Add SSO authorization code flow (Phase 1)

MCIAS now acts as an SSO provider for downstream services. Services
redirect users to /sso/authorize, MCIAS handles login (password, TOTP,
or passkey), then redirects back with an authorization code that the
service exchanges for a JWT via POST /v1/sso/token.

- Add SSO client registry to config (client_id, redirect_uri,
  service_name, tags) with validation
- Add internal/sso package: authorization code and session stores
  using sync.Map with TTL, single-use LoadAndDelete, cleanup goroutines
- Add GET /sso/authorize endpoint (validates client, creates session,
  redirects to /login?sso=<nonce>)
- Add POST /v1/sso/token endpoint (exchanges code for JWT with policy
  evaluation using client's service_name/tags from config)
- Thread SSO nonce through password→TOTP and WebAuthn login flows
- Update login.html, totp_step.html, and webauthn.js for SSO nonce
  passthrough

Security:
- Authorization codes are 256-bit random, single-use, 60-second TTL
- redirect_uri validated as exact match against registered config
- Policy context comes from MCIAS config, not the calling service
- SSO sessions are server-side only; nonce is the sole client-visible value
- WebAuthn SSO returns redirect URL as JSON (not HTTP redirect) for JS compat

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/ui/handlers_sso.go

@@ -0,0 +1,84 @@
+package ui
+
+import (
+	"net/http"
+	"net/url"
+
+	"git.wntrmute.dev/mc/mcias/internal/audit"
+	"git.wntrmute.dev/mc/mcias/internal/model"
+	"git.wntrmute.dev/mc/mcias/internal/sso"
+)
+
+// handleSSOAuthorize validates the SSO request parameters against registered
+// clients, creates an SSO session, and redirects to /login with the SSO nonce.
+//
+// Security: the client_id and redirect_uri are validated against the MCIAS
+// config (exact match). The state parameter is opaque and carried through
+// unchanged. An SSO session is created server-side so the nonce is the only
+// value embedded in the login form.
+func (u *UIServer) handleSSOAuthorize(w http.ResponseWriter, r *http.Request) {
+	clientID := r.URL.Query().Get("client_id")
+	redirectURI := r.URL.Query().Get("redirect_uri")
+	state := r.URL.Query().Get("state")
+
+	if clientID == "" || redirectURI == "" || state == "" {
+		http.Error(w, "missing required parameters: client_id, redirect_uri, state", http.StatusBadRequest)
+		return
+	}
+
+	// Security: validate client_id against registered SSO clients.
+	client := u.cfg.SSOClient(clientID)
+	if client == nil {
+		u.logger.Warn("sso: unknown client_id", "client_id", clientID)
+		http.Error(w, "unknown client_id", http.StatusBadRequest)
+		return
+	}
+
+	// Security: redirect_uri must exactly match the registered URI to prevent
+	// open-redirect attacks.
+	if redirectURI != client.RedirectURI {
+		u.logger.Warn("sso: redirect_uri mismatch",
+			"client_id", clientID,
+			"expected", client.RedirectURI,
+			"got", redirectURI)
+		http.Error(w, "redirect_uri does not match registered URI", http.StatusBadRequest)
+		return
+	}
+
+	nonce, err := sso.StoreSession(clientID, redirectURI, state)
+	if err != nil {
+		u.logger.Error("sso: store session", "error", err)
+		http.Error(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+
+	u.writeAudit(r, model.EventSSOAuthorize, nil, nil,
+		audit.JSON("client_id", clientID))
+
+	http.Redirect(w, r, "/login?sso="+url.QueryEscape(nonce), http.StatusFound)
+}
+
+// buildSSOCallback consumes the SSO session, generates an authorization code,
+// and returns the callback URL with code and state parameters. Returns ("", false)
+// if the SSO session is expired or already consumed.
+//
+// Security: the SSO session is consumed (single-use) and the authorization code
+// is stored server-side for exchange via POST /v1/sso/token. The state parameter
+// is carried through unchanged for the service to validate.
+func (u *UIServer) buildSSOCallback(r *http.Request, ssoNonce string, accountID int64) (string, bool) {
+	sess, ok := sso.ConsumeSession(ssoNonce)
+	if !ok {
+		return "", false
+	}
+
+	code, err := sso.Store(sess.ClientID, sess.RedirectURI, sess.State, accountID)
+	if err != nil {
+		u.logger.Error("sso: store auth code", "error", err)
+		return "", false
+	}
+
+	u.writeAudit(r, model.EventSSOLoginOK, &accountID, nil,
+		audit.JSON("client_id", sess.ClientID))
+
+	return sess.RedirectURI + "?code=" + url.QueryEscape(code) + "&state=" + url.QueryEscape(sess.State), true
+}