Add OIDC authentication documentation and update related resources

Introduced a comprehensive OIDC implementation guide (doc/OIDC_Implementation.md) and linked it from the documentation index and setup guide. Updated environment variable examples and explanations in doc/Setup.md for OIDC configuration. Improved resource strings and logging for OIDC user management, including clarifying admin actions required for existing accounts and moving OIDC-related messages between resource files.

Author: s1t5

Resources/SharedResource.en-GB.resx

@@ -172,13 +172,4 @@
   <data name="EMLFormatDescription" xml:space="preserve">
     <value>Creates individual .eml files organised in folders.</value>
   </data>
-  <data name="OidcUserCannotHavePassword" xml:space="preserve">
-    <value>OIDC users cannot have a password. They authenticate through the OIDC provider.</value>
-  </data>
-  <data name="OidcUserCannotChangeUsername" xml:space="preserve">
-    <value>OIDC user usernames cannot be changed as they are linked to the OIDC provider identity.</value>
-  </data>
-  <data name="OidcUserCannotChangePassword" xml:space="preserve">
-    <value>OIDC users cannot change their password. Password management is handled by your OIDC provider.</value>
-  </data>
 </root>

Resources/SharedResource.resx

@@ -2347,8 +2347,17 @@
   <data name="SignInWithOAuth" xml:space="preserve">
     <value>Login with OAuth</value>
   </data>
+  <data name="OidcUserCannotHavePassword" xml:space="preserve">
+    <value>OIDC users cannot have a password. They authenticate through the OIDC provider.</value>
+  </data>
+  <data name="OidcUserCannotChangeUsername" xml:space="preserve">
+    <value>OIDC user usernames cannot be changed as they are linked to the OIDC provider identity.</value>
+  </data>
+  <data name="OidcUserCannotChangePassword" xml:space="preserve">
+    <value>OIDC users cannot change their password. Password management is handled by your OIDC provider.</value>
+  </data>
   <data name="OidcAccountAlreadyExists" xml:space="preserve">
-    <value>An account with this email already exists. Please login with your password and link your OIDC account in your profile settings.</value>
+    <value>An account with this email already exists. Please contact your administrator to remove or modify the existing local account before using OIDC authentication.</value>
   </data>
   <data name="OidcAccountPendingApproval" xml:space="preserve">
     <value>Your account is pending admin approval. Please contact an administrator.</value>
@@ -2362,4 +2371,4 @@
   <data name="OidcClaimLengthExceeded" xml:space="preserve">
     <value>Claim values exceed maximum allowed length</value>
   </data>
-</root>
+</root>

Services/UserService.cs

@@ -84,7 +84,7 @@ public async Task<User> GetOrCreateUserFromRemoteIdentity(
 
             if (existingEmailUser != null)
             {
-                _logger.LogWarning("OIDC login attempted with email {Email} that already exists for user {Username}. Automatic linking is disabled for security. User must manually link their account.", 
+                _logger.LogWarning("OIDC login attempted with email {Email} that already exists for user {Username}. Automatic linking is disabled for security. Administrator must remove or modify the existing local account before using OIDC authentication.", 
                     email, existingEmailUser.Username);
                 throw new InvalidOperationException(_localizer["OidcAccountAlreadyExists"]);
             }

doc/Index.md

@@ -18,6 +18,7 @@ Mail Archiver is a comprehensive application designed to archive emails from var
 ### ⚙️ Configuration & Usage
 - [Access Logging](Logs.md)
 - [Docker Compose Logs Guide](DockerComposeLogs.md)
+- [OpenID Connect (OIDC) Authentication](OIDC_Implementation.md)
 - [Retention Policies](RetentionPolicies.md)
 - [Mailbox Migration](MailboxMigration.md)
 - [Mail Search Guide](Search.md)

doc/OIDC_Implementation.md

@@ -0,0 +1,174 @@
+# 🔐 OpenID Connect (OIDC) Authentication Guide
+
+[← Back to Documentation Index](Index.md)
+
+## 📋 Overview
+
+This guide provides comprehensive instructions for setting up OpenID Connect (OIDC) authentication in the Mail Archiver application, with specific examples for Microsoft Entra ID (Azure AD) integration. OIDC enables secure single sign-on (SSO) authentication using external identity providers.
+
+## 📚 Table of Contents
+
+1. [Overview](#overview)
+2. [Prerequisites](#prerequisites)
+3. [OIDC Configuration](#oidc-configuration)
+   - [Enable OIDC in Configuration](#enable-oidc-in-configuration)
+   - [Environment Variables](#environment-variables)
+4. [Microsoft Entra ID Setup](#microsoft-entra-id-setup)
+   - [Create App Registration](#create-app-registration)
+   - [Configure Authentication](#configure-authentication)
+   - [Set Token Configuration](#set-token-configuration)
+5. [Testing and Validation](#testing-and-validation)
+6. [User Management with OIDC](#user-management-with-oidc)
+7. [Troubleshooting](#troubleshooting)
+
+## 🌐 Overview
+
+The Mail Archiver application supports OpenID Connect (OIDC) authentication, allowing users to authenticate using external identity providers such as Microsoft Entra ID and other OIDC-compliant providers. This feature enhances security by leveraging enterprise identity management systems and enables single sign-on (SSO) capabilities.
+
+## 🛠️ Prerequisites
+
+- Administrative access to your chosen OIDC identity provider (e.g., Microsoft Entra ID)
+- Mail Archiver application already deployed and accessible via HTTPS
+- DNS name configured for your Mail Archiver instance (required for callback URLs)
+- Administrative access to the Mail Archiver application and host system for configuration
+
+## ⚙️ OIDC Configuration
+
+### Enable OIDC in Configuration
+
+To enable OIDC authentication, you need to configure the OAuth section in your `appsettings.json` file or environment variables for the docker deployment (see [Installation and Setup](Setup.md)).
+
+#### Example Configuration (appsettings.json)
+
+```json
+{
+  "OAuth": {
+    "Enabled": true,
+    "Authority": "https://sts.windows.net/{TENANT-ID}/",
+    "ClientId": "YOUR-CLIENT-ID",
+    "ClientSecret": "YOUR-CLIENT-SECRET",
+    "ClientScopes": [
+      "openid",
+      "profile",
+      "email"
+    ]
+  }
+}
+```
+
+### Environment Variables
+
+When using Docker Compose or environment variables, configure the following variables in your `docker-compose.yml` file under the `mailarchive-app` service environment section:
+
+```yaml
+environment:
+  # OIDC Configuration
+  - OAuth__Enabled=true
+  - OAuth__Authority=https://sts.windows.net/{TENANT-ID}/
+  - OAuth__ClientId=YOUR-CLIENT-ID
+  - OAuth__ClientSecret=YOUR-CLIENT-SECRET
+  - OAuth__ClientScopes__0=openid
+  - OAuth__ClientScopes__1=profile
+  - OAuth__ClientScopes__2=email
+```
+
+### Configuration Parameters Explained
+
+- **OAuth__Enabled**: Set to `true` to enable OIDC authentication
+- **OAuth__Authority**: The OpenID Connect authority URL of your identity provider
+- **OAuth__ClientId**: The client ID assigned by your identity provider
+- **OAuth__ClientSecret**: The client secret assigned by your identity provider
+- **OAuth__ClientScopes**: Array of scopes requested from the identity provider
+
+> ⚠️ **Important**: The Client Secret should be kept secure. Use Docker secrets or environment variables in production environments.
+
+## ☁️ Microsoft Entra ID Setup
+
+This section provides step-by-step instructions for configuring Microsoft Entra ID (formerly Azure AD) as an OIDC identity provider for Mail Archiver.
+
+### 🚀 Create App Registration
+
+1. Navigate to the [Microsoft Entra Admin Center](https://entra.microsoft.com)
+2. Sign in with your administrator account
+3. In the left navigation pane, select **App registrations**
+4. Click **+ New registration** at the top of the App registrations page
+5. Fill in the following details:
+   - **Name**: Enter a descriptive name (e.g., "Mail Archiver OIDC")
+   - **Supported account types**: Select **Accounts in this organizational directory only**
+   - **Redirect URI**: Select **Web** and enter your Mail Archiver callback URL:
+     ```
+     https://your-mail-archiver-domain/oidc-signin-completed
+     ```
+     Replace `your-mail-archiver-domain` with your actual domain (e.g., `mailarchiver.example.com`)
+
+6. Click **Register**
+
+### 🔐 Configure Authentication
+
+1. After registration, note down the following values from the **Overview** page:
+   - **Application (client) ID** - You'll need this as `OAuth__ClientId`
+   - **Directory (tenant) ID** - You'll need this in the Authority URL
+
+2. In the left menu, select **Authentication**
+3. Click **Settings**
+4. Under **Implicit grant and hybrid flows**, ensure **ID tokens** is checked
+5. Under **Supported account types**, verify your selection matches your requirements
+6. Under **Redirect URIs**, ensure your callback URL is listed correctly
+
+### 🎯 Configure API Permissions
+
+1. In the left menu, select **API permissions**
+2. Click **+ Add a permission**
+3. Select **Microsoft Graph**
+4. Choose **Delegated permissions**
+5. Add the following permissions (if needed for additional features):
+   - **openid** - Sign users in 
+   - **email** - View users' email address
+   - **profile** - View users' basic profile
+6. Click **Add permissions**
+7. Click **Grant admin consent for [Your Organization]** if you want to pre-authorize the application
+
+### 🔑 Generate Client Secret
+
+1. Navigate to **Certificates & secrets** in the left menu
+2. Under **Client secrets**, click **+ New client secret**
+3. Provide a description (e.g., "Mail Archiver Auth Secret")
+4. Select an expiration period
+5. Click **Add**
+6. **Important**: Copy the **Value** immediately and store it securely. This secret will not be shown again. It's needed as the `OAuth__ClientSecret`
+
+## 🧪 Testing and Validation
+
+### Initial Setup Testing
+
+1. Restart your Mail Archiver application after configuring OIDC settings
+2. Navigate to your Mail Archiver login page
+3. You should see a new "Login with OAuth" button alongside the regular login form
+4. Click the "Login with OAuth" button to initiate the OIDC flow
+5. You should be redirected to your identity provider's login page
+6. After successful authentication, you should be redirected back to Mail Archiver
+
+### User Provisioning Validation
+
+- First-time OIDC users will be automatically created in the Mail Archiver database
+- Users will be created with the default "User" role and will need admin approval for access
+
+## 👥 User Management with OIDC
+
+### User Roles and Permissions
+
+OIDC users follow the same role-based access control as local users:
+- **Admin**: Full system access (requires manual assignment by existing admin)
+- **User**: Standard user access to assigned mail accounts
+- **Self-Manager**: Can manage their own account and add new accounts
+
+### Password Management
+
+OIDC users cannot have or change passwords within Mail Archiver since authentication is handled by the external identity provider:
+- The "Change Password" option will be disabled for OIDC users
+- Password reset must be handled through the OIDC provider
+- Local password fields will remain empty for OIDC users
+
+---
+
+**Note**: This guide is current as of 2025. Identity provider services regularly update their interfaces and features, so some UI elements may differ. Always refer to the latest documentation from your identity provider for the most up-to-date information.

doc/Setup.md

@@ -70,6 +70,18 @@ services:
       - Logging__LogLevel__Default=Information
       - Logging__LogLevel__Microsoft_AspNetCore=Warning
       - Logging__LogLevel__Microsoft_EntityFrameworkCore_Database_Command=Warning
+
+      # Security Settings
+      - AllowedHosts=mailarchiver.example.com;www.mailarchiver.example.com
+
+      # OIDC Configuration (see OIDC_Implementation.md for detailed setup)
+      - OAuth__Enabled=true
+      - OAuth__Authority=https://example.com
+      - OAuth__ClientId=YOUR-CLIENT-ID
+      - OAuth__ClientSecret=YOUR-CLIENT-SECRET
+      - OAuth__ClientScopes__0=openid
+      - OAuth__ClientScopes__1=profile
+      - OAuth__ClientScopes__2=email
     ports:
       - "5000:5000"
     networks:
@@ -183,6 +195,21 @@ docker compose restart
 - `Logging__LogLevel__Microsoft_AspNetCore`: Log level for ASP.NET Core framework messages. Default is `Warning`.
 - `Logging__LogLevel__Microsoft_EntityFrameworkCore_Database_Command`: Log level for Entity Framework database commands. Default is `Warning`.
 
+### 🛡️ Security Settings
+- `AllowedHosts`: A semicolon-separated list of host names that the application is allowed to serve. This helps prevent HTTP Host header attacks. Example: `AllowedHosts=mailarchiver.example.com;www.mailarchiver.example.com`. **Important**: Do not use `*` in production environments as it disables host header validation.
+
+### 🔐 OIDC Configuration
+
+For detailed setup instructions for OpenID Connect authentication, see [OIDC Implementation Guide](OIDC_Implementation.md).
+
+- `OAuth__Enabled`: Enable or disable OIDC authentication (true/false)
+- `OAuth__Authority`: The OpenID Connect authority URL (e.g., https://sts.windows.net/{TENANT-ID}/ for Azure AD)
+- `OAuth__ClientId`: The client ID assigned by your identity provider
+- `OAuth__ClientSecret`: The client secret assigned by your identity provider
+- `OAuth__ClientScopes__0`: First scope requested from the identity provider (openid)
+- `OAuth__ClientScopes__1`: Second scope requested from the identity provider (profile)
+- `OAuth__ClientScopes__2`: Third scope requested from the identity provider (email)
+
 ## 🔐 Kestrel HTTPS Configuration (Optional)
 
 While the application is meant to be accessed through a reverse proxy with HTTPS, you can also configure the Kestrel web server to use SSL/TLS certificates. This provides end-to-end encryption between the reverse proxy and the application container.