kalamdb
diff --git a/‎Cargo.lock‎
Lines changed: 422 additions & 28 deletions b/‎Cargo.lock‎
Lines changed: 422 additions & 28 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/Cargo.toml‎
Lines changed: 2 additions & 0 deletions b/‎backend/crates/kalamdb-api/Cargo.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/login.rs‎
Lines changed: 7 additions & 0 deletions b/‎backend/crates/kalamdb-api/src/http/auth/login.rs‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/login_options.rs‎
Lines changed: 66 additions & 0 deletions b/‎backend/crates/kalamdb-api/src/http/auth/login_options.rs‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/mod.rs‎
Lines changed: 6 additions & 2 deletions b/‎backend/crates/kalamdb-api/src/http/auth/mod.rs‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/models/login_options.rs‎
Lines changed: 42 additions & 0 deletions b/‎backend/crates/kalamdb-api/src/http/auth/models/login_options.rs‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/models/mod.rs‎
Lines changed: 11 additions & 0 deletions b/‎backend/crates/kalamdb-api/src/http/auth/models/mod.rs‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/models/oidc_device.rs‎
Lines changed: 60 additions & 0 deletions b/‎backend/crates/kalamdb-api/src/http/auth/models/oidc_device.rs‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎backend/crates/kalamdb-api/src/http/auth/models/oidc_exchange.rs‎
Lines changed: 13 additions & 0 deletions b/‎backend/crates/kalamdb-api/src/http/auth/models/oidc_exchange.rs‎
Lines changed: 13 additions & 0 deletions
@@ -135,6 +135,7 @@ ulid = "1.1"
 
 # JWT authentication
 jsonwebtoken = { version = "10.4.0", default-features = false, features = ["aws_lc_rs"] }
+openidconnect = { version = "4.0.1", default-features = false, features = ["reqwest", "rustls-tls"] }
 
 # Configuration
 toml = "1.1.2"
 
@@ -15,6 +15,7 @@ kalamdb-configs = { path = "../kalamdb-configs" }
 kalamdb-core = { path = "../kalamdb-core" }
 kalamdb-jobs = { path = "../kalamdb-jobs" }
 kalamdb-live = { path = "../kalamdb-live" }
+kalamdb-observability = { path = "../kalamdb-observability" }
 kalamdb-raft = { path = "../kalamdb-raft" }
 kalamdb-sql = { package = "kalamdb-dialect", path = "../kalamdb-dialect" }
 kalamdb-auth = { path = "../kalamdb-auth" }
@@ -56,6 +57,7 @@ tracing = { workspace = true }
 tokio = { workspace = true }
 futures-util = { workspace = true }
 reqwest = { workspace = true }
+openidconnect = { workspace = true }
 
 # Base64 encoding/decoding
 base64 = { workspace = true }
 
@@ -48,6 +48,13 @@ pub async fn login_handler(
         ));
     }
 
+    if !config.local.enabled {
+        return HttpResponse::Forbidden().json(AuthErrorResponse::new(
+            "local_auth_disabled",
+            "Local username/password login is disabled. Use the configured OIDC login method.",
+        ));
+    }
+
     // Authenticate using unified auth flow (includes localhost/empty password rules)
     let auth_request = AuthRequest::Credentials {
         user: body.user.clone(),
 
@@ -0,0 +1,66 @@
+use std::sync::Arc;
+
+use actix_web::{web, HttpResponse};
+use kalamdb_auth::providers::jwt_config;
+use kalamdb_core::app_context::AppContext;
+
+use super::models::{
+    AuthLoginOptionsResponse, LocalLoginOptions, OidcDeviceFlowOptions, OidcLoginOptions,
+};
+
+pub async fn login_options_handler(app_context: web::Data<Arc<AppContext>>) -> HttpResponse {
+    let config = app_context.config();
+    let oidc = if config.auth.oidc.enabled {
+        match (config.auth.oidc.issuer_str(), config.auth.oidc.client_id_str()) {
+            (Some(issuer), Some(client_id)) => {
+                let public_metadata =
+                    match jwt_config::get_jwt_config().oidc_public_metadata(issuer).await {
+                        Ok(metadata) => Some(metadata),
+                        Err(error) => {
+                            log::warn!("OIDC login-options metadata discovery failed: {}", error);
+                            None
+                        },
+                    };
+                let device_authorization_endpoint = public_metadata
+                    .as_ref()
+                    .and_then(|metadata| metadata.device_authorization_endpoint.clone())
+                    .or_else(|| config.auth.oidc.device_authorization_endpoint.clone());
+
+                Some(OidcLoginOptions {
+                    enabled: true,
+                    display_name: config.auth.oidc.display_name.clone(),
+                    issuer: issuer.to_string(),
+                    client_id: client_id.to_string(),
+                    authorization_endpoint: public_metadata
+                        .as_ref()
+                        .and_then(|metadata| metadata.authorization_endpoint.clone()),
+                    token_endpoint: public_metadata
+                        .as_ref()
+                        .and_then(|metadata| metadata.token_endpoint.clone()),
+                    device_authorization_endpoint: device_authorization_endpoint.clone(),
+                    scopes: public_metadata
+                        .as_ref()
+                        .map(|metadata| metadata.scopes.clone())
+                        .unwrap_or_else(|| config.auth.oidc.scopes.clone()),
+                    device_flow: Some(OidcDeviceFlowOptions {
+                        direct_supported: device_authorization_endpoint.is_some(),
+                        broker_supported: config.auth.oidc.broker_device_flow_enabled,
+                        device_authorization_endpoint,
+                        broker_start_endpoint: Some("/v1/api/auth/oidc/device/start".to_string()),
+                        broker_poll_endpoint: Some("/v1/api/auth/oidc/device/poll".to_string()),
+                    }),
+                })
+            },
+            _ => None,
+        }
+    } else {
+        None
+    };
+
+    HttpResponse::Ok().json(AuthLoginOptionsResponse {
+        local: LocalLoginOptions {
+            enabled: config.auth.local.enabled,
+        },
+        oidc,
+    })
+}
@@ -14,19 +14,23 @@ pub mod models;
 
 mod audit;
 mod login;
+mod login_options;
 mod logout;
 mod me;
-mod oauth;
+mod oidc_device;
+mod oidc_exchange;
 mod refresh;
 mod setup;
 
 use actix_web::HttpResponse;
 use kalamdb_auth::AuthError;
 pub(crate) use login::login_handler;
+pub(crate) use login_options::login_options_handler;
 pub(crate) use logout::logout_handler;
 pub(crate) use me::me_handler;
 use models::AuthErrorResponse;
-pub(crate) use oauth::oauth_providers_handler;
+pub(crate) use oidc_device::{oidc_device_poll_handler, oidc_device_start_handler};
+pub(crate) use oidc_exchange::{oidc_code_exchange_handler, oidc_token_exchange_handler};
 pub(crate) use refresh::refresh_handler;
 pub(crate) use setup::{server_setup_handler, setup_status_handler};
 
 
@@ -0,0 +1,42 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct AuthLoginOptionsResponse {
+    pub local: LocalLoginOptions,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub oidc: Option<OidcLoginOptions>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct LocalLoginOptions {
+    pub enabled: bool,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcLoginOptions {
+    pub enabled: bool,
+    pub display_name: String,
+    pub issuer: String,
+    pub client_id: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub authorization_endpoint: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub token_endpoint: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub device_authorization_endpoint: Option<String>,
+    pub scopes: Vec<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub device_flow: Option<OidcDeviceFlowOptions>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcDeviceFlowOptions {
+    pub direct_supported: bool,
+    pub broker_supported: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub device_authorization_endpoint: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub broker_start_endpoint: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub broker_poll_endpoint: Option<String>,
+}
@@ -3,14 +3,25 @@
 //! This module contains type-safe models for all authentication endpoints.
 
 mod error_response;
+mod login_options;
 mod login_response;
+mod oidc_device;
+mod oidc_exchange;
 mod setup_request;
 mod setup_response;
 mod user_info;
 
 pub use error_response::AuthErrorResponse;
 pub use kalamdb_auth::LoginRequest;
+pub use login_options::{
+    AuthLoginOptionsResponse, LocalLoginOptions, OidcDeviceFlowOptions, OidcLoginOptions,
+};
 pub use login_response::LoginResponse;
+pub use oidc_device::{
+    OidcDevicePollRequest, OidcDevicePollResponse, OidcDevicePollStatus, OidcDeviceStartRequest,
+    OidcDeviceStartResponse,
+};
+pub use oidc_exchange::{OidcCodeExchangeRequest, OidcTokenExchangeRequest};
 pub use setup_request::ServerSetupRequest;
 pub use setup_response::ServerSetupResponse;
 pub use user_info::{CurrentUserResponse, UserInfo};
@@ -0,0 +1,60 @@
+use serde::{Deserialize, Serialize};
+
+use super::UserInfo;
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcDeviceStartRequest {
+    #[serde(default)]
+    pub scopes: Vec<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcDeviceStartResponse {
+    pub device_session_id: String,
+    pub verification_uri: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub verification_uri_complete: Option<String>,
+    pub user_code: String,
+    pub expires_in_seconds: u64,
+    pub interval_seconds: u64,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcDevicePollRequest {
+    #[serde(alias = "session_id")]
+    pub device_session_id: String,
+}
+
+#[derive(Debug, Serialize)]
+pub struct OidcDevicePollResponse {
+    pub status: OidcDevicePollStatus,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub interval_seconds: Option<u64>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub token_type: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub access_token: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub expires_at: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub refresh_token: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub refresh_expires_at: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub user: Option<UserInfo>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub admin_ui_access: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub message: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum OidcDevicePollStatus {
+    Pending,
+    SlowDown,
+    Authorized,
+    Denied,
+    Expired,
+    Failed,
+}
@@ -0,0 +1,13 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcCodeExchangeRequest {
+    pub code: String,
+    pub redirect_uri: String,
+    pub code_verifier: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct OidcTokenExchangeRequest {
+    pub token: String,
+}