feat(dashboard): OIDC auth #10

Merged
rcsheets merged 6 commits from feat/dashboard-oidc into main 2026-03-21 04:55:42 +00:00
Owner

require OIDC login for the dashboard

require OIDC login for the dashboard
When OIDC is configured (OIDC_ISSUER_URL, OIDC_CLIENT_ID, etc.), the
dashboard requires login and checks Keycloak group membership.
Unauthorized users see a styled access denied page served by the app.

When OIDC is not configured, the dashboard remains open (backwards
compatible). This allows the same image to work with or without auth.

Adds authlib and itsdangerous dependencies for OIDC and session handling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dashboard returns 503 with "Authentication is not configured" when
OIDC env vars are missing, instead of allowing anonymous access.
This is critical since the dashboard will be internet-facing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When an unauthenticated or unauthorized visitor hits the dashboard,
the app generates a coy one-liner about the data behind the login
and caches it for the pod lifetime. Uses the Anthropic API, which
doubles as a startup connectivity check for the LLM service.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deliberately raises a RuntimeError when hit. Useful for verifying
error pages and monitoring.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows "All we know is it didn't work." to the user while logging the
full exception server-side.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pure CSS typing effect renders ¯\_(ツ)_/¯ character by character
with a blinking cursor on the 500 error page. No JavaScript.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
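The first two commits above describe a gate with three outcomes: 503 when the OIDC variables are missing, a login redirect for anonymous visitors, and a Keycloak group check for everyone else. The decision logic below is an added example, not code from this PR; it assumes an OIDC_CLIENT_SECRET variable alongside the two named in the commit, a `groups` claim produced by Keycloak's group membership mapper, and a `dashboard-users` group name, none of which the PR states.

```python
from dataclasses import dataclass

# Settings the gate requires; the PR names the first two, the secret is an
# assumed addition (a confidential OIDC client needs one).
REQUIRED_VARS = ("OIDC_ISSUER_URL", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET")


@dataclass(frozen=True)
class Decision:
    status: int   # HTTP status the dashboard should answer with
    reason: str


def oidc_configured(env):
    """True only when every required setting is present and non-empty.
    An empty string counts as missing, so a half-filled deployment fails closed."""
    return all(env.get(name) for name in REQUIRED_VARS)


def _as_path(group):
    # Keycloak's group mapper emits plain names ("admins") or full paths
    # ("/admins", "/org/admins") depending on the mapper setting. Normalise
    # both to a path so the comparison is exact: "/org/admins" must NOT
    # satisfy a requirement for "admins".
    return group if group.startswith("/") else "/" + group


def in_group(claims, required_group):
    """Exact match of the session's groups claim against the required group."""
    groups = claims.get("groups") or []
    if isinstance(groups, str):        # some mappers emit a single string
        groups = [groups]
    wanted = _as_path(required_group)
    return any(_as_path(g) == wanted for g in groups if isinstance(g, str))


def gate(env, session_claims, required_group="dashboard-users"):
    """Decide what the dashboard answers for one request.
    env: the process environment (os.environ, or a dict in tests)
    session_claims: verified ID-token claims from the signed session, or None"""
    if not oidc_configured(env):
        return Decision(503, "Authentication is not configured")
    if session_claims is None:
        return Decision(302, "redirect to /login")
    if not in_group(session_claims, required_group):
        return Decision(403, "access denied")
    return Decision(200, "ok")
```

Whatever the framework wraps this in, the order matters: the configuration check runs before any session lookup, so a pod that boots without its OIDC settings never serves data to anyone.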
Collaborator

Automated review by pr-reviewer (https://git.brooktrails.org/brooktrails/pr-reviewer) v0.11.0 | Safety Check | anthropic | tracking id r-be247a-3f7897

Status: Completed

Verdict: LGTM — This appears to be a clean implementation of OIDC authentication for a dashboard with proper error handling and no obvious security issues.

Safety Check Summary

This PR adds OIDC authentication to the dashboard. I reviewed for security vulnerabilities, bugs, and accidentally committed sensitive data.

No issues found:

  • OIDC implementation looks secure with proper session handling
  • Configuration values are properly pulled from environment settings (not hardcoded secrets)
  • Authentication flow follows standard patterns with proper redirects
  • Access control checks group membership appropriately
  • Error handling includes proper exception logging
  • No hardcoded credentials or sensitive data in the diff
  • Dependencies (authlib 1.5.2, itsdangerous 2.2.0) are reasonable versions
  • HTML escaping is properly applied to user-controlled data

The implementation follows security best practices for OIDC integration.

rcsheets deleted branch feat/dashboard-oidc 2026-03-21 04:55:42 +00:00