SSO using OpenID Connect (#3899)

* Add SSO functionality using OpenID Connect

Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>

* Improvements and error handling

* Stop rolling device token

* Add playwright tests

* Activate PKCE by default

* Ensure result order when searching for sso_user

* add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION

* Toggle SSO button in scss

* Base64 encode state before sending it to providers

* Prevent disabled User from SSO login

* Review fixes

* Remove unused UserOrganization.invited_by_email

* Split SsoUser::find_by_identifier_or_email

* api::Accounts::verify_password add the policy even if it's ignored

* Disable signups if SSO_ONLY is activated

* Add verifiedDate to organizations::get_org_domain_sso_details

* Review fixes

* Remove OrganizationId guard from get_master_password_policy

* Add wrapper type OIDCCode OIDCState OIDCIdentifier

* Membership::confirm_user_invitations fix and tests

* Allow set-password only if account is unitialized

* Review fixes

* Prevent accepting another user invitation

* Log password change event on SSO account creation

* Unify master password policy resolution

* Upgrade openidconnect to 4.0.0

* Revert "Remove unused UserOrganization.invited_by_email"

This reverts commit 548e19995e141314af98a10d170ea7371f02fab4.

* Process org enrollment in accounts::post_set_password

* Improve tests

* Pass the claim invited_by_email in case it was not in db

* Add Slack configuration hints

* Fix playwright tests

* Skip broken tests

* Add sso identifier in admin user panel

* Remove duplicate expiration check, add a log

* Augment mobile refresh_token validity

* Rauthy configuration hints

* Fix playwright tests

* Playwright upgrade and conf improvement

* Playwright tests improvements

* 2FA email and device creation change

* Fix and improve Playwright tests

* Minor improvements

* Fix enforceOnLogin org policies

* Run playwright sso tests against correct db

* PKCE should now work with Zitadel

* Playwright upgrade maildev to use MailBuffer.expect

* Upgrades playwright tests deps

* Check email_verified in id_token and user_info

* Add sso verified endpoint for v2025.6.0

* Fix playwright tests

* Create a separate sso_client

* Upgrade openidconnect to 4.0.1

* Server settings for login fields toggle

* Use only css for login fields

* Fix playwright test

* Review fix

* More review fix

* Perform same checks when setting kdf

---------

Co-authored-by: Felix Eckhofer <felix@eckhofer.com>
Co-authored-by: Pablo Ovelleiro Corral <mail@pablo.tools>
Co-authored-by: Stuart Heap <sheap13@gmail.com>
Co-authored-by: Alex Moore <skiepp@my-dockerfarm.cloud>
Co-authored-by: Brian Munro <brian.alexander.munro@gmail.com>
Co-authored-by: Jacques B. <timshel@github.com>
Co-authored-by: Timshel <timshel@480s>

.env.template

@@ -174,6 +174,10 @@
 ## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
 ## Defaults to every minute. Set blank to disable this job.
 # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
+#
+## Cron schedule of the job that cleans sso nonce from incomplete flow
+## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
+# PURGE_INCOMPLETE_SSO_NONCE="0 20 0 * * *"
 
 ########################
 ### General settings ###
@@ -459,6 +463,55 @@
 ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
 # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
 
+#####################################
+### SSO settings (OpenID Connect) ###
+#####################################
+
+## Controls whether users can login using an OpenID Connect identity provider
+# SSO_ENABLED=false
+
+## Prevent users from logging in directly without going through SSO
+# SSO_ONLY=false
+
+## On SSO Signup if a user with a matching email already exists make the association
+# SSO_SIGNUPS_MATCH_EMAIL=true
+
+## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
+# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
+
+## Base URL of the OIDC server (auto-discovery is used)
+##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
+##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+# SSO_AUTHORITY=https://auth.example.com
+
+## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
+#SSO_SCOPES="email profile"
+
+## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
+# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
+
+## Activate PKCE for the Auth Code flow.
+# SSO_PKCE=true
+
+## Regex for additional trusted Id token audience (by default only the client_id is trusted).
+# SSO_AUDIENCE_TRUSTED='^$'
+
+## Set your Client ID and Client Key
+# SSO_CLIENT_ID=11111
+# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
+
+## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
+# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+
+## Use sso only for authentication not the session lifecycle
+# SSO_AUTH_ONLY_NOT_SESSION=false
+
+## Client cache for discovery endpoint. Duration in seconds (0 to disable).
+# SSO_CLIENT_CACHE_EXPIRATION=0
+
+## Log all the tokens, LOG_LEVEL=debug is required
+# SSO_DEBUG_TOKENS=false
+
 ########################
 ### MFA/2FA settings ###
 ########################