steve/check-printing
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add OIDC login with account linking

Browse Source 
Add OpenID Connect as an alternative login method. Users can sign in
via an external identity provider (e.g., Authentik, Keycloak, Google).

- OIDC settings configured in admin UI (discovery URL, client ID/secret,
  redirect URI, button label, enable/disable toggle)
- PKCE-based authorization code flow with state and nonce validation
- Admin can manually link any user's OIDC identity (sub/issuer fields)
- Self-service linking: logged-in users can link/unlink their own account
- SSO button conditionally shown on login page when OIDC is enabled
- Username in header now clickable to open profile for all users
- Callback errors/success communicated via URL hash fragments
This commit is contained in:
Steve Dogiakos
2026-04-09 14:48:50 -06:00
parent 8587fb9378
commit 3b1a35b7f2
9 changed files with 517 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+4
View File
@@ -5,3 +5,7 @@ SESSION_SECRET=replace-with-a-random-64-character-hex-string
SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)
PORT=3000
DB_PATH=/app/data/check-printing.db
# OIDC settings are configured in the admin UI (Manage Users > Single Sign-On).
# No environment variables needed — discovery URL, client ID/secret, and
# redirect URI are stored in the database settings table.