Implement Single Sign-On (SSO) Feature: Add SSO settings page, integrate OIDC provider registration dialog, and update dependencies for better-auth to version 1.4.18. Enhance user interface with new SSO menu item and improve database schema for SSO providers.

This commit is contained in:
Mauricio Siu
2026-01-29 22:01:48 -06:00
parent 2e7f4dc1a2
commit 7f27601f7f
18 changed files with 9691 additions and 281 deletions

View File

@@ -30,6 +30,7 @@ import {
Trash2,
User,
Users,
LogIn,
} from "lucide-react";
import Link from "next/link";
import { usePathname } from "next/navigation";
@@ -406,6 +407,15 @@ const MENU: Menu = {
isEnabled: ({ auth, isCloud }) =>
!!((auth?.role === "owner" || auth?.role === "admin") && !isCloud),
},
{
isSingle: true,
title: "SSO",
url: "/dashboard/settings/sso",
icon: LogIn,
// Only enabled for admins in non-cloud environments (enterprise)
isEnabled: ({ auth, isCloud }) =>
!!((auth?.role === "owner" || auth?.role === "admin") && !isCloud),
},
],
help: [

View File

@@ -0,0 +1,206 @@
"use client";
import { Loader2 } from "lucide-react";
import { useState } from "react";
import { toast } from "sonner";
import { authClient } from "@/lib/auth-client";
import { Button } from "@/components/ui/button";
import {
Dialog,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
DialogTrigger,
} from "@/components/ui/dialog";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
const DEFAULT_SCOPES = ["openid", "email", "profile"];
interface RegisterOidcDialogProps {
children: React.ReactNode;
onSuccess?: () => void;
}
export function RegisterOidcDialog({ children, onSuccess }: RegisterOidcDialogProps) {
const [open, setOpen] = useState(false);
const [isSubmitting, setIsSubmitting] = useState(false);
const [form, setForm] = useState({
providerId: "",
issuer: "",
domain: "",
clientId: "",
clientSecret: "",
scopes: DEFAULT_SCOPES.join(" "),
});
const handleSubmit = async (e: React.FormEvent) => {
e.preventDefault();
if (
!form.providerId.trim() ||
!form.issuer.trim() ||
!form.domain.trim() ||
!form.clientId.trim() ||
!form.clientSecret.trim()
) {
toast.error("Please fill in all required fields");
return;
}
setIsSubmitting(true);
try {
const scopes = form.scopes
.trim()
.split(/\s+/)
.filter(Boolean);
const { data, error } = await authClient.sso.register({
providerId: form.providerId.trim(),
issuer: form.issuer.trim(),
domain: form.domain.trim(),
oidcConfig: {
clientId: form.clientId.trim(),
clientSecret: form.clientSecret.trim(),
scopes: scopes.length > 0 ? scopes : DEFAULT_SCOPES,
pkce: true,
},
});
if (error) {
toast.error(error.message ?? "Failed to register SSO provider");
return;
}
toast.success("OIDC provider registered successfully");
setForm({
providerId: "",
issuer: "",
domain: "",
clientId: "",
clientSecret: "",
scopes: DEFAULT_SCOPES.join(" "),
});
setOpen(false);
onSuccess?.();
} catch (err) {
toast.error(
err instanceof Error ? err.message : "Failed to register SSO provider",
);
} finally {
setIsSubmitting(false);
}
};
return (
<Dialog open={open} onOpenChange={setOpen}>
<DialogTrigger asChild>{children}</DialogTrigger>
<DialogContent className="sm:max-w-[500px]">
<DialogHeader>
<DialogTitle>Register OIDC provider</DialogTitle>
<DialogDescription>
Add an OpenID Connect (OIDC) identity provider. Discovery will
fill endpoints from the issuer URL when possible.
</DialogDescription>
</DialogHeader>
<form onSubmit={handleSubmit} className="space-y-4">
<div className="grid gap-2">
<Label htmlFor="providerId">Provider ID</Label>
<Input
id="providerId"
placeholder="e.g. okta or my-idp"
value={form.providerId}
onChange={(e) =>
setForm((f) => ({ ...f, providerId: e.target.value }))
}
/>
<p className="text-xs text-muted-foreground">
Unique identifier; used in callback URL path.
</p>
</div>
<div className="grid gap-2">
<Label htmlFor="issuer">Issuer URL</Label>
<Input
id="issuer"
placeholder="https://idp.example.com"
value={form.issuer}
onChange={(e) =>
setForm((f) => ({ ...f, issuer: e.target.value }))
}
/>
<p className="text-xs text-muted-foreground">
Discovery document is fetched from{" "}
<code className="rounded bg-muted px-1">
{"{issuer}"}/.well-known/openid-configuration
</code>
</p>
</div>
<div className="grid gap-2">
<Label htmlFor="domain">Domain</Label>
<Input
id="domain"
placeholder="example.com"
value={form.domain}
onChange={(e) =>
setForm((f) => ({ ...f, domain: e.target.value }))
}
/>
<p className="text-xs text-muted-foreground">
Email domain(s) that use this provider (e.g. for sign-in by email).
</p>
</div>
<div className="grid gap-2">
<Label htmlFor="clientId">Client ID</Label>
<Input
id="clientId"
placeholder="Client ID from IdP"
value={form.clientId}
onChange={(e) =>
setForm((f) => ({ ...f, clientId: e.target.value }))
}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="clientSecret">Client secret</Label>
<Input
id="clientSecret"
type="password"
placeholder="Client secret from IdP"
value={form.clientSecret}
onChange={(e) =>
setForm((f) => ({ ...f, clientSecret: e.target.value }))
}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="scopes">Scopes (optional)</Label>
<Input
id="scopes"
placeholder="openid email profile"
value={form.scopes}
onChange={(e) =>
setForm((f) => ({ ...f, scopes: e.target.value }))
}
/>
</div>
<DialogFooter>
<Button
type="button"
variant="outline"
onClick={() => setOpen(false)}
disabled={isSubmitting}
>
Cancel
</Button>
<Button type="submit" disabled={isSubmitting}>
{isSubmitting && (
<Loader2 className="mr-2 size-4 animate-spin" />
)}
Register provider
</Button>
</DialogFooter>
</form>
</DialogContent>
</Dialog>
);
}

View File

@@ -0,0 +1,263 @@
"use client";
import { Loader2, LogIn, ShieldCheck, Trash2 } from "lucide-react";
import { useState } from "react";
import { toast } from "sonner";
import { DialogAction } from "@/components/shared/dialog-action";
import { Badge } from "@/components/ui/badge";
import { Button } from "@/components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "@/components/ui/card";
import { authClient } from "@/lib/auth-client";
import { api } from "@/utils/api";
import { RegisterOidcDialog } from "./register-oidc-dialog";
export function SSOSettings() {
const utils = api.useUtils();
const { data: providers, isLoading } = api.sso.listProviders.useQuery();
const { mutateAsync: deleteProvider, isLoading: isDeleting } =
api.sso.deleteProvider.useMutation();
const [verifyingId, setVerifyingId] = useState<string | null>(null);
const [requestingVerificationId, setRequestingVerificationId] = useState<
string | null
>(null);
const handleVerifyDomain = async (providerId: string) => {
setVerifyingId(providerId);
try {
const { data, error } = await authClient.sso.verifyDomain({
providerId,
});
if (error) {
toast.error(error.message ?? "Domain verification failed");
return;
}
toast.success("Domain verified successfully");
await utils.sso.listProviders.invalidate();
} catch (err) {
toast.error(
err instanceof Error ? err.message : "Domain verification failed",
);
} finally {
setVerifyingId(null);
}
};
const handleRequestDomainVerification = async (providerId: string) => {
setRequestingVerificationId(providerId);
try {
const { data, error } = await authClient.sso.requestDomainVerification({
providerId,
});
if (error) {
toast.error(error.message ?? "Failed to request domain verification");
return;
}
toast.success(
"Verification token created. Add the TXT DNS record and verify.",
);
await utils.sso.listProviders.invalidate();
} catch (err) {
toast.error(
err instanceof Error
? err.message
: "Failed to request domain verification",
);
} finally {
setRequestingVerificationId(null);
}
};
return (
<div className="flex flex-col gap-4 rounded-lg border p-4">
<div className="flex flex-col gap-2">
<div className="flex items-center gap-2">
<LogIn className="size-6 text-muted-foreground" />
<CardTitle className="text-xl">Single Sign-On (SSO)</CardTitle>
</div>
<CardDescription>
Configure OIDC or SAML identity providers for enterprise sign-in.
Users can sign in with their organization&apos;s IdP.
</CardDescription>
</div>
{isLoading ? (
<div className="flex items-center gap-2 justify-center min-h-[25vh]">
<Loader2 className="size-6 text-muted-foreground animate-spin" />
<span className="text-sm text-muted-foreground">
Loading providers...
</span>
</div>
) : (
<>
{providers && providers.length > 0 && (
<div className="flex flex-wrap items-center gap-2">
<RegisterOidcDialog
onSuccess={() => utils.sso.listProviders.invalidate()}
>
<Button variant="secondary" size="sm">
<LogIn className="mr-2 size-4" />
Add OIDC provider
</Button>
</RegisterOidcDialog>
<span className="text-xs text-muted-foreground">
SAML support can be added via API or future UI.
</span>
</div>
)}
{providers && providers.length > 0 ? (
<div className="space-y-3">
<span className="text-sm font-medium">Registered providers</span>
<div className="grid gap-3 sm:grid-cols-2">
{providers.map((provider) => {
const isOidc = !!provider.oidcConfig;
const isSaml = !!provider.samlConfig;
const verified = !!provider.domainVerified;
return (
<Card key={provider.id} className="overflow-hidden">
<CardHeader className="pb-2">
<div className="flex items-start justify-between gap-2">
<div className="flex flex-col gap-1">
<CardTitle className="text-base font-medium">
{provider.providerId}
</CardTitle>
<CardDescription className="text-xs">
{provider.issuer}
</CardDescription>
<div className="flex flex-wrap gap-1 mt-1">
<Badge variant="secondary" className="text-xs">
{provider.domain}
</Badge>
{isOidc && (
<Badge variant="outline" className="text-xs">
OIDC
</Badge>
)}
{isSaml && (
<Badge variant="outline" className="text-xs">
SAML
</Badge>
)}
{verified && (
<Badge
variant="default"
className="text-xs bg-green-600"
>
Verified
</Badge>
)}
</div>
</div>
</div>
</CardHeader>
<CardContent className="flex flex-wrap gap-2 pt-0">
{!verified && (
<>
<Button
variant="outline"
size="sm"
disabled={verifyingId === provider.providerId}
onClick={() =>
handleVerifyDomain(provider.providerId)
}
>
{verifyingId === provider.providerId ? (
<Loader2 className="mr-1 size-3 animate-spin" />
) : (
<ShieldCheck className="mr-1 size-3" />
)}
Verify domain
</Button>
<Button
variant="ghost"
size="sm"
disabled={
requestingVerificationId === provider.providerId
}
onClick={() =>
handleRequestDomainVerification(
provider.providerId,
)
}
>
{requestingVerificationId ===
provider.providerId ? (
<Loader2 className="mr-1 size-3 animate-spin" />
) : null}
New verification token
</Button>
</>
)}
<DialogAction
title="Remove SSO provider"
description={`Remove provider "${provider.providerId}"? Users will no longer be able to sign in with this IdP.`}
type="destructive"
onClick={async () => {
try {
await deleteProvider({
providerId: provider.providerId,
});
toast.success("Provider removed");
await utils.sso.listProviders.invalidate();
} catch (err) {
toast.error(
err instanceof Error
? err.message
: "Failed to remove provider",
);
}
}}
>
<Button
variant="ghost"
size="sm"
className="text-destructive hover:text-destructive"
disabled={isDeleting}
>
<Trash2 className="mr-1 size-3" />
Remove
</Button>
</DialogAction>
</CardContent>
</Card>
);
})}
</div>
</div>
) : (
<div className="flex flex-col items-center gap-4 justify-center min-h-[30vh] text-center">
<div className="flex flex-col items-center gap-2 max-w-[400px]">
<div className="rounded-full bg-muted p-4">
<LogIn className="size-8 text-muted-foreground" />
</div>
<div className="space-y-1">
<h3 className="text-lg font-semibold">No SSO providers</h3>
<p className="text-sm text-muted-foreground">
Add an OIDC provider to allow users to sign in with their
organization&apos;s identity provider (e.g. Okta, Azure AD).
</p>
</div>
</div>
<RegisterOidcDialog
onSuccess={() => utils.sso.listProviders.invalidate()}
>
<Button variant="secondary">
<LogIn className="mr-2 size-4" />
Add OIDC provider
</Button>
</RegisterOidcDialog>
</div>
)}
</>
)}
</div>
);
}

View File

@@ -0,0 +1,13 @@
CREATE TABLE "sso_provider" (
"id" text PRIMARY KEY NOT NULL,
"issuer" text NOT NULL,
"oidc_config" text,
"saml_config" text,
"user_id" text,
"provider_id" text NOT NULL,
"organization_id" text,
"domain" text NOT NULL,
CONSTRAINT "sso_provider_provider_id_unique" UNIQUE("provider_id")
);
--> statement-breakpoint
ALTER TABLE "sso_provider" ADD CONSTRAINT "sso_provider_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;

File diff suppressed because it is too large Load Diff

View File

@@ -967,6 +967,13 @@
"when": 1769616589728,
"tag": "0137_naive_power_pack",
"breakpoints": true
},
{
"idx": 138,
"version": "7",
"when": 1769745328628,
"tag": "0138_common_mathemanic",
"breakpoints": true
}
]
}

View File

@@ -1,3 +1,4 @@
import { ssoClient } from "@better-auth/sso/client";
import {
adminClient,
apiKeyClient,
@@ -13,6 +14,7 @@ export const authClient = createAuthClient({
organizationClient(),
twoFactorClient(),
apiKeyClient(),
ssoClient(),
adminClient(),
inferAdditionalFields({
user: {

View File

@@ -37,6 +37,7 @@
"generate:openapi": "tsx -r dotenv/config scripts/generate-openapi.ts"
},
"dependencies": {
"@better-auth/sso": "1.4.18",
"@ai-sdk/anthropic": "^2.0.5",
"@ai-sdk/azure": "^2.0.16",
"@ai-sdk/cohere": "^2.0.4",
@@ -94,7 +95,7 @@
"ai": "^5.0.17",
"ai-sdk-ollama": "^0.5.1",
"bcrypt": "5.1.1",
"better-auth": "v1.2.8",
"better-auth": "1.4.18",
"bl": "6.0.11",
"boxen": "^7.1.1",
"bullmq": "5.4.2",

View File

@@ -0,0 +1,84 @@
import { IS_CLOUD, validateRequest } from "@dokploy/server";
import { createServerSideHelpers } from "@trpc/react-query/server";
import type { GetServerSidePropsContext } from "next";
import type { ReactElement } from "react";
import superjson from "superjson";
import { DashboardLayout } from "@/components/layouts/dashboard-layout";
import { SSOSettings } from "@/components/proprietary/sso/sso-settings";
import { Card } from "@/components/ui/card";
import { appRouter } from "@/server/api/root";
import { getLocale, serverSideTranslations } from "@/utils/i18n";
const Page = () => {
return (
<div className="w-full">
<div className="h-full rounded-xl max-w-5xl mx-auto flex flex-col gap-4">
<Card className="h-full bg-sidebar p-2.5 rounded-xl mx-auto w-full">
<div className="rounded-xl bg-background shadow-md">
<div className="p-6">
<SSOSettings />
</div>
</div>
</Card>
</div>
</div>
);
};
export default Page;
Page.getLayout = (page: ReactElement) => {
return <DashboardLayout metaName="SSO">{page}</DashboardLayout>;
};
export async function getServerSideProps(
ctx: GetServerSidePropsContext<Record<string, unknown>>,
) {
const { req, res } = ctx;
const locale = await getLocale(req.cookies);
if (IS_CLOUD) {
return {
redirect: {
permanent: true,
destination: "/dashboard/projects",
},
};
}
const { user, session } = await validateRequest(ctx.req);
if (!user) {
return {
redirect: {
permanent: true,
destination: "/",
},
};
}
if (user.role === "member") {
return {
redirect: {
permanent: true,
destination: "/dashboard/settings/profile",
},
};
}
const helpers = createServerSideHelpers({
router: appRouter,
ctx: {
req: req as any,
res: res as any,
db: null as any,
session: session as any,
user: user as any,
},
transformer: superjson,
});
await helpers.user.get.prefetch();
return {
props: {
trpcState: helpers.dehydrate(),
...(await serverSideTranslations(locale, ["settings"])),
},
};
}

View File

@@ -23,6 +23,7 @@ import { mysqlRouter } from "./routers/mysql";
import { notificationRouter } from "./routers/notification";
import { organizationRouter } from "./routers/organization";
import { licenseKeyRouter } from "./routers/proprietary/license-key";
import { ssoRouter } from "./routers/proprietary/sso";
import { portRouter } from "./routers/port";
import { postgresRouter } from "./routers/postgres";
import { previewDeploymentRouter } from "./routers/preview-deployment";
@@ -84,6 +85,7 @@ export const appRouter = createTRPCRouter({
ai: aiRouter,
organization: organizationRouter,
licenseKey: licenseKeyRouter,
sso: ssoRouter,
schedule: scheduleRouter,
rollback: rollbackRouter,
volumeBackups: volumeBackupsRouter,

View File

@@ -0,0 +1,48 @@
import { ssoProvider } from "@dokploy/server/db/schema";
import { TRPCError } from "@trpc/server";
import { and, eq } from "drizzle-orm";
import { z } from "zod";
import { adminProcedure, createTRPCRouter } from "@/server/api/trpc";
import { db } from "@/server/db";
export const ssoRouter = createTRPCRouter({
listProviders: adminProcedure.query(async ({ ctx }) => {
const providers = await db.query.ssoProvider.findMany({
where: eq(ssoProvider.userId, ctx.user.id),
columns: {
id: true,
providerId: true,
issuer: true,
domain: true,
oidcConfig: true,
samlConfig: true,
organizationId: true,
},
});
return providers;
}),
deleteProvider: adminProcedure
.input(z.object({ providerId: z.string().min(1) }))
.mutation(async ({ ctx, input }) => {
const [deleted] = await db
.delete(ssoProvider)
.where(
and(
eq(ssoProvider.providerId, input.providerId),
eq(ssoProvider.userId, ctx.user.id),
),
)
.returning({ id: ssoProvider.id });
if (!deleted) {
throw new TRPCError({
code: "NOT_FOUND",
message:
"SSO provider not found or you do not have permission to delete it",
});
}
return { success: true };
}),
});