SSO using OpenID Connect (#3899)

* Add SSO functionality using OpenID Connect

Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>

* Improvements and error handling

* Stop rolling device token

* Add playwright tests

* Activate PKCE by default

* Ensure result order when searching for sso_user

* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION

* Toggle SSO button in scss

* Base64 encode state before sending it to providers

* Prevent disabled User from SSO login

* Review fixes

* Remove unused UserOrganization.invited_by_email

* Split SsoUser::find_by_identifier_or_email

* api::Accounts::verify_password add the policy even if it's ignored

* Disable signups if SSO_ONLY is activated

* Add verifiedDate to organizations::get_org_domain_sso_details

* Review fixes

* Remove OrganizationId guard from get_master_password_policy

* Add wrapper type OIDCCode OIDCState OIDCIdentifier

* Membership::confirm_user_invitations fix and tests

* Allow set-password only if account is unitialized

* Review fixes

* Prevent accepting another user invitation

* Log password change event on SSO account creation

* Unify master password policy resolution

* Upgrade openidconnect to 4.0.0

* Revert "Remove unused UserOrganization.invited_by_email"

This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.

* Process org enrollment in accounts::post_set_password

* Improve tests

* Pass the claim invited_by_email in case it was not in db

* Add Slack configuration hints

* Fix playwright tests

* Skip broken tests

* Add sso identifier in admin user panel

* Remove duplicate expiration check, add a log

* Augment mobile refresh_token validity

* Rauthy configuration hints

* Fix playwright tests

* Playwright upgrade and conf improvement

* Playwright tests improvements

* 2FA email and device creation change

* Fix and improve Playwright tests

* Minor improvements

* Fix enforceOnLogin org policies

* Run playwright sso tests against correct db

* PKCE should now work with Zitadel

* Playwright upgrade maildev to use MailBuffer.expect

* Upgrades playwright tests deps

* Check email_verified in id_token and user_info

* Add sso verified endpoint for v2025.6.0

* Fix playwright tests

* Create a separate sso_client

* Upgrade openidconnect to 4.0.1

* Server settings for login fields toggle

* Use only css for login fields

* Fix playwright test

* Review fix

* More review fix

* Perform same checks when setting kdf

---------

Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>

src/db/models/user.rs

@@ -8,15 +8,17 @@ use super::{
 use crate::{
     api::EmptyResult,
     crypto,
+    db::models::DeviceId,
     db::DbConn,
     error::MapResult,
+    sso::OIDCIdentifier,
     util::{format_date, get_uuid, retry},
     CONFIG,
 };
 use macros::UuidFromParam;
 
 db_object! {
-    #[derive(Identifiable, Queryable, Insertable, AsChangeset)]
+    #[derive(Identifiable, Queryable, Insertable, AsChangeset, Selectable)]
     #[diesel(table_name = users)]
     #[diesel(treat_none_as_null = true)]
     #[diesel(primary_key(uuid))]
@@ -71,6 +73,14 @@ db_object! {
     pub struct Invitation {
         pub email: String,
     }
+
+    #[derive(Identifiable, Queryable, Insertable, Selectable)]
+    #[diesel(table_name = sso_users)]
+    #[diesel(primary_key(user_uuid))]
+    pub struct SsoUser {
+        pub user_uuid: UserId,
+        pub identifier: OIDCIdentifier,
+    }
 }
 
 pub enum UserKdfType {
@@ -96,7 +106,7 @@ impl User {
     pub const CLIENT_KDF_TYPE_DEFAULT: i32 = UserKdfType::Pbkdf2 as i32;
     pub const CLIENT_KDF_ITER_DEFAULT: i32 = 600_000;
 
-    pub fn new(email: String) -> Self {
+    pub fn new(email: String, name: Option<String>) -> Self {
         let now = Utc::now().naive_utc();
         let email = email.to_lowercase();
 
@@ -108,7 +118,7 @@ impl User {
             verified_at: None,
             last_verifying_at: None,
             login_verify_count: 0,
-            name: email.clone(),
+            name: name.unwrap_or(email.clone()),
             email,
             akey: String::new(),
             email_new: None,
@@ -384,9 +394,28 @@ impl User {
         }}
     }
 
-    pub async fn get_all(conn: &mut DbConn) -> Vec<Self> {
+    pub async fn find_by_device_id(device_uuid: &DeviceId, conn: &mut DbConn) -> Option<Self> {
+        db_run! { conn: {
+            users::table
+                .inner_join(devices::table.on(devices::user_uuid.eq(users::uuid)))
+                .filter(devices::uuid.eq(device_uuid))
+                .select(users::all_columns)
+                .first::<UserDb>(conn)
+                .ok()
+                .from_db()
+        }}
+    }
+
+    pub async fn get_all(conn: &mut DbConn) -> Vec<(User, Option<SsoUser>)> {
         db_run! {conn: {
-            users::table.load::<UserDb>(conn).expect("Error loading users").from_db()
+            users::table
+                .left_join(sso_users::table)
+                .select(<(UserDb, Option<SsoUserDb>)>::as_select())
+                .load(conn)
+                .expect("Error loading groups for user")
+                .into_iter()
+                .map(|(user, sso_user)| { (user.from_db(), sso_user.from_db()) })
+                .collect()
         }}
     }
 
@@ -477,3 +506,57 @@ impl Invitation {
 #[deref(forward)]
 #[from(forward)]
 pub struct UserId(String);
+
+impl SsoUser {
+    pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
+        db_run! { conn:
+            sqlite, mysql {
+                diesel::replace_into(sso_users::table)
+                    .values(SsoUserDb::to_db(self))
+                    .execute(conn)
+                    .map_res("Error saving SSO user")
+            }
+            postgresql {
+                let value = SsoUserDb::to_db(self);
+                diesel::insert_into(sso_users::table)
+                    .values(&value)
+                    .execute(conn)
+                    .map_res("Error saving SSO user")
+            }
+        }
+    }
+
+    pub async fn find_by_identifier(identifier: &str, conn: &DbConn) -> Option<(User, SsoUser)> {
+        db_run! {conn: {
+            users::table
+                .inner_join(sso_users::table)
+                .select(<(UserDb, SsoUserDb)>::as_select())
+                .filter(sso_users::identifier.eq(identifier))
+                .first::<(UserDb, SsoUserDb)>(conn)
+                .ok()
+                .map(|(user, sso_user)| { (user.from_db(), sso_user.from_db()) })
+        }}
+    }
+
+    pub async fn find_by_mail(mail: &str, conn: &DbConn) -> Option<(User, Option<SsoUser>)> {
+        let lower_mail = mail.to_lowercase();
+
+        db_run! {conn: {
+            users::table
+                .left_join(sso_users::table)
+                .select(<(UserDb, Option<SsoUserDb>)>::as_select())
+                .filter(users::email.eq(lower_mail))
+                .first::<(UserDb, Option<SsoUserDb>)>(conn)
+                .ok()
+                .map(|(user, sso_user)| { (user.from_db(), sso_user.from_db()) })
+        }}
+    }
+
+    pub async fn delete(user_uuid: &UserId, conn: &mut DbConn) -> EmptyResult {
+        db_run! {conn: {
+            diesel::delete(sso_users::table.filter(sso_users::user_uuid.eq(user_uuid)))
+                .execute(conn)
+                .map_res("Error deleting sso user")
+        }}
+    }
+}