Add SSO login support to MCR web UI
MCR can now redirect users to MCIAS for login instead of showing its own login form. This enables passkey/FIDO2 authentication since WebAuthn credentials are bound to MCIAS's domain. - Add optional [sso] config section with redirect_uri - Add handleSSOLogin (redirects to MCIAS) and handleSSOCallback (exchanges code for JWT, validates roles, sets session cookie) - SSO is opt-in: when redirect_uri is empty, the existing login form is used (backward compatible) - Guest role check preserved in SSO callback path - Return-to URL preserved across the SSO redirect - Uses mcdsl/sso package (local replace for now) Security: - State cookie uses SameSite=Lax for cross-site redirect compatibility - Session cookie remains SameSite=Strict (same-site only after login) - Code exchange is server-to-server over TLS 1.3 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -213,6 +213,7 @@ func setupTestEnv(t *testing.T) *testEnv {
|
||||
loginFn,
|
||||
validateFn,
|
||||
csrfKey,
|
||||
nil, // SSO client (nil = use direct login form for tests)
|
||||
)
|
||||
if err != nil {
|
||||
_ = conn.Close()
|
||||
|
||||
Reference in New Issue
Block a user