feat(sso): OSS gated surface for enterprise SSO (OIDC) (#32)#1303
Open
dolho wants to merge 2 commits into
Companion to trinity-enterprise#36. OSS carries only the entitlement-gated
surface; all SSO logic lives in the private submodule.
- Login.vue: "Sign in with <IdP>" buttons (shown only when the `sso` feature is
entitled and a provider is enabled), plus OIDC callback-fragment handling
(`/login#sso=ok|mfa|error`) — reuses the existing 2FA challenge UI when the
IdP login still requires a local second factor.
- stores/auth.js: completeSsoLogin() (reuses _finalizeLogin / _setMfaChallenge)
+ fetchSsoProviders() (empty in OSS-only builds — endpoint 404s).
- Settings.vue: admin-gated "SSO" tab → SsoPanel.vue (provider CRUD + test +
policy). Gated by enterpriseStore.isEntitled('sso'), same as the 2FA tab.
- Bump enterprise submodule to the SSO module commit.
- docs: architecture enterprise-modules row + requirements §40 (SSO/OIDC).
No new backend dependency (python-jose + httpx already in the image) and no
OSS Python changes — the mint/whitelist/mfa seams already exist.
Stacked on feat/5-2fa-totp (reuses the OSS mfa_gate + 2FA challenge surface).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pulls in the email_verified / issuer-pinning / login-CSRF fixes (trinity-enterprise 87c8f97). OSS gated surface unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
OSS-side, entitlement-gated surface for enterprise SSO via OIDC. All SSO logic lives in the private submodule (companion: trinity-enterprise#36); OSS carries only the gated UI + the submodule bump.
Related to trinity-enterprise#32.
Changes
- Login.vue: "Sign in with <IdP>" buttons, shown only when the `sso` feature is entitled and a provider is enabled; handles the OIDC callback fragment (`/login#sso=ok|mfa|error`) and reuses the existing 2FA challenge UI when the IdP login still needs a local second factor.
- stores/auth.js: `completeSsoLogin()` (reuses `_finalizeLogin` / `_setMfaChallenge`) + `fetchSsoProviders()` (empty in OSS-only builds — endpoint 404s).
- Settings.vue: admin-gated "SSO" tab → `SsoPanel.vue` (provider CRUD + connectivity test + policy). Gated by `enterpriseStore.isEntitled('sso')`, same pattern as the 2FA tab.
Why no backend/dep changes
`python-jose` + `httpx` are already in the backend image, and the mint (`create_access_token`), whitelist/`default_role` (#314), and `mfa_gate` seams already exist — so OSS needs no Python or Dockerfile change.
Notes
- Stacked on `feat/5-2fa-totp` (reuses the OSS `mfa_gate` + 2FA challenge surface) — base is the 2FA branch so the diff is SSO-only. Retarget to `dev` once 2FA lands; the submodule pointer also settles once both 2FA branches merge.
- (`ui` label).
🤖 Generated with Claude Code
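An added example, not code from this PR or the trinity project, modelling the OSS-side pieces the description lists: strict handling of the `/login#sso=ok|mfa|error` fragment, the entitlement-plus-enabled gate on the login buttons, and a provider fetch that treats the OSS-only 404 as "no providers". Every name in it (`parseSsoFragment`, `handleSsoCallback`, `visibleSsoProviders`, the store methods, the `/api/sso/providers` path) is an assumption for illustration.

```javascript
// Added example, not the PR's code. Function names, store methods and the
// provider endpoint path are assumptions chosen for illustration.

// The PR's callback fragment is /login#sso=ok|mfa|error. Treat that as a strict
// allowlist: any other value is ignored instead of being acted on.
const SSO_OUTCOMES = new Set(['ok', 'mfa', 'error']);

// Parse "#sso=<outcome>" from a location hash. Returns null when there is no
// fragment, no sso key, or a value outside the allowlist.
function parseSsoFragment(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  const outcome = new URLSearchParams(hash.slice(1)).get('sso');
  return outcome !== null && SSO_OUTCOMES.has(outcome) ? outcome : null;
}

// Route the outcome to the same seams the PR reuses for local login. The
// fragment carries no credential: "ok" only tells the client to load the
// session the backend already established, "mfa" shows the existing 2FA UI.
function handleSsoCallback(hash, store) {
  switch (parseSsoFragment(hash)) {
    case 'ok':
      store.completeSsoLogin();           // assumed: loads session from backend
      return { state: 'authenticated' };
    case 'mfa':
      store.setMfaChallenge();            // assumed stand-in for _setMfaChallenge
      return { state: 'mfa-challenge' };
    case 'error':
      return { state: 'error', message: 'SSO sign-in failed' };
    default:
      return { state: 'idle' };           // no fragment or unknown value: ignore
  }
}

// Buttons are shown only when the `sso` feature is entitled AND the provider
// is enabled; without the entitlement the list is empty regardless of data.
function visibleSsoProviders(enterpriseStore, providers) {
  if (!enterpriseStore.isEntitled('sso')) return [];
  return providers.filter((p) => p && p.enabled === true);
}

// fetchSsoProviders(): the endpoint 404s in OSS-only builds, which the PR
// treats as "no providers" rather than an error. fetchImpl is injected so the
// function runs outside a browser.
async function fetchSsoProviders(fetchImpl) {
  const res = await fetchImpl('/api/sso/providers');   // assumed path
  if (res.status === 404) return [];
  if (!res.ok) throw new Error(`SSO providers: HTTP ${res.status}`);
  return res.json();
}
```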