zhi/HarborForge.Frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature/oidc-login #12

Merged
hzhang merged 5 commits from feature/oidc-login into main 2026-05-17 21:27:55 +00:00
Conversation 0 Commits 5 Files Changed 13 +612 -43

5 Commits

Author SHA1 Message Date
hzhang
73da3926e7 feat(auth): admin_role config; drop manual admin-subject from wizard 
OIDC settings page + setup wizard now configure the bootstrap admin
role instead of a hand-typed OIDC subject. The OIDC-only admin link is
handled automatically by the backend admin-role auto-connect on first
sign-in (explained inline in both the wizard and settings page).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 21:05:40 +01:00
hzhang
782e42ac64 feat(setup): OIDC step in setup wizard + runtime OIDC_ONLY flag 
Solves the OIDC-only bootstrap lockout (admin can't reach the in-app
OIDC settings page when password login is disabled and OIDC is unset).

- Frontend image entrypoint injects /runtime-config.js from the
  deploy-time HARBORFORGE_OIDC_ONLY env so the SPA knows the mode
  before the backend exists.
- Setup wizard gains an "OIDC" step (between Admin and Backend):
  required when OIDC-only (incl. admin's OIDC subject so the bootstrap
  admin can sign in), optional otherwise; written into harborforge.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:50:58 +01:00
hzhang
ba55fee9d5 fix(auth): register /settings/oidc route for admins only 
Non-admins fall through to the catch-all redirect instead of seeing
the OIDC settings page shell. Sidebar link, in-page guard and the
admin-only backend API remain as defense in depth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:33:28 +01:00
hzhang
8cac6951d7 feat(auth): admin OIDC settings page 
New admin page /settings/oidc to configure the OIDC provider (issuer,
client id/secret, redirect/callback URL, scopes, post-login redirect).
Prominently shows the callback URL to register at the IdP, current
status/source, and the read-only deploy-level OIDC-only flag. Secret
is write-only (blank = keep). Sidebar entry for admins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:29:22 +01:00
hzhang
8f8d6d5465 feat(auth): OIDC login UI + binding management + OIDC-only mode 
- useAuthConfig fetches public /auth/config; LoginPage hides the
  password form when oidc_only and shows an SSO button when enabled.
- /oidc/callback route applies the returned JWT (sign-in) or shows the
  link result; oidc_error surfaced on LoginPage.
- UsersPage: hides password fields in OIDC-only mode; admin OIDC
  bind/unbind UI per user. Sidebar self-service "Link OIDC account"
  (non-OIDC_ONLY).
- Dockerfile ARG/ENV HARBORFORGE_OIDC_ONLY.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 20:22:14 +01:00