fix(frontend): drop localStorage HF_BACKEND_BASE_URL; env-only

api.ts + useAuthConfig kept the old wizard-era localStorage path for the
backend URL, which is why fresh browsers saw blank pages on MonitorPage
and any other api-using page after the v0.4.0 wizard removal — without
the wizard pre-seeding localStorage, getApiBase() returned undefined and
axios called same-origin (frontend nginx, 404).

App.tsx getApiBase() partially worked because I had only refactored that
one path; api.ts (used by everything else) still had its own duplicate
getApiBase that I missed.

This commit removes the localStorage path entirely from all 3 read sites
(api.ts / App.tsx / useAuthConfig.ts) — single source of truth is now
the build-time env baked in by the Dockerfile ARG.

- src/services/api.ts:    const API_BASE = import.meta.env.VITE_HF_BACKEND_BASE_URL
- src/App.tsx:            const API_BASE = ... (replaces getApiBase())
- src/hooks/useAuthConfig.ts: const BACKEND_BASE = ...
- src/test/setup.ts: stub import.meta.env instead of localStorage key

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -1,6 +1,14 @@
 # Build stage
 FROM node:20-alpine AS build
 WORKDIR /app
+
+# Build-time backend URL — Vite inlines this into the bundle. Passed as
+# `--build-arg VITE_HF_BACKEND_BASE_URL=https://hf-api.example.com` in
+# the compose file. Without it the bundle calls relative paths (only
+# works in dev with the Vite proxy).
+ARG VITE_HF_BACKEND_BASE_URL=""
+ENV VITE_HF_BACKEND_BASE_URL=${VITE_HF_BACKEND_BASE_URL}
+
 COPY package.json package-lock.json* ./
 RUN npm install
 COPY . .
@@ -12,5 +20,19 @@ RUN npm install -g serve@14
 WORKDIR /app
 COPY --from=build /app ./
 ENV FRONTEND_DEV_MODE=0
+# OIDC-only mode flag. Injected into the SPA at container start as
+# /runtime-config.js so the setup wizard knows it before the backend
+# exists; /auth/config remains authoritative once the backend is up.
+ARG HARBORFORGE_OIDC_ONLY=false
+ENV HARBORFORGE_OIDC_ONLY=${HARBORFORGE_OIDC_ONLY}
+# Optional deploy-time branding override: a URL the SPA uses for the
+# logo + favicon. Empty → bundled /logo.svg default.
+ARG HARBORFORGE_LOGO_URL=
+ENV HARBORFORGE_LOGO_URL=${HARBORFORGE_LOGO_URL}
 EXPOSE 3000
-CMD ["sh", "-c", "if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else serve -s dist -l 3000; fi"]
+CMD ["sh", "-c", "\
+  if [ \"$HARBORFORGE_OIDC_ONLY\" = \"true\" ]; then OO=true; else OO=false; fi; \
+  CFG=\"window.__HF_RUNTIME__={\\\"oidc_only\\\":$OO,\\\"logo_url\\\":\\\"$HARBORFORGE_LOGO_URL\\\"};\"; \
+  mkdir -p public; printf '%s' \"$CFG\" > public/runtime-config.js; \
+  [ -d dist ] && printf '%s' \"$CFG\" > dist/runtime-config.js; \
+  if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else serve -s dist -l 3000; fi"]

index.html

@@ -2,12 +2,22 @@
 <html lang="en">
   <head>
     <meta charset="UTF-8" />
-    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <link id="hf-favicon" rel="icon" type="image/svg+xml" href="/logo.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>HarborForge</title>
   </head>
   <body>
     <div id="root"></div>
+    <!-- Runtime config injected by the container entrypoint (deploy-time
+         HARBORFORGE_OIDC_ONLY). Absent in dev → app falls back to /auth/config. -->
+    <script src="/runtime-config.js"></script>
+    <script>
+      // Optional deploy-time branding override (HARBORFORGE_LOGO_URL).
+      try {
+        var u = window.__HF_RUNTIME__ && window.__HF_RUNTIME__.logo_url;
+        if (u) document.getElementById('hf-favicon').href = u;
+      } catch (e) {}
+    </script>
     <script type="module" src="/src/main.tsx"></script>
   </body>
 </html>

public/logo.svg

@@ -0,0 +1,44 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 733.000000 733.000000" role="img" aria-label="Hangman Lab">
+<g transform="translate(0.000000,733.000000) scale(0.100000,-0.100000)"
+fill="#ff6a1a" stroke="none">
+<path d="M812 6860 c-66 -40 -73 -66 -70 -242 3 -141 5 -159 24 -185 43 -58
+63 -63 262 -64 l182 -1 0 -2694 0 -2694 -290 0 c-314 0 -332 -3 -380 -54 -24
+-27 -25 -32 -28 -199 -3 -195 4 -218 71 -250 32 -16 257 -17 3084 -17 2955 0
+3049 1 3083 19 65 34 75 66 75 236 0 186 -16 224 -104 254 -25 8 -682 11
+-2512 11 l-2479 0 0 1998 0 1997 698 697 697 697 670 -3 c369 -2 680 -4 693
+-5 22 -1 22 -1 22 -269 l0 -268 84 -12 c47 -7 103 -19 125 -27 41 -14 41 -14
+43 283 l3 297 631 1 c698 2 673 -1 714 67 18 28 20 51 20 187 0 173 -8 201
+-72 240 -33 20 -56 20 -2623 20 -2567 0 -2590 0 -2623 -20z m1725 -500 c-1 -3
+-183 -185 -404 -404 l-403 -399 0 405 0 406 405 -1 c223 -1 404 -4 402 -7z
+M4283 5701 c-459 -125 -690 -624 -483 -1046 67 -138 196 -266 335 -335 281
+-139 612 -93 837 118 235 219 297 575 152 870 -85 174 -235 306 -427 375 -111
+40 -302 48 -414 18z m267 -211 c95 -15 201 -70 274 -144 273 -274 173 -723
+-189 -851 -93 -33 -236 -35 -326 -5 -202 68 -340 249 -356 465 -18 242 153
+471 394 529 71 18 119 19 203 6z M5945 4716 c-56 -25 -80 -61 -80 -122 0 -48
+4 -57 36 -90 88 -88 219 -29 219 98 0 45 -34 96 -75 114 -42 17 -61 17 -100 0z
+M5675 4466 c-60 -26 -73 -109 -26 -157 62 -61 161 -19 161 70 0 74 -68 118
+-135 87z M3747 4397 c-10 -7 -226 -223 -479 -482 -307 -313 -467 -483 -479
+-510 -35 -75 -17 -177 38 -227 39 -35 114 -61 160 -54 100 13 104 17 583 554
+l145 162 3 -404 c3 -455 15 -342 -137 -1186 -76 -423 -101 -587 -101 -664 0
+-190 182 -307 377 -242 62 21 136 95 152 152 6 22 29 188 52 369 57 466 109
+839 118 848 4 4 52 6 106 5 l99 -3 67 -210 c38 -115 68 -220 69 -232 0 -12
+-38 -152 -85 -311 -47 -159 -85 -302 -85 -317 0 -128 109 -225 255 -225 109 1
+185 42 228 125 26 51 237 683 237 710 0 11 -54 182 -121 380 -121 360 -121
+360 -134 605 -8 135 -14 292 -14 350 l0 105 152 -158 c84 -87 166 -167 182
+-177 44 -29 98 -26 135 8 38 35 187 379 173 401 -5 8 -34 20 -64 26 -59 11
+-38 -8 -393 362 -89 93 -100 97 -174 59 -59 -30 -161 -62 -229 -71 -52 -7 -53
+-7 -53 -41 0 -44 -21 -84 -61 -118 -38 -32 -41 0 32 -455 l52 -325 -82 -78
+c-45 -43 -85 -78 -89 -78 -4 0 -42 35 -84 78 l-77 77 34 215 c19 118 46 289
+61 379 26 164 26 164 -5 188 -42 33 -54 58 -61 121 -5 54 -5 54 -92 87 -98 38
+-184 89 -243 145 -76 70 -123 87 -168 57z M5504 4170 c-74 -30 -69 -170 6
+-170 19 0 20 -7 20 -123 0 -122 0 -122 -54 -262 -30 -77 -97 -243 -150 -369
+-106 -252 -113 -287 -73 -347 46 -70 38 -69 560 -69 327 0 475 3 490 11 69 35
+107 109 88 172 -5 17 -62 142 -126 277 -225 470 -215 443 -215 586 0 114 2
+124 18 124 57 0 72 101 23 151 -29 29 -29 29 -298 28 -147 0 -278 -4 -289 -9z
+m376 -307 c1 -148 1 -148 81 -333 101 -231 98 -222 68 -216 -13 3 -116 22
+-229 42 -112 19 -208 37 -212 40 -4 2 18 75 48 160 54 156 54 156 54 305 l0
+149 95 0 95 0 0 -147z m-219 -593 c22 0 49 -42 49 -75 0 -46 -29 -75 -74 -75
+-37 0 -76 36 -76 71 0 46 45 94 78 83 8 -2 18 -4 23 -4z m327 -126 c53 -59 -7
+-144 -80 -113 -54 22 -65 83 -22 125 30 31 67 27 102 -12z"/>
+</g>
+</svg>

src/App.tsx

@@ -3,7 +3,6 @@ import { BrowserRouter, Routes, Route, Navigate } from 'react-router-dom'
 import { useAuth } from '@/hooks/useAuth'
 import Sidebar from '@/components/Sidebar'
 import LoginPage from '@/pages/LoginPage'
-import SetupWizardPage from '@/pages/SetupWizardPage'
 import DashboardPage from '@/pages/DashboardPage'
 import TasksPage from '@/pages/TasksPage'
 import TaskDetailPage from '@/pages/TaskDetailPage'
@@ -20,71 +19,82 @@ import UsersPage from '@/pages/UsersPage'
 import CalendarPage from '@/pages/CalendarPage'
 import SupportDetailPage from '@/pages/SupportDetailPage'
 import MeetingDetailPage from '@/pages/MeetingDetailPage'
+import OidcCallbackPage from '@/pages/OidcCallbackPage'
+import OidcSettingsPage from '@/pages/OidcSettingsPage'
 import axios from 'axios'
 
-const getStoredWizardPort = (): number | null => {
+// Backend URL is baked in at build time via VITE_HF_BACKEND_BASE_URL
-  const stored = Number(localStorage.getItem('HF_WIZARD_PORT'))
+// (docker build --build-arg). Empty string → same-origin call (only
-  return stored && stored > 0 ? stored : null
+// works in dev with the Vite proxy).
-}
+const API_BASE = import.meta.env.VITE_HF_BACKEND_BASE_URL || ''
 
-const getApiBase = () => {
+type AppState = 'checking' | 'no-admin' | 'ready'
-  return localStorage.getItem('HF_BACKEND_BASE_URL') ?? undefined
-}
-
-type AppState = 'checking' | 'setup' | 'ready'
 
 export default function App() {
   const [appState, setAppState] = useState<AppState>('checking')
-  const { user, loading, login, logout } = useAuth()
+  const [errorMessage, setErrorMessage] = useState<string>('')
+  const { user, loading, login, loginWithToken, logout } = useAuth()
 
   useEffect(() => {
     checkInitialized()
   }, [])
 
   const checkInitialized = async () => {
-    // First try the backend /config/status endpoint (reads from config volume directly)
     try {
-      const res = await axios.get(`${getApiBase()}/config/status`, { timeout: 5000 })
+      const res = await axios.get(`${API_BASE}/config/status`, { timeout: 5000 })
       const cfg = res.data || {}
-      if (cfg.backend_url) {
-        localStorage.setItem('HF_BACKEND_BASE_URL', cfg.backend_url)
-      }
       if (cfg.initialized === true) {
         setAppState('ready')
         return
       }
-    } catch {
+      setAppState('no-admin')
-      // Backend unreachable — fall through to wizard check
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err)
+      setErrorMessage(`Backend unreachable at ${API_BASE || '<same origin>'} — ${msg}`)
+      setAppState('no-admin')
     }
-
-    // Fallback: if a wizard port was previously saved during setup, try it directly
-    const storedPort = getStoredWizardPort()
-    if (storedPort) {
-      try {
-        const res = await axios.get(`http://127.0.0.1:${storedPort}/api/v1/config/harborforge.json`, {
-          timeout: 5000,
-        })
-        const cfg = res.data || {}
-        if (cfg.backend_url) {
-          localStorage.setItem('HF_BACKEND_BASE_URL', cfg.backend_url)
-        }
-        if (cfg.initialized === true) {
-          setAppState('ready')
-          return
-        }
-      } catch {
-        // ignore — fall through to setup
-      }
-    }
-    setAppState('setup')
   }
 
   if (appState === 'checking') {
-    return <div className="loading">Checking configuration status...</div>
+    return <div className="loading">Checking deployment status…</div>
   }
 
-  if (appState === 'setup') {
+  if (appState === 'no-admin') {
-    return <SetupWizardPage initialWizardPort={getStoredWizardPort()} onComplete={checkInitialized} />
+    return (
+      <div className="login-page">
+        <div className="login-card">
+          <h1>⚓ HarborForge</h1>
+          {errorMessage ? (
+            <>
+              <p className="text-dim">Cannot reach the backend.</p>
+              <pre style={{ whiteSpace: 'pre-wrap', fontSize: '0.85em' }}>{errorMessage}</pre>
+              <p className="text-dim">
+                Set <code>VITE_HF_BACKEND_BASE_URL</code> at build time
+                (e.g. <code>https://hf-api.example.com</code>) in the
+                frontend container's compose entry.
+              </p>
+            </>
+          ) : (
+            <>
+              <p className="text-dim">
+                No admin user found. Bootstrap the deployment by running, on the host:
+              </p>
+              <pre style={{ whiteSpace: 'pre-wrap', fontSize: '0.85em' }}>
+{`docker exec hf-backend hf-cli admin create-user \\
+  --email you@example.com \\
+  --password '...' \\
+  # ...or in OIDC_ONLY mode:
+  --oidc-issuer https://login.example.com/realms/your-realm \\
+  --oidc-subject <sub-from-idp>`}
+              </pre>
+              <button className="btn-primary" onClick={checkInitialized}>
+                Recheck
+              </button>
+            </>
+          )}
+        </div>
+      </div>
+    )
   }
 
   if (loading) return <div className="loading">Loading...</div>
@@ -100,6 +110,7 @@ export default function App() {
               <Route path="/users" element={<UsersPage />} />
               <Route path="/monitor" element={<MonitorPage />} />
               <Route path="/login" element={<LoginPage onLogin={login} />} />
+              <Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
               <Route path="*" element={<Navigate to="/monitor" />} />
             </Routes>
           </main>
@@ -133,6 +144,8 @@ export default function App() {
             <Route path="/roles" element={<RoleEditorPage />} />
             <Route path="/users" element={<UsersPage />} />
             <Route path="/monitor" element={<MonitorPage />} />
+            {user?.is_admin && <Route path="/settings/oidc" element={<OidcSettingsPage />} />}
+            <Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
             <Route path="*" element={<Navigate to="/" />} />
           </Routes>
         </main>

src/components/Sidebar.tsx

@@ -1,6 +1,8 @@
 import { useState, useEffect } from 'react'
 import { Link, useLocation, useNavigate } from 'react-router-dom'
 import api from '@/services/api'
+import { useAuthConfig, oidcLinkHref } from '@/hooks/useAuthConfig'
+import { getLogoUrl } from '@/runtime'
 import type { User } from '@/types'
 
 interface Props {
@@ -11,6 +13,7 @@ interface Props {
 export default function Sidebar({ user, onLogout }: Props) {
   const { pathname } = useLocation()
   const navigate = useNavigate()
+  const { config: authCfg } = useAuthConfig()
   const [unreadCount, setUnreadCount] = useState(0)
 
   useEffect(() => {
@@ -39,6 +42,7 @@ export default function Sidebar({ user, onLogout }: Props) {
     ...(user.is_admin ? [
       { to: '/users', icon: '👥', label: 'Users' },
       { to: '/roles', icon: '🔐', label: 'Roles' },
+      { to: '/settings/oidc', icon: '🪪', label: 'OIDC' },
     ] : []),
   ] : [
     { to: '/monitor', icon: '📡', label: 'Monitor' },
@@ -47,7 +51,7 @@ export default function Sidebar({ user, onLogout }: Props) {
   return (
     <nav className="sidebar">
       <div className="sidebar-header">
-        <h1>⚓ HarborForge</h1>
+        <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
       </div>
       <ul className="nav-links">
         {links.map((l) => (
@@ -64,6 +68,11 @@ export default function Sidebar({ user, onLogout }: Props) {
           <button onClick={() => navigate('/login')}>Log in</button>
         )}
       </div>
+      {user && authCfg.oidcEnabled && !authCfg.oidcOnly && (
+        <div className="sidebar-footer" style={{ borderTop: 'none', paddingTop: 0 }}>
+          <a href={oidcLinkHref()} title="Link your account to an OIDC identity">🔗 Link OIDC account</a>
+        </div>
+      )}
     </nav>
   )
 }

src/hooks/useAuth.ts

@@ -44,10 +44,16 @@ export function useAuth() {
     await fetchUser()
   }
 
+  const loginWithToken = async (token: string) => {
+    localStorage.setItem('token', token)
+    setState((s) => ({ ...s, token }))
+    await fetchUser()
+  }
+
   const logout = () => {
     localStorage.removeItem('token')
     setState({ user: null, token: null, loading: false })
   }
 
-  return { ...state, login, logout }
+  return { ...state, login, loginWithToken, logout }
 }

src/hooks/useAuthConfig.ts

@@ -0,0 +1,76 @@
+import { useState, useEffect } from 'react'
+import api from '@/services/api'
+
+export interface AuthConfig {
+  oidcEnabled: boolean
+  oidcOnly: boolean
+  passwordLogin: boolean
+  oidcLoginUrl: string
+}
+
+const DEFAULT: AuthConfig = {
+  oidcEnabled: false,
+  oidcOnly: false,
+  passwordLogin: true,
+  oidcLoginUrl: '/auth/oidc/login',
+}
+
+let cache: AuthConfig | null = null
+let inflight: Promise<AuthConfig> | null = null
+
+async function load(): Promise<AuthConfig> {
+  if (cache) return cache
+  if (inflight) return inflight
+  inflight = api
+    .get('/auth/config')
+    .then(({ data }) => {
+      cache = {
+        oidcEnabled: !!data.oidc_enabled,
+        oidcOnly: !!data.oidc_only,
+        passwordLogin: data.password_login !== false,
+        oidcLoginUrl: data.oidc_login_url || '/auth/oidc/login',
+      }
+      return cache
+    })
+    .catch(() => {
+      // Backend unreachable / old backend without /auth/config:
+      // fall back to password-only so login is never fully blocked.
+      cache = { ...DEFAULT }
+      return cache
+    })
+    .finally(() => {
+      inflight = null
+    })
+  return inflight
+}
+
+/** Absolute backend URL for full-page OIDC redirects. */
+const BACKEND_BASE = import.meta.env.VITE_HF_BACKEND_BASE_URL || ''
+
+export function oidcLoginHref(cfg: AuthConfig): string {
+  return `${BACKEND_BASE}${cfg.oidcLoginUrl}`
+}
+
+export function oidcLinkHref(): string {
+  return `${BACKEND_BASE}/auth/oidc/link`
+}
+
+export function useAuthConfig() {
+  const [config, setConfig] = useState<AuthConfig | null>(cache)
+  const [loading, setLoading] = useState(!cache)
+
+  useEffect(() => {
+    let alive = true
+    load().then((c) => {
+      if (alive) {
+        setConfig(c)
+        setLoading(false)
+      }
+    })
+    return () => {
+      alive = false
+    }
+  }, [])
+
+  return { config: config ?? DEFAULT, loading }
+}

src/index.css

@@ -144,7 +144,12 @@ input, textarea, select, button { font-family: inherit; }
   font-size: 1.3rem; letter-spacing: .12em;
   display: flex; align-items: center; gap: 8px;
 }
-.sidebar-header h1::first-letter { color: var(--accent); }
+/* Brand logo (overridable via HARBORFORGE_LOGO_URL / public/logo.svg) */
+.brand-logo {
+  height: 1.15em; width: auto; vertical-align: -0.18em;
+  display: inline-block; flex: 0 0 auto;
+}
+.login-card h1 .brand-logo, .setup-header h1 .brand-logo { height: 1.4em; }
 .nav-links { list-style: none; flex: 1; padding: 14px 12px; display: flex; flex-direction: column; gap: 2px; }
 .nav-links li a {
   display: flex; align-items: center; gap: 10px;
@@ -175,7 +180,7 @@ input, textarea, select, button { font-family: inherit; }
 .sidebar-footer button:hover { border-color: var(--accent); color: var(--accent); }
 
 /* ---- Login -------------------------------------------------------------- */
-.login-page, .setup-wizard {
+.login-page {
   display: flex; align-items: center; justify-content: center;
   min-height: 100vh; padding: 24px;
 }
@@ -464,43 +469,6 @@ dd { font-size: .92rem; font-family: 'JetBrains Mono', monospace; }
 .empty::after  { content: ' —'; color: var(--accent); }
 .text-dim { color: var(--text-dim); font-size: .82rem; }
 
-/* ---- Setup Wizard ------------------------------------------------------- */
-.setup-container {
-  position: relative; background: var(--bg-card); border: var(--hair);
-  border-radius: 6px; padding: 44px; max-width: 620px; width: 100%;
-  box-shadow: 0 40px 80px -30px rgba(0,0,0,.8);
-  animation: deck-in .55s cubic-bezier(.16,1,.3,1) both;
-}
-.setup-container::before { content: ''; position: absolute; left: 0; right: 0; top: 0; height: 3px; background: var(--ember); border-radius: 6px 6px 0 0; }
-.setup-header { text-align: center; margin-bottom: 34px; }
-.setup-header h1 { font-size: 1.6rem; margin-bottom: 22px; letter-spacing: .1em; }
-.setup-steps { display: flex; justify-content: center; gap: 8px; flex-wrap: wrap; }
-.setup-step {
-  font-size: .68rem; color: var(--text-dim); padding: 5px 12px; border-radius: 2px;
-  border: var(--hair); text-transform: uppercase; letter-spacing: .1em;
-  font-family: 'JetBrains Mono', monospace;
-}
-.setup-step.active { color: var(--accent); border-color: var(--accent); background: var(--ember-soft); }
-.setup-step.done { color: var(--success); border-color: var(--success); }
-.setup-step-content { animation: fadeIn .25s ease; }
-.setup-step-content h2 { margin-bottom: 10px; font-size: 1.3rem; }
-.setup-form { margin: 22px 0; }
-.setup-nav { display: flex; justify-content: space-between; margin-top: 28px; }
-.setup-nav button:disabled { opacity: .5; cursor: default; }
-.setup-error {
-  background: rgba(226,85,60,.12); border: 1px solid var(--danger); color: var(--danger);
-  padding: 13px 16px; border-radius: var(--radius); margin-bottom: 18px;
-  font-size: .85rem; white-space: pre-line; font-family: 'JetBrains Mono', monospace;
-}
-.setup-info { background: rgba(86,198,214,.07); border: 1px solid rgba(86,198,214,.25); padding: 18px; border-radius: var(--radius); margin: 18px 0; }
-.setup-info code {
-  display: block; background: var(--bg-sink); padding: 10px 13px; border-radius: 2px;
-  margin-top: 10px; font-size: .82rem; color: var(--steel); word-break: break-all;
-}
-.setup-hint { color: var(--warning); font-size: .82rem; margin-top: 8px; }
-.setup-done { text-align: center; }
-.setup-done h2 { color: var(--success); margin-bottom: 14px; }
-
 /* ---- Monitor ------------------------------------------------------------ */
 .monitor-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(270px, 1fr)); gap: 18px; margin-top: 14px; }
 .monitor-card {

src/pages/LoginPage.tsx

@@ -1,15 +1,31 @@
 import React, { useState } from 'react'
+import { useAuthConfig, oidcLoginHref } from '@/hooks/useAuthConfig'
+import { getLogoUrl } from '@/runtime'
 
 interface Props {
   onLogin: (username: string, password: string) => Promise<void>
 }
 
+const OIDC_ERRORS: Record<string, string> = {
+  not_linked: 'This OIDC account is not linked to any HarborForge user. Ask an administrator to bind it first.',
+  exchange_failed: 'OIDC sign-in failed during token exchange. Please try again.',
+  no_subject: 'The identity provider did not return a subject. Sign-in aborted.',
+  token_rejected: 'The issued session token was rejected. Please try again.',
+  missing_token: 'No session token was returned. Please try again.',
+  link_not_allowed: 'Account linking is not allowed in this mode.',
+  already_bound: 'That OIDC identity is already bound to another user.',
+}
+
 export default function LoginPage({ onLogin }: Props) {
+  const { config, loading: cfgLoading } = useAuthConfig()
   const [username, setUsername] = useState('')
   const [password, setPassword] = useState('')
   const [error, setError] = useState('')
   const [loading, setLoading] = useState(false)
 
+  const urlError = new URLSearchParams(window.location.search).get('oidc_error')
+  const oidcError = urlError ? (OIDC_ERRORS[urlError] || `OIDC error: ${urlError}`) : ''
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
     setError('')
@@ -23,31 +39,58 @@ export default function LoginPage({ onLogin }: Props) {
     }
   }
 
+  const showPassword = !cfgLoading && config.passwordLogin && !config.oidcOnly
+  const showOidc = !cfgLoading && config.oidcEnabled
+
   return (
     <div className="login-page">
       <div className="login-card">
-        <h1>⚓ HarborForge</h1>
+        <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
         <p className="subtitle">Agent/Human collaborative task management platform</p>
-        <form onSubmit={handleSubmit}>
+
-          <input
+        {oidcError && <p className="error" style={{ marginBottom: 14 }}>{oidcError}</p>}
-            type="text"
+
-            placeholder="Username"
+        {showPassword && (
-            value={username}
+          <form onSubmit={handleSubmit}>
-            onChange={(e) => setUsername(e.target.value)}
+            <input
-            required
+              type="text"
-          />
+              placeholder="Username"
-          <input
+              value={username}
-            type="password"
+              onChange={(e) => setUsername(e.target.value)}
-            placeholder="Password"
+              required
-            value={password}
+            />
-            onChange={(e) => setPassword(e.target.value)}
+            <input
-            required
+              type="password"
-          />
+              placeholder="Password"
-          {error && <p className="error">{error}</p>}
+              value={password}
-          <button type="submit" disabled={loading}>
+              onChange={(e) => setPassword(e.target.value)}
-            {loading ? 'Signing in...' : 'Sign in'}
+              required
-          </button>
+            />
-        </form>
+            {error && <p className="error">{error}</p>}
+            <button type="submit" disabled={loading}>
+              {loading ? 'Signing in...' : 'Sign in'}
+            </button>
+          </form>
+        )}
+
+        {showPassword && showOidc && (
+          <p className="text-dim" style={{ textAlign: 'center', margin: '14px 0' }}>— or —</p>
+        )}
+
+        {showOidc && (
+          <a
+            className="btn-primary"
+            style={{ display: 'block', textAlign: 'center', textDecoration: 'none' }}
+            href={oidcLoginHref(config)}
+          >
+            Sign in with SSO
+          </a>
+        )}
+
+        {cfgLoading && <p className="subtitle">Loading sign-in options…</p>}
+        {!cfgLoading && !showPassword && !showOidc && (
+          <p className="error">No sign-in method is available. Check server configuration.</p>
+        )}
       </div>
     </div>
   )

src/pages/OidcCallbackPage.tsx

@@ -0,0 +1,56 @@
+import { useEffect, useRef, useState } from 'react'
+import { useNavigate } from 'react-router-dom'
+import { getLogoUrl } from '@/runtime'
+
+interface Props {
+  onToken: (token: string) => Promise<void>
+}
+
+/**
+ * Lands here after the backend OIDC callback redirect.
+ * - sign-in:  URL fragment `#token=<jwt>`  → apply token, go to dashboard
+ * - self-link: query `?oidc_linked=1`        → success notice, go to /users
+ * - failure:  query `?oidc_error=<code>`     → back to /login with the code
+ */
+export default function OidcCallbackPage({ onToken }: Props) {
+  const navigate = useNavigate()
+  const [msg, setMsg] = useState('Completing sign-in…')
+  const ran = useRef(false)
+
+  useEffect(() => {
+    if (ran.current) return
+    ran.current = true
+
+    const hash = new URLSearchParams(window.location.hash.replace(/^#/, ''))
+    const query = new URLSearchParams(window.location.search)
+    const token = hash.get('token')
+    const oidcError = query.get('oidc_error')
+    const linked = query.get('oidc_linked')
+
+    if (oidcError) {
+      navigate(`/login?oidc_error=${encodeURIComponent(oidcError)}`, { replace: true })
+      return
+    }
+    if (linked) {
+      setMsg('OIDC account linked. Redirecting…')
+      const t = setTimeout(() => navigate('/users', { replace: true }), 1200)
+      return () => clearTimeout(t)
+    }
+    if (token) {
+      onToken(token)
+        .then(() => navigate('/', { replace: true }))
+        .catch(() => navigate('/login?oidc_error=token_rejected', { replace: true }))
+      return
+    }
+    navigate('/login?oidc_error=missing_token', { replace: true })
+  }, [navigate, onToken])
+
+  return (
+    <div className="login-page">
+      <div className="login-card">
+        <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
+        <p className="subtitle">{msg}</p>
+      </div>
+    </div>
+  )
+}

src/pages/OidcSettingsPage.tsx

@@ -0,0 +1,171 @@
+import { useEffect, useState } from 'react'
+import api from '@/services/api'
+import { useAuth } from '@/hooks/useAuth'
+
+interface Settings {
+  enabled: boolean
+  issuer: string | null
+  client_id: string | null
+  has_client_secret: boolean
+  redirect_uri: string | null
+  scopes: string | null
+  post_login_redirect: string | null
+  admin_role: string
+  oidc_only: boolean
+  effective_enabled: boolean
+  source: string
+}
+
+export default function OidcSettingsPage() {
+  const { user } = useAuth()
+  const isAdmin = user?.is_admin === true
+
+  const [loaded, setLoaded] = useState<Settings | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [saving, setSaving] = useState(false)
+  const [message, setMessage] = useState('')
+  const [form, setForm] = useState({
+    enabled: false,
+    issuer: '',
+    client_id: '',
+    client_secret: '',
+    redirect_uri: '',
+    scopes: 'openid email profile',
+    post_login_redirect: '',
+    admin_role: 'admin',
+  })
+
+  useEffect(() => {
+    if (!isAdmin) { setLoading(false); return }
+    api.get<Settings>('/auth/oidc/settings')
+      .then(({ data }) => {
+        setLoaded(data)
+        setForm({
+          enabled: data.enabled,
+          issuer: data.issuer || '',
+          client_id: data.client_id || '',
+          client_secret: '',
+          redirect_uri: data.redirect_uri || '',
+          scopes: data.scopes || 'openid email profile',
+          post_login_redirect: data.post_login_redirect || '',
+          admin_role: data.admin_role || 'admin',
+        })
+      })
+      .catch((e) => setMessage(e.response?.data?.detail || 'Failed to load OIDC settings'))
+      .finally(() => setLoading(false))
+  }, [isAdmin])
+
+  const save = async () => {
+    setSaving(true)
+    setMessage('')
+    try {
+      const payload: Record<string, any> = {
+        enabled: form.enabled,
+        issuer: form.issuer.trim(),
+        client_id: form.client_id.trim(),
+        redirect_uri: form.redirect_uri.trim(),
+        scopes: form.scopes.trim(),
+        post_login_redirect: form.post_login_redirect.trim(),
+        admin_role: form.admin_role.trim() || 'admin',
+      }
+      if (form.client_secret) payload.client_secret = form.client_secret
+      const { data } = await api.put<Settings>('/auth/oidc/settings', payload)
+      setLoaded(data)
+      setForm((f) => ({ ...f, client_secret: '' }))
+      setMessage('OIDC settings saved successfully')
+    } catch (e: any) {
+      setMessage(e.response?.data?.detail || 'Failed to save OIDC settings')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  if (loading) return <div className="loading">Loading OIDC settings...</div>
+  if (!isAdmin) {
+    return (
+      <div className="section">
+        <h2>🔐 OIDC Settings</h2>
+        <p className="empty">Admin access required.</p>
+      </div>
+    )
+  }
+
+  const callbackHint = form.redirect_uri.trim() || loaded?.redirect_uri || '(set the Redirect / Callback URL below)'
+
+  return (
+    <div className="section">
+      <div className="page-header">
+        <div>
+          <h2>🔐 OIDC Settings</h2>
+          <div className="text-dim">Configure the OpenID Connect provider. Saved values override environment defaults.</div>
+        </div>
+      </div>
+
+      {message && (
+        <div style={{
+          padding: '10px 12px', marginBottom: 16, borderRadius: 8,
+          background: message.includes('success') ? 'rgba(70,180,135,.14)' : 'rgba(226,85,60,.14)',
+          border: `1px solid ${message.includes('success') ? 'rgba(70,180,135,.4)' : 'rgba(226,85,60,.4)'}`,
+        }}>{message}</div>
+      )}
+
+      <div className="monitor-card" style={{ marginBottom: 16 }}>
+        <div className="monitor-card-header">
+          <div style={{ fontWeight: 600 }}>Status</div>
+          <span className={'badge ' + (loaded?.effective_enabled ? 'status-online' : 'status-offline')}>
+            {loaded?.effective_enabled ? 'OIDC active' : 'OIDC inactive'}
+          </span>
+        </div>
+        <div className="monitor-metrics">
+          config source: <b>{loaded?.source}</b> · OIDC-only mode (deploy env): <b>{loaded?.oidc_only ? 'on' : 'off'}</b>
+        </div>
+        <div style={{ marginTop: 8 }}>
+          <div className="text-dim">Register this Redirect / Callback URL at your identity provider:</div>
+          <code style={{ display: 'block', marginTop: 6, wordBreak: 'break-all' }}>{callbackHint}</code>
+        </div>
+      </div>
+
+      <div className="task-create-form" style={{ maxWidth: 640 }}>
+        <label className="filter-check">
+          <input type="checkbox" checked={form.enabled} onChange={(e) => setForm({ ...form, enabled: e.target.checked })} />
+          Enable OIDC sign-in
+        </label>
+        <label>
+          Issuer (OIDC source)
+          <input placeholder="https://idp.example.com" value={form.issuer} onChange={(e) => setForm({ ...form, issuer: e.target.value })} />
+        </label>
+        <label>
+          Client ID
+          <input value={form.client_id} onChange={(e) => setForm({ ...form, client_id: e.target.value })} />
+        </label>
+        <label>
+          Client Secret
+          <input type="password" placeholder={loaded?.has_client_secret ? '•••••• (leave blank to keep current)' : 'client secret'} value={form.client_secret} onChange={(e) => setForm({ ...form, client_secret: e.target.value })} />
+        </label>
+        <label>
+          Redirect / Callback URL
+          <input placeholder="https://hf-api.example.com/auth/oidc/callback" value={form.redirect_uri} onChange={(e) => setForm({ ...form, redirect_uri: e.target.value })} />
+        </label>
+        <label>
+          Scopes
+          <input value={form.scopes} onChange={(e) => setForm({ ...form, scopes: e.target.value })} />
+        </label>
+        <label>
+          Post-login redirect (frontend)
+          <input placeholder="https://hf.example.com/oidc/callback" value={form.post_login_redirect} onChange={(e) => setForm({ ...form, post_login_redirect: e.target.value })} />
+        </label>
+        <label>
+          Admin role (bootstrap)
+          <input placeholder="admin" value={form.admin_role} onChange={(e) => setForm({ ...form, admin_role: e.target.value })} />
+        </label>
+        <p className="text-dim">
+          OIDC-only bootstrap: before any admin is linked, an IdP user whose token carries this role
+          auto-connects to the HarborForge admin account on first sign-in. Disables itself once an admin is bound.
+        </p>
+        <button className="btn-primary" disabled={saving} onClick={save}>
+          {saving ? 'Saving...' : 'Save OIDC Settings'}
+        </button>
+      </div>
+    </div>
+  )
+}

src/pages/SetupWizardPage.tsx

@@ -1,202 +0,0 @@
-import { useState } from 'react'
-import axios from 'axios'
-
-interface Props {
-  initialWizardPort: number | null
-  onComplete: () => void
-}
-
-interface SetupForm {
-  admin_username: string
-  admin_password: string
-  admin_email: string
-  admin_full_name: string
-  backend_base_url: string
-  project_name: string
-  project_description: string
-}
-
-const STEPS = ['Wizard', 'Admin', 'Backend', 'Finish']
-
-export default function SetupWizardPage({ initialWizardPort, onComplete }: Props) {
-  const [step, setStep] = useState(0)
-  const [error, setError] = useState('')
-  const [saving, setSaving] = useState(false)
-  const [connecting, setConnecting] = useState(false)
-  const [wizardPortInput, setWizardPortInput] = useState<string>(
-    initialWizardPort ? String(initialWizardPort) : ''
-  )
-  const [wizardBase, setWizardBase] = useState<string>('')
-  const [form, setForm] = useState<SetupForm>({
-    admin_username: 'admin',
-    admin_password: '',
-    admin_email: '',
-    admin_full_name: 'Admin',
-    backend_base_url: '',
-    project_name: '',
-    project_description: '',
-  })
-
-  const set = (key: keyof SetupForm, value: string | number) =>
-    setForm((f) => ({ ...f, [key]: value }))
-
-  const checkWizard = async () => {
-    setError('')
-    const port = Number(wizardPortInput)
-    if (!port || port <= 0 || port > 65535) {
-      setError('Please enter a valid wizard port (1-65535).')
-      return
-    }
-    const base = `http://127.0.0.1:${port}`
-    setConnecting(true)
-    try {
-      await axios.get(`${base}/health`, { timeout: 5000 })
-      setWizardBase(base)
-      localStorage.setItem('HF_WIZARD_PORT', String(port))
-      setStep(1)
-    } catch {
-      setError(`Unable to connect to AbstractWizard at ${base}.\nMake sure the SSH tunnel is up:\nssh -L ${port}:127.0.0.1:${port} user@server`)
-    } finally {
-      setConnecting(false)
-    }
-  }
-
-  const saveConfig = async () => {
-    setError('')
-    setSaving(true)
-    try {
-      const config = {
-        initialized: true,
-        admin: {
-          username: form.admin_username,
-          password: form.admin_password,
-          email: form.admin_email,
-          full_name: form.admin_full_name,
-        },
-        backend_url: form.backend_base_url || undefined,
-      }
-
-      await axios.put(`${wizardBase}/api/v1/config/harborforge.json`, config, {
-        headers: { 'Content-Type': 'application/json' },
-        timeout: 5000,
-      })
-
-      if (form.backend_base_url) {
-        localStorage.setItem('HF_BACKEND_BASE_URL', form.backend_base_url)
-      }
-
-      setStep(3)
-    } catch (err: any) {
-      setError(`Failed to save configuration: ${err.message}`)
-    } finally {
-      setSaving(false)
-    }
-  }
-
-  return (
-    <div className="setup-wizard">
-      <div className="setup-container">
-        <div className="setup-header">
-          <h1>⚓ HarborForge Setup Wizard</h1>
-          <div className="setup-steps">
-            {STEPS.map((s, i) => (
-              <span key={i} className={`setup-step ${i === step ? 'active' : i < step ? 'done' : ''}`}>
-                {i < step ? '✓' : i + 1}. {s}
-              </span>
-            ))}
-          </div>
-        </div>
-
-        {error && <div className="setup-error">{error}</div>}
-
-        {/* Step 0: Wizard connection */}
-        {step === 0 && (
-          <div className="setup-step-content">
-            <h2>Connect to AbstractWizard</h2>
-            <p className="text-dim">Enter the local port that forwards to AbstractWizard, then test the connection.</p>
-            <div className="setup-info">
-              <p>⚠️ AbstractWizard is reached over an SSH tunnel. Forward the port first:</p>
-              <code>ssh -L &lt;wizard_port&gt;:127.0.0.1:&lt;wizard_port&gt; user@your-server</code>
-            </div>
-            <div className="setup-form">
-              <label>
-                Wizard port
-                <input
-                  type="number"
-                  value={wizardPortInput}
-                  min={1}
-                  max={65535}
-                  onChange={(e) => setWizardPortInput(e.target.value)}
-                  placeholder="e.g. 8080"
-                />
-              </label>
-            </div>
-            <div className="setup-nav">
-              <button className="btn-primary" onClick={checkWizard} disabled={connecting}>
-                {connecting ? 'Connecting...' : 'Test connection & continue'}
-              </button>
-            </div>
-          </div>
-        )}
-
-        {/* Step 1: Admin */}
-        {step === 1 && (
-          <div className="setup-step-content">
-            <h2>Admin account</h2>
-            <p className="text-dim">Create the first admin user</p>
-            <div className="setup-form">
-              <label>Username <input value={form.admin_username} onChange={(e) => set('admin_username', e.target.value)} required /></label>
-              <label>Password <input type="password" value={form.admin_password} onChange={(e) => set('admin_password', e.target.value)} required placeholder="Set admin password" /></label>
-              <label>Email <input type="email" value={form.admin_email} onChange={(e) => set('admin_email', e.target.value)} placeholder="admin@example.com" /></label>
-              <label>Full name <input value={form.admin_full_name} onChange={(e) => set('admin_full_name', e.target.value)} /></label>
-            </div>
-            <div className="setup-nav">
-              <button className="btn-back" onClick={() => setStep(0)}>Back</button>
-              <button className="btn-primary" onClick={() => {
-                if (!form.admin_password) { setError('Please set an admin password'); return }
-                setError('')
-                setStep(2)
-              }}>Next</button>
-            </div>
-          </div>
-        )}
-
-        {/* Step 2: Backend */}
-        {step === 2 && (
-          <div className="setup-step-content">
-            <h2>Backend URL</h2>
-            <p className="text-dim">Configure the HarborForge backend API URL (leave blank to use the frontend default).</p>
-            <div className="setup-form">
-              <label>Backend Base URL <input value={form.backend_base_url} onChange={(e) => set('backend_base_url', e.target.value)} placeholder="http://backend:8000" /></label>
-            </div>
-            <div className="setup-nav">
-              <button className="btn-back" onClick={() => setStep(1)}>Back</button>
-              <button className="btn-primary" onClick={saveConfig} disabled={saving}>
-                {saving ? 'Saving...' : 'Finish setup'}
-              </button>
-            </div>
-          </div>
-        )}
-
-        {/* Step 3: Done */}
-        {step === 3 && (
-          <div className="setup-step-content">
-            <div className="setup-done">
-              <h2>✅ Setup complete!</h2>
-              <p>Configuration saved to AbstractWizard.</p>
-              <div className="setup-info">
-                <p>Restart services on the server:</p>
-                <code>docker compose restart</code>
-                <p style={{ marginTop: '1rem' }}>After the backend starts, refresh this page to go to login.</p>
-                <p>Admin account: <strong>{form.admin_username}</strong></p>
-              </div>
-              <button className="btn-primary" onClick={onComplete}>
-                Refresh to check
-              </button>
-            </div>
-          </div>
-        )}
-      </div>
-    </div>
-  )
-}

src/pages/UsersPage.tsx

@@ -1,6 +1,7 @@
 import { useEffect, useMemo, useState } from 'react'
 import api from '@/services/api'
 import { useAuth } from '@/hooks/useAuth'
+import { useAuthConfig } from '@/hooks/useAuthConfig'
 import type { User } from '@/types'
 
 interface RoleOption {
@@ -16,8 +17,13 @@ interface ApiKeyPerms {
 
 export default function UsersPage() {
   const { user } = useAuth()
+  const { config: authCfg } = useAuthConfig()
+  const oidcOnly = authCfg.oidcOnly
+  const oidcEnabled = authCfg.oidcEnabled
   const isAdmin = user?.is_admin === true
 
+  const [bindForm, setBindForm] = useState({ issuer: '', subject: '' })
+
   const [users, setUsers] = useState<User[]>([])
   const [roles, setRoles] = useState<RoleOption[]>([])
   const [loading, setLoading] = useState(true)
@@ -105,17 +111,20 @@ export default function UsersPage() {
   }
 
   const handleCreateUser = async () => {
-    if (!createForm.username.trim() || !createForm.email.trim() || !createForm.password.trim()) return
+    if (!createForm.username.trim() || !createForm.email.trim()) return
+    if (!oidcOnly && !createForm.password.trim()) return
     setSaving(true)
     setMessage('')
     try {
-      const payload = {
+      const payload: Record<string, any> = {
         username: createForm.username.trim(),
         email: createForm.email.trim(),
         full_name: createForm.full_name.trim() || null,
-        password: createForm.password,
         role_id: createForm.role_id ? Number(createForm.role_id) : undefined,
       }
+      if (!oidcOnly) {
+        payload.password = createForm.password
+      }
       const { data } = await api.post<User>('/users', payload)
       const guestRole = roles.find((r) => r.name === 'guest') ?? roles[0]
       setCreateForm({
@@ -201,6 +210,42 @@ export default function UsersPage() {
     }
   }
 
+  const handleBindOidc = async () => {
+    if (!selectedUser) return
+    if (!bindForm.issuer.trim() || !bindForm.subject.trim()) return
+    setSaving(true)
+    setMessage('')
+    try {
+      await api.put(`/users/${selectedUser.id}/oidc-binding`, {
+        issuer: bindForm.issuer.trim(),
+        subject: bindForm.subject.trim(),
+      })
+      setBindForm({ issuer: '', subject: '' })
+      setMessage('OIDC identity bound successfully')
+      await fetchData()
+    } catch (err: any) {
+      setMessage(err.response?.data?.detail || 'Failed to bind OIDC identity')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  const handleUnbindOidc = async () => {
+    if (!selectedUser) return
+    if (!confirm(`Remove the OIDC binding for ${selectedUser.username}?`)) return
+    setSaving(true)
+    setMessage('')
+    try {
+      await api.delete(`/users/${selectedUser.id}/oidc-binding`)
+      setMessage('OIDC binding removed')
+      await fetchData()
+    } catch (err: any) {
+      setMessage(err.response?.data?.detail || 'Failed to remove OIDC binding')
+    } finally {
+      setSaving(false)
+    }
+  }
+
   if (loading) return <div className="loading">Loading users...</div>
 
   if (!isAdmin) {
@@ -251,10 +296,15 @@ export default function UsersPage() {
               Full Name
               <input value={createForm.full_name} onChange={(e) => setCreateForm({ ...createForm, full_name: e.target.value })} />
             </label>
-            <label>
+            {!oidcOnly && (
-              Password
+              <label>
-              <input type="password" value={createForm.password} onChange={(e) => setCreateForm({ ...createForm, password: e.target.value })} />
+                Password
-            </label>
+                <input type="password" value={createForm.password} onChange={(e) => setCreateForm({ ...createForm, password: e.target.value })} />
+              </label>
+            )}
+            {oidcOnly && (
+              <p className="text-dim">OIDC-only mode: users are created without a password and sign in via a bound OIDC identity.</p>
+            )}
             <label>
               Role
               <select value={createForm.role_id} onChange={(e) => setCreateForm({ ...createForm, role_id: e.target.value })}>
@@ -264,7 +314,7 @@ export default function UsersPage() {
                 ))}
               </select>
             </label>
-            <button className="btn-primary" disabled={saving || !createForm.username.trim() || !createForm.email.trim() || !createForm.password.trim() || !createForm.role_id} onClick={handleCreateUser}>
+            <button className="btn-primary" disabled={saving || !createForm.username.trim() || !createForm.email.trim() || (!oidcOnly && !createForm.password.trim()) || !createForm.role_id} onClick={handleCreateUser}>
               {saving ? 'Saving...' : 'Create User'}
             </button>
           </div>
@@ -326,10 +376,12 @@ export default function UsersPage() {
                   Full Name
                   <input value={editForm.full_name} onChange={(e) => setEditForm({ ...editForm, full_name: e.target.value })} />
                 </label>
-                <label>
+                {!oidcOnly && (
-                  Reset Password
+                  <label>
-                  <input type="password" placeholder="Leave blank to keep current password" value={editForm.password} onChange={(e) => setEditForm({ ...editForm, password: e.target.value })} />
+                    Reset Password
-                </label>
+                    <input type="password" placeholder="Leave blank to keep current password" value={editForm.password} onChange={(e) => setEditForm({ ...editForm, password: e.target.value })} />
+                  </label>
+                )}
 
                 <div style={{ marginTop: '8px', padding: '12px', border: '1px solid var(--border)', borderRadius: '8px' }}>
                   <div style={{ fontWeight: 600, marginBottom: '10px' }}>Role</div>
@@ -381,6 +433,36 @@ export default function UsersPage() {
                     )}
                   </div>
                 )}
+
+                {oidcEnabled && (
+                  <div style={{ marginTop: '8px', padding: '12px', border: '1px solid var(--border)', borderRadius: '8px' }}>
+                    <div style={{ fontWeight: 600, marginBottom: '10px' }}>OIDC Binding</div>
+                    {selectedUser.oidc_subject ? (
+                      <div style={{ marginBottom: 10 }}>
+                        <div className="text-dim" style={{ fontFamily: 'monospace', wordBreak: 'break-all' }}>
+                          issuer: {selectedUser.oidc_issuer || '—'}<br />
+                          subject: {selectedUser.oidc_subject}
+                        </div>
+                        <button className="btn-danger" style={{ marginTop: 10 }} disabled={saving} onClick={handleUnbindOidc}>
+                          Unbind OIDC identity
+                        </button>
+                      </div>
+                    ) : (
+                      <div className="text-dim" style={{ marginBottom: 10 }}>No OIDC identity bound.</div>
+                    )}
+                    <label>
+                      Issuer
+                      <input value={bindForm.issuer} placeholder="https://idp.example.com" onChange={(e) => setBindForm({ ...bindForm, issuer: e.target.value })} />
+                    </label>
+                    <label>
+                      Subject (sub)
+                      <input value={bindForm.subject} placeholder="OIDC subject claim" onChange={(e) => setBindForm({ ...bindForm, subject: e.target.value })} />
+                    </label>
+                    <button className="btn-secondary" style={{ marginTop: 10 }} disabled={saving || !bindForm.issuer.trim() || !bindForm.subject.trim()} onClick={handleBindOidc}>
+                      {selectedUser.oidc_subject ? 'Rebind OIDC identity' : 'Bind OIDC identity'}
+                    </button>
+                  </div>
+                )}
               </div>
             </>
           ) : (

src/runtime.ts

@@ -0,0 +1,23 @@
+// Runtime config injected by the container entrypoint into
+// /runtime-config.js (from the deploy-time HARBORFORGE_OIDC_ONLY env).
+// Available before the backend exists — used by the setup wizard.
+declare global {
+  interface Window {
+    __HF_RUNTIME__?: { oidc_only?: boolean; logo_url?: string }
+  }
+}
+
+/** true/false from the injected runtime config, or null when unknown. */
+export function getRuntimeOidcOnly(): boolean | null {
+  const v = typeof window !== 'undefined' ? window.__HF_RUNTIME__?.oidc_only : undefined
+  return typeof v === 'boolean' ? v : null
+}
+
+/** Brand logo URL: deploy-time override (HARBORFORGE_LOGO_URL) or the
+ *  bundled default at /logo.svg. */
+export function getLogoUrl(): string {
+  const u = typeof window !== 'undefined' ? window.__HF_RUNTIME__?.logo_url : undefined
+  return (typeof u === 'string' && u) ? u : '/logo.svg'
+}
+
+export {}

src/services/api.ts

@@ -1,15 +1,15 @@
 import axios from 'axios'
 
-const getApiBase = (): string | undefined => {
+// Backend URL is the build-time VITE_HF_BACKEND_BASE_URL baked into the
-  return localStorage.getItem('HF_BACKEND_BASE_URL') ?? undefined
+// bundle by docker build --build-arg. Empty → axios uses same-origin
-}
+// (only works in dev with the Vite proxy).
+const API_BASE = import.meta.env.VITE_HF_BACKEND_BASE_URL || undefined
 
 const api = axios.create({
-  baseURL: getApiBase(),
+  baseURL: API_BASE,
 })
 
 api.interceptors.request.use((config) => {
-  config.baseURL = getApiBase()
   const token = localStorage.getItem('token')
   if (token) {
     config.headers.Authorization = `Bearer ${token}`

src/test/setup.ts

@@ -1,11 +1,17 @@
 import '@testing-library/jest-dom'
 import { vi } from 'vitest'
 
+// VITE_HF_BACKEND_BASE_URL is the build-time backend URL; in tests we
+// stub it via import.meta.env (api.ts + useAuthConfig + App read it).
+;(import.meta as any).env = {
+  ...(import.meta as any).env,
+  VITE_HF_BACKEND_BASE_URL: 'http://localhost:8000',
+}
+
 // Mock localStorage
 const localStorageMock = {
   getItem: vi.fn((key: string) => {
     if (key === 'token') return 'mock-token'
-    if (key === 'HF_BACKEND_BASE_URL') return 'http://localhost:8000'
     return null
   }),
   setItem: vi.fn(),

src/types/index.ts

@@ -7,6 +7,8 @@ export interface User {
   is_active: boolean
   role_id: number | null
   role_name: string | null
+  oidc_issuer?: string | null
+  oidc_subject?: string | null
   created_at: string
 }
 

src/vite-env.d.ts

@@ -2,6 +2,14 @@
 
 interface ImportMetaEnv {
   readonly VITE_API_BASE: string
+  /**
+   * Backend base URL baked in at build time (e.g.
+   * https://hf-api.example.com). Frontend uses this for all API calls.
+   * Passed to the Dockerfile as an ARG and forwarded to `npm run build`.
+   * Empty string falls back to same-origin (only useful in dev with the
+   * Vite proxy).
+   */
+  readonly VITE_HF_BACKEND_BASE_URL: string
 }
 
 interface ImportMeta {