mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-12 06:30:53 -06:00
5c11010095
- Add AUTH_METHOD switch (local | oidc | both); default remains local - Update login UI to conditionally show SSO button and/or local form - Add Authlib and initialize OAuth client (discovery-based) in app factory - Implement OIDC Authorization Code flow with PKCE: - GET /login/oidc → starts auth flow, preserves `next` - GET /auth/oidc/callback → exchanges code, parses ID token, fetches userinfo - Maps claims to username/full_name/email; admin mapping via group/email - Logs user in and redirects to intended page - Add optional OIDC end-session on logout (falls back gracefully if unsupported) - Extend User model with `email`, `oidc_issuer`, `oidc_sub` and unique constraint - Add Alembic migration 015 (adds columns, index, unique constraint) - Update env.example with OIDC variables and AUTH_METHOD - Add docs/OIDC_SETUP.md with provider-agnostic setup guide and examples - fix: remove invalid walrus usage in OIDC client registration Migration: - Run database migrations (e.g., `flask db upgrade`) to apply revision 015 Config: - AUTH_METHOD=local|oidc|both - OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI - OIDC_SCOPES (default: "openid profile email") - OIDC_USERNAME_CLAIM, OIDC_FULL_NAME_CLAIM, OIDC_EMAIL_CLAIM, OIDC_GROUPS_CLAIM - OIDC_ADMIN_GROUP (optional), OIDC_ADMIN_EMAILS (optional) - OIDC_POST_LOGOUT_REDIRECT_URI (optional) Routes: - /login (respects AUTH_METHOD), /login/oidc, /auth/oidc/callback, /logout Docs: - See docs/OIDC_SETUP.md for full setup, provider notes, and troubleshooting