feat(auth): multi-IdP config.json + login provider picker (phase 1) #4
Merged
config.json may now list several OAuth IdPs; the login screen shows one button
per provider ("Sign in with <label>"). A bare single object is still accepted
(treated as a one-IdP list), so existing otel/antalya configs are unchanged.
- oauth-config.js: split loadOAuthConfig into loadConfigDoc (fetch + normalize a
list, or wrap a bare object; id/label default to the issuer host) and
resolveIdp (per-IdP OIDC discovery). oauth.js untouched.
- app.js: resolveConfig resolves the *selected* IdP; the choice persists as
`oauth_idp` in sessionStorage (survives the OAuth redirect like oauth_state),
driving token exchange/refresh and per-IdP bearer/ch_auth. login(idpId),
selectIdp, loadIdps; signOut clears the selection.
- login.js: one button per IdP when >1 (async-loaded; single fallback on 1 or
load failure). CH side needs no change — it validates each JWT against the
token_processor matching its `iss`.
Docs: config.json.example + README document the list shape. Verified in-browser:
3-IdP picker renders; single-IdP regression intact. 360 tests pass;
oauth-config/login at 100%, app.js within gate.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QennTvGKAtJZrv9EpQagef
Phase 1 of multi-IdP support: `config.json` can list several OAuth providers, and the login screen shows one button per IdP. Fully backward-compatible and opt-in.

Config shape

```json
{
  "idps": [
    { "id": "google", "label": "Google", "issuer": "https://accounts.google.com", "client_id": "…" },
    { "id": "acme", "label": "Acme SSO", "issuer": "https://acme.auth0.com", "client_id": "…", "client_secret": "…" }
  ]
}
```

A bare single object (today's format) is treated as a one-IdP list — otel/antalya configs are unchanged. Per-entry `id`/`label` are optional (default: issuer host).

Changes

- `oauth-config.js`: split `loadOAuthConfig` → `loadConfigDoc` (fetch + normalize a list, or wrap a bare object) + `resolveIdp` (per-IdP OIDC discovery). `oauth.js` untouched.
- `app.js`: `resolveConfig` resolves the selected IdP; the choice persists as `oauth_idp` in sessionStorage (survives the OAuth redirect, like `oauth_state`) and drives token exchange / refresh / per-IdP `bearer` + `ch_auth`. Adds `login(idpId)`, `selectIdp`, `loadIdps`; `signOut` clears the selection.
- `login.js`: one "Sign in with …" button per IdP when >1 (async-loaded; falls back to the single button for 1 IdP or a load failure).
- `token_processor` matching its `iss`, so offering several IdPs needs no extra CH wiring.
- `config.json.example` + README "Configuring OAuth → Multiple IdPs".

Verification

`npm test` → 360 pass; `oauth-config.js` + `login.js` at 100%, `app.js` within its gate.

Phase 2 (auto-generating `config.json` from ClickHouse `token_processors`) builds on this list shape.

🤖 Generated with Claude Code
https://claude.ai/code/session_01QennTvGKAtJZrv9EpQagef
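
The list-or-bare-object normalization and the stored `oauth_idp` selection described in this PR, as an added example that is not the project's code. `normalizeConfigDoc` and `pickIdp` are hypothetical names, and the https-only issuer check, the duplicate-id rejection and the lookup of the stored id against the configured list are assumptions of this example, not behaviour the PR confirms.

```javascript
// Added example; normalizeConfigDoc and pickIdp are hypothetical names,
// not the project's loadConfigDoc/resolveIdp.
function normalizeConfigDoc(doc) {
  // Accept { idps: [...] } or a bare single-IdP object (wrapped as a one-item list).
  const raw = doc && Array.isArray(doc.idps) ? doc.idps : [doc];
  if (raw.length === 0) throw new Error('idps: at least one IdP is required');
  const seen = new Set();
  return raw.map((entry, i) => {
    if (!entry || typeof entry.issuer !== 'string' || typeof entry.client_id !== 'string') {
      throw new Error(`idps[${i}]: issuer and client_id are required`);
    }
    let url;
    try {
      url = new URL(entry.issuer);
    } catch {
      throw new Error(`idps[${i}]: issuer is not a URL`);
    }
    // Assumption: only https issuers are accepted, so discovery is never fetched in clear text.
    if (url.protocol !== 'https:') throw new Error(`idps[${i}]: issuer must be https`);
    // id and label default to the issuer host, as the PR describes.
    const id = entry.id || url.host;
    // Assumption: ids must be unique, because the stored selection is looked up by id.
    if (seen.has(id)) throw new Error(`idps[${i}]: duplicate id "${id}"`);
    seen.add(id);
    return { ...entry, id, label: entry.label || url.host };
  });
}

// Resolve a stored selection (the sessionStorage oauth_idp value) against the
// configured list. sessionStorage is writable by any script on the origin, so an
// unknown id yields null (show the picker again) instead of being trusted.
function pickIdp(idps, storedId) {
  if (storedId == null) return idps.length === 1 ? idps[0] : null;
  return idps.find((idp) => idp.id === storedId) || null;
}

// Constructed sample inputs with placeholder client ids.
const SAMPLE_LIST = {
  idps: [
    { id: 'google', label: 'Google', issuer: 'https://accounts.google.com', client_id: 'placeholder-a' },
    { issuer: 'https://acme.auth0.com', client_id: 'placeholder-b' },
  ],
};
const SAMPLE_BARE = { issuer: 'https://acme.auth0.com', client_id: 'placeholder-b' };
```
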