From 8a494b663b2f0c35496546d89370a1003795ec2c Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Thu, 14 May 2026 08:18:25 +0000
Subject: [PATCH 01/17] feat: support github sso

---
 lib/lightning/auth_providers/cache_warmer.ex  | 28 ++++++++++---
 .../auth_providers/github_handler.ex          | 42 +++++++++++++++++++
 lib/lightning/auth_providers/handler.ex       | 20 ++++++---
 lib/lightning/config.ex                       | 11 +++++
 lib/lightning/config/bootstrap.ex             | 17 ++++++++
 .../controllers/oidc_controller.ex            | 40 ++++++++++++++++--
 .../user_registration_controller.ex           | 10 ++++-
 .../user_registration_html/new.html.heex      | 31 ++++++++++++++
 .../controllers/user_session_controller.ex    | 21 ++++++----
 .../user_session_html/new.html.heex           | 41 +++++++++++-------
 .../controllers/oidc_controller_test.exs      | 21 ++++++----
 .../user_session_controller_test.exs          |  4 +-
 12 files changed, 235 insertions(+), 51 deletions(-)
 create mode 100644 lib/lightning/auth_providers/github_handler.ex

diff --git a/lib/lightning/auth_providers/cache_warmer.ex b/lib/lightning/auth_providers/cache_warmer.ex
index 21881a7796f..e55327adb83 100644
--- a/lib/lightning/auth_providers/cache_warmer.ex
+++ b/lib/lightning/auth_providers/cache_warmer.ex
@@ -20,12 +20,28 @@ defmodule Lightning.AuthProviders.CacheWarmer do
   Executes this cache warmer with a connection.
   """
   def execute(_state) do
-    with %AuthProviders.AuthConfig{name: name} = config <-
-           AuthProviders.get_existing() || :ignore,
-         {:ok, handler} <- AuthProviders.Handler.from_model(config) do
-      {:ok, [{name, handler}]}
-    else
-      _error -> :ignore
+    db_entries =
+      try do
+        with %AuthProviders.AuthConfig{name: name} = config <-
+               AuthProviders.get_existing() || :not_found,
+             {:ok, handler} <- AuthProviders.Handler.from_model(config) do
+          [{name, handler}]
+        else
+          _ -> []
+        end
+      rescue
+        _ -> []
+      end
+
+    github_entries =
+      case Lightning.AuthProviders.GithubHandler.build() do
+        {:ok, handler} -> [{handler.name, handler}]
+        _ -> []
+      end
+
+    case db_entries ++ github_entries do
+      [] -> :ignore
+      entries -> {:ok, entries}
     end
   end
 end
diff --git a/lib/lightning/auth_providers/github_handler.ex b/lib/lightning/auth_providers/github_handler.ex
new file mode 100644
index 00000000000..6b891152e40
--- /dev/null
+++ b/lib/lightning/auth_providers/github_handler.ex
@@ -0,0 +1,42 @@
+defmodule Lightning.AuthProviders.GithubHandler do
+  @moduledoc """
+  Builds a Handler for GitHub OAuth2 SSO login from environment configuration.
+
+  Set GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET to enable GitHub login.
+  """
+
+  alias Lightning.AuthProviders.Handler
+  alias Lightning.AuthProviders.WellKnown
+
+  @name "github"
+  @authorization_endpoint "https://github.com/login/oauth/authorize"
+  @token_endpoint "https://github.com/login/oauth/access_token"
+  @userinfo_endpoint "https://api.github.com/user/emails"
+
+  def handler_name, do: @name
+
+  @spec build() :: {:ok, Handler.t()} | {:error, :not_configured}
+  def build do
+    client_id = Lightning.Config.github_oauth(:client_id)
+    client_secret = Lightning.Config.github_oauth(:client_secret)
+    redirect_uri = Lightning.Config.github_oauth(:redirect_uri)
+
+    if client_id && client_secret && redirect_uri do
+      wellknown = %WellKnown{
+        authorization_endpoint: @authorization_endpoint,
+        token_endpoint: @token_endpoint,
+        userinfo_endpoint: @userinfo_endpoint
+      }
+
+      Handler.new(@name,
+        client_id: client_id,
+        client_secret: client_secret,
+        redirect_uri: redirect_uri,
+        wellknown: wellknown,
+        scope: "user:email"
+      )
+    else
+      {:error, :not_configured}
+    end
+  end
+end
diff --git a/lib/lightning/auth_providers/handler.ex b/lib/lightning/auth_providers/handler.ex
index 9e814bec24f..c3757180518 100644
--- a/lib/lightning/auth_providers/handler.ex
+++ b/lib/lightning/auth_providers/handler.ex
@@ -10,17 +10,19 @@ defmodule Lightning.AuthProviders.Handler do
   @type t :: %__MODULE__{
           name: String.t(),
           client: OAuth2.Client.t(),
-          wellknown: WellKnown.t()
+          wellknown: WellKnown.t(),
+          scope: String.t()
         }
 
   @type opts :: [
           client_id: String.t(),
           client_secret: String.t(),
           redirect_uri: String.t(),
-          wellknown: WellKnown.t()
+          wellknown: WellKnown.t(),
+          scope: String.t()
         ]
 
-  defstruct [:name, :client, :wellknown]
+  defstruct [:name, :client, :wellknown, scope: "openid email profile"]
 
   @doc """
   Create a new Provider struct, expects a name and opts:
@@ -41,6 +43,7 @@ defmodule Lightning.AuthProviders.Handler do
 
       :ok ->
         wellknown = opts[:wellknown]
+        scope = opts[:scope] || "openid email profile"
 
         client =
           OAuth2.Client.new(
@@ -54,7 +57,12 @@ defmodule Lightning.AuthProviders.Handler do
           |> OAuth2.Client.put_serializer("application/json", Jason)
 
         {:ok,
-         struct!(__MODULE__, name: name, client: client, wellknown: wellknown)}
+         struct!(__MODULE__,
+           name: name,
+           client: client,
+           wellknown: wellknown,
+           scope: scope
+         )}
     end
   end
 
@@ -80,7 +88,7 @@ defmodule Lightning.AuthProviders.Handler do
 
   @spec authorize_url(handler :: __MODULE__.t()) :: String.t()
   def authorize_url(handler) do
-    OAuth2.Client.authorize_url!(handler.client, scope: "openid email profile")
+    OAuth2.Client.authorize_url!(handler.client, scope: handler.scope)
   end
 
   @spec get_token(handler :: __MODULE__.t(), code :: String.t()) ::
@@ -88,7 +96,7 @@ defmodule Lightning.AuthProviders.Handler do
   def get_token(handler, code) when is_binary(code) do
     case OAuth2.Client.get_token(handler.client,
            code: code,
-           scope: "openid email profile"
+           scope: handler.scope
          ) do
       {:ok, client} -> {:ok, client.token}
       {:error, %OAuth2.Response{body: body}} -> {:error, body}
diff --git a/lib/lightning/config.ex b/lib/lightning/config.ex
index d359aca0982..04f8e6a826a 100644
--- a/lib/lightning/config.ex
+++ b/lib/lightning/config.ex
@@ -113,6 +113,12 @@ defmodule Lightning.Config do
       |> Keyword.get(key)
     end
 
+    @impl true
+    def github_oauth(key) do
+      Application.get_env(:lightning, :github_oauth, [])
+      |> Keyword.get(key)
+    end
+
     @impl true
     def check_flag?(flag) do
       Application.get_env(:lightning, flag)
@@ -454,6 +460,7 @@ defmodule Lightning.Config do
   @callback env() :: :dev | :test | :prod
   @callback get_extension_mod(key :: atom()) :: any()
   @callback google(key :: atom()) :: any()
+  @callback github_oauth(key :: atom()) :: any()
   @callback grace_period() :: integer()
   @callback instance_admin_email() :: String.t()
   @callback kafka_alternate_storage_enabled?() :: boolean()
@@ -607,6 +614,10 @@ defmodule Lightning.Config do
     impl().google(key)
   end
 
+  def github_oauth(key) do
+    impl().github_oauth(key)
+  end
+
   def cors_origin do
     impl().cors_origin()
   end
diff --git a/lib/lightning/config/bootstrap.ex b/lib/lightning/config/bootstrap.ex
index 058437332d3..534c936564a 100644
--- a/lib/lightning/config/bootstrap.ex
+++ b/lib/lightning/config/bootstrap.ex
@@ -507,6 +507,23 @@ defmodule Lightning.Config.Bootstrap do
       cors_origin:
         env!("CORS_ORIGIN", :string, "*") |> String.split(",") |> List.wrap()
 
+    github_client_id = env!("GITHUB_CLIENT_ID", :string, nil)
+    github_client_secret = env!("GITHUB_CLIENT_SECRET", :string, nil)
+
+    if github_client_id && github_client_secret do
+      github_redirect_uri =
+        if url_port in [80, 443] do
+          "#{url_scheme}://#{host}/authenticate/github/callback"
+        else
+          "#{url_scheme}://#{host}:#{url_port}/authenticate/github/callback"
+        end
+
+      config :lightning, :github_oauth,
+        client_id: github_client_id,
+        client_secret: github_client_secret,
+        redirect_uri: github_redirect_uri
+    end
+
     if config_env() == :prod do
       unless database_url do
         raise """
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index 42f04da94a5..a72f9a75334 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -31,10 +31,8 @@ defmodule LightningWeb.OidcController do
   """
   def new(conn, %{"provider" => provider, "code" => code}) do
     with {:ok, handler} <- AuthProviders.get_handler(provider),
-         {:ok, token} <- Handler.get_token(handler, code) do
-      userinfo = Handler.get_userinfo(handler, token)
-      email = Map.fetch!(userinfo, "email")
-
+         {:ok, token} <- Handler.get_token(handler, code),
+         {:ok, email} <- fetch_email(handler, token) do
       case Accounts.get_user_by_email(email) do
         nil ->
           conn
@@ -57,6 +55,19 @@ defmodule LightningWeb.OidcController do
             "remember_me" => "true"
           })
       end
+    else
+      {:error, :no_email} ->
+        conn
+        |> put_flash(
+          :error,
+          "Could not retrieve your email from the provider. Please ensure your email address is accessible."
+        )
+        |> redirect(to: Routes.user_session_path(conn, :new))
+
+      {:error, _reason} ->
+        conn
+        |> put_flash(:error, "Authentication failed")
+        |> redirect(to: Routes.user_session_path(conn, :new))
     end
   end
 
@@ -70,6 +81,27 @@ defmodule LightningWeb.OidcController do
     close_browser_window(conn)
   end
 
+  defp fetch_email(handler, token) do
+    userinfo = Handler.get_userinfo(handler, token)
+
+    case extract_email(userinfo) do
+      nil -> {:error, :no_email}
+      email -> {:ok, email}
+    end
+  end
+
+  defp extract_email(userinfo) when is_list(userinfo) do
+    userinfo
+    |> Enum.find(& &1["primary"])
+    |> case do
+      %{"email" => email} when is_binary(email) -> email
+      _ -> nil
+    end
+  end
+
+  defp extract_email(%{"email" => email}) when is_binary(email), do: email
+  defp extract_email(_), do: nil
+
   defp broadcast_message(state, data) do
     [subscription_id, mod, component_id, current_tab] =
       OauthCredentialHelper.decode_state(state)
diff --git a/lib/lightning_web/controllers/user_registration_controller.ex b/lib/lightning_web/controllers/user_registration_controller.ex
index eb5508f4618..77e50c08357 100644
--- a/lib/lightning_web/controllers/user_registration_controller.ex
+++ b/lib/lightning_web/controllers/user_registration_controller.ex
@@ -7,7 +7,10 @@ defmodule LightningWeb.UserRegistrationController do
   def new(conn, _params) do
     changeset = Accounts.change_user_registration()
 
-    render(conn, "new.html", changeset: changeset)
+    render(conn, "new.html",
+      changeset: changeset,
+      auth_providers: LightningWeb.UserSessionController.auth_providers()
+    )
   end
 
   def create(conn, %{"user" => user_params}) do
@@ -21,7 +24,10 @@ defmodule LightningWeb.UserRegistrationController do
         |> redirect_user(user)
 
       {:error, %Ecto.Changeset{} = changeset} ->
-        render(conn, "new.html", changeset: changeset)
+        render(conn, "new.html",
+          changeset: changeset,
+          auth_providers: LightningWeb.UserSessionController.auth_providers()
+        )
     end
   end
 
diff --git a/lib/lightning_web/controllers/user_registration_html/new.html.heex b/lib/lightning_web/controllers/user_registration_html/new.html.heex
index 46591056c66..d1b56e9f2e4 100644
--- a/lib/lightning_web/controllers/user_registration_html/new.html.heex
+++ b/lib/lightning_web/controllers/user_registration_html/new.html.heex
@@ -89,6 +89,37 @@
               <.button type="submit" theme="primary">
                 Register
               </.button>
+              <%= if @auth_providers != [] do %>
+                <div class="text-xs text-secondary-700 border-b text-center leading-[0]">
+                  <span class="px-2 bg-white">or</span>
+                </div>
+                <%= for provider <- @auth_providers do %>
+                  <.button theme="secondary">
+                    <a href={provider.url} class="w-full">
+                      <div class="-ml-1 inline-flex items-center">
+                        <%= if provider.name == "github" do %>
+                          <svg
+                            class="h-4 w-4 inline-block"
+                            viewBox="0 0 16 16"
+                            fill="currentColor"
+                            aria-hidden="true"
+                          >
+                            <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
+                          </svg>
+                        <% else %>
+                          <.icon
+                            name="hero-identification"
+                            class="h-4 w-4 inline-block"
+                          />
+                        <% end %>
+                        <span class="ml-1 inline-block align-middle">
+                          Sign up with {String.capitalize(provider.name)}
+                        </span>
+                      </div>
+                    </a>
+                  </.button>
+                <% end %>
+              <% end %>
             </div>
 
             <LightningWeb.Components.Form.divider />
diff --git a/lib/lightning_web/controllers/user_session_controller.ex b/lib/lightning_web/controllers/user_session_controller.ex
index 138a048d51e..1888d7bfde8 100644
--- a/lib/lightning_web/controllers/user_session_controller.ex
+++ b/lib/lightning_web/controllers/user_session_controller.ex
@@ -8,7 +8,7 @@ defmodule LightningWeb.UserSessionController do
   def new(conn, _params) do
     render(conn, "new.html",
       error_message: nil,
-      auth_handler_url: auth_handler_url()
+      auth_providers: auth_providers()
     )
   end
 
@@ -21,7 +21,7 @@ defmodule LightningWeb.UserSessionController do
         conn
         |> put_flash(:error, "This user account is disabled")
         |> render("new.html",
-          auth_handler_url: auth_handler_url()
+          auth_providers: auth_providers()
         )
 
       %User{scheduled_deletion: x} when x != nil ->
@@ -31,7 +31,7 @@ defmodule LightningWeb.UserSessionController do
           "This user account is scheduled for deletion"
         )
         |> render("new.html",
-          auth_handler_url: auth_handler_url()
+          auth_providers: auth_providers()
         )
 
       %User{mfa_enabled: true} = user ->
@@ -51,7 +51,7 @@ defmodule LightningWeb.UserSessionController do
         conn
         |> put_flash(:error, "Invalid email or password")
         |> render("new.html",
-          auth_handler_url: auth_handler_url()
+          auth_providers: auth_providers()
         )
     end
   end
@@ -76,13 +76,18 @@ defmodule LightningWeb.UserSessionController do
     |> UserAuth.log_out_user()
   end
 
-  def auth_handler_url do
+  def auth_providers do
     case Lightning.AuthProviders.get_handlers() do
       {:ok, []} ->
-        nil
+        []
 
-      {:ok, [handler | _rest]} ->
-        Lightning.AuthProviders.get_authorize_url(handler)
+      {:ok, handlers} ->
+        Enum.map(handlers, fn handler ->
+          %{
+            name: handler.name,
+            url: Lightning.AuthProviders.get_authorize_url(handler)
+          }
+        end)
     end
   end
 end
diff --git a/lib/lightning_web/controllers/user_session_html/new.html.heex b/lib/lightning_web/controllers/user_session_html/new.html.heex
index 8e2949b9f8c..168d2f27c7f 100644
--- a/lib/lightning_web/controllers/user_session_html/new.html.heex
+++ b/lib/lightning_web/controllers/user_session_html/new.html.heex
@@ -53,23 +53,36 @@
               <.button type="submit" theme="primary">
                 Log in
               </.button>
-              <%= if @auth_handler_url do %>
+              <%= if @auth_providers != [] do %>
                 <div class="text-xs text-secondary-700 border-b text-center leading-[0]">
                   <span class="px-2 bg-white">or</span>
                 </div>
-                <.button theme="secondary">
-                  <a href={@auth_handler_url} class="w-full">
-                    <div class="-ml-1 inline-flex items-center">
-                      <.icon
-                        name="hero-identification"
-                        class="h-4 w-4 inline-block"
-                      />
-                      <span class="ml-1 inline-block align-middle">
-                        via external provider
-                      </span>
-                    </div>
-                  </a>
-                </.button>
+                <%= for provider <- @auth_providers do %>
+                  <.button theme="secondary">
+                    <a href={provider.url} class="w-full">
+                      <div class="-ml-1 inline-flex items-center">
+                        <%= if provider.name == "github" do %>
+                          <svg
+                            class="h-4 w-4 inline-block"
+                            viewBox="0 0 16 16"
+                            fill="currentColor"
+                            aria-hidden="true"
+                          >
+                            <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
+                          </svg>
+                        <% else %>
+                          <.icon
+                            name="hero-identification"
+                            class="h-4 w-4 inline-block"
+                          />
+                        <% end %>
+                        <span class="ml-1 inline-block align-middle">
+                          Sign in with {String.capitalize(provider.name)}
+                        </span>
+                      </div>
+                    </a>
+                  </.button>
+                <% end %>
               <% end %>
             </div>
             <div class="hidden sm:block" aria-hidden="true">
diff --git a/test/lightning_web/controllers/oidc_controller_test.exs b/test/lightning_web/controllers/oidc_controller_test.exs
index 4d7ca5828e3..5b788cf1d03 100644
--- a/test/lightning_web/controllers/oidc_controller_test.exs
+++ b/test/lightning_web/controllers/oidc_controller_test.exs
@@ -130,16 +130,18 @@ defmodule LightningWeb.OidcControllerTest do
       assert redirected_to(conn) == Routes.user_session_path(conn, :new)
     end
 
-    test "renders a 404 when a provider is missing", %{conn: conn} do
-      response =
+    test "redirects to login when a provider is missing", %{conn: conn} do
+      conn =
         conn
         |> get(Routes.oidc_path(conn, :new, "bar", %{"code" => "callback_code"}))
 
-      assert response.resp_body =~ "Not Found"
-      assert response.status == 404
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "Authentication failed"
     end
 
-    test "renders an error when a handler returns an error", %{
+    test "redirects to login when a handler returns an error", %{
       conn: conn,
       handler: handler,
       bypass: bypass
@@ -155,15 +157,16 @@ defmodule LightningWeb.OidcControllerTest do
          |> Jason.encode!()}
       )
 
-      response =
+      conn =
         conn
         |> get(
           Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
         )
 
-      assert response.resp_body =~ "invalid_client"
-      assert response.resp_body =~ "No client credentials found"
-      assert response.status == 401
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "Authentication failed"
     end
   end
 
diff --git a/test/lightning_web/controllers/user_session_controller_test.exs b/test/lightning_web/controllers/user_session_controller_test.exs
index 0b15ba792f2..2148bdde203 100644
--- a/test/lightning_web/controllers/user_session_controller_test.exs
+++ b/test/lightning_web/controllers/user_session_controller_test.exs
@@ -74,12 +74,12 @@ defmodule LightningWeb.UserSessionControllerTest do
       assert redirected_to(conn) == "/projects"
     end
 
-    test "shows a 'via external provider' button", %{conn: conn} do
+    test "shows a 'Sign in with' button for external providers", %{conn: conn} do
       create_handler("foo")
 
       conn = get(conn, Routes.user_session_path(conn, :new))
       response = html_response(conn, 200)
-      assert response =~ "via external provider"
+      assert response =~ "Sign in with"
     end
   end
 

From 5c4de29c8bf9c53454e1b5c2669e507cc885836f Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 15 May 2026 15:47:21 +0000
Subject: [PATCH 02/17] feat: sso register

---
 lib/lightning/accounts.ex                     |  66 +++++++++++-
 lib/lightning/accounts/user.ex                |  18 ++++
 lib/lightning/accounts/user_identity.ex       |  25 +++++
 .../auth_providers/github_handler.ex          |   4 +-
 .../controllers/oidc_controller.ex            | 102 +++++++++++++-----
 .../controllers/user_session_controller.ex    |  10 ++
 .../20260515133932_create_user_identities.exs |  16 +++
 ...60515133933_allow_null_hashed_password.exs |   9 ++
 8 files changed, 222 insertions(+), 28 deletions(-)
 create mode 100644 lib/lightning/accounts/user_identity.ex
 create mode 100644 priv/repo/migrations/20260515133932_create_user_identities.exs
 create mode 100644 priv/repo/migrations/20260515133933_allow_null_hashed_password.exs

diff --git a/lib/lightning/accounts.ex b/lib/lightning/accounts.ex
index 4787db4be93..2fa39e5fe61 100644
--- a/lib/lightning/accounts.ex
+++ b/lib/lightning/accounts.ex
@@ -14,6 +14,7 @@ defmodule Lightning.Accounts do
   alias Lightning.Accounts.Events
   alias Lightning.Accounts.User
   alias Lightning.Accounts.UserBackupCode
+  alias Lightning.Accounts.UserIdentity
   alias Lightning.Accounts.UserNotifier
   alias Lightning.Accounts.UserToken
   alias Lightning.Accounts.UserTOTP
@@ -172,7 +173,70 @@ defmodule Lightning.Accounts do
   def get_user_by_email_and_password(email, password)
       when is_binary(email) and is_binary(password) do
     user = Repo.get_by(User, email: email)
-    if User.valid_password?(user, password), do: user
+
+    cond do
+      is_nil(user) ->
+        User.valid_password?(user, password)
+        nil
+
+      is_nil(user.hashed_password) ->
+        User.valid_password?(user, password)
+        {:error, :sso_account}
+
+      User.valid_password?(user, password) ->
+        user
+
+      true ->
+        nil
+    end
+  end
+
+  @doc """
+  Looks up a user by their SSO provider identity.
+
+  Returns the `%User{}` if found, otherwise `nil`.
+  """
+  def get_user_by_identity(provider, uid) do
+    from(u in User,
+      join: i in UserIdentity,
+      on: i.user_id == u.id,
+      where: i.provider == ^provider and i.uid == ^uid
+    )
+    |> Repo.one()
+  end
+
+  @doc """
+  Links an SSO provider identity to an existing user account.
+
+  Silently succeeds if the identity already exists (on_conflict: :nothing).
+  """
+  def link_user_identity(%User{id: user_id}, provider, uid) do
+    %UserIdentity{}
+    |> UserIdentity.changeset(%{user_id: user_id, provider: provider, uid: uid})
+    |> Repo.insert(on_conflict: :nothing, conflict_target: [:provider, :uid])
+  end
+
+  @doc """
+  Registers a brand-new user via SSO.
+
+  The user is created without a password and confirmed immediately.
+  A `user_registered` event is broadcast on success.
+  """
+  def register_user_from_sso(attrs, provider, uid) do
+    Repo.transact(fn ->
+      with {:ok, user} <-
+             %User{}
+             |> User.sso_registration_changeset(attrs)
+             |> Repo.insert(),
+           {:ok, _identity} <- link_user_identity(user, provider, uid) do
+        {:ok, user}
+      end
+    end)
+    |> tap(fn result ->
+      with {:ok, user} <- result do
+        Events.user_registered(user)
+      end
+    end)
   end
 
   @doc """
diff --git a/lib/lightning/accounts/user.ex b/lib/lightning/accounts/user.ex
index 98a964f69db..79e6b11f363 100644
--- a/lib/lightning/accounts/user.ex
+++ b/lib/lightning/accounts/user.ex
@@ -50,6 +50,8 @@ defmodule Lightning.Accounts.User do
     has_many :backup_codes, Lightning.Accounts.UserBackupCode,
       on_replace: :delete
 
+    has_many :user_identities, Lightning.Accounts.UserIdentity
+
     timestamps()
   end
 
@@ -314,6 +316,22 @@ defmodule Lightning.Accounts.User do
     change(user, confirmed_at: now)
   end
 
+  @doc """
+  A changeset for registering a user via SSO. No password is required;
+  the account is confirmed immediately at registration time.
+  """
+  def sso_registration_changeset(user, attrs) do
+    user
+    |> cast(attrs, [:first_name, :last_name, :email])
+    |> validate_required([:first_name, :last_name, :email])
+    |> validate_email_format()
+    |> validate_email_exists()
+    |> put_change(
+      :confirmed_at,
+      DateTime.utc_now() |> DateTime.truncate(:second)
+    )
+  end
+
   @spec remove_github_token_changeset(t()) :: Ecto.Changeset.t()
   def remove_github_token_changeset(user) do
     change(user, github_oauth_token: nil)
diff --git a/lib/lightning/accounts/user_identity.ex b/lib/lightning/accounts/user_identity.ex
new file mode 100644
index 00000000000..1514e1f3b22
--- /dev/null
+++ b/lib/lightning/accounts/user_identity.ex
@@ -0,0 +1,25 @@
+defmodule Lightning.Accounts.UserIdentity do
+  @moduledoc """
+  Schema for tracking SSO provider identities linked to user accounts.
+
+  A user may have multiple identities (one per SSO provider). The combination
+  of provider and uid is globally unique.
+  """
+  use Lightning.Schema
+
+  alias Lightning.Accounts.User
+
+  schema "user_identities" do
+    field :provider, :string
+    field :uid, :string
+    belongs_to :user, User
+    timestamps()
+  end
+
+  def changeset(identity, attrs) do
+    identity
+    |> cast(attrs, [:provider, :uid, :user_id])
+    |> validate_required([:provider, :uid, :user_id])
+    |> unique_constraint([:provider, :uid])
+  end
+end
diff --git a/lib/lightning/auth_providers/github_handler.ex b/lib/lightning/auth_providers/github_handler.ex
index 6b891152e40..f43c308dbcd 100644
--- a/lib/lightning/auth_providers/github_handler.ex
+++ b/lib/lightning/auth_providers/github_handler.ex
@@ -11,7 +11,7 @@ defmodule Lightning.AuthProviders.GithubHandler do
   @name "github"
   @authorization_endpoint "https://github.com/login/oauth/authorize"
   @token_endpoint "https://github.com/login/oauth/access_token"
-  @userinfo_endpoint "https://api.github.com/user/emails"
+  @userinfo_endpoint "https://api.github.com/user"
 
   def handler_name, do: @name
 
@@ -33,7 +33,7 @@ defmodule Lightning.AuthProviders.GithubHandler do
         client_secret: client_secret,
         redirect_uri: redirect_uri,
         wellknown: wellknown,
-        scope: "user:email"
+        scope: "read:user user:email"
       )
     else
       {:error, :not_configured}
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index a72f9a75334..dd18575db08 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -2,6 +2,7 @@ defmodule LightningWeb.OidcController do
   use LightningWeb, :controller
 
   alias Lightning.Accounts
+  alias Lightning.Accounts.User
   alias Lightning.AuthProviders
   alias Lightning.AuthProviders.Handler
   alias LightningWeb.OauthCredentialHelper
@@ -32,29 +33,10 @@ defmodule LightningWeb.OidcController do
   def new(conn, %{"provider" => provider, "code" => code}) do
     with {:ok, handler} <- AuthProviders.get_handler(provider),
          {:ok, token} <- Handler.get_token(handler, code),
-         {:ok, email} <- fetch_email(handler, token) do
-      case Accounts.get_user_by_email(email) do
-        nil ->
-          conn
-          |> put_flash(:error, "Could not find user account")
-          |> redirect(to: Routes.user_session_path(conn, :new))
-
-        %{mfa_enabled: true} = user ->
-          conn
-          |> UserAuth.log_in_user(user)
-          |> UserAuth.mark_totp_pending()
-          |> redirect(
-            to:
-              Routes.user_totp_path(conn, :new, user: %{"remember_me" => "true"})
-          )
-
-        user ->
-          conn
-          |> UserAuth.log_in_user(user)
-          |> UserAuth.redirect_with_return_to(%{
-            "remember_me" => "true"
-          })
-      end
+         userinfo <- Handler.get_userinfo(handler, token),
+         {:ok, email} <- fetch_email(userinfo),
+         {:ok, uid} <- fetch_uid(userinfo) do
+      handle_sso_login(conn, provider, uid, email, userinfo)
     else
       {:error, :no_email} ->
         conn
@@ -81,15 +63,66 @@ defmodule LightningWeb.OidcController do
     close_browser_window(conn)
   end
 
-  defp fetch_email(handler, token) do
-    userinfo = Handler.get_userinfo(handler, token)
+  defp handle_sso_login(conn, provider, uid, email, userinfo) do
+    case Accounts.get_user_by_identity(provider, uid) do
+      %User{} = user ->
+        do_log_in(conn, user)
+
+      nil ->
+        case Accounts.get_user_by_email(email) do
+          %User{} = user ->
+            Accounts.link_user_identity(user, provider, uid)
+            do_log_in(conn, user)
+
+          nil ->
+            name = extract_name(userinfo)
+            attrs = Map.merge(name, %{email: email})
+
+            case Accounts.register_user_from_sso(attrs, provider, uid) do
+              {:ok, user} ->
+                do_log_in(conn, user)
+
+              {:error, _changeset} ->
+                conn
+                |> put_flash(
+                  :error,
+                  "Could not create your account. Please try again."
+                )
+                |> redirect(to: Routes.user_session_path(conn, :new))
+            end
+        end
+    end
+  end
 
+  defp do_log_in(conn, %{mfa_enabled: true} = user) do
+    conn
+    |> UserAuth.log_in_user(user)
+    |> UserAuth.mark_totp_pending()
+    |> redirect(
+      to: Routes.user_totp_path(conn, :new, user: %{"remember_me" => "true"})
+    )
+  end
+
+  defp do_log_in(conn, user) do
+    conn
+    |> UserAuth.log_in_user(user)
+    |> UserAuth.redirect_with_return_to(%{"remember_me" => "true"})
+  end
+
+  defp fetch_email(userinfo) do
     case extract_email(userinfo) do
       nil -> {:error, :no_email}
       email -> {:ok, email}
     end
   end
 
+  defp fetch_uid(userinfo) do
+    case extract_uid(userinfo) do
+      nil -> {:error, :no_uid}
+      uid -> {:ok, uid}
+    end
+  end
+
   defp extract_email(userinfo) when is_list(userinfo) do
     userinfo
     |> Enum.find(& &1["primary"])
@@ -102,6 +135,25 @@ defmodule LightningWeb.OidcController do
   defp extract_email(%{"email" => email}) when is_binary(email), do: email
   defp extract_email(_), do: nil
 
+  defp extract_uid(%{"sub" => sub}) when is_binary(sub), do: sub
+  defp extract_uid(%{"id" => id}) when is_integer(id), do: to_string(id)
+  defp extract_uid(%{"id" => id}) when is_binary(id), do: id
+  defp extract_uid(_), do: nil
+
+  defp extract_name(%{"given_name" => first, "family_name" => last})
+       when is_binary(first) and is_binary(last) do
+    %{first_name: first, last_name: last}
+  end
+
+  defp extract_name(%{"name" => name}) when is_binary(name) do
+    case String.split(name, " ", parts: 2) do
+      [first, last] -> %{first_name: first, last_name: last}
+      [first] -> %{first_name: first, last_name: ""}
+    end
+  end
+
+  defp extract_name(_), do: %{first_name: "", last_name: ""}
+
   defp broadcast_message(state, data) do
     [subscription_id, mod, component_id, current_tab] =
       OauthCredentialHelper.decode_state(state)
diff --git a/lib/lightning_web/controllers/user_session_controller.ex b/lib/lightning_web/controllers/user_session_controller.ex
index 1888d7bfde8..f8417d27969 100644
--- a/lib/lightning_web/controllers/user_session_controller.ex
+++ b/lib/lightning_web/controllers/user_session_controller.ex
@@ -47,6 +47,16 @@ defmodule LightningWeb.UserSessionController do
         |> UserAuth.log_in_user(user)
         |> UserAuth.redirect_with_return_to(user_params)
 
+      {:error, :sso_account} ->
+        conn
+        |> put_flash(
+          :error,
+          "This account uses single sign-on. Please log in with your SSO provider."
+        )
+        |> render("new.html",
+          auth_providers: auth_providers()
+        )
+
       _ ->
         conn
         |> put_flash(:error, "Invalid email or password")
diff --git a/priv/repo/migrations/20260515133932_create_user_identities.exs b/priv/repo/migrations/20260515133932_create_user_identities.exs
new file mode 100644
index 00000000000..e2e849e7b75
--- /dev/null
+++ b/priv/repo/migrations/20260515133932_create_user_identities.exs
@@ -0,0 +1,16 @@
+defmodule Lightning.Repo.Migrations.CreateUserIdentities do
+  use Ecto.Migration
+
+  def change do
+    create table(:user_identities, primary_key: false) do
+      add :id, :binary_id, primary_key: true
+      add :user_id, references(:users, type: :uuid, on_delete: :delete_all), null: false
+      add :provider, :string, null: false
+      add :uid, :string, null: false
+      timestamps()
+    end
+
+    create unique_index(:user_identities, [:provider, :uid])
+    create index(:user_identities, [:user_id])
+  end
+end
diff --git a/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs b/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs
new file mode 100644
index 00000000000..e72167253d9
--- /dev/null
+++ b/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs
@@ -0,0 +1,9 @@
+defmodule Lightning.Repo.Migrations.AllowNullHashedPassword do
+  use Ecto.Migration
+
+  def change do
+    alter table(:users) do
+      modify :hashed_password, :string, null: true
+    end
+  end
+end

From 6c618685608c673d497a391cc53cb30e8ccf3478 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Tue, 19 May 2026 05:39:06 +0000
Subject: [PATCH 03/17] feat: support linking & unlinking for identities

---
 lib/lightning/accounts.ex                     |  60 +++++
 .../controllers/oidc_controller.ex            |  88 ++++++-
 .../live/profile_live/components.ex           |   5 +
 .../live/profile_live/identities_component.ex | 181 ++++++++++++++
 lib/lightning_web/router.ex                   |   1 +
 test/lightning/accounts_test.exs              | 141 +++++++++++
 .../controllers/oidc_controller_test.exs      | 228 +++++++++++++++++-
 test/lightning_web/live/profile_live_test.exs | 100 ++++++++
 test/support/factories.ex                     |   7 +
 9 files changed, 805 insertions(+), 6 deletions(-)
 create mode 100644 lib/lightning_web/live/profile_live/identities_component.ex

diff --git a/lib/lightning/accounts.ex b/lib/lightning/accounts.ex
index 2fa39e5fe61..e6fc2bba1e3 100644
--- a/lib/lightning/accounts.ex
+++ b/lib/lightning/accounts.ex
@@ -216,6 +216,66 @@ defmodule Lightning.Accounts do
     |> Repo.insert(on_conflict: :nothing, conflict_target: [:provider, :uid])
   end
 
+  @doc """
+  Returns the SSO identities linked to a user, ordered by provider name.
+  """
+  def list_user_identities(%User{id: user_id}) do
+    from(i in UserIdentity,
+      where: i.user_id == ^user_id,
+      order_by: [asc: i.provider]
+    )
+    |> Repo.all()
+  end
+
+  @doc """
+  Gets a user's identity for a given provider, or `nil` if not linked.
+  """
+  def get_user_identity(%User{id: user_id}, provider) do
+    Repo.get_by(UserIdentity, user_id: user_id, provider: provider)
+  end
+
+  @doc """
+  Removes the SSO identity for the given user and provider.
+
+  Refuses to remove the last identity for an SSO-only user (no password set),
+  since that would lock them out. Such users can set a password by going
+  through the password reset flow first.
+
+  Returns:
+    * `{:ok, identity}` when the identity is removed
+    * `{:error, :not_linked}` when the user has no identity for the provider
+    * `{:error, :would_lock_out}` when removing would leave an SSO-only user
+      with no way to log in
+  """
+  def unlink_user_identity(%User{} = user, provider) do
+    case get_user_identity(user, provider) do
+      nil ->
+        {:error, :not_linked}
+
+      %UserIdentity{} = identity ->
+        if can_remove_identity?(user, identity) do
+          Repo.delete(identity)
+        else
+          {:error, :would_lock_out}
+        end
+    end
+  end
+
+  defp can_remove_identity?(%User{hashed_password: hp}, _identity)
+       when is_binary(hp),
+       do: true
+
+  defp can_remove_identity?(%User{} = user, %UserIdentity{id: identity_id}) do
+    other_count =
+      from(i in UserIdentity,
+        where: i.user_id == ^user.id and i.id != ^identity_id,
+        select: count(i.id)
+      )
+      |> Repo.one()
+
+    other_count > 0
+  end
+
   @doc """
   Registers a brand-new user via SSO.
 
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index dd18575db08..76de3aae66a 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -10,6 +10,8 @@ defmodule LightningWeb.OidcController do
 
   action_fallback LightningWeb.FallbackController
 
+  @link_intent_session_key :sso_link_intent_provider
+
   plug :fetch_current_user
 
   @doc """
@@ -26,17 +28,41 @@ defmodule LightningWeb.OidcController do
     end
   end
 
+  @doc """
+  Initiates an SSO link flow for an already-authenticated user. The
+  provider is recorded in the session and the user is redirected to the
+  provider's authorize URL. On callback the controller links the resulting
+  identity to the current account rather than logging in.
+  """
+  def link(conn, %{"provider" => provider}) do
+    with {:ok, handler} <- AuthProviders.get_handler(provider) do
+      if conn.assigns.current_user do
+        conn
+        |> put_session(@link_intent_session_key, provider)
+        |> redirect(external: Handler.authorize_url(handler))
+      else
+        redirect(conn, to: Routes.user_session_path(conn, :new))
+      end
+    end
+  end
+
   @doc """
   Once the user has completed the authorization flow from above, they are
   returned here, and the authorization code is used to log them in.
   """
   def new(conn, %{"provider" => provider, "code" => code}) do
+    {link_intent, conn} = pop_link_intent(conn)
+
     with {:ok, handler} <- AuthProviders.get_handler(provider),
          {:ok, token} <- Handler.get_token(handler, code),
          userinfo <- Handler.get_userinfo(handler, token),
          {:ok, email} <- fetch_email(userinfo),
          {:ok, uid} <- fetch_uid(userinfo) do
-      handle_sso_login(conn, provider, uid, email, userinfo)
+      if link_intent == provider && conn.assigns.current_user do
+        handle_sso_link(conn, conn.assigns.current_user, provider, uid)
+      else
+        handle_sso_login(conn, provider, uid, email, userinfo)
+      end
     else
       {:error, :no_email} ->
         conn
@@ -44,12 +70,12 @@ defmodule LightningWeb.OidcController do
           :error,
           "Could not retrieve your email from the provider. Please ensure your email address is accessible."
         )
-        |> redirect(to: Routes.user_session_path(conn, :new))
+        |> redirect(to: failure_redirect(conn, link_intent))
 
       {:error, _reason} ->
         conn
         |> put_flash(:error, "Authentication failed")
-        |> redirect(to: Routes.user_session_path(conn, :new))
+        |> redirect(to: failure_redirect(conn, link_intent))
     end
   end
 
@@ -63,6 +89,45 @@ defmodule LightningWeb.OidcController do
     close_browser_window(conn)
   end
 
+  defp handle_sso_link(conn, %User{} = current_user, provider, uid) do
+    case Accounts.get_user_by_identity(provider, uid) do
+      %User{id: id} when id == current_user.id ->
+        conn
+        |> put_flash(
+          :info,
+          "Your #{display_name(provider)} account is already linked."
+        )
+        |> redirect(to: ~p"/profile")
+
+      %User{} ->
+        conn
+        |> put_flash(
+          :error,
+          "This #{display_name(provider)} identity is already linked to a different account."
+        )
+        |> redirect(to: ~p"/profile")
+
+      nil ->
+        case Accounts.link_user_identity(current_user, provider, uid) do
+          {:ok, _identity} ->
+            conn
+            |> put_flash(
+              :info,
+              "Linked your #{display_name(provider)} account."
+            )
+            |> redirect(to: ~p"/profile")
+
+          {:error, _reason} ->
+            conn
+            |> put_flash(
+              :error,
+              "Could not link your #{display_name(provider)} account. Please try again."
+            )
+            |> redirect(to: ~p"/profile")
+        end
+    end
+  end
+
   defp handle_sso_login(conn, provider, uid, email, userinfo) do
     case Accounts.get_user_by_identity(provider, uid) do
       %User{} = user ->
@@ -154,6 +219,23 @@ defmodule LightningWeb.OidcController do
 
   defp extract_name(_), do: %{first_name: "", last_name: ""}
 
+  defp pop_link_intent(conn) do
+    case get_session(conn, @link_intent_session_key) do
+      nil -> {nil, conn}
+      provider -> {provider, delete_session(conn, @link_intent_session_key)}
+    end
+  end
+
+  defp failure_redirect(conn, link_intent) do
+    if link_intent && conn.assigns.current_user do
+      ~p"/profile"
+    else
+      Routes.user_session_path(conn, :new)
+    end
+  end
+
+  defp display_name(provider), do: String.capitalize(provider)
+
   defp broadcast_message(state, data) do
     [subscription_id, mod, component_id, current_tab] =
       OauthCredentialHelper.decode_state(state)
diff --git a/lib/lightning_web/live/profile_live/components.ex b/lib/lightning_web/live/profile_live/components.ex
index f13a397ce6c..b4d7840c7cd 100644
--- a/lib/lightning_web/live/profile_live/components.ex
+++ b/lib/lightning_web/live/profile_live/components.ex
@@ -64,6 +64,11 @@ defmodule LightningWeb.ProfileLive.Components do
         id={"#{@current_user.id}_github_section"}
         user={@current_user}
       />
+      <.live_component
+        module={LightningWeb.ProfileLive.IdentitiesComponent}
+        id={"#{@current_user.id}_identities_section"}
+        user={@current_user}
+      />
       <.live_component
         module={LightningWeb.ProfileLive.ExperimentalFeaturesComponent}
         id="experimental-features"
diff --git a/lib/lightning_web/live/profile_live/identities_component.ex b/lib/lightning_web/live/profile_live/identities_component.ex
new file mode 100644
index 00000000000..14b52aa320f
--- /dev/null
+++ b/lib/lightning_web/live/profile_live/identities_component.ex
@@ -0,0 +1,181 @@
+defmodule LightningWeb.ProfileLive.IdentitiesComponent do
+  @moduledoc """
+  Component to manage linked SSO identities on a User's profile.
+  """
+  use LightningWeb, :live_component
+
+  alias Lightning.Accounts
+  alias Lightning.AuthProviders
+
+  @impl true
+  def update(%{user: user} = assigns, socket) do
+    {:ok,
+     socket
+     |> assign(assigns)
+     |> assign_providers(user)}
+  end
+
+  @impl true
+  def handle_event("unlink-identity", %{"provider" => provider}, socket) do
+    case Accounts.unlink_user_identity(socket.assigns.user, provider) do
+      {:ok, _identity} ->
+        {:noreply,
+         socket
+         |> put_flash(
+           :info,
+           "Unlinked your #{display_name(provider)} account."
+         )
+         |> push_navigate(to: ~p"/profile")}
+
+      {:error, :would_lock_out} ->
+        {:noreply,
+         socket
+         |> put_flash(
+           :error,
+           "Set a password (via the password reset link) before unlinking your only sign-in method."
+         )}
+
+      {:error, :not_linked} ->
+        {:noreply,
+         socket
+         |> put_flash(:error, "That identity is not linked to your account.")
+         |> push_navigate(to: ~p"/profile")}
+
+      {:error, _reason} ->
+        {:noreply,
+         socket
+         |> put_flash(
+           :error,
+           "Could not unlink your #{display_name(provider)} account."
+         )}
+    end
+  end
+
+  defp assign_providers(socket, user) do
+    {:ok, handlers} = AuthProviders.get_handlers()
+    identities = Accounts.list_user_identities(user)
+
+    linked_by_provider =
+      Map.new(identities, fn identity -> {identity.provider, identity} end)
+
+    providers =
+      handlers
+      |> Enum.map(fn handler ->
+        %{
+          name: handler.name,
+          identity: Map.get(linked_by_provider, handler.name)
+        }
+      end)
+      |> Enum.sort_by(& &1.name)
+
+    assign(socket, providers: providers)
+  end
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <div class="bg-white shadow-xs ring-1 ring-gray-900/5 sm:rounded-xl md:col-span-2 mb-4">
+      <div class="px-4 py-6 sm:p-8">
+        <div class="mb-5">
+          <span
+            class="text-xl font-medium leading-6 text-gray-900"
+            id={"#{@id}-label"}
+          >
+            Single Sign-On
+          </span>
+          <p class="text-sm text-gray-500 mt-1" id={"#{@id}-description"}>
+            Link your account to an SSO provider so you can sign in without a password.
+          </p>
+        </div>
+
+        <%= if @providers == [] do %>
+          <p class="text-sm text-gray-500 italic">
+            No SSO providers are configured for this instance.
+          </p>
+        <% else %>
+          <ul role="list" class="divide-y divide-gray-200">
+            <%= for provider <- @providers do %>
+              <.provider_row id={@id} provider={provider} myself={@myself} />
+            <% end %>
+          </ul>
+        <% end %>
+      </div>
+    </div>
+    """
+  end
+
+  attr :id, :string, required: true
+  attr :provider, :map, required: true
+  attr :myself, :any, required: true
+
+  defp provider_row(assigns) do
+    ~H"""
+    <li
+      id={"#{@id}-#{@provider.name}"}
+      class="flex items-center justify-between py-4 gap-4"
+    >
+      <div class="flex items-center gap-3 min-w-0">
+        <.provider_icon name={@provider.name} />
+        <div class="min-w-0">
+          <p class="text-sm font-medium text-gray-900 capitalize">
+            {display_name(@provider.name)}
+          </p>
+          <%= if @provider.identity do %>
+            <p class="text-xs text-gray-500 truncate">
+              Linked · uid {@provider.identity.uid}
+            </p>
+          <% else %>
+            <p class="text-xs text-gray-500">Not linked</p>
+          <% end %>
+        </div>
+      </div>
+      <div class="shrink-0">
+        <%= if @provider.identity do %>
+          <.button
+            id={"unlink-#{@provider.name}-button"}
+            type="button"
+            theme="danger"
+            phx-click="unlink-identity"
+            phx-value-provider={@provider.name}
+            phx-target={@myself}
+            data-confirm={"Unlink #{display_name(@provider.name)} from your account?"}
+          >
+            Unlink
+          </.button>
+        <% else %>
+          <.button_link
+            id={"link-#{@provider.name}-button"}
+            theme="secondary"
+            href={~p"/authenticate/#{@provider.name}/link"}
+          >
+            Link
+          </.button_link>
+        <% end %>
+      </div>
+    </li>
+    """
+  end
+
+  attr :name, :string, required: true
+
+  defp provider_icon(%{name: "github"} = assigns) do
+    ~H"""
+    <svg
+      class="h-6 w-6 text-gray-700"
+      viewBox="0 0 16 16"
+      fill="currentColor"
+      aria-hidden="true"
+    >
+      <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
+    </svg>
+    """
+  end
+
+  defp provider_icon(assigns) do
+    ~H"""
+    <.icon name="hero-identification" class="h-6 w-6 text-gray-700" />
+    """
+  end
+
+  defp display_name(provider), do: String.capitalize(provider)
+end
diff --git a/lib/lightning_web/router.ex b/lib/lightning_web/router.ex
index e8f64c1fe53..dd6814a5dd6 100644
--- a/lib/lightning_web/router.ex
+++ b/lib/lightning_web/router.ex
@@ -65,6 +65,7 @@ defmodule LightningWeb.Router do
 
     get "/authenticate/callback", OidcController, :new
     get "/authenticate/:provider", OidcController, :show
+    get "/authenticate/:provider/link", OidcController, :link
     get "/authenticate/:provider/callback", OidcController, :new
 
     get "/oauth/:provider/callback", OauthController, :new
diff --git a/test/lightning/accounts_test.exs b/test/lightning/accounts_test.exs
index 533e805151d..3237fe9503b 100644
--- a/test/lightning/accounts_test.exs
+++ b/test/lightning/accounts_test.exs
@@ -142,6 +142,147 @@ defmodule Lightning.AccountsTest do
                  valid_user_password()
                )
     end
+
+    test "returns :sso_account error when the user has no password" do
+      user = insert(:user, hashed_password: nil, password: nil)
+
+      assert {:error, :sso_account} =
+               Accounts.get_user_by_email_and_password(user.email, "anything")
+    end
+  end
+
+  describe "get_user_by_identity/2" do
+    test "returns the user when an identity exists" do
+      user = insert(:user)
+
+      insert(:user_identity,
+        user: user,
+        provider: "github",
+        uid: "12345"
+      )
+
+      assert %User{id: id} = Accounts.get_user_by_identity("github", "12345")
+      assert id == user.id
+    end
+
+    test "returns nil when no identity matches" do
+      refute Accounts.get_user_by_identity("github", "nope")
+    end
+  end
+
+  describe "link_user_identity/3" do
+    test "creates a new identity for the user" do
+      user = insert(:user)
+
+      assert {:ok, identity} =
+               Accounts.link_user_identity(user, "github", "abc")
+
+      assert identity.user_id == user.id
+      assert identity.provider == "github"
+      assert identity.uid == "abc"
+    end
+
+    test "is idempotent on (provider, uid) conflicts" do
+      user = insert(:user)
+      insert(:user_identity, user: user, provider: "github", uid: "abc")
+
+      assert {:ok, _} = Accounts.link_user_identity(user, "github", "abc")
+    end
+  end
+
+  describe "register_user_from_sso/3" do
+    test "creates a confirmed user and linked identity in one transaction" do
+      Events.subscribe()
+      email = unique_user_email()
+
+      assert {:ok, user} =
+               Accounts.register_user_from_sso(
+                 %{
+                   email: email,
+                   first_name: "Sso",
+                   last_name: "User"
+                 },
+                 "github",
+                 "id-1"
+               )
+
+      assert user.email == email
+      assert user.first_name == "Sso"
+      assert user.last_name == "User"
+      assert is_nil(user.hashed_password)
+      refute is_nil(user.confirmed_at)
+      assert_receive %Events.UserRegistered{user: ^user}
+
+      assert %User{id: same_id} = Accounts.get_user_by_identity("github", "id-1")
+      assert same_id == user.id
+    end
+
+    test "fails when the email is already taken" do
+      existing = insert(:user)
+
+      assert {:error, changeset} =
+               Accounts.register_user_from_sso(
+                 %{
+                   email: existing.email,
+                   first_name: "Other",
+                   last_name: "User"
+                 },
+                 "github",
+                 "id-2"
+               )
+
+      assert "has already been taken" in errors_on(changeset).email
+    end
+  end
+
+  describe "list_user_identities/1" do
+    test "returns identities for the given user, ordered by provider" do
+      user = insert(:user)
+
+      insert(:user_identity, user: user, provider: "google", uid: "g1")
+      insert(:user_identity, user: user, provider: "github", uid: "h1")
+      insert(:user_identity, user: insert(:user), provider: "github", uid: "h2")
+
+      assert [a, b] = Accounts.list_user_identities(user)
+      assert a.provider == "github"
+      assert b.provider == "google"
+    end
+  end
+
+  describe "unlink_user_identity/2" do
+    test "removes the identity for a user with a password" do
+      user = insert(:user)
+      insert(:user_identity, user: user, provider: "github", uid: "h1")
+
+      assert {:ok, _} = Accounts.unlink_user_identity(user, "github")
+      assert [] = Accounts.list_user_identities(user)
+    end
+
+    test "returns :not_linked when the provider is not linked" do
+      user = insert(:user)
+
+      assert {:error, :not_linked} =
+               Accounts.unlink_user_identity(user, "github")
+    end
+
+    test "refuses to unlink the only identity of an SSO-only user" do
+      user = insert(:user, hashed_password: nil)
+      insert(:user_identity, user: user, provider: "github", uid: "h1")
+
+      assert {:error, :would_lock_out} =
+               Accounts.unlink_user_identity(user, "github")
+
+      assert [_] = Accounts.list_user_identities(user)
+    end
+
+    test "allows unlinking when an SSO-only user has another identity" do
+      user = insert(:user, hashed_password: nil)
+      insert(:user_identity, user: user, provider: "github", uid: "h1")
+      insert(:user_identity, user: user, provider: "google", uid: "g1")
+
+      assert {:ok, _} = Accounts.unlink_user_identity(user, "github")
+      assert [%{provider: "google"}] = Accounts.list_user_identities(user)
+    end
   end
 
   describe "get_user!/1" do
diff --git a/test/lightning_web/controllers/oidc_controller_test.exs b/test/lightning_web/controllers/oidc_controller_test.exs
index 5b788cf1d03..556d72a7b69 100644
--- a/test/lightning_web/controllers/oidc_controller_test.exs
+++ b/test/lightning_web/controllers/oidc_controller_test.exs
@@ -73,7 +73,58 @@ defmodule LightningWeb.OidcControllerTest do
       expect_token(bypass, handler.wellknown)
 
       user = Lightning.AccountsFixtures.user_fixture()
-      expect_userinfo(bypass, handler.wellknown, %{"email" => user.email})
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => user.email,
+        "sub" => "sub-#{user.id}"
+      })
+
+      conn =
+        conn
+        |> get(
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == "/projects"
+    end
+
+    test "auto-links an identity for an existing email-only user and logs them in",
+         %{conn: conn, bypass: bypass, handler: handler} do
+      expect_token(bypass, handler.wellknown)
+      user = Lightning.AccountsFixtures.user_fixture()
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => user.email,
+        "sub" => "github-uid-1"
+      })
+
+      conn =
+        conn
+        |> get(
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == "/projects"
+
+      assert %Lightning.Accounts.User{id: same_id} =
+               Lightning.Accounts.get_user_by_identity(
+                 handler.name,
+                 "github-uid-1"
+               )
+
+      assert same_id == user.id
+    end
+
+    test "auto-registers a new user when there is no existing email or identity",
+         %{conn: conn, bypass: bypass, handler: handler} do
+      expect_token(bypass, handler.wellknown)
+      email = "new-sso-user-#{System.unique_integer([:positive])}@example.com"
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => email,
+        "sub" => "fresh-uid-1",
+        "name" => "First Last"
+      })
 
       conn =
         conn
@@ -82,6 +133,36 @@ defmodule LightningWeb.OidcControllerTest do
         )
 
       assert redirected_to(conn) == "/projects"
+
+      user = Lightning.Accounts.get_user_by_email(email)
+      assert user
+      assert user.first_name == "First"
+      assert user.last_name == "Last"
+      assert is_nil(user.hashed_password)
+      refute is_nil(user.confirmed_at)
+
+      assert Lightning.Accounts.get_user_by_identity(handler.name, "fresh-uid-1")
+    end
+
+    test "redirects to login when userinfo has no email", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      expect_token(bypass, handler.wellknown)
+
+      expect_userinfo(bypass, handler.wellknown, %{"sub" => "abc"})
+
+      conn =
+        conn
+        |> get(
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "Could not retrieve your email"
     end
 
     test "logs the person in but marks totp as pending for users wth MFA enabled",
@@ -112,14 +193,14 @@ defmodule LightningWeb.OidcControllerTest do
       assert redirected_to(conn) == Routes.user_totp_path(conn, :new)
     end
 
-    test "shows an error when the person doesn't exist", %{
+    test "redirects to login when userinfo has no uid", %{
       conn: conn,
       bypass: bypass,
       handler: handler
     } do
       expect_token(bypass, handler.wellknown)
 
-      expect_userinfo(bypass, handler.wellknown, %{"email" => "invalid@user.com"})
+      expect_userinfo(bypass, handler.wellknown, %{"email" => "x@example.com"})
 
       conn =
         conn
@@ -170,6 +251,147 @@ defmodule LightningWeb.OidcControllerTest do
     end
   end
 
+  describe "GET /authenticate/:provider/link" do
+    setup :setup_handler
+
+    test "redirects to the provider authorize url for a logged-in user", %{
+      conn: conn,
+      handler: handler
+    } do
+      user = user_fixture()
+
+      conn =
+        conn
+        |> log_in_user(user)
+        |> get(Routes.oidc_path(conn, :link, handler.name))
+
+      assert redirected_to(conn) ==
+               AuthProviders.Handler.authorize_url(handler)
+
+      assert get_session(conn, :sso_link_intent_provider) == handler.name
+    end
+
+    test "redirects unauthenticated users to log in", %{
+      conn: conn,
+      handler: handler
+    } do
+      conn = get(conn, Routes.oidc_path(conn, :link, handler.name))
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+    end
+  end
+
+  describe "GET /authenticate/:provider/callback (link flow)" do
+    setup :setup_handler
+
+    test "links the identity to the current user", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      user = user_fixture()
+      expect_token(bypass, handler.wellknown)
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => "anything@example.com",
+        "sub" => "new-link-uid"
+      })
+
+      conn =
+        conn
+        |> log_in_user(user)
+        |> put_session(:sso_link_intent_provider, handler.name)
+        |> get(
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == ~p"/profile"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Linked your"
+
+      assert %Lightning.Accounts.User{id: same_id} =
+               Lightning.Accounts.get_user_by_identity(
+                 handler.name,
+                 "new-link-uid"
+               )
+
+      assert same_id == user.id
+    end
+
+    test "flashes info when identity is already linked to the same account", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      user = user_fixture()
+
+      insert(:user_identity,
+        user: user,
+        provider: handler.name,
+        uid: "existing-uid"
+      )
+
+      expect_token(bypass, handler.wellknown)
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => user.email,
+        "sub" => "existing-uid"
+      })
+
+      conn =
+        conn
+        |> log_in_user(user)
+        |> put_session(:sso_link_intent_provider, handler.name)
+        |> get(
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == ~p"/profile"
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "already linked"
+    end
+
+    test "rejects linking an identity already claimed by another user", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      user = user_fixture()
+      other_user = user_fixture()
+
+      insert(:user_identity,
+        user: other_user,
+        provider: handler.name,
+        uid: "claimed-uid"
+      )
+
+      expect_token(bypass, handler.wellknown)
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => "anything@example.com",
+        "sub" => "claimed-uid"
+      })
+
+      conn =
+        conn
+        |> log_in_user(user)
+        |> put_session(:sso_link_intent_provider, handler.name)
+        |> get(
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == ~p"/profile"
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~ "already linked"
+
+      # Still belongs to the other user
+      assert %Lightning.Accounts.User{id: same_id} =
+               Lightning.Accounts.get_user_by_identity(
+                 handler.name,
+                 "claimed-uid"
+               )
+
+      assert same_id == other_user.id
+    end
+  end
+
   describe "GET /authenticate/callback" do
     setup %{conn: conn} do
       subscription_id =
diff --git a/test/lightning_web/live/profile_live_test.exs b/test/lightning_web/live/profile_live_test.exs
index 6706f48997b..ea2c48a6f81 100644
--- a/test/lightning_web/live/profile_live_test.exs
+++ b/test/lightning_web/live/profile_live_test.exs
@@ -820,4 +820,104 @@ defmodule LightningWeb.ProfileLiveTest do
       refute has_element?(view, "#gdpr-banner")
     end
   end
+
+  describe "Identities Component" do
+    setup do
+      handler_name = :crypto.strong_rand_bytes(6) |> Base.url_encode64()
+
+      wellknown = %Lightning.AuthProviders.WellKnown{
+        authorization_endpoint: "https://example.com/authorize",
+        token_endpoint: "https://example.com/token",
+        userinfo_endpoint: "https://example.com/userinfo"
+      }
+
+      {:ok, handler} =
+        Lightning.AuthProviders.Handler.new(handler_name,
+          wellknown: wellknown,
+          client_id: "id",
+          client_secret: "secret",
+          redirect_uri: "http://localhost/callback_url"
+        )
+
+      Lightning.AuthProviders.create_handler(handler)
+      on_exit(fn -> Lightning.AuthProviders.remove_handler(handler) end)
+
+      {:ok, handler: handler}
+    end
+
+    test "renders Link button when provider is not linked", %{
+      conn: conn,
+      handler: handler
+    } do
+      user = user_fixture()
+      conn = log_in_user(conn, user)
+
+      {:ok, view, _html} = live(conn, ~p"/profile", on_error: :raise)
+
+      assert has_element?(view, "#link-#{handler.name}-button")
+      refute has_element?(view, "#unlink-#{handler.name}-button")
+    end
+
+    test "renders Unlink button when provider is linked", %{
+      conn: conn,
+      handler: handler
+    } do
+      user = user_fixture()
+
+      insert(:user_identity,
+        user: user,
+        provider: handler.name,
+        uid: "abc"
+      )
+
+      conn = log_in_user(conn, user)
+      {:ok, view, _html} = live(conn, ~p"/profile", on_error: :raise)
+
+      assert has_element?(view, "#unlink-#{handler.name}-button")
+      refute has_element?(view, "#link-#{handler.name}-button")
+    end
+
+    test "unlink event removes the identity", %{conn: conn, handler: handler} do
+      user = user_fixture()
+
+      insert(:user_identity,
+        user: user,
+        provider: handler.name,
+        uid: "abc"
+      )
+
+      conn = log_in_user(conn, user)
+      {:ok, view, _html} = live(conn, ~p"/profile", on_error: :raise)
+
+      view
+      |> element("#unlink-#{handler.name}-button")
+      |> render_click()
+
+      assert Lightning.Accounts.list_user_identities(user) == []
+    end
+
+    test "unlink is refused for SSO-only user with only one identity", %{
+      conn: conn,
+      handler: handler
+    } do
+      user = insert(:user, hashed_password: nil)
+
+      insert(:user_identity,
+        user: user,
+        provider: handler.name,
+        uid: "abc"
+      )
+
+      conn = log_in_user(conn, user)
+      {:ok, view, _html} = live(conn, ~p"/profile", on_error: :raise)
+
+      html =
+        view
+        |> element("#unlink-#{handler.name}-button")
+        |> render_click()
+
+      assert html =~ "Set a password"
+      assert [_] = Lightning.Accounts.list_user_identities(user)
+    end
+  end
 end
diff --git a/test/support/factories.ex b/test/support/factories.ex
index 94c2a6de221..cd92c039fda 100644
--- a/test/support/factories.ex
+++ b/test/support/factories.ex
@@ -308,6 +308,13 @@ defmodule Lightning.Factories do
     }
   end
 
+  def user_identity_factory do
+    %Lightning.Accounts.UserIdentity{
+      provider: "github",
+      uid: sequence(:user_identity_uid, &"uid-#{&1}")
+    }
+  end
+
   def user_token_factory do
     %Lightning.Accounts.UserToken{
       token: fn -> Ecto.UUID.generate() end

From 671b321f2e049cee4f5ea086801850b079ef8086 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Tue, 19 May 2026 16:44:48 +0000
Subject: [PATCH 04/17] feat: add new provider

---
 .env.example                                  | 10 ++--
 lib/lightning/auth_providers/cache_warmer.ex  |  8 +++-
 .../auth_providers/google_handler.ex          | 42 +++++++++++++++++
 lib/lightning/config.ex                       | 11 +++++
 lib/lightning/config/bootstrap.ex             | 27 +++++++++--
 lib/lightning_web/components/sso_icons.ex     | 47 +++++++++++++++++++
 .../user_registration_html/new.html.heex      | 19 ++------
 .../user_session_html/new.html.heex           | 19 ++------
 .../live/profile_live/identities_component.ex | 26 ++--------
 .../auth_providers/google_handler_test.exs    | 42 +++++++++++++++++
 10 files changed, 190 insertions(+), 61 deletions(-)
 create mode 100644 lib/lightning/auth_providers/google_handler.ex
 create mode 100644 lib/lightning_web/components/sso_icons.ex
 create mode 100644 test/lightning/auth_providers/google_handler_test.exs

diff --git a/.env.example b/.env.example
index 765abd6f59b..6a245cb2fa9 100644
--- a/.env.example
+++ b/.env.example
@@ -13,9 +13,13 @@
 # SALESFORCE_CLIENT_ID=3MVG9_ghE
 # SALESFORCE_CLIENT_SECRET=703777B
 
-# Set this up to handle Google OAuth credentials (ex: GoogleSheets)
-# GOOGLE_CLIENT_ID=660274980707
-# GOOGLE_CLIENT_SECRET=GOCSPX-ua
+# Set GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET to enable GitHub SSO sign-in
+# GITHUB_CLIENT_ID=
+# GITHUB_CLIENT_SECRET=
+
+# Set GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET to enable Google SSO sign-in
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
 
 # Choose an admin email address and configure a mailer. If you don't specify
 # mailer details the local test adaptor will be used and mail previews can be
diff --git a/lib/lightning/auth_providers/cache_warmer.ex b/lib/lightning/auth_providers/cache_warmer.ex
index e55327adb83..01f8024a346 100644
--- a/lib/lightning/auth_providers/cache_warmer.ex
+++ b/lib/lightning/auth_providers/cache_warmer.ex
@@ -39,7 +39,13 @@ defmodule Lightning.AuthProviders.CacheWarmer do
         _ -> []
       end
 
-    case db_entries ++ github_entries do
+    google_entries =
+      case Lightning.AuthProviders.GoogleHandler.build() do
+        {:ok, handler} -> [{handler.name, handler}]
+        _ -> []
+      end
+
+    case db_entries ++ github_entries ++ google_entries do
       [] -> :ignore
       entries -> {:ok, entries}
     end
diff --git a/lib/lightning/auth_providers/google_handler.ex b/lib/lightning/auth_providers/google_handler.ex
new file mode 100644
index 00000000000..7b54f222e80
--- /dev/null
+++ b/lib/lightning/auth_providers/google_handler.ex
@@ -0,0 +1,42 @@
+defmodule Lightning.AuthProviders.GoogleHandler do
+  @moduledoc """
+  Builds a Handler for Google OAuth2 SSO login from environment configuration.
+
+  Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET to enable Google login.
+  """
+
+  alias Lightning.AuthProviders.Handler
+  alias Lightning.AuthProviders.WellKnown
+
+  @name "google"
+  @authorization_endpoint "https://accounts.google.com/o/oauth2/v2/auth"
+  @token_endpoint "https://oauth2.googleapis.com/token"
+  @userinfo_endpoint "https://openidconnect.googleapis.com/v1/userinfo"
+
+  def handler_name, do: @name
+
+  @spec build() :: {:ok, Handler.t()} | {:error, :not_configured}
+  def build do
+    client_id = Lightning.Config.google_oauth(:client_id)
+    client_secret = Lightning.Config.google_oauth(:client_secret)
+    redirect_uri = Lightning.Config.google_oauth(:redirect_uri)
+
+    if client_id && client_secret && redirect_uri do
+      wellknown = %WellKnown{
+        authorization_endpoint: @authorization_endpoint,
+        token_endpoint: @token_endpoint,
+        userinfo_endpoint: @userinfo_endpoint
+      }
+
+      Handler.new(@name,
+        client_id: client_id,
+        client_secret: client_secret,
+        redirect_uri: redirect_uri,
+        wellknown: wellknown,
+        scope: "openid email profile"
+      )
+    else
+      {:error, :not_configured}
+    end
+  end
+end
diff --git a/lib/lightning/config.ex b/lib/lightning/config.ex
index 04f8e6a826a..ea3c0b82d55 100644
--- a/lib/lightning/config.ex
+++ b/lib/lightning/config.ex
@@ -119,6 +119,12 @@ defmodule Lightning.Config do
       |> Keyword.get(key)
     end
 
+    @impl true
+    def google_oauth(key) do
+      Application.get_env(:lightning, :google_oauth, [])
+      |> Keyword.get(key)
+    end
+
     @impl true
     def check_flag?(flag) do
       Application.get_env(:lightning, flag)
@@ -461,6 +467,7 @@ defmodule Lightning.Config do
   @callback get_extension_mod(key :: atom()) :: any()
   @callback google(key :: atom()) :: any()
   @callback github_oauth(key :: atom()) :: any()
+  @callback google_oauth(key :: atom()) :: any()
   @callback grace_period() :: integer()
   @callback instance_admin_email() :: String.t()
   @callback kafka_alternate_storage_enabled?() :: boolean()
@@ -618,6 +625,10 @@ defmodule Lightning.Config do
     impl().github_oauth(key)
   end
 
+  def google_oauth(key) do
+    impl().google_oauth(key)
+  end
+
   def cors_origin do
     impl().cors_origin()
   end
diff --git a/lib/lightning/config/bootstrap.ex b/lib/lightning/config/bootstrap.ex
index 534c936564a..05124505a66 100644
--- a/lib/lightning/config/bootstrap.ex
+++ b/lib/lightning/config/bootstrap.ex
@@ -512,11 +512,7 @@ defmodule Lightning.Config.Bootstrap do
 
     if github_client_id && github_client_secret do
       github_redirect_uri =
-        if url_port in [80, 443] do
-          "#{url_scheme}://#{host}/authenticate/github/callback"
-        else
-          "#{url_scheme}://#{host}:#{url_port}/authenticate/github/callback"
-        end
+        sso_redirect_uri(url_scheme, host, url_port, "github")
 
       config :lightning, :github_oauth,
         client_id: github_client_id,
@@ -524,6 +520,19 @@ defmodule Lightning.Config.Bootstrap do
         redirect_uri: github_redirect_uri
     end
 
+    google_client_id = env!("GOOGLE_CLIENT_ID", :string, nil)
+    google_client_secret = env!("GOOGLE_CLIENT_SECRET", :string, nil)
+
+    if google_client_id && google_client_secret do
+      google_redirect_uri =
+        sso_redirect_uri(url_scheme, host, url_port, "google")
+
+      config :lightning, :google_oauth,
+        client_id: google_client_id,
+        client_secret: google_client_secret,
+        redirect_uri: google_redirect_uri
+    end
+
     if config_env() == :prod do
       unless database_url do
         raise """
@@ -1026,6 +1035,14 @@ defmodule Lightning.Config.Bootstrap do
       {:error, worker_key_error("could not be parsed: #{Exception.message(e)}")}
   end
 
+  defp sso_redirect_uri(url_scheme, host, url_port, provider) do
+    if url_port in [80, 443] do
+      "#{url_scheme}://#{host}/authenticate/#{provider}/callback"
+    else
+      "#{url_scheme}://#{host}:#{url_port}/authenticate/#{provider}/callback"
+    end
+  end
+
   defp worker_key_error(reason) do
     """
     WORKER_RUNS_PRIVATE_KEY #{reason}
diff --git a/lib/lightning_web/components/sso_icons.ex b/lib/lightning_web/components/sso_icons.ex
new file mode 100644
index 00000000000..38a947b64aa
--- /dev/null
+++ b/lib/lightning_web/components/sso_icons.ex
@@ -0,0 +1,47 @@
+defmodule LightningWeb.Components.SsoIcons do
+  @moduledoc """
+  SVG icons for SSO providers, shared between sign-in, sign-up, and the profile
+  identities section.
+  """
+  use LightningWeb, :component
+
+  attr :name, :string, required: true
+  attr :class, :string, default: "h-4 w-4 inline-block"
+
+  def provider_icon(%{name: "github"} = assigns) do
+    ~H"""
+    <svg class={@class} viewBox="0 0 16 16" fill="currentColor" aria-hidden="true">
+      <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
+    </svg>
+    """
+  end
+
+  def provider_icon(%{name: "google"} = assigns) do
+    ~H"""
+    <svg class={@class} viewBox="0 0 48 48" aria-hidden="true">
+      <path
+        fill="#FFC107"
+        d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z"
+      />
+      <path
+        fill="#FF3D00"
+        d="M6.306 14.691l6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z"
+      />
+      <path
+        fill="#4CAF50"
+        d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238C29.211 35.091 26.715 36 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z"
+      />
+      <path
+        fill="#1976D2"
+        d="M43.611 20.083H42V20H24v8h11.303c-.792 2.237-2.231 4.166-4.087 5.571.001-.001.002-.001.003-.002l6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z"
+      />
+    </svg>
+    """
+  end
+
+  def provider_icon(assigns) do
+    ~H"""
+    <.icon name="hero-identification" class={@class} />
+    """
+  end
+end
diff --git a/lib/lightning_web/controllers/user_registration_html/new.html.heex b/lib/lightning_web/controllers/user_registration_html/new.html.heex
index d1b56e9f2e4..014f3abce48 100644
--- a/lib/lightning_web/controllers/user_registration_html/new.html.heex
+++ b/lib/lightning_web/controllers/user_registration_html/new.html.heex
@@ -97,21 +97,10 @@
                   <.button theme="secondary">
                     <a href={provider.url} class="w-full">
                       <div class="-ml-1 inline-flex items-center">
-                        <%= if provider.name == "github" do %>
-                          <svg
-                            class="h-4 w-4 inline-block"
-                            viewBox="0 0 16 16"
-                            fill="currentColor"
-                            aria-hidden="true"
-                          >
-                            <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
-                          </svg>
-                        <% else %>
-                          <.icon
-                            name="hero-identification"
-                            class="h-4 w-4 inline-block"
-                          />
-                        <% end %>
+                        <LightningWeb.Components.SsoIcons.provider_icon
+                          name={provider.name}
+                          class="h-4 w-4 inline-block"
+                        />
                         <span class="ml-1 inline-block align-middle">
                           Sign up with {String.capitalize(provider.name)}
                         </span>
diff --git a/lib/lightning_web/controllers/user_session_html/new.html.heex b/lib/lightning_web/controllers/user_session_html/new.html.heex
index 168d2f27c7f..659a042ebde 100644
--- a/lib/lightning_web/controllers/user_session_html/new.html.heex
+++ b/lib/lightning_web/controllers/user_session_html/new.html.heex
@@ -61,21 +61,10 @@
                   <.button theme="secondary">
                     <a href={provider.url} class="w-full">
                       <div class="-ml-1 inline-flex items-center">
-                        <%= if provider.name == "github" do %>
-                          <svg
-                            class="h-4 w-4 inline-block"
-                            viewBox="0 0 16 16"
-                            fill="currentColor"
-                            aria-hidden="true"
-                          >
-                            <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
-                          </svg>
-                        <% else %>
-                          <.icon
-                            name="hero-identification"
-                            class="h-4 w-4 inline-block"
-                          />
-                        <% end %>
+                        <LightningWeb.Components.SsoIcons.provider_icon
+                          name={provider.name}
+                          class="h-4 w-4 inline-block"
+                        />
                         <span class="ml-1 inline-block align-middle">
                           Sign in with {String.capitalize(provider.name)}
                         </span>
diff --git a/lib/lightning_web/live/profile_live/identities_component.ex b/lib/lightning_web/live/profile_live/identities_component.ex
index 14b52aa320f..8683ee1b49a 100644
--- a/lib/lightning_web/live/profile_live/identities_component.ex
+++ b/lib/lightning_web/live/profile_live/identities_component.ex
@@ -115,7 +115,10 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
       class="flex items-center justify-between py-4 gap-4"
     >
       <div class="flex items-center gap-3 min-w-0">
-        <.provider_icon name={@provider.name} />
+        <LightningWeb.Components.SsoIcons.provider_icon
+          name={@provider.name}
+          class="h-6 w-6 text-gray-700"
+        />
         <div class="min-w-0">
           <p class="text-sm font-medium text-gray-900 capitalize">
             {display_name(@provider.name)}
@@ -156,26 +159,5 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
     """
   end
 
-  attr :name, :string, required: true
-
-  defp provider_icon(%{name: "github"} = assigns) do
-    ~H"""
-    <svg
-      class="h-6 w-6 text-gray-700"
-      viewBox="0 0 16 16"
-      fill="currentColor"
-      aria-hidden="true"
-    >
-      <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z" />
-    </svg>
-    """
-  end
-
-  defp provider_icon(assigns) do
-    ~H"""
-    <.icon name="hero-identification" class="h-6 w-6 text-gray-700" />
-    """
-  end
-
   defp display_name(provider), do: String.capitalize(provider)
 end
diff --git a/test/lightning/auth_providers/google_handler_test.exs b/test/lightning/auth_providers/google_handler_test.exs
new file mode 100644
index 00000000000..fc64abde1f5
--- /dev/null
+++ b/test/lightning/auth_providers/google_handler_test.exs
@@ -0,0 +1,42 @@
+defmodule Lightning.AuthProviders.GoogleHandlerTest do
+  use ExUnit.Case, async: false
+
+  import Mox
+
+  alias Lightning.AuthProviders.GoogleHandler
+  alias Lightning.AuthProviders.Handler
+
+  setup :verify_on_exit!
+
+  setup do
+    Mox.stub_with(Lightning.MockConfig, Lightning.Config.API)
+    prev = Application.get_env(:lightning, :google_oauth)
+    on_exit(fn -> Application.put_env(:lightning, :google_oauth, prev || []) end)
+    :ok
+  end
+
+  test "build/0 returns :not_configured when credentials are missing" do
+    Application.put_env(:lightning, :google_oauth, [])
+    assert {:error, :not_configured} = GoogleHandler.build()
+  end
+
+  test "build/0 returns a configured handler when all keys are set" do
+    Application.put_env(:lightning, :google_oauth,
+      client_id: "id",
+      client_secret: "secret",
+      redirect_uri: "http://localhost/authenticate/google/callback"
+    )
+
+    assert {:ok, %Handler{name: "google", scope: "openid email profile"}} =
+             GoogleHandler.build()
+  end
+
+  test "build/0 returns :not_configured when redirect_uri is missing" do
+    Application.put_env(:lightning, :google_oauth,
+      client_id: "id",
+      client_secret: "secret"
+    )
+
+    assert {:error, :not_configured} = GoogleHandler.build()
+  end
+end

From d9fa75f1d95c8e65ac1f625d4749b6304e452b53 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 22 May 2026 05:42:22 +0000
Subject: [PATCH 05/17] feat: disable auto-link of acocunts

---
 .../controllers/oidc_controller.ex            | 10 +++--
 .../controllers/oidc_controller_test.exs      | 41 ++++++++++++++-----
 2 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index 76de3aae66a..9e64b5f30d9 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -135,9 +135,13 @@ defmodule LightningWeb.OidcController do
 
       nil ->
         case Accounts.get_user_by_email(email) do
-          %User{} = user ->
-            Accounts.link_user_identity(user, provider, uid)
-            do_log_in(conn, user)
+          %User{} ->
+            conn
+            |> put_flash(
+              :info,
+              "An account already exists for #{email}. Sign in and link your #{display_name(provider)} account from your profile settings to use single sign-on."
+            )
+            |> redirect(to: Routes.user_session_path(conn, :new))
 
           nil ->
             name = extract_name(userinfo)
diff --git a/test/lightning_web/controllers/oidc_controller_test.exs b/test/lightning_web/controllers/oidc_controller_test.exs
index 556d72a7b69..c783d2907c0 100644
--- a/test/lightning_web/controllers/oidc_controller_test.exs
+++ b/test/lightning_web/controllers/oidc_controller_test.exs
@@ -65,7 +65,7 @@ defmodule LightningWeb.OidcControllerTest do
   describe "GET /authenticate/:provider/callback" do
     setup :setup_handler
 
-    test "logs the given person in", %{
+    test "logs in users whose identity is already linked", %{
       conn: conn,
       bypass: bypass,
       handler: handler
@@ -74,6 +74,12 @@ defmodule LightningWeb.OidcControllerTest do
 
       user = Lightning.AccountsFixtures.user_fixture()
 
+      insert(:user_identity,
+        user: user,
+        provider: handler.name,
+        uid: "sub-#{user.id}"
+      )
+
       expect_userinfo(bypass, handler.wellknown, %{
         "email" => user.email,
         "sub" => "sub-#{user.id}"
@@ -88,14 +94,14 @@ defmodule LightningWeb.OidcControllerTest do
       assert redirected_to(conn) == "/projects"
     end
 
-    test "auto-links an identity for an existing email-only user and logs them in",
+    test "redirects to login with a notice when email matches an existing account",
          %{conn: conn, bypass: bypass, handler: handler} do
       expect_token(bypass, handler.wellknown)
       user = Lightning.AccountsFixtures.user_fixture()
 
       expect_userinfo(bypass, handler.wellknown, %{
         "email" => user.email,
-        "sub" => "github-uid-1"
+        "sub" => "unlinked-uid"
       })
 
       conn =
@@ -104,15 +110,19 @@ defmodule LightningWeb.OidcControllerTest do
           Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
         )
 
-      assert redirected_to(conn) == "/projects"
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
 
-      assert %Lightning.Accounts.User{id: same_id} =
-               Lightning.Accounts.get_user_by_identity(
-                 handler.name,
-                 "github-uid-1"
-               )
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~
+               "An account already exists"
 
-      assert same_id == user.id
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~
+               "link your #{String.capitalize(handler.name)} account"
+
+      # No identity was silently created
+      refute Lightning.Accounts.get_user_by_identity(
+               handler.name,
+               "unlinked-uid"
+             )
     end
 
     test "auto-registers a new user when there is no existing email or identity",
@@ -175,7 +185,16 @@ defmodule LightningWeb.OidcControllerTest do
 
       user = insert(:user, mfa_enabled: true, user_totp: build(:user_totp))
 
-      expect_userinfo(bypass, handler.wellknown, %{"email" => user.email})
+      insert(:user_identity,
+        user: user,
+        provider: handler.name,
+        uid: "mfa-uid-#{user.id}"
+      )
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => user.email,
+        "sub" => "mfa-uid-#{user.id}"
+      })
 
       conn =
         conn

From 448d93c694316a2d7d3412dd553aeb94d9b007c6 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 22 May 2026 08:38:59 +0000
Subject: [PATCH 06/17] feat: prompt user before creating new sso account

---
 .../controllers/oidc_controller.ex            | 108 ++++++++++++++---
 lib/lightning_web/controllers/oidc_html.ex    |   7 ++
 .../oidc_html/confirm_signup.html.heex        |  64 ++++++++++
 lib/lightning_web/router.ex                   |   3 +
 .../controllers/oidc_controller_test.exs      | 113 ++++++++++++++++--
 5 files changed, 271 insertions(+), 24 deletions(-)
 create mode 100644 lib/lightning_web/controllers/oidc_html.ex
 create mode 100644 lib/lightning_web/controllers/oidc_html/confirm_signup.html.heex

diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index 9e64b5f30d9..b14abbd45c8 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -11,6 +11,7 @@ defmodule LightningWeb.OidcController do
   action_fallback LightningWeb.FallbackController
 
   @link_intent_session_key :sso_link_intent_provider
+  @pending_signup_session_key :sso_pending_signup
 
   plug :fetch_current_user
 
@@ -89,6 +90,81 @@ defmodule LightningWeb.OidcController do
     close_browser_window(conn)
   end
 
+  @doc """
+  Renders the confirmation page shown after a successful SSO callback that
+  would create a brand-new account. We ask the user to confirm before
+  provisioning so they aren't surprised by an account they didn't realise was
+  being created.
+  """
+  def confirm_signup(conn, _params) do
+    case get_session(conn, @pending_signup_session_key) do
+      %{} = pending ->
+        render(conn, :confirm_signup, pending: pending)
+
+      _ ->
+        conn
+        |> clear_pending_signup()
+        |> put_flash(:error, "No pending sign-up to confirm.")
+        |> redirect(to: Routes.user_session_path(conn, :new))
+    end
+  end
+
+  @doc """
+  Confirms a pending SSO signup. Creates the account, links the identity, and
+  logs the user in.
+  """
+  def complete_signup(conn, _params) do
+    case get_session(conn, @pending_signup_session_key) do
+      %{
+        "provider" => provider,
+        "uid" => uid,
+        "email" => email,
+        "first_name" => first_name,
+        "last_name" => last_name
+      } ->
+        attrs = %{
+          email: email,
+          first_name: first_name,
+          last_name: last_name
+        }
+
+        case Accounts.register_user_from_sso(attrs, provider, uid) do
+          {:ok, user} ->
+            conn
+            |> clear_pending_signup()
+            |> do_log_in(user)
+
+          {:error, _changeset} ->
+            conn
+            |> clear_pending_signup()
+            |> put_flash(
+              :error,
+              "Could not create your account. Please try again."
+            )
+            |> redirect(to: Routes.user_session_path(conn, :new))
+        end
+
+      _ ->
+        conn
+        |> clear_pending_signup()
+        |> put_flash(:error, "No pending sign-up to confirm.")
+        |> redirect(to: Routes.user_session_path(conn, :new))
+    end
+  end
+
+  @doc """
+  Cancels a pending SSO signup, clearing the stashed state.
+  """
+  def cancel_signup(conn, _params) do
+    conn
+    |> clear_pending_signup()
+    |> redirect(to: Routes.user_session_path(conn, :new))
+  end
+
+  defp clear_pending_signup(conn) do
+    delete_session(conn, @pending_signup_session_key)
+  end
+
   defp handle_sso_link(conn, %User{} = current_user, provider, uid) do
     case Accounts.get_user_by_identity(provider, uid) do
       %User{id: id} when id == current_user.id ->
@@ -144,25 +220,27 @@ defmodule LightningWeb.OidcController do
             |> redirect(to: Routes.user_session_path(conn, :new))
 
           nil ->
-            name = extract_name(userinfo)
-            attrs = Map.merge(name, %{email: email})
-
-            case Accounts.register_user_from_sso(attrs, provider, uid) do
-              {:ok, user} ->
-                do_log_in(conn, user)
-
-              {:error, _changeset} ->
-                conn
-                |> put_flash(
-                  :error,
-                  "Could not create your account. Please try again."
-                )
-                |> redirect(to: Routes.user_session_path(conn, :new))
-            end
+            request_signup_confirmation(conn, provider, uid, email, userinfo)
         end
     end
   end
 
+  defp request_signup_confirmation(conn, provider, uid, email, userinfo) do
+    %{first_name: first_name, last_name: last_name} = extract_name(userinfo)
+
+    pending = %{
+      "provider" => provider,
+      "uid" => uid,
+      "email" => email,
+      "first_name" => first_name,
+      "last_name" => last_name
+    }
+
+    conn
+    |> put_session(@pending_signup_session_key, pending)
+    |> redirect(to: ~p"/authenticate/signup/confirm")
+  end
+
   defp do_log_in(conn, %{mfa_enabled: true} = user) do
     conn
     |> UserAuth.log_in_user(user)
diff --git a/lib/lightning_web/controllers/oidc_html.ex b/lib/lightning_web/controllers/oidc_html.ex
new file mode 100644
index 00000000000..8e47ad2153f
--- /dev/null
+++ b/lib/lightning_web/controllers/oidc_html.ex
@@ -0,0 +1,7 @@
+defmodule LightningWeb.OidcHTML do
+  @moduledoc false
+
+  use LightningWeb, :html
+
+  embed_templates "oidc_html/*"
+end
diff --git a/lib/lightning_web/controllers/oidc_html/confirm_signup.html.heex b/lib/lightning_web/controllers/oidc_html/confirm_signup.html.heex
new file mode 100644
index 00000000000..37e36a21434
--- /dev/null
+++ b/lib/lightning_web/controllers/oidc_html/confirm_signup.html.heex
@@ -0,0 +1,64 @@
+<LayoutComponents.nav conn={@conn} />
+<LayoutComponents.page_content>
+  <:header>
+    <LayoutComponents.header>
+      <:title>Create your account</:title>
+    </LayoutComponents.header>
+  </:header>
+  <LayoutComponents.centered>
+    <div id="confirm-signup">
+      <.form
+        :let={_f}
+        for={%{}}
+        as={:signup}
+        action={~p"/authenticate/signup/confirm"}
+      >
+        <div class="grid grid-cols-6 gap-6">
+          <div class="col-span-6 md:col-span-3 sm:col-span-4 border rounded-md shadow-xs bg-white p-6">
+            <%= if error = Phoenix.Flash.get(@flash, :error) do %>
+              <div class="alert alert-danger" role="alert">
+                {error}
+              </div>
+            <% end %>
+
+            <p class="text-sm text-gray-700 mb-4">
+              No account exists for <strong>{@pending["email"]}</strong>
+              yet. We'll create a new account using your
+              <strong>{String.capitalize(@pending["provider"])}</strong>
+              profile.
+            </p>
+
+            <dl class="text-sm text-gray-700 mb-6 space-y-1">
+              <div class="flex">
+                <dt class="w-28 text-gray-500">Email</dt>
+                <dd>{@pending["email"]}</dd>
+              </div>
+              <%= if @pending["first_name"] != "" or @pending["last_name"] != "" do %>
+                <div class="flex">
+                  <dt class="w-28 text-gray-500">Name</dt>
+                  <dd>{@pending["first_name"]} {@pending["last_name"]}</dd>
+                </div>
+              <% end %>
+              <div class="flex">
+                <dt class="w-28 text-gray-500">Provider</dt>
+                <dd>{String.capitalize(@pending["provider"])}</dd>
+              </div>
+            </dl>
+
+            <div class="grid grid-flow-row gap-3 auto-rows-max">
+              <.button type="submit" theme="primary">
+                Create account and continue
+              </.button>
+              <.link
+                href={~p"/authenticate/signup/cancel"}
+                class="text-xs text-secondary-700 text-center"
+              >
+                Cancel
+              </.link>
+            </div>
+          </div>
+        </div>
+      </.form>
+    </div>
+  </LayoutComponents.centered>
+</LayoutComponents.page_content>
diff --git a/lib/lightning_web/router.ex b/lib/lightning_web/router.ex
index dd6814a5dd6..6b854cf9d1f 100644
--- a/lib/lightning_web/router.ex
+++ b/lib/lightning_web/router.ex
@@ -64,6 +64,9 @@ defmodule LightningWeb.Router do
     post "/users/confirm", UserConfirmationController, :create
 
     get "/authenticate/callback", OidcController, :new
+    get "/authenticate/signup/confirm", OidcController, :confirm_signup
+    post "/authenticate/signup/confirm", OidcController, :complete_signup
+    get "/authenticate/signup/cancel", OidcController, :cancel_signup
     get "/authenticate/:provider", OidcController, :show
     get "/authenticate/:provider/link", OidcController, :link
     get "/authenticate/:provider/callback", OidcController, :new
diff --git a/test/lightning_web/controllers/oidc_controller_test.exs b/test/lightning_web/controllers/oidc_controller_test.exs
index c783d2907c0..8f638e70649 100644
--- a/test/lightning_web/controllers/oidc_controller_test.exs
+++ b/test/lightning_web/controllers/oidc_controller_test.exs
@@ -125,7 +125,7 @@ defmodule LightningWeb.OidcControllerTest do
              )
     end
 
-    test "auto-registers a new user when there is no existing email or identity",
+    test "prompts the user to confirm before creating a brand-new account",
          %{conn: conn, bypass: bypass, handler: handler} do
       expect_token(bypass, handler.wellknown)
       email = "new-sso-user-#{System.unique_integer([:positive])}@example.com"
@@ -142,16 +142,19 @@ defmodule LightningWeb.OidcControllerTest do
           Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
         )
 
-      assert redirected_to(conn) == "/projects"
+      assert redirected_to(conn) == ~p"/authenticate/signup/confirm"
 
-      user = Lightning.Accounts.get_user_by_email(email)
-      assert user
-      assert user.first_name == "First"
-      assert user.last_name == "Last"
-      assert is_nil(user.hashed_password)
-      refute is_nil(user.confirmed_at)
+      assert get_session(conn, :sso_pending_signup) == %{
+               "provider" => handler.name,
+               "uid" => "fresh-uid-1",
+               "email" => email,
+               "first_name" => "First",
+               "last_name" => "Last"
+             }
 
-      assert Lightning.Accounts.get_user_by_identity(handler.name, "fresh-uid-1")
+      # No account or identity is created until the user confirms
+      refute Lightning.Accounts.get_user_by_email(email)
+      refute Lightning.Accounts.get_user_by_identity(handler.name, "fresh-uid-1")
     end
 
     test "redirects to login when userinfo has no email", %{
@@ -411,6 +414,98 @@ defmodule LightningWeb.OidcControllerTest do
     end
   end
 
+  describe "SSO signup confirmation flow" do
+    test "GET /authenticate/signup/confirm renders the confirmation page",
+         %{conn: conn} do
+      pending = %{
+        "provider" => "github",
+        "uid" => "uid-123",
+        "email" => "new@example.com",
+        "first_name" => "Pat",
+        "last_name" => "Doe"
+      }
+
+      conn =
+        conn
+        |> Plug.Test.init_test_session(%{sso_pending_signup: pending})
+        |> get(~p"/authenticate/signup/confirm")
+
+      html = html_response(conn, 200)
+      assert html =~ "Create your account"
+      assert html =~ "new@example.com"
+      assert html =~ "Github"
+      assert html =~ "Pat Doe"
+    end
+
+    test "GET /authenticate/signup/confirm redirects to login when no pending signup",
+         %{conn: conn} do
+      conn = get(conn, ~p"/authenticate/signup/confirm")
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+    end
+
+    test "POST /authenticate/signup/confirm creates the account and logs in",
+         %{conn: conn} do
+      email = "confirm-signup-#{System.unique_integer([:positive])}@example.com"
+
+      pending = %{
+        "provider" => "github",
+        "uid" => "confirm-uid",
+        "email" => email,
+        "first_name" => "Alice",
+        "last_name" => "Smith"
+      }
+
+      conn =
+        conn
+        |> Plug.Test.init_test_session(%{sso_pending_signup: pending})
+        |> post(~p"/authenticate/signup/confirm", %{})
+
+      assert redirected_to(conn) == "/projects"
+
+      user = Lightning.Accounts.get_user_by_email(email)
+      assert user
+      assert user.first_name == "Alice"
+      assert user.last_name == "Smith"
+      assert is_nil(user.hashed_password)
+      refute is_nil(user.confirmed_at)
+
+      assert %Lightning.Accounts.User{id: same_id} =
+               Lightning.Accounts.get_user_by_identity("github", "confirm-uid")
+
+      assert same_id == user.id
+      refute get_session(conn, :sso_pending_signup)
+    end
+
+    test "POST /authenticate/signup/confirm redirects when there is no pending signup",
+         %{conn: conn} do
+      conn = post(conn, ~p"/authenticate/signup/confirm", %{})
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "No pending sign-up"
+    end
+
+    test "GET /authenticate/signup/cancel clears the pending signup",
+         %{conn: conn} do
+      pending = %{
+        "provider" => "github",
+        "uid" => "cancel-uid",
+        "email" => "cancel@example.com",
+        "first_name" => "C",
+        "last_name" => "X"
+      }
+
+      conn =
+        conn
+        |> Plug.Test.init_test_session(%{sso_pending_signup: pending})
+        |> get(~p"/authenticate/signup/cancel")
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+      refute get_session(conn, :sso_pending_signup)
+      refute Lightning.Accounts.get_user_by_email("cancel@example.com")
+    end
+  end
+
   describe "GET /authenticate/callback" do
     setup %{conn: conn} do
       subscription_id =

From a1cbc2ab79ab20fc9deba9e59135f2396220ac03 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 22 May 2026 15:26:11 +0000
Subject: [PATCH 07/17] feat: route so registration through account-hook

---
 lib/lightning/accounts.ex                | 10 +++-------
 lib/lightning/extensions/account_hook.ex | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/lib/lightning/accounts.ex b/lib/lightning/accounts.ex
index e6fc2bba1e3..f2bec9fa7d6 100644
--- a/lib/lightning/accounts.ex
+++ b/lib/lightning/accounts.ex
@@ -283,14 +283,10 @@ defmodule Lightning.Accounts do
   A `user_registered` event is broadcast on success.
   """
   def register_user_from_sso(attrs, provider, uid) do
+    attrs = Map.put(attrs, :sso_identity, %{provider: provider, uid: uid})
+
     Repo.transact(fn ->
-      with {:ok, user} <-
-             %User{}
-             |> User.sso_registration_changeset(attrs)
-             |> Repo.insert(),
-           {:ok, _identity} <- link_user_identity(user, provider, uid) do
-        {:ok, user}
-      end
+      AccountHook.handle_register_user(attrs)
     end)
     |> tap(fn result ->
       with {:ok, user} <- result do
diff --git a/lib/lightning/extensions/account_hook.ex b/lib/lightning/extensions/account_hook.ex
index d10bdade6a4..bc192cc047b 100644
--- a/lib/lightning/extensions/account_hook.ex
+++ b/lib/lightning/extensions/account_hook.ex
@@ -4,9 +4,24 @@ defmodule Lightning.Extensions.AccountHook do
 
   alias Ecto.Changeset
   alias Lightning.Accounts.User
+  alias Lightning.Accounts.UserIdentity
   alias Lightning.Repo
 
   @spec handle_register_user(map()) :: {:ok, User.t()} | {:error, Changeset.t()}
+  def handle_register_user(
+        %{sso_identity: %{provider: provider, uid: uid}} = attrs
+      ) do
+    attrs = Map.delete(attrs, :sso_identity)
+
+    with {:ok, user} <-
+           %User{}
+           |> User.sso_registration_changeset(attrs)
+           |> Repo.insert(),
+         {:ok, _identity} <- link_identity(user, provider, uid) do
+      {:ok, user}
+    end
+  end
+
   def handle_register_user(attrs) do
     with {:ok, data} <-
            User.user_registration_changeset(attrs)
@@ -31,4 +46,10 @@ defmodule Lightning.Extensions.AccountHook do
     |> User.changeset(attrs)
     |> Repo.insert()
   end
+
+  defp link_identity(%User{id: user_id}, provider, uid) do
+    %UserIdentity{}
+    |> UserIdentity.changeset(%{user_id: user_id, provider: provider, uid: uid})
+    |> Repo.insert(on_conflict: :nothing, conflict_target: [:provider, :uid])
+  end
 end

From aaf20a926be6c96daa72bf2cdfc30a51591c32c1 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Mon, 25 May 2026 06:10:55 +0000
Subject: [PATCH 08/17] tests: update tests

---
 lib/lightning_web/live/profile_live/identities_component.ex | 6 ++++--
 test/lightning_web/live/profile_live_test.exs               | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/lightning_web/live/profile_live/identities_component.ex b/lib/lightning_web/live/profile_live/identities_component.ex
index 8683ee1b49a..645527849f7 100644
--- a/lib/lightning_web/live/profile_live/identities_component.ex
+++ b/lib/lightning_web/live/profile_live/identities_component.ex
@@ -33,7 +33,8 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
          |> put_flash(
            :error,
            "Set a password (via the password reset link) before unlinking your only sign-in method."
-         )}
+         )
+         |> push_navigate(to: ~p"/profile")}
 
       {:error, :not_linked} ->
         {:noreply,
@@ -47,7 +48,8 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
          |> put_flash(
            :error,
            "Could not unlink your #{display_name(provider)} account."
-         )}
+         )
+         |> push_navigate(to: ~p"/profile")}
     end
   end
 
diff --git a/test/lightning_web/live/profile_live_test.exs b/test/lightning_web/live/profile_live_test.exs
index ea2c48a6f81..cd068aaf021 100644
--- a/test/lightning_web/live/profile_live_test.exs
+++ b/test/lightning_web/live/profile_live_test.exs
@@ -911,10 +911,11 @@ defmodule LightningWeb.ProfileLiveTest do
       conn = log_in_user(conn, user)
       {:ok, view, _html} = live(conn, ~p"/profile", on_error: :raise)
 
-      html =
+      {:ok, _view, html} =
         view
         |> element("#unlink-#{handler.name}-button")
         |> render_click()
+        |> follow_redirect(conn, ~p"/profile")
 
       assert html =~ "Set a password"
       assert [_] = Lightning.Accounts.list_user_identities(user)

From d83242ad0cff5b4cc413957a655d8b3937db88ca Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Mon, 25 May 2026 06:36:33 +0000
Subject: [PATCH 09/17] chore: resolve dialyzer

---
 lib/lightning/auth_providers/cache_warmer.ex     | 8 ++++++++
 lib/lightning_web/controllers/oidc_controller.ex | 9 ---------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/lib/lightning/auth_providers/cache_warmer.ex b/lib/lightning/auth_providers/cache_warmer.ex
index 01f8024a346..19d6d8d63c7 100644
--- a/lib/lightning/auth_providers/cache_warmer.ex
+++ b/lib/lightning/auth_providers/cache_warmer.ex
@@ -10,6 +10,14 @@ defmodule Lightning.AuthProviders.CacheWarmer do
   # https://github.com/whitfin/cachex/issues/276
   @dialyzer {:nowarn_function, init: 1}
 
+  # `GithubHandler.build/0` and `GoogleHandler.build/0` read their client
+  # credentials through `Lightning.Config.*_oauth/1`, which dispatches
+  # dynamically through an extension module. Dialyzer can't see that the
+  # binary branch is reachable, so it concludes `build/0` only ever returns
+  # `{:error, :not_configured}` and flags the `{:ok, _}` pattern here as
+  # unreachable. The runtime behaviour is fine.
+  @dialyzer {:nowarn_function, execute: 1}
+
   @doc """
   Returns the interval for this warmer.
   """
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index b14abbd45c8..7feb724bb3f 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -270,15 +270,6 @@ defmodule LightningWeb.OidcController do
     end
   end
 
-  defp extract_email(userinfo) when is_list(userinfo) do
-    userinfo
-    |> Enum.find(& &1["primary"])
-    |> case do
-      %{"email" => email} when is_binary(email) -> email
-      _ -> nil
-    end
-  end
-
   defp extract_email(%{"email" => email}) when is_binary(email), do: email
   defp extract_email(_), do: nil
 

From fc630ad09191e8682859526f6701995078d753cf Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 00:20:10 +0000
Subject: [PATCH 10/17] feat: pick user email from dedicated endpoint (Github)

---
 .../auth_providers/github_handler.ex          |   4 +-
 lib/lightning/auth_providers/handler.ex       |  53 +++++-
 lib/lightning/auth_providers/well_known.ex    |  10 +-
 .../auth_providers/github_handler_test.exs    |  46 +++++
 .../controllers/oidc_controller_test.exs      | 158 ++++++++++++++++++
 test/support/bypass_helpers.ex                |  13 ++
 6 files changed, 275 insertions(+), 9 deletions(-)
 create mode 100644 test/lightning/auth_providers/github_handler_test.exs

diff --git a/lib/lightning/auth_providers/github_handler.ex b/lib/lightning/auth_providers/github_handler.ex
index f43c308dbcd..83ebfcc3888 100644
--- a/lib/lightning/auth_providers/github_handler.ex
+++ b/lib/lightning/auth_providers/github_handler.ex
@@ -12,6 +12,7 @@ defmodule Lightning.AuthProviders.GithubHandler do
   @authorization_endpoint "https://github.com/login/oauth/authorize"
   @token_endpoint "https://github.com/login/oauth/access_token"
   @userinfo_endpoint "https://api.github.com/user"
+  @user_emails_endpoint "https://api.github.com/user/emails"
 
   def handler_name, do: @name
 
@@ -25,7 +26,8 @@ defmodule Lightning.AuthProviders.GithubHandler do
       wellknown = %WellKnown{
         authorization_endpoint: @authorization_endpoint,
         token_endpoint: @token_endpoint,
-        userinfo_endpoint: @userinfo_endpoint
+        userinfo_endpoint: @userinfo_endpoint,
+        user_emails_endpoint: @user_emails_endpoint
       }
 
       Handler.new(@name,
diff --git a/lib/lightning/auth_providers/handler.ex b/lib/lightning/auth_providers/handler.ex
index c3757180518..41f6634b273 100644
--- a/lib/lightning/auth_providers/handler.ex
+++ b/lib/lightning/auth_providers/handler.ex
@@ -106,10 +106,55 @@ defmodule Lightning.AuthProviders.Handler do
   @spec get_userinfo(handler :: __MODULE__.t(), token :: OAuth2.AccessToken.t()) ::
           map()
   def get_userinfo(handler, token) do
-    OAuth2.Client.get!(
-      %{handler.client | token: token},
-      handler.wellknown.userinfo_endpoint
-    ).body
+    client = %{handler.client | token: token}
+
+    userinfo =
+      OAuth2.Client.get!(client, handler.wellknown.userinfo_endpoint).body
+
+    maybe_resolve_email(client, handler.wellknown, userinfo)
+  end
+
+  # Some providers (e.g. GitHub) omit `email` from userinfo; fall back to the emails endpoint and pick the primary, verified address.
+  defp maybe_resolve_email(
+         client,
+         %{user_emails_endpoint: endpoint},
+         %{} = userinfo
+       )
+       when is_binary(endpoint) do
+    if is_binary(userinfo["email"]) do
+      userinfo
+    else
+      case fetch_primary_verified_email(client, endpoint) do
+        nil -> userinfo
+        email -> Map.put(userinfo, "email", email)
+      end
+    end
+  end
+
+  defp maybe_resolve_email(_client, _wellknown, userinfo), do: userinfo
+
+  defp fetch_primary_verified_email(client, endpoint) do
+    case OAuth2.Client.get(client, endpoint) do
+      {:ok, %OAuth2.Response{body: emails}} when is_list(emails) ->
+        select_primary_verified_email(emails)
+
+      _ ->
+        nil
+    end
+  end
+
+  defp select_primary_verified_email(emails) do
+    primary =
+      Enum.find_value(emails, fn
+        %{"primary" => true, "verified" => true, "email" => email} -> email
+        _ -> nil
+      end)
+
+    primary ||
+      Enum.find_value(emails, fn
+        %{"verified" => true, "email" => email} -> email
+        _ -> nil
+      end)
   end
 
   defp validate_opts(opts) do
diff --git a/lib/lightning/auth_providers/well_known.ex b/lib/lightning/auth_providers/well_known.ex
index 347d188056f..39169b20cda 100644
--- a/lib/lightning/auth_providers/well_known.ex
+++ b/lib/lightning/auth_providers/well_known.ex
@@ -4,20 +4,22 @@ defmodule Lightning.AuthProviders.WellKnown do
   """
   use HTTPoison.Base
 
-  @fields [
+  @discovery_fields [
     :authorization_endpoint,
     :token_endpoint,
     :userinfo_endpoint,
     :introspection_endpoint
   ]
 
-  defstruct @fields
+  # `:user_emails_endpoint` resolves a verified email for providers (e.g. GitHub) whose userinfo endpoint doesn't return one.
+  defstruct @discovery_fields ++ [:user_emails_endpoint]
 
   @type t :: %__MODULE__{
           authorization_endpoint: String.t(),
           token_endpoint: String.t(),
           userinfo_endpoint: String.t(),
-          introspection_endpoint: String.t()
+          introspection_endpoint: String.t(),
+          user_emails_endpoint: String.t() | nil
         }
 
   @spec fetch(discovery_url :: String.t()) ::
@@ -42,7 +44,7 @@ defmodule Lightning.AuthProviders.WellKnown do
   def new(%{} = json_body) do
     struct!(
       __MODULE__,
-      @fields
+      @discovery_fields
       |> Enum.map(fn key ->
         {key, json_body[key |> to_string()]}
       end)
diff --git a/test/lightning/auth_providers/github_handler_test.exs b/test/lightning/auth_providers/github_handler_test.exs
new file mode 100644
index 00000000000..495bc86d45f
--- /dev/null
+++ b/test/lightning/auth_providers/github_handler_test.exs
@@ -0,0 +1,46 @@
+defmodule Lightning.AuthProviders.GithubHandlerTest do
+  use ExUnit.Case, async: false
+
+  import Mox
+
+  alias Lightning.AuthProviders.GithubHandler
+  alias Lightning.AuthProviders.Handler
+
+  setup :verify_on_exit!
+
+  setup do
+    Mox.stub_with(Lightning.MockConfig, Lightning.Config.API)
+    prev = Application.get_env(:lightning, :github_oauth)
+    on_exit(fn -> Application.put_env(:lightning, :github_oauth, prev || []) end)
+    :ok
+  end
+
+  test "build/0 returns :not_configured when credentials are missing" do
+    Application.put_env(:lightning, :github_oauth, [])
+    assert {:error, :not_configured} = GithubHandler.build()
+  end
+
+  test "build/0 returns a configured handler with a user emails endpoint" do
+    Application.put_env(:lightning, :github_oauth,
+      client_id: "id",
+      client_secret: "secret",
+      redirect_uri: "http://localhost/authenticate/github/callback"
+    )
+
+    assert {:ok, %Handler{name: "github", wellknown: wellknown}} =
+             GithubHandler.build()
+
+    # GitHub's /user endpoint does not reliably return a verified email, so the
+    # handler must point at /user/emails for fallback resolution.
+    assert wellknown.user_emails_endpoint == "https://api.github.com/user/emails"
+  end
+
+  test "build/0 returns :not_configured when redirect_uri is missing" do
+    Application.put_env(:lightning, :github_oauth,
+      client_id: "id",
+      client_secret: "secret"
+    )
+
+    assert {:error, :not_configured} = GithubHandler.build()
+  end
+end
diff --git a/test/lightning_web/controllers/oidc_controller_test.exs b/test/lightning_web/controllers/oidc_controller_test.exs
index 8f638e70649..e590afb3fb9 100644
--- a/test/lightning_web/controllers/oidc_controller_test.exs
+++ b/test/lightning_web/controllers/oidc_controller_test.exs
@@ -33,6 +33,35 @@ defmodule LightningWeb.OidcControllerTest do
     {:ok, handler: handler, bypass: bypass}
   end
 
+  # A handler that resolves email from a dedicated emails endpoint, mirroring
+  # GitHub's `/user/emails`.
+  def setup_handler_with_user_emails(_) do
+    bypass = Bypass.open()
+
+    wellknown = %AuthProviders.WellKnown{
+      authorization_endpoint: "#{endpoint_url(bypass)}/authorization_endpoint",
+      token_endpoint: "#{endpoint_url(bypass)}/token_endpoint",
+      userinfo_endpoint: "#{endpoint_url(bypass)}/userinfo_endpoint",
+      user_emails_endpoint: "#{endpoint_url(bypass)}/user_emails_endpoint"
+    }
+
+    handler_name = :crypto.strong_rand_bytes(6) |> Base.url_encode64()
+
+    {:ok, handler} =
+      AuthProviders.Handler.new(handler_name,
+        wellknown: wellknown,
+        client_id: "id",
+        client_secret: "secret",
+        redirect_uri: "http://localhost/callback_url"
+      )
+
+    AuthProviders.create_handler(handler)
+
+    on_exit(fn -> AuthProviders.remove_handler(handler) end)
+
+    {:ok, handler: handler, bypass: bypass}
+  end
+
   describe "GET /authenticate/:provider" do
     setup :setup_handler
 
@@ -273,6 +302,135 @@ defmodule LightningWeb.OidcControllerTest do
     end
   end
 
+  # GitHub's /user endpoint returns a null email for users without a public
+  # profile email, even when the user:email scope is granted. Providers that set
+  # a `user_emails_endpoint` must resolve the primary, verified email from it.
+  describe "GET /authenticate/:provider/callback (email resolution fallback)" do
+    setup :setup_handler_with_user_emails
+
+    test "resolves the primary verified email when userinfo has none", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      expect_token(bypass, handler.wellknown)
+
+      # userinfo carries no email (the GitHub "no public email" case)
+      expect_userinfo(bypass, handler.wellknown, %{"sub" => "gh-uid-1"})
+
+      expect_user_emails(bypass, handler.wellknown, [
+        %{
+          "email" => "secondary@example.com",
+          "primary" => false,
+          "verified" => true
+        },
+        %{
+          "email" => "primary@example.com",
+          "primary" => true,
+          "verified" => true
+        },
+        %{
+          "email" => "unverified@example.com",
+          "primary" => false,
+          "verified" => false
+        }
+      ])
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      # The signup confirmation flow is reached, meaning an email was resolved.
+      assert redirected_to(conn) == ~p"/authenticate/signup/confirm"
+
+      assert get_session(conn, :sso_pending_signup)["email"] ==
+               "primary@example.com"
+    end
+
+    test "falls back to any verified email when none is marked primary", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      expect_token(bypass, handler.wellknown)
+      expect_userinfo(bypass, handler.wellknown, %{"sub" => "gh-uid-2"})
+
+      expect_user_emails(bypass, handler.wellknown, [
+        %{
+          "email" => "unverified@example.com",
+          "primary" => true,
+          "verified" => false
+        },
+        %{
+          "email" => "verified@example.com",
+          "primary" => false,
+          "verified" => true
+        }
+      ])
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert get_session(conn, :sso_pending_signup)["email"] ==
+               "verified@example.com"
+    end
+
+    test "errors when the emails endpoint has no verified address", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      expect_token(bypass, handler.wellknown)
+      expect_userinfo(bypass, handler.wellknown, %{"sub" => "gh-uid-3"})
+
+      expect_user_emails(bypass, handler.wellknown, [
+        %{
+          "email" => "unverified@example.com",
+          "primary" => true,
+          "verified" => false
+        }
+      ])
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "Could not retrieve your email"
+    end
+
+    test "prefers the userinfo email and skips the emails endpoint when present",
+         %{conn: conn, bypass: bypass, handler: handler} do
+      expect_token(bypass, handler.wellknown)
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "sub" => "gh-uid-4",
+        "email" => "public@example.com"
+      })
+
+      # No expect_user_emails/3 stub: if the endpoint were called, Bypass would
+      # fail the test, proving the extra request is skipped.
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert get_session(conn, :sso_pending_signup)["email"] ==
+               "public@example.com"
+    end
+  end
+
   describe "GET /authenticate/:provider/link" do
     setup :setup_handler
 
diff --git a/test/support/bypass_helpers.ex b/test/support/bypass_helpers.ex
index 90e52d28c11..cc51a5a4b8e 100644
--- a/test/support/bypass_helpers.ex
+++ b/test/support/bypass_helpers.ex
@@ -88,6 +88,19 @@ defmodule Lightning.BypassHelpers do
     expect_userinfo(bypass, wellknown, {200, body})
   end
 
+  @doc """
+  Add a user emails endpoint expectation (e.g. GitHub's `/user/emails`). Used to
+  test providers that resolve a verified email from a dedicated endpoint.
+  """
+  def expect_user_emails(bypass, wellknown, emails) do
+    path = URI.new!(wellknown.user_emails_endpoint).path
+
+    Bypass.expect(bypass, "GET", path, fn conn ->
+      Plug.Conn.put_resp_header(conn, "content-type", "application/json")
+      |> Plug.Conn.resp(200, Jason.encode!(emails))
+    end)
+  end
+
   @doc """
   Generate an http url for use with a Bypass test process
   """

From 4e579f9e981b036e3d0a0fea57d731d735158e1e Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 00:56:42 +0000
Subject: [PATCH 11/17] chore: update deployment.md

---
 DEPLOYMENT.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
index 4861f89b045..16276373697 100644
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -360,8 +360,51 @@ been marked as recovered.
 Once all files have either been recovered or discarded, the triggers can be
 enabled once more.
 
+### Single Sign-On (SSO)
+
+Lightning supports SSO **sign-in** with GitHub and Google, letting users
+authenticate with an external identity provider instead of an email/password.
+
+> SSO sign-in is distinct from two other, similarly-named features. Don't mix up
+> their environment variables:
+>
+> - **GitHub App** (`GITHUB_APP_ID`, `GITHUB_APP_CLIENT_ID`,
+>   `GITHUB_APP_CLIENT_SECRET`, `GITHUB_CERT`) — used for project **version
+>   control / repo sync**, with callback `/oauth/github/callback`. See
+>   [GitHub](#github) above. This is **not** sign-in.
+> - **Credential OAuth** — clients that **jobs** use to connect to external
+>   systems (e.g. Google Sheets, Salesforce). These are configured per-project
+>   in the UI, not via these environment variables.
+
+Enable a provider by setting its client ID and secret. Each provider has its own
+callback (redirect) URL that you must register in the provider's OAuth app
+settings. The redirect URL is derived automatically from your configured
+host/scheme/port — you only need to register the matching URL below.
+
+| Provider | Variables                                  | Redirect / Callback URL                                  |
+| -------- | ------------------------------------------ | -------------------------------------------------------- |
+| GitHub   | `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET` | `https://<ENDPOINT DOMAIN>/authenticate/github/callback` |
+| Google   | `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET` | `https://<ENDPOINT DOMAIN>/authenticate/google/callback` |
+
+For **GitHub**, create an **OAuth App** (Settings → Developer settings → OAuth
+Apps — _not_ a GitHub App) and request the `read:user` and `user:email` scopes.
+GitHub's userinfo endpoint omits the email for users without a public profile
+email, so Lightning resolves the primary, verified address via the granted
+`user:email` scope.
+
+> ⚠️ **Upgrading from the older Google login?** The new Google SSO provider
+> reuses the same `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` as the
+> [Google Oauth2](#google-oauth2) setup below, but expects the callback
+> `/authenticate/google/callback` (not `/authenticate/callback`). Add the new
+> callback URL to your Google OAuth client's authorized redirect URIs.
+
 ### Google Oauth2
 
+> These `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` variables are also used by
+> [Single Sign-On (SSO)](#single-sign-on-sso) above, which expects a different
+> callback URL (`/authenticate/google/callback`). If you use Google for SSO
+> sign-in, register both callback URLs on the same OAuth client.
+
 Using your Google Cloud account, provision a new OAuth 2.0 Client with the 'Web
 application' type.
 

From 3c04662f7e1442e3e7037e19da3f5575729781e3 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 05:00:32 +0000
Subject: [PATCH 12/17] feat: rollback

---
 .../migrations/20260515133933_allow_null_hashed_password.exs    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs b/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs
index e72167253d9..d68296553e7 100644
--- a/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs
+++ b/priv/repo/migrations/20260515133933_allow_null_hashed_password.exs
@@ -3,7 +3,7 @@ defmodule Lightning.Repo.Migrations.AllowNullHashedPassword do
 
   def change do
     alter table(:users) do
-      modify :hashed_password, :string, null: true
+      modify :hashed_password, :string, null: true, from: {:string, null: false}
     end
   end
 end

From 1985ee158aaf0bcc94dcf53198ae4f35bdb20cfd Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 05:01:46 +0000
Subject: [PATCH 13/17] feat: only allow verified emails

---
 lib/lightning/auth_providers/handler.ex       | 11 ++-
 .../controllers/oidc_controller.ex            | 40 +++++---
 .../controllers/oidc_controller_test.exs      | 92 +++++++++++++++++++
 3 files changed, 129 insertions(+), 14 deletions(-)

diff --git a/lib/lightning/auth_providers/handler.ex b/lib/lightning/auth_providers/handler.ex
index 41f6634b273..862fc3493de 100644
--- a/lib/lightning/auth_providers/handler.ex
+++ b/lib/lightning/auth_providers/handler.ex
@@ -122,11 +122,16 @@ defmodule Lightning.AuthProviders.Handler do
        )
        when is_binary(endpoint) do
     if is_binary(userinfo["email"]) do
-      userinfo
+      Map.put(userinfo, "email_verified", true)
     else
       case fetch_primary_verified_email(client, endpoint) do
-        nil -> userinfo
-        email -> Map.put(userinfo, "email", email)
+        nil ->
+          userinfo
+
+        email ->
+          userinfo
+          |> Map.put("email", email)
+          |> Map.put("email_verified", true)
       end
     end
   end
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index 7feb724bb3f..c7977cddf16 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -210,21 +210,34 @@ defmodule LightningWeb.OidcController do
         do_log_in(conn, user)
 
       nil ->
-        case Accounts.get_user_by_email(email) do
-          %User{} ->
-            conn
-            |> put_flash(
-              :info,
-              "An account already exists for #{email}. Sign in and link your #{display_name(provider)} account from your profile settings to use single sign-on."
-            )
-            |> redirect(to: Routes.user_session_path(conn, :new))
-
-          nil ->
-            request_signup_confirmation(conn, provider, uid, email, userinfo)
+        if email_verified?(userinfo) do
+          handle_unlinked_identity(conn, provider, uid, email, userinfo)
+        else
+          conn
+          |> put_flash(
+            :error,
+            "Your #{display_name(provider)} email address has not been verified. Please verify it with #{display_name(provider)} and try signing in again."
+          )
+          |> redirect(to: Routes.user_session_path(conn, :new))
         end
     end
   end
 
+  defp handle_unlinked_identity(conn, provider, uid, email, userinfo) do
+    case Accounts.get_user_by_email(email) do
+      %User{} ->
+        conn
+        |> put_flash(
+          :info,
+          "An account already exists for #{email}. Sign in and link your #{display_name(provider)} account from your profile settings to use single sign-on."
+        )
+        |> redirect(to: Routes.user_session_path(conn, :new))
+
+      nil ->
+        request_signup_confirmation(conn, provider, uid, email, userinfo)
+    end
+  end
+
   defp request_signup_confirmation(conn, provider, uid, email, userinfo) do
     %{first_name: first_name, last_name: last_name} = extract_name(userinfo)
 
@@ -273,6 +286,11 @@ defmodule LightningWeb.OidcController do
   defp extract_email(%{"email" => email}) when is_binary(email), do: email
   defp extract_email(_), do: nil
 
+  defp email_verified?(%{"email_verified" => verified}),
+    do: verified in [true, "true"]
+
+  defp email_verified?(_), do: false
+
   defp extract_uid(%{"sub" => sub}) when is_binary(sub), do: sub
   defp extract_uid(%{"id" => id}) when is_integer(id), do: to_string(id)
   defp extract_uid(%{"id" => id}) when is_binary(id), do: id
diff --git a/test/lightning_web/controllers/oidc_controller_test.exs b/test/lightning_web/controllers/oidc_controller_test.exs
index e590afb3fb9..efa1b3c7b05 100644
--- a/test/lightning_web/controllers/oidc_controller_test.exs
+++ b/test/lightning_web/controllers/oidc_controller_test.exs
@@ -130,6 +130,7 @@ defmodule LightningWeb.OidcControllerTest do
 
       expect_userinfo(bypass, handler.wellknown, %{
         "email" => user.email,
+        "email_verified" => true,
         "sub" => "unlinked-uid"
       })
 
@@ -161,6 +162,7 @@ defmodule LightningWeb.OidcControllerTest do
 
       expect_userinfo(bypass, handler.wellknown, %{
         "email" => email,
+        "email_verified" => true,
         "sub" => "fresh-uid-1",
         "name" => "First Last"
       })
@@ -207,6 +209,96 @@ defmodule LightningWeb.OidcControllerTest do
                "Could not retrieve your email"
     end
 
+    test "refuses to provision a new account when the email is not verified", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      expect_token(bypass, handler.wellknown)
+      email = "unverified-#{System.unique_integer([:positive])}@example.com"
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => email,
+        "email_verified" => false,
+        "sub" => "unverified-uid"
+      })
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "has not been verified"
+
+      # No account or identity is provisioned for an unverified email
+      refute Lightning.Accounts.get_user_by_email(email)
+
+      refute Lightning.Accounts.get_user_by_identity(
+               handler.name,
+               "unverified-uid"
+             )
+
+      refute get_session(conn, :sso_pending_signup)
+    end
+
+    test "rejects an unverified email without revealing an existing account", %{
+      conn: conn,
+      bypass: bypass,
+      handler: handler
+    } do
+      expect_token(bypass, handler.wellknown)
+      user = Lightning.AccountsFixtures.user_fixture()
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => user.email,
+        "email_verified" => false,
+        "sub" => "unverified-existing-uid"
+      })
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      # The unverified probe gets the generic "not verified" message, not the
+      # "an account already exists" notice — so account existence isn't leaked.
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "has not been verified"
+
+      refute Phoenix.Flash.get(conn.assigns.flash, :info)
+    end
+
+    test "refuses to provision a new account when no email_verified claim is present",
+         %{conn: conn, bypass: bypass, handler: handler} do
+      expect_token(bypass, handler.wellknown)
+      email = "no-claim-#{System.unique_integer([:positive])}@example.com"
+
+      expect_userinfo(bypass, handler.wellknown, %{
+        "email" => email,
+        "sub" => "no-claim-uid"
+      })
+
+      conn =
+        get(
+          conn,
+          Routes.oidc_path(conn, :new, handler.name, %{"code" => "callback_code"})
+        )
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "has not been verified"
+
+      refute Lightning.Accounts.get_user_by_email(email)
+    end
+
     test "logs the person in but marks totp as pending for users wth MFA enabled",
          %{
            conn: conn,

From f4bcd1a9cd47eb842f6cbb53bfdf3b522dad1e82 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 05:30:39 +0000
Subject: [PATCH 14/17] feat: enforce at most one identity match

---
 lib/lightning/accounts.ex                     | 27 +++++++++---
 lib/lightning/extensions/account_hook.ex      |  8 ++--
 .../controllers/oidc_controller.ex            |  8 ++++
 test/lightning/accounts_test.exs              | 41 +++++++++++++++++--
 4 files changed, 70 insertions(+), 14 deletions(-)

diff --git a/lib/lightning/accounts.ex b/lib/lightning/accounts.ex
index f2bec9fa7d6..d4b1f6eecb7 100644
--- a/lib/lightning/accounts.ex
+++ b/lib/lightning/accounts.ex
@@ -206,14 +206,29 @@ defmodule Lightning.Accounts do
   end
 
   @doc """
-  Links an SSO provider identity to an existing user account.
-
-  Silently succeeds if the identity already exists (on_conflict: :nothing).
+  Links an SSO provider identity to a user; idempotent if already linked to the same user, `{:error, :identity_already_linked}` if claimed by another.
   """
   def link_user_identity(%User{id: user_id}, provider, uid) do
-    %UserIdentity{}
-    |> UserIdentity.changeset(%{user_id: user_id, provider: provider, uid: uid})
-    |> Repo.insert(on_conflict: :nothing, conflict_target: [:provider, :uid])
+    case get_identity(provider, uid) do
+      %UserIdentity{user_id: ^user_id} = identity ->
+        {:ok, identity}
+
+      %UserIdentity{} ->
+        {:error, :identity_already_linked}
+
+      nil ->
+        %UserIdentity{}
+        |> UserIdentity.changeset(%{
+          user_id: user_id,
+          provider: provider,
+          uid: uid
+        })
+        |> Repo.insert()
+    end
+  end
+
+  defp get_identity(provider, uid) do
+    Repo.get_by(UserIdentity, provider: provider, uid: uid)
   end
 
   @doc """
diff --git a/lib/lightning/extensions/account_hook.ex b/lib/lightning/extensions/account_hook.ex
index bc192cc047b..50ba7005ada 100644
--- a/lib/lightning/extensions/account_hook.ex
+++ b/lib/lightning/extensions/account_hook.ex
@@ -3,8 +3,8 @@ defmodule Lightning.Extensions.AccountHook do
   @behaviour Lightning.Extensions.AccountHooking
 
   alias Ecto.Changeset
+  alias Lightning.Accounts
   alias Lightning.Accounts.User
-  alias Lightning.Accounts.UserIdentity
   alias Lightning.Repo
 
   @spec handle_register_user(map()) :: {:ok, User.t()} | {:error, Changeset.t()}
@@ -47,9 +47,7 @@ defmodule Lightning.Extensions.AccountHook do
     |> Repo.insert()
   end
 
-  defp link_identity(%User{id: user_id}, provider, uid) do
-    %UserIdentity{}
-    |> UserIdentity.changeset(%{user_id: user_id, provider: provider, uid: uid})
-    |> Repo.insert(on_conflict: :nothing, conflict_target: [:provider, :uid])
+  defp link_identity(%User{} = user, provider, uid) do
+    Accounts.link_user_identity(user, provider, uid)
   end
 end
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index c7977cddf16..5da031906f8 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -193,6 +193,14 @@ defmodule LightningWeb.OidcController do
             )
             |> redirect(to: ~p"/profile")
 
+          {:error, :identity_already_linked} ->
+            conn
+            |> put_flash(
+              :error,
+              "This #{display_name(provider)} identity is already linked to a different account."
+            )
+            |> redirect(to: ~p"/profile")
+
           {:error, _reason} ->
             conn
             |> put_flash(
diff --git a/test/lightning/accounts_test.exs b/test/lightning/accounts_test.exs
index 3237fe9503b..cc0493eb831 100644
--- a/test/lightning/accounts_test.exs
+++ b/test/lightning/accounts_test.exs
@@ -182,11 +182,29 @@ defmodule Lightning.AccountsTest do
       assert identity.uid == "abc"
     end
 
-    test "is idempotent on (provider, uid) conflicts" do
+    test "is idempotent when already linked to the same user" do
       user = insert(:user)
-      insert(:user_identity, user: user, provider: "github", uid: "abc")
 
-      assert {:ok, _} = Accounts.link_user_identity(user, "github", "abc")
+      existing =
+        insert(:user_identity, user: user, provider: "github", uid: "abc")
+
+      assert {:ok, identity} = Accounts.link_user_identity(user, "github", "abc")
+      # Returns the existing persisted row, not a fake unpersisted struct
+      assert identity.id == existing.id
+    end
+
+    test "errors when the (provider, uid) is claimed by a different user" do
+      other_user = insert(:user)
+      insert(:user_identity, user: other_user, provider: "github", uid: "abc")
+
+      user = insert(:user)
+
+      assert {:error, :identity_already_linked} =
+               Accounts.link_user_identity(user, "github", "abc")
+
+      # The identity still belongs to the original owner
+      assert %User{id: owner_id} = Accounts.get_user_by_identity("github", "abc")
+      assert owner_id == other_user.id
     end
   end
 
@@ -233,6 +251,23 @@ defmodule Lightning.AccountsTest do
 
       assert "has already been taken" in errors_on(changeset).email
     end
+
+    test "rolls back without orphaning a user when the identity is already claimed" do
+      other_user = insert(:user)
+      insert(:user_identity, user: other_user, provider: "github", uid: "taken")
+
+      email = unique_user_email()
+
+      assert {:error, :identity_already_linked} =
+               Accounts.register_user_from_sso(
+                 %{email: email, first_name: "Sso", last_name: "User"},
+                 "github",
+                 "taken"
+               )
+
+      # The user insert is rolled back with the failed identity link
+      refute Accounts.get_user_by_email(email)
+    end
   end
 
   describe "list_user_identities/1" do

From a57c320ece82ec2e168884e6d6ef9732d4fcd809 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 05:51:05 +0000
Subject: [PATCH 15/17] chore: break long lines

---
 lib/lightning/auth_providers/handler.ex    | 3 ++-
 lib/lightning/auth_providers/well_known.ex | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/lightning/auth_providers/handler.ex b/lib/lightning/auth_providers/handler.ex
index 862fc3493de..1edb000b4b9 100644
--- a/lib/lightning/auth_providers/handler.ex
+++ b/lib/lightning/auth_providers/handler.ex
@@ -114,7 +114,8 @@ defmodule Lightning.AuthProviders.Handler do
     maybe_resolve_email(client, handler.wellknown, userinfo)
   end
 
-  # Some providers (e.g. GitHub) omit `email` from userinfo; fall back to the emails endpoint and pick the primary, verified address.
+  # Some providers (e.g. GitHub) omit `email` from userinfo; fall back to the
+  # emails endpoint and pick the primary, verified address.
   defp maybe_resolve_email(
          client,
          %{user_emails_endpoint: endpoint},
diff --git a/lib/lightning/auth_providers/well_known.ex b/lib/lightning/auth_providers/well_known.ex
index 39169b20cda..1a3e16efc91 100644
--- a/lib/lightning/auth_providers/well_known.ex
+++ b/lib/lightning/auth_providers/well_known.ex
@@ -11,7 +11,8 @@ defmodule Lightning.AuthProviders.WellKnown do
     :introspection_endpoint
   ]
 
-  # `:user_emails_endpoint` resolves a verified email for providers (e.g. GitHub) whose userinfo endpoint doesn't return one.
+  # `:user_emails_endpoint` resolves a verified email for providers (e.g.
+  # GitHub) whose userinfo endpoint doesn't return one.
   defstruct @discovery_fields ++ [:user_emails_endpoint]
 
   @type t :: %__MODULE__{

From e85908b093dd3d742da4c8b4d7dde7b93c0a17ae Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 07:29:23 +0000
Subject: [PATCH 16/17] refactor:  reuse methods

---
 lib/lightning/auth_providers.ex               |   6 +
 lib/lightning/auth_providers/cache_warmer.ex  |  10 +-
 .../controllers/oidc_controller.ex            |  16 +-
 .../live/profile_live/identities_component.ex |  10 +-
 .../lightning/auth_providers/handler_test.exs | 139 ++++++++++++++++++
 5 files changed, 165 insertions(+), 16 deletions(-)
 create mode 100644 test/lightning/auth_providers/handler_test.exs

diff --git a/lib/lightning/auth_providers.ex b/lib/lightning/auth_providers.ex
index 0524e28a4b3..566e34787a4 100644
--- a/lib/lightning/auth_providers.ex
+++ b/lib/lightning/auth_providers.ex
@@ -10,6 +10,12 @@ defmodule Lightning.AuthProviders do
   alias Lightning.AuthProviders.WellKnown
   alias Lightning.Repo
 
+  @doc """
+  Returns a human-friendly name for a provider, e.g. `"github"` -> `"Github"`.
+  """
+  @spec display_name(provider :: String.t()) :: String.t()
+  def display_name(provider), do: String.capitalize(provider)
+
   @spec get_existing() :: AuthConfig.t() | nil
   def get_existing do
     from(ap in AuthConfig) |> Repo.one()
diff --git a/lib/lightning/auth_providers/cache_warmer.ex b/lib/lightning/auth_providers/cache_warmer.ex
index 19d6d8d63c7..c235b24067c 100644
--- a/lib/lightning/auth_providers/cache_warmer.ex
+++ b/lib/lightning/auth_providers/cache_warmer.ex
@@ -5,6 +5,8 @@ defmodule Lightning.AuthProviders.CacheWarmer do
   use Cachex.Warmer
   alias Lightning.AuthProviders
 
+  require Logger
+
   # Suppress dialyzer warning for Cachex.Warmer.init/1
   # This has been fixed upstream but not released on hex.
   # https://github.com/whitfin/cachex/issues/276
@@ -38,7 +40,13 @@ defmodule Lightning.AuthProviders.CacheWarmer do
           _ -> []
         end
       rescue
-        _ -> []
+        error ->
+          Logger.warning(
+            "AuthProviders.CacheWarmer failed to warm the DB-backed provider: " <>
+              Exception.message(error)
+          )
+
+          []
       end
 
     github_entries =
diff --git a/lib/lightning_web/controllers/oidc_controller.ex b/lib/lightning_web/controllers/oidc_controller.ex
index 5da031906f8..9eb84c8e015 100644
--- a/lib/lightning_web/controllers/oidc_controller.ex
+++ b/lib/lightning_web/controllers/oidc_controller.ex
@@ -171,7 +171,7 @@ defmodule LightningWeb.OidcController do
         conn
         |> put_flash(
           :info,
-          "Your #{display_name(provider)} account is already linked."
+          "Your #{AuthProviders.display_name(provider)} account is already linked."
         )
         |> redirect(to: ~p"/profile")
 
@@ -179,7 +179,7 @@ defmodule LightningWeb.OidcController do
         conn
         |> put_flash(
           :error,
-          "This #{display_name(provider)} identity is already linked to a different account."
+          "This #{AuthProviders.display_name(provider)} identity is already linked to a different account."
         )
         |> redirect(to: ~p"/profile")
 
@@ -189,7 +189,7 @@ defmodule LightningWeb.OidcController do
             conn
             |> put_flash(
               :info,
-              "Linked your #{display_name(provider)} account."
+              "Linked your #{AuthProviders.display_name(provider)} account."
             )
             |> redirect(to: ~p"/profile")
 
@@ -197,7 +197,7 @@ defmodule LightningWeb.OidcController do
             conn
             |> put_flash(
               :error,
-              "This #{display_name(provider)} identity is already linked to a different account."
+              "This #{AuthProviders.display_name(provider)} identity is already linked to a different account."
             )
             |> redirect(to: ~p"/profile")
 
@@ -205,7 +205,7 @@ defmodule LightningWeb.OidcController do
             conn
             |> put_flash(
               :error,
-              "Could not link your #{display_name(provider)} account. Please try again."
+              "Could not link your #{AuthProviders.display_name(provider)} account. Please try again."
             )
             |> redirect(to: ~p"/profile")
         end
@@ -224,7 +224,7 @@ defmodule LightningWeb.OidcController do
           conn
           |> put_flash(
             :error,
-            "Your #{display_name(provider)} email address has not been verified. Please verify it with #{display_name(provider)} and try signing in again."
+            "Your #{AuthProviders.display_name(provider)} email address has not been verified. Please verify it with #{AuthProviders.display_name(provider)} and try signing in again."
           )
           |> redirect(to: Routes.user_session_path(conn, :new))
         end
@@ -237,7 +237,7 @@ defmodule LightningWeb.OidcController do
         conn
         |> put_flash(
           :info,
-          "An account already exists for #{email}. Sign in and link your #{display_name(provider)} account from your profile settings to use single sign-on."
+          "An account already exists for #{email}. Sign in and link your #{AuthProviders.display_name(provider)} account from your profile settings to use single sign-on."
         )
         |> redirect(to: Routes.user_session_path(conn, :new))
 
@@ -333,8 +333,6 @@ defmodule LightningWeb.OidcController do
     end
   end
 
-  defp display_name(provider), do: String.capitalize(provider)
-
   defp broadcast_message(state, data) do
     [subscription_id, mod, component_id, current_tab] =
       OauthCredentialHelper.decode_state(state)
diff --git a/lib/lightning_web/live/profile_live/identities_component.ex b/lib/lightning_web/live/profile_live/identities_component.ex
index 645527849f7..3bd560f13be 100644
--- a/lib/lightning_web/live/profile_live/identities_component.ex
+++ b/lib/lightning_web/live/profile_live/identities_component.ex
@@ -23,7 +23,7 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
          socket
          |> put_flash(
            :info,
-           "Unlinked your #{display_name(provider)} account."
+           "Unlinked your #{AuthProviders.display_name(provider)} account."
          )
          |> push_navigate(to: ~p"/profile")}
 
@@ -47,7 +47,7 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
          socket
          |> put_flash(
            :error,
-           "Could not unlink your #{display_name(provider)} account."
+           "Could not unlink your #{AuthProviders.display_name(provider)} account."
          )
          |> push_navigate(to: ~p"/profile")}
     end
@@ -123,7 +123,7 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
         />
         <div class="min-w-0">
           <p class="text-sm font-medium text-gray-900 capitalize">
-            {display_name(@provider.name)}
+            {AuthProviders.display_name(@provider.name)}
           </p>
           <%= if @provider.identity do %>
             <p class="text-xs text-gray-500 truncate">
@@ -143,7 +143,7 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
             phx-click="unlink-identity"
             phx-value-provider={@provider.name}
             phx-target={@myself}
-            data-confirm={"Unlink #{display_name(@provider.name)} from your account?"}
+            data-confirm={"Unlink #{AuthProviders.display_name(@provider.name)} from your account?"}
           >
             Unlink
           </.button>
@@ -160,6 +160,4 @@ defmodule LightningWeb.ProfileLive.IdentitiesComponent do
     </li>
     """
   end
-
-  defp display_name(provider), do: String.capitalize(provider)
 end
diff --git a/test/lightning/auth_providers/handler_test.exs b/test/lightning/auth_providers/handler_test.exs
new file mode 100644
index 00000000000..914f113f64e
--- /dev/null
+++ b/test/lightning/auth_providers/handler_test.exs
@@ -0,0 +1,139 @@
+defmodule Lightning.AuthProviders.HandlerTest do
+  use ExUnit.Case, async: true
+
+  import Lightning.BypassHelpers
+
+  alias Lightning.AuthProviders.Handler
+  alias Lightning.AuthProviders.WellKnown
+
+  defp build_handler(name, wellknown) do
+    {:ok, handler} =
+      Handler.new(name,
+        wellknown: wellknown,
+        client_id: "id",
+        client_secret: "secret",
+        redirect_uri: "http://localhost/callback"
+      )
+
+    handler
+  end
+
+  describe "get_userinfo/2 with a GitHub-style emails endpoint" do
+    setup do
+      bypass = Bypass.open()
+
+      wellknown = %WellKnown{
+        authorization_endpoint: "#{endpoint_url(bypass)}/authorization_endpoint",
+        token_endpoint: "#{endpoint_url(bypass)}/token_endpoint",
+        userinfo_endpoint: "#{endpoint_url(bypass)}/userinfo_endpoint",
+        user_emails_endpoint: "#{endpoint_url(bypass)}/user_emails_endpoint"
+      }
+
+      {:ok,
+       handler: build_handler("github", wellknown),
+       bypass: bypass,
+       token: OAuth2.AccessToken.new("access-token")}
+    end
+
+    test "resolves the primary verified email when userinfo has none", ctx do
+      expect_userinfo(ctx.bypass, ctx.handler.wellknown, %{"sub" => "1"})
+
+      expect_user_emails(ctx.bypass, ctx.handler.wellknown, [
+        %{
+          "email" => "second@example.com",
+          "primary" => false,
+          "verified" => true
+        },
+        %{
+          "email" => "primary@example.com",
+          "primary" => true,
+          "verified" => true
+        },
+        %{"email" => "nope@example.com", "primary" => false, "verified" => false}
+      ])
+
+      userinfo = Handler.get_userinfo(ctx.handler, ctx.token)
+
+      assert userinfo["email"] == "primary@example.com"
+      assert userinfo["email_verified"] == true
+    end
+
+    test "falls back to any verified email when none is primary", ctx do
+      expect_userinfo(ctx.bypass, ctx.handler.wellknown, %{"sub" => "1"})
+
+      expect_user_emails(ctx.bypass, ctx.handler.wellknown, [
+        %{
+          "email" => "unverified@example.com",
+          "primary" => true,
+          "verified" => false
+        },
+        %{
+          "email" => "verified@example.com",
+          "primary" => false,
+          "verified" => true
+        }
+      ])
+
+      userinfo = Handler.get_userinfo(ctx.handler, ctx.token)
+
+      assert userinfo["email"] == "verified@example.com"
+      assert userinfo["email_verified"] == true
+    end
+
+    test "treats a present public profile email as verified without a second call",
+         ctx do
+      expect_userinfo(ctx.bypass, ctx.handler.wellknown, %{
+        "sub" => "1",
+        "email" => "public@example.com"
+      })
+
+      # No expect_user_emails/3 stub: Bypass fails the test if /user/emails is hit.
+      userinfo = Handler.get_userinfo(ctx.handler, ctx.token)
+
+      assert userinfo["email"] == "public@example.com"
+      assert userinfo["email_verified"] == true
+    end
+
+    test "leaves userinfo unresolved when no verified email is available", ctx do
+      expect_userinfo(ctx.bypass, ctx.handler.wellknown, %{"sub" => "1"})
+
+      expect_user_emails(ctx.bypass, ctx.handler.wellknown, [
+        %{
+          "email" => "unverified@example.com",
+          "primary" => true,
+          "verified" => false
+        }
+      ])
+
+      userinfo = Handler.get_userinfo(ctx.handler, ctx.token)
+
+      refute Map.has_key?(userinfo, "email")
+      refute userinfo["email_verified"]
+    end
+  end
+
+  describe "get_userinfo/2 with a standard OIDC provider" do
+    test "returns userinfo unchanged when there is no emails endpoint" do
+      bypass = Bypass.open()
+
+      wellknown = %WellKnown{
+        authorization_endpoint: "#{endpoint_url(bypass)}/authorization_endpoint",
+        token_endpoint: "#{endpoint_url(bypass)}/token_endpoint",
+        userinfo_endpoint: "#{endpoint_url(bypass)}/userinfo_endpoint"
+      }
+
+      handler = build_handler("google", wellknown)
+
+      expect_userinfo(bypass, wellknown, %{
+        "sub" => "1",
+        "email" => "g@example.com",
+        "email_verified" => true
+      })
+
+      userinfo = Handler.get_userinfo(handler, OAuth2.AccessToken.new("token"))
+
+      assert userinfo["email"] == "g@example.com"
+      assert userinfo["email_verified"] == true
+    end
+  end
+end

From 213850d39b87c5e0fba488bc899dfa5a31422438 Mon Sep 17 00:00:00 2001
From: Farhan Yahaya <yahyafarhan48@gmail.com>
Date: Fri, 5 Jun 2026 07:29:34 +0000
Subject: [PATCH 17/17] chore: update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d81117c4cde..53e7e2e2170 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,9 @@ and this project adheres to
 
 ### Added
 
+- Single Sign-On (SSO) sign-in with GitHub and Google, including account
+  [#4621](https://github.com/OpenFn/lightning/issues/4621)
+
 ### Changed
 
 ### Fixed