On-prem customers running SAML for multiple orgs need a deployment-wide way to remove the OIDC option from the UI. Without that flag, users still saw OIDC buttons on the login page, and some login redirects reached /login/ without an issuer and failed with "No auth issuer set".

Add app.disable_oidc_login to the frontend config, hide the OIDC buttons on the login page, and route menu and expired-session redirects back through the SPA login screen so SSO-only setups do not fall into the backend OIDC handler.

Add webdriver coverage for default-login-slug and disabled-OIDC login behavior, plus a focused auth_service test for the token refresh redirect. Keep that test's fake globals narrow enough to pass the stricter CI TypeScript checks.
bduffany left a comment:
Instead of adding a new config flag, can we check whether auth.oauth_providers is empty?
Inline comment on the auth_service test (code under review):

```ts
testGlobal.localStorage = new FakeStorage() as Storage & FakeStorage;
testGlobal.sessionStorage = new FakeStorage() as Storage & FakeStorage;

const AuthService = require("./auth_service").AuthService as typeof import("./auth_service").AuthService;
```
In my buildbuddy-ui-development skill I had to tell codex to not use require and instead always use plain old import or import type directives at the top of the file
Currently, if that slice is empty and self auth is not enabled, we will abort during startup and never configure SAML in the first place. I was hoping to avoid touching that logic, which may affect our cloud setup, and just give the user a flag to bypass things. But if you think that's a more sensible path, I can try going down that route.
Good recommendation. Will add to AGENTS.md.
The SAML and GitHub providers are optional so it seems reasonable to make OIDC another optional provider. For Cloud, OIDC should always be configured so it shouldn't have any impact there.
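The behaviour the PR description asks for (no OIDC buttons on an SSO-only deployment, and expired-session redirects that never reach /login/ without an issuer) and the alternative raised in review (derive OIDC availability from whether auth.oauth_providers is empty) can both be expressed as one small decision layer. The block below is an added example written for this page, not BuildBuddy's code: the `LoginConfig` fields, the `issuer_url`/`redirect_url` query parameters, the `/auth/saml/login` path and the `/` SPA login route are all assumptions for illustration, and the sample configurations are constructed.

```typescript
// Added example, not BuildBuddy's code. Config field names, the "/login/"
// query parameters, the SAML path and the SPA route are assumptions.

interface OidcProvider {
  name: string;
  issuerUrl: string;
}

interface LoginConfig {
  disableOidcLogin: boolean;      // stands in for the app.disable_oidc_login flag
  oauthProviders: OidcProvider[]; // stands in for auth.oauth_providers (review alternative)
  samlEnabled: boolean;
  defaultLoginSlug?: string;      // stands in for a default-login-slug setting
}

interface LoginButton {
  kind: "oidc" | "saml";
  label: string;
  href: string;
}

const SPA_LOGIN_PATH = "/";           // assumed SPA login route
const BACKEND_LOGIN_PATH = "/login/"; // backend OIDC handler named in the PR

// OIDC is usable only when the flag is off AND at least one provider is
// configured. This covers both the PR's flag and the review suggestion of
// checking whether the provider list is empty.
function oidcAvailable(cfg: LoginConfig): boolean {
  return !cfg.disableOidcLogin && cfg.oauthProviders.length > 0;
}

// Same-origin guard for a return path derived from the current location:
// accept only root-relative paths, reject "//host" and "/\host" forms.
function sanitizeReturnTo(path: string): string {
  const head = path.slice(0, 2);
  if (path.charAt(0) !== "/" || head === "//" || head === "/\\") {
    return "/";
  }
  return path;
}

// The only place a backend OIDC URL is built. An empty issuer is a programming
// error caught here, not something discovered later as "No auth issuer set".
function backendLoginUrl(issuerUrl: string, returnTo: string): string {
  if (issuerUrl === "") {
    throw new Error("refusing to build an OIDC login URL without an issuer");
  }
  return (
    BACKEND_LOGIN_PATH +
    "?issuer_url=" + encodeURIComponent(issuerUrl) +
    "&redirect_url=" + encodeURIComponent(sanitizeReturnTo(returnTo))
  );
}

// Buttons rendered by the SPA login screen for a given org slug (falls back to
// the deployment's default slug, which is what a default-login-slug test covers).
function loginButtons(cfg: LoginConfig, returnTo: string, orgSlug?: string): LoginButton[] {
  const buttons: LoginButton[] = [];
  if (oidcAvailable(cfg)) {
    for (const p of cfg.oauthProviders) {
      buttons.push({ kind: "oidc", label: "Log in with " + p.name, href: backendLoginUrl(p.issuerUrl, returnTo) });
    }
  }
  const slug = orgSlug || cfg.defaultLoginSlug;
  if (cfg.samlEnabled && slug) {
    buttons.push({
      kind: "saml",
      label: "Log in with SSO",
      href: "/auth/saml/login?slug=" + encodeURIComponent(slug) +
        "&redirect_url=" + encodeURIComponent(sanitizeReturnTo(returnTo)),
    });
  }
  return buttons;
}

// Expired-session handling: go straight to the backend only when exactly one
// OIDC issuer can be named. Otherwise (OIDC disabled, no providers, or several
// to choose from) return to the SPA login screen, which renders the buttons above.
function expiredSessionRedirect(cfg: LoginConfig, returnTo: string): string {
  if (oidcAvailable(cfg) && cfg.oauthProviders.length === 1) {
    return backendLoginUrl(cfg.oauthProviders[0].issuerUrl, returnTo);
  }
  return SPA_LOGIN_PATH + "?redirect_url=" + encodeURIComponent(sanitizeReturnTo(returnTo));
}

// Constructed sample configurations (not real deployments).
const SSO_ONLY: LoginConfig = {
  disableOidcLogin: true,
  oauthProviders: [{ name: "Okta", issuerUrl: "https://issuer.example" }],
  samlEnabled: true,
  defaultLoginSlug: "acme",
};
const NO_PROVIDERS: LoginConfig = { disableOidcLogin: false, oauthProviders: [], samlEnabled: true };
const SINGLE_OIDC: LoginConfig = {
  disableOidcLogin: false,
  oauthProviders: [{ name: "Okta", issuerUrl: "https://issuer.example" }],
  samlEnabled: false,
};
```

The design point is that `backendLoginUrl` is the single choke point for the backend handler: with `SSO_ONLY` or `NO_PROVIDERS`, neither the buttons nor the expired-session path can produce a `/login/` URL, so the "No auth issuer set" failure cannot be reached from the SPA. The `sanitizeReturnTo` step is a general caveat for any redirect built from the current location, not a defect described in the PR.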
Part of https://github.com/buildbuddy-io/buildbuddy-internal/issues/6820