feat(auth): add option to disable built-in login when using OIDC (#1908)

* feat(auth): disable built-in login by config * cleanup config * fix(web): prevent login form flash by waiting for OIDC config * refactor(config): standardize OIDC TOML format - Adds camelCase TOML tags to OIDC config struct while keeping mapstructure tags for backward compatibility - Updates config template to use camelCase format * refactor: kyles changes * refactor: prefix disablebuiltinlogin with oidc * docs: revert format change --------- Co-authored-by: ze0s <43699394+zze0s@users.noreply.github.com>
2025-07-23 16:59:12 +00:00 · 2025-01-26 15:25:34 +01:00 · 2025-01-26 15:25:34 +01:00 · 024371e4eb
commit 024371e4eb
parent 9eff694a5f
7 changed files with 192 additions and 172 deletions
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@ -21,12 +21,13 @@ import (
 )

 type OIDCConfig struct {
-	Enabled      bool
-	Issuer       string
-	ClientID     string
-	ClientSecret string
-	RedirectURL  string
-	Scopes       []string
+	Enabled             bool
+	Issuer              string
+	ClientID            string
+	ClientSecret        string
+	RedirectURL         string
+	DisableBuiltInLogin bool
+	Scopes              []string
 }

 type OIDCHandler struct {
@ -124,12 +125,13 @@ func NewOIDCHandler(cfg *domain.Config, log zerolog.Logger) (*OIDCHandler, error
 	handler := &OIDCHandler{
 		log: log,
 		config: &OIDCConfig{
-			Enabled:      cfg.OIDCEnabled,
-			Issuer:       cfg.OIDCIssuer,
-			ClientID:     cfg.OIDCClientID,
-			ClientSecret: cfg.OIDCClientSecret,
-			RedirectURL:  cfg.OIDCRedirectURL,
-			Scopes:       scopes,
+			Enabled:             cfg.OIDCEnabled,
+			Issuer:              cfg.OIDCIssuer,
+			ClientID:            cfg.OIDCClientID,
+			ClientSecret:        cfg.OIDCClientSecret,
+			RedirectURL:         cfg.OIDCRedirectURL,
+			DisableBuiltInLogin: cfg.OIDCDisableBuiltInLogin,
+			Scopes:              scopes,
 		},
 		provider: provider,
 		verifier: provider.Verifier(oidcConfig),
@ -282,27 +284,30 @@ func (h *OIDCHandler) GetAuthorizationURL() string {
 }

 type GetConfigResponse struct {
-	Enabled          bool   `json:"enabled"`
-	AuthorizationURL string `json:"authorizationUrl"`
-	State            string `json:"state"`
+	Enabled             bool   `json:"enabled"`
+	AuthorizationURL    string `json:"authorizationUrl"`
+	State               string `json:"state"`
+	DisableBuiltInLogin bool   `json:"disableBuiltInLogin"`
 }

 func (h *OIDCHandler) GetConfigResponse() GetConfigResponse {
 	if h == nil {
 		return GetConfigResponse{
-			Enabled: false,
+			Enabled:             false,
+			DisableBuiltInLogin: false,
 		}
 	}

 	state := generateRandomState()
 	authURL := h.oauthConfig.AuthCodeURL(state)

-	h.log.Debug().Bool("enabled", h.config.Enabled).Str("authorization_url", authURL).Str("state", state).Msg("returning OIDC config response")
+	h.log.Debug().Bool("enabled", h.config.Enabled).Str("authorization_url", authURL).Str("state", state).Bool("disable_built_in_login", h.config.DisableBuiltInLogin).Msg("returning OIDC config response")

 	return GetConfigResponse{
-		Enabled:          h.config.Enabled,
-		AuthorizationURL: authURL,
-		State:            state,
+		Enabled:             h.config.Enabled,
+		AuthorizationURL:    authURL,
+		State:               state,
+		DisableBuiltInLogin: h.config.DisableBuiltInLogin,
 	}
 }