Revamp OIDC auth: remove Passport wrapper, add schema-driven settings UI

- Remove Passport.js wrapper from OIDC auth, use openid-client directly
- Add schema-driven OIDC settings UI (OidcSettingsSchema.js drives form rendering)
- Add group mapping with KeyValueEditor (explicit mapping or legacy direct name match)
- Add scopes configuration (authOpenIDScopes)
- Add verified email enforcement option (authOpenIDRequireVerifiedEmail)
- Fix group claim validation rejecting URN-style claims (#4744)
- Add auto-discover endpoint for OIDC provider configuration
- Store oidcIdToken in sessions table instead of cookie
- Add AuthError class for structured error handling in auth flows
- Migration v2.33.0 adds oidcIdToken column and new settings fields
This commit is contained in:
Denis Arnst 2026-02-05 17:54:59 +01:00
parent fe13456a2b
commit 33bee70a12
No known key found for this signature in database
GPG key ID: D5866C58940197BF
16 changed files with 1554 additions and 571 deletions


@ -18,6 +18,8 @@ class Session extends Model {
this.userId
/** @type {Date} */
this.expiresAt
/** @type {string} */
this.oidcIdToken
// Expanded properties
@ -25,8 +27,8 @@ class Session extends Model {
this.user
}
static async createSession(userId, ipAddress, userAgent, refreshToken, expiresAt) {
const session = await Session.create({ userId, ipAddress, userAgent, refreshToken, expiresAt })
static async createSession(userId, ipAddress, userAgent, refreshToken, expiresAt, oidcIdToken = null) {
const session = await Session.create({ userId, ipAddress, userAgent, refreshToken, expiresAt, oidcIdToken })
return session
}
@ -66,7 +68,8 @@ class Session extends Model {
expiresAt: {
type: DataTypes.DATE,
allowNull: false
}
},
oidcIdToken: DataTypes.TEXT
},
{
sequelize,
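Review bot: The `/** @type {string} */` annotation on the new `oidcIdToken` property (the line after `this.expiresAt`) does not match how the value is actually populated: `createSession` defaults the argument to `null`, and the column is declared as plain `DataTypes.TEXT` without `allowNull: false`, so the field is nullable in practice; `/** @type {string|null} */` would be accurate. The ID token carries identity claims and is presumably retained for use as an `id_token_hint` at logout, so it should be treated with the same care as `refreshToken`; a short comment on the column such as `oidcIdToken: DataTypes.TEXT // OIDC ID token retained for logout; sensitive, never return via API` would make that intent explicit for the next maintainer. Whether Session has a serialization path (e.g. a `toJSON`) that could expose the column is not visible in this hunk and should be checked. The `Session.init` call declaring the column continues outside the hunk.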