ui/src/auth/OidcCallback.tsx

import { useEffect, useRef } from 'react';
import { Navigate, useNavigate } from 'react-router';
import { useAuthStore } from './auth-store';
import { Card, Spinner, Alert, Button } from '@cameleer/design-system';
import { config } from '../config';

export function OidcCallback() {
  const { isAuthenticated, loading, error, loginWithOidcCode } = useAuthStore();
  const navigate = useNavigate();
  const exchanged = useRef(false);

  useEffect(() => {
    if (exchanged.current) return;
    exchanged.current = true;

    const params = new URLSearchParams(window.location.search);
    const code = params.get('code');
    const errorParam = params.get('error');

    if (errorParam) {
      // prompt=none SSO attempt failed (no active session) — fall back to login form
      if (errorParam === 'login_required' || errorParam === 'interaction_required') {
        window.location.replace(`${config.basePath}login?local`);
        return;
      }
      useAuthStore.setState({
        error: params.get('error_description') || errorParam,
        loading: false,
      });
      return;
    }

    if (!code) {
      useAuthStore.setState({ error: 'No authorization code received', loading: false });
      return;
    }

    const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
    loginWithOidcCode(code, redirectUri);
  }, [loginWithOidcCode]);

  if (isAuthenticated) return <Navigate to="/" replace />;

  return (
    <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh', background: 'var(--surface-ground)' }}>
      <Card>
        <div style={{ padding: '2rem', textAlign: 'center', minWidth: 320 }}>
          <h2 style={{ marginBottom: '1rem' }}>cameleer3</h2>
          {loading && <Spinner />}
          {error && (
            <>
              <Alert variant="error">{error}</Alert>
              <Button variant="secondary" onClick={() => navigate('/login')} style={{ marginTop: 16 }}>
                Back to Login
              </Button>
            </>
          )}
        </div>
      </Card>
    </div>
  );
}
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`import { useEffect, useRef } from 'react';`
			`import { Navigate, useNavigate } from 'react-router';`
			`import { useAuthStore } from './auth-store';`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`import { Card, Spinner, Alert, Button } from '@cameleer/design-system';`
fix: include BASE_PATH in OIDC redirect_uri for subpath deployments Behind a reverse proxy with strip-prefix (e.g., Traefik at /server/), the OIDC redirect_uri must include the prefix so the callback routes back through the proxy. Now uses config.basePath (from <base href>) instead of hardcoding '/'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:14:34 +02:00			`import { config } from '../config';`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00
			`export function OidcCallback() {`
			`const { isAuthenticated, loading, error, loginWithOidcCode } = useAuthStore();`
			`const navigate = useNavigate();`
			`const exchanged = useRef(false);`

			`useEffect(() => {`
			`if (exchanged.current) return;`
			`exchanged.current = true;`

			`const params = new URLSearchParams(window.location.search);`
			`const code = params.get('code');`
			`const errorParam = params.get('error');`

			`if (errorParam) {`
feat: auto-redirect to OIDC provider for true SSO When OIDC is configured, the login page automatically redirects to the provider with prompt=none. If the user has an active OIDC session, they are signed in without seeing a login page. If the provider returns login_required (no session), falls back to the login form via ?local. Users can bypass auto-redirect with /login?local. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:20:55 +02:00			`// prompt=none SSO attempt failed (no active session) — fall back to login form`
			`if (errorParam === 'login_required' \|\| errorParam === 'interaction_required') {`
			window.location.replace(`${config.basePath}login?local`);
			`return;`
			`}`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`useAuthStore.setState({`
			`error: params.get('error_description') \|\| errorParam,`
			`loading: false,`
			`});`
			`return;`
			`}`

			`if (!code) {`
			`useAuthStore.setState({ error: 'No authorization code received', loading: false });`
			`return;`
			`}`

fix: include BASE_PATH in OIDC redirect_uri for subpath deployments Behind a reverse proxy with strip-prefix (e.g., Traefik at /server/), the OIDC redirect_uri must include the prefix so the callback routes back through the proxy. Now uses config.basePath (from <base href>) instead of hardcoding '/'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:14:34 +02:00			const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`loginWithOidcCode(code, redirectUri);`
			`}, [loginWithOidcCode]);`

			`if (isAuthenticated) return <Navigate to="/" replace />;`

			`return (`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`<div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh', background: 'var(--surface-ground)' }}>`
			`<Card>`
			`<div style={{ padding: '2rem', textAlign: 'center', minWidth: 320 }}>`
			`<h2 style={{ marginBottom: '1rem' }}>cameleer3</h2>`
			`{loading && <Spinner />}`
			`{error && (`
			`<>`
			`<Alert variant="error">{error}</Alert>`
			`<Button variant="secondary" onClick={() => navigate('/login')} style={{ marginTop: 16 }}>`
			`Back to Login`
			`</Button>`
			`</>`
			`)}`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`</div>`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`</Card>`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`</div>`
			`);`
			`}`