ui/src/auth/OidcCallback.tsx

import { useEffect, useRef } from 'react';
import { Navigate, useNavigate } from 'react-router';
import { useAuthStore } from './auth-store';
import { api } from '../api/client';
import { Card, Spinner, Alert, Button } from '@cameleer/design-system';
import { config } from '../config';

export function OidcCallback() {
  const { isAuthenticated, loading, error, loginWithOidcCode } = useAuthStore();
  const navigate = useNavigate();
  const exchanged = useRef(false);

  useEffect(() => {
    if (exchanged.current) return;
    exchanged.current = true;

    const params = new URLSearchParams(window.location.search);
    const code = params.get('code');
    const errorParam = params.get('error');

    if (errorParam) {
      // prompt=none failed — no session, fall back to login form
      if (errorParam === 'login_required' || errorParam === 'interaction_required') {
        window.location.replace(`${config.basePath}login?local`);
        return;
      }
      // consent_required — retry without prompt=none so user can grant scopes
      if (errorParam === 'consent_required' && !sessionStorage.getItem('oidc-consent-retry')) {
        sessionStorage.setItem('oidc-consent-retry', '1');
        api.GET('/auth/oidc/config').then(({ data }) => {
          if (data?.authorizationEndpoint && data?.clientId) {
            const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
            const p = new URLSearchParams({
              response_type: 'code',
              client_id: data.clientId,
              redirect_uri: redirectUri,
              scope: 'openid email profile',
            });
            window.location.href = `${data.authorizationEndpoint}?${p}`;
          }
        }).catch(() => {
          window.location.replace(`${config.basePath}login?local`);
        });
        return;
      }
      sessionStorage.removeItem('oidc-consent-retry');
      useAuthStore.setState({
        error: params.get('error_description') || errorParam,
        loading: false,
      });
      return;
    }

    sessionStorage.removeItem('oidc-consent-retry');

    if (!code) {
      useAuthStore.setState({ error: 'No authorization code received', loading: false });
      return;
    }

    const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
    const codeVerifier = sessionStorage.getItem('oidc-code-verifier') ?? undefined;
    sessionStorage.removeItem('oidc-code-verifier');
    loginWithOidcCode(code, redirectUri, codeVerifier);
  }, [loginWithOidcCode]);

  if (isAuthenticated) return <Navigate to="/" replace />;

  return (
    <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh', background: 'var(--surface-ground)' }}>
      <Card>
        <div style={{ padding: '2rem', textAlign: 'center', minWidth: 320 }}>
          <h2 style={{ marginBottom: '1rem' }}>cameleer3</h2>
          {loading && <Spinner />}
          {error && (
            <>
              <Alert variant="error">{error}</Alert>
              <Button variant="secondary" onClick={() => navigate('/login?local')} style={{ marginTop: 16 }}>
                Back to Login
              </Button>
            </>
          )}
        </div>
      </Card>
    </div>
  );
}
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`import { useEffect, useRef } from 'react';`
			`import { Navigate, useNavigate } from 'react-router';`
			`import { useAuthStore } from './auth-store';`
fix: handle consent_required by retrying OIDC without prompt=none When prompt=none fails with consent_required (scopes not yet granted), retry the OIDC flow without prompt=none so the user can grant consent once. Uses sessionStorage flag to prevent infinite loops — falls back to local login if the retry also fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:29:31 +02:00			`import { api } from '../api/client';`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`import { Card, Spinner, Alert, Button } from '@cameleer/design-system';`
fix: include BASE_PATH in OIDC redirect_uri for subpath deployments Behind a reverse proxy with strip-prefix (e.g., Traefik at /server/), the OIDC redirect_uri must include the prefix so the callback routes back through the proxy. Now uses config.basePath (from <base href>) instead of hardcoding '/'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:14:34 +02:00			`import { config } from '../config';`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00
			`export function OidcCallback() {`
			`const { isAuthenticated, loading, error, loginWithOidcCode } = useAuthStore();`
			`const navigate = useNavigate();`
			`const exchanged = useRef(false);`

			`useEffect(() => {`
			`if (exchanged.current) return;`
			`exchanged.current = true;`

			`const params = new URLSearchParams(window.location.search);`
			`const code = params.get('code');`
			`const errorParam = params.get('error');`

			`if (errorParam) {`
fix: handle consent_required by retrying OIDC without prompt=none When prompt=none fails with consent_required (scopes not yet granted), retry the OIDC flow without prompt=none so the user can grant consent once. Uses sessionStorage flag to prevent infinite loops — falls back to local login if the retry also fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:29:31 +02:00			`// prompt=none failed — no session, fall back to login form`
feat: auto-redirect to OIDC provider for true SSO When OIDC is configured, the login page automatically redirects to the provider with prompt=none. If the user has an active OIDC session, they are signed in without seeing a login page. If the provider returns login_required (no session), falls back to the login form via ?local. Users can bypass auto-redirect with /login?local. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:20:55 +02:00			`if (errorParam === 'login_required' \|\| errorParam === 'interaction_required') {`
			window.location.replace(`${config.basePath}login?local`);
			`return;`
			`}`
fix: handle consent_required by retrying OIDC without prompt=none When prompt=none fails with consent_required (scopes not yet granted), retry the OIDC flow without prompt=none so the user can grant consent once. Uses sessionStorage flag to prevent infinite loops — falls back to local login if the retry also fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:29:31 +02:00			`// consent_required — retry without prompt=none so user can grant scopes`
			`if (errorParam === 'consent_required' && !sessionStorage.getItem('oidc-consent-retry')) {`
			`sessionStorage.setItem('oidc-consent-retry', '1');`
			`api.GET('/auth/oidc/config').then(({ data }) => {`
			`if (data?.authorizationEndpoint && data?.clientId) {`
			const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
			`const p = new URLSearchParams({`
			`response_type: 'code',`
			`client_id: data.clientId,`
			`redirect_uri: redirectUri,`
			`scope: 'openid email profile',`
			`});`
			window.location.href = `${data.authorizationEndpoint}?${p}`;
			`}`
			`}).catch(() => {`
			window.location.replace(`${config.basePath}login?local`);
			`});`
			`return;`
			`}`
			`sessionStorage.removeItem('oidc-consent-retry');`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`useAuthStore.setState({`
			`error: params.get('error_description') \|\| errorParam,`
			`loading: false,`
			`});`
			`return;`
			`}`

fix: handle consent_required by retrying OIDC without prompt=none When prompt=none fails with consent_required (scopes not yet granted), retry the OIDC flow without prompt=none so the user can grant consent once. Uses sessionStorage flag to prevent infinite loops — falls back to local login if the retry also fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:29:31 +02:00			`sessionStorage.removeItem('oidc-consent-retry');`

Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`if (!code) {`
			`useAuthStore.setState({ error: 'No authorization code received', loading: false });`
			`return;`
			`}`

fix: include BASE_PATH in OIDC redirect_uri for subpath deployments Behind a reverse proxy with strip-prefix (e.g., Traefik at /server/), the OIDC redirect_uri must include the prefix so the callback routes back through the proxy. Now uses config.basePath (from <base href>) instead of hardcoding '/'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:14:34 +02:00			const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
refactor: architecture cleanup — OIDC dedup, PKCE, K8s hardening - Extract OidcProviderHelper for shared discovery + JWK source construction - Add SystemRole.normalizeScope() to centralize role normalization - Merge duplicate claim extraction in OidcTokenExchanger - Add PKCE (S256) to OIDC authorization flow (frontend + backend) - Add SecurityContext (runAsNonRoot) to all K8s deployments - Fix postgres probe to use $POSTGRES_USER instead of hardcoded username - Remove default credentials from Dockerfile - Extract sanitize_branch() to shared .gitea/sanitize-branch.sh - Fix sidebar to use /exchanges/ paths directly, remove legacy redirects - Centralize basePath computation in router.tsx via config module Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 21:57:29 +02:00			`const codeVerifier = sessionStorage.getItem('oidc-code-verifier') ?? undefined;`
			`sessionStorage.removeItem('oidc-code-verifier');`
			`loginWithOidcCode(code, redirectUri, codeVerifier);`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`}, [loginWithOidcCode]);`

			`if (isAuthenticated) return <Navigate to="/" replace />;`

			`return (`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`<div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh', background: 'var(--surface-ground)' }}>`
			`<Card>`
			`<div style={{ padding: '2rem', textAlign: 'center', minWidth: 320 }}>`
			`<h2 style={{ marginBottom: '1rem' }}>cameleer3</h2>`
			`{loading && <Spinner />}`
			`{error && (`
			`<>`
			`<Alert variant="error">{error}</Alert>`
fix: Back to Login button navigates to /login?local to prevent auto-redirect Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 01:31:57 +02:00			`<Button variant="secondary" onClick={() => navigate('/login?local')} style={{ marginTop: 16 }}>`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`Back to Login`
			`</Button>`
			`</>`
			`)}`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`</div>`
feat: migrate UI to @cameleer/design-system, add backend endpoints Backend: - Add agent_events table (V5) and lifecycle event recording - Add route catalog endpoint (GET /routes/catalog) - Add route metrics endpoint (GET /routes/metrics) - Add agent events endpoint (GET /agents/events-log) - Enrich AgentInstanceResponse with tps, errorRate, activeRoutes, uptimeSeconds - Add TimescaleDB retention/compression policies (V6) Frontend: - Replace custom Mission Control UI with @cameleer/design-system components - Rebuild all pages: Dashboard, ExchangeDetail, RoutesMetrics, AgentHealth, AgentInstance, RBAC, AuditLog, OIDC, DatabaseAdmin, OpenSearchAdmin, Swagger - New LayoutShell with design system AppShell, Sidebar, TopBar, CommandPalette - Consume design system from Gitea npm registry (@cameleer/design-system@0.0.1) - Add .npmrc for scoped registry, update Dockerfile with REGISTRY_TOKEN arg CI: - Pass REGISTRY_TOKEN build-arg to UI Docker build step Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-19 17:38:39 +01:00			`</Card>`
Add OIDC login flow to UI and fix dark mode datetime picker icons - Add "Sign in with SSO" button on login page (shown when OIDC is configured) - Add /oidc/callback route to exchange authorization code for JWT tokens - Add loginWithOidcCode action to auth store - Treat issuer URI as complete discovery URL (no auto-append of .well-known) - Update admin page placeholder to show full discovery URL format - Fix datetime picker calendar icon visibility in dark mode (color-scheme) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 14:19:06 +01:00			`</div>`
			`);`
			`}`