feat: Login with OAuth via OpenID Connect (OIDC) (#3280)

* initial oidc implementation

* add dynamic scheme

* e2e test setup

* add caching

* fix

* try this

* add libldap-2.5 to runtime dependencies (#2849)

* New translations en-us.json (Norwegian) (#2851)

* New Crowdin updates (#2855)

* New translations en-us.json (Italian)

* New translations en-us.json (Norwegian)

* New translations en-us.json (Portuguese)

* fix

* remove cache

* cache yarn deps

* cache docker image

* cleanup action

* lint

* fix tests

* remove not needed variables

* run code gen

* fix tests

* add docs

* move code into custom scheme

* remove unneeded type

* fix oidc admin

* add more tests

* add better spacing on login page

* create auth providers

* clean up testing stuff

* type fixes

* add OIDC auth method to postgres enum

* add option to bypass login screen and go directly to iDP

* remove check so we can fallback to another auth method oauth fails

* Add provider name to be shown at the login screen

* add new properties to admin about api

* fix spec

* add a prompt to change auth method when changing password

* Create new auth section. Add more info on auth methods

* update docs

* run ruff

* update docs

* format

* docs gen

* formatting

* initialize logger in class

* mypy type fixes

* docs gen

* add models to get proper fields in docs and fix serialization

* validate id token before using it

* only request a mealie token on initial callback

* remove unused method

* fix unit tests

* docs gen

* check for valid idToken before getting token

* add iss to mealie token

* check to see if we already have a mealie token before getting one

* fix lock file

* update authlib

* update lock file

* add remember me environment variable

* add user group setting to allow only certain groups to log in

---------

Co-authored-by: Carter Mintey <cmintey8@gmail.com>
Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>

docs/docs/documentation/getting-started/authentication/ldap.md

@@ -0,0 +1,8 @@
+# LDAP Authentication
+
+If LDAP is enabled and [configured properly](../installation/backend-config.md), users will be able to log in with their LDAP credentials. If the user does not already have an account in Mealie, then one will be created.
+
+If the user already has an account in Mealie and wants to use their LDAP credentials instead, then you can go to the **User Management** page in the admin panel and change the "Authentication Backend" from `Mealie` to `LDAP`. If for whatever reason, the user no longer wants to use LDAP authentication, then you can switch this back to `Mealie`.
+
+!!! warning "Head's Up"
+    If you switch a user from `LDAP` to `Mealie` who was initially created by LDAP, then the user will have to reset their password through the password reset flow.

docs/docs/documentation/getting-started/authentication/oidc.md

@@ -0,0 +1,88 @@
+# OpenID Connect (OIDC) Authentication
+
+Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many identity providers, including:
+
+- [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect)
+- [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/)
+- [Keycloak](https://www.keycloak.org/docs/latest/securing_apps/#_oidc)
+- [Okta](https://www.okta.com/openid-connect/)
+
+## Account Linking
+
+Signing in with OAuth will automatically find your account in Mealie and link to it. If a user does not exist in Mealie, then one will be created (if enabled), but will be unable to log in with any other authentication method. An admin can configure another authentication method for such a user.
+
+## Provider Setup
+
+Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code** flow (with PKCE). The steps will vary by provider, but generally, the steps are as follows.
+
+1. Create a new client application
+    - The Provider type should be OIDC or OAuth2
+    - The Grant type should be `Authorization Code`
+    - The Application type should be `Web`
+    - The Client type should be `public`
+
+2. Configure redirect URI
+
+    The only redirect URI that is needed is `http(s)://DOMAIN:PORT/login`
+
+    The redirect URI should include any URL that Mealie is accessible from. Some examples include
+
+        http://localhost:9091/login
+        https://mealie.example.com/login
+
+3. Configure origins
+
+    If your identity provider enforces CORS on any endpoints, you will need to specify your Mealie URL as an Allowed Origin.
+
+4. Configure allowed scopes
+
+    The scopes required are `openid profile email groups`
+
+## Mealie Setup
+
+Take the client id and your discovery URL and update your environment variables to include the required OIDC variables described in [Installation - Backend Configuration](../installation/backend-config.md#openid-connect-oidc)
+
+## Examples
+
+### Authelia
+
+Follow the instructions in [Authelia's documentation](https://www.authelia.com/configuration/identity-providers/open-id-connect/). Below is an example config
+
+!!! warning
+
+    This is only an example and not meant to be an exhaustive configuration. You should read read through the documentation and adjust your configuration as needed.
+
+```yaml
+identity_providers:
+  oidc:
+    access_token_lifespan: 1h
+    authorize_code_lifespan: 1m
+    id_token_lifespan: 1h
+    refresh_token_lifespan: 90m
+    enable_client_debug_messages: false
+    enforce_pkce: public_clients_only
+    cors:
+      endpoints:
+        - authorization
+        - token
+        - revocation
+        - introspection
+      allowed_origins:
+        - https://mealie.example.com
+      allowed_origins_from_client_redirect_uris: false
+    clients:
+      - id: mealie
+        description: Mealie
+        authorization_policy: one_factor
+        redirect_uris:
+          - https://mealie.example.com/login
+        public: true
+        grant_types:
+          - authorization_code
+        scopes:
+          - openid
+          - profile
+          - groups
+          - email
+          - offline_access
+```