feat: support custom oauth & oidc providers (#2357)

## Summary
Add configurable custom OAuth/OIDC providers (phase 1) so projects can
integrate self‑hosted/regional identity providers without requiring code
changes.

## Problem
Current OAuth/OIDC providers are hardcoded, require provider-specific
code and env vars, and block customers who need self‑hosted or custom
IdPs (e.g. GitHub Enterprise, LINE, internal OIDC servers).

## Solution
Introduce database‑backed `oauth_providers` with custom:{identifier}
IDs, OIDC discovery + OAuth2 manual configuration, admin CRUD APIs, and
tier‑gated quotas, reusing existing /authorize and /callback flows with
JWT state + PKCE.

Author: cemalkilic

go.mod

@@ -60,6 +60,7 @@ require (
 	github.com/lestrrat-go/httprc v1.0.5 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lib/pq v1.10.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect

internal/api/api.go

@@ -375,6 +375,21 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 					})
 				})
 			}
+
+			// Custom OAuth/OIDC provider management endpoints
+			if globalConfig.CustomOAuth.Enabled {
+				r.Route("/custom-providers", func(r *router) {
+					// supports both OAuth2 and OIDC via provider_type)
+					r.Get("/", api.adminCustomOAuthProvidersList)   // Optional ?type=oauth2 or ?type=oidc filter
+					r.Post("/", api.adminCustomOAuthProviderCreate) // provider_type in request body
+
+					r.Route("/{identifier}", func(r *router) {
+						r.Get("/", api.adminCustomOAuthProviderGet)
+						r.Put("/", api.adminCustomOAuthProviderUpdate)
+						r.Delete("/", api.adminCustomOAuthProviderDelete)
+					})
+				})
+			}
 		})
 
 		// OAuth Dynamic Client Registration endpoint (public, rate limited)

internal/api/apierrors/errorcode.go

@@ -102,8 +102,12 @@ const (
 	ErrorCodeWeb3UnsupportedChain                   ErrorCode = "web3_unsupported_chain"
 	ErrorCodeOAuthDynamicClientRegistrationDisabled ErrorCode = "oauth_dynamic_client_registration_disabled"
 	ErrorCodeEmailAddressNotProvided                ErrorCode = "email_address_not_provided"
+	ErrorCodeFeatureDisabled                        ErrorCode = "feature_disabled"
 
 	ErrorCodeOAuthClientNotFound        ErrorCode = "oauth_client_not_found"
 	ErrorCodeOAuthAuthorizationNotFound ErrorCode = "oauth_authorization_not_found"
 	ErrorCodeOAuthConsentNotFound       ErrorCode = "oauth_consent_not_found"
+
+	ErrorCodeCustomProviderNotFound  ErrorCode = "custom_provider_not_found"
+	ErrorCodeOverCustomProviderQuota ErrorCode = "over_custom_provider_quota"
 )