
.../signin/page.tsx, .../signup/page.tsx	Integrated OIDC SSO alongside Google SSO
.../forms/signin.tsx, .../forms/signup.tsx, .../forms/v2/signup.tsx	Enhanced forms to handle OIDC sign-in and sign-up; added OIDC sign-in button
packages/lib/constants/auth.ts, packages/lib/next-auth/auth-options.ts	Added OIDC support in constants and authentication options
packages/prisma/.../migration.sql, schema.prisma	Updated database schema and migrations to include OIDC as an identity provider

Assessment against linked issues

Objective	Addressed	Explanation
Support standard OpenID Connect (OIDC) for SSO [#1090]	✅
Collect OIDC config values from ENV variables [#1090]	✅
Simplify configuration by supporting "well-known" autoconfig path [#1090]	✅
Default checks for state & pkce, and scopes openid email profile [#1090]	❓	The PR does not explicitly mention the implementation of these security checks and scopes.
Update UI components to include OIDC option alongside Google SSO [#1090]	✅

The changes effectively address the integration of OIDC as a generic OAuth option for SSO, aligning closely with the objectives specified in the linked issue. However, details regarding the implementation of default security checks and scopes need clarification.

---

Recent Review Details

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between bd4a1c4 and 788c626.

Files selected for processing (1)

• apps/web/src/components/forms/signup.tsx (3 hunks)

Files skipped from review as they are similar to previous changes (1)

• apps/web/src/components/forms/signup.tsx

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

[coderabbitai]

The implementation of the OIDC sign-up button is correct. However, consider adding an aria-label to the button for better accessibility.

- <Button type="button" size="lg" variant={'outline'} className="bg-background text-muted-foreground border" disabled={isSubmitting} onClick={onSignUpWithOIDCClick}>
+ <Button type="button" size="lg" variant={'outline'} className="bg-background text-muted-foreground border" disabled={isSubmitting} onClick={onSignUpWithOIDCClick} aria-label="Sign up with OIDC">

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	{isOIDCSSOEnabled && (
	<>
	<Button
	type="button"
	size="lg"
	variant={'outline'}
	className="bg-background text-muted-foreground border"
	disabled={isSubmitting}
	onClick={onSignUpWithOIDCClick}
	>
	<FaIdCardClip className="mr-2 h-5 w-5" />
	Sign Up with OIDC
	</Button>
	</>
	)}
	{isOIDCSSOEnabled && (
	<>
	<Button
	type="button"
	size="lg"
	variant={'outline'}
	className="bg-background text-muted-foreground border"
	disabled={isSubmitting}
	onClick={onSignUpWithOIDCClick}
	aria-label="Sign up with OIDC"
	>
	<FaIdCardClip className="mr-2 h-5 w-5" />
	Sign Up with OIDC
	</Button>
	</>
	)}

[coderabbitai]

Replace the incorrect provider key in signIn function.

- await signIn('google', { callbackUrl: SIGN_UP_REDIRECT_PATH });
+ await signIn('oidc', { callbackUrl: SIGN_UP_REDIRECT_PATH });

The onSignUpWithOIDCClick function incorrectly uses 'google' as the provider key for the OIDC sign-in. This should be 'oidc' to match the intended authentication method.

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	const onSignUpWithOIDCClick = async () => {
	try {
	await signIn('google', { callbackUrl: SIGN_UP_REDIRECT_PATH });
	} catch (err) {
	toast({
	title: 'An unknown error occurred',
	description:
	'We encountered an unknown error while attempting to sign you Up. Please try again later.',
	variant: 'destructive',
	});
	}
	};
	const onSignUpWithOIDCClick = async () => {
	try {
	await signIn('oidc', { callbackUrl: SIGN_UP_REDIRECT_PATH });
	} catch (err) {
	toast({
	title: 'An unknown error occurred',
	description:
	'We encountered an unknown error while attempting to sign you Up. Please try again later.',
	variant: 'destructive',
	});
	}
	};

[tankerkiller125]

This has been fixed

[coderabbitai]

@tankerkiller125, thank you for the update and for fixing the issue with the OIDC sign-in provider key. If there's anything else you need help with, feel free to ask!

---

If you found this review helpful, would you consider giving us a shout-out on X?
Thank you for using CodeRabbit!

[coderabbitai]

Correct the provider key in the signIn function for OIDC.

- await signIn('oidc', { callbackUrl: LOGIN_REDIRECT_PATH });
+ await signIn('oidc', { callbackUrl: LOGIN_REDIRECT_PATH });

The onSignInWithOIDCClick function should use 'oidc' as the provider key for the OIDC sign-in to match the intended authentication method.

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	const onSignInWithOIDCClick = async () => {
	try {
	await signIn('oidc', { callbackUrl: LOGIN_REDIRECT_PATH });
	} catch (err) {
	toast({
	title: 'An unknown error occurred',
	description:
	'We encountered an unknown error while attempting to sign you In. Please try again later.',
	variant: 'destructive',
	});
	}
	};
	const onSignInWithOIDCClick = async () => {
	try {
	await signIn('oidc', { callbackUrl: LOGIN_REDIRECT_PATH });
	} catch (err) {
	toast({
	title: 'An unknown error occurred',
	description:
	'We encountered an unknown error while attempting to sign you In. Please try again later.',
	variant: 'destructive',
	});
	}
	};

[ElTimuro]

@tankerkiller125 this looks pretty neat 👀 Please give us some time to review this :)

[tankerkiller125]

@ElTimuro No problem, one thing that we might want to do before merging (that I didn't do) is add an environment variable to allow custom naming of the Buttons (so instead of saying Sign up with OIDC it could say something like "Sign up with Example Company" or something. I simply wasn't sure how to best handle exposing environment variables to the UI as I was initially making the PR.

[ElTimuro]

• Good point with the label
• though the default should be the current imo

[tankerkiller125]

I agree that the default should indeed be OIDC, but a customization option would be good.

[celevra]

any progress on this?

[ElTimuro]

• @celevra sadly not yet, since we are swamped
• But I'll bring it up again, since this is pretty encapsulated