POC for Oidc

[halkeye]

Mostly want to know if its worth cleaning up and continuing

• Created a new table to store temporary session/validation storage
  [ ] TODO - need to implement cleanup
• Does oidc against an oidc server with discovery (most modern ones have .well-known/openid-configuration urls)
• Matches user based on username
  [ ] TODO - Add config for matching other criteria, or just add oidc subs => username table
• creates user if none are found
  [ ] TODO - Add config to disable creating new users
• Sets frontend user once auth is completed successfully

[vercel]

@halkeye is attempting to deploy a commit to the umami-software Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

Greptile Summary

This PR implements a proof-of-concept for OIDC (OpenID Connect) authentication in Umami. The implementation adds a complete OAuth2/OIDC authorization code flow with PKCE support, allowing users to authenticate via external identity providers.

The key changes include:

• Database Schema: Adds a new OidcState table across PostgreSQL and MySQL schemas to store temporary authentication state and PKCE code verifiers during the OAuth flow
• Authentication Logic: Creates a new API route (/api/auth/login/oidc) that handles both authorization initiation and callback processing, integrating with the existing token generation system
• User Interface: Implements frontend components for OIDC login entry point and callback handling, with automatic redirection to the dashboard upon successful authentication
• Database Queries: Adds Prisma queries for managing OIDC state with creation and retrieval functions
• Dependencies: Integrates the openid-client library (v6.6.4) for OIDC protocol handling and provider discovery
• Security Enhancement: Strengthens password validation to prevent authentication bypass with empty strings
• Type Safety: Improves TypeScript support in the Prisma client configuration

The implementation supports OIDC discovery via .well-known/openid-configuration, matches users by username, creates new users automatically when none exist, and integrates with Umami's existing authentication token system. The PR includes several TODO items for cleanup mechanisms, configuration options for user creation control, and alternative user matching strategies.

Confidence score: 2/5

• This PR requires significant review and improvements before merging due to multiple security and reliability concerns
• Score reflects missing error handling, security vulnerabilities, database inconsistencies, and incomplete implementation of critical features
• Pay close attention to src/app/api/auth/login/oidc/route.ts, db/mysql/schema.prisma, and src/app/login/oidc/callback/page.tsx

_{10 files reviewed, 8 comments}

_{Edit Code Review Bot Settings | Greptile}

[greptile-apps]

logic: Database type inconsistency: MySQL schema uses @db.Uuid but MySQL doesn't have native UUID type. This should be @db.VarChar(36) to match other ID fields in the MySQL schema.

Suggested change

	state String @id() @unique() @db.Uuid
	state String @id() @unique() @db.VarChar(36)

[halkeye]

neither of these are db.uuid, so note to self, change to varchar

[greptile-apps]

style: Consider naming this function for better debugging and stack traces

[greptile-apps]

logic: Module-level async OIDC discovery will cause startup failures if environment variables are missing or OIDC server is unreachable

[tpendragon]

Would love OIDC, great work

[reyemb]

@mikecao @franciscao633 Could you take a look at this or leave some instructions what needs to be done to keep going?