feat: add generic OIDC authentication (Okta, Auth0, Keycloak, OneLogin, ...)#683

Open
d-axel-b wants to merge 1 commit into getnao:main from d-axel-b:feat/oidc-auth

Conversation


@d-axel-b d-axel-b commented Apr 28, 2026

Summary

Adds SSO login via any OIDC-compliant identity provider using better-auth's genericOAuth plugin. One integration that works with Okta, Auth0, Keycloak, OneLogin, and any provider that exposes a standard OIDC discovery document.

Configuration

Set the following environment variables to enable:

  • OIDC_DISCOVERY_URL (required) — provider's .well-known/openid-configuration URL
  • OIDC_CLIENT_ID (required)
  • OIDC_CLIENT_SECRET (required)
  • OIDC_PROVIDER_ID — defaults to oidc, used in callback URL and button logic
  • OIDC_PROVIDER_NAME — defaults to SSO, shown on the login button
  • OIDC_SCOPES — defaults to openid,profile,email
  • OIDC_AUTH_DOMAINS — optional comma-separated email domain allowlist
  • OIDC_PKCE — defaults to true

When unset, the SSO button is hidden.

Redirect URI to register in your IdP: https://<your-nao-host>/api/auth/oauth2/callback/{OIDC_PROVIDER_ID}

What's included

  • Backend: genericOAuth plugin registration, env schema (8 vars), domain allowlist enforcement in databaseHooks.user.create.before, OIDC users included in isSocial check for auto-provisioning, tRPC authConfig.oidc.getConfig endpoint
  • Frontend: genericOAuthClient plugin, dynamic handleOidcSignIn via signIn.oauth2, conditional "Continue with {providerName}" button with LockKeyholeIcon
  • Docs: setup guide at apps/backend/docs/auth-oidc.md with walkthroughs for Okta, Auth0, Keycloak, and OneLogin
  • Tests: 15 Vitest unit tests — 10 for domain allowlist edge cases, 5 for tRPC endpoint

Test plan

  • npm run lint passes (no new errors — pre-existing drizzle-orm type issues unrelated)

  • npm test passes (15/15 new tests pass)

  • Manual smoke against an OIDC provider:

    • New user with allowed domain → user + account rows created, session set, redirected to /
    • Returning user → no new user row, existing session restored
    • Domain not in allowlist → generic auth error, no user row created
    • SSO button visible when env vars set, hidden when unset
    • Custom provider name displayed on button
    • Coexistence with Google/GitHub auth

    Some manual testing remains.

Add SSO login via any OIDC-compliant identity provider using
better-auth's genericOAuth plugin with OIDC discovery.

Backend:
- Register genericOAuth plugin in auth.ts when OIDC env vars are set
- Add 8 env vars: OIDC_PROVIDER_ID, OIDC_PROVIDER_NAME,
  OIDC_DISCOVERY_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET,
  OIDC_SCOPES, OIDC_AUTH_DOMAINS, OIDC_PKCE
- Enforce email domain allowlist in databaseHooks.user.create.before
- Include OIDC provider in isSocial check for user auto-provisioning
- Add tRPC authConfig.oidc.getConfig returning providerId + providerName

Frontend:
- Add genericOAuthClient plugin to auth client
- Add handleOidcSignIn using authClient.signIn.oauth2
- Render dynamic "Continue with {providerName}" button with LockKeyholeIcon

Docs:
- Add apps/backend/docs/auth-oidc.md with setup walkthroughs for
  Okta, Auth0, Keycloak, and OneLogin
- Update .env.example with OIDC configuration block

Tests:
- 10 domain allowlist tests (auth-hooks-oidc.test.ts)
- 5 tRPC getConfig endpoint tests (auth-config-oidc.test.ts)
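The description and commit message above say the email-domain allowlist is enforced in a `databaseHooks.user.create.before` hook, but show no code for it. Below is an added example (written for this page, not the PR's or nao's code) of what a fail-closed version of that check looks like, in the shape of a better-auth `before` hook: parse `OIDC_AUTH_DOMAINS`, normalise case and whitespace, match the email domain exactly so that `example.com` does not admit `evil-example.com`, `example.com.attacker.net` or an unlisted sub-domain, and reject malformed or missing emails whenever an allowlist is configured. The function names (`parseAuthDomains`, `emailDomain`, `isEmailDomainAllowed`, `makeUserCreateBeforeHook`), the `NewUser` type and the `{ data: user }` return shape are assumptions, not the PR's identifiers; the sample inputs are constructed.

```typescript
// Added example, not code from the PR. Mirrors the shape of a better-auth
// databaseHooks.user.create.before hook; names and the NewUser type are assumed.

/** Parse OIDC_AUTH_DOMAINS (" Example.com, corp.example.com ,") into a normalised set. */
export function parseAuthDomains(raw: string | undefined): Set<string> {
  const out = new Set<string>();
  for (const part of (raw ?? "").split(",")) {
    // Lower-case, trim, and tolerate a leading "@" so "@example.com" works too.
    const d = part.trim().toLowerCase().replace(/^@/, "");
    if (d.length > 0) out.add(d);
  }
  return out;
}

/** Domain part of a single user@domain address, lower-cased; null if malformed. */
export function emailDomain(email: unknown): string | null {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null; // "@x" or "user@"
  if (trimmed.indexOf("@") !== at) return null; // more than one "@"
  return trimmed.slice(at + 1).toLowerCase();
}

/**
 * Exact-match allowlist. Sub-domains must be listed explicitly; substring or
 * suffix tricks ("evil-example.com", "example.com.attacker.net") do not match.
 * An empty allowlist means the option is unset, i.e. no restriction, which is
 * how the PR describes OIDC_AUTH_DOMAINS (optional).
 */
export function isEmailDomainAllowed(email: unknown, allowed: Set<string>): boolean {
  if (allowed.size === 0) return true;
  const domain = emailDomain(email);
  if (domain === null) return false; // fail closed on missing/malformed email
  return allowed.has(domain);
}

// Stand-in for the user row better-auth hands to the hook (assumed shape).
type NewUser = { email?: string; name?: string };

/** Build the before-create hook from the raw env value (assumed wiring). */
export function makeUserCreateBeforeHook(rawAllowlist: string | undefined) {
  const allowed = parseAuthDomains(rawAllowlist);
  return async (user: NewUser): Promise<{ data: NewUser }> => {
    if (!isEmailDomainAllowed(user.email, allowed)) {
      // Keep the message generic so the response does not reveal which
      // domains are permitted; in better-auth this would be an APIError.
      throw new Error("Sign-in not permitted");
    }
    return { data: user };
  };
}
```

Two design points worth checking in any implementation of this hook: the comparison must be on the exact, lower-cased domain (not `endsWith`), and a configured allowlist must reject users whose token carries no usable email rather than letting them through because there is nothing to compare.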

@github-actions

This PR was auto-closed. Only contributors approved with lgtm can open PRs. Open an issue first.

Maintainers review auto-closed issues daily. Issues that do not meet the quality bar in CONTRIBUTING.md will not be reopened or receive a reply.

If a maintainer replies lgtmi, your future issues will stay open. If a maintainer replies lgtm, your future issues and PRs will stay open.

See CONTRIBUTING.md.

@github-actions github-actions Bot closed this Apr 28, 2026
github-actions Bot commented Apr 28, 2026

🚀 Preview Deployment

URL https://pr-683-70182a3.preview.getnao.io
Commit 70182a3

⚠️ No LLM API keys configured - you'll see the API key setup flow when trying to chat.
Preview will be automatically removed when this PR is closed.

radcheb commented Apr 28, 2026

Related: #591 and #657

@Bl3f Bl3f reopened this May 4, 2026
@wgenchi-mwb
@Bl3f do you have a timeline for when this will be available? Okta integration is a critical feature for adoption in our case. I also talked with @ClaireGz about this during a call.
