
feat(auth): add Entra ID OIDC authentication for web UI #6345

Open. rbstp wants to merge 1 commit into runatlantis:main from rbstp:feat/entraid

feat(auth): add Entra ID OIDC authentication for web UI#6345
rbstp wants to merge 1 commit intorunatlantis:mainfrom
rbstp:feat/entraid

Conversation


@rbstp rbstp commented Mar 27, 2026

what

  • Add OIDC authentication support for the Atlantis web UI, starting with Entra ID (Azure AD) as the first provider
  • Support two authentication modes: client secret (any environment) and Azure workload identity (AKS deployments using federated service account tokens)
  • Both OIDC and existing basic auth can be enabled simultaneously
  • Session state stored in AES-GCM encrypted HTTP-only cookies (stateless)
  • New --web-oidc-auth flag accepts a provider name (entraid), designed to be extensible for future providers
  • Seven new configuration flags: --web-oidc-auth, --web-oidc-issuer-url, --web-oidc-client-id, --web-oidc-client-secret, --web-oidc-scopes, --web-oidc-cookie-secret, --web-oidc-azure-use-workload-identity

why

  • The Atlantis web UI exposes privileged functionality (disable apply commands, discard/unlock plans) behind only optional basic auth with shared credentials, which does not meet security policies prohibiting shared login credentials
  • Organizations need per-user SSO authentication to meet compliance requirements and enable future role-based access control
  • Azure workload identity support eliminates the need to manage client secrets in AKS environments
  • This is a common request from the community with 103 upvotes on the tracking issue

tests

  • 32 new unit tests across server/oidc/, server/controllers/, and server/ packages
  • Existing tests pass with no regressions
  • Manual test: client secret flow with Docker on localhost
  • Manual test: Azure workload identity flow on AKS cluster
  • Log messages follow contribution guide conventions (lowercase, no colons, %q for strings)

references
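The description above says session state lives in AES-GCM encrypted, HTTP-only cookies with no server-side store. The following is an added example of that pattern, written for this page and not the PR's own code: the cookie name, the Session fields and the function names are assumptions. It shows the two properties that make the design sound, a fresh random nonce per seal and the GCM tag check rejecting any modified value, plus the expiry check that a stateless design has to carry inside the cookie itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// cookieName is an assumed name; the PR's actual cookie name is not on the page.
const cookieName = "atlantis_oidc_session"

// Session is everything the server needs to recognise a signed-in user. It
// travels inside the cookie, so the server keeps no per-user state.
type Session struct {
	Email     string    `json:"email"`
	ExpiresAt time.Time `json:"exp"`
}

// SessionCodec seals and opens session cookies with AES-256-GCM, which gives
// confidentiality and integrity: a client can neither read nor forge a session.
type SessionCodec struct {
	aead cipher.AEAD
}

// NewSessionCodec builds a codec from the cookie secret; AES-256 needs exactly 32 bytes.
func NewSessionCodec(secret []byte) (*SessionCodec, error) {
	if len(secret) != 32 {
		return nil, fmt.Errorf("cookie secret must be 32 bytes, got %d", len(secret))
	}
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionCodec{aead: aead}, nil
}

// Seal encrypts the session under a fresh random nonce and returns
// base64url(nonce || ciphertext || tag). The cookie name is bound in as
// additional authenticated data so a value cannot be replayed under another name.
func (c *SessionCodec) Seal(s Session) (string, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, plain, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open authenticates and decrypts a cookie value. Any modification fails the
// GCM tag check; an expired session is rejected after decryption.
func (c *SessionCodec) Open(value string, now time.Time) (Session, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return Session{}, err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return Session{}, errors.New("session cookie too short")
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(cookieName))
	if err != nil {
		return Session{}, errors.New("session cookie failed authentication")
	}
	var s Session
	if err := json.Unmarshal(plain, &s); err != nil {
		return Session{}, err
	}
	if !now.Before(s.ExpiresAt) {
		return Session{}, errors.New("session expired")
	}
	return s, nil
}

// SessionCookie sets the attributes a session cookie needs: HttpOnly keeps it
// away from scripts, Secure keeps it off plaintext HTTP, SameSite=Lax keeps
// cross-site POSTs from carrying it.
func SessionCookie(value string, expires time.Time) *http.Cookie {
	return &http.Cookie{
		Name: cookieName, Value: value, Path: "/", Expires: expires,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	codec, err := NewSessionCodec(secret)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	value, _ := codec.Seal(Session{Email: "alice@example.com", ExpiresAt: now.Add(8 * time.Hour)})
	fmt.Println(SessionCookie(value, now.Add(8*time.Hour)).String())
	s, err := codec.Open(value, now)
	fmt.Println("opened:", s.Email, err)
}
```

Because the nonce is random per seal, two logins by the same user produce different cookie values; rotating the 32-byte secret invalidates every outstanding session at once, which is the only revocation lever a fully stateless design offers.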

Copilot AI review requested due to automatic review settings March 27, 2026 13:58
dosubot (bot) added the labels feature (New functionality/enhancement), go (Pull requests that update Go code) and security on Mar 27, 2026
github-actions (bot) added the labels docs (Documentation) and dependencies (PRs that update a dependency file) on Mar 27, 2026
Contributor

Copilot AI left a comment


Pull request overview

Adds first-party OIDC authentication to the Atlantis web UI (starting with Entra ID / Azure AD), including support for Azure workload identity, stateless encrypted cookie sessions, and new CLI/config flags to enable/configure the feature.

Changes:

  • Introduces server/oidc package (provider, Azure workload identity helper, cookie-based session/state management) plus controller endpoints for login/callback/logout.
  • Extends web middleware and UI templates to support OIDC sessions (and coexist with basic auth), including displaying the signed-in user and a sign-out link.
  • Adds new server flags/docs and bumps Go dependencies for OIDC + OAuth2 support.

Reviewed changes

Copilot reviewed 18 out of 19 changed files in this pull request and generated 9 comments.

File Description
server/user_config.go Adds OIDC-related config fields to UserConfig.
server/server.go Wires OIDC initialization and routes; surfaces OIDC state to the index view.
server/middleware.go Extends auth middleware to accept OIDC sessions and redirect unauthenticated users.
server/middleware_test.go Adds unit tests for basic auth / OIDC / combined behavior.
server/oidc/session.go Implements encrypted stateless session cookies + signed state cookie handling.
server/oidc/session_test.go Tests session/state cookie behavior and encryption expectations.
server/oidc/provider.go Adds OIDC discovery + auth code exchange (incl. workload identity assertion) and email extraction.
server/oidc/azure_workload_identity.go Reads/caches federated SA token from AZURE_FEDERATED_TOKEN_FILE.
server/oidc/azure_workload_identity_test.go Tests federated token loading and caching behavior.
server/controllers/oidc_controller.go Adds OIDC login/callback/logout handlers.
server/controllers/oidc_controller_test.go Adds basic controller tests for error paths and logout behavior.
server/controllers/web_templates/web_templates.go Extends index template data; adds login template wiring.
server/controllers/web_templates/templates/index.html.tmpl Shows signed-in user + sign-out link when OIDC is enabled.
server/controllers/web_templates/templates/login.html.tmpl Adds a login page template (currently not clearly wired to a route).
cmd/server.go Adds flags/defaults/validation for OIDC configuration.
cmd/server_test.go Updates test flag map to include new OIDC flags/defaults.
runatlantis.io/docs/server-configuration.md Documents the new OIDC flags and example env vars.
go.mod Adds go-oidc and updates oauth2 dependency versions.
go.sum Updates checksums for new/updated dependencies.

Signed-off-by: Richard Boisvert <rboisvert@devolutions.net>
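The review summary above describes server/oidc/azure_workload_identity.go as reading and caching the federated service account token from AZURE_FEDERATED_TOKEN_FILE, and the provider as using that token as the assertion in the auth code exchange. The block below is an added example of those two pieces, written for this page rather than taken from the PR; the type and function names, the cache TTL and the redirect URI in main are assumptions. The point it demonstrates is that the projected token file is rotated by the kubelet, so a loader that reads it once at startup will eventually present an expired assertion; a bounded cache re-reads it in time.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
	"sync"
	"time"
)

// FederatedTokenSource reads the projected service account token that AKS
// workload identity mounts into the pod. The kubelet rotates that file, so the
// loader caches the contents only for ttl and then re-reads it.
type FederatedTokenSource struct {
	path string
	ttl  time.Duration
	now  func() time.Time // injectable clock so tests can advance time

	mu       sync.Mutex
	token    string
	loadedAt time.Time
}

// NewFederatedTokenSource caches the token at path for ttl before re-reading.
func NewFederatedTokenSource(path string, ttl time.Duration) *FederatedTokenSource {
	return &FederatedTokenSource{path: path, ttl: ttl, now: time.Now}
}

// FromEnv resolves the token path from AZURE_FEDERATED_TOKEN_FILE, the variable
// the workload identity webhook injects into the pod.
func FromEnv(ttl time.Duration) (*FederatedTokenSource, error) {
	path := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
	if path == "" {
		return nil, errors.New("AZURE_FEDERATED_TOKEN_FILE is not set; is workload identity enabled for this pod")
	}
	return NewFederatedTokenSource(path, ttl), nil
}

// Token returns the cached assertion, re-reading the file once the cached copy
// is older than ttl. A missing or empty file is an error, never a silent empty string.
func (s *FederatedTokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token != "" && s.now().Sub(s.loadedAt) < s.ttl {
		return s.token, nil
	}
	data, err := os.ReadFile(s.path)
	if err != nil {
		return "", fmt.Errorf("reading federated token file %q: %w", s.path, err)
	}
	tok := strings.TrimSpace(string(data))
	if tok == "" {
		return "", fmt.Errorf("federated token file %q is empty", s.path)
	}
	s.token, s.loadedAt = tok, s.now()
	return tok, nil
}

// ClientAssertionParams builds the token-endpoint form for the authorization
// code exchange when the client authenticates with a JWT bearer assertion
// (RFC 7523) instead of a client_secret. The projected service account token is
// the assertion; Entra ID checks it against the federated credential configured
// on the app registration.
func ClientAssertionParams(clientID, code, redirectURI, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"authorization_code"},
		"client_id":             {clientID},
		"code":                  {code},
		"redirect_uri":          {redirectURI},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	src, err := FromEnv(5 * time.Minute)
	if err != nil {
		fmt.Println(err)
		return
	}
	tok, err := src.Token()
	if err != nil {
		fmt.Println(err)
		return
	}
	// Never log the token itself; its length is enough to confirm the mount works.
	fmt.Printf("loaded federated token (%d bytes) from %s\n", len(tok), src.path)
}
```

Keeping the cache TTL well below the token's lifetime matters more than the exact value: the cost of a re-read is one small file, while a stale assertion turns every login callback into a token-endpoint error.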

mvoitko commented Apr 2, 2026

This PR states "Closes #4452" but it only partially addresses the issue.

Issue #4452 requests general SSO/SAML authentication for the Atlantis web UI — not limited to a specific identity provider. However, this PR only implements Entra ID (Azure AD) as a supported OIDC provider. The provider list is hardcoded:

var ValidOIDCAuthProviders = []OIDCAuthProvider{OIDCAuthEntraID}

Key gaps relative to #4452:

  • No generic OIDC provider support — users expecting to use Google, Okta, Keycloak, or other standard OIDC providers cannot do so
  • No SAML support — the issue specifically requests SAML-based authentication
  • No authorization/RBAC — the issue mentions user accounts, roles, and access controls as a desired goal

The PR description mentions the design is "extensible for future providers," but as-is, merging this with "Closes #4452" would close the issue while leaving the majority of requested SSO use cases unaddressed.

Consider either:

  1. Changing "Closes SAML/SSO Authentication for Atlantis Web UI and API #4452" to "Partially addresses SAML/SSO Authentication for Atlantis Web UI and API #4452" / "Contributes to SAML/SSO Authentication for Atlantis Web UI and API #4452"
  2. Or adding a generic OIDC provider option so any standard-compliant identity provider (Google, Okta, etc.) works out of the box
