Add OpenID Connect login support (#77)

* Add OpenID Connect login support * Add docs for OIDC config with Google Auth * Use Google styles for log in - Add support for linking existing account - Force users to sign-in with passoword first, when linking existing accounts - Add support to create new user when using OIDC - Add identities to user to prevent account take-ver - Make tests mocking instead of being integration tests - Manage session handling correctly - use OmniAuth.config.mock_auth instead of passing auth data via request env * Conditionally render Oauth button - Set a config item `configuration.x.auth.oidc_enabled` - Hide button if disabled --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Signed-off-by: soky srm <sokysrm@gmail.com> Co-authored-by: sokie <sokysrm@gmail.com>
2026-04-19 03:54:08 +00:00 · 2025-10-24 16:07:45 +02:00
parent d51ba515c9
commit 768e85ce08
29 changed files with 997 additions and 25 deletions
--- a/docs/hosting/oidc.md
+++ b/docs/hosting/oidc.md
@@ -0,0 +1,43 @@
+# Configuring OpenID Connect with Google
+
+This guide shows how to enable OpenID Connect (OIDC) logins for Sure using Google as the identity provider.
+
+## 1. Create a Google Cloud project
+
+1. Visit [https://console.cloud.google.com](https://console.cloud.google.com) and sign in.
+2. Create a new project or select an existing one.
+
+## 2. Configure the OAuth consent screen
+
+1. Navigate to **APIs & Services > OAuth consent screen**.
+2. Choose **External** and follow the prompts to configure the consent screen.
+3. Add your Google account as a test user.
+
+## 3. Create OAuth client credentials
+
+1. Go to **APIs & Services > Credentials** and click **Create Credentials > OAuth client ID**.
+2. Select **Web application** as the application type.
+3. Add an authorized redirect URI. For local development use:
+   ```
+   http://localhost:3000/auth/openid_connect/callback
+   ```
+   Replace with your domain for production, e.g.:
+   ```
+   https://yourdomain.com/auth/openid_connect/callback
+   ```
+4. After creating the credentials, copy the **Client ID** and **Client Secret**.
+
+## 4. Configure Sure
+
+Set the following environment variables in your deployment (e.g. `.env`, `docker-compose`, or hosting platform):
+
+```bash
+OIDC_ISSUER="https://accounts.google.com"
+OIDC_CLIENT_ID="your-google-client-id"
+OIDC_CLIENT_SECRET="your-google-client-secret"
+OIDC_REDIRECT_URI="https://yourdomain.com/auth/openid_connect/callback"
+```
+
+Restart the application after saving the variables.
+
+The user can now sign in from the login page using the **Sign in with OpenID Connect** link. Google must report the user's email as verified and it must match the email on the account.