Add OIDC implementation with authentication and configuration support

.env.example

@@ -0,0 +1,79 @@
+# PlanarAlly Environment Configuration
+# Copy this file to .env and configure your values
+
+# Python environment
+PYTHONPATH=./server/src
+MYPYPATH=./server/src
+
+# =============================================================================
+# GENERAL CONFIGURATION
+# =============================================================================
+
+# The client url is the full URL to the landing page of the application
+PA_CLIENT_URL=https://your-domain.com/
+
+# Allow users to sign up for new accounts
+PA_ALLOW_SIGNUPS=true
+
+# Enable username/password login (set to false to use only OIDC)
+PA_USERNAME_PASS=true
+
+# Enable exporting of campaigns
+PA_ENABLE_EXPORT=true
+
+# =============================================================================
+# WEBSERVER CONFIGURATION
+# =============================================================================
+
+# Host and port for the webserver
+PA_WEBSERVER_HOST=0.0.0.0
+PA_WEBSERVER_PORT=8000
+
+# CORS allowed origins
+PA_CORS_ALLOWED_ORIGINS=https://your-domain.com/
+
+# =============================================================================
+# OIDC CONFIGURATION
+# =============================================================================
+
+# Enable OIDC authentication
+PA_OIDC_ENABLED=false
+
+# OIDC provider domain (for discovery)
+PA_OIDC_DOMAIN=https://your-oidc-provider.com
+
+# OIDC client credentials
+PA_OIDC_CLIENT_ID=your-client-id
+PA_OIDC_CLIENT_SECRET=your-client-secret
+
+# OIDC audience (optional)
+PA_OIDC_AUDIENCE=
+
+# OIDC provider display name
+PA_OIDC_PROVIDER_NAME=OIDC
+
+# Username field from OIDC user info to use as PlanarAlly username
+# Options: preferred_username, name, email, sub, given_name, nickname
+PA_OIDC_USERNAME_FIELD=preferred_username
+
+# Direct OIDC URL overrides (bypass discovery)
+PA_OIDC_AUTHORIZE_URL=https://your-oidc-provider.com/auth
+PA_OIDC_TOKEN_URL=https://your-oidc-provider.com/token
+PA_OIDC_USERINFO_URL=https://your-oidc-provider.com/userinfo
+
+# =============================================================================
+# EXAMPLE CONFIGURATIONS
+# =============================================================================
+
+# Example 1: OIDC-only authentication
+# PA_USERNAME_PASS=false
+# PA_OIDC_ENABLED=true
+
+# Example 2: Both authentication methods
+# PA_USERNAME_PASS=true
+# PA_OIDC_ENABLED=true
+
+# OIDC scopes to request (space-separated)
+# Standard scopes: openid, profile, email, address, phone
+# Custom scopes: groups, roles, department (provider-specific)
+PA_OIDC_SCOPE=openid profile email

CHANGELOG.md

@@ -10,6 +10,21 @@ tech changes will usually be stripped from release notes for the public
 
 ## Unreleased
 
+### Added
+
+-   **OIDC (OpenID Connect) Authentication Support**
+    -   Full OIDC authentication flow implementation with OAuth2 authorization code flow
+    -   Support for OIDC discovery endpoints for automatic provider configuration
+    -   Configurable OIDC provider settings including domain, client credentials, and scopes
+    -   Option for direct URL configuration to bypass discovery for custom providers
+    -   Automatic user creation and management with configurable username field mapping
+    -   Secure state parameter validation to prevent CSRF attacks
+    -   Server-side token exchange and user information retrieval
+    -   Client-side OIDC login UI with provider-specific branding support
+    -   Seamless integration with existing user management system
+    -   [server] Fallback safety mechanism to prevent user lockout when OIDC is misconfigured
+    -   [server] Comprehensive logging for troubleshooting OIDC authentication flows
+    -   [server] Support for custom audience parameters for provider-specific requirements
 ## [2025.3]
 
 ### Added

client/index.html

@@ -5,7 +5,13 @@
         <link rel="shortcut icon" type="image/png" href="/static/favicon.png" />
         <meta name="viewport" content="width=device-width, initial-scale=1.0" />
         <meta name="PA-signup" content="true" />
+        <meta name="PA-username-pass" content="true" />
         <meta name="PA-mail" content="true" />
+        <meta name="PA-oidc" content="false" />
+        <meta name="PA-oidc-domain" content="" />
+        <meta name="PA-oidc-client-id" content="" />
+        <meta name="PA-oidc-audience" content="" />
+        <meta name="PA-oidc-provider" content="OIDC" />
         <script type="importmap">
             {
                 "imports": {