sqlpage
diff --git a/‎examples/official-site/sqlpage/migrations/07_authentication.sql‎
Lines changed: 37 additions & 12 deletions b/‎examples/official-site/sqlpage/migrations/07_authentication.sql‎
Lines changed: 37 additions & 12 deletions
diff --git a/‎examples/official-site/sqlpage/migrations/61_oidc_functions.sql‎
Lines changed: 172 additions & 0 deletions b/‎examples/official-site/sqlpage/migrations/61_oidc_functions.sql‎
Lines changed: 172 additions & 0 deletions
diff --git a/‎examples/official-site/sso/index.sql‎
Lines changed: 7 additions & 0 deletions b/‎examples/official-site/sso/index.sql‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎examples/official-site/sso/single_sign_on.md‎
Lines changed: 120 additions & 0 deletions b/‎examples/official-site/sso/single_sign_on.md‎
Lines changed: 120 additions & 0 deletions
@@ -2,13 +2,41 @@
 INSERT INTO component (name, description, icon, introduced_in_version)
 VALUES (
         'authentication',
-        'An advanced component that can be used to create pages with password-restricted access.
-        When used, this component has to be at the top of your page, because once the page has begun being sent to the browser, it is too late to restrict access to it.
-        The authentication component checks if the user has sent the correct password, and if not, redirects them to the URL specified in the link parameter.
-        If you don''t want to re-check the password on every page (which is an expensive operation),
-        you can check the password only once and store a session token in your database. 
-        You can use the cookie component to set the session token cookie in the client browser,
-        and then check whether the token matches what you stored in subsequent pages.',
+        '
+Create pages with password-restricted access.
+
+
+When you want to add user authentication to your SQLPage application, 
+you have two main options:
+
+1. The `authentication` component:
+   - lets you manage usernames and passwords yourself
+   - does not require any external service
+   - gives you fine-grained control over 
+     - which pages and actions are protected
+     - the look of the login form
+     - the duration of the session
+     - the permissions of each user
+2. [**Single sign-on**](/sso)
+   - lets users log in with their existing accounts (like Google, Microsoft, or your organization''s own identity provider)
+   - requires setting up an external service (Google, Microsoft, etc.)
+   - frees you from implementing a lot of features like password reset, account creation, user management, etc.
+
+This page describes the first option.
+
+When used, this component has to be at the top of your page,
+because once the page has begun being sent to the browser,
+it is too late to restrict access to it.
+
+The authentication component checks if the user has sent the correct password,
+and if not, redirects them to the URL specified in the link parameter.
+
+If you don''t want to re-check the password on every page (which is an expensive operation),
+you can check the password only once and store a session token in your database
+(see the session example below).
+
+You can use the [cookie component](?component=cookie) to set the session token cookie in the client browser,
+and then check whether the token matches what you stored in subsequent pages.',
         'lock',
         '0.7.2'
     );
@@ -158,9 +186,6 @@ RETURNING
 ### Single sign-on with OIDC (OpenID Connect)
 
 If you don''t want to manage your own user database,
-you can use OpenID Connect and OAuth2 to authenticate users.
-This allows users to log in with their Google, Facebook, or internal company account.
-
-You will find an example of how to do this in the
-[Single sign-on with OIDC](https://github.com/sqlpage/SQLPage/tree/main/examples/single%20sign%20on).
+you can [use OpenID Connect and OAuth2](/sso) to authenticate users.
+This allows users to log in with their Google, Microsoft, or internal company account.
 ');
@@ -0,0 +1,172 @@
+INSERT INTO
+    sqlpage_functions (
+        "name",
+        "introduced_in_version",
+        "icon",
+        "description_md"
+    )
+VALUES
+    (
+        'user_info_token',
+        '0.35.0',
+        'key',
+        '# Accessing information about the current user, when logged in with SSO
+
+This function can be used only when you have [configured Single Sign-On with an OIDC provider](/sso).
+
+## The ID Token
+
+When a user logs in through OIDC, your application receives an [identity token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) from the identity provider.
+This token contains information about the user, such as their name and email address.
+The `sqlpage.user_info_token()` function lets you access the entire contents of the ID token, as a JSON object.
+You can then use [your database''s JSON functions](/blog.sql?post=JSON+in+SQL%3A+A+Comprehensive+Guide) to process that JSON.
+
+If you need to access a specific claim, it is easier and more performant to use the
+[`sqlpage.user_info()`](?function=user_info) function instead.
+
+### Example: Displaying User Information
+
+```sql
+select ''list'' as component;
+select key as title, value as description
+from json_each(sqlpage.user_info_token());
+```
+
+This sqlite-specific example will show all the information available about the current user, such as:
+- `sub`: A unique identifier for the user
+- `name`: The user''s full name
+- `email`: The user''s email address
+- `picture`: A URL to the user''s profile picture
+
+### Security Notes
+
+- The ID token is automatically verified by SQLPage to ensure it hasn''t been tampered with.
+- The token is only available to authenticated users: if no user is logged in or sso is not configured, this function returns NULL
+- If some information is not available in the token, you have to configure it on your OIDC provider, SQLPage can''t do anything about it.
+- The token is stored in a signed http-only cookie named `sqlpage_auth`. You can use [the cookie component](/component.sql?component=cookie) to delete it, and the user will be redirected to the login page on the next page load.
+'
+    );
+
+INSERT INTO
+    sqlpage_functions (
+        "name",
+        "introduced_in_version",
+        "icon",
+        "description_md"
+    )
+VALUES
+    (
+        'user_info',
+        '0.34.0',
+        'user',
+        '# Accessing Specific User Information
+
+The `sqlpage.user_info` function is a convenient way to access specific pieces of information about the currently logged-in user.
+When you [configure Single Sign-On](/sso), your OIDC provider will issue an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) for the user,
+which contains *claims*, with information about the user.
+
+Calling `sqlpage.user_info(claim_name)` lets you access these claims directly from SQL.
+
+## How to Use
+
+The function takes one parameter: the name of the *claim* (the piece of information you want to retrieve).
+
+For example, to display a personalized welcome message, with the user''s name, you can use:
+
+```sql
+select ''text'' as component;
+select ''Welcome, '' || sqlpage.user_info(''name'') || ''!'' as title;
+```
+
+## Available Information
+
+The exact information available depends on your identity provider (the service you chose to authenticate with),
+its configuration, and the scopes you requested.
+Use [`sqlpage.user_info_token()`](?function=user_info_token) to see all the information available in the ID token of the current user.
+
+Here are some commonly available fields:
+
+### Basic Information
+- `name`: The user''s full name (usually first and last name separated by a space)
+- `email`: The user''s email address (*warning*: there is no guarantee that the user currently controls this email address. Use the `sub` claim for database references instead.)
+- `picture`: URL to the user''s profile picture
+
+### User Identifiers
+- `sub`: A unique identifier for the user (use this to uniquely identify the user in your database)
+- `preferred_username`: The username the user prefers to use
+
+### Name Components
+- `given_name`: The user''s first name
+- `family_name`: The user''s last name
+
+## Examples
+
+### Personalized Welcome Message
+```sql
+select ''text'' as component,
+    ''Welcome back, **'' || sqlpage.user_info(''given_name'') || ''**!'' as contents_md;
+```
+
+### User Profile Card
+```sql
+select ''card'' as component;
+select 
+    sqlpage.user_info(''name'') as title,
+    sqlpage.user_info(''email'') as description,
+    sqlpage.user_info(''picture'') as image;
+```
+
+### Conditional Content Based on custom claims
+
+Some identity providers let you add custom claims to the ID token.
+This lets you customize the behavior of your application based on arbitrary user attributes,
+such as the user''s role.
+
+```sql
+-- show everything to admins, only public items to others
+select ''list'' as component;
+select title from my_items
+  where is_public or sqlpage.user_info(''role'') = ''admin''
+```
+
+## Security Best Practices
+
+> ⚠️ **Important**: Always use the `sub` claim to identify users in your database, not their email address.
+> The `sub` claim is guaranteed to be unique and stable for each user, while email addresses can change.
+> In most providers, receiving an id token with a given email does not guarantee that the user currently controls that email.
+
+```sql
+-- Store the user''s ID in your database
+insert into user_preferences (user_id, theme)
+values (sqlpage.user_info(''sub''), ''dark'');
+```
+
+## Troubleshooting
+
+If you''re not getting the information you expect:
+
+1. Check that OIDC is properly configured in your `sqlpage.json`
+2. Verify that you requested the right scopes in your OIDC configuration
+3. Try using `sqlpage.user_info_token()` to see all available information
+4. Check your OIDC provider''s documentation for the exact claim names they use
+
+Remember: If the user is not logged in or the requested information is not available, this function returns NULL.
+'
+    );
+
+INSERT INTO
+    sqlpage_function_parameters (
+        "function",
+        "index",
+        "name",
+        "description_md",
+        "type"
+    )
+VALUES
+    (
+        'user_info',
+        1,
+        'claim',
+        'The name of the user information to retrieve. Common values include ''name'', ''email'', ''picture'', ''sub'', ''preferred_username'', ''given_name'', and ''family_name''. The exact values available depend on your OIDC provider and configuration.',
+        'TEXT'
+    );
@@ -0,0 +1,7 @@
+select 'http_header' as component,
+    'public, max-age=600, stale-while-revalidate=3600, stale-if-error=86400' as "Cache-Control",
+    '<https://sql-page.com/sso>; rel="canonical"' as "Link";
+
+select 'dynamic' as component, properties FROM example WHERE component = 'shell' LIMIT 1;
+
+select 'text' as component, sqlpage.read_file_as_text('sso/single_sign_on.md') as contents_md, true as article;
@@ -0,0 +1,120 @@
+# Setting Up Single Sign-On in SQLPage
+
+
+When you want to add user authentication to your SQLPage application, you have two main options:
+
+1. The [authentication component](/component.sql?component=authentication):
+   A simple username/password system, that you have to manage yourself.
+2. **OpenID Connect (OIDC)**:
+   A single sign-on system that lets users log in with their existing accounts (like Google, Microsoft, or your organization's own identity provider).
+
+This guide will help you set up single sign-on using OpenID connect with SQLPage quickly.
+
+## Essential Terms
+
+- **OIDC** ([OpenID Connect](https://openid.net/developers/how-connect-works/)): The protocol that enables secure login with existing accounts. While it adds some complexity, it's an industry standard that ensures your users' data stays safe.
+- **Issuer** (or identity provider): The service that verifies your users' identity (like Google or Microsoft)
+- **Identity Token**: A secure message from the issuer containing user information. It is stored as a cookie on the user's computer, and sent with every request after login. SQLPage will redirect all requests that do not contain a valid token to the identity provider's login page.
+- **Claim**: A piece of information contained in the token about the user (like their name or email)
+
+## Quick Setup Guide
+
+### Choose an OIDC Provider
+
+Here are the setup guides for
+[Google](https://developers.google.com/identity/openid-connect/openid-connect),
+[Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app),
+[GitHub](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps),
+and [Keycloak](https://www.keycloak.org/getting-started/getting-started-docker) (self-hosted).
+
+### Register Your Application
+
+1. Go to your chosen provider's developer console
+2. Create a new application
+3. Set the redirect URI to `http://localhost:8080/sqlpage/oidc_callback`. (We will change that later when you deploy your site to a hosting provider such as [datapage](https://beta.datapage.app/)).
+4. Note down the client ID and client secret
+
+### Configure SQLPage
+
+Create or edit `sqlpage/sqlpage.json` to add the following configuration keys:
+
+```json
+{
+  "oidc_issuer_url": "https://accounts.google.com",
+  "oidc_client_id": "your-client-id",
+  "oidc_client_secret": "your-client-secret",
+  "host": "localhost:8080"
+}
+```
+
+#### Provider-specific settings
+- Google: `https://accounts.google.com`
+- Microsoft: `https://login.microsoftonline.com/{tenant}/v2.0`. [Find your value of `{tenant}`](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-create-new-tenant).
+- GitHub: `https://github.com`
+- Keycloak: Use [your realm's base url](https://www.keycloak.org/securing-apps/oidc-layers), ending in `/auth/realms/{realm}`.
+- For other OIDC providers, you can usually find the issuer URL by
+  looking for a "discovery document" or "well-known configuration" at an URL that ends with the suffix `/.well-known/openid-configuration`.
+  Strip the suffix and use it as the `oidc_issuer_url`.
+
+### Restart SQLPage
+
+When you restart your SQLPage instance, it should automatically contact
+the identity provider, find its login URL, and the public keys that will be used to check the validity of its identity tokens.
+
+The next time an user loads page on your SQLPage website, they will be redirected to 
+the provider's login page. Upon successful login, they will be redirected back to
+the page they were initially requesting on your website.
+
+## Access User Information in Your SQL
+
+Once you have successfully configured SSO, you can access information
+about the authenticated user who is visiting the current page using the following functions:
+- [`sqlpage.user_info`](/functions.sql?function=user_info) to access a particular claim about the user such as `name` or `email`,
+- [`sqlpage.user_info_token`](/functions.sql?function=user_info_token) to access the entire identity token as json.
+
+Access user data in your SQL files:
+
+```sql
+select 'text' as component, '
+
+Welcome, ' || sqlpage.user_info('name') || '!
+
+You have visited this site ' || 
+    (select count(*) from page_visits where user=sqlpage.user_info('sub')) ||
+' times before.
+' as contents_md;
+
+insert into page_visits
+  (path, user)
+values
+  (sqlpage.path(), sqlpage.user_info('sub'));
+```
+
+## Going to Production
+
+When deploying to production:
+
+1. Update the redirect URI in your OIDC provider's settings to:
+   ```
+   https://your-domain.com/sqlpage/oidc_callback
+   ```
+
+2. Update your `sqlpage.json`:
+   ```json
+   {
+     "oidc_issuer_url": "https://accounts.google.com",
+     "oidc_client_id": "your-client-id",
+     "oidc_client_secret": "your-client-secret",
+     "host": "your-domain.com"
+   }
+   ```
+
+3. If you're using HTTPS (recommended), make sure your `host` setting matches your domain name exactly.
+
+## Troubleshooting
+
+- If login fails, check that the redirect URI matches exactly
+- Verify that your client ID and secret are correct
+- Make sure your `host` setting matches your application's URL
+- For local development, use `http://localhost:8080` as the host
+- For production, use your actual domain name