* [papi] Add `verified` flag to config and `ActivateClientConfig` to OIDC service
* [papi] implement `ActivateClientConfig`
* [gitpod-db/go] add `setClientConfigVerifiedFlag`
* [gitpod-db/migration] add `d_b_oidc_client_config.verified` field
* [papi] Don't deactive on UpdateClientConfig
* [gitpod-db/go] add missing `Verified` field
* On "activate" request also mark as verified.
* [gitpod-db/go] fix mapping of `Verified` field
* [papi] ensure only verified OIDC client configs can be activated
* [papi] Skip the sign-in on verify-only requests.
* [papi] fix skipped tests
* [papi] fix mapping of OIDC configs
* rename RPC method
* fix tests after adding validation of claims
* fix: activation of record should deactivate others
* fix: update should unverify the entry
* remove Debug()
* [db-migration] fix: mark active entries as verified
* [papi] validate ID token claims
Some claims (e.g. email, name) are required. While it's defaults with most IdPs, some require manual configuration to make those claims appear in ID tokens.
* add test cases
* [gitpod-db] Add `d_b_oidc_client_config.active` field
* [papi] Add OIDCClientConfig.active to proto def
* [gitpod-db] Add OIDCClientConfig.active
* [papi] Add `activate` param to `/oidc/start` endpoint handler
If provided it should mark the OIDC client config as `active` in the DB.
* Fix propagation of state params and add tests.
* fix import of deprecated ioutil
* refactor GetStartParams
* consider `activate` from create request
* [experiment] Add "Sign in with SSO" to Login
Reusing existing parts:
* `/complete-auth` page of Dashbaord to forward results of authN flows running in a modal
* Adding preliminary UI to the Login view: Org-slug and simple button.
* [gitpod-db] get team/org by slug
* [gitpod-db] fix OIDCClientConfig.OrganizationID field's type
* [oidc] consider returnTo URL
* [oidc] consider orgSlug param from start request
* [oidc] fix oauth2 clientId propagation
* [oidc] fix a flaky test
* [onboarding] skip for organizational accounts
* Move SSO Login UI into it's own component
* adjust validation a bit, add useCallbacks
* adding GetOIDCClientConfigByOrgSlug
* add table name
* removing commented out code
---------
Co-authored-by: Brad Harris <bmharris@gmail.com>
Using JWT tokens for encoding/decoding/validation of state params carried throughout the OIDC/OAuth2 flow.
Validating of integrity is crucial, as this piece of information contains the ID of the OIDC client to continue with when Gitpod receives the callback from a 3rd party. Tests should show that expiration time is checked and signature validation is effective.
