Add OIDC/SSO authentication support (fixes #512) (#1678)

* Add OIDC/SSO authentication support

Implements OpenID Connect (OIDC) Single Sign-On authentication
to address issue #512.

Features:
- OIDC authentication via ASP.NET Core middleware
- Support for multiple IdPs (Entra ID, Okta, Auth0, etc.)
- Automatic user provisioning with configurable group mappings
- HttpOnly cookie-based session management
- Rate limiting for provisioning attempts
- Comprehensive environment variable configuration
- Docker secrets support for sensitive values
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Backward compatible with existing local authentication

Security:
- JWT signature validation via OIDC discovery
- Cryptographically secure cookie secrets (32-byte)
- SameSite=Lax cookie protection
- No secrets in frontend bundles
- Proper error handling without information leakage

Documentation:
- Added SSO configuration to DockerEnvironmentVariables.md
- Includes examples for major IdP providers
- Environment variable reference with _FILE variants

Closes #512

* Fix HttpOnly cookie logout and token handling

* Add OIDC/SSO authentication with full backward compatibility

Addresses feedback from PR review:

- Restored MapGetAndPost for all endpoints to support existing GET integrations
- Login API now returns tokens by default, preserving compatibility for generic clients
- Added cookie_auth opt-in parameter for Web GUI to use secure HttpOnly cookies
- Added #region SSO markers to isolate SSO-related code
- Enhanced OIDC claim extraction with fallbacks for Azure AD/Entra ID
- SSO users blocked from standard login form (must use OIDC flow)
- Reduced HSTS lifetime from 1 year to 24 hours (homelab-friendly)
- Added security warnings for client secret storage (code, docs, UI)
- Added environment vars to configure rate limiting for SSO

This commit ensures the SSO implementation adds new functionality
without modifying existing API behavior.

---------

Co-authored-by: Xadmin <xadmin@dontfail.us>

Author: zstinnett

DnsServerCore/Auth/AuthManager.cs

@@ -840,6 +840,9 @@ public async Task<UserSession> CreateSessionAsync(UserSessionType type, string t
         {
             User user = await AuthenticateUserAsync(username, password, totp, remoteAddress);
 
+            if (user.IsSsoUser && (type == UserSessionType.Standard))
+                throw new DnsWebServiceException("SSO users must login via SSO provider.");
+
             UserSession session = new UserSession(type, tokenName, user, remoteAddress, userAgent);
 
             if (!_sessions.TryAdd(session.Token, session))
@@ -869,6 +872,21 @@ public UserSession CreateApiToken(string tokenName, string username, IPAddress r
             return session;
         }
 
+        public UserSession CreateSsoSession(User user, IPAddress remoteAddress, string userAgent)
+        {
+            if (user.Disabled)
+                throw new DnsWebServiceException("Account is suspended.");
+
+            UserSession session = new UserSession(UserSessionType.Standard, null, user, remoteAddress, userAgent);
+
+            if (!_sessions.TryAdd(session.Token, session))
+                throw new DnsWebServiceException("Error while creating session. Please try again.");
+
+            user.LoggedInFrom(remoteAddress);
+
+            return session;
+        }
+
         public UserSession DeleteSession(string token)
         {
             if (_sessions.TryRemove(token, out UserSession session))

DnsServerCore/Auth/User.cs

@@ -52,6 +52,7 @@ class User : IComparable<User>
         AuthenticatorKeyUri _totpKeyUri;
         bool _totpEnabled;
         bool _disabled;
+        bool _isSsoUser; // New field for SSO tracking
         int _sessionTimeoutSeconds = 30 * 60; //default 30 mins
 
         DateTime _previousSessionLoggedOn;
@@ -85,6 +86,7 @@ public User(BinaryReader bR, IReadOnlyDictionary<string, Group> groups)
             {
                 case 1:
                 case 2:
+                case 3: // Version 3 adds IsSsoUser
                     _displayName = bR.ReadShortString();
                     _username = bR.ReadShortString();
                     _passwordHashType = (UserPasswordHashType)bR.ReadByte();
@@ -102,6 +104,12 @@ public User(BinaryReader bR, IReadOnlyDictionary<string, Group> groups)
                     }
 
                     _disabled = bR.ReadBoolean();
+
+                    if (version >= 3)
+                    {
+                        _isSsoUser = bR.ReadBoolean();
+                    }
+
                     _sessionTimeoutSeconds = bR.ReadInt32();
 
                     _previousSessionLoggedOn = bR.ReadDateTime();
@@ -259,7 +267,7 @@ public bool IsMemberOfGroup(Group group)
 
         public void WriteTo(BinaryWriter bW)
         {
-            bW.Write((byte)2);
+            bW.Write((byte)3); // Bump version to 3
             bW.WriteShortString(_displayName);
             bW.WriteShortString(_username);
             bW.Write((byte)_passwordHashType);
@@ -274,6 +282,7 @@ public void WriteTo(BinaryWriter bW)
 
             bW.Write(_totpEnabled);
             bW.Write(_disabled);
+            bW.Write(_isSsoUser); // Write IsSsoUser
             bW.Write(_sessionTimeoutSeconds);
 
             bW.Write(_previousSessionLoggedOn);
@@ -417,6 +426,12 @@ public IPAddress RecentSessionRemoteAddress
         public ICollection<Group> MemberOfGroups
         { get { return _memberOfGroups.Values; } }
 
+        public bool IsSsoUser
+        {
+            get { return _isSsoUser; }
+            set { _isSsoUser = value; }
+        }
+
         #endregion
     }
 }

DnsServerCore/DnsServerCore.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
@@ -46,6 +46,7 @@
 	<ItemGroup>
 		<PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
 		<PackageReference Include="QRCoder" Version="1.7.0" />
+		<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.*" />
 	</ItemGroup>
 
 	<ItemGroup>