Implement Feishu OAuth provider using standard client:
- Set up Feishu-specific endpoints for authorization, token, and userinfo
- Use user_id as sub claim for Feishu user identification
- Extract correct user information from nested 'data' field in Feishu responses
Configuration requirements:
- Set FEISHU_CLIENT_ID and FEISHU_CLIENT_SECRET environment variables to enable Feishu OAuth
- Set ENABLE_OAUTH_SIGNUP=true to allow automatic user creation after OAuth login
- Set DEFAULT_USER_ROLE=user to grant immediate access after OAuth registration
- Set OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true to enable merging of existing user accounts with matching emails
Enables Google Workspace group-based role assignment by integrating with
Google Cloud Identity API to fetch user groups in real-time.
Key improvements:
- Fetches groups directly from Google API using cloud-identity.groups.readonly scope
- Enables admin role assignment based on Google group membership
- Maintains full backward compatibility with existing OAuth configurations
- Includes comprehensive test suite with proper async mocking
- Complete documentation with Google Cloud Console setup guide
Addresses limitation where Google Workspace doesn't include group membership
claims in OAuth JWT tokens, preventing group-based role assignment.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enables Google Workspace group-based role assignment by integrating with
Google Cloud Identity API to fetch user groups in real-time.
Key improvements:
- Fetches groups directly from Google API using cloud-identity.groups.readonly scope
- Enables admin role assignment based on Google group membership
- Maintains full backward compatibility with existing OAuth configurations
- Includes comprehensive test suite with proper async mocking
- Complete documentation with Google Cloud Console setup guide
Addresses limitation where Google Workspace doesn't include group membership
claims in OAuth JWT tokens, preventing group-based role assignment.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added OAUTH_USE_PICTURE_CLAIM to config.py
Added check to oauth.py on OAUTH_USE_PICTURE_CLAIM, to decide whether to user the profile picture in the claim or the default user.png
When the OAuth groups claim does not yield a list, `user_oauth_groups` was previously
set to None, causing a TypeError during membership checks. Changed this default to
an empty list (`[]`) to ensure the variable is always iterable, preventing errors
for non-admin users while logging in.
This fix ensures stability in the `update_user_groups` function.
Introducing two new env config options to control cookies settings regarding
authentication. These values are taken into use when setting 'token' and 'oauth_id_token'.
To maintain backwards compatibility, the original session cookie values are used as
fallback.
Separation is done to prevent issues with the session cookie. When the config value was
set as 'strict', the oauth flow was broken (since the session cookie was not provided
after the callback).
Providing a separate config for auth & session cookies allows us to keep the 'strict'
settings for auth related cookies, while also allowing the session cookie to behave as
intended (e.g., by configuring it as 'lax').
The original config was added in commit #af4f8aa. However a later commit #a2e889c reused
this config option for other type of cookies, which was not the original intent.
