zhi/HarborForge.Frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature/oidc-login #12

Merged
hzhang merged 5 commits from feature/oidc-login into main 2026-05-17 21:27:55 +00:00
Conversation 0 Commits 5 Files Changed 13 +612 -43
hzhang commented 2026-05-17 21:27:49 +00:00
Contributor
Copy Link
No description provided.
hzhang added 5 commits 2026-05-17 21:27:50 +00:00
feat(auth): OIDC login UI + binding management + OIDC-only mode 8f8d6d5465 
- useAuthConfig fetches public /auth/config; LoginPage hides the
  password form when oidc_only and shows an SSO button when enabled.
- /oidc/callback route applies the returned JWT (sign-in) or shows the
  link result; oidc_error surfaced on LoginPage.
- UsersPage: hides password fields in OIDC-only mode; admin OIDC
  bind/unbind UI per user. Sidebar self-service "Link OIDC account"
  (non-OIDC_ONLY).
- Dockerfile ARG/ENV HARBORFORGE_OIDC_ONLY.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(auth): admin OIDC settings page 8cac6951d7 
New admin page /settings/oidc to configure the OIDC provider (issuer,
client id/secret, redirect/callback URL, scopes, post-login redirect).
Prominently shows the callback URL to register at the IdP, current
status/source, and the read-only deploy-level OIDC-only flag. Secret
is write-only (blank = keep). Sidebar entry for admins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(auth): register /settings/oidc route for admins only ba55fee9d5 
Non-admins fall through to the catch-all redirect instead of seeing
the OIDC settings page shell. Sidebar link, in-page guard and the
admin-only backend API remain as defense in depth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(setup): OIDC step in setup wizard + runtime OIDC_ONLY flag 782e42ac64 
Solves the OIDC-only bootstrap lockout (admin can't reach the in-app
OIDC settings page when password login is disabled and OIDC is unset).

- Frontend image entrypoint injects /runtime-config.js from the
  deploy-time HARBORFORGE_OIDC_ONLY env so the SPA knows the mode
  before the backend exists.
- Setup wizard gains an "OIDC" step (between Admin and Backend):
  required when OIDC-only (incl. admin's OIDC subject so the bootstrap
  admin can sign in), optional otherwise; written into harborforge.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(auth): admin_role config; drop manual admin-subject from wizard 73da3926e7 
OIDC settings page + setup wizard now configure the bootstrap admin
role instead of a hand-typed OIDC subject. The OIDC-only admin link is
handled automatically by the backend admin-role auto-connect on first
sign-in (explained inline in both the wizard and settings page).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hzhang merged commit 4d0575291d into main 2026-05-17 21:27:55 +00:00
hzhang deleted branch feature/oidc-login 2026-05-17 21:27:56 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
nav orion river zhi
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: zhi/HarborForge.Frontend#12
Delete Branch "feature/oidc-login"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?