Added SSO and OIDC

2025-12-17 03:43:46 +03:00 · 2025-07-11 01:04:50 +05:30
parent 7cb414c7cb
commit fad78516ef
26 changed files with 5598 additions and 244 deletions
--- a/src/lib/auth-client.ts
+++ b/src/lib/auth-client.ts
@@ -1,8 +1,14 @@
 import { createAuthClient } from "better-auth/react";
+import { oidcClient } from "better-auth/client/plugins";
+import { ssoClient } from "better-auth/client/plugins";

 export const authClient = createAuthClient({
  // The base URL is optional when running on the same domain
  // Better Auth will use the current domain by default
+  plugins: [
+    oidcClient(),
+    ssoClient(),
+  ],
 });

 // Export commonly used methods for convenience
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,5 +1,7 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
+import { oidcProvider } from "better-auth/plugins";
+import { sso } from "better-auth/plugins/sso";
 import { db, users } from "./db";
 import * as schema from "./db/schema";
 import { eq } from "drizzle-orm";
@@ -50,8 +52,42 @@ export const auth = betterAuth({
    },
  },

-  // TODO: Add plugins for SSO and OIDC support in the future
-  // plugins: [],
+  // Plugins configuration
+  plugins: [
+    // OIDC Provider plugin - allows this app to act as an OIDC provider
+    oidcProvider({
+      loginPage: "/login",
+      consentPage: "/oauth/consent",
+      // Allow dynamic client registration for flexibility
+      allowDynamicClientRegistration: true,
+      // Customize user info claims based on scopes
+      getAdditionalUserInfoClaim: (user, scopes) => {
+        const claims: Record<string, any> = {};
+        if (scopes.includes("profile")) {
+          claims.username = user.username;
+        }
+        return claims;
+      },
+    }),
+    
+    // SSO plugin - allows users to authenticate with external OIDC providers
+    sso({
+      // Provision new users when they sign in with SSO
+      provisionUser: async (user) => {
+        // Derive username from email if not provided
+        const username = user.name || user.email?.split('@')[0] || 'user';
+        return {
+          ...user,
+          username,
+        };
+      },
+      // Organization provisioning settings
+      organizationProvisioning: {
+        disabled: false,
+        defaultRole: "member",
+      },
+    }),
+  ],

  // Trusted origins for CORS
  trustedOrigins: [
--- a/src/lib/db/index.ts
+++ b/src/lib/db/index.ts
@@ -70,5 +70,9 @@ export {
  organizations,
  sessions,
  accounts,
-  verificationTokens 
+  verificationTokens,
+  oauthApplications,
+  oauthAccessTokens,
+  oauthConsent,
+  ssoProviders
 } from "./schema";
--- a/src/lib/db/schema.ts
+++ b/src/lib/db/schema.ts
@@ -504,6 +504,102 @@ export const verificationTokens = sqliteTable("verification_tokens", {
  };
 });

+// ===== OIDC Provider Tables =====
+
+// OAuth Applications table
+export const oauthApplications = sqliteTable("oauth_applications", {
+  id: text("id").primaryKey(),
+  clientId: text("client_id").notNull().unique(),
+  clientSecret: text("client_secret").notNull(),
+  name: text("name").notNull(),
+  redirectURLs: text("redirect_urls").notNull(), // Comma-separated list
+  metadata: text("metadata"), // JSON string
+  type: text("type").notNull(), // web, mobile, etc
+  disabled: integer("disabled", { mode: "boolean" }).notNull().default(false),
+  userId: text("user_id"), // Optional - owner of the application
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+  updatedAt: integer("updated_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+}, (table) => {
+  return {
+    clientIdIdx: index("idx_oauth_applications_client_id").on(table.clientId),
+    userIdIdx: index("idx_oauth_applications_user_id").on(table.userId),
+  };
+});
+
+// OAuth Access Tokens table
+export const oauthAccessTokens = sqliteTable("oauth_access_tokens", {
+  id: text("id").primaryKey(),
+  accessToken: text("access_token").notNull(),
+  refreshToken: text("refresh_token"),
+  accessTokenExpiresAt: integer("access_token_expires_at", { mode: "timestamp" }).notNull(),
+  refreshTokenExpiresAt: integer("refresh_token_expires_at", { mode: "timestamp" }),
+  clientId: text("client_id").notNull(),
+  userId: text("user_id").notNull().references(() => users.id),
+  scopes: text("scopes").notNull(), // Comma-separated list
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+  updatedAt: integer("updated_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+}, (table) => {
+  return {
+    accessTokenIdx: index("idx_oauth_access_tokens_access_token").on(table.accessToken),
+    userIdIdx: index("idx_oauth_access_tokens_user_id").on(table.userId),
+    clientIdIdx: index("idx_oauth_access_tokens_client_id").on(table.clientId),
+  };
+});
+
+// OAuth Consent table
+export const oauthConsent = sqliteTable("oauth_consent", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id),
+  clientId: text("client_id").notNull(),
+  scopes: text("scopes").notNull(), // Comma-separated list
+  consentGiven: integer("consent_given", { mode: "boolean" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+  updatedAt: integer("updated_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+}, (table) => {
+  return {
+    userIdIdx: index("idx_oauth_consent_user_id").on(table.userId),
+    clientIdIdx: index("idx_oauth_consent_client_id").on(table.clientId),
+    userClientIdx: index("idx_oauth_consent_user_client").on(table.userId, table.clientId),
+  };
+});
+
+// ===== SSO Provider Tables =====
+
+// SSO Providers table
+export const ssoProviders = sqliteTable("sso_providers", {
+  id: text("id").primaryKey(),
+  issuer: text("issuer").notNull(),
+  domain: text("domain").notNull(),
+  oidcConfig: text("oidc_config").notNull(), // JSON string with OIDC configuration
+  userId: text("user_id").notNull(), // Admin who created this provider
+  providerId: text("provider_id").notNull().unique(), // Unique identifier for the provider
+  organizationId: text("organization_id"), // Optional - if provider is linked to an organization
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+  updatedAt: integer("updated_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+}, (table) => {
+  return {
+    providerIdIdx: index("idx_sso_providers_provider_id").on(table.providerId),
+    domainIdx: index("idx_sso_providers_domain").on(table.domain),
+    issuerIdx: index("idx_sso_providers_issuer").on(table.issuer),
+  };
+});
+
 // Export type definitions
 export type User = z.infer<typeof userSchema>;
 export type Config = z.infer<typeof configSchema>;
--- a/src/lib/utils.ts
+++ b/src/lib/utils.ts
@@ -9,6 +9,15 @@ export function cn(...inputs: ClassValue[]) {
  return twMerge(clsx(inputs));
 }

+export function generateRandomString(length: number): string {
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+  let result = '';
+  for (let i = 0; i < length; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return result;
+}
+
 export function formatDate(date?: Date | string | null): string {
  if (!date) return "Never";
  return new Intl.DateTimeFormat("en-US", {