tracewayapp
diff --git a/‎backend/app/config/config.go‎
Lines changed: 30 additions & 0 deletions b/‎backend/app/config/config.go‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎backend/app/controllers/auth.controller.go‎
Lines changed: 10 additions & 0 deletions b/‎backend/app/controllers/auth.controller.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎backend/app/controllers/oauth.controller.go‎
Lines changed: 78 additions & 6 deletions b/‎backend/app/controllers/oauth.controller.go‎
Lines changed: 78 additions & 6 deletions
diff --git a/‎backend/app/repositories/organization.repository.go‎
Lines changed: 15 additions & 0 deletions b/‎backend/app/repositories/organization.repository.go‎
Lines changed: 15 additions & 0 deletions
@@ -52,6 +52,21 @@ type Cfg struct {
 	GitHubClientID     string
 	GitHubClientSecret string
 	OAuthSessionSecret string
+
+	OIDCClientID        string
+	OIDCClientSecret    string
+	OIDCDiscoveryURL    string
+	OIDCDisplayName     string
+	OIDCAutoCreateUsers string
+	OIDCOrgClaim        string
+	OIDCExtraScopes     string
+	OIDCRoleClaim       string
+	OIDCRoleMap         string
+	OIDCAuthURL         string
+	OIDCTokenURL        string
+	OIDCUserInfoURL     string
+
+	DisablePasswordLogin string
 }
 
 var Config *Cfg
@@ -109,5 +124,20 @@ func LoadFromEnv() *Cfg {
 		GitHubClientID:     os.Getenv("GITHUB_CLIENT_ID"),
 		GitHubClientSecret: os.Getenv("GITHUB_CLIENT_SECRET"),
 		OAuthSessionSecret: os.Getenv("OAUTH_SESSION_SECRET"),
+
+		OIDCClientID:        os.Getenv("OIDC_CLIENT_ID"),
+		OIDCClientSecret:    os.Getenv("OIDC_CLIENT_SECRET"),
+		OIDCDiscoveryURL:    os.Getenv("OIDC_DISCOVERY_URL"),
+		OIDCDisplayName:     os.Getenv("OIDC_DISPLAY_NAME"),
+		OIDCAutoCreateUsers: os.Getenv("OIDC_AUTO_CREATE_USERS"),
+		OIDCOrgClaim:        os.Getenv("OIDC_ORG_CLAIM"),
+		OIDCExtraScopes:     os.Getenv("OIDC_EXTRA_SCOPES"),
+		OIDCRoleClaim:       os.Getenv("OIDC_ROLE_CLAIM"),
+		OIDCRoleMap:         os.Getenv("OIDC_ROLE_MAP"),
+		OIDCAuthURL:         os.Getenv("OIDC_AUTH_URL"),
+		OIDCTokenURL:        os.Getenv("OIDC_TOKEN_URL"),
+		OIDCUserInfoURL:     os.Getenv("OIDC_USER_INFO_URL"),
+
+		DisablePasswordLogin: os.Getenv("DISABLE_PASSWORD_LOGIN"),
 	}
 }
@@ -31,6 +31,11 @@ func (a authController) HasOrganizations(c *gin.Context) {
 }
 
 func (a authController) Login(c *gin.Context) {
+	if config.Config.DisablePasswordLogin == "true" {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Password login is disabled. Please use SSO to sign in."})
+		return
+	}
+
 	var request models.LoginRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid email or password"})
@@ -81,6 +86,11 @@ func (a authController) Login(c *gin.Context) {
 }
 
 func (a authController) Register(c *gin.Context) {
+	if config.Config.DisablePasswordLogin == "true" {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Password login is disabled. Please use SSO to sign in."})
+		return
+	}
+
 	var request models.RegisterRequest
 	if err := c.ShouldBindJSON(&request); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
 
@@ -2,6 +2,7 @@ package controllers
 
 import (
 	"context"
+	"database/sql"
 	"errors"
 	"fmt"
 	"net/http"
@@ -24,7 +25,9 @@ import (
 type oauthController struct{}
 
 type oauthProvidersResponse struct {
-	Providers []string `json:"providers"`
+	Providers            []string          `json:"providers"`
+	ProviderLabels       map[string]string `json:"providerLabels"`
+	PasswordLoginEnabled bool              `json:"passwordLoginEnabled"`
 }
 
 type finishOAuthSetupRequest struct {
@@ -35,11 +38,20 @@ type finishOAuthSetupRequest struct {
 }
 
 func (a oauthController) ListProviders(c *gin.Context) {
+	passwordEnabled := config.Config.DisablePasswordLogin != "true"
 	if services.OAuthService == nil {
-		c.JSON(http.StatusOK, oauthProvidersResponse{Providers: []string{}})
+		c.JSON(http.StatusOK, oauthProvidersResponse{Providers: []string{}, ProviderLabels: map[string]string{}, PasswordLoginEnabled: passwordEnabled})
 		return
 	}
-	c.JSON(http.StatusOK, oauthProvidersResponse{Providers: services.OAuthService.EnabledProviders()})
+	labels := map[string]string{}
+	if name := services.OAuthService.OIDCDisplayName(); name != "" {
+		labels["oidc"] = name
+	}
+	c.JSON(http.StatusOK, oauthProvidersResponse{
+		Providers:            services.OAuthService.EnabledProviders(),
+		ProviderLabels:       labels,
+		PasswordLoginEnabled: passwordEnabled,
+	})
 }
 
 func (a oauthController) Begin(c *gin.Context) {
@@ -49,7 +61,7 @@ func (a oauthController) Begin(c *gin.Context) {
 		return
 	}
 
-	req := c.Request.WithContext(context.WithValue(c.Request.Context(), gothic.ProviderParamKey, provider))
+	req := c.Request.WithContext(context.WithValue(c.Request.Context(), gothic.ProviderParamKey, externalToGothProvider(provider)))
 	gothic.BeginAuthHandler(c.Writer, req)
 }
 
@@ -60,7 +72,7 @@ func (a oauthController) Callback(c *gin.Context) {
 		return
 	}
 
-	req := c.Request.WithContext(context.WithValue(c.Request.Context(), gothic.ProviderParamKey, provider))
+	req := c.Request.WithContext(context.WithValue(c.Request.Context(), gothic.ProviderParamKey, externalToGothProvider(provider)))
 	gothUser, err := gothic.CompleteUserAuth(c.Writer, req)
 	if err != nil {
 		traceway.CaptureException(fmt.Errorf("OAuth complete failed (provider=%s): %w", provider, err))
@@ -80,13 +92,47 @@ func (a oauthController) Callback(c *gin.Context) {
 
 	tx := middleware.GetTx(c)
 
+	var mappedRole string
+	if provider == "oidc" && services.OAuthService.OIDCRoleClaimEnabled() {
+		mappedRole = services.OAuthService.ResolveRole(gothUser.RawData)
+	}
+
 	memberships, err := repositories.OrganizationRepository.FindByUserIdWithRoles(tx, user.Id)
 	if err != nil {
 		c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: load memberships: %w", err))
 		return
 	}
 	needsSetup := len(memberships) == 0
 
+	if needsSetup && config.Config.CloudMode != "true" && provider == "oidc" && services.OAuthService.OIDCAutoCreateEnabled() {
+		org, err := a.resolveOIDCOrg(tx, gothUser.RawData)
+		if err != nil {
+			c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: resolve org for auto-join: %w", err))
+			return
+		}
+		if org != nil {
+			role := "user"
+			if mappedRole != "" {
+				role = mappedRole
+			}
+			if _, err := repositories.OrganizationRepository.AddUser(tx, org.Id, user.Id, role); err != nil {
+				c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: auto-join org: %w", err))
+				return
+			}
+			needsSetup = false
+		}
+	} else if mappedRole != "" && !needsSetup {
+		for _, m := range memberships {
+			if m.Role == "owner" {
+				continue
+			}
+			if err := repositories.OrganizationRepository.UpdateUserRole(tx, m.Id, user.Id, mappedRole); err != nil {
+				c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: sync mapped role: %w", err))
+				return
+			}
+		}
+	}
+
 	jwt, err := services.GenerateToken(user.Id, user.Email)
 	if err != nil {
 		c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: generate JWT: %w", err))
@@ -127,7 +173,8 @@ func (a oauthController) findOrCreateUser(c *gin.Context, provider string, gothU
 		return existing, nil
 	}
 
-	if config.Config.CloudMode != "true" {
+	oidcAutoCreate := provider == "oidc" && services.OAuthService.OIDCAutoCreateEnabled()
+	if config.Config.CloudMode != "true" && !oidcAutoCreate {
 		hasOrg, err := repositories.OrganizationRepository.HasOrganizations(tracewayTx)
 		if err != nil {
 			c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: count orgs: %w", err))
@@ -152,6 +199,7 @@ func (a oauthController) findOrCreateUser(c *gin.Context, provider string, gothU
 		c.AbortWithError(http.StatusInternalServerError, traceway.NewStackTraceErrorf("OAuth callback: create user: %w", err))
 		return nil, err
 	}
+
 	return created, nil
 }
 
@@ -271,4 +319,28 @@ func (a oauthController) redirectError(c *gin.Context, code string) {
 	c.Redirect(http.StatusSeeOther, target)
 }
 
+func (a oauthController) resolveOIDCOrg(tx *sql.Tx, rawData map[string]interface{}) (*models.Organization, error) {
+	if claim := services.OAuthService.OIDCOrgClaim(); claim != "" {
+		if val, ok := rawData[claim]; ok {
+			if orgName, ok := val.(string); ok && orgName != "" {
+				org, err := repositories.OrganizationRepository.FindByName(tx, orgName)
+				if err != nil {
+					return nil, err
+				}
+				if org != nil {
+					return org, nil
+				}
+			}
+		}
+	}
+	return repositories.OrganizationRepository.FindFirst(tx)
+}
+
+func externalToGothProvider(provider string) string {
+	if provider == "oidc" {
+		return "openid-connect"
+	}
+	return provider
+}
+
 var OAuthController = oauthController{}
@@ -44,6 +44,21 @@ func (r *organizationRepository) HasOrganizations(tx *sql.Tx) (bool, error) {
 	return result.Count > 0, nil
 }
 
+func (r *organizationRepository) FindFirst(tx *sql.Tx) (*models.Organization, error) {
+	return lit.SelectSingle[models.Organization](
+		tx,
+		"SELECT id, name, timezone, created_at FROM organizations ORDER BY created_at ASC LIMIT 1",
+	)
+}
+
+func (r *organizationRepository) FindByName(tx *sql.Tx, name string) (*models.Organization, error) {
+	return lit.SelectSingleNamed[models.Organization](
+		tx,
+		"SELECT id, name, timezone, created_at FROM organizations WHERE name = :name LIMIT 1",
+		lit.P{"name": name},
+	)
+}
+
 func (r *organizationRepository) FindById(tx *sql.Tx, id int) (*models.Organization, error) {
 	return lit.SelectSingleNamed[models.Organization](
 		tx,