@ryphon ryphon commented Dec 9, 2025

Adds OpenID Connect authentication

What Changed

OIDC Authentication

  • Dynamic auth provider that fetches OIDC config from SpacetimeDB
  • Config fields for OidcIssuer and OidcAudience
  • Frontend integration with react-oidc-context
  • Overlay mode bypasses OIDC (no auth required for the overlay to be utilized)

Cleaner container support

  • Environment-based configuration via OIDC_ISSUER and OIDC_CLIENT_ID
  • Persistent volume support for identity and data
  • Database lock file handling for pod restarts (sorta)
  • Retry logic for SpacetimeDB startup and publishing (sorta)

Infrastructure

  • Modified SetConfig reducer to accept OIDC params and work without connection context (allows CLI init)
  • Entrypoint script handles automatic initial database initialization

Why

Enables deployments with a full custom authentication flow.

Upgrade Notes

Breaking Changes:

  • SetConfig reducer signature changed - add two new optional string params: oidcIssuer and oidcAudience
  • Database schema updated with new config fields

Environment Variables (required for OIDC):

OIDC_ISSUER=https://authentik.example.com/application/o/pogly/
OIDC_CLIENT_ID=public-oidc-client-id

Optional:
STREAM_PLATFORM=twitch
STREAM_NAME=channel
USE_PASSWORD=false
STRICT_MODE=false

Shortcomings

  • No user management UI - OIDC just gates initial access, still have to know the password for the module
  • OIDC provider must be configured manually (callback URLs, client setup, and all via Environment Vars)
  • Single-pod limitation due to DB locking (no horizontal scaling yet and no idea if this is relevant/important, maybe STDB handles this somewhere else, idk)
