From 346e26867f07b9aa61ba9f6364987ed85827ee0e Mon Sep 17 00:00:00 2001 From: Parth <108089718+parthy007@users.noreply.github.com> Date: Fri, 31 Oct 2025 15:29:20 +0530 Subject: [PATCH] Feat: OIDC PKCE flow (#14407) * feat: Add client config interface * chore: update submodule hashes * refactor: Fix interface name chore: submodule hashes * chore: Add data migration for adding grant-type * fix: Change height & fontSize of dropdown * chore: update submodule hash * chore: update submodule hash * resolve conflicts * chore: update version to 3.20.29-lts across all components --------- Co-authored-by: gsmithun4 --- .version | 2 +- frontend/.version | 2 +- frontend/ee | 2 +- frontend/src/_ui/Select/styles.js | 2 + server/.version | 2 +- ...761556597329-AddGrantTypeKeyInSSOConfig.ts | 96 +++++++++++++++++++ server/ee | 2 +- server/src/modules/auth/types/index.ts | 7 ++ 8 files changed, 110 insertions(+), 5 deletions(-) create mode 100644 server/data-migrations/1761556597329-AddGrantTypeKeyInSSOConfig.ts diff --git a/.version b/.version index c3f7ac12c1..e1b4165710 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -3.20.28-lts +3.20.29-lts diff --git a/frontend/.version b/frontend/.version index c3f7ac12c1..e1b4165710 100644 --- a/frontend/.version +++ b/frontend/.version @@ -1 +1 @@ -3.20.28-lts +3.20.29-lts diff --git a/frontend/ee b/frontend/ee index 5665f90bec..7cfcb38fc1 160000 --- a/frontend/ee +++ b/frontend/ee @@ -1 +1 @@ -Subproject commit 5665f90bec58cca14138945852835db8e0bde9cd +Subproject commit 7cfcb38fc16571927e5a1445c87b7ed59e83c8e2 diff --git a/frontend/src/_ui/Select/styles.js b/frontend/src/_ui/Select/styles.js index 899e3a58f1..d9d444f82a 100644 --- a/frontend/src/_ui/Select/styles.js +++ b/frontend/src/_ui/Select/styles.js 
@@ -61,6 +61,7 @@ export default function styles(darkMode, width = 224, height = 32, styles = {},
 padding: '10px 12px', // adjust padding to vertically center the text
 display: 'flex',
 alignItems: 'center',
+ fontSize: styles.fontSize ?? '12px',
 }),
 placeholder: (provided) => ({
 ...provided,
@@ -69,6 +70,7 @@ export default function styles(darkMode, width = 224, height = 32, styles = {},
 singleValue: (provided) => ({
 ...provided,
 color: darkMode ? '#fff' : '#232e3c',
+ fontSize: styles.fontSize ?? '12px',
 }),
 menuPortal: (provided) => ({ ...provided, zIndex: 2000 }),
 };
diff --git a/server/.version b/server/.version
index c3f7ac12c1..e1b4165710 100644
--- a/server/.version
+++ b/server/.version
@@ -1 +1 @@
-3.20.28-lts
+3.20.29-lts
diff --git a/server/data-migrations/1761556597329-AddGrantTypeKeyInSSOConfig.ts b/server/data-migrations/1761556597329-AddGrantTypeKeyInSSOConfig.ts
new file mode 100644
index 0000000000..3f748b5e27
--- /dev/null
+++ b/server/data-migrations/1761556597329-AddGrantTypeKeyInSSOConfig.ts
@@ -0,0 +1,96 @@
+import { dbTransactionWrap } from '@helpers/database.helper';
+import { MigrationProgress, processDataInBatches } from '@helpers/migration.helper';
+import { EntityManager, MigrationInterface, QueryRunner } from 'typeorm';
+
+export class AddGrantTypeKeyInSSOConfig1761556597329 implements MigrationInterface {
+ private readonly SSO_TYPE = 'openid';
+ private readonly BATCH_SIZE = 100;
+
+ private async getTotalCount(entityManager: EntityManager): Promise {
+ const totalRecords = await entityManager.query(
+ `
+ SELECT COUNT(*)
+ FROM sso_configs
+ WHERE sso = $1
+ `,
+ [this.SSO_TYPE]
+ );
+ return parseInt(totalRecords[0].count, 10);
+ }
+
+ private fetchSSOConfigsBatch = async (entityManager: EntityManager, skip: number, take: number): Promise => {
+ return await entityManager.query(
+ `
+ SELECT id, configs
+ FROM sso_configs
+ WHERE sso = $1
+ ORDER BY id
+ LIMIT $2 OFFSET $3
+ `,
+ [this.SSO_TYPE, take, skip]
+ );
+ };
+
+ public async up(queryRunner: QueryRunner): Promise {
+ const entityManager = queryRunner.manager;
+ const totalCount = await this.getTotalCount(entityManager);
+
+ if (totalCount === 0) return;
+
+ await dbTransactionWrap(async (entityManager: EntityManager) => {
+ const migrationProgress = new MigrationProgress('AddGrantTypeKeyInSSOConfig1761556597329', totalCount);
+
+ const processBatch = async (entityManager: EntityManager, ssoConfigs: any[]) => {
+ for (const ssoConfig of ssoConfigs) {
+ const configs = ssoConfig.configs;
+ if (configs && !configs.grant_type) {
+ configs.grant_type = 'authorization_code';
+
+ await entityManager.query(
+ `
+ UPDATE sso_configs
+ SET configs = $1
+ WHERE id = $2
+ `,
+ [configs, ssoConfig.id]
+ );
+ }
+ migrationProgress.show();
+ }
+ };
+ await processDataInBatches(entityManager, this.fetchSSOConfigsBatch, processBatch, this.BATCH_SIZE);
+ }, entityManager);
+ }
+
+ public async down(queryRunner: QueryRunner): Promise {
+ const entityManager = queryRunner.manager;
+ const totalCount = await this.getTotalCount(entityManager);
+
+ if (totalCount === 0) return;
+
+ await dbTransactionWrap(async (entityManager: EntityManager) => {
+ const migrationProgress = new MigrationProgress('AddGrantTypeKeyInSSOConfig1761556597329', totalCount);
+
+ const processBatch = async (entityManager: EntityManager, ssoConfigs: any[]) => {
+ for (const ssoConfig of ssoConfigs) {
+ const configs = ssoConfig.configs;
+ if (configs && configs.grant_type) {
+ delete configs.grant_type;
+
+ await entityManager.query(
+ `
+ UPDATE sso_configs
+ SET configs = $1
+ WHERE id = $2
+ `,
+ [configs, ssoConfig.id]
+ );
+ }
+ migrationProgress.show();
+ }
+ };
+
+ await processDataInBatches(entityManager, this.fetchSSOConfigsBatch, processBatch, this.BATCH_SIZE);
+ });
+ }
+}
diff --git a/server/ee b/server/ee
index 2e20b4b6b2..6f507336a2 160000
--- a/server/ee
+++ b/server/ee
@@ -1 +1 @@
-Subproject commit 2e20b4b6b28a984c3fd09d64f00f606b56dd532f
+Subproject commit 6f507336a229c0542ca95d77d54e6e31cbf2a068
diff --git a/server/src/modules/auth/types/index.ts b/server/src/modules/auth/types/index.ts
index 351d1655e5..888124f1b7 100644
--- a/server/src/modules/auth/types/index.ts
+++ b/server/src/modules/auth/types/index.ts
@@ -1,6 +1,7 @@
 import { FEATURE_KEY } from '../constants';
 import { FeatureConfig } from '@modules/app/types';
 import { MODULES } from '@modules/app/constants/modules';
+import { ClientMetadata } from 'openid-client';
 export interface Features {
 [FEATURE_KEY.LOGIN]: FeatureConfig;
@@ -25,3 +26,9 @@ export interface Features {
 export interface FeaturesConfig {
 [MODULES.AUTH]: Features;
 }
+
+export interface OidcClientConfig extends Partial {
+ client_id: string;
+ client_secret?: string;
+ redirect_uris: string[];
+}
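Review bot: `down()` closes its `dbTransactionWrap(...)` call with `});`, omitting the `entityManager` argument that `up()` passes, so the rollback may not run on the migration's own `queryRunner.manager`. The helper's body is not in this diff, so confirm what it does when no manager is given; otherwise end the call with `}, entityManager);` as `up()` does. Both directions also load the whole `configs` value, mutate it in JS and write it back, which assumes the column comes back as a parsed object. Since this value holds the OIDC client settings, confirm it is not stored as text or in encrypted form, where `configs.grant_type` would not behave as intended. Replacing `ssoConfigs: any[]` with a small row type would make that assumption visible to the compiler.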
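Review bot: `OidcClientConfig` makes `client_secret` optional but carries no comment saying when it may be absent, and nothing in the type ties that to the `grant_type` value this commit introduces. Presumably only a PKCE (public client) configuration should omit the secret; a TSDoc line such as `/** client_secret may be omitted only for public clients using PKCE; confidential clients must set it. */` would record that. The code that builds the client, which is not in this diff, should then reject a confidential configuration that has no secret. The base type shows on this page as bare `Partial`, presumably `Partial<ClientMetadata>` given the added import.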