allow change auth provider

backend/api/src/main/kotlin/io/tolgee/api/v2/controllers/organization/OrganizationController.kt

@@ -27,6 +27,7 @@ import io.tolgee.model.Project
 import io.tolgee.model.UserAccount
 import io.tolgee.model.enums.OrganizationRoleType
 import io.tolgee.model.enums.ProjectPermissionType
+import io.tolgee.model.enums.ThirdPartyAuthType
 import io.tolgee.model.views.UserAccountWithOrganizationRoleView
 import io.tolgee.openApiDocs.OpenApiOrderExtension
 import io.tolgee.security.authentication.AllowApiAccess
@@ -108,6 +109,11 @@ class OrganizationController(
     ) {
       throw PermissionException()
     }
+    if (authenticationFacade.authenticatedUserEntity.thirdPartyAuthType === ThirdPartyAuthType.SSO &&
+      authenticationFacade.authenticatedUser.role != UserAccount.Role.ADMIN
+    ) {
+      throw PermissionException(Message.SSO_USER_CANNOT_CREATE_ORGANIZATION)
+    }
     this.organizationService.create(dto).let {
       return ResponseEntity(
         organizationModelAssembler.toModel(OrganizationView.of(it, OrganizationRoleType.OWNER)),

backend/api/src/main/kotlin/io/tolgee/configuration/PublicConfigurationDTO.kt

@@ -1,6 +1,7 @@
 package io.tolgee.configuration
 
 import io.swagger.v3.oas.annotations.media.Schema
+import io.tolgee.configuration.tolgee.AuthenticationProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.FileStoragePath
 import io.tolgee.constants.MtServiceType
@@ -14,9 +15,11 @@ class PublicConfigurationDTO(
   val version: String,
 ) {
   val authentication: Boolean = properties.authentication.enabled
-  var authMethods: AuthMethodsDTO? = null
-  val passwordResettable: Boolean
-  val allowRegistrations: Boolean
+  val authMethods: AuthMethodsDTO? = properties.authentication.asAuthMethodsDTO()
+
+  @Deprecated("Use nativeEnabled instead", ReplaceWith("nativeEnabled"))
+  val passwordResettable: Boolean = properties.authentication.nativeEnabled
+  val allowRegistrations: Boolean = properties.authentication.registrationsAllowed
   val screenshotsUrl = properties.fileStorageUrl + "/" + FileStoragePath.SCREENSHOTS
   val maxUploadFileSize = properties.maxUploadFileSize
   val clientSentryDsn = properties.sentry.clientDsn
@@ -28,6 +31,7 @@ class PublicConfigurationDTO(
   val maxTranslationTextLength: Long = properties.maxTranslationTextLength
   val recaptchaSiteKey = properties.recaptcha.siteKey
   val chatwootToken = properties.chatwootToken
+  val nativeEnabled = properties.authentication.nativeEnabled
   val capterraTracker = properties.capterraTracker
   val ga4Tag = properties.ga4Tag
   val postHogApiKey: String? = properties.postHog.apiKey
@@ -50,10 +54,40 @@ class PublicConfigurationDTO(
       connected = properties.slack.token != null,
     )
 
+  companion object {
+    private fun AuthenticationProperties.asAuthMethodsDTO(): AuthMethodsDTO? {
+      if (!enabled) {
+        return null
+      }
+
+      return AuthMethodsDTO(
+        OAuthPublicConfigDTO(github.clientId),
+        OAuthPublicConfigDTO(google.clientId),
+        OAuthPublicExtendsConfigDTO(
+          oauth2.clientId,
+          oauth2.authorizationUrl,
+          oauth2.scopes,
+        ),
+        SsoGlobalPublicConfigDTO(
+          ssoGlobal.enabled,
+          ssoGlobal.clientId,
+          ssoGlobal.domain,
+          ssoGlobal.customLogoUrl,
+          ssoGlobal.customLoginText,
+        ),
+        SsoOrganizationsPublicConfigDTO(
+          ssoOrganizations.enabled,
+        ),
+      )
+    }
+  }
+
   class AuthMethodsDTO(
     val github: OAuthPublicConfigDTO,
     val google: OAuthPublicConfigDTO,
     val oauth2: OAuthPublicExtendsConfigDTO,
+    val ssoGlobal: SsoGlobalPublicConfigDTO,
+    val ssoOrganizations: SsoOrganizationsPublicConfigDTO,
   )
 
   data class OAuthPublicConfigDTO(val clientId: String?) {
@@ -68,6 +102,18 @@ class PublicConfigurationDTO(
     val enabled: Boolean = !clientId.isNullOrEmpty()
   }
 
+  data class SsoGlobalPublicConfigDTO(
+    val enabled: Boolean,
+    val clientId: String?,
+    val domain: String?,
+    val customLogoUrl: String?,
+    val customLoginText: String?,
+  )
+
+  data class SsoOrganizationsPublicConfigDTO(
+    val enabled: Boolean,
+  )
+
   data class MtServicesDTO(
     val defaultPrimaryService: MtServiceType?,
     val services: Map<MtServiceType, MtServiceDTO>,
@@ -82,23 +128,4 @@ class PublicConfigurationDTO(
     val enabled: Boolean,
     val connected: Boolean,
   )
-
-  init {
-    if (authentication) {
-      authMethods =
-        AuthMethodsDTO(
-          OAuthPublicConfigDTO(
-            properties.authentication.github.clientId,
-          ),
-          OAuthPublicConfigDTO(properties.authentication.google.clientId),
-          OAuthPublicExtendsConfigDTO(
-            properties.authentication.oauth2.clientId,
-            properties.authentication.oauth2.authorizationUrl,
-            properties.authentication.oauth2.scopes,
-          ),
-        )
-    }
-    passwordResettable = properties.authentication.nativeEnabled
-    allowRegistrations = properties.authentication.registrationsAllowed
-  }
 }

backend/api/src/main/kotlin/io/tolgee/controllers/PublicController.kt

@@ -4,30 +4,38 @@ import com.fasterxml.jackson.databind.node.TextNode
 import io.swagger.v3.oas.annotations.Operation
 import io.swagger.v3.oas.annotations.tags.Tag
 import io.tolgee.component.email.TolgeeEmailSender
+import io.tolgee.configuration.tolgee.AuthenticationProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.dtos.misc.EmailParams
+import io.tolgee.dtos.request.AuthProviderChangeRequestDto
 import io.tolgee.dtos.request.auth.ResetPassword
 import io.tolgee.dtos.request.auth.ResetPasswordRequest
 import io.tolgee.dtos.request.auth.SignUpDto
+import io.tolgee.dtos.response.AuthProviderChangeResponseDto
 import io.tolgee.dtos.security.LoginRequest
+import io.tolgee.exceptions.AuthenticationException
 import io.tolgee.exceptions.BadRequestException
+import io.tolgee.exceptions.DisabledFunctionalityException
 import io.tolgee.exceptions.NotFoundException
 import io.tolgee.model.UserAccount
 import io.tolgee.openApiDocs.OpenApiHideFromPublicDocs
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.authorization.BypassEmailVerification
 import io.tolgee.security.payload.JwtAuthenticationResponse
 import io.tolgee.security.ratelimit.RateLimited
+import io.tolgee.security.service.thirdParty.SsoDelegate
 import io.tolgee.security.thirdParty.GithubOAuthDelegate
 import io.tolgee.security.thirdParty.GoogleOAuthDelegate
 import io.tolgee.security.thirdParty.OAuth2Delegate
+import io.tolgee.service.AuthProviderChangeRequestService
 import io.tolgee.service.EmailVerificationService
 import io.tolgee.service.security.*
 import jakarta.validation.Valid
 import jakarta.validation.constraints.NotBlank
 import jakarta.validation.constraints.NotNull
 import org.apache.commons.lang3.RandomStringUtils
+import org.springframework.context.annotation.Lazy
 import org.springframework.http.MediaType
 import org.springframework.transaction.annotation.Transactional
 import org.springframework.web.bind.annotation.*
@@ -41,6 +49,7 @@ class PublicController(
   private val githubOAuthDelegate: GithubOAuthDelegate,
   private val googleOAuthDelegate: GoogleOAuthDelegate,
   private val oauth2Delegate: OAuth2Delegate,
+  private val ssoDelegate: SsoDelegate,
   private val properties: TolgeeProperties,
   private val userAccountService: UserAccountService,
   private val tolgeeEmailSender: TolgeeEmailSender,
@@ -49,6 +58,9 @@ class PublicController(
   private val signUpService: SignUpService,
   private val mfaService: MfaService,
   private val userCredentialsService: UserCredentialsService,
+  private val authProperties: AuthenticationProperties,
+  @Lazy
+  private val authProviderChangeRequestService: AuthProviderChangeRequestService,
 ) {
   @Operation(summary = "Generate JWT token")
   @PostMapping("/generatetoken")
@@ -57,11 +69,17 @@ class PublicController(
     @RequestBody @Valid
     loginRequest: LoginRequest,
   ): JwtAuthenticationResponse {
+    if (!authProperties.nativeEnabled) {
+      throw AuthenticationException(Message.NATIVE_AUTHENTICATION_DISABLED)
+    }
+
     val userAccount = userCredentialsService.checkUserCredentials(loginRequest.username, loginRequest.password)
     mfaService.checkMfa(userAccount, loginRequest.otp)
 
     // two factor passed, so we can generate super token
     val jwt = jwtService.emitToken(userAccount.id, true)
+
+    authProviderChangeRequestService.resolveChangeRequestIfExist(userAccount)
     return JwtAuthenticationResponse(jwt)
   }
 
@@ -72,7 +90,32 @@ class PublicController(
     @RequestBody @Valid
     request: ResetPasswordRequest,
   ) {
+    if (!authProperties.nativeEnabled) {
+      throw DisabledFunctionalityException(Message.NATIVE_AUTHENTICATION_DISABLED)
+    }
+
     val userAccount = userAccountService.findActive(request.email!!) ?: return
+    if (userAccount.accountType === UserAccount.AccountType.MANAGED) {
+      val params =
+        EmailParams(
+          to = request.email!!,
+          subject = "Password Reset Request - SSO Managed Account",
+          text =
+            """
+            Hello! 👋<br/><br/>
+            We received a request to reset the password for your account. However, your account is managed by your organization and uses a single sign-on (SSO) service for login.<br/><br/>
+            To access your account, please use the "SSO Login" button on the Tolgee login page. No password reset is needed.<br/><br/>
+            If you did not make this request, you may safely ignore this email.<br/><br/>
+
+            Regards,<br/>
+            Tolgee
+            """.trimIndent(),
+        )
+
+      tolgeeEmailSender.sendEmail(params)
+      return
+    }
+
     val code = RandomStringUtils.randomAlphabetic(50)
     userAccountService.setResetPasswordCode(userAccount, code)
 
@@ -106,6 +149,9 @@ class PublicController(
     @PathVariable("code") code: String,
     @PathVariable("email") email: String,
   ) {
+    if (!authProperties.nativeEnabled) {
+      throw DisabledFunctionalityException(Message.NATIVE_AUTHENTICATION_DISABLED)
+    }
     validateEmailCode(code, email)
   }
 
@@ -116,7 +162,13 @@ class PublicController(
     @RequestBody @Valid
     request: ResetPassword,
   ) {
+    if (!authProperties.nativeEnabled) {
+      throw DisabledFunctionalityException(Message.NATIVE_AUTHENTICATION_DISABLED)
+    }
     val userAccount = validateEmailCode(request.code!!, request.email!!)
+    if (userAccount.accountType === UserAccount.AccountType.MANAGED) {
+      throw AuthenticationException(Message.OPERATION_UNAVAILABLE_FOR_ACCOUNT_TYPE)
+    }
     if (userAccount.accountType === UserAccount.AccountType.THIRD_PARTY) {
       userAccountService.setAccountType(userAccount, UserAccount.AccountType.LOCAL)
     }
@@ -138,6 +190,9 @@ class PublicController(
     if (!reCaptchaValidationService.validate(dto.recaptchaToken, "")) {
       throw BadRequestException(Message.INVALID_RECAPTCHA_TOKEN)
     }
+    if (!authProperties.nativeEnabled) {
+      throw DisabledFunctionalityException(Message.NATIVE_AUTHENTICATION_DISABLED)
+    }
     return signUpService.signUp(dto)
   }
 
@@ -176,6 +231,7 @@ class PublicController(
     @RequestParam(value = "code", required = true) code: String?,
     @RequestParam(value = "redirect_uri", required = true) redirectUri: String?,
     @RequestParam(value = "invitationCode", required = false) invitationCode: String?,
+    @RequestParam(value = "domain", required = false) domain: String?,
   ): JwtAuthenticationResponse {
     if (properties.internal.fakeGithubLogin && code == "this_is_dummy_code") {
       val user = getFakeGithubUser()
@@ -194,12 +250,29 @@ class PublicController(
         oauth2Delegate.getTokenResponse(code, invitationCode, redirectUri)
       }
 
+      "sso" -> {
+        ssoDelegate.getTokenResponse(code, invitationCode, redirectUri, domain)
+      }
+
       else -> {
         throw NotFoundException(Message.SERVICE_NOT_FOUND)
       }
     }
   }
 
+  @PostMapping("/auth-provider/request-change")
+  fun submitOrCancelAuthProviderChangeRequest(
+    @RequestBody authProviderChangeRequestDto: AuthProviderChangeRequestDto,
+  ) {
+    authProviderChangeRequestService.confirmOrCancel(authProviderChangeRequestDto)
+  }
+
+  @GetMapping("/auth-provider/get-request")
+  fun getAuthProviderChangeRequest(
+    @RequestParam("requestId") id: Long,
+  ): AuthProviderChangeResponseDto =
+    AuthProviderChangeResponseDto.fromEntity(authProviderChangeRequestService.getById(id))
+
   private fun getFakeGithubUser(): UserAccount {
     val username = "[email protected]"
     val user =

backend/api/src/main/kotlin/io/tolgee/hateoas/ee/SsoTenantModel.kt

@@ -0,0 +1,18 @@
+package io.tolgee.hateoas.ee
+
+import org.springframework.hateoas.RepresentationModel
+import org.springframework.hateoas.server.core.Relation
+import java.io.Serializable
+
+@Suppress("unused")
+@Relation(collectionRelation = "ssoTenants", itemRelation = "ssoTenant")
+class SsoTenantModel(
+  val authorizationUri: String,
+  val clientId: String,
+  val clientSecret: String,
+  val tokenUri: String,
+  val isEnabled: Boolean,
+  val jwkSetUri: String,
+  val domainName: String,
+) : RepresentationModel<SsoTenantModel>(),
+  Serializable

backend/api/src/main/kotlin/io/tolgee/security/thirdParty/GithubOAuthDelegate.kt

@@ -5,10 +5,12 @@ import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
 import io.tolgee.model.UserAccount
+import io.tolgee.model.enums.ThirdPartyAuthType
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
 import io.tolgee.service.security.SignUpService
 import io.tolgee.service.security.UserAccountService
+import org.springframework.context.annotation.Lazy
 import org.springframework.http.HttpEntity
 import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpMethod
@@ -25,6 +27,8 @@ class GithubOAuthDelegate(
   private val restTemplate: RestTemplate,
   properties: TolgeeProperties,
   private val signUpService: SignUpService,
+  @Lazy
+  private val userConflictManager: UserConflictManager,
 ) {
   private val githubConfigurationProperties: GithubAuthenticationProperties = properties.authentication.github
 
@@ -74,18 +78,19 @@ class GithubOAuthDelegate(
         )?.email
           ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
 
-      val userAccountOptional = userAccountService.findByThirdParty("github", userResponse!!.id!!)
+      val userAccountOptional = userAccountService.findByThirdParty(ThirdPartyAuthType.GITHUB, userResponse!!.id!!)
+      userConflictManager.resolveRequestIfExist(userAccountOptional)
       val user =
         userAccountOptional.orElseGet {
           userAccountService.findActive(githubEmail)?.let {
-            throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
+            manageUserNameConflict(it)
           }
 
           val newUserAccount = UserAccount()
           newUserAccount.username = githubEmail
           newUserAccount.name = userResponse.name ?: userResponse.login
           newUserAccount.thirdPartyAuthId = userResponse.id
-          newUserAccount.thirdPartyAuthType = "github"
+          newUserAccount.thirdPartyAuthType = ThirdPartyAuthType.GITHUB
           newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
 
           signUpService.signUp(newUserAccount, invitationCode, null)
@@ -106,6 +111,14 @@ class GithubOAuthDelegate(
     throw AuthenticationException(Message.THIRD_PARTY_AUTH_UNKNOWN_ERROR)
   }
 
+  private fun manageUserNameConflict(user: UserAccount) {
+    userConflictManager.manageUserNameConflict(
+      user,
+      ThirdPartyAuthType.GITHUB,
+      newAccountType = UserAccount.AccountType.THIRD_PARTY,
+    )
+  }
+
   class GithubEmailResponse {
     var email: String? = null
     var primary = false