feat: implement OIDC login flow

Add SSO/OIDC authentication support using the PKCE authorization code
flow. The login screen now detects OIDC support via the /info endpoint
(with /version fallback) and shows an SSO login button when available.

Author: jmattheis

app/src/main/AndroidManifest.xml

@@ -43,10 +43,18 @@
             android:theme="@style/AppTheme.NoActionBar" />
         <activity
             android:name=".login.LoginActivity"
-            android:exported="false"
+            android:exported="true"
             android:label="Login"
+            android:launchMode="singleTop"
             android:theme="@style/AppTheme.NoActionBar.Login"
-            android:windowSoftInputMode="adjustResize" />
+            android:windowSoftInputMode="adjustResize">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data android:scheme="gotify" android:host="oidc" android:path="/callback" />
+            </intent-filter>
+        </activity>
         <activity
             android:name=".log.LogsActivity"
             android:exported="false"

app/src/main/kotlin/com/github/gotify/Settings.kt

@@ -45,6 +45,12 @@ internal class Settings(context: Context) {
     var clientCertPassword: String?
         get() = sharedPreferences.getString("clientCertPass", null)
         set(value) = sharedPreferences.edit { putString("clientCertPass", value) }
+    var oidcCodeVerifier: String?
+        get() = sharedPreferences.getString("oidc_code_verifier", null)
+        set(value) = sharedPreferences.edit { putString("oidc_code_verifier", value) }
+    var oidcState: String?
+        get() = sharedPreferences.getString("oidc_state", null)
+        set(value) = sharedPreferences.edit { putString("oidc_state", value) }
 
     init {
         sharedPreferences = context.getSharedPreferences("gotify", Context.MODE_PRIVATE)
@@ -61,6 +67,8 @@ internal class Settings(context: Context) {
         caCertPath = null
         clientCertPath = null
         clientCertPassword = null
+        oidcCodeVerifier = null
+        oidcState = null
     }
 
     fun setUser(name: String?, admin: Boolean) {

app/src/main/kotlin/com/github/gotify/api/ClientFactory.kt

@@ -4,6 +4,7 @@ import com.github.gotify.SSLSettings
 import com.github.gotify.Settings
 import com.github.gotify.client.ApiClient
 import com.github.gotify.client.api.InfoApi
+import com.github.gotify.client.api.OidcApi
 import com.github.gotify.client.api.UserApi
 import com.github.gotify.client.auth.ApiKeyAuth
 import com.github.gotify.client.auth.HttpBasicAuth
@@ -45,6 +46,14 @@ internal object ClientFactory {
         return unauthorized(settings, sslSettings, baseUrl).createService(InfoApi::class.java)
     }
 
+    fun oidcApi(
+        settings: Settings,
+        sslSettings: SSLSettings = settings.sslSettings(),
+        baseUrl: String = settings.url
+    ): OidcApi {
+        return unauthorized(settings, sslSettings, baseUrl).createService(OidcApi::class.java)
+    }
+
     fun userApiWithToken(settings: Settings): UserApi {
         return clientToken(settings).createService(UserApi::class.java)
     }

app/src/main/kotlin/com/github/gotify/login/LoginActivity.kt

@@ -12,6 +12,7 @@ import androidx.activity.result.contract.ActivityResultContracts
 import androidx.activity.viewModels
 import androidx.annotation.StringRes
 import androidx.appcompat.app.AppCompatActivity
+import androidx.core.net.toUri
 import androidx.lifecycle.Lifecycle
 import androidx.lifecycle.lifecycleScope
 import androidx.lifecycle.repeatOnLifecycle
@@ -107,20 +108,31 @@ internal class LoginActivity : AppCompatActivity() {
         }
         binding.advancedSettings.setOnClickListener { toggleShowAdvanced() }
         binding.login.setOnClickListener { doLogin() }
+        binding.oidcLogin.setOnClickListener { doOidcLogin() }
 
         viewModel.state.observe(this) { render(it) }
         lifecycleScope.launch {
             repeatOnLifecycle(Lifecycle.State.STARTED) {
                 viewModel.events.collect { handleEvent(it) }
             }
         }
+
+        handleOidcCallback(intent)
+    }
+
+    override fun onNewIntent(intent: Intent) {
+        super.onNewIntent(intent)
+        setIntent(intent)
+        handleOidcCallback(intent)
     }
 
     private fun render(state: LoginState) {
         binding.checkurlProgress.visibility = View.GONE
         binding.loginProgress.visibility = View.GONE
+        binding.oidcLoginProgress.visibility = View.GONE
         binding.checkurl.visibility = View.VISIBLE
         binding.credentialGroup.visibility = View.GONE
+        binding.oidcGroup.visibility = View.GONE
 
         when (state) {
             LoginState.UrlInput -> {
@@ -143,17 +155,35 @@ internal class LoginActivity : AppCompatActivity() {
                 binding.login.visibility = View.GONE
                 binding.loginProgress.visibility = View.VISIBLE
             }
+            LoginState.OidcAuthorizing -> {
+                showReadyState()
+                binding.oidcLogin.visibility = View.GONE
+                binding.oidcLoginProgress.visibility = View.VISIBLE
+            }
+            LoginState.OidcWaitingForCallback -> {
+                showReadyState()
+            }
+            LoginState.OidcExchangingToken -> {
+                binding.checkurl.visibility = View.GONE
+                binding.checkurlProgress.visibility = View.VISIBLE
+            }
         }
     }
 
     private fun showReadyState() {
-        val version = viewModel.gotifyVersion ?: return
-        binding.checkurl.text = getString(R.string.found_gotify_version, version)
+        val info = viewModel.gotifyInfo ?: return
+        binding.checkurl.text = getString(R.string.found_gotify_version, info.version)
         binding.credentialGroup.visibility = View.VISIBLE
+        if (info.oidc) {
+            binding.oidcGroup.visibility = View.VISIBLE
+        }
     }
 
     private fun handleEvent(event: LoginEvent) {
         when (event) {
+            is LoginEvent.OpenBrowser -> {
+                startActivity(Intent(Intent.ACTION_VIEW, event.url.toUri()))
+            }
             LoginEvent.LoginSuccess -> {
                 Utils.showSnackBar(this, getString(R.string.created_client))
                 startActivity(Intent(this, InitializationActivity::class.java))
@@ -184,6 +214,12 @@ internal class LoginActivity : AppCompatActivity() {
             LoginEvent.ClientCreationFailed -> {
                 Utils.showSnackBar(this, getString(R.string.create_client_failed))
             }
+            LoginEvent.OidcAuthorizeFailed -> {
+                Utils.showSnackBar(this, getString(R.string.oidc_authorize_failed))
+            }
+            LoginEvent.OidcTokenExchangeFailed -> {
+                Utils.showSnackBar(this, getString(R.string.oidc_token_exchange_failed))
+            }
         }
     }
 
@@ -206,6 +242,10 @@ internal class LoginActivity : AppCompatActivity() {
         viewModel.login(username, password)
     }
 
+    private fun doOidcLogin() {
+        showClientNameDialog(viewModel::startOidcAuthorize)
+    }
+
     private fun showClientNameDialog(onConfirm: (String) -> Unit) {
         val clientDialogBinding = ClientNameDialogBinding.inflate(layoutInflater)
         val clientDialogEditext = clientDialogBinding.clientNameEditext
@@ -225,6 +265,22 @@ internal class LoginActivity : AppCompatActivity() {
             .show()
     }
 
+    private fun handleOidcCallback(intent: Intent?) {
+        val data = intent?.data ?: return
+        if (!data.toString().startsWith(LoginViewModel.OIDC_REDIRECT_URI)) return
+
+        val code = data.getQueryParameter("code")
+        val state = data.getQueryParameter("state")
+        if (code == null || state == null) {
+            Logger.warn(
+                "OIDC callback missing parameters (code=${code != null}, state=${state != null})"
+            )
+            return
+        }
+
+        viewModel.handleOidcCallback(code, state)
+    }
+
     private fun toggleShowAdvanced() {
         advancedDialog = AdvancedDialog(this, layoutInflater)
             .onDisableSSLChanged { _, disable ->

app/src/main/kotlin/com/github/gotify/login/LoginState.kt

@@ -7,13 +7,19 @@ sealed class LoginState {
     object LoggingIn : LoginState()
     object WaitingForClientName : LoginState()
     object CreatingClient : LoginState()
+    object OidcAuthorizing : LoginState()
+    object OidcWaitingForCallback : LoginState()
+    object OidcExchangingToken : LoginState()
 }
 
 sealed class LoginEvent {
+    data class OpenBrowser(val url: String) : LoginEvent()
     object LoginSuccess : LoginEvent()
     object ShowClientNameDialog : LoginEvent()
     data class VersionError(val url: String, val code: Int) : LoginEvent()
     data class VersionException(val url: String, val message: String) : LoginEvent()
     object InvalidCredentials : LoginEvent()
     object ClientCreationFailed : LoginEvent()
+    object OidcAuthorizeFailed : LoginEvent()
+    object OidcTokenExchangeFailed : LoginEvent()
 }

app/src/main/kotlin/com/github/gotify/login/LoginViewModel.kt

@@ -11,8 +11,12 @@ import com.github.gotify.client.ApiClient
 import com.github.gotify.client.api.ClientApi
 import com.github.gotify.client.api.UserApi
 import com.github.gotify.client.model.ClientParams
+import com.github.gotify.client.model.GotifyInfo
+import com.github.gotify.client.model.OIDCExternalAuthorizeRequest
+import com.github.gotify.client.model.OIDCExternalTokenRequest
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.flow.receiveAsFlow
+import org.tinylog.kotlin.Logger
 
 internal class LoginViewModel(private val settings: Settings) : ViewModel() {
 
@@ -22,27 +26,48 @@ internal class LoginViewModel(private val settings: Settings) : ViewModel() {
     private val _events = Channel<LoginEvent>(Channel.BUFFERED)
     val events = _events.receiveAsFlow()
 
-    var gotifyVersion: String? = null
+    var gotifyInfo: GotifyInfo? = null
         private set
 
     private var authenticatedClient: ApiClient? = null
 
     fun invalidateUrl() {
-        gotifyVersion = null
+        gotifyInfo = null
         _state.value = LoginState.UrlInput
     }
 
     fun checkUrl(url: String) {
         _state.value = LoginState.CheckingUrl
         settings.url = url
 
+        try {
+            ClientFactory.infoApi(settings, settings.sslSettings(), url)
+                .info
+                .enqueue(
+                    Callback.call(
+                        onSuccess = Callback.SuccessBody { info ->
+                            gotifyInfo = info
+                            _state.value = LoginState.Ready
+                        },
+                        onError = { _ -> tryVersionEndpoint(url) }
+                    )
+                )
+        } catch (e: Exception) {
+            tryVersionEndpoint(url)
+        }
+    }
+
+    private fun tryVersionEndpoint(url: String) {
         try {
             ClientFactory.infoApi(settings, settings.sslSettings(), url)
                 .version
                 .enqueue(
                     Callback.call(
                         onSuccess = Callback.SuccessBody { version ->
-                            gotifyVersion = version.version
+                            gotifyInfo = GotifyInfo()
+                                .version(version.version)
+                                .oidc(false)
+                                .register(false)
                             _state.value = LoginState.Ready
                         },
                         onError = { exception ->
@@ -108,10 +133,92 @@ internal class LoginViewModel(private val settings: Settings) : ViewModel() {
         _state.value = LoginState.Ready
     }
 
+    fun startOidcAuthorize(clientName: String) {
+        _state.value = LoginState.OidcAuthorizing
+
+        val codeVerifier = PkceUtil.generateCodeVerifier()
+        val codeChallenge = PkceUtil.generateCodeChallenge(codeVerifier)
+        settings.oidcCodeVerifier = codeVerifier
+
+        val request = OIDCExternalAuthorizeRequest()
+            .codeChallenge(codeChallenge)
+            .redirectUri(OIDC_REDIRECT_URI)
+            .name(clientName)
+
+        Logger.info("OIDC: Requesting redirect url from gotify server: $request")
+
+        ClientFactory.oidcApi(settings)
+            .externalAuthorize(request)
+            .enqueue(
+                Callback.call(
+                    onSuccess = Callback.SuccessBody { response ->
+                        Logger.info("OIDC: Requested redirect url: $response")
+                        settings.oidcState = response.state
+                        _state.value = LoginState.OidcWaitingForCallback
+                        _events.trySend(
+                            LoginEvent.OpenBrowser(response.authorizeUrl)
+                        )
+                    },
+                    onError = { exception ->
+                        Logger.error("OIDC: authorize failed: ${exception.message}")
+                        _state.value = LoginState.Ready
+                        _events.trySend(LoginEvent.OidcAuthorizeFailed)
+                    }
+                )
+            )
+    }
+
+    fun handleOidcCallback(code: String, oidcState: String) {
+        val expectedState = settings.oidcState
+        if (expectedState == null || expectedState != oidcState) {
+            Logger.warn("OIDC: callback state mismatch (expected=$expectedState, got=$oidcState)")
+            _events.trySend(LoginEvent.OidcTokenExchangeFailed)
+            return
+        }
+
+        val verifier = settings.oidcCodeVerifier
+        if (verifier == null) {
+            Logger.warn("OIDC: callback missing code verifier")
+            return
+        }
+
+        settings.oidcCodeVerifier = null
+        settings.oidcState = null
+        _state.value = LoginState.OidcExchangingToken
+
+        val request = OIDCExternalTokenRequest()
+            .code(code)
+            .state(oidcState)
+            .codeVerifier(verifier)
+
+        Logger.error("OIDC: requesting client token: $request")
+
+        ClientFactory.oidcApi(settings, settings.sslSettings())
+            .externalToken(request)
+            .enqueue(
+                Callback.call(
+                    onSuccess = Callback.SuccessBody { response ->
+                        settings.token = response.token
+                        Logger.info("OIDC: login successful as ${response.user.name}")
+                        _events.trySend(LoginEvent.LoginSuccess)
+                    },
+                    onError = { exception ->
+                        Logger.error("OIDC: token exchange failed: ${exception.message}")
+                        _state.value = LoginState.Ready
+                        _events.trySend(LoginEvent.OidcTokenExchangeFailed)
+                    }
+                )
+            )
+    }
+
     class Factory(private val settings: Settings) : ViewModelProvider.Factory {
         @Suppress("UNCHECKED_CAST")
         override fun <T : ViewModel> create(modelClass: Class<T>): T {
             return LoginViewModel(settings) as T
         }
     }
+
+    companion object {
+        const val OIDC_REDIRECT_URI = "gotify://oidc/callback"
+    }
 }

app/src/main/kotlin/com/github/gotify/login/PkceUtil.kt

@@ -0,0 +1,19 @@
+package com.github.gotify.login
+
+import android.util.Base64
+import java.security.MessageDigest
+import java.security.SecureRandom
+
+internal object PkceUtil {
+    fun generateCodeVerifier(): String {
+        val bytes = ByteArray(32)
+        SecureRandom().nextBytes(bytes)
+        return Base64.encodeToString(bytes, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING)
+    }
+
+    fun generateCodeChallenge(codeVerifier: String): String {
+        val digest = MessageDigest.getInstance("SHA-256")
+            .digest(codeVerifier.toByteArray(Charsets.US_ASCII))
+        return Base64.encodeToString(digest, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING)
+    }
+}