[feature] add generic OIDC authentication (Okta, Auth0, Keycloak, OneLogin, ...)

[d-axel-b]

Summary

Adds SSO login via any OIDC-compliant identity provider using better-auth's genericOAuth plugin. One integration that works with Okta, Auth0, Keycloak, OneLogin, and any provider that exposes a standard OIDC discovery document.

Configuration

Set the following environment variables to enable:

• OIDC_DISCOVERY_URL (required) — provider's .well-known/openid-configuration URL
• OIDC_CLIENT_ID (required)
• OIDC_CLIENT_SECRET (required)
• OIDC_PROVIDER_ID — defaults to oidc, used in callback URL and button logic
• OIDC_PROVIDER_NAME — defaults to SSO, shown on the login button
• OIDC_SCOPES — defaults to openid,profile,email
• OIDC_AUTH_DOMAINS — optional comma-separated email domain allowlist
• OIDC_PKCE — defaults to true

When unset, the SSO button is hidden.

Redirect URI to register in your IdP: https://<your-nao-host>/api/auth/oauth2/callback/{OIDC_PROVIDER_ID}

What's included

• Backend: genericOAuth plugin registration, env schema (8 vars), domain allowlist enforcement in databaseHooks.user.create.before, OIDC users included in isSocial check for auto-provisioning, tRPC authConfig.oidc.getConfig endpoint
• Frontend: genericOAuthClient plugin, dynamic handleOidcSignIn via signIn.oauth2, conditional "Continue with {providerName}" button with LockKeyholeIcon
• Docs: setup guide at apps/backend/docs/auth-oidc.md with walkthroughs for Okta, Auth0, Keycloak, and OneLogin
• Tests: 15 Vitest unit tests — 10 for domain allowlist edge cases, 5 for tRPC endpoint

Test plan

• npm run lint passes (no new errors — pre-existing drizzle-orm type issues unrelated)
• npm test passes (15/15 new tests pass)
• Manual smoke against an OIDC provider:
  • New user with allowed domain → user + account rows created, session set, redirected to /
  • Returning user → no new user row, existing session restored
  • Domain not in allowlist → generic auth error, no user row created
  • SSO button visible when env vars set, hidden when unset
  • Custom provider name displayed on button
  • Coexistence with Google/GitHub auth

[github-actions]

This issue was auto-closed. All issues from new contributors are auto-closed by default.

Maintainers review auto-closed issues daily and reopen worthwhile ones. Issues that do not meet the quality bar in CONTRIBUTING.md will not be reopened or receive a reply.

If a maintainer replies lgtmi on one of your issues, your future issues will stay open. If a maintainer replies lgtm, your future issues and PRs will stay open.

See CONTRIBUTING.md.

[d-axel-b]

Attached PR:

#683

[Bl3f]

Hello @d-axel-b thank you so much for the PR + issue. Sorry that you got closed, this is a new contribution process we are testing to be able to govern better what comes in the repo.

Nonetheless, OIDC and Enterprise login will be an Enterprise feature requiring a license to be able to use it, currently the ee code lives in a private repo and as you're the first one contributing to something EE we have to decide how to do it.

Maybe we should move the EE code to the public repo instead and just have different licenses files on it.

Coming back asap on this.

(lgtm)

[github-actions]

@d-axel-b approved for issues and PRs. Your future issues and PRs will not be auto-closed.

See CONTRIBUTING.md.

[d-axel-b]

@Bl3f - No Worries

I was working on it few days ago, and just saw your EE move after rebasing today.

I still need to perform some tests on the PR, so no worries.

[d-axel-b]

@Bl3f - I was also working on a pre-authenticated/header-based auth from JWT.

Do you think this one is a also an EE or open feature ?

[Bl3f]

Hey @d-axel-b the ee code gonna be in public actually so it will be easier to contribute, the PR will land soon, but the license will be different for ee related files.

When it comes for pre-authenticated/header-base auth from JWT i'd also say it's an Enterprise feature in the end because large enterprises are mostly using this. But the main caveat that I think of JWT forwarding is all the decision regarding should it create an user, with what role, in what project, etc.

By default I'd say Enterprise and we could have a simplified version in the open in the future.