feat(auth): OIDC login + identity binding + HARBORFORGE_OIDC_ONLY

- Generic OIDC (Authlib discovery) Authorization Code flow; backend issues the existing HS256 JWT on success. Unbound identities are rejected (no auto-provisioning). - User.oidc_issuer/oidc_subject (unique together) + startup migration. - PUT/DELETE /users/{id}/oidc-binding (admin or account-manager; JWT or API key; 409 on conflict). Self-link /auth/oidc/link (non-OIDC_ONLY only). Public GET /auth/config. - HARBORFORGE_OIDC_ONLY: /auth/token rejected, create/update ignore password (passwordless users; API keys + OIDC still work). - Dockerfile ARG/ENV HARBORFORGE_OIDC_ONLY; authlib+itsdangerous deps; SessionMiddleware for OIDC state. Fixed _user_response to expose the new binding fields. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 20:22:04 +01:00
parent 90b494f097
commit 94155614f5
9 changed files with 280 additions and 5 deletions
--- a/6
+++ b/6
@@ -42,5 +42,11 @@ COPY requirements.txt ./
 COPY entrypoint.sh .
 RUN chmod +x entrypoint.sh

+# OIDC-only mode: when "true", password login is rejected, user creation
+# ignores passwords (passwordless users that sign in via a bound OIDC
+# identity / API keys). Overridable at runtime via the same env var.
+ARG HARBORFORGE_OIDC_ONLY=false
+ENV HARBORFORGE_OIDC_ONLY=${HARBORFORGE_OIDC_ONLY}
+
 EXPOSE 8000
 ENTRYPOINT ["./entrypoint.sh"]