Support linkOAuth settings action #5731

ref DEV-3595

Author: tung2744

.make-lint-translation-keys-expect

@@ -29,8 +29,8 @@ resources/authgear/templates/en/web/authflowv2/layout.html:5:14: template transl
 resources/authgear/templates/en/web/authflowv2/login.html:256:37: translation key not defined: "%s-icon"
 resources/authgear/templates/en/web/authflowv2/preview_widget.html:127:39: translation key not defined: "%s-icon"
 resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html:58:44: translation key not defined: "v2.page.settings-identity-list-email.default.provider.%s"
-resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:57:32: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
-resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:106:35: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:77:32: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:128:35: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
 resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html:58:44: translation key not defined: "v2.page.settings-identity-list-phone.default.provider.%s"
 resources/authgear/templates/en/web/authflowv2/settings_layout.html:3:14: template translation is forbidden: `widget`
 resources/authgear/templates/en/web/authflowv2/settings_mfa.html:69:44: translation key not defined: "/settings/mfa/create_oob_otp_%s"

.vettedpositions

@@ -58,10 +58,10 @@
 /pkg/auth/handler/webapp/app_static_assets.go:39:33: requestcontext
 /pkg/auth/handler/webapp/auth_entry_point_middleware.go:35:10: requestcontext
 /pkg/auth/handler/webapp/authflow_change_password.go:96:26: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1062:30: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1067:24: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1075:19: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1083:18: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1070:30: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1075:24: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1083:19: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1091:18: requestcontext
 /pkg/auth/handler/webapp/authflow_create_password.go:132:26: requestcontext
 /pkg/auth/handler/webapp/authflow_enter_oob_otp.go:156:26: requestcontext
 /pkg/auth/handler/webapp/authflow_enter_password.go:139:26: requestcontext
@@ -128,7 +128,7 @@
 /pkg/auth/handler/webapp/authflowv2/settings_identity_edit_phone.go:134:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_edit_username.go:121:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_list_email.go:153:30: requestcontext
-/pkg/auth/handler/webapp/authflowv2/settings_identity_list_oauth.go:148:30: requestcontext
+/pkg/auth/handler/webapp/authflowv2/settings_identity_list_oauth.go:242:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_list_phone.go:158:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_list_username.go:87:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_new_username.go:74:30: requestcontext
@@ -239,11 +239,11 @@
 /pkg/auth/handler/webapp/setup_whatsapp_otp.go:62:27: requestcontext
 /pkg/auth/handler/webapp/signup.go:90:27: requestcontext
 /pkg/auth/handler/webapp/signup.go:101:28: requestcontext
-/pkg/auth/handler/webapp/sso_callback.go:41:53: requestcontext
-/pkg/auth/handler/webapp/sso_callback.go:47:26: requestcontext
-/pkg/auth/handler/webapp/sso_callback.go:55:58: requestcontext
-/pkg/auth/handler/webapp/sso_callback.go:60:44: requestcontext
-/pkg/auth/handler/webapp/sso_callback.go:71:44: requestcontext
+/pkg/auth/handler/webapp/sso_callback.go:42:53: requestcontext
+/pkg/auth/handler/webapp/sso_callback.go:48:26: requestcontext
+/pkg/auth/handler/webapp/sso_callback.go:65:58: requestcontext
+/pkg/auth/handler/webapp/sso_callback.go:77:44: requestcontext
+/pkg/auth/handler/webapp/sso_callback.go:92:44: requestcontext
 /pkg/auth/handler/webapp/tester.go:279:27: requestcontext
 /pkg/auth/handler/webapp/turbo_response_writer.go:29:25: requestcontext
 /pkg/auth/handler/webapp/turbo_response_writer.go:34:29: requestcontext

docs/plans/settings-action/connect-oauth-sdk-js-web.md

@@ -0,0 +1,145 @@
+# Settings Action: Connect OAuth — JS Web SDK Implementation Plan
+
+> Source repo: `authgear-sdk-js`. Companion plan: `connect-oauth-server.md`.
+> Platform: **authgear-web**.
+
+## Goal
+
+Expose `startLinkOAuth(options)` / `finishLinkOAuth()` on the public `WebContainer`, mirroring the pattern of every other settings-action pair (e.g. `startAddEmail` / `finishAddEmail`).
+
+## Public API (target)
+
+`oauthProviderAlias` is **required**. The server rejects requests without it.
+
+```ts
+// Start — redirects the browser to Authgear, which redirects to the OAuth provider
+await authgear.startLinkOAuth({
+  redirectURI: "https://myapp.com/oauth-callback",
+  oauthProviderAlias: "google",   // required
+});
+
+// Finish — called on the redirectURI page after the round-trip
+await authgear.finishLinkOAuth();
+```
+
+---
+
+## File-by-file changes
+
+### 1. `packages/authgear-core/src/types.ts`
+
+**1a. Extend the `SettingsAction` enum.** Add a new member after `ChangeUsername` (the current last entry):
+
+```ts
+/**
+ * Connect an OAuth provider in Authgear settings page.
+ */
+LinkOAuth = "link_oauth",
+```
+
+**1b. Extend the `xSettingsAction` union in `_OIDCAuthenticationRequest`.** Append `"link_oauth"`:
+
+```ts
+xSettingsAction?:
+  | "change_password"
+  | "delete_account"
+  | "add_email"
+  | "add_phone"
+  | "add_username"
+  | "change_email"
+  | "change_phone"
+  | "change_username"
+  | "link_oauth";
+```
+
+`oauthProviderAlias?: string` is **already** on `_OIDCAuthenticationRequest` — no new field needed. `startSettingsAction` spreads `...options` into `authorizeEndpoint`, so adding `oauthProviderAlias` to `_InternalSettingsActionOptions` (step 2) is sufficient to forward it.
+
+---
+
+### 2. `packages/authgear-web/src/types.ts`
+
+**2a. Add `LinkOAuthOptions`.** Place after `ChangeUsernameOptions`:
+
+```ts
+/**
+ * Options for connecting an OAuth provider via settings action.
+ * @public
+ */
+export interface LinkOAuthOptions extends SettingsActionOptions {
+  /**
+   * The alias of the OAuth provider to link,
+   * as configured in Authgear Portal under Social / Enterprise Login.
+   * This field is required.
+   */
+  oauthProviderAlias: string;
+}
+```
+
+**2b. Add `oauthProviderAlias?` to `_InternalSettingsActionOptions`:**
+
+```ts
+export interface _InternalSettingsActionOptions extends SettingsActionOptions {
+  qLoginID?: string;
+  oauthProviderAlias?: string;
+}
+```
+
+---
+
+### 3. `packages/authgear-web/src/container.ts`
+
+No change to `startSettingsAction` — it already spreads `...options` into `authorizeEndpoint`, so `oauthProviderAlias` flows through automatically once it is on `_InternalSettingsActionOptions`.
+
+**3a. Add `startLinkOAuth`.** Place after `startChangeUsername`:
+
+```ts
+/**
+ * Start settings action "link_oauth" by redirecting to the authorization endpoint.
+ * @public
+ */
+async startLinkOAuth(options: LinkOAuthOptions): Promise<void> {
+  await this.startSettingsAction(SettingsAction.LinkOAuth, options);
+}
+```
+
+**3b. Add `finishLinkOAuth`.** Place after `finishChangeUsername`:
+
+```ts
+/**
+ * Finish settings action "link_oauth".
+ * @public
+ */
+async finishLinkOAuth(): Promise<void> {
+  return this.finishSettingsAction();
+}
+```
+
+`finishSettingsAction` delegates to `this.baseContainer._finishSettingsAction(window.location.href)`, identical to all other finish methods except `finishDeleteAccount`.
+
+---
+
+### 4. Public exports
+
+Add `LinkOAuthOptions` to `packages/authgear-web/src/index.ts` if types are explicitly re-exported there. `WebContainer` is already re-exported so the new methods come along automatically.
+
+---
+
+## Verification
+
+- **Type-check:** `npx tsc --noEmit` in `packages/authgear-core` and `packages/authgear-web`.
+- **Build:** `npm run build` in `packages/authgear-web`.
+- **API Extractor:** new `startLinkOAuth`, `finishLinkOAuth`, and `LinkOAuthOptions` should appear in the public API report.
+- **Manual:** complete the round trip against a local `authgear-server` with the server-side changes applied.
+
+---
+
+## Checklist
+
+- [ ] `SettingsAction.LinkOAuth` in `authgear-core/src/types.ts`
+- [ ] `"link_oauth"` in the `xSettingsAction` union
+- [ ] `LinkOAuthOptions` in `authgear-web/src/types.ts`
+- [ ] `oauthProviderAlias?` on `_InternalSettingsActionOptions`
+- [ ] `startLinkOAuth` / `finishLinkOAuth` on `WebContainer`
+- [ ] `LinkOAuthOptions` exported from the package entry point
+- [ ] TypeScript build / typecheck pass
+- [ ] API Extractor report regenerated and reviewed