feat(web): add OIDC SSO login support (#1943)

2026-05-07 02:09:06 +00:00 · 2026-03-03 18:23:31 +08:00
parent d4ff0b1767
commit ff24332e23
16 changed files with 1300 additions and 156 deletions
@@ -126,12 +126,22 @@ struct Cli {
    )]
    api_host: Option<url::Url>,

-    #[arg(
-        long,
-        default_value = "false",
-        help = t!("cli.disable_registration").to_string(),
-    )]
-    disable_registration: bool,
+    #[command(flatten)]
+    feature_flags: FeatureFlags,
+
+    #[command(flatten)]
+    oidc: restful::oidc::OidcOptions,
+}
+
+#[derive(Debug, Clone, Default, clap::Args)]
+pub struct FeatureFlags {
+    /// Whether user registration via the web UI is disabled.
+    #[arg(long, default_value = "false", help = t!("cli.disable_registration").to_string())]
+    pub disable_registration: bool,
+
+    /// Whether to auto-create users when they connect via heartbeat with an unknown token.
+    #[arg(long, default_value = "false", help = t!("cli.allow_auto_create_user").to_string())]
+    pub allow_auto_create_user: bool,
 }

 impl LoggingConfigLoader for &Cli {
@@ -197,9 +207,37 @@ async fn main() {
    let cli = Cli::parse();
    init_logger(&cli, false).unwrap();

+    // Validate OIDC configuration: check split-deploy specific requirements
+    // Basic OIDC parameter validation is handled in OidcConfig::from_params
+    if cli.oidc.any_param_provided() {
+        let is_split_deploy = {
+            #[cfg(feature = "embed")]
+            {
+                let embed_split_by_port = cli.web_server_port.is_some()
+                    && cli.web_server_port != Some(cli.api_server_port);
+                cli.no_web || embed_split_by_port
+            }
+            #[cfg(not(feature = "embed"))]
+            {
+                true
+            }
+        };
+
+        if is_split_deploy && cli.oidc.oidc_frontend_base_url.is_none() {
+            eprintln!("Error: --oidc-frontend-base-url is required in split-deploy mode");
+            eprintln!(
+                "When frontend and API are deployed separately, you must specify the frontend URL"
+            );
+            eprintln!("Example: --oidc-frontend-base-url http://your-frontend-domain.com");
+            std::process::exit(1);
+        }
+    }
+
    // let db = db::Db::new(":memory:").await.unwrap();
    let db = db::Db::new(cli.db).await.unwrap();
-    let mut mgr = client_manager::ClientManager::new(db.clone(), cli.geoip_db);
+    let feature_flags = Arc::new(cli.feature_flags);
+    let mut mgr =
+        client_manager::ClientManager::new(db.clone(), cli.geoip_db, feature_flags.clone());
    let (v6_listener, v4_listener) =
        get_dual_stack_listener(&cli.config_server_protocol, cli.config_server_port)
            .await
@@ -233,12 +271,26 @@ async fn main() {
    #[cfg(not(feature = "embed"))]
    let web_router_restful = None;

+    let oidc_config = if cli.oidc.oidc_issuer_url.is_some() {
+        match restful::oidc::OidcConfig::from_params(cli.oidc).await {
+            Ok(config) => config,
+            Err(e) => {
+                eprintln!("Failed to initialize OIDC: {:?}", e);
+                eprintln!("Please check your OIDC configuration (issuer URL, client ID, etc.)");
+                std::process::exit(1);
+            }
+        }
+    } else {
+        restful::oidc::OidcConfig::disabled()
+    };
+
    let _restful_server_tasks = restful::RestfulServer::new(
        std::net::SocketAddr::new(cli.api_server_addr, cli.api_server_port),
        mgr.clone(),
        db,
        web_router_restful,
-        cli.disable_registration,
+        feature_flags,
+        oidc_config,
    )
    .await
    .unwrap()