feat: add OpenID Connect authentication support

[btouchard]

Description

This PR adds OpenID Connect (OIDC) authentication support to Kaneo, enabling enterprise Single Sign-On (SSO) integration with identity providers like Keycloak, Auth0, Okta, Google Workspace, Azure AD, and any
OIDC-compliant provider.

Related Issue(s)

N/A - New feature implementation

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test addition or update
• Other (please describe)

Changes Made

Backend (API)

• Added genericOAuth plugin to better-auth configuration in apps/api/src/auth.ts
• Implemented OIDC provider configuration with auto-discovery support
• Added custom user info mapping for OIDC claims (sub, email, name, picture)
• Updated .env.sample with OIDC environment variables
• Modified health check endpoint in Dockerfile to use /config instead of /me
• Updated compose.local.yml with OIDC configuration example

Frontend (Web)

• Added genericOAuthClient plugin to auth client in apps/web/src/lib/auth-client.ts
• Implemented OIDC sign-in button in apps/web/src/routes/auth/sign-in.tsx
• Added KANEO_ENABLED_AUTH environment variable to control visible authentication methods
• Updated vite.config.ts to support KANEO_ environment variable prefix
• Added TypeScript definitions for new environment variables

Documentation

• Created comprehensive OIDC integration documentation:
  • apps/docs/content/docs/integrations/oidc.mdx - Main integration
  • apps/docs/content/docs/integrations/oidc/setup.mdx - Detailed setup guide
  • apps/docs/content/docs/integrations/oidc/configuration.mdx - Advanced configuration
• Updated README.md with OIDC authentication section
• Updated integrations navigation in meta.json

Other

• Added .gitignore for JetBrains IDEs

How Has This Been Tested?

• Unit tests
• Integration tests
• Manual testing
• Other (please describe):

Manual Testing:

• Tested OIDC login flow with Google OIDC provider
• Verified user creation and session management
• Tested multiple authentication methods (OIDC + standalone + guest)
• Verified environment variable configuration
• Tested discovery URL auto-configuration

Screenshots (if applicable)

N/A - Authentication flow follows existing UI patterns with new OIDC button

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

Additional Notes

Environment Variables

API:

• OIDC_CLIENT_ID - OAuth2 client ID from identity provider
• OIDC_CLIENT_SECRET - OAuth2 client secret (keep secure!)
• OIDC_DISCOVERY_URL - OIDC well-known discovery endpoint
• OIDC_SCOPES - OAuth scopes (default: openid profile email)

Web:

• KANEO_ENABLED_AUTH - Comma-separated authentication methods (e.g., oidc,standalone,guest)

Security Considerations

• OIDC client secret should be stored securely (Kubernetes secrets, Docker secrets)
• HTTPS is required for production OIDC deployments
• CORS origins should be properly configured for production

Provider Support

Documented setup for:

• Keycloak
• Auth0
• Okta
• Google Workspace (Tested)
• Azure AD / Entra ID
• Generic OIDC providers (Tested with Authentik)

Breaking Changes

None - This is a purely additive feature. Existing authentication methods (email/password, GitHub, guest) continue to work unchanged.

[EricFeher]

Small change request, it would be nice if the provider name would be shown instead of OIDC

Suggestion:
Add a new environment variable called OIDC_PROVIDER
If not specified the logic should be like this: OIDC_PROVIDER ? OIDC_PROVIDER : "OIDC"

[aacevski]

Hey! Thank you so much for creating this pull request! Sorry for taking some time to respond, I've been focused on working on version 2 of Kaneo, with much improvements and is currently located on v2 branch of this project. Would it be an issue if you open the branch towards that repository? Again sorry for the troubles - if it's an issue on your end, I will take your changes and adapt it to the v2 branch and add you as an author of the commit.

[btouchard]

Hi
No, no, no worries, I can do that.
I'm going to test your v2, because your v1 is great, and I can't wait to see what you've consolidated.
I've already had feedback from my team 😁, such as being able to view the details of a task in the view (perhaps an extended view (list on the left, screen on the right) would be useful...
Okay, I'll take a look at your v2.
I'll close the PR when I open the one for v2.
Thanks for your work.
If you want to support another open source project, I created and maintain https://github.com/btouchard/ackify-ce