@waynehuang13 waynehuang13 commented Jan 17, 2026

OIDC enabled

Summary by CodeRabbit

  • New Features
    • Added OpenID Connect (OIDC) authentication support for admin configuration and user login
    • Admins can configure OIDC provider settings including client ID, secret, and issuer URL
    • Users can now sign in via OIDC as an alternative authentication method
    • New admin panel for managing OIDC authentication settings with enable/disable toggle

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai
Contributor

coderabbitai bot commented Jan 17, 2026

Caution

Review failed

The pull request is closed.

📝 Walkthrough

This PR adds comprehensive OpenID Connect (OIDC) authentication support to the platform. It includes a new OIDC provider implementation, admin configuration interface, user-facing login button, backend endpoints with state and nonce validation, and configuration management across frontend and backend services.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Admin OIDC Pages & Components: apps/admin/app/(all)/(dashboard)/authentication/oidc/form.tsx, apps/admin/app/(all)/(dashboard)/authentication/oidc/page.tsx | Introduces InstanceOIDCConfigForm component for managing OIDC credentials (client ID, secret, issuer URL) with form validation, success/error toasts, and unsaved-changes modal. Adds InstanceOIDCAuthenticationPage to toggle IS_OIDC_ENABLED and conditionally render the configuration form. |
| Admin OIDC Component: apps/admin/core/components/authentication/oidc-config.tsx | New OIDCConfiguration component that displays OIDC status, toggles enable/disable, and provides links to configure OIDC settings via Settings2 icon or Edit button. |
| Admin Component Updates: apps/admin/ce/components/authentication/authentication-modes.tsx | Replaces UpgradeButton with OIDCConfiguration component for OIDC authentication mode, removing the unavailable flag. |
| Admin Routing: apps/admin/app/routes.ts | Adds new route entry for OIDC authentication page at authentication/oidc. |
| Backend OIDC Provider: apps/api/plane/authentication/provider/oauth/oidc.py | Implements OidcProvider class extending OauthAdapter with OIDC discovery, nonce generation/validation, ID token verification via JWKS, and user data extraction from ID token or userinfo endpoint. |
| Backend OIDC Endpoints: apps/api/plane/authentication/views/app/oidc.py | Adds OidcInitiateEndpoint (redirects to OIDC provider with state/nonce) and OidcCallbackEndpoint (validates authorization code and state, logs in user, handles safe redirects). |
| Backend Error Handling & OAuth Updates: apps/api/plane/authentication/adapter/error.py, apps/api/plane/authentication/adapter/oauth.py, apps/api/plane/authentication/urls.py, apps/api/plane/authentication/views/__init__.py | Adds OIDC error codes (OIDC_NOT_CONFIGURED, OIDC_PROVIDER_ERROR, OIDC_DISCOVERY_FAILED, OIDC_INVALID_ID_TOKEN); routes OIDC provider to correct error code; exports new OIDC endpoints and reorganizes authentication view imports. |
| Backend Instance Configuration: apps/api/plane/license/api/views/instance.py, apps/api/plane/license/management/commands/configure_instance.py | Exposes IS_OIDC_ENABLED in instance config API response; adds configuration command support to derive and persist IS_OIDC_ENABLED from environment variables (OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_ISSUER_URL). |
| Backend Settings & Cache: apps/api/plane/settings/common.py, apps/api/plane/utils/instance_config_variables/core.py | Adds Redis-backed CACHES configuration and SESSION_COOKIE_SAMESITE="Lax"; introduces oidc_config_variables block with four OIDC environment-backed settings and encryption flags. |
| Type Definitions: packages/types/src/instance/auth.ts, packages/types/src/instance/base.ts | Adds IS_OIDC_ENABLED to TInstanceAuthenticationMethodKeys; introduces TInstanceOidcAuthenticationConfigurationKeys; extends TCoreLoginMediums to include "oidc"; adds is_oidc_enabled field to IInstanceConfig. |
| Web Authentication: apps/web/core/components/account/auth-forms/auth-root.tsx | Imports OIDCLogo; extends isOAuthEnabled to include is_oidc_enabled; adds OIDC button configuration to OAuthConfig list with redirect to /auth/oidc. |
| Tooling: eslint.config.mjs | Extends ESLint import resolution to ignore unresolved imports starting with "@plane/". |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant WebApp as Web App
    participant Backend as Backend
    participant OIDCProvider as OIDC Provider
    participant Redis

    User->>WebApp: Click OIDC Login Button
    WebApp->>Backend: GET /auth/oidc (with optional next_path)
    Backend->>Backend: Generate state & nonce
    Backend->>Redis: Store nonce (state-scoped)
    Backend->>Backend: Store nonce in session
    Backend->>WebApp: Redirect to OIDC authorization URL
    WebApp->>OIDCProvider: GET authorization endpoint
    OIDCProvider->>User: Display login & consent screen
    User->>OIDCProvider: Authenticate & grant consent
    OIDCProvider->>WebApp: Redirect to callback with code & state
    WebApp->>Backend: GET /auth/oidc/callback?code=X&state=Y
    Backend->>Backend: Validate state vs session
    Backend->>OIDCProvider: POST token endpoint (code, client_id, secret)
    OIDCProvider->>Backend: Return access_token, id_token, refresh_token
    Backend->>Backend: Validate ID token (JWKS, audience, issuer, nonce)
    Backend->>Backend: Extract user info from ID token claims
    Backend->>Backend: Create/update user account
    Backend->>Backend: Log in user (is_app=True)
    Backend->>WebApp: Redirect to final destination
    WebApp->>User: Display authenticated app
```
```mermaid
sequenceDiagram
    participant Admin as Admin User
    participant AdminUI as Admin UI
    participant Backend as Backend
    participant Database as Database

    Admin->>AdminUI: Navigate to OIDC settings page
    AdminUI->>Backend: GET instance config (SWR)
    Backend->>Database: Query instance configurations
    Database->>Backend: Return OIDC config state
    Backend->>AdminUI: Return formatted config
    AdminUI->>Admin: Render form with current values
    Admin->>AdminUI: Toggle IS_OIDC_ENABLED or enter credentials
    AdminUI->>Backend: POST updateInstanceConfigurations
    Backend->>Database: Update instance configuration
    Database->>Backend: Confirm update
    Backend->>AdminUI: Return success + updated config
    AdminUI->>Admin: Show success toast & reset form
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 Hop hop! We've unlocked a new door,
OIDC flows in, trust at its core.
Nonces and tokens dance through the air,
State stays safe, no secrets laid bare!
One more path for users to explore. 🔐

@waynehuang13 waynehuang13 deleted the oidc-enabled branch January 17, 2026 18:28
@waynehuang13 waynehuang13 restored the oidc-enabled branch January 17, 2026 18:28
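
The state, nonce and redirect checks named in the walkthrough above, as an added example that is not code from this pull request. `NonceStore`, `initiate`, `callback_error`, `is_safe_path` and the session keys are hypothetical names; plain dicts stand in for Redis and the Django session, and `claims` is assumed to be an ID token payload whose signature was already verified against the provider's JWKS.

```python
import hmac
import secrets

NONCE_TTL = 600  # assumed lifetime in seconds for a pending login

class NonceStore:
    """Dict stand-in for the state-scoped nonce entry kept in Redis."""
    def __init__(self):
        self._data = {}
    def put(self, state, nonce, now):
        self._data[state] = (nonce, now + NONCE_TTL)
    def pop(self, state, now):
        nonce, expires = self._data.pop(state, (None, 0))  # single use
        return nonce if nonce and now < expires else None

def _eq(a, b):
    # Constant-time compare; bytes avoid TypeError on non-ASCII input
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def is_safe_path(path):
    # Same-site relative paths only: no scheme-relative or backslash forms
    return path.startswith("/") and not path.startswith("//") and "\\" not in path

def initiate(session, store, next_path="/", now=0):
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["next_path"] = next_path if is_safe_path(next_path) else "/"
    store.put(state, nonce, now)
    return state, nonce  # both are sent in the authorization request

def callback_error(session, store, state, claims, issuer, client_id, now=0):
    """Return None when the callback is acceptable, else the reason it is not."""
    expected = session.pop("oidc_state", None)  # one attempt per login
    if not expected or not _eq(expected, state):
        return "state mismatch"
    nonce = store.pop(state, now)
    if nonce is None:
        return "nonce missing or expired"
    if not _eq(nonce, claims.get("nonce", "")):
        return "nonce mismatch"
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "token expired"
    return None
```
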