Add SSO login support

MCAT can now redirect users to MCIAS for SSO login (including passkey
support) instead of showing its own login form. SSO is opt-in via the
[sso] config section.

- Add SSO landing page with "Sign in with MCIAS" button
- Add /sso/redirect and /sso/callback routes
- Update mcdsl to v1.5.0 (sso package)
- Fix .gitignore: /mcat ignores only the root binary, not cmd/mcat/
- Track cmd/mcat/ source files (previously gitignored by accident)

Security:
- State cookie uses SameSite=Lax for cross-site redirect compatibility
- Session cookie remains SameSite=Strict after login

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 17:19:24 -07:00
parent 7761a5c5a4
commit 190368290b
7 changed files with 216 additions and 18 deletions

@@ -8,6 +8,12 @@
<div class="card">
<div class="card-title">Sign In</div>
{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
{{if .SSO}}
<p>Sign in to test MCIAS login policies.</p>
<div class="form-actions">
<a href="/sso/redirect" class="btn">Sign in with MCIAS</a>
</div>
{{else}}
<form method="POST" action="/login">
{{csrfField}}
<div class="form-group">
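Review bot: The `{{if .SSO}}` branch only hides the form that posts to `/login`; nothing visible in this hunk shows the `POST /login` handler being disabled when SSO is enabled, so local password login may still be reachable by a direct request. If SSO mode is meant to replace the local form, have the handler reject requests when the `[sso]` section is configured and add a test for it. Separately, `{{.Error}}` sits above both branches, so confirm that failures from `/sso/callback` (for example a state mismatch) reach this page as a short generic message rather than raw upstream error text.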
@@ -26,5 +32,6 @@
<button type="submit">Login</button>
</div>
</form>
{{end}}
</div>
{{end}}