SSO using OpenID Connect (#3899)

* Add SSO functionality using OpenID Connect

Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>

* Improvements and error handling

* Stop rolling device token

* Add playwright tests

* Activate PKCE by default

* Ensure result order when searching for sso_user

* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION

* Toggle SSO button in scss

* Base64 encode state before sending it to providers

* Prevent disabled User from SSO login

* Review fixes

* Remove unused UserOrganization.invited_by_email

* Split SsoUser::find_by_identifier_or_email

* api::Accounts::verify_password add the policy even if it's ignored

* Disable signups if SSO_ONLY is activated

* Add verifiedDate to organizations::get_org_domain_sso_details

* Review fixes

* Remove OrganizationId guard from get_master_password_policy

* Add wrapper type OIDCCode OIDCState OIDCIdentifier

* Membership::confirm_user_invitations fix and tests

* Allow set-password only if account is unitialized

* Review fixes

* Prevent accepting another user invitation

* Log password change event on SSO account creation

* Unify master password policy resolution

* Upgrade openidconnect to 4.0.0

* Revert "Remove unused UserOrganization.invited_by_email"

This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.

* Process org enrollment in accounts::post_set_password

* Improve tests

* Pass the claim invited_by_email in case it was not in db

* Add Slack configuration hints

* Fix playwright tests

* Skip broken tests

* Add sso identifier in admin user panel

* Remove duplicate expiration check, add a log

* Augment mobile refresh_token validity

* Rauthy configuration hints

* Fix playwright tests

* Playwright upgrade and conf improvement

* Playwright tests improvements

* 2FA email and device creation change

* Fix and improve Playwright tests

* Minor improvements

* Fix enforceOnLogin org policies

* Run playwright sso tests against correct db

* PKCE should now work with Zitadel

* Playwright upgrade maildev to use MailBuffer.expect

* Upgrades playwright tests deps

* Check email_verified in id_token and user_info

* Add sso verified endpoint for v2025.6.0

* Fix playwright tests

* Create a separate sso_client

* Upgrade openidconnect to 4.0.1

* Server settings for login fields toggle

* Use only css for login fields

* Fix playwright test

* Review fix

* More review fix

* Perform same checks when setting kdf

---------

Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>

src/db/models/sso_nonce.rs

@@ -0,0 +1,89 @@
+use chrono::{NaiveDateTime, Utc};
+
+use crate::api::EmptyResult;
+use crate::db::{DbConn, DbPool};
+use crate::error::MapResult;
+use crate::sso::{OIDCState, NONCE_EXPIRATION};
+
+db_object! {
+    #[derive(Identifiable, Queryable, Insertable)]
+    #[diesel(table_name = sso_nonce)]
+    #[diesel(primary_key(state))]
+    pub struct SsoNonce {
+        pub state: OIDCState,
+        pub nonce: String,
+        pub verifier: Option<String>,
+        pub redirect_uri: String,
+        pub created_at: NaiveDateTime,
+    }
+}
+
+/// Local methods
+impl SsoNonce {
+    pub fn new(state: OIDCState, nonce: String, verifier: Option<String>, redirect_uri: String) -> Self {
+        let now = Utc::now().naive_utc();
+
+        SsoNonce {
+            state,
+            nonce,
+            verifier,
+            redirect_uri,
+            created_at: now,
+        }
+    }
+}
+
+/// Database methods
+impl SsoNonce {
+    pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn:
+            sqlite, mysql {
+                diesel::replace_into(sso_nonce::table)
+                    .values(SsoNonceDb::to_db(self))
+                    .execute(conn)
+                    .map_res("Error saving SSO nonce")
+            }
+            postgresql {
+                let value = SsoNonceDb::to_db(self);
+                diesel::insert_into(sso_nonce::table)
+                    .values(&value)
+                    .execute(conn)
+                    .map_res("Error saving SSO nonce")
+            }
+        }
+    }
+
+    pub async fn delete(state: &OIDCState, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn: {
+            diesel::delete(sso_nonce::table.filter(sso_nonce::state.eq(state)))
+                .execute(conn)
+                .map_res("Error deleting SSO nonce")
+        }}
+    }
+
+    pub async fn find(state: &OIDCState, conn: &DbConn) -> Option<Self> {
+        let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
+        db_run! { conn: {
+            sso_nonce::table
+                .filter(sso_nonce::state.eq(state))
+                .filter(sso_nonce::created_at.ge(oldest))
+                .first::<SsoNonceDb>(conn)
+                .ok()
+                .from_db()
+        }}
+    }
+
+    pub async fn delete_expired(pool: DbPool) -> EmptyResult {
+        debug!("Purging expired sso_nonce");
+        if let Ok(conn) = pool.get().await {
+            let oldest = Utc::now().naive_utc() - *NONCE_EXPIRATION;
+            db_run! { conn: {
+                diesel::delete(sso_nonce::table.filter(sso_nonce::created_at.lt(oldest)))
+                    .execute(conn)
+                    .map_res("Error deleting expired SSO nonce")
+            }}
+        } else {
+            err!("Failed to get DB connection while purging expired sso_nonce")
+        }
+    }
+}