feat(auth): migrate dotAuth (OAuth/OIDC + SAML) from plugin to core

.mvn/maven-build-cache-config.xml

@@ -28,7 +28,7 @@ https://maven.apache.org/extensions/maven-build-cache-extension/maven-build-cach
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://maven.apache.org/BUILD-CACHE-CONFIG/1.0.0 https://maven.apache.org/xsd/build-cache-config-1.0.0.xsd">
     <configuration>
-        <enabled>true</enabled>
+        <enabled>false</enabled>
         <hashAlgorithm>SHA-256</hashAlgorithm>
         <validateXml>true</validateXml>
         <local>

bom/application/pom.xml

@@ -1242,6 +1242,14 @@
                 <version>0.9.1</version>
             </dependency>
 
+            <!-- Nimbus JOSE+JWT: id_token JWKS signature verification for the OIDC flow. -->
+            <!-- jjwt 0.9.x only handles HMAC; nimbus adds RS256/ES256 + RemoteJWKSet. -->
+            <dependency>
+                <groupId>com.nimbusds</groupId>
+                <artifactId>nimbus-jose-jwt</artifactId>
+                <version>9.37.4</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcpkix-jdk18on</artifactId>

core-web/apps/dotcms-ui/src/app/app.routes.ts

@@ -163,6 +163,13 @@ const PORTLETS_ANGULAR: Route[] = [
         loadChildren: () =>
             import('@dotcms/portlets/dot-es-search/portlet').then((m) => m.dotEsSearchRoutes)
     },
+    {
+        path: 'dotAuth',
+        canActivate: [MenuGuardService],
+        canActivateChild: [MenuGuardService],
+        data: { reuseRoute: false },
+        loadChildren: () => import('@dotcms/portlets/dot-auth/portlet').then((m) => m.dotAuthRoutes)
+    },
     {
         path: 'tags',
         canActivate: [MenuGuardService],

core-web/apps/dotcms-ui/src/app/portlets/dot-apps/dot-apps-import-export-dialog/store/dot-apps-import-export-dialog.store.ts

@@ -42,9 +42,6 @@ const initialState: DotAppsImportExportDialogState = {
     errorMessage: null
 };
 
-// Subject to emit when import succeeds
-const importSuccessSubject = new Subject<void>();
-
 export const DotAppsImportExportDialogStore = signalStore(
     { providedIn: 'root' },
     withState(initialState),
@@ -63,12 +60,14 @@ export const DotAppsImportExportDialogStore = signalStore(
             return '';
         })
     })),
-    withProps(() => ({
-        /**
-         * Observable that emits when import succeeds
-         */
-        importSuccess$: importSuccessSubject.asObservable()
-    })),
+    withProps(() => {
+        const importSuccessSubject = new Subject<void>();
+
+        return {
+            _importSuccessSubject: importSuccessSubject,
+            importSuccess$: importSuccessSubject.asObservable()
+        };
+    }),
     withMethods((store) => {
         const dotAppsService = inject(DotAppsService);
         const dotMessageService = inject(DotMessageService);
@@ -77,7 +76,7 @@ export const DotAppsImportExportDialogStore = signalStore(
             /**
              * Open the export dialog
              */
-            openExport: (app: DotApp, site?: DotAppsSite) => {
+            openExport: (app: DotApp | null, site?: DotAppsSite) => {
                 patchState(store, {
                     visible: true,
                     action: dialogAction.EXPORT,
@@ -185,7 +184,7 @@ export const DotAppsImportExportDialogStore = signalStore(
                                 next: (status: string) => {
                                     if (status !== '400') {
                                         patchState(store, initialState);
-                                        importSuccessSubject.next();
+                                        store._importSuccessSubject.next();
                                     } else {
                                         patchState(store, {
                                             status: ComponentStatus.ERROR,

core-web/apps/dotcms-ui/src/app/portlets/dot-apps/dot-apps-list/dot-apps-list.component.html

@@ -25,7 +25,7 @@
                 <button
                     (click)="openExportDialog()"
                     [label]="'apps.confirmation.export.all.button' | dm"
-                    [disabled]="!isExportButtonDisabled()"
+                    [disabled]="!hasExportableApps()"
                     class="dot-apps-configuration__action_export_button"
                     pButton
                     link

core-web/apps/dotcms-ui/src/app/portlets/dot-apps/dot-apps-list/dot-apps-list.component.spec.ts

@@ -117,7 +117,7 @@ describe('DotAppsListComponent', () => {
     describe('Export Button State', () => {
         it('should enable export button when apps have configurations', () => {
             // appsResponse has one app with configurationsCount: 1
-            expect(spectator.component.isExportButtonDisabled()).toBe(true);
+            expect(spectator.component.hasExportableApps()).toBe(true);
         });
 
         it('should disable export button when no apps have configurations', () => {
@@ -133,7 +133,32 @@ describe('DotAppsListComponent', () => {
             spectator.component.reloadAppsData();
             spectator.detectChanges();
 
-            expect(spectator.component.isExportButtonDisabled()).toBe(false);
+            expect(spectator.component.hasExportableApps()).toBe(false);
+        });
+
+        it('should enable export when only hidden SAML app has configurations', () => {
+            const appsWithOnlyHiddenConfig: DotApp[] = [
+                { ...appsResponse[0], configurationsCount: 0 },
+                { ...appsResponse[1], configurationsCount: 0 },
+                {
+                    allowExtraParams: true,
+                    configurationsCount: 1,
+                    key: 'dotsaml-config',
+                    name: 'SAML',
+                    description: 'SAML config'
+                }
+            ];
+            mockDotAppsService.get.mockReturnValue(of(appsWithOnlyHiddenConfig));
+
+            spectator.component.reloadAppsData();
+            spectator.detectChanges();
+
+            expect(spectator.component.hasExportableApps()).toBe(true);
+            expect(
+                spectator.component.state
+                    .displayedApps()
+                    .some((app) => app.key === 'dotsaml-config')
+            ).toBe(false);
         });
     });
 

core-web/apps/dotcms-ui/src/app/portlets/dot-apps/dot-apps-list/dot-apps-list.component.ts

@@ -1,7 +1,15 @@
 import { patchState, signalState } from '@ngrx/signals';
 import { fromEvent as observableFromEvent } from 'rxjs';
 
-import { Component, DestroyRef, ElementRef, AfterViewInit, inject, viewChild } from '@angular/core';
+import {
+    AfterViewInit,
+    ChangeDetectionStrategy,
+    Component,
+    DestroyRef,
+    ElementRef,
+    inject,
+    viewChild
+} from '@angular/core';
 import { takeUntilDestroyed } from '@angular/core/rxjs-interop';
 import { ActivatedRoute } from '@angular/router';
 
@@ -25,6 +33,16 @@ interface DotAppsListState {
     displayedApps: DotApp[];
 }
 
+/**
+ * App keys whose config is edited through a dedicated portlet rather than the
+ * generic Apps UI. The cards are hidden from the grid; navigation to
+ * `/apps/<key>` is separately redirected by {@link dotAppsSamlRedirectGuard}.
+ */
+const HIDDEN_APP_KEYS: ReadonlySet<string> = new Set(['dotsaml-config']);
+
+const withoutHiddenApps = (apps: DotApp[]): DotApp[] =>
+    apps.filter((app) => !HIDDEN_APP_KEYS.has(app.key));
+
 @Component({
     selector: 'dot-apps-list',
     templateUrl: './dot-apps-list.component.html',
@@ -36,7 +54,8 @@ interface DotAppsListState {
         DotAppsImportExportDialogComponent,
         DotPortletBaseComponent,
         DotMessagePipe
-    ]
+    ],
+    changeDetection: ChangeDetectionStrategy.OnPush
 })
 export class DotAppsListComponent implements AfterViewInit {
     readonly #route = inject(ActivatedRoute);
@@ -88,15 +107,16 @@ export class DotAppsListComponent implements AfterViewInit {
      * Opens the Export dialog for all configurations
      */
     openExportDialog(): void {
-        // For export all, we don't pass an app - the store handles this
-        this.#dialogStore.openExport(null as unknown as DotApp);
+        // For export all, we don't pass an app — the store handles null to mean "all apps".
+        this.#dialogStore.openExport(null);
     }
 
     /**
-     * Checks if export button is disabled based on existing configurations
+     * True when at least one app has a saved configuration — the export button is
+     * enabled only in that case.
      */
-    isExportButtonDisabled(): boolean {
-        return this.state.allApps().filter((app: DotApp) => app.configurationsCount).length > 0;
+    hasExportableApps(): boolean {
+        return this.state.allApps().some((app: DotApp) => !!app.configurationsCount);
     }
 
     /**
@@ -114,7 +134,7 @@ export class DotAppsListComponent implements AfterViewInit {
     private initAppsState(apps: DotApp[]): void {
         patchState(this.state, {
             allApps: apps,
-            displayedApps: apps
+            displayedApps: withoutHiddenApps(apps)
         });
 
         this.attachFilterEvents();
@@ -134,10 +154,13 @@ export class DotAppsListComponent implements AfterViewInit {
     }
 
     private filterApps(searchCriteria?: string): void {
-        this.#dotAppsService.get(searchCriteria).subscribe((apps: DotApp[]) => {
-            patchState(this.state, {
-                displayedApps: apps
+        this.#dotAppsService
+            .get(searchCriteria)
+            .pipe(take(1), takeUntilDestroyed(this.#destroyRef))
+            .subscribe((apps: DotApp[]) => {
+                patchState(this.state, {
+                    displayedApps: withoutHiddenApps(apps)
+                });
             });
-        });
     }
 }

core-web/apps/dotcms-ui/src/app/portlets/dot-apps/dot-apps.routes.ts

@@ -7,6 +7,7 @@ import { DotAiConfigDetailComponent } from './components/dot-ai-config-detail/do
 import { DotAppsConfigurationComponent } from './components/dot-apps-configuration/dot-apps-configuration.component';
 import { DotAppsConfigurationDetailComponent } from './components/dot-apps-configuration-detail/dot-apps-configuration-detail.component';
 import { DotAppsListComponent } from './dot-apps-list/dot-apps-list.component';
+import { dotAppsSamlRedirectGuard } from './guards/dot-apps-saml-redirect.guard';
 import { DotAppsConfigurationDetailResolver } from './services/dot-apps-configuration-detail-resolver/dot-apps-configuration-detail-resolver.service';
 import { DotAppsConfigurationResolver } from './services/dot-apps-configuration-resolver/dot-apps-configuration-resolver.service';
 import { DotAppsListResolver } from './services/dot-apps-list-resolver/dot-apps-list-resolver.service';
@@ -31,6 +32,7 @@ export const dotAppsRoutes: Routes = [
     {
         component: DotAppsConfigurationDetailComponent,
         path: ':appKey/create/:id',
+        canActivate: [dotAppsSamlRedirectGuard],
         resolve: {
             data: DotAppsConfigurationDetailResolver
         },
@@ -39,6 +41,7 @@ export const dotAppsRoutes: Routes = [
     {
         component: DotAppsConfigurationDetailComponent,
         path: ':appKey/edit/:id',
+        canActivate: [dotAppsSamlRedirectGuard],
         resolve: {
             data: DotAppsConfigurationDetailResolver
         },
@@ -47,6 +50,7 @@ export const dotAppsRoutes: Routes = [
     {
         component: DotAppsConfigurationComponent,
         path: ':appKey',
+        canActivate: [dotAppsSamlRedirectGuard],
         resolve: {
             data: DotAppsConfigurationResolver
         },

core-web/apps/dotcms-ui/src/app/portlets/dot-apps/guards/dot-apps-saml-redirect.guard.ts

@@ -0,0 +1,24 @@
+import { inject } from '@angular/core';
+import { CanActivateFn, Router, UrlTree } from '@angular/router';
+
+/** AppSecrets key for SAML, mirrors `DotSamlProxyFactory.SAML_APP_CONFIG_KEY`. */
+const SAML_APP_KEY = 'dotsaml-config';
+
+/** Shell path of the dotAuth portlet, registered in `app.routes.ts`. */
+const DOT_AUTH_PATH = '/dotAuth';
+
+/**
+ * Guards the `/apps/:appKey` routes (list, create, edit): if a user lands on
+ * a SAML path — typically from a bookmark or an old docs link — route them to
+ * the dotAuth portlet, which is the sole editor for SAML config since phase-3.
+ *
+ * `dotsaml-config.yml` is kept in place so the SAML runtime's Apps descriptor
+ * lookup keeps working; the redirect only affects user navigation.
+ */
+export const dotAppsSamlRedirectGuard: CanActivateFn = (route): boolean | UrlTree => {
+    const appKey = route.paramMap.get('appKey');
+    if (appKey === SAML_APP_KEY) {
+        return inject(Router).parseUrl(DOT_AUTH_PATH);
+    }
+    return true;
+};

core-web/libs/data-access/src/index.ts

@@ -2,6 +2,7 @@ export * from './lib/add-to-bundle/add-to-bundle.service';
 export * from './lib/can-deactivate/can-deactivate-guard.service';
 export * from './lib/dot-ai/dot-ai.service';
 export * from './lib/dot-alert-confirm/dot-alert-confirm.service';
+export * from './lib/dot-auth/dot-auth.service';
 export * from './lib/dot-analytics-search/dot-analytics-search.service';
 export * from './lib/dot-analytics-tracker/dot-analytics-tracker.service';
 export * from './lib/dot-apps/dot-apps.service';