feat(social): Add SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT#13150

Merged
valentijnscholten merged 1 commit into DefectDojo:bugfix from kiblik:add_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT
Sep 11, 2025
Conversation

@kiblik (Contributor) commented Sep 10, 2025

SAML and KEYCLOAK already had a customizable button label. Why not OIDC?

I was thinking about customization of others as well, but none of them can run as a standalone instance (only SAML, KEYCLOAK, and OIDC).

@github-actions (bot) added labels Sep 10, 2025: settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, ui
@dryrunsecurity (DryRun Security) commented

This pull request contains an open redirect vulnerability: the OIDC login URL uses the user-controlled GET parameter request.GET.next directly in dojo/templates/dojo/login.html (lines 49–55) with no visible client-side validation. The scanner could not inspect server-side code/config, so no backend mitigation could be confirmed and the issue is considered confirmed.

Open Redirect in dojo/templates/dojo/login.html
Vulnerability: Open Redirect
Description: The 'next' parameter in the OIDC login URL is directly populated from the user-controlled GET parameter 'request.GET.next' without any visible client-side validation or sanitization. Due to persistent tool limitations preventing access to server-side code and configuration files, it was not possible to verify if any backend validation or mitigation for open redirects is in place. Therefore, based on the direct use of unvalidated user input in a redirect URL, the vulnerability is considered confirmed.

    <div class="form-group">
        {% if OIDC_ENABLED is True %}
        <div class="col-sm-offset-1 col-sm-2">
            <a href="{% url 'social:begin' 'oidc' %}?next={{ request.GET.next }}" style="color: rgb(255, 255, 255)" class="btn btn-success" type="button">{{ SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT }}</a>
        </div>
        {% endif %}

All finding details can be found in the DryRun Security Dashboard.
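The server-side check the scanner could not see is what decides whether the `next` value above is an open redirect. The block below is an added example, not code from this PR or from DefectDojo: it re-implements, with the standard library only, the same checks Django ships as `django.utils.http.url_has_allowed_host_and_scheme`, so it runs without Django installed. The `/login/oidc/` path and the `allowed_hosts` set are assumed placeholders.

```python
"""Validate a user-supplied ``next`` value before placing it in a redirect URL.
Re-implements the checks of Django's url_has_allowed_host_and_scheme using only
the standard library (added example, not DefectDojo's code). ``allowed_hosts``
is assumed to be the set of hostnames the application itself serves."""
import unicodedata
from urllib.parse import quote, urlsplit


def _check_one(url: str, allowed_hosts: set[str], require_https: bool) -> bool:
    # Chrome treats three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" has a scheme but no netloc; browsers still treat
    # evil.example as the host, so refuse it outright.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers ignore leading control characters, which can turn
    # "\x00//host" into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = {"https"} if require_https else {"http", "https"}
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def is_safe_next(url: str, allowed_hosts: set[str], require_https: bool = False) -> bool:
    """True only if ``url`` is relative or stays on one of ``allowed_hosts``."""
    if not url or not url.strip():
        return False
    # Browsers normalise backslashes to slashes, so "/\evil.example" must be
    # judged both as written and with backslashes replaced.
    return _check_one(url, allowed_hosts, require_https) and _check_one(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def oidc_login_url(next_param: str, allowed_hosts: set[str]) -> str:
    """Build the login link, using "/" instead of an unsafe ``next``."""
    # "/login/oidc/" is a hypothetical stand-in for {% url 'social:begin' 'oidc' %};
    # the value is URL-encoded so "&" or "#" inside it cannot inject parameters.
    target = next_param if is_safe_next(next_param, allowed_hosts) else "/"
    return "/login/oidc/?next=" + quote(target, safe="/")
```

In Django the same decision belongs in the view that renders login.html (or in a template filter), not in the template, so that the value reaching `request.GET.next` has already been reduced to a relative path or a known host.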

@valentijnscholten valentijnscholten merged commit 976f72c into DefectDojo:bugfix Sep 11, 2025
84 checks passed
@kiblik kiblik deleted the add_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT branch September 11, 2025 18:21