Feature: login though OIDC only

app/assets/stylesheets/application.scss

@@ -1047,4 +1047,12 @@ td.day .calendar-text {
       top: 0;
     }
   }
-}
+}
+
+.btn-oidc-only {
+  font-size: 36px;
+  padding: 4px;
+  margin: 12px 10px;
+  display: flex;
+  justify-content: center;
+}

app/helpers/application_helper.rb

@@ -698,4 +698,14 @@ def unverified_notice(resource)
   def theme_path
     "themes/#{params[:theme_preview] || current_space&.theme || TeSS::Config.site['default_theme'] || 'default'}"
   end
+
+  def omniauth_login_link(provider, config)
+    link_to(
+      t('authentication.omniauth.log_in_with',
+        provider: config.options[:label] ||
+                  t("authentication.omniauth.providers.#{provider}", default: provider.to_s.titleize)),
+      omniauth_authorize_path('user', provider),
+      method: :post
+    )
+  end
 end

app/models/user.rb

@@ -62,7 +62,9 @@ class User < ApplicationRecord
   before_save :set_username_for_invitee
 
   # Include default devise modules. Others available are: :lockable, :timeoutable
-  if TeSS::Config.feature['registration']
+  if TeSS::Config.feature['login_through_oidc_only']
+    devise :database_authenticatable, :confirmable, :trackable, :validatable, :omniauthable, :authentication_keys => [:login]
+  elsif TeSS::Config.feature['registration']
     devise :database_authenticatable, :confirmable, :registerable, :invitable, :recoverable, :rememberable, :trackable,
            :validatable, :omniauthable, :authentication_keys => [:login]
   elsif TeSS::Config.feature['invitation']

app/views/devise/sessions/_omniauth_options.html.erb

@@ -1,7 +1,8 @@
 <% if devise_mapping.omniauthable? -%>
   <% Devise.omniauth_configs.each do |provider, config| -%>
     <%= link_to(omniauth_authorize_path(resource_name, provider), method: :post,
-                class: config.options[:logo] ? '' : 'btn btn-default') do %>
+                class: config.options[:logo] ? '' :
+                    TeSS::Config.feature["login_through_oidc_only"] ? 'btn btn-default btn-lg btn-oidc-only' : 'btn btn-default') do %>
       <% if config.options[:logo].present? %>
         <%= image_tag(config.options[:logo], class: "omniauth-logo omniauth-#{provider}") -%>
       <% else %>

app/views/devise/sessions/new.html.erb

@@ -1,6 +1,8 @@
 <div class="account-form">
   <div class="page-header">
+    <% if !TeSS::Config.feature["login_through_oidc_only"] %>
     <%= page_title 'Log in' %>
+    <% end %>
   </div>
   <div class="form-middle">
     <% if resource_class.omniauth_providers.any? && devise_mapping.omniauthable? %>
@@ -10,19 +12,33 @@
       <hr/>
     <% end %>
 
+    <% if TeSS::Config.feature["login_through_oidc_only"] %>
+    <dl class="faq">
+      <div class="question">
+        <dt>
+          <h4><div class="expand">+</div><%= t('authentication.omniauth.admin') %></h4>
+        </dt>
+        <dd style="display: none;">
+    <% end %>
     <%= simple_form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
       <div class="h4"><%= t('authentication.password.title') %></div>
       <p><%= t('authentication.password.description') %></p>
       <%= f.input :login, label: t('authentication.password.email_or_username'), autofocus: true %>
       <%= f.input :password, label: t('authentication.password.password'),
-                             input_html: { autocomplete: 'off' } %>
+                            input_html: { autocomplete: 'off' } %>
       <% if devise_mapping.rememberable? -%>
         <%= f.input :remember_me, label: t('authentication.password.remember_me'), as: :boolean %>
       <% end -%>
       <div class="actions">
         <%= f.submit t('authentication.password.log_in'), :class => 'btn btn-primary' %>
       </div>
     <% end %>
+    <% if !TeSS::Config.feature["login_through_oidc_only"] %>
     <%= render "devise/shared/links" %>
+    <% else %>
+        </dd>
+      </div>
+    </dl>
+    <% end %>
   </div>
 </div>

app/views/layouts/_login_menu.html.erb

@@ -1,14 +1,16 @@
+<% if TeSS::Config.feature["login_through_oidc_only"] && Devise.omniauth_configs.size == 1 %>
+<li>
+  <% provider, config = Devise.omniauth_configs.first %>
+  <%= omniauth_login_link(provider, config) %>
+</li>
+<% else %>
 <li class="dropdown">
   <a class="dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
     <strong>Log In</strong> <span class="caret"></span>
   </a>
   <ul class="dropdown-menu dropdown-menu-right">
     <% Devise.omniauth_configs.each do |provider, config| -%>
-      <li class="dropdown-item">
-        <%= link_to t('authentication.omniauth.log_in_with',
-              provider: config.options[:label] || t("authentication.omniauth.providers.#{provider}", default: provider.to_s.titleize)),
-                    omniauth_authorize_path('user', provider), method: :post %>
-      </li>
+      <li class="dropdown-item"><%= omniauth_login_link(provider, config) %></li>
     <% end %>
 
     <li class="dropdown-item">
@@ -23,3 +25,4 @@
     <% end %>
   </ul>
 </li>
+<% end %>

config/locales/en.yml

@@ -743,6 +743,7 @@ en:
         oidc: OpenID Connect
         oidc2: Alternative OpenID Connect
       log_in_with: 'Log in with %{provider}'
+      admin: Admin
   ingestion:
     categories:
       events: 'Events'

config/tess.example.yml

@@ -147,13 +147,11 @@ default: &default
   feature:
     elearning_materials: false
     events: true
-    invitation: false
     materials: true
     nodes: false
     collections: true
     content_providers: true
     subscription: true
-    registration: true
     trainers: false
     workflows: true
     sources: false
@@ -171,6 +169,9 @@ default: &default
     learning_paths: false
     collection_curation: true
     spaces: false
+    invitation: false
+    registration: false
+    login_through_oidc_only: false # when true, only the first oidc authentication will be available in TeSS, useful when you have your org SSO. Be careful! invitation and registration must be false when using this feature.
   restrict_content_provider_selection: false
   user_ingestion_methods: ['bioschemas']
   placeholder:

test/controllers/static_controller_test.rb

@@ -493,4 +493,25 @@ class StaticControllerTest < ActionController::TestCase
       end
     end
   end
+
+  test 'should find log in drop down when login_through_oidc_only is disabled' do
+    with_settings({ feature: { login_through_oidc_only: false } }) do
+      get :home
+      assert_select 'ul.user-options.nav.navbar-nav.navbar-right' do
+        assert_select 'a.dropdown-toggle', count: 1
+      end
+    end
+  end
+
+  test 'should find log in button when login_through_oidc_only is enabled' do
+    Devise.stub( :omniauth_configs, { oidc: OpenStruct.new(options: { label: "OIDC" }) }
+    ) do
+      with_settings({ feature: { login_through_oidc_only: true } }) do
+        get :home
+        assert_select 'ul.user-options.nav.navbar-nav.navbar-right' do
+          assert_select 'a[href="/users/auth/oidc"]', text: 'Log in', count: 1
+        end
+      end
+    end
+  end
 end

test/integration/login_test.rb

@@ -29,6 +29,24 @@ class LoginTest < ActionDispatch::IntegrationTest
     logout_user
   end
 
+  test 'should not see big login button and admin login when login_through_oidc_only is disabled' do
+    with_settings({ feature: { login_through_oidc_only: false } }) do
+      get '/users/sign_in'
+      assert_response :success
+      assert_select 'div.form-middle a.btn-oidc-only', false
+      assert_select 'dl.faq', false
+    end
+  end
+
+  test 'should see big login button and admin login when login_through_oidc_only is enabled' do
+    with_settings({ feature: { login_through_oidc_only: true } }) do
+      get '/users/sign_in'
+      assert_response :success
+      assert_select 'div.form-middle a.btn-oidc-only'
+      assert_select 'dl.faq'
+    end
+  end
+
   private
 
   def login_user(username, identifier, password)