Support OIDC Connect Discovery document

[kamilkisiela]

Spec: https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.2
User could provide a link to the doc, pass a client id and a secret.

Why? Not all OIDC providers follow the same convention for endpoints. Azure AD has /userinfo under a different host.

[n1ru4l]

okay so people will put it into a form on the hive settings website http://brrrrrt/.well-known/openid-configuration
we will fetch a JSON file from that and that will be used instead of the OAuth API Url that is now used by everything.

Things to touch:

• Database Schema (Store discovery document url)
• GraphQL API (store discovery document instead of oauth_api_url)
• Web APP UI
• supertokens backend config on app service

[n1ru4l]

Right now we already introduced support for more granular configuration via the UI through #835

[wethekings303]

Would this support OIDC login for any provider that uses oauth such as keycloak? Right now OIDC only supports google, okta, and github - https://the-guild.dev/graphql/hive/docs/self-hosting/oidc-login.

We currently use organization scoped SSO - https://the-guild.dev/graphql/hive/docs/management/sso-oidc-provider. This allows sso after sso integration was setup manually through the UI using the settings referenced at - #835. It would be great if from the initial deployment we could use SSO.

[n1ru4l]

@wethekings303 This issue tracks supporting OIDC Discovery documents for organizations. ANY OIDC Compliant provider can be connected to an organization (see https://the-guild.dev/graphql/hive/docs/management/sso-oidc-provider).

You are referring to a self-hosted OIDC login.

Regarding

It would be great if from the initial deployment we could use SSO.

This will be covered via the admin API #2994