Description
Feature Description
Implement a generic, pluggable Single Sign-On (SSO) framework to allow integration with multiple identity providers. The first implementation should support Microsoft Entra ID (Azure AD), but the design must allow for other providers (like Okta, Auth0, Google, etc.) to be easily added in the future. The solution should include both backend (Scala/ZIO) and frontend (Angular) components.
Problem / Opportunity
StatusBoard currently uses API key-based authentication, which is not sufficient for modern enterprise environments where SSO is required. There is a need for a secure, standards-based authentication mechanism that supports federation, user profiles, and seamless integration with corporate identity solutions. The primary beneficiaries will be enterprise integrators, platform admins, and end users who need a better user experience and enhanced security.
Acceptance Criteria
- Users can log in to StatusBoard via Microsoft Entra ID SSO
- SSO provider is selected via configuration, and new providers can be plugged in by implementing the required trait
- Backend validates JWT tokens and identifies users generically
- API key authentication remains available for legacy/service-to-service integrations
- Angular frontend integrates with the chosen SSO via standard libraries (e.g., MSAL for Entra)
- Documentation and sample configuration for enabling/disabling providers and adding new ones
- Unit tests and code samples for extending the generic framework
Proposed Solution
- Abstract SSO provider interface (trait) in backend to enable multiple providers
- Implement OIDC/OAuth2 flow for providers, starting with MS Entra ID using its OIDC endpoints and JWT configuration
- Add configuration support for provider selection, with the ability to specify provider-specific parameters (e.g., clientId, tenant, JWKS URL)
- Retain API key pathway for non-user/service integrations
- On the frontend, use the provider SDK (MSAL for Entra) to manage user authentication and session state, and inject the resulting tokens into HTTP requests to the backend
- Provide detailed examples and docs for further provider integrations
- Perform security review and include test cases
Dependencies / Related
N/A
Additional Context
This implementation ensures StatusBoard stays relevant for enterprises, enhances security, and reduces friction for end users and identity administrators. The approach also benefits open source adopters who may wish to use other providers instead of MS Entra ID.