
Epic: Single Sign On #4751

Open

doc-han wants to merge 10 commits into main from 4621-full-sso-experience

Epic: Single Sign On#4751
doc-han wants to merge 10 commits into
mainfrom
4621-full-sso-experience

Conversation

@doc-han (Contributor) commented May 14, 2026

Description

This PR implements the Full SSO Experience epic.

  • GitHub & Google sign-in/sign-up (Microsoft deferred)
  • SSO sign-ups go through the same AccountHook as password sign-ups.

Screenshots: login page with SSO buttons; register page with SSO buttons; signup confirmation page (SSO signup); email collision flash on login; SSO-only user tries password login; profile page, link/unlink provider.

Closes #4621

Validation steps

Setup

  • Configure OAuth clients/app on a provider (Google or GitHub).
  • Set the redirect URL to <host>/authenticate/<provider>/callback where <provider> is google or github for now.
  • Set your CLIENT_ID and CLIENT_SECRET as env variables, e.g. GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET.

Validation

Sign up via SSO

| # | Step | Expected |
|---|------|----------|
| 1 | New user → "Sign up with GitHub" | Confirmation screen appears |
| 2 | Click Cancel | No user created |
| 3 | Click Confirm | Account created & logged in, email has no password |
| 4 | Repeat with Google | Same result |

Sign in via SSO

| # | Step | Expected |
|---|------|----------|
| 1 | Existing SSO user → "Sign in with GitHub" | Straight in, no confirmation screen |
| 2 | MFA user → SSO sign-in | Routes to MFA validation page |

Email collision

| # | Step | Expected |
|---|------|----------|
| 1 | Existing password account at you@domain.com + SSO sign-up with same email | Redirected to login with "an account already exists, link from profile" message |
| 2 | Check DB (if you can) | No user_identities row created |

Link from /profile

| # | Step | Expected |
|---|------|----------|
| 1 | Click Link next to an unlinked provider → authorise | Flash confirms link |
| 2 | Log out, sign in via that provider | Succeeds |

Unlink from /profile

| # | Step | Expected |
|---|------|----------|
| 1 | Account with password + SSO → click Unlink | Identity removed |
| 2 | SSO-only account, unlink last identity | Refused with "set a password first" |
| 3 | Forgot-password → set password → Unlink | Succeeds |

Forgot password (SSO-only)

| # | Step | Expected |
|---|------|----------|
| 1 | SSO-only account tries password login | Flash "This account uses single sign-on" |
| 2 | Forgot password → set password | Both password and SSO sign-in work |

AI Usage

Please disclose whether you've used AI anywhere in this PR (it's cool, we just
want to know!):

  • I have used Claude Code
  • I have used another model
  • I have not used AI

You can read more details in our Responsible AI Policy.

Pre-submission checklist

  • I have performed an AI review of my code (we recommend using /review
    with Claude Code)
  • I have implemented and tested all related authorization policies.
    (e.g., :owner, :admin, :editor, :viewer)
  • I have updated the changelog.
  • I have ticked a box in "AI usage" in this PR

@doc-han doc-han linked an issue May 14, 2026 that may be closed by this pull request
@github-project-automation github-project-automation Bot moved this to New Issues in Core May 14, 2026
codecov bot commented May 25, 2026

Codecov Report

❌ Patch coverage is 83.33333% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.2%. Comparing base (7c23fff) to head (6883427).

| File with missing lines | Patch % | Lines |
|-------------------------|---------|-------|
| lib/lightning_web/controllers/oidc_controller.ex | 87.1% | 9 missing |
| lib/lightning/config/bootstrap.ex | 46.2% | 7 missing |
| lib/lightning/auth_providers/cache_warmer.ex | 64.3% | 5 missing |
| ...ning_web/live/profile_live/identities_component.ex | 88.9% | 5 missing |
| lib/lightning_web/components/sso_icons.ex | 33.3% | 4 missing |
| lib/lightning/auth_providers/github_handler.ex | 57.1% | 3 missing |
| lib/lightning/auth_providers/google_handler.ex | 85.7% | 1 missing |
| ...ghtning_web/controllers/user_session_controller.ex | 75.0% | 1 missing |
Additional details and impacted files
@@           Coverage Diff           @@
##            main   #4751     +/-   ##
=======================================
- Coverage   90.3%   90.2%   -0.1%     
=======================================
  Files        442     447      +5     
  Lines      22540   22735    +195     
=======================================
+ Hits       20353   20507    +154     
- Misses      2187    2228     +41     


@doc-han doc-han marked this pull request as ready for review May 25, 2026 08:51
github-actions bot (ghost) commented May 25, 2026

Now I have enough information to perform the security review. This PR adds SSO functionality (GitHub/Google OAuth providers, identity linking/unlinking, signup confirmation). Let me assess each check:

S0 (project scoping): The PR touches only user accounts, identities, sessions, and OAuth flows — none of which are project-scoped resources (no work with workflows, runs, dataclips, work orders, collections, project credentials, triggers, edges, or jobs). New queries (get_user_by_identity, list_user_identities) operate on instance-wide user data, which is correct.

S1 (authorization): New web entrypoints check authorization appropriately:

  • OidcController.link/2 (lib/lightning_web/controllers/oidc_controller.ex:39) gates on conn.assigns.current_user, redirecting unauthenticated users
  • IdentitiesComponent.handle_event("unlink-identity", ...) (lib/lightning_web/live/profile_live/identities_component.ex:18) operates only on socket.assigns.user (the current user from profile), so users cannot affect other accounts' identities
  • handle_sso_login (lib/lightning_web/controllers/oidc_controller.ex:204) explicitly refuses to auto-link to pre-existing email accounts, preventing identity-based account takeover
  • handle_sso_link (lib/lightning_web/controllers/oidc_controller.ex:174) refuses to link an identity already attached to a different account

S2 (audit trail): Per the agent guidance, S2 applies to project/instance configuration changes. This PR modifies user-level account state (registration, identity linking) — analogous to existing account operations (signup, password change) which do not write to Lightning.Auditing.Audit. SSO provider config is loaded from env vars at bootstrap, not mutated through the app, so no config-resource write occurs. No existing lib/lightning/accounts/audit.ex module exists for this domain.

Security Review ✅

  • S0 (project scoping): N/A — PR scope is user accounts, SSO identities, and OAuth flows; no project-scoped resources (workflows, runs, dataclips, collections, etc.) are touched.
  • S1 (authorization): New link/unlink/login paths gate on current_user, refuse to auto-link existing-email accounts (oidc_controller.ex:209), and reject identities already bound to another user (oidc_controller.ex:182), preventing identity-hijack/account-takeover.
  • S2 (audit trail): N/A — SSO provider configuration is env-driven (bootstrap.ex:506), and user/identity mutations are account-level operations, not project or instance configuration writes.
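The account-linking rules that both the validation tables in the PR description and the S1 paragraph above describe, as an added example that is not the project's Elixir code: an in-memory model of users and user_identities with the four decision points (unauthenticated SSO callback, link from /profile, unlink from /profile, password login). Every name here (Store, sso_callback, link_identity, the sample accounts and provider uids) is constructed for the illustration, and the SHA-256 password hash is a stand-in for a real password hasher.

```python
"""Toy model of the SSO account rules this PR describes (added example, not Lightning code)."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    password_hash: "str | None" = None  # None => SSO-only account, no password set
    mfa_enabled: bool = False


@dataclass
class Identity:
    user_id: int
    provider: str      # "github" or "google"
    provider_uid: str  # provider's stable subject id; the row is never keyed on email


def hash_password(pw):
    # Toy hash for the model only; real code uses Argon2/bcrypt through a vetted library.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Store:
    # In-memory stand-in for the users and user_identities tables.
    users: dict = field(default_factory=dict)
    identities: list = field(default_factory=list)

    def user_by_email(self, email):
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def identity(self, provider, uid):
        return next((i for i in self.identities if (i.provider, i.provider_uid) == (provider, uid)), None)

    def identities_for(self, user_id):
        return [i for i in self.identities if i.user_id == user_id]

    def add_user(self, email, password=None):
        user = User(len(self.users) + 1, email, hash_password(password) if password else None)
        self.users[user.id] = user
        return user


def sso_callback(store, provider, uid, email):
    """Unauthenticated callback: log in, require MFA, ask to confirm signup, or refuse."""
    ident = store.identity(provider, uid)
    if ident is not None:
        user = store.users[ident.user_id]
        return ("mfa_required", user.id) if user.mfa_enabled else ("logged_in", user.id)
    if store.user_by_email(email) is not None:
        # Email collision: never auto-link on a provider-asserted email and write no
        # identity row; the owner links from /profile while authenticated.
        return ("refused", "an account already exists, link from profile")
    return ("confirm_signup", {"provider": provider, "uid": uid, "email": email})


def confirm_signup(store, pending):
    # User clicked Confirm: create a password-less account plus its identity.
    user = store.add_user(pending["email"])
    store.identities.append(Identity(user.id, pending["provider"], pending["uid"]))
    return user


def link_identity(store, current_user, provider, uid):
    """Authenticated link from /profile; only the session user's own account changes."""
    existing = store.identity(provider, uid)
    if existing is not None and existing.user_id != current_user.id:
        return ("refused", "identity already linked to another account")
    if existing is None:
        store.identities.append(Identity(current_user.id, provider, uid))
    return ("linked", provider)


def unlink_identity(store, current_user, provider):
    """Never strand an account: the last identity stays until a password is set."""
    mine = store.identities_for(current_user.id)
    target = [i for i in mine if i.provider == provider]
    if not target:
        return ("refused", "no such identity")
    if len(mine) == 1 and current_user.password_hash is None:
        return ("refused", "set a password first")
    store.identities.remove(target[0])
    return ("unlinked", provider)


def password_login(store, email, password):
    user = store.user_by_email(email)
    if user is not None and user.password_hash is None:
        return ("refused", "This account uses single sign-on")
    if user is None or not secrets.compare_digest(user.password_hash, hash_password(password)):
        return ("refused", "invalid email or password")
    return ("logged_in", user.id)


def run_validation_script():
    """Replays the PR's validation tables in order; returns the observed outcomes."""
    s, out = Store(), []
    out.append(sso_callback(s, "github", "gh-1", "new@example.com")[0])   # confirm_signup
    alice = confirm_signup(s, {"provider": "github", "uid": "gh-1", "email": "new@example.com"})
    out.append(sso_callback(s, "github", "gh-1", "new@example.com")[0])   # logged_in
    bob = s.add_user("you@domain.com", password="hunter2")               # existing password account
    out.append(sso_callback(s, "google", "g-9", "you@domain.com")[0])     # refused: email collision
    out.append(len(s.identities_for(bob.id)))                             # 0: no identity row written
    out.append(link_identity(s, bob, "github", "gh-1")[0])                 # refused: bound to alice
    out.append(unlink_identity(s, alice, "github")[1])                     # set a password first
    out.append(password_login(s, alice.email, "anything")[1])              # SSO-only flash
    alice.password_hash = hash_password("s3cret")                         # forgot-password flow
    out.append(unlink_identity(s, alice, "github")[0])                     # unlinked
    return out
```

run_validation_script() walks the sign-up, collision, link, unlink and forgot-password tables in the order the description lists them. Two properties are the ones to check when reviewing a change of this shape: the identity lookup is keyed on (provider, provider_uid) and never on the email, so a provider-asserted email can only block a sign-up and can never claim an existing account; and the link and unlink guards are evaluated against the session user's own identities, so a request can neither attach someone else's identity nor strand another account. The SSO-only flash that password_login returns is distinct from the generic invalid-credentials message, which is what the validation table expects and also what tells a caller that an account exists for that email.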

@theroinaochieng theroinaochieng moved this from New Issues to In review in Core May 26, 2026

Labels: none yet

Project status: In review

Linked issue (may be closed by this pull request): Full SSO Experience

2 participants