feat: sso implementation

backend/api/src/main/kotlin/io/tolgee/configuration/PublicConfigurationDTO.kt

@@ -28,6 +28,9 @@ class PublicConfigurationDTO(
   val maxTranslationTextLength: Long = properties.maxTranslationTextLength
   val recaptchaSiteKey = properties.recaptcha.siteKey
   val chatwootToken = properties.chatwootToken
+  val nativeEnabled = properties.authentication.nativeEnabled
+  val customLoginLogo = properties.authentication.sso.customLogoUrl
+  val customLoginText = properties.authentication.sso.customButtonText
   val capterraTracker = properties.capterraTracker
   val ga4Tag = properties.ga4Tag
   val postHogApiKey: String? = properties.postHog.apiKey
@@ -49,7 +52,9 @@ class PublicConfigurationDTO(
     val oauth2: OAuthPublicExtendsConfigDTO,
   )
 
-  data class OAuthPublicConfigDTO(val clientId: String?) {
+  data class OAuthPublicConfigDTO(
+    val clientId: String?,
+  ) {
     val enabled: Boolean = clientId != null && clientId.isNotEmpty()
   }
 

backend/api/src/main/kotlin/io/tolgee/hateoas/ee/SsoTenantModel.kt

@@ -0,0 +1,18 @@
+package io.tolgee.hateoas.ee
+
+import org.springframework.hateoas.RepresentationModel
+import org.springframework.hateoas.server.core.Relation
+import java.io.Serializable
+
+@Suppress("unused")
+@Relation(collectionRelation = "ssoTenants", itemRelation = "ssoTenant")
+class SsoTenantModel(
+  val authorizationUri: String,
+  val clientId: String,
+  val clientSecret: String,
+  val tokenUri: String,
+  val isEnabled: Boolean,
+  val jwkSetUri: String,
+  val domainName: String,
+) : RepresentationModel<SsoTenantModel>(),
+  Serializable

backend/api/src/main/kotlin/io/tolgee/security/thirdParty/GithubOAuthDelegate.kt

@@ -5,6 +5,7 @@ import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
 import io.tolgee.model.UserAccount
+import io.tolgee.model.enums.ThirdPartyAuthType
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
 import io.tolgee.service.security.SignUpService
@@ -57,12 +58,13 @@ class GithubOAuthDelegate(
 
       // get github user emails
       val emails =
-        restTemplate.exchange(
-          githubConfigurationProperties.userUrl + "/emails",
-          HttpMethod.GET,
-          entity,
-          Array<GithubEmailResponse>::class.java,
-        ).body
+        restTemplate
+          .exchange(
+            githubConfigurationProperties.userUrl + "/emails",
+            HttpMethod.GET,
+            entity,
+            Array<GithubEmailResponse>::class.java,
+          ).body
           ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
 
       val verifiedEmails = Arrays.stream(emails).filter { it.verified }.collect(Collectors.toList())
@@ -74,7 +76,7 @@ class GithubOAuthDelegate(
         )?.email
           ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
 
-      val userAccountOptional = userAccountService.findByThirdParty("github", userResponse!!.id!!)
+      val userAccountOptional = userAccountService.findByThirdParty(ThirdPartyAuthType.GITHUB, userResponse!!.id!!)
       val user =
         userAccountOptional.orElseGet {
           userAccountService.findActive(githubEmail)?.let {
@@ -85,7 +87,7 @@ class GithubOAuthDelegate(
           newUserAccount.username = githubEmail
           newUserAccount.name = userResponse.name ?: userResponse.login
           newUserAccount.thirdPartyAuthId = userResponse.id
-          newUserAccount.thirdPartyAuthType = "github"
+          newUserAccount.thirdPartyAuthType = ThirdPartyAuthType.GITHUB
           newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
 
           signUpService.signUp(newUserAccount, invitationCode, null)

backend/api/src/main/kotlin/io/tolgee/security/thirdParty/GoogleOAuthDelegate.kt

@@ -5,6 +5,7 @@ import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
 import io.tolgee.model.UserAccount
+import io.tolgee.model.enums.ThirdPartyAuthType
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
 import io.tolgee.service.security.SignUpService
@@ -76,7 +77,7 @@ class GoogleOAuthDelegate(
 
         val googleEmail = userResponse.email ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
 
-        val userAccountOptional = userAccountService.findByThirdParty("google", userResponse!!.sub!!)
+        val userAccountOptional = userAccountService.findByThirdParty(ThirdPartyAuthType.GOOGLE, userResponse!!.sub!!)
         val user =
           userAccountOptional.orElseGet {
             userAccountService.findActive(googleEmail)?.let {
@@ -88,7 +89,7 @@ class GoogleOAuthDelegate(
               ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
             newUserAccount.name = userResponse.name ?: (userResponse.given_name + " " + userResponse.family_name)
             newUserAccount.thirdPartyAuthId = userResponse.sub
-            newUserAccount.thirdPartyAuthType = "google"
+            newUserAccount.thirdPartyAuthType = ThirdPartyAuthType.GOOGLE
             newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
             signUpService.signUp(newUserAccount, invitationCode, null)
 

backend/api/src/main/kotlin/io/tolgee/security/thirdParty/OAuth2Delegate.kt

@@ -4,17 +4,14 @@ import io.tolgee.configuration.tolgee.OAuth2AuthenticationProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
-import io.tolgee.model.UserAccount
+import io.tolgee.model.enums.ThirdPartyAuthType
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
+import io.tolgee.security.thirdParty.data.OAuthUserDetails
 import io.tolgee.service.security.SignUpService
 import io.tolgee.service.security.UserAccountService
 import org.slf4j.LoggerFactory
-import org.springframework.http.HttpEntity
-import org.springframework.http.HttpHeaders
-import org.springframework.http.HttpMethod
-import org.springframework.http.HttpStatus
-import org.springframework.http.MediaType
+import org.springframework.http.*
 import org.springframework.stereotype.Component
 import org.springframework.util.LinkedMultiValueMap
 import org.springframework.util.MultiValueMap
@@ -28,6 +25,7 @@ class OAuth2Delegate(
   private val restTemplate: RestTemplate,
   properties: TolgeeProperties,
   private val signUpService: SignUpService,
+  private val oAuthUserHandler: OAuthUserHandler,
 ) {
   private val oauth2ConfigurationProperties: OAuth2AuthenticationProperties = properties.authentication.oauth2
   private val logger = LoggerFactory.getLogger(this::class.java)
@@ -90,33 +88,18 @@ class OAuth2Delegate(
             logger.info("Third party user email is null. Missing scope email?")
             throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
           }
+        val userData =
+          OAuthUserDetails(
+            sub = userResponse.sub!!,
+            name = userResponse.name,
+            givenName = userResponse.given_name,
+            familyName = userResponse.family_name,
+            email = email,
+            domain = null,
+            organizationId = null,
+          )
+        val user = oAuthUserHandler.findOrCreateUser(userData, invitationCode, ThirdPartyAuthType.OAUTH2)
 
-        val userAccountOptional = userAccountService.findByThirdParty("oauth2", userResponse.sub!!)
-        val user =
-          userAccountOptional.orElseGet {
-            userAccountService.findActive(email)?.let {
-              throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
-            }
-
-            val newUserAccount = UserAccount()
-            newUserAccount.username =
-              userResponse.email ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
-
-            // build name for userAccount based on available fields by third party
-            var name = userResponse.email!!.split("@")[0]
-            if (userResponse.name != null) {
-              name = userResponse.name!!
-            } else if (userResponse.given_name != null && userResponse.family_name != null) {
-              name = "${userResponse.given_name} ${userResponse.family_name}"
-            }
-            newUserAccount.name = name
-            newUserAccount.thirdPartyAuthId = userResponse.sub
-            newUserAccount.thirdPartyAuthType = "oauth2"
-            newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
-            signUpService.signUp(newUserAccount, invitationCode, null)
-
-            newUserAccount
-          }
         val jwt = jwtService.emitToken(user.id)
         return JwtAuthenticationResponse(jwt)
       }

backend/api/src/main/kotlin/io/tolgee/security/thirdParty/OAuthUserHandler.kt

@@ -0,0 +1,117 @@
+package io.tolgee.security.thirdParty
+
+import io.tolgee.component.cacheWithExpiration.CacheWithExpirationManager
+import io.tolgee.constants.Caches
+import io.tolgee.constants.Message
+import io.tolgee.exceptions.AuthenticationException
+import io.tolgee.model.UserAccount
+import io.tolgee.model.enums.OrganizationRoleType
+import io.tolgee.model.enums.ThirdPartyAuthType
+import io.tolgee.security.thirdParty.data.OAuthUserDetails
+import io.tolgee.service.SsoConfigService
+import io.tolgee.service.organization.OrganizationRoleService
+import io.tolgee.service.security.SignUpService
+import io.tolgee.service.security.UserAccountService
+import org.springframework.stereotype.Component
+
+@Component
+class OAuthUserHandler(
+  private val signUpService: SignUpService,
+  private val organizationRoleService: OrganizationRoleService,
+  private val userAccountService: UserAccountService,
+  private val ssoConfService: SsoConfigService,
+  private val cacheWithExpirationManager: CacheWithExpirationManager,
+) {
+  fun findOrCreateUser(
+    userResponse: OAuthUserDetails,
+    invitationCode: String?,
+    thirdPartyAuthType: ThirdPartyAuthType,
+  ): UserAccount {
+    val userAccountOptional =
+      if (thirdPartyAuthType == ThirdPartyAuthType.SSO && userResponse.domain != null) {
+        userAccountService.findByDomainSso(userResponse.domain, userResponse.sub!!)
+      } else {
+        userAccountService.findByThirdParty(thirdPartyAuthType, userResponse.sub!!)
+      }
+
+    if (userAccountOptional.isPresent && thirdPartyAuthType == ThirdPartyAuthType.SSO) {
+      updateRefreshToken(userAccountOptional.get(), userResponse.refreshToken)
+      cacheSsoUser(userAccountOptional.get().id, thirdPartyAuthType)
+    }
+
+    return userAccountOptional.orElseGet {
+      userAccountService.findActive(userResponse.email)?.let {
+        throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
+      }
+
+      val newUserAccount = UserAccount()
+      newUserAccount.username = userResponse.email
+
+      val name =
+        userResponse.name ?: run {
+          if (userResponse.givenName != null && userResponse.familyName != null) {
+            "${userResponse.givenName} ${userResponse.familyName}"
+          } else {
+            userResponse.email.split("@")[0]
+          }
+        }
+      newUserAccount.name = name
+      newUserAccount.thirdPartyAuthId = userResponse.sub
+      if (userResponse.domain != null) {
+        newUserAccount.ssoConfig = ssoConfService.save(newUserAccount, userResponse.domain!!)
+      }
+      newUserAccount.thirdPartyAuthType = thirdPartyAuthType
+      newUserAccount.ssoRefreshToken = userResponse.refreshToken
+      newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
+
+      signUpService.signUp(newUserAccount, invitationCode, null)
+
+      // grant role to user only if request is not from oauth2 delegate
+      if (userResponse.organizationId != null &&
+        thirdPartyAuthType != ThirdPartyAuthType.OAUTH2 &&
+        invitationCode == null
+      ) {
+        organizationRoleService.grantRoleToUser(
+          newUserAccount,
+          userResponse.organizationId,
+          OrganizationRoleType.MEMBER,
+        )
+      }
+
+      cacheSsoUser(newUserAccount.id, thirdPartyAuthType)
+
+      newUserAccount
+    }
+  }
+
+  fun updateRefreshToken(
+    userAccount: UserAccount,
+    refreshToken: String?,
+  ) {
+    if (userAccount.ssoRefreshToken != refreshToken) {
+      userAccount.ssoRefreshToken = refreshToken
+      userAccountService.save(userAccount)
+    }
+  }
+
+  fun updateRefreshToken(
+    userAccountId: Long,
+    refreshToken: String?,
+  ) {
+    val userAccount = userAccountService.get(userAccountId)
+
+    if (userAccount.ssoRefreshToken != refreshToken) {
+      userAccount.ssoRefreshToken = refreshToken
+      userAccountService.save(userAccount)
+    }
+  }
+
+  private fun cacheSsoUser(
+    userId: Long,
+    thirdPartyAuthType: ThirdPartyAuthType,
+  ) {
+    if (thirdPartyAuthType == ThirdPartyAuthType.SSO) {
+      cacheWithExpirationManager.putCache(Caches.IS_SSO_USER_VALID, userId, true)
+    }
+  }
+}

backend/api/src/main/kotlin/io/tolgee/security/thirdParty/data/OAuthUserDetails.kt

@@ -0,0 +1,12 @@
+package io.tolgee.security.thirdParty.data
+
+data class OAuthUserDetails(
+  var sub: String? = null,
+  var name: String? = null,
+  var givenName: String? = null,
+  var familyName: String? = null,
+  var email: String = "",
+  val domain: String? = null,
+  val organizationId: Long? = null,
+  val refreshToken: String? = null,
+)

backend/app/build.gradle

@@ -77,6 +77,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-mail'
     implementation 'org.springframework.boot:spring-boot-starter-cache'
     implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation("org.springframework.security:spring-security-oauth2-client")
     implementation "org.springframework.boot:spring-boot-starter-validation"
     implementation "org.springframework.boot:spring-boot-starter-hateoas"
     implementation "org.springframework.boot:spring-boot-configuration-processor"

backend/app/src/main/kotlin/io/tolgee/configuration/WebSecurityConfig.kt

@@ -103,23 +103,24 @@ class WebSecurityConfig(
   @Bean
   @Order(10)
   @ConditionalOnProperty(value = ["tolgee.internal.controller-enabled"], havingValue = "false", matchIfMissing = true)
-  fun internalSecurityFilterChain(httpSecurity: HttpSecurity): SecurityFilterChain {
-    return httpSecurity
+  fun internalSecurityFilterChain(httpSecurity: HttpSecurity): SecurityFilterChain =
+    httpSecurity
       .securityMatcher("/internal/**")
       .authorizeRequests()
       .anyRequest()
       .denyAll()
       .and()
       .build()
-  }
 
   override fun addInterceptors(registry: InterceptorRegistry) {
     registry.addInterceptor(rateLimitInterceptor)
     registry.addInterceptor(authenticationInterceptor)
 
-    registry.addInterceptor(organizationAuthorizationInterceptor)
+    registry
+      .addInterceptor(organizationAuthorizationInterceptor)
       .addPathPatterns("/v2/organizations/**")
-    registry.addInterceptor(projectAuthorizationInterceptor)
+    registry
+      .addInterceptor(projectAuthorizationInterceptor)
       .addPathPatterns("/v2/projects/**", "/api/project/**", "/api/repository/**")
   }