Implement Single Sign-On (SSO) Feature: Add SSO settings page, integrate OIDC provider registration dialog, and update dependencies for better-auth to version 1.4.18. Enhance user interface with new SSO menu item and improve database schema for SSO providers.

This commit is contained in:
Mauricio Siu
2026-01-29 22:01:48 -06:00
parent 2e7f4dc1a2
commit 7f27601f7f
18 changed files with 9691 additions and 281 deletions

View File

@@ -30,6 +30,7 @@ import {
Trash2,
User,
Users,
LogIn,
} from "lucide-react";
import Link from "next/link";
import { usePathname } from "next/navigation";
@@ -406,6 +407,15 @@ const MENU: Menu = {
isEnabled: ({ auth, isCloud }) =>
!!((auth?.role === "owner" || auth?.role === "admin") && !isCloud),
},
{
isSingle: true,
title: "SSO",
url: "/dashboard/settings/sso",
icon: LogIn,
// Only enabled for admins in non-cloud environments (enterprise)
isEnabled: ({ auth, isCloud }) =>
!!((auth?.role === "owner" || auth?.role === "admin") && !isCloud),
},
],
help: [

View File

@@ -0,0 +1,206 @@
"use client";
import { Loader2 } from "lucide-react";
import { useState } from "react";
import { toast } from "sonner";
import { authClient } from "@/lib/auth-client";
import { Button } from "@/components/ui/button";
import {
Dialog,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
DialogTrigger,
} from "@/components/ui/dialog";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
const DEFAULT_SCOPES = ["openid", "email", "profile"];
interface RegisterOidcDialogProps {
children: React.ReactNode;
onSuccess?: () => void;
}
export function RegisterOidcDialog({ children, onSuccess }: RegisterOidcDialogProps) {
const [open, setOpen] = useState(false);
const [isSubmitting, setIsSubmitting] = useState(false);
const [form, setForm] = useState({
providerId: "",
issuer: "",
domain: "",
clientId: "",
clientSecret: "",
scopes: DEFAULT_SCOPES.join(" "),
});
const handleSubmit = async (e: React.FormEvent) => {
e.preventDefault();
if (
!form.providerId.trim() ||
!form.issuer.trim() ||
!form.domain.trim() ||
!form.clientId.trim() ||
!form.clientSecret.trim()
) {
toast.error("Please fill in all required fields");
return;
}
setIsSubmitting(true);
try {
const scopes = form.scopes
.trim()
.split(/\s+/)
.filter(Boolean);
const { data, error } = await authClient.sso.register({
providerId: form.providerId.trim(),
issuer: form.issuer.trim(),
domain: form.domain.trim(),
oidcConfig: {
clientId: form.clientId.trim(),
clientSecret: form.clientSecret.trim(),
scopes: scopes.length > 0 ? scopes : DEFAULT_SCOPES,
pkce: true,
},
});
if (error) {
toast.error(error.message ?? "Failed to register SSO provider");
return;
}
toast.success("OIDC provider registered successfully");
setForm({
providerId: "",
issuer: "",
domain: "",
clientId: "",
clientSecret: "",
scopes: DEFAULT_SCOPES.join(" "),
});
setOpen(false);
onSuccess?.();
} catch (err) {
toast.error(
err instanceof Error ? err.message : "Failed to register SSO provider",
);
} finally {
setIsSubmitting(false);
}
};
return (
<Dialog open={open} onOpenChange={setOpen}>
<DialogTrigger asChild>{children}</DialogTrigger>
<DialogContent className="sm:max-w-[500px]">
<DialogHeader>
<DialogTitle>Register OIDC provider</DialogTitle>
<DialogDescription>
Add an OpenID Connect (OIDC) identity provider. Discovery will
fill endpoints from the issuer URL when possible.
</DialogDescription>
</DialogHeader>
<form onSubmit={handleSubmit} className="space-y-4">
<div className="grid gap-2">
<Label htmlFor="providerId">Provider ID</Label>
<Input
id="providerId"
placeholder="e.g. okta or my-idp"
value={form.providerId}
onChange={(e) =>
setForm((f) => ({ ...f, providerId: e.target.value }))
}
/>
<p className="text-xs text-muted-foreground">
Unique identifier; used in callback URL path.
</p>
</div>
<div className="grid gap-2">
<Label htmlFor="issuer">Issuer URL</Label>
<Input
id="issuer"
placeholder="https://idp.example.com"
value={form.issuer}
onChange={(e) =>
setForm((f) => ({ ...f, issuer: e.target.value }))
}
/>
<p className="text-xs text-muted-foreground">
Discovery document is fetched from{" "}
<code className="rounded bg-muted px-1">
{"{issuer}"}/.well-known/openid-configuration
</code>
</p>
</div>
<div className="grid gap-2">
<Label htmlFor="domain">Domain</Label>
<Input
id="domain"
placeholder="example.com"
value={form.domain}
onChange={(e) =>
setForm((f) => ({ ...f, domain: e.target.value }))
}
/>
<p className="text-xs text-muted-foreground">
Email domain(s) that use this provider (e.g. for sign-in by email).
</p>
</div>
<div className="grid gap-2">
<Label htmlFor="clientId">Client ID</Label>
<Input
id="clientId"
placeholder="Client ID from IdP"
value={form.clientId}
onChange={(e) =>
setForm((f) => ({ ...f, clientId: e.target.value }))
}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="clientSecret">Client secret</Label>
<Input
id="clientSecret"
type="password"
placeholder="Client secret from IdP"
value={form.clientSecret}
onChange={(e) =>
setForm((f) => ({ ...f, clientSecret: e.target.value }))
}
/>
</div>
<div className="grid gap-2">
<Label htmlFor="scopes">Scopes (optional)</Label>
<Input
id="scopes"
placeholder="openid email profile"
value={form.scopes}
onChange={(e) =>
setForm((f) => ({ ...f, scopes: e.target.value }))
}
/>
</div>
<DialogFooter>
<Button
type="button"
variant="outline"
onClick={() => setOpen(false)}
disabled={isSubmitting}
>
Cancel
</Button>
<Button type="submit" disabled={isSubmitting}>
{isSubmitting && (
<Loader2 className="mr-2 size-4 animate-spin" />
)}
Register provider
</Button>
</DialogFooter>
</form>
</DialogContent>
</Dialog>
);
}

View File

@@ -0,0 +1,263 @@
"use client";
import { Loader2, LogIn, ShieldCheck, Trash2 } from "lucide-react";
import { useState } from "react";
import { toast } from "sonner";
import { DialogAction } from "@/components/shared/dialog-action";
import { Badge } from "@/components/ui/badge";
import { Button } from "@/components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "@/components/ui/card";
import { authClient } from "@/lib/auth-client";
import { api } from "@/utils/api";
import { RegisterOidcDialog } from "./register-oidc-dialog";
export function SSOSettings() {
const utils = api.useUtils();
const { data: providers, isLoading } = api.sso.listProviders.useQuery();
const { mutateAsync: deleteProvider, isLoading: isDeleting } =
api.sso.deleteProvider.useMutation();
const [verifyingId, setVerifyingId] = useState<string | null>(null);
const [requestingVerificationId, setRequestingVerificationId] = useState<
string | null
>(null);
const handleVerifyDomain = async (providerId: string) => {
setVerifyingId(providerId);
try {
const { data, error } = await authClient.sso.verifyDomain({
providerId,
});
if (error) {
toast.error(error.message ?? "Domain verification failed");
return;
}
toast.success("Domain verified successfully");
await utils.sso.listProviders.invalidate();
} catch (err) {
toast.error(
err instanceof Error ? err.message : "Domain verification failed",
);
} finally {
setVerifyingId(null);
}
};
const handleRequestDomainVerification = async (providerId: string) => {
setRequestingVerificationId(providerId);
try {
const { data, error } = await authClient.sso.requestDomainVerification({
providerId,
});
if (error) {
toast.error(error.message ?? "Failed to request domain verification");
return;
}
toast.success(
"Verification token created. Add the TXT DNS record and verify.",
);
await utils.sso.listProviders.invalidate();
} catch (err) {
toast.error(
err instanceof Error
? err.message
: "Failed to request domain verification",
);
} finally {
setRequestingVerificationId(null);
}
};
return (
<div className="flex flex-col gap-4 rounded-lg border p-4">
<div className="flex flex-col gap-2">
<div className="flex items-center gap-2">
<LogIn className="size-6 text-muted-foreground" />
<CardTitle className="text-xl">Single Sign-On (SSO)</CardTitle>
</div>
<CardDescription>
Configure OIDC or SAML identity providers for enterprise sign-in.
Users can sign in with their organization&apos;s IdP.
</CardDescription>
</div>
{isLoading ? (
<div className="flex items-center gap-2 justify-center min-h-[25vh]">
<Loader2 className="size-6 text-muted-foreground animate-spin" />
<span className="text-sm text-muted-foreground">
Loading providers...
</span>
</div>
) : (
<>
{providers && providers.length > 0 && (
<div className="flex flex-wrap items-center gap-2">
<RegisterOidcDialog
onSuccess={() => utils.sso.listProviders.invalidate()}
>
<Button variant="secondary" size="sm">
<LogIn className="mr-2 size-4" />
Add OIDC provider
</Button>
</RegisterOidcDialog>
<span className="text-xs text-muted-foreground">
SAML support can be added via API or future UI.
</span>
</div>
)}
{providers && providers.length > 0 ? (
<div className="space-y-3">
<span className="text-sm font-medium">Registered providers</span>
<div className="grid gap-3 sm:grid-cols-2">
{providers.map((provider) => {
const isOidc = !!provider.oidcConfig;
const isSaml = !!provider.samlConfig;
const verified = !!provider.domainVerified;
return (
<Card key={provider.id} className="overflow-hidden">
<CardHeader className="pb-2">
<div className="flex items-start justify-between gap-2">
<div className="flex flex-col gap-1">
<CardTitle className="text-base font-medium">
{provider.providerId}
</CardTitle>
<CardDescription className="text-xs">
{provider.issuer}
</CardDescription>
<div className="flex flex-wrap gap-1 mt-1">
<Badge variant="secondary" className="text-xs">
{provider.domain}
</Badge>
{isOidc && (
<Badge variant="outline" className="text-xs">
OIDC
</Badge>
)}
{isSaml && (
<Badge variant="outline" className="text-xs">
SAML
</Badge>
)}
{verified && (
<Badge
variant="default"
className="text-xs bg-green-600"
>
Verified
</Badge>
)}
</div>
</div>
</div>
</CardHeader>
<CardContent className="flex flex-wrap gap-2 pt-0">
{!verified && (
<>
<Button
variant="outline"
size="sm"
disabled={verifyingId === provider.providerId}
onClick={() =>
handleVerifyDomain(provider.providerId)
}
>
{verifyingId === provider.providerId ? (
<Loader2 className="mr-1 size-3 animate-spin" />
) : (
<ShieldCheck className="mr-1 size-3" />
)}
Verify domain
</Button>
<Button
variant="ghost"
size="sm"
disabled={
requestingVerificationId === provider.providerId
}
onClick={() =>
handleRequestDomainVerification(
provider.providerId,
)
}
>
{requestingVerificationId ===
provider.providerId ? (
<Loader2 className="mr-1 size-3 animate-spin" />
) : null}
New verification token
</Button>
</>
)}
<DialogAction
title="Remove SSO provider"
description={`Remove provider "${provider.providerId}"? Users will no longer be able to sign in with this IdP.`}
type="destructive"
onClick={async () => {
try {
await deleteProvider({
providerId: provider.providerId,
});
toast.success("Provider removed");
await utils.sso.listProviders.invalidate();
} catch (err) {
toast.error(
err instanceof Error
? err.message
: "Failed to remove provider",
);
}
}}
>
<Button
variant="ghost"
size="sm"
className="text-destructive hover:text-destructive"
disabled={isDeleting}
>
<Trash2 className="mr-1 size-3" />
Remove
</Button>
</DialogAction>
</CardContent>
</Card>
);
})}
</div>
</div>
) : (
<div className="flex flex-col items-center gap-4 justify-center min-h-[30vh] text-center">
<div className="flex flex-col items-center gap-2 max-w-[400px]">
<div className="rounded-full bg-muted p-4">
<LogIn className="size-8 text-muted-foreground" />
</div>
<div className="space-y-1">
<h3 className="text-lg font-semibold">No SSO providers</h3>
<p className="text-sm text-muted-foreground">
Add an OIDC provider to allow users to sign in with their
organization&apos;s identity provider (e.g. Okta, Azure AD).
</p>
</div>
</div>
<RegisterOidcDialog
onSuccess={() => utils.sso.listProviders.invalidate()}
>
<Button variant="secondary">
<LogIn className="mr-2 size-4" />
Add OIDC provider
</Button>
</RegisterOidcDialog>
</div>
)}
</>
)}
</div>
);
}