fix(deps): update sentry-javascript monorepo to v7.105.0

This PR stems from issue #2150, in turn following up on PR #1393

It adds additional details around the OIDC authentication feature, as well as details about how the team assignment works.

Co-authored-by: Daniel Herrmann <daniel.herrmann1@gmail.com>
Reviewed-on: #2151
Reviewed-by: konrad <k@knt.li>
Co-authored-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
Co-committed-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>

Dockerfile

@@ -44,3 +44,4 @@ ENV VIKUNJA_SERVICE_ROOTPATH=/app/vikunja/
 ENV VIKUNJA_DATABASE_PATH=/db/vikunja.db
 
 COPY --from=apibuilder /build/vikunja-* vikunja
+COPY --from=apibuilder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

config.yml.sample

@@ -6,7 +6,7 @@ service:
   # The duration of the issued JWT tokens in seconds.
   # The default is 259200 seconds (3 Days).
   jwtttl: 259200
-  # The duration of the "remember me" time in seconds. When the login request is made with 
+  # The duration of the "remember me" time in seconds. When the login request is made with
   # the long param set, the token returned will be valid for this period.
   # The default is 2592000 seconds (30 Days).
   jwtttllong: 2592000
@@ -48,7 +48,7 @@ service:
   # If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
   # is due.
   enableemailreminders: true
-  # If true, will allow users to request the complete deletion of their account. When using external authentication methods 
+  # If true, will allow users to request the complete deletion of their account. When using external authentication methods
   # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
   # for user deletion.
   enableuserdeletion: true
@@ -109,7 +109,7 @@ database:
 typesense:
   # Whether to enable the Typesense integration. If true, all tasks will be synced to the configured Typesense
   # instance and all search and filtering will run through Typesense instead of only through the database.
-  # Typesense allows fast fulltext search including fuzzy matching support. It may return different results than 
+  # Typesense allows fast fulltext search including fuzzy matching support. It may return different results than
   # what you'd get with a database-only search.
   enabled: false
   # The url to the Typesense instance you want to use. Can be hosted locally or in Typesense Cloud as long
@@ -203,7 +203,7 @@ ratelimit:
   # Possible values are "keyvalue", "memory" or "redis".
   # When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
   store: keyvalue
-  # The number of requests a user can make from the same IP to all unauthenticated routes (login, register, 
+  # The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
   # password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
   # You should only change this if you know what you're doing.
   noauthlimit: 10
@@ -301,13 +301,11 @@ auth:
     enabled: true
   # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
   # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
-  # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
+  # **Note:** Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible.
   # If the email is not public in those cases, authenticating will fail.
-  # **Note 2:** The frontend expects to be redirected after authentication by the third party
-  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url in your third party
-  # auth service accordingly if you're using the default vikunja frontend.
-  # The frontend will automatically provide the api with the redirect url, composed from the current url where it's hosted.
-  # If you want to use the desktop client with openid, make sure to allow redirects to `127.0.0.1`.
+  # **Note 2:** The frontend expects the third party to rediect the user <frontend-url>/auth/openid/<auth key> after authentication. Please make sure to configure the redirect url in your third party auth service accordingly if you're using the default vikunja frontend.
+  # The frontend will automatically provide the API with the redirect url, composed from the current url where it's hosted.
+  # If you want to use the desktop client with OpenID, make sure to allow redirects to `127.0.0.1`.
   # Take a look at the [default config file](https://kolaente.dev/vikunja/vikunja/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
   openid:
     # Enable or disable OpenID Connect authentication
@@ -325,6 +323,10 @@ auth:
         clientid:
         # The client secret used to authenticate Vikunja at the OpenID Connect provider.
         clientsecret:
+        # The scope necessary to use oidc.
+        # If you want to use the Feature to create and assign to vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/).
+        # e.g. scope: openid email profile vikunja_scope
+        scope: openid email profile
 
 # Prometheus metrics endpoint
 metrics:

desktop/package.json

@@ -52,7 +52,7 @@
   },
   "devDependencies": {
     "electron": "29.1.0",
-    "electron-builder": "24.12.0"
+    "electron-builder": "24.13.3"
   },
   "dependencies": {
     "connect-history-api-fallback": "2.0.0",

desktop/yarn.lock

@@ -40,10 +40,10 @@
   optionalDependencies:
     global-agent "^3.0.0"
 
-"@electron/notarize@2.1.0":
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-2.1.0.tgz#76aaec10c8687225e8d0a427cc9df67611c46ff3"
-  integrity sha512-Q02xem1D0sg4v437xHgmBLxI2iz/fc0D4K7fiVWHa/AnW8o7D751xyKNXgziA6HrTOme9ul1JfWN5ark8WH1xA==
+"@electron/notarize@2.2.1":
+  version "2.2.1"
+  resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-2.2.1.tgz#d0aa6bc43cba830c41bfd840b85dbe0e273f59fe"
+  integrity sha512-aL+bFMIkpR0cmmj5Zgy0LMKEpgy43/hw5zadEArgmAMWWlKc5buwFvFT9G/o/YJkvXAJm5q3iuTuLaiaXW39sg==
   dependencies:
     debug "^4.1.1"
     fs-extra "^9.0.1"
@@ -61,10 +61,10 @@
     minimist "^1.2.6"
     plist "^3.0.5"
 
-"@electron/universal@1.4.1":
-  version "1.4.1"
-  resolved "https://registry.yarnpkg.com/@electron/universal/-/universal-1.4.1.tgz#3fbda2a5ed9ff9f3304c8e8316b94c1e3a7b3785"
-  integrity sha512-lE/U3UNw1YHuowNbTmKNs9UlS3En3cPgwM5MI+agIgr/B1hSze9NdOP0qn7boZaI9Lph8IDv3/24g9IxnJP7aQ==
+"@electron/universal@1.5.1":
+  version "1.5.1"
+  resolved "https://registry.yarnpkg.com/@electron/universal/-/universal-1.5.1.tgz#f338bc5bcefef88573cf0ab1d5920fac10d06ee5"
+  integrity sha512-kbgXxyEauPJiQQUNG2VgUeyfQNFk6hBF11ISN2PNI6agUgPl55pv4eQmaqHzTAzchBvqZ2tQuRVaPStGf0mxGw==
   dependencies:
     "@electron/asar" "^3.2.1"
     "@malept/cross-spawn-promise" "^1.1.0"
@@ -253,25 +253,25 @@ app-builder-bin@4.0.0:
   resolved "https://registry.yarnpkg.com/app-builder-bin/-/app-builder-bin-4.0.0.tgz#1df8e654bd1395e4a319d82545c98667d7eed2f0"
   integrity sha512-xwdG0FJPQMe0M0UA4Tz0zEB8rBJTRA5a476ZawAqiBkMv16GRK5xpXThOjMaEOFnZ6zabejjG4J3da0SXG63KA==
 
-app-builder-lib@24.12.0:
-  version "24.12.0"
-  resolved "https://registry.yarnpkg.com/app-builder-lib/-/app-builder-lib-24.12.0.tgz#2e985968c341d28fc887be3ecee658e6a240e147"
-  integrity sha512-t/xinVrMbsEhwljLDoFOtGkiZlaxY1aceZbHERGAS02EkUHJp9lgs/+L8okXLlYCaDSqYdB05Yb8Co+krvguXA==
+app-builder-lib@24.13.3:
+  version "24.13.3"
+  resolved "https://registry.yarnpkg.com/app-builder-lib/-/app-builder-lib-24.13.3.tgz#36e47b65fecb8780bb73bff0fee4e0480c28274b"
+  integrity sha512-FAzX6IBit2POXYGnTCT8YHFO/lr5AapAII6zzhQO3Rw4cEDOgK+t1xhLc5tNcKlicTHlo9zxIwnYCX9X2DLkig==
   dependencies:
     "@develar/schema-utils" "~2.6.5"
-    "@electron/notarize" "2.1.0"
+    "@electron/notarize" "2.2.1"
     "@electron/osx-sign" "1.0.5"
-    "@electron/universal" "1.4.1"
+    "@electron/universal" "1.5.1"
     "@malept/flatpak-bundler" "^0.4.0"
     "@types/fs-extra" "9.0.13"
     async-exit-hook "^2.0.1"
     bluebird-lst "^1.0.9"
-    builder-util "24.9.4"
-    builder-util-runtime "9.2.3"
+    builder-util "24.13.1"
+    builder-util-runtime "9.2.4"
     chromium-pickle-js "^0.2.0"
     debug "^4.3.4"
     ejs "^3.1.8"
-    electron-publish "24.9.4"
+    electron-publish "24.13.1"
     form-data "^4.0.0"
     fs-extra "^10.1.0"
     hosted-git-info "^4.1.0"
@@ -409,24 +409,24 @@ buffer@^5.1.0:
     base64-js "^1.3.1"
     ieee754 "^1.1.13"
 
-builder-util-runtime@9.2.3:
-  version "9.2.3"
-  resolved "https://registry.yarnpkg.com/builder-util-runtime/-/builder-util-runtime-9.2.3.tgz#0a82c7aca8eadef46d67b353c638f052c206b83c"
-  integrity sha512-FGhkqXdFFZ5dNC4C+yuQB9ak311rpGAw+/ASz8ZdxwODCv1GGMWgLDeofRkdi0F3VCHQEWy/aXcJQozx2nOPiw==
+builder-util-runtime@9.2.4:
+  version "9.2.4"
+  resolved "https://registry.yarnpkg.com/builder-util-runtime/-/builder-util-runtime-9.2.4.tgz#13cd1763da621e53458739a1e63f7fcba673c42a"
+  integrity sha512-upp+biKpN/XZMLim7aguUyW8s0FUpDvOtK6sbanMFDAMBzpHDqdhgVYm6zc9HJ6nWo7u2Lxk60i2M6Jd3aiNrA==
   dependencies:
     debug "^4.3.4"
     sax "^1.2.4"
 
-builder-util@24.9.4:
-  version "24.9.4"
-  resolved "https://registry.yarnpkg.com/builder-util/-/builder-util-24.9.4.tgz#8cde880e7c719285e9cb30e6850ddd5bf475ac04"
-  integrity sha512-YNon3rYjPSm4XDDho9wD6jq7vLRJZUy9FR+yFZnHoWvvdVCnZakL4BctTlPABP41MvIH5yk2cTZ2YfkOhGistQ==
+builder-util@24.13.1:
+  version "24.13.1"
+  resolved "https://registry.yarnpkg.com/builder-util/-/builder-util-24.13.1.tgz#4a4c4f9466b016b85c6990a0ea15aa14edec6816"
+  integrity sha512-NhbCSIntruNDTOVI9fdXz0dihaqX2YuE1D6zZMrwiErzH4ELZHE6mdiB40wEgZNprDia+FghRFgKoAqMZRRjSA==
   dependencies:
     "7zip-bin" "~5.2.0"
     "@types/debug" "^4.1.6"
     app-builder-bin "4.0.0"
     bluebird-lst "^1.0.9"
-    builder-util-runtime "9.2.3"
+    builder-util-runtime "9.2.4"
     chalk "^4.1.2"
     cross-spawn "^7.0.3"
     debug "^4.3.4"
@@ -689,14 +689,14 @@ dir-compare@^3.0.0:
     buffer-equal "^1.0.0"
     minimatch "^3.0.4"
 
-dmg-builder@24.12.0:
-  version "24.12.0"
-  resolved "https://registry.yarnpkg.com/dmg-builder/-/dmg-builder-24.12.0.tgz#62a08162f2b3160a286d03ebb6db65c36a3711c7"
-  integrity sha512-nS22OyHUIYcK40UnILOtqC5Qffd1SN1Ljqy/6e+QR2H1wM3iNBrKJoEbDRfEmYYaALKNFRkKPqSbZKRsGUBdPw==
+dmg-builder@24.13.3:
+  version "24.13.3"
+  resolved "https://registry.yarnpkg.com/dmg-builder/-/dmg-builder-24.13.3.tgz#95d5b99c587c592f90d168a616d7ec55907c7e55"
+  integrity sha512-rcJUkMfnJpfCboZoOOPf4L29TRtEieHNOeAbYPWPxlaBw/Z1RKrRA86dOI9rwaI4tQSc/RD82zTNHprfUHXsoQ==
   dependencies:
-    app-builder-lib "24.12.0"
-    builder-util "24.9.4"
-    builder-util-runtime "9.2.3"
+    app-builder-lib "24.13.3"
+    builder-util "24.13.1"
+    builder-util-runtime "9.2.4"
     fs-extra "^10.1.0"
     iconv-lite "^0.6.2"
     js-yaml "^4.1.0"
@@ -739,16 +739,16 @@ ejs@^3.1.8:
   dependencies:
     jake "^10.8.5"
 
-electron-builder@24.12.0:
-  version "24.12.0"
-  resolved "https://registry.yarnpkg.com/electron-builder/-/electron-builder-24.12.0.tgz#95c41d14b3b1cc177db62715e42ef9fd27344491"
-  integrity sha512-dH4O9zkxFxFbBVFobIR5FA71yJ1TZSCvjZ2maCskpg7CWjBF+SNRSQAThlDyUfRuB+jBTMwEMzwARywmap0CSw==
+electron-builder@24.13.3:
+  version "24.13.3"
+  resolved "https://registry.yarnpkg.com/electron-builder/-/electron-builder-24.13.3.tgz#c506dfebd36d9a50a83ee8aa32d803d83dbe4616"
+  integrity sha512-yZSgVHft5dNVlo31qmJAe4BVKQfFdwpRw7sFp1iQglDRCDD6r22zfRJuZlhtB5gp9FHUxCMEoWGq10SkCnMAIg==
   dependencies:
-    app-builder-lib "24.12.0"
-    builder-util "24.9.4"
-    builder-util-runtime "9.2.3"
+    app-builder-lib "24.13.3"
+    builder-util "24.13.1"
+    builder-util-runtime "9.2.4"
     chalk "^4.1.2"
-    dmg-builder "24.12.0"
+    dmg-builder "24.13.3"
     fs-extra "^10.1.0"
     is-ci "^3.0.0"
     lazy-val "^1.0.5"
@@ -756,14 +756,14 @@ electron-builder@24.12.0:
     simple-update-notifier "2.0.0"
     yargs "^17.6.2"
 
-electron-publish@24.9.4:
-  version "24.9.4"
-  resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-24.9.4.tgz#70db542763a78e4980e4e6409c203aef320d0d05"
-  integrity sha512-FghbeVMfxHneHjsG2xUSC0NMZYWOOWhBxfZKPTbibcJ0CjPH0Ph8yb5CUO62nqywXfA5u1Otq6K8eOdOixxmNg==
+electron-publish@24.13.1:
+  version "24.13.1"
+  resolved "https://registry.yarnpkg.com/electron-publish/-/electron-publish-24.13.1.tgz#57289b2f7af18737dc2ad134668cdd4a1b574a0c"
+  integrity sha512-2ZgdEqJ8e9D17Hwp5LEq5mLQPjqU3lv/IALvgp+4W8VeNhryfGhYEQC/PgDPMrnWUp+l60Ou5SJLsu+k4mhQ8A==
   dependencies:
     "@types/fs-extra" "^9.0.11"
-    builder-util "24.9.4"
-    builder-util-runtime "9.2.3"
+    builder-util "24.13.1"
+    builder-util-runtime "9.2.4"
     chalk "^4.1.2"
     fs-extra "^10.1.0"
     lazy-val "^1.0.5"

docker/entrypoint.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env sh
-set -e
-
-if [ -n "$PUID" ] && [ "$PUID" -ne 0 ] && \
-   [ -n "$PGID" ] && [ "$PGID" -ne 0 ] ; then
-  echo "info: creating the new user vikunja with $PUID:$PGID"
-  groupmod -g "$PGID" -o vikunja
-  usermod -u "$PUID" -o vikunja
-  chown -R vikunja:vikunja ./files/
-  chown vikunja:vikunja .
-  exec su vikunja -c /app/vikunja/vikunja "$@"
-else
-  echo "info: creation of non-root user is skipped"
-  exec /app/vikunja/vikunja "$@"
-fi

docs/content/doc/setup/config.md

@@ -94,7 +94,7 @@ Environment path: `VIKUNJA_SERVICE_JWTTTL`
 
 ### jwtttllong
 
-The duration of the "remember me" time in seconds. When the login request is made with 
+The duration of the "remember me" time in seconds. When the login request is made with
 the long param set, the token returned will be valid for this period.
 The default is 2592000 seconds (30 Days).
 
@@ -289,7 +289,7 @@ Environment path: `VIKUNJA_SERVICE_ENABLEEMAILREMINDERS`
 
 ### enableuserdeletion
 
-If true, will allow users to request the complete deletion of their account. When using external authentication methods 
+If true, will allow users to request the complete deletion of their account. When using external authentication methods
 it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
 for user deletion.
 
@@ -406,7 +406,7 @@ Environment path: `VIKUNJA_SENTRY_FRONTENDDSN`
 
 ### type
 
-Database type to use. Supported types are mysql, postgres and sqlite.
+Database type to use. Supported values are mysql, postgres and sqlite. Vikunja is able to run with MySQL 8.0+, Mariadb 10.2+, PostgreSQL 12+, and sqlite.
 
 Default: `sqlite`
 
@@ -569,7 +569,7 @@ Environment path: `VIKUNJA_DATABASE_TLS`
 
 Whether to enable the Typesense integration. If true, all tasks will be synced to the configured Typesense
 instance and all search and filtering will run through Typesense instead of only through the database.
-Typesense allows fast fulltext search including fuzzy matching support. It may return different results than 
+Typesense allows fast fulltext search including fuzzy matching support. It may return different results than
 what you'd get with a database-only search.
 
 Default: `false`
@@ -1024,7 +1024,7 @@ Environment path: `VIKUNJA_RATELIMIT_STORE`
 
 ### noauthlimit
 
-The number of requests a user can make from the same IP to all unauthenticated routes (login, register, 
+The number of requests a user can make from the same IP to all unauthenticated routes (login, register,
 password confirmation, email verification, password reset request) per minute. This limit cannot be disabled.
 You should only change this if you know what you're doing.
 
@@ -1209,13 +1209,11 @@ Environment path: `VIKUNJA_AUTH_LOCAL`
 
 OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
 The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
-**Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
+**Note:** Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible.
 If the email is not public in those cases, authenticating will fail.
-**Note 2:** The frontend expects to be redirected after authentication by the third party
-to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url in your third party
-auth service accordingly if you're using the default vikunja frontend.
-The frontend will automatically provide the api with the redirect url, composed from the current url where it's hosted.
-If you want to use the desktop client with openid, make sure to allow redirects to `127.0.0.1`.
+**Note 2:** The frontend expects the third party to rediect the user <frontend-url>/auth/openid/<auth key> after authentication. Please make sure to configure the redirect url in your third party auth service accordingly if you're using the default vikunja frontend.
+The frontend will automatically provide the API with the redirect url, composed from the current url where it's hosted.
+If you want to use the desktop client with OpenID, make sure to allow redirects to `127.0.0.1`.
 Take a look at the [default config file](https://kolaente.dev/vikunja/vikunja/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
 
 Default: `<empty>`

docs/content/doc/setup/openid-examples.md

@@ -10,7 +10,7 @@ menu:
 
 # OpenID example configurations
 
-On this page you will find examples about how to set up Vikunja with a third-party OpenID provider.
+On this page you will find examples about how to set up Vikunja with a third-party OAuth 2.0 provider using OpenID Connect.
 To add another example, please [edit this document](https://kolaente.dev/vikunja/vikunja/src/branch/main/docs/content/doc/setup/openid-examples.md) and send a PR.
 
 {{< table_of_contents >}}
@@ -67,7 +67,7 @@ Google config:
 
 Note that there currently seems to be no way to stop creation of new users, even when `enableregistration` is `false` in the configuration. This means that this approach works well only with an "Internal Organization" app for Google Workspace, which limits the allowed users to organizational accounts only. External / public applications will potentially allow every Google user to register.
 
-## Keycloak 
+## Keycloak
 
 Vikunja Config:
 ```yaml
@@ -111,4 +111,7 @@ auth:
         clientsecret: "" # copy from Authentik
 ```
 
-**Note:** The `authurl` that Vikunja requires is not the `Authorize URL` that you can see in the Provider. Vikunja uses Open ID Discovery to find the correct endpoint to use. Vikunja does this by automatically accessing the `OpenID Configuration URL` (usually `https://authentik.mydomain.com/application/o/vikunja/.well-known/openid-configuration`). Use this URL without the `.well-known/openid-configuration` as the `authurl`.
+**Note:** The `authurl` that Vikunja requires is not the `Authorize URL` that you can see in the Provider.
+OpenID Discovery is used to find the correct endpoint to use automatically, by accessing the `OpenID Configuration URL` (usually `https://authentik.mydomain.com/application/o/vikunja/.well-known/openid-configuration`).
+Use this URL without the `.well-known/openid-configuration` as the `authurl`.
+Typically this URL can be found in the metadata section within your identity provider.

docs/content/doc/setup/openid.md

@@ -0,0 +1,180 @@
+---
+date: "2022-08-09:00:00+02:00"
+title: "OpenID"
+draft: false
+type: "doc"
+menu:
+  sidebar:
+    parent: "setup"
+---
+
+# OpenID
+
+Vikunja allows for authentication with an external identity source such as Authentik, Keycloak or similar via the
+[OpenID Connect](https://openid.net/developers/specs/) standard.
+
+{{< table_of_contents >}}
+
+## OpenID Connect Overview
+
+OpenID Connect is a standardized identity layer built on top of the more generic OAuth 2.0 specification, simplying interaction between the involved parties significantly.
+While the [OpenID specification](https://openid.net/specs/openid-connect-core-1_0.html#Overview) is worth a read, we summarize the most important basics here.
+
+The involved parties are:
+
+- **Resource Owner:** typically the end-user
+- **Resource Server:** the application server handling requests from the client, the Vikunja API in our case
+- **Client:** the application or client accessing the RS on behalf of the RO. Vikunja web frontend or any of the apps
+- **Authorization Server:** the server verifying the user identity and issuing tokens. These docs also use the words `OAuth 2.0 provider`, `Identity Provider` interchangeably.
+
+After the user is authenticated, the provider issues a token to the user, containing various claims.
+There's different types of tokens (ID token, access token, refresh token), and all of them are created as [JSON Web Token](https://www.rfc-editor.org/info/rfc7519).
+Claims in turn are assertions containing information about the token bearer, usually the user.
+
+**Scopes** are requested by the client when redirecting the end-user to the Authorization Server for authentication, and indirectly control which claims are included in the resulting tokens.
+There's certain default scopes, but its also possible to define custom scopes, which are used by the feature assigning users to Teams automatically.
+
+## Configuring OIDC Authentication
+
+To achieve authentication via an external provider, it is required to (a) configure a confidential Client on your OAuth 2.0 provider and (b) configure Vikunja to authenticate against this provider. 
+[Example configurations]({{< ref "openid-examples.md">}}) are provided for various different identity providers, below you can find generic guides though.
+
+OpenID Connect defines various flow types indicating how exactly the interaction between the involved parties work, Vikunja makes use of the standard **Authorization Code Flow**.
+
+### Step 1: Configure your Authorization Server
+
+The first step is to configure the Authorization Server to correctly handle requests coming from Vikunja.
+In general, this involves the following steps at a minimum:
+
+- Create a confidential client and obtain the client ID and client secret
+- Configure (whitelist) redirect URLs that can be used by Vikunja
+- Make sure the required scopes (`openid profile email` are the default scopes used by Vikunja) are supported
+- Optional: configure an additional scope for automatic team assignment, see below for details
+
+More detailled instructions for various different identity providers can be [found here]({{< ref "openid-examples.md">}})
+
+### Step 2: Configure Vikunja
+
+Vikunja has to be configured to use the identity provider. Please note that there is currently no option to configure these settings via environment variables, they have to be defined using the configuration file. The configuration schema is as follows:
+
+```yaml
+auth:
+  openid:
+    enabled: true
+    redirecturl: https://vikunja.mydomain.com/auth/openid/  <---- slash at the end is important
+    providers:
+      - name: <provider-name>
+        authurl: <auth-url>
+        clientid: <vikunja client-id>
+        clientsecret: <vikunja client-secret>
+        scope: openid profile email
+```
+
+The values for `authurl` can be obtained from the Metadata of your provider, while `clientid` and `clientsecret` are obtained when configuring the client.
+The scope usually doesn't need to be specified or changed, unless you want to configure the automatic team assignment.
+
+Optionally it is possible to disable local authentication and therefore forcing users to login via OpenID connect:
+
+```yaml
+auth:
+  local:
+    enabled: false
+```
+
+## Automatically assign users to teams
+
+Vikunja is capable of automatically adding users to a team based on OIDC claims added by the identity provider.
+If configured, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams.
+Teams which exist only because they were created from oidc attributes are not editable in Vikunja.
+
+To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally.
+Within the UI, the teams created through OIDC get a `(OIDC)` suffix to make them distinguishable from locally created teams.
+
+On a high level, you need to make sure that the **ID token** issued by your identity provider contains a `vikunja_groups` claim, following the structure defined below.
+It depends on the provider being used as well as the preferences of the administrator how this is achieved.
+Typically you'd want to request an additional scope (e.g. `vikunja_scope`) which then triggers the identity provider to add the claim.
+If the `vikunja_groups` is part of the **ID token**, Vikunja will  start the procedure and import teams and team memberships.
+
+The claim structure expexted by Vikunja is as follows:
+
+```json
+{
+    "vikunja_groups": [
+        {
+            "name": "team 1",
+            "oidcID": 33349
+        },
+        {
+            "name": "team 2",
+            "oidcID": 35933
+        }
+    ]
+}
+```
+
+For each team, you need to define a team `name` and an `oidcID`, where the `oidcID` can be any string with a length of less than 250 characters.
+The `oidcID` is used to uniquely identify the team, so please make sure to keep this unique.
+
+Below you'll find two example implementations for Authentik and Keycloak.
+If you've successfully implemented this with another identity provider, please let us know and submit a PR to improve the docs.
+
+### Setup in Authentik
+
+To configure automatic team management through Authentik, we assume you have already [set up Authentik]({{< ref "openid-examples.md">}}#authentik) as an OIDC provider for authentication with Vikunja.
+
+To use Authentik's group assignment feature, follow these steps:
+
+1. Edit [your config]({{< ref "config.md">}}) to include the following scopes: `openid profile email vikunja_scope`
+2. Open `<your authentik url>/if/admin/#/core/property-mappings`
+3. Create a new property mapping called `vikunja_scope` as scope mapping. There is a field `expression` to enter python expressions that will be delivered with the oidc token.
+4. Write a small script like the following to add group information to `vikunja_scope`:
+
+```python
+groupsDict = {"vikunja_groups": []}
+for group in request.user.ak_groups.all():
+  groupsDict["vikunja_groups"].append({"name": group.name, "oidcID": group.num_pk})
+return groupsDict
+```
+
+5. In Authentik's menu on the left, go to Applications > Providers > Select the Vikunja provider. Then click on "Edit", on the bottom open "Advanced protocol settings", select the newly created property mapping under "Scopes". Save the provider.
+
+Now when you log into Vikunja via Authentik it will show you a list of scopes you are claiming.
+You should see the description you entered on the OIDC provider's admin area.
+
+Proceed to vikunja and open the teams page in the sidebar menu.
+You should see "(OIDC)" written next to each team you were assigned through OIDC.
+
+### Setup in Keycloak
+
+The kind people from Makerspace Darmstadt e.V. have written [a guide on how to create a mapper for Vikunja here](https://github.com/makerspace-darmstadt/keycloak-vikunja-mapper).
+
+## Use cases
+
+All examples assume one team called "Team 1" to be configured within your provider.
+
+* *Token delivers team.name +team.oidcID and Vikunja team does not exist:* \
+New team will be created called "Team 1" with attribute oidcID: "33929"
+
+2. *In Vikunja Team with name "team 1" already exists in vikunja, but has no oidcID set:* \
+new team will be created called "team 1" with attribute oidcID: "33929"
+
+3. *In Vikunja Team with name "team 1" already exists in vikunja, but has different oidcID set:* \
+new team will be created called "team 1" with attribute oidcID: "33929"
+
+4. *In Vikunja Team with oidcID "33929" already exists in vikunja, but has different name than "team1":* \
+new team will be created called "team 1" with attribute oidcID: "33929"
+
+5. *Scope vikunja_scope is not set:* \
+nothing happens
+
+6. *oidcID is not set:* \
+You'll get error.
+Custom Scope malformed
+"The custom scope set by the OIDC provider is malformed. Please make sure the openid provider sets the data correctly for your scope. Check especially to have set an oidcID."
+
+7. *In Vikunja I am in "team 3" with oidcID "", but the token does not deliver any data for "team 3":* \
+You will stay in team 3 since it was not set by the oidc provider
+
+8. *In Vikunja I am in "team 3" with oidcID "12345", but the token does not deliver any data for "team 3"*:\
+You will be signed out of all teams, which have an oidcID set and are not contained in the token.
+Especially if you've been the last team member, the team will be deleted.

docs/content/doc/usage/errors.md

@@ -44,6 +44,7 @@ This document describes the different errors Vikunja can return.
 | 1020      | 412 | This user account is disabled. |
 | 1021      | 412 | This account is managed by a third-party authentication provider. |
 | 1021      | 412 | The username must not contain spaces. |
+| 1022      | 412 | The custom scope set by the OIDC provider is malformed. Please make sure the openid provider sets the data correctly for your scope. Check especially to have set an oidcID. |
 
 ## Validation
 
@@ -106,6 +107,9 @@ This document describes the different errors Vikunja can return.
 | 6005 | 409 | The user is already a member of that team.                           |
 | 6006 | 400 | Cannot delete the last team member.                                  |
 | 6007 | 403 | The team does not have access to the project to perform that action. |
+| 6008 | 400 | There are no teams found with that team name. |
+| 6009 | 400 | There is no oidc team with that team name and oidcId. |
+| 6010 | 400 | There are no oidc teams found for the user. |
 
 ## User Project Access
 

frontend/package.json

@@ -58,8 +58,8 @@
     "@infectoone/vue-ganttastic": "2.2.0",
     "@intlify/unplugin-vue-i18n": "2.0.0",
     "@kyvg/vue3-notification": "3.2.0",
-    "@sentry/tracing": "7.104.0",
-    "@sentry/vue": "7.104.0",
+    "@sentry/tracing": "7.105.0",
+    "@sentry/vue": "7.105.0",
     "@tiptap/core": "2.2.4",
     "@tiptap/extension-blockquote": "2.2.4",
     "@tiptap/extension-bold": "2.2.4",
@@ -141,7 +141,7 @@
     "@types/is-touch-device": "1.0.2",
     "@types/lodash.debounce": "4.0.9",
     "@types/marked": "5.0.2",
-    "@types/node": "20.11.22",
+    "@types/node": "20.11.24",
     "@types/postcss-preset-env": "7.7.0",
     "@types/sortablejs": "1.15.8",
     "@typescript-eslint/eslint-plugin": "7.1.0",
@@ -151,9 +151,9 @@
     "@vue/eslint-config-typescript": "12.0.0",
     "@vue/test-utils": "2.4.4",
     "@vue/tsconfig": "0.5.1",
-    "autoprefixer": "10.4.17",
+    "autoprefixer": "10.4.18",
     "browserslist": "4.23.0",
-    "caniuse-lite": "1.0.30001591",
+    "caniuse-lite": "1.0.30001593",
     "css-has-pseudo": "6.0.2",
     "csstype": "3.1.3",
     "cypress": "13.6.6",
@@ -174,7 +174,7 @@
     "typescript": "5.3.3",
     "vite": "5.1.4",
     "vite-plugin-inject-preload": "1.3.3",
-    "vite-plugin-pwa": "0.19.1",
+    "vite-plugin-pwa": "0.19.2",
     "vite-plugin-sentry": "1.4.0",
     "vite-svg-loader": "5.1.0",
     "vitest": "1.3.1",

frontend/pnpm-lock.yaml

@@ -35,11 +35,11 @@ dependencies:
     specifier: 3.2.0
     version: 3.2.0(vue@3.4.21)
   '@sentry/tracing':
-    specifier: 7.104.0
-    version: 7.104.0
+    specifier: 7.105.0
+    version: 7.105.0
   '@sentry/vue':
-    specifier: 7.104.0
-    version: 7.104.0(vue@3.4.21)
+    specifier: 7.105.0
+    version: 7.105.0(vue@3.4.21)
   '@tiptap/core':
     specifier: 2.2.4
     version: 2.2.4(@tiptap/pm@2.2.4)
@@ -277,8 +277,8 @@ devDependencies:
     specifier: 5.0.2
     version: 5.0.2
   '@types/node':
-    specifier: 20.11.22
-    version: 20.11.22
+    specifier: 20.11.24
+    version: 20.11.24
   '@types/postcss-preset-env':
     specifier: 7.7.0
     version: 7.7.0
@@ -307,14 +307,14 @@ devDependencies:
     specifier: 0.5.1
     version: 0.5.1
   autoprefixer:
-    specifier: 10.4.17
-    version: 10.4.17(postcss@8.4.35)
+    specifier: 10.4.18
+    version: 10.4.18(postcss@8.4.35)
   browserslist:
     specifier: 4.23.0
     version: 4.23.0
   caniuse-lite:
-    specifier: 1.0.30001591
-    version: 1.0.30001591
+    specifier: 1.0.30001593
+    version: 1.0.30001593
   css-has-pseudo:
     specifier: 6.0.2
     version: 6.0.2(postcss@8.4.35)
@@ -338,7 +338,7 @@ devDependencies:
     version: 13.6.2
   histoire:
     specifier: 0.17.9
-    version: 0.17.9(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4)
+    version: 0.17.9(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4)
   postcss:
     specifier: 8.4.35
     version: 8.4.35
@@ -371,13 +371,13 @@ devDependencies:
     version: 5.3.3
   vite:
     specifier: 5.1.4
-    version: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+    version: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
   vite-plugin-inject-preload:
     specifier: 1.3.3
     version: 1.3.3(vite@5.1.4)
   vite-plugin-pwa:
-    specifier: 0.19.1
-    version: 0.19.1(vite@5.1.4)(workbox-build@7.0.0)(workbox-window@7.0.0)
+    specifier: 0.19.2
+    version: 0.19.2(vite@5.1.4)(workbox-build@7.0.0)(workbox-window@7.0.0)
   vite-plugin-sentry:
     specifier: 1.4.0
     version: 1.4.0(vite@5.1.4)
@@ -386,7 +386,7 @@ devDependencies:
     version: 5.1.0(vue@3.4.21)
   vitest:
     specifier: 1.3.1
-    version: 1.3.1(@types/node@20.11.22)(happy-dom@13.6.2)(sass@1.71.1)(terser@5.24.0)
+    version: 1.3.1(@types/node@20.11.24)(happy-dom@13.6.2)(sass@1.71.1)(terser@5.24.0)
   vue-tsc:
     specifier: 1.8.27
     version: 1.8.27(typescript@5.3.3)
@@ -3686,7 +3686,7 @@ packages:
       capture-website: 2.4.1
       defu: 6.1.3
       fs-extra: 10.1.0
-      histoire: 0.17.9(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4)
+      histoire: 0.17.9(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4)
       pathe: 1.1.1
     transitivePeerDependencies:
       - bufferutil
@@ -3706,7 +3706,7 @@ packages:
       '@histoire/vendors': 0.17.8
       change-case: 4.1.2
       globby: 13.2.2
-      histoire: 0.17.9(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4)
+      histoire: 0.17.9(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4)
       launch-editor: 2.6.1
       pathe: 1.1.1
       vue: 3.4.21(typescript@5.3.3)
@@ -3725,7 +3725,7 @@ packages:
       chokidar: 3.5.3
       pathe: 1.1.1
       picocolors: 1.0.0
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     dev: true
 
   /@histoire/shared@0.17.9(vite@5.1.4):
@@ -3739,7 +3739,7 @@ packages:
       chokidar: 3.5.3
       pathe: 1.1.1
       picocolors: 1.0.0
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     dev: true
 
   /@histoire/vendors@0.17.8:
@@ -4209,45 +4209,45 @@ packages:
     resolution: {integrity: sha512-RbhOOTCNoCrbfkRyoXODZp75MlpiHMgbE5MEBZAnnnLyQNgrigEj4p0lzsMDyc1zVsJDLrivB58tgg3emX0eEA==}
     dev: true
 
-  /@sentry-internal/feedback@7.104.0:
-    resolution: {integrity: sha512-+OWqm+X9ZfEQQmxVoZsc9lpzd85pabAT+bEj57StRMTnfdRbD9TippS20nCD9N2Ql5v2/41NfiPONMejGbnOwg==}
+  /@sentry-internal/feedback@7.105.0:
+    resolution: {integrity: sha512-17doUQFKYgLfG7EmZXjZQ7HR/aBzuLDd+GVaCNthUPyiz/tltV7EFECDWwHpXqzQgYRgroSbY8PruMVujFGUUw==}
     engines: {node: '>=12'}
     dependencies:
-      '@sentry/core': 7.104.0
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry/core': 7.105.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
     dev: false
 
-  /@sentry-internal/replay-canvas@7.104.0:
-    resolution: {integrity: sha512-gfdnkFIpxAveKNghkvRCqv+hSiBkxYVoyFZLTvUPuM9Cmvmket1/PpnuWMC2jNtCEewG3gxkPDd4EaT9oa1HZQ==}
+  /@sentry-internal/replay-canvas@7.105.0:
+    resolution: {integrity: sha512-XMBdkjIDhap5Gwrub5wlUJhuUVJM4aL4lZV8KcxJZZSXgXsnyGYbEh9SPZOHO05jtbxTxVeL3Pik5qtYjdGnPA==}
     engines: {node: '>=12'}
     dependencies:
-      '@sentry/core': 7.104.0
-      '@sentry/replay': 7.104.0
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry/core': 7.105.0
+      '@sentry/replay': 7.105.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
     dev: false
 
-  /@sentry-internal/tracing@7.104.0:
-    resolution: {integrity: sha512-2z7OijM1J5ndJUiJJElC3iH9qb/Eb8eYm2v8oJhM8WVdc5uCKfrQuYHNgGOnmY2FOCfEUlTmMQGpDw7DJ67L5w==}
+  /@sentry-internal/tracing@7.105.0:
+    resolution: {integrity: sha512-b+AFYB7Bc9vmyxl2jbmuT4esX5G0oPfpz35A0sxFzmJIhvMg1YMDNio2c81BtKN+VSPORCnKMLhfk3kyKKvWMQ==}
     engines: {node: '>=8'}
     dependencies:
-      '@sentry/core': 7.104.0
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry/core': 7.105.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
     dev: false
 
-  /@sentry/browser@7.104.0:
-    resolution: {integrity: sha512-HsqO+mr1SowGoP0VbuWrQ2DZT0t5PLomy7LEYa6+4lbOemnY+5YV2NSwBTKbjYysvKipSwaRtPhXrsXsMaz8Bg==}
+  /@sentry/browser@7.105.0:
+    resolution: {integrity: sha512-OlYJzsZG109T1VpZ7O7KXf9IXCUUpp41lkkQM7ICBOBsfiHRUKmV5piTGCG5UgAvyb/gI/I1uQQtO4jthcHKEA==}
     engines: {node: '>=8'}
     dependencies:
-      '@sentry-internal/feedback': 7.104.0
-      '@sentry-internal/replay-canvas': 7.104.0
-      '@sentry-internal/tracing': 7.104.0
-      '@sentry/core': 7.104.0
-      '@sentry/replay': 7.104.0
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry-internal/feedback': 7.105.0
+      '@sentry-internal/replay-canvas': 7.105.0
+      '@sentry-internal/tracing': 7.105.0
+      '@sentry/core': 7.105.0
+      '@sentry/replay': 7.105.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
     dev: false
 
   /@sentry/cli@2.19.1:
@@ -4266,53 +4266,53 @@ packages:
       - supports-color
     dev: true
 
-  /@sentry/core@7.104.0:
-    resolution: {integrity: sha512-XPndD6IGQGd07/EntvYVzOWQUo/Gd7L3DwYFeEKeBv6ByWjbBNmVZFRhU0GPPsCHKyW9yMU9OO9diLSS4ijsRg==}
+  /@sentry/core@7.105.0:
+    resolution: {integrity: sha512-5xsaTG6jZincTeJUmZomlv20mVRZUEF1U/g89lmrSOybyk2+opEnB1JeBn4ODwnvmSik8r2QLr6/RiYlaxRJCg==}
     engines: {node: '>=8'}
     dependencies:
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
     dev: false
 
-  /@sentry/replay@7.104.0:
-    resolution: {integrity: sha512-HmWBr/u+SNeULxCxM8lJb2iqhjizeLGJtuKSShPEguEXIUT4kzdoqLh6wn7BAjiKzhmyjrnBcosR5LUqJtGYZQ==}
+  /@sentry/replay@7.105.0:
+    resolution: {integrity: sha512-hZD2m6fNL9gorUOaaEpqxeH7zNP4y2Ej0TdieM1HMQ2q9Zrm9yOzk9/7ALfbRLIZFRMFTqo9vvVztLs3E+Hx+g==}
     engines: {node: '>=12'}
     dependencies:
-      '@sentry-internal/tracing': 7.104.0
-      '@sentry/core': 7.104.0
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry-internal/tracing': 7.105.0
+      '@sentry/core': 7.105.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
     dev: false
 
-  /@sentry/tracing@7.104.0:
-    resolution: {integrity: sha512-p1mmqNKrCVlA4b6js3twZotAIdS1cLXh05oU9WmSAW3iDo1Vf9QO5+/9K1Vh3a9fPQt3nDJeD/OgAb7C4VBIsA==}
+  /@sentry/tracing@7.105.0:
+    resolution: {integrity: sha512-oqIb+3lVJI3nJC2pWJRSPKi81F2xL6VAaKtbEVI65QMrNOkK+kP1W9uT7BOMN8e6c0bkPRqAIZZfKmpqHa9X7g==}
     engines: {node: '>=8'}
     dependencies:
-      '@sentry-internal/tracing': 7.104.0
+      '@sentry-internal/tracing': 7.105.0
     dev: false
 
-  /@sentry/types@7.104.0:
-    resolution: {integrity: sha512-5bs0xe0+GZR4QBm9Nrqw59o0sv3kBtCosrZDVxBru/dQbrfnB+/kVorvuM0rV3+coNITTKcKDegSZmK1d2uOGQ==}
+  /@sentry/types@7.105.0:
+    resolution: {integrity: sha512-80o0KMVM+X2Ym9hoQxvJetkJJwkpCg7o6tHHFXI+Rp7fawc2iCMTa0IRQMUiSkFvntQLYIdDoNNuKdzz2PbQGA==}
     engines: {node: '>=8'}
     dev: false
 
-  /@sentry/utils@7.104.0:
-    resolution: {integrity: sha512-ZVg+xZirI9DlOi0NegNVocswdh/8p6QkzlQzDQY2LP2CC6JQdmwi64o0S4rPH4YIHNKQJTpIjduoxeKgd1EO5g==}
+  /@sentry/utils@7.105.0:
+    resolution: {integrity: sha512-YVAV0c2KLM8+VZCicQ/E/P2+J9Vs0hGhrXwV7w6ZEAtvxrg4oF270toL1WRhvcaf8JO4J1v4V+LuU6Txs4uEeQ==}
     engines: {node: '>=8'}
     dependencies:
-      '@sentry/types': 7.104.0
+      '@sentry/types': 7.105.0
     dev: false
 
-  /@sentry/vue@7.104.0(vue@3.4.21):
-    resolution: {integrity: sha512-tm8AyMkO1IWuDIaS4DQ67g5PNRSBHNcEGQafv0MQc6pKan5ClI5lolrT83Rg5Huu/jgvZm41h7ssq5nFo8OmUA==}
+  /@sentry/vue@7.105.0(vue@3.4.21):
+    resolution: {integrity: sha512-QWUWAwCFruw75aqsExHKZ9HWtFyFRo4+8UsCiXUWeMpcpQu+mZ4VzHbTxNBZKmSTA0jYa/tTpYXkfI5ozM+y4A==}
     engines: {node: '>=8'}
     peerDependencies:
       vue: 2.x || 3.x
     dependencies:
-      '@sentry/browser': 7.104.0
-      '@sentry/core': 7.104.0
-      '@sentry/types': 7.104.0
-      '@sentry/utils': 7.104.0
+      '@sentry/browser': 7.105.0
+      '@sentry/core': 7.105.0
+      '@sentry/types': 7.105.0
+      '@sentry/utils': 7.105.0
       vue: 3.4.21(typescript@5.3.3)
     dev: false
 
@@ -4759,7 +4759,7 @@ packages:
   /@types/fs-extra@9.0.13:
     resolution: {integrity: sha512-nEnwB++1u5lVDM2UI4c1+5R+FYaKfaAzS4OococimjVm3nQw3TuzH5UNsocrcTBbhnerblyHj4A49qXbIiZdpA==}
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
     dev: true
 
   /@types/har-format@1.2.10:
@@ -4783,7 +4783,7 @@ packages:
   /@types/keyv@3.1.3:
     resolution: {integrity: sha512-FXCJgyyN3ivVgRoml4h94G/p3kY+u/B86La+QptcqJaWtBWtmc6TtkNfS40n9bIvyLteHh7zXOtgbobORKPbDg==}
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
     dev: true
 
   /@types/linkify-it@3.0.2:
@@ -4824,8 +4824,8 @@ packages:
     resolution: {integrity: sha512-jhuKLIRrhvCPLqwPcx6INqmKeiA5EWrsCOPhrlFSrbrmU4ZMPjj5Ul/oLCMDO98XRUIwVm78xICz4EPCektzeQ==}
     dev: true
 
-  /@types/node@20.11.22:
-    resolution: {integrity: sha512-/G+IxWxma6V3E+pqK1tSl2Fo1kl41pK1yeCyDsgkF9WlVAme4j5ISYM2zR11bgLFJGLN5sVK40T4RJNuiZbEjA==}
+  /@types/node@20.11.24:
+    resolution: {integrity: sha512-Kza43ewS3xoLgCEpQrsT+xRo/EJej1y0kVYGiLFE1NEODXGzTfwiC6tXTLMQskn1X4/Rjlh0MQUvx9W+L9long==}
     dependencies:
       undici-types: 5.26.5
     dev: true
@@ -4845,20 +4845,20 @@ packages:
   /@types/postcss-preset-env@7.7.0:
     resolution: {integrity: sha512-biD8MwSiZo1Nztn1cIBPMcKNKzgFyU05AB96HIF9y3G4f9vdx2O60DHCSpWXChTp6mOEGu15fqIw2DetVVjghw==}
     dependencies:
-      autoprefixer: 10.4.17(postcss@8.4.35)
+      autoprefixer: 10.4.18(postcss@8.4.35)
       postcss: 8.4.35
     dev: true
 
   /@types/resolve@1.17.1:
     resolution: {integrity: sha512-yy7HuzQhj0dhGpD8RLXSZWEkLsV9ibvxvi6EiJ3bkqLAO1RGo0WbkWQiwpRlSFymTJRz0d3k5LM3kkx8ArDbLw==}
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
     dev: true
 
   /@types/responselike@1.0.0:
     resolution: {integrity: sha512-85Y2BjiufFzaMIlvJDvTTB8Fxl2xfLo4HgmHzVBz08w4wDePCTjYw66PdrolO0kzli3yam/YCgRufyo1DdQVTA==}
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
     dev: true
 
   /@types/semver@7.5.0:
@@ -4907,7 +4907,7 @@ packages:
     resolution: {integrity: sha512-oJoftv0LSuaDZE3Le4DbKX+KS9G36NzOeSap90UIK0yMA/NhKJhqlSGtNDORNRaIbQfzjXDrQa0ytJ6mNRGz/Q==}
     requiresBuild: true
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
     dev: true
     optional: true
 
@@ -5195,7 +5195,7 @@ packages:
       regenerator-runtime: 0.14.1
       systemjs: 6.14.3
       terser: 5.24.0
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     transitivePeerDependencies:
       - esbuild
       - supports-color
@@ -5208,7 +5208,7 @@ packages:
       vite: ^5.0.0
       vue: ^3.2.25
     dependencies:
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
       vue: 3.4.21(typescript@5.3.3)
     dev: true
 
@@ -5713,15 +5713,15 @@ packages:
     engines: {node: '>= 4.0.0'}
     dev: true
 
-  /autoprefixer@10.4.17(postcss@8.4.35):
-    resolution: {integrity: sha512-/cpVNRLSfhOtcGflT13P2794gVSgmPgTR+erw5ifnMLZb0UnSlkK4tquLmkd3BhA+nLo5tX8Cu0upUsGKvKbmg==}
+  /autoprefixer@10.4.18(postcss@8.4.35):
+    resolution: {integrity: sha512-1DKbDfsr6KUElM6wg+0zRNkB/Q7WcKYAaK+pzXn+Xqmszm/5Xa9coeNdtP88Vi+dPzZnMjhge8GIV49ZQkDa+g==}
     engines: {node: ^10 || ^12 || >=14}
     hasBin: true
     peerDependencies:
       postcss: ^8.1.0
     dependencies:
       browserslist: 4.23.0
-      caniuse-lite: 1.0.30001591
+      caniuse-lite: 1.0.30001593
       fraction.js: 4.3.7
       normalize-range: 0.1.2
       picocolors: 1.0.0
@@ -5902,7 +5902,7 @@ packages:
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
     hasBin: true
     dependencies:
-      caniuse-lite: 1.0.30001591
+      caniuse-lite: 1.0.30001593
       electron-to-chromium: 1.4.685
       node-releases: 2.0.14
       update-browserslist-db: 1.0.13(browserslist@4.23.0)
@@ -5988,8 +5988,8 @@ packages:
     engines: {node: '>=6'}
     dev: true
 
-  /caniuse-lite@1.0.30001591:
-    resolution: {integrity: sha512-PCzRMei/vXjJyL5mJtzNiUCKP59dm8Apqc3PH8gJkMnMXZGox93RbE76jHsmLwmIo6/3nsYIpJtx0O7u5PqFuQ==}
+  /caniuse-lite@1.0.30001593:
+    resolution: {integrity: sha512-UWM1zlo3cZfkpBysd7AS+z+v007q9G1+fLTUU42rQnY6t2axoogPW/xol6T7juU5EUoOhML4WgBIdG+9yYqAjQ==}
     dev: true
 
   /capital-case@1.0.4:
@@ -7730,7 +7730,7 @@ packages:
     engines: {node: '>=12.0.0'}
     dev: false
 
-  /histoire@0.17.9(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4):
+  /histoire@0.17.9(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)(vite@5.1.4):
     resolution: {integrity: sha512-z5Jb9QwbOw0TKvpkU0v7+CxJG6hIljIKMhWXzOfteteRZGDFElpTEwbr5/8EdPI6VTdF/k76fqZ07nmS9YdUvA==}
     hasBin: true
     peerDependencies:
@@ -7766,8 +7766,8 @@ packages:
       sade: 1.8.1
       shiki-es: 0.2.0
       sirv: 2.0.3
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
-      vite-node: 0.34.6(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
+      vite-node: 0.34.6(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     transitivePeerDependencies:
       - '@types/node'
       - bufferutil
@@ -8213,7 +8213,7 @@ packages:
     resolution: {integrity: sha512-KWYVV1c4i+jbMpaBC+U++4Va0cp8OisU185o73T1vo99hqi7w8tSJfUXYswwqqrjzwxa6KpRK54WhPvwf5w6PQ==}
     engines: {node: '>= 10.13.0'}
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
       merge-stream: 2.0.0
       supports-color: 7.2.0
     dev: true
@@ -9585,7 +9585,7 @@ packages:
       '@csstools/postcss-text-decoration-shorthand': 3.0.4(postcss@8.4.35)
       '@csstools/postcss-trigonometric-functions': 3.0.5(postcss@8.4.35)
       '@csstools/postcss-unset-value': 3.0.1(postcss@8.4.35)
-      autoprefixer: 10.4.17(postcss@8.4.35)
+      autoprefixer: 10.4.18(postcss@8.4.35)
       browserslist: 4.23.0
       css-blank-pseudo: 6.0.1(postcss@8.4.35)
       css-has-pseudo: 6.0.2(postcss@8.4.35)
@@ -11151,7 +11151,7 @@ packages:
       extsprintf: 1.3.0
     dev: true
 
-  /vite-node@0.34.6(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0):
+  /vite-node@0.34.6(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0):
     resolution: {integrity: sha512-nlBMJ9x6n7/Amaz6F3zJ97EBwR2FkzhBRxF5e+jE6LA3yi6Wtc2lyTij1OnDMIr34v5g/tVQtsVAzhT0jc5ygA==}
     engines: {node: '>=v14.18.0'}
     hasBin: true
@@ -11161,7 +11161,7 @@ packages:
       mlly: 1.4.2
       pathe: 1.1.1
       picocolors: 1.0.0
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     transitivePeerDependencies:
       - '@types/node'
       - less
@@ -11173,7 +11173,7 @@ packages:
       - terser
     dev: true
 
-  /vite-node@1.3.1(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0):
+  /vite-node@1.3.1(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0):
     resolution: {integrity: sha512-azbRrqRxlWTJEVbzInZCTchx0X69M/XPTCz4H+TLvlTcR/xH/3hkRqhOakT41fMJCMzXTu4UvegkZiEoJAWvng==}
     engines: {node: ^18.0.0 || >=20.0.0}
     hasBin: true
@@ -11182,7 +11182,7 @@ packages:
       debug: 4.3.4(supports-color@8.1.1)
       pathe: 1.1.1
       picocolors: 1.0.0
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     transitivePeerDependencies:
       - '@types/node'
       - less
@@ -11201,11 +11201,11 @@ packages:
       vite: ^3.0.0 || ^4.0.0
     dependencies:
       mime-types: 2.1.35
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     dev: true
 
-  /vite-plugin-pwa@0.19.1(vite@5.1.4)(workbox-build@7.0.0)(workbox-window@7.0.0):
-    resolution: {integrity: sha512-pxubJSqDfiUflmFfU8ErPP2eIHz7SqiSuJz6Qk2dPlEeC5Wm2hTInYhmVBYVx1KbVUEhQ4f8uCdmhYB/YP/pqw==}
+  /vite-plugin-pwa@0.19.2(vite@5.1.4)(workbox-build@7.0.0)(workbox-window@7.0.0):
+    resolution: {integrity: sha512-LSQJFPxCAQYbRuSyc9EbRLRqLpaBA9onIZuQFomfUYjWSgHuQLonahetDlPSC9zsxmkSEhQH8dXZN8yL978h3w==}
     engines: {node: '>=16.0.0'}
     peerDependencies:
       '@vite-pwa/assets-generator': ^0.2.4
@@ -11219,7 +11219,7 @@ packages:
       debug: 4.3.4(supports-color@8.1.1)
       fast-glob: 3.3.2
       pretty-bytes: 6.1.1
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
       workbox-build: 7.0.0(acorn@8.11.2)
       workbox-window: 7.0.0
     transitivePeerDependencies:
@@ -11233,7 +11233,7 @@ packages:
       vite: ^2.6.0 || ^3.0.0 || ^4.0.0 || ^5.0.0
     dependencies:
       '@sentry/cli': 2.19.1
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
     transitivePeerDependencies:
       - encoding
       - supports-color
@@ -11248,7 +11248,7 @@ packages:
       vue: 3.4.21(typescript@5.3.3)
     dev: true
 
-  /vite@5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0):
+  /vite@5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0):
     resolution: {integrity: sha512-n+MPqzq+d9nMVTKyewqw6kSt+R3CkvF9QAKY8obiQn8g1fwTscKxyfaYnC632HtBXAQGc1Yjomphwn1dtwGAHg==}
     engines: {node: ^18.0.0 || >=20.0.0}
     hasBin: true
@@ -11276,7 +11276,7 @@ packages:
       terser:
         optional: true
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
       esbuild: 0.19.12
       postcss: 8.4.35
       rollup: 4.12.0
@@ -11286,7 +11286,7 @@ packages:
       fsevents: 2.3.3
     dev: true
 
-  /vitest@1.3.1(@types/node@20.11.22)(happy-dom@13.6.2)(sass@1.71.1)(terser@5.24.0):
+  /vitest@1.3.1(@types/node@20.11.24)(happy-dom@13.6.2)(sass@1.71.1)(terser@5.24.0):
     resolution: {integrity: sha512-/1QJqXs8YbCrfv/GPQ05wAZf2eakUPLPa18vkJAKE7RXOKfVHqMZZ1WlTjiwl6Gcn65M5vpNUB6EFLnEdRdEXQ==}
     engines: {node: ^18.0.0 || >=20.0.0}
     hasBin: true
@@ -11311,7 +11311,7 @@ packages:
       jsdom:
         optional: true
     dependencies:
-      '@types/node': 20.11.22
+      '@types/node': 20.11.24
       '@vitest/expect': 1.3.1
       '@vitest/runner': 1.3.1
       '@vitest/snapshot': 1.3.1
@@ -11330,8 +11330,8 @@ packages:
       strip-literal: 2.0.0
       tinybench: 2.5.1
       tinypool: 0.8.2
-      vite: 5.1.4(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
-      vite-node: 1.3.1(@types/node@20.11.22)(sass@1.71.1)(terser@5.24.0)
+      vite: 5.1.4(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
+      vite-node: 1.3.1(@types/node@20.11.24)(sass@1.71.1)(terser@5.24.0)
       why-is-node-running: 2.2.2
     transitivePeerDependencies:
       - less

frontend/src/components/base/BaseButton.vue

@@ -26,7 +26,7 @@
 		class="base-button"
 		:href="href"
 		rel="noreferrer noopener nofollow"
-		target="_blank"
+		:target="openExternalInNewTab ? '_blank' : undefined"
 	>
 		<slot />
 	</a>
@@ -69,6 +69,7 @@ export interface BaseButtonProps extends /* @vue-ignore */ HTMLAttributes {
 	disabled?: boolean
 	to?: RouteLocationRaw
 	href?: string
+	openExternalInNewTab?: boolean
 }
 
 export interface BaseButtonEmits {
@@ -78,6 +79,7 @@ export interface BaseButtonEmits {
 const {
 	type = BASE_BUTTON_TYPES_MAP.BUTTON,
 	disabled = false,
+	openExternalInNewTab = true,
 } = defineProps<BaseButtonProps>()
 
 const emit = defineEmits<BaseButtonEmits>()

frontend/src/components/home/contentAuth.vue

@@ -122,7 +122,7 @@ const labelStore = useLabelStore()
 labelStore.loadAllLabels()
 
 const projectStore = useProjectStore()
-projectStore.loadProjects()
+projectStore.loadAllProjects()
 </script>
 
 <style lang="scss" scoped>

frontend/src/helpers/redirectToProvider.ts

@@ -11,14 +11,17 @@ export function getRedirectUrlFromCurrentFrontendPath(provider: IProvider): stri
 
 export const redirectToProvider = (provider: IProvider) => {
 
-	console.log({provider})
-
 	const redirectUrl = getRedirectUrlFromCurrentFrontendPath(provider)
 	const state = createRandomID(24)
 	localStorage.setItem('state', state)
 
-	window.location.href = `${provider.authUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUrl}&response_type=code&scope=openid email profile&state=${state}`
+	let scope = 'openid email profile'
+	if (provider.scope !== null){
+		scope = provider.scope
+	}
+	window.location.href = `${provider.authUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUrl}&response_type=code&scope=${scope}&state=${state}`
 }
+
 export const redirectToProviderOnLogout = (provider: IProvider) => {
 	if (provider.logoutUrl.length > 0) {
 		window.location.href = `${provider.logoutUrl}`

frontend/src/modelTypes/ITeam.ts

@@ -9,6 +9,7 @@ export interface ITeam extends IAbstract {
 	description: string
 	members: ITeamMember[]
 	right: Right
+	oidcId: string
 
 	createdBy: IUser
 	created: Date

frontend/src/models/team.ts

@@ -13,6 +13,7 @@ export default class TeamModel extends AbstractModel<ITeam> implements ITeam {
 	description = ''
 	members: ITeamMember[] = []
 	right: Right = RIGHTS.READ
+	oidcId = ''
 
 	createdBy: IUser = {} // FIXME: seems wrong
 	created: Date = null

frontend/src/services/savedFilter.ts

@@ -111,13 +111,13 @@ export function useSavedFilter(projectId?: MaybeRef<IProject['id']>) {
 
 	async function createFilter() {
 		filter.value = await filterService.create(filter.value)
-		await projectStore.loadProjects()
+		await projectStore.loadAllProjects()
 		router.push({name: 'project.index', params: {projectId: getProjectId(filter.value)}})
 	}
 
 	async function saveFilter() {
 		const response = await filterService.update(filter.value)
-		await projectStore.loadProjects()
+		await projectStore.loadAllProjects()
 		success({message: t('filters.edit.success')})
 		response.filters = objectToSnakeCase(response.filters)
 		filter.value = response
@@ -130,7 +130,7 @@ export function useSavedFilter(projectId?: MaybeRef<IProject['id']>) {
 
 	async function deleteFilter() {	
 		await filterService.delete(filter.value)
-		await projectStore.loadProjects()
+		await projectStore.loadAllProjects()
 		success({message: t('filters.delete.success')})
 		router.push({name: 'projects.index'})
 	}

frontend/src/stores/projects.ts

@@ -175,20 +175,28 @@ export const useProjectStore = defineStore('project', () => {
 		}
 	}
 
-	async function loadProjects() {
+	async function loadAllProjects() {
 		const cancel = setModuleLoading(setIsLoading)
 
 		const projectService = new ProjectService()
+		const loadedProjects: IProject[] = []
+		let page = 1
 		try {
-			const loadedProjects = await projectService.getAll({}, {is_archived: true}) as IProject[]
-			projects.value = {}
-			setProjects(loadedProjects)
-			loadedProjects.forEach(p => add(p))
-
-			return loadedProjects
+			do {
+				const newProjects = await projectService.getAll({}, {is_archived: true}, page) as IProject[]
+				loadedProjects.push(...newProjects)
+				page++
+			} while (page <= projectService.totalPages)
+			
 		} finally {
 			cancel()
 		}
+		
+		projects.value = {}
+		setProjects(loadedProjects)
+		loadedProjects.forEach(p => add(p))
+
+		return loadedProjects
 	}
 
 	function getAncestors(project: IProject): IProject[] {
@@ -222,7 +230,7 @@ export const useProjectStore = defineStore('project', () => {
 		setProjects,
 		removeProjectById,
 		toggleProjectFavorite,
-		loadProjects,
+		loadAllProjects,
 		createProject,
 		updateProject,
 		deleteProject,

frontend/src/stores/tasks.ts

@@ -473,7 +473,7 @@ export const useTaskStore = defineStore('task', () => {
 		task = await taskService.update(task)
 		
 		// reloading the projects list so that the Favorites project shows up or is hidden when there are (or are not) favorite tasks
-		await projectStore.loadProjects() 
+		await projectStore.loadAllProjects() 
 		
 		return task
 	}

frontend/src/types/IProvider.ts

@@ -4,4 +4,5 @@ export interface IProvider {
 	authUrl: string;
 	clientId: string;
 	logoutUrl: string;
+	scope: string;
 }

frontend/src/views/migrate/MigrationHandler.vue

@@ -27,6 +27,7 @@
 						:loading="migrationService.loading"
 						:disabled="migrationService.loading || undefined"
 						:href="authUrl"
+						:open-external-in-new-tab="false"
 					>
 						{{ $t('migrate.getStarted') }}
 					</x-button>
@@ -212,7 +213,7 @@ async function migrate() {
 			const result = await migrationFileService.migrate(migrationConfig as File)
 			message.value = result.message
 			const projectStore = useProjectStore()
-			return projectStore.loadProjects()
+			return projectStore.loadAllProjects()
 		}
 		
 		await migrationService.migrate(migrationConfig as MigrationConfig)

frontend/src/views/teams/EditTeam.vue

@@ -4,7 +4,7 @@
 		:class="{ 'is-loading': teamService.loading }"
 	>
 		<card
-			v-if="userIsAdmin"
+			v-if="userIsAdmin && !team.oidcId"
 			class="is-fullwidth"
 			:title="title"
 		>
@@ -77,7 +77,7 @@
 			:padding="false"
 		>
 			<div
-				v-if="userIsAdmin"
+				v-if="userIsAdmin && !team.oidcId"
 				class="p-4"
 			>
 				<div class="field has-addons">

frontend/src/views/teams/ListTeams.vue

@@ -17,11 +17,13 @@
 			class="teams box"
 		>
 			<li
-				v-for="team in teams"
-				:key="team.id"
+				v-for="t in teams"
+				:key="t.id"
 			>
-				<router-link :to="{name: 'teams.edit', params: {id: team.id}}">
-					{{ team.name }}
+				<router-link :to="{name: 'teams.edit', params: {id: t.id}}">
+					<p>
+						{{ t.name }}
+					</p>
 				</router-link>
 			</li>
 		</ul>
@@ -63,7 +65,7 @@ ul.teams {
   li {
     list-style: none;
     margin: 0;
-    border-bottom: 1px solid $border;
+    border-bottom: 1px solid var(--grey-200);
 
     a {
       color: var(--text);

frontend/src/views/user/settings/ApiTokens.vue

@@ -286,16 +286,15 @@ function toggleGroupPermissionsFromChild(group: string, checked: boolean) {
 					:key="group"
 					class="mb-2"
 				>
-					<strong class="is-capitalized">{{ formatPermissionTitle(group) }}</strong><br>
 					<template
-						v-if="Object.keys(routes).length > 1"
+						v-if="Object.keys(routes).length >= 1"
 					>
 						<Fancycheckbox
 							v-model="newTokenPermissionsGroup[group]"
-							class="mr-2 is-italic"
+							class="mr-2 is-capitalized has-text-weight-bold"
 							@update:modelValue="checked => selectPermissionGroup(group, checked)"
 						>
-							{{ $t('user.settings.apiTokens.selectAll') }}
+							{{ formatPermissionTitle(group) }}
 						</Fancycheckbox>
 						<br>
 					</template>
@@ -305,7 +304,7 @@ function toggleGroupPermissionsFromChild(group: string, checked: boolean) {
 					>
 						<Fancycheckbox
 							v-model="newTokenPermissions[group][route]"
-							class="mr-2 is-capitalized"
+							class="ml-4 mr-2 is-capitalized"
 							@update:modelValue="checked => toggleGroupPermissionsFromChild(group, checked)"
 						>
 							{{ formatPermissionTitle(route) }}

magefile.go

@@ -25,7 +25,6 @@ import (
 	"context"
 	"crypto/sha256"
 	"fmt"
-	"github.com/iancoleman/strcase"
 	"io"
 	"os"
 	"os/exec"
@@ -34,6 +33,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/iancoleman/strcase"
+
 	"github.com/magefile/mage/mg"
 	"golang.org/x/sync/errgroup"
 	"gopkg.in/yaml.v3"

pkg/db/fixtures/buckets.yml

@@ -25,6 +25,7 @@
   title: testbucket4 - other project
   project_id: 2
   created_by_id: 1
+  position: 1
   created: 2020-04-18 21:13:52
   updated: 2020-04-18 21:13:52
 # The following are not or only partly owned by user 1
@@ -241,4 +242,11 @@
   project_id: 38
   created_by_id: 15
   created: 2020-04-18 21:13:52
-  updated: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 40
+  title: testbucket40
+  project_id: 2
+  created_by_id: 1
+  position: 10
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52

pkg/db/fixtures/projects.yml

@@ -16,6 +16,7 @@
   owner_id: 3
   position: 2
   done_bucket_id: 4
+  default_bucket_id: 40
   updated: 2018-12-02 15:13:12
   created: 2018-12-01 15:13:12
 -

pkg/db/fixtures/team_members.yml

@@ -55,3 +55,7 @@
   team_id: 13
   user_id: 10
   created: 2018-12-01 15:13:12
+-
+  team_id: 14
+  user_id: 10
+  created: 2018-12-01 15:13:12

pkg/db/fixtures/teams.yml

@@ -28,4 +28,8 @@
   created_by_id: 7
 - id: 13
   name: testteam13
-  created_by_id: 7
+  created_by_id: 7
+- id: 14
+  name: testteam14
+  created_by_id: 7
+  oidc_id: 14

pkg/migration/20230104152903.go

@@ -0,0 +1,43 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package migration
+
+import (
+	"src.techknowlogick.com/xormigrate"
+	"xorm.io/xorm"
+)
+
+type teams20230104152903 struct {
+	OidcID string `xorm:"varchar(250) null" maxLength:"250" json:"oidc_id"`
+}
+
+func (teams20230104152903) TableName() string {
+	return "teams"
+}
+
+func init() {
+	migrations = append(migrations, &xormigrate.Migration{
+		ID:          "20230104152903",
+		Description: "Adding OidcID to teams",
+		Migrate: func(tx *xorm.Engine) error {
+			return tx.Sync2(teams20230104152903{})
+		},
+		Rollback: func(tx *xorm.Engine) error {
+			return nil
+		},
+	})
+}

pkg/models/error.go

@@ -1059,7 +1059,6 @@ func (err ErrTeamNameCannotBeEmpty) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusBadRequest, Code: ErrCodeTeamNameCannotBeEmpty, Message: "The team name cannot be empty"}
 }
 
-// ErrTeamDoesNotExist represents an error where a team does not exist
 type ErrTeamDoesNotExist struct {
 	TeamID int64
 }
@@ -1178,6 +1177,54 @@ func (err ErrTeamDoesNotHaveAccessToProject) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusForbidden, Code: ErrCodeTeamDoesNotHaveAccessToProject, Message: "This team does not have access to the project."}
 }
 
+// ErrOIDCTeamDoesNotExist represents an error where a team with specified name and specified oidcId property does not exist
+type ErrOIDCTeamDoesNotExist struct {
+	OidcID string
+	Name   string
+}
+
+// IsErrOIDCTeamDoesNotExist checks if an error is ErrOIDCTeamDoesNotExist.
+func IsErrOIDCTeamDoesNotExist(err error) bool {
+	_, ok := err.(ErrOIDCTeamDoesNotExist)
+	return ok
+}
+
+// ErrTeamDoesNotExist represents an error where a team does not exist
+func (err ErrOIDCTeamDoesNotExist) Error() string {
+	return fmt.Sprintf("No team with that name and valid oidcId could be found. [Team Name: %v] [OidcID : %v] ", err.Name, err.OidcID)
+}
+
+// ErrCodeTeamDoesNotExist holds the unique world-error code of this error
+const ErrCodeOIDCTeamDoesNotExist = 6008
+
+// HTTPError holds the http error description
+func (err ErrOIDCTeamDoesNotExist) HTTPError() web.HTTPError {
+	return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No team with that name and valid oidcId could be found."}
+}
+
+// ErrOIDCTeamsDoNotExistForUser represents an error where an oidcTeam does not exist for the user
+type ErrOIDCTeamsDoNotExistForUser struct {
+	UserID int64
+}
+
+// IsErrOIDCTeamsDoNotExistForUser checks if an error is ErrOIDCTeamsDoNotExistForUser.
+func IsErrOIDCTeamsDoNotExistForUser(err error) bool {
+	_, ok := err.(ErrOIDCTeamsDoNotExistForUser)
+	return ok
+}
+
+func (err ErrOIDCTeamsDoNotExistForUser) Error() string {
+	return fmt.Sprintf("No teams with property oidcId could be found for user [User ID: %d]", err.UserID)
+}
+
+// ErrCodeTeamDoesNotExist holds the unique world-error code of this error
+const ErrCodeOIDCTeamsDoNotExistForUser = 6009
+
+// HTTPError holds the http error description
+func (err ErrOIDCTeamsDoNotExistForUser) HTTPError() web.HTTPError {
+	return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No Teams with property oidcId could be found for User."}
+}
+
 // ====================
 // User <-> Project errors
 // ====================

pkg/models/project.go

@@ -316,8 +316,8 @@ func GetProjectSimplByTaskID(s *xorm.Session, taskID int64) (l *Project, err err
 	return &project, nil
 }
 
-// GetProjectsSimplByTaskIDs gets a list of projects by a task ids
-func GetProjectsSimplByTaskIDs(s *xorm.Session, taskIDs []int64) (ps map[int64]*Project, err error) {
+// GetProjectsMapSimplByTaskIDs gets a list of projects by a task ids
+func GetProjectsMapSimplByTaskIDs(s *xorm.Session, taskIDs []int64) (ps map[int64]*Project, err error) {
 	ps = make(map[int64]*Project)
 	err = s.
 		Select("projects.*").
@@ -328,8 +328,18 @@ func GetProjectsSimplByTaskIDs(s *xorm.Session, taskIDs []int64) (ps map[int64]*
 	return
 }
 
-// GetProjectsByIDs returns a map of projects from a slice with project ids
-func GetProjectsByIDs(s *xorm.Session, projectIDs []int64) (projects map[int64]*Project, err error) {
+func GetProjectsSimplByTaskIDs(s *xorm.Session, taskIDs []int64) (ps []*Project, err error) {
+	err = s.
+		Select("projects.*").
+		Table(Project{}).
+		Join("INNER", "tasks", "projects.id = tasks.project_id").
+		In("tasks.id", taskIDs).
+		Find(&ps)
+	return
+}
+
+// GetProjectsMapByIDs returns a map of projects from a slice with project ids
+func GetProjectsMapByIDs(s *xorm.Session, projectIDs []int64) (projects map[int64]*Project, err error) {
 	projects = make(map[int64]*Project, len(projectIDs))
 
 	if len(projectIDs) == 0 {
@@ -340,6 +350,17 @@ func GetProjectsByIDs(s *xorm.Session, projectIDs []int64) (projects map[int64]*
 	return
 }
 
+func GetProjectsByIDs(s *xorm.Session, projectIDs []int64) (projects []*Project, err error) {
+	projects = make([]*Project, 0, len(projectIDs))
+
+	if len(projectIDs) == 0 {
+		return
+	}
+
+	err = s.In("id", projectIDs).Find(&projects)
+	return
+}
+
 type projectOptions struct {
 	search      string
 	user        *user.User
@@ -455,7 +476,7 @@ SELECT DISTINCT * FROM all_projects ORDER BY position `+limitSQL, args...).Find(
 
 	totalCount, err = s.
 		SQL(`WITH RECURSIVE all_projects as (`+baseQuery+`)
-SELECT count(*) FROM all_projects GROUP BY all_projects.id`, args...).
+SELECT COUNT(DISTINCT all_projects.id) FROM all_projects`, args...).
 		Count(&Project{})
 	if err != nil {
 		return nil, 0, err
@@ -519,19 +540,24 @@ func getSavedFilterProjects(s *xorm.Session, doer *user.User) (savedFiltersProje
 }
 
 // GetAllParentProjects returns all parents of a given project
-func (p *Project) GetAllParentProjects(s *xorm.Session) (err error) {
-	if p.ParentProjectID == 0 {
-		return
-	}
-
-	parent, err := GetProjectSimpleByID(s, p.ParentProjectID)
-	if err != nil {
-		return err
-	}
-
-	p.ParentProject = parent
-
-	return parent.GetAllParentProjects(s)
+func GetAllParentProjects(s *xorm.Session, projectID int64) (allProjects map[int64]*Project, err error) {
+	allProjects = make(map[int64]*Project)
+	err = s.SQL(`WITH RECURSIVE all_projects AS (
+		    SELECT
+		        p.*
+		    FROM
+		        projects p
+		    WHERE
+		        p.id = ?
+		    UNION ALL
+		    SELECT
+		        p.*
+		    FROM
+		        projects p
+		            INNER JOIN all_projects pc ON p.ID = pc.parent_project_id
+		)
+		SELECT DISTINCT * FROM all_projects`, projectID).Find(&allProjects)
+	return
 }
 
 // addProjectDetails adds owner user objects and project tasks to all projects in the slice
@@ -559,7 +585,7 @@ func addProjectDetails(s *xorm.Session, projects []*Project, a web.Auth) (err er
 		return err
 	}
 
-	subscriptions, err := GetSubscriptions(s, SubscriptionEntityProject, projectIDs, a)
+	subscriptions, err := GetSubscriptionsForProjects(s, projects, a)
 	if err != nil {
 		log.Errorf("An error occurred while getting project subscriptions for a project: %s", err.Error())
 		subscriptions = make(map[int64][]*Subscription)
@@ -646,12 +672,14 @@ func checkProjectBeforeUpdateOrDelete(s *xorm.Session, project *Project) (err er
 			}
 		}
 
-		var parent *Project
-		parent, err = GetProjectSimpleByID(s, project.ParentProjectID)
+		allProjects, err := GetAllParentProjects(s, project.ParentProjectID)
 		if err != nil {
 			return err
 		}
 
+		var parent *Project
+		parent = allProjects[project.ParentProjectID]
+
 		// Check if there's a cycle in the parent relation
 		parentsVisited := make(map[int64]bool)
 		parentsVisited[project.ID] = true
@@ -660,11 +688,7 @@ func checkProjectBeforeUpdateOrDelete(s *xorm.Session, project *Project) (err er
 				break
 			}
 
-			// FIXME: Can we do this with better performance?
-			parent, err = GetProjectSimpleByID(s, parent.ParentProjectID)
-			if err != nil {
-				return err
-			}
+			parent = allProjects[parent.ParentProjectID]
 
 			if parentsVisited[parent.ID] {
 				return &ErrProjectCannotHaveACyclicRelationship{

pkg/models/subscription.go

@@ -223,7 +223,11 @@ func GetSubscriptions(s *xorm.Session, entityType SubscriptionEntityType, entity
 
 	switch entityType {
 	case SubscriptionEntityProject:
-		return getSubscriptionsForProjects(s, entityIDs, u)
+		projects, err := GetProjectsByIDs(s, entityIDs)
+		if err != nil {
+			return nil, err
+		}
+		return GetSubscriptionsForProjects(s, projects, u)
 	case SubscriptionEntityTask:
 		subs, err := getSubscriptionsForTasks(s, entityIDs, u)
 		if err != nil {
@@ -232,22 +236,34 @@ func GetSubscriptions(s *xorm.Session, entityType SubscriptionEntityType, entity
 
 		// If the task does not have a subscription directly or from its project, get the one
 		// from the parent and return it instead.
+		var taskIDsWithoutSubscription []int64
 		for _, eID := range entityIDs {
 			if _, has := subs[eID]; has {
 				continue
 			}
 
-			task, err := GetTaskByIDSimple(s, eID)
-			if err != nil {
-				return nil, err
-			}
-			projectSubscriptions, err := getSubscriptionsForProjects(s, []int64{task.ProjectID}, u)
-			if err != nil {
-				return nil, err
-			}
-			for _, subscription := range projectSubscriptions {
-				subs[eID] = subscription // The first project subscription is the subscription we're looking for
-				break
+			taskIDsWithoutSubscription = append(taskIDsWithoutSubscription, eID)
+		}
+
+		projects, err := GetProjectsSimplByTaskIDs(s, taskIDsWithoutSubscription)
+		if err != nil {
+			return nil, err
+		}
+
+		tasks, err := GetTasksSimpleByIDs(s, taskIDsWithoutSubscription)
+		if err != nil {
+			return nil, err
+		}
+
+		projectSubscriptions, err := GetSubscriptionsForProjects(s, projects, u)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, task := range tasks {
+			sub, has := projectSubscriptions[task.ProjectID]
+			if has {
+				subs[task.ID] = sub
 			}
 		}
 
@@ -257,48 +273,57 @@ func GetSubscriptions(s *xorm.Session, entityType SubscriptionEntityType, entity
 	return
 }
 
-func getSubscriptionsForProjects(s *xorm.Session, projectIDs []int64, u *user.User) (projectsToSubscriptions map[int64][]*Subscription, err error) {
-	origEntityIDs := projectIDs
+func GetSubscriptionsForProjects(s *xorm.Session, projects []*Project, a web.Auth) (projectsToSubscriptions map[int64][]*Subscription, err error) {
+	u, is := a.(*user.User)
+	if u != nil && !is {
+		return
+	}
+
 	var ps = make(map[int64]*Project)
+	origProjectIDs := make([]int64, 0, len(projects))
+	allProjectIDs := make([]int64, 0, len(projects))
 
-	for _, eID := range projectIDs {
-		if eID < 1 {
+	for _, p := range projects {
+		ps[p.ID] = p
+		origProjectIDs = append(origProjectIDs, p.ID)
+		allProjectIDs = append(allProjectIDs, p.ID)
+	}
+
+	// We can't just use the projects we have, we need to fetch the parents
+	// because they may not be loaded in the same object
+
+	for _, p := range projects {
+		if p.ParentProjectID == 0 {
 			continue
 		}
-		ps[eID], err = GetProjectSimpleByID(s, eID)
-		if err != nil && IsErrProjectDoesNotExist(err) {
-			// If the project does not exist, it might got deleted. There could still be subscribers though.
-			delete(ps, eID)
+
+		if _, has := ps[p.ParentProjectID]; has {
 			continue
 		}
-		if err != nil {
-			return nil, err
-		}
-		err = ps[eID].GetAllParentProjects(s)
+
+		parents, err := GetAllParentProjects(s, p.ID)
 		if err != nil {
 			return nil, err
 		}
 
-		parentIDs := []int64{}
-		var parent = ps[eID].ParentProject
+		// Walk the tree up until we reach the top
+		var parent = parents[p.ParentProjectID] // parent now has a pointer…
+		ps[p.ID].ParentProject = parents[p.ParentProjectID]
 		for parent != nil {
-			parentIDs = append(parentIDs, parent.ID)
-			parent = parent.ParentProject
+			allProjectIDs = append(allProjectIDs, parent.ID)
+			parent = parents[parent.ParentProjectID] // … which means we can update it here and then update the pointer in the map
 		}
-
-		// Now we have all parent ids
-		projectIDs = append(projectIDs, parentIDs...) // the child project id is already in there
 	}
 
 	var subscriptions []*Subscription
 	if u != nil {
 		err = s.
 			Where("user_id = ?", u.ID).
-			And(getSubscriberCondForEntities(SubscriptionEntityProject, projectIDs)).
+			And(getSubscriberCondForEntities(SubscriptionEntityProject, allProjectIDs)).
 			Find(&subscriptions)
 	} else {
 		err = s.
-			And(getSubscriberCondForEntities(SubscriptionEntityProject, projectIDs)).
+			And(getSubscriberCondForEntities(SubscriptionEntityProject, allProjectIDs)).
 			Find(&subscriptions)
 	}
 	if err != nil {
@@ -313,7 +338,7 @@ func getSubscriptionsForProjects(s *xorm.Session, projectIDs []int64, u *user.Us
 
 	// Rearrange so that subscriptions trickle down
 
-	for _, eID := range origEntityIDs {
+	for _, eID := range origProjectIDs {
 		// If the current project does not have a subscription, climb up the tree until a project has one,
 		// then use that subscription for all child projects
 		_, has := projectsToSubscriptions[eID]

pkg/models/task_overdue_reminder.go

@@ -139,7 +139,7 @@ func RegisterOverdueReminderCron() {
 			}
 		}
 
-		projects, err := GetProjectsSimplByTaskIDs(s, taskIDs)
+		projects, err := GetProjectsMapSimplByTaskIDs(s, taskIDs)
 		if err != nil {
 			log.Errorf("[Undone Overdue Tasks Reminder] Could not get projects for tasks: %s", err)
 			return

pkg/models/task_reminder.go

@@ -173,7 +173,7 @@ func getTasksWithRemindersDueAndTheirUsers(s *xorm.Session, now time.Time) (remi
 
 	seen := make(map[int64]map[int64]bool)
 
-	projects, err := GetProjectsSimplByTaskIDs(s, taskIDs)
+	projects, err := GetProjectsMapSimplByTaskIDs(s, taskIDs)
 	if err != nil {
 		return
 	}

pkg/models/tasks.go

@@ -356,6 +356,11 @@ func GetTaskSimple(s *xorm.Session, t *Task) (task Task, err error) {
 	return
 }
 
+func GetTasksSimpleByIDs(s *xorm.Session, ids []int64) (tasks []*Task, err error) {
+	err = s.In("id", ids).Find(&tasks)
+	return
+}
+
 // GetTasksByIDs returns all tasks for a project of ids
 func (bt *BulkTask) GetTasksByIDs(s *xorm.Session) (err error) {
 	for _, id := range bt.IDs {
@@ -586,7 +591,7 @@ func addMoreInfoToTasks(s *xorm.Session, taskMap map[int64]*Task, a web.Auth) (e
 	}
 
 	// Get all identifiers
-	projects, err := GetProjectsByIDs(s, projectIDs)
+	projects, err := GetProjectsMapByIDs(s, projectIDs)
 	if err != nil {
 		return err
 	}
@@ -652,7 +657,8 @@ func setTaskBucket(s *xorm.Session, task *Task, originalTask *Task, doCheckBucke
 	}
 
 	var bucket *Bucket
-	if task.Done && originalTask != nil && !originalTask.Done {
+	if task.Done && originalTask != nil &&
+		(!originalTask.Done || task.ProjectID != originalTask.ProjectID) {
 		task.BucketID = project.DoneBucketID
 	}
 
@@ -661,7 +667,10 @@ func setTaskBucket(s *xorm.Session, task *Task, originalTask *Task, doCheckBucke
 	}
 
 	// Either no bucket was provided or the task was moved between projects
-	if task.BucketID == 0 || (originalTask != nil && task.ProjectID != 0 && originalTask.ProjectID != task.ProjectID) {
+	// But if the task was moved between projects, don't update the done bucket
+	// because then we have it already updated to the done bucket.
+	if task.BucketID == 0 ||
+		(originalTask != nil && task.ProjectID != 0 && originalTask.ProjectID != task.ProjectID && !task.Done) {
 		task.BucketID, err = getDefaultBucketID(s, project)
 		if err != nil {
 			return
@@ -855,17 +864,18 @@ func (t *Task) Update(s *xorm.Session, a web.Auth) (err error) {
 	// Old task has the stored reminders
 	ot.Reminders = reminders
 
-	targetBucket, err := setTaskBucket(s, t, &ot, t.BucketID != 0 && t.BucketID != ot.BucketID, nil)
+	project, err := GetProjectSimpleByID(s, t.ProjectID)
+	if err != nil {
+		return err
+	}
+
+	targetBucket, err := setTaskBucket(s, t, &ot, t.BucketID != 0 && t.BucketID != ot.BucketID, project)
 	if err != nil {
 		return err
 	}
 
 	// If the task was moved into the done bucket and the task has a repeating cycle we should not update
 	// the bucket.
-	project, err := GetProjectSimpleByID(s, t.ProjectID)
-	if err != nil {
-		return err
-	}
 	if targetBucket.ID == project.DoneBucketID && t.RepeatAfter > 0 {
 		t.Done = true // This will trigger the correct re-scheduling of the task (happening in updateDone later)
 		t.BucketID = ot.BucketID

pkg/models/tasks_test.go

@@ -345,8 +345,7 @@ func TestTask_Update(t *testing.T) {
 		err = s.Commit()
 		require.NoError(t, err)
 
-		assert.Equal(t, int64(4), task.BucketID) // bucket 4 is the default bucket on project 2
-		assert.True(t, task.Done)                // bucket 4 is the done bucket, so the task should be marked as done as well
+		assert.Equal(t, int64(40), task.BucketID) // bucket 40 is the default bucket on project 2
 	})
 	t.Run("marking a task as done should move it to the done bucket", func(t *testing.T) {
 		db.LoadAndAssertFixtures(t)
@@ -387,7 +386,29 @@ func TestTask_Update(t *testing.T) {
 		db.AssertExists(t, "tasks", map[string]interface{}{
 			"id":         1,
 			"project_id": 2,
-			"bucket_id":  4,
+			"bucket_id":  40,
+		}, false)
+	})
+	t.Run("move done task to another project with a done bucket", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		task := &Task{
+			ID:        2,
+			Done:      true,
+			ProjectID: 2,
+		}
+		err := task.Update(s, u)
+		require.NoError(t, err)
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertExists(t, "tasks", map[string]interface{}{
+			"id":         2,
+			"project_id": 2,
+			"bucket_id":  4, // 4 is the done bucket
+			"done":       true,
 		}, false)
 	})
 	t.Run("repeating tasks should not be moved to the done bucket", func(t *testing.T) {

pkg/models/team_members.go

@@ -44,7 +44,6 @@ func (tm *TeamMember) Create(s *xorm.Session, a web.Auth) (err error) {
 	if err != nil {
 		return err
 	}
-
 	// Check if the user exists
 	member, err := user2.GetUserByUsername(s, tm.Username)
 	if err != nil {
@@ -109,6 +108,12 @@ func (tm *TeamMember) Delete(s *xorm.Session, _ web.Auth) (err error) {
 	return
 }
 
+func (tm *TeamMember) MembershipExists(s *xorm.Session) (exists bool, err error) {
+	return s.
+		Where("team_id = ? AND user_id = ?", tm.TeamID, tm.UserID).
+		Exist(&TeamMember{})
+}
+
 // Update toggles a team member's admin status
 // @Summary Toggle a team member's admin status
 // @Description If a user is team admin, this will make them member and vise-versa.

pkg/models/teams.go

@@ -38,6 +38,8 @@ type Team struct {
 	// The team's description.
 	Description string `xorm:"longtext null" json:"description"`
 	CreatedByID int64  `xorm:"bigint not null INDEX" json:"-"`
+	// The team's oidc id delivered by the oidc provider
+	OidcID string `xorm:"varchar(250) null" maxLength:"250" json:"oidc_id"`
 
 	// The user who created this team.
 	CreatedBy *user.User `xorm:"-" json:"created_by"`
@@ -86,11 +88,18 @@ func (*TeamMember) TableName() string {
 // TeamUser is the team member type
 type TeamUser struct {
 	user.User `xorm:"extends"`
-	// Whether or not the member is an admin of the team. See the docs for more about what a team admin can do
+	// Whether the member is an admin of the team. See the docs for more about what a team admin can do
 	Admin  bool  `json:"admin"`
 	TeamID int64 `json:"-"`
 }
 
+// OIDCTeam is the relevant data for a team and is delivered by oidc token
+type OIDCTeam struct {
+	Name        string
+	OidcID      string
+	Description string
+}
+
 // GetTeamByID gets a team by its ID
 func GetTeamByID(s *xorm.Session, id int64) (team *Team, err error) {
 	if id < 1 {
@@ -120,6 +129,34 @@ func GetTeamByID(s *xorm.Session, id int64) (team *Team, err error) {
 	return
 }
 
+// GetTeamByOidcIDAndName gets teams where oidc_id and name match parameters
+// For oidc team creation oidcID and Name need to be set
+func GetTeamByOidcIDAndName(s *xorm.Session, oidcID string, teamName string) (*Team, error) {
+	team := &Team{}
+	has, err := s.
+		Table("teams").
+		Where("oidc_id = ? AND name = ?", oidcID, teamName).
+		Get(team)
+	if !has || err != nil {
+		return nil, ErrOIDCTeamDoesNotExist{teamName, oidcID}
+	}
+	return team, nil
+}
+
+func FindAllOidcTeamIDsForUser(s *xorm.Session, userID int64) (ts []int64, err error) {
+	err = s.
+		Table("team_members").
+		Where("user_id = ? ", userID).
+		Join("RIGHT", "teams", "teams.id = team_members.team_id").
+		Where("teams.oidc_id != ? AND teams.oidc_id IS NOT NULL", "").
+		Cols("teams.id").
+		Find(&ts)
+	if ts == nil || err != nil {
+		return ts, err
+	}
+	return ts, nil
+}
+
 func addMoreInfoToTeams(s *xorm.Session, teams []*Team) (err error) {
 
 	if len(teams) == 0 {
@@ -270,7 +307,6 @@ func (t *Team) Create(s *xorm.Session, a web.Auth) (err error) {
 		return
 	}
 
-	// Insert the current user as member and admin
 	tm := TeamMember{TeamID: t.ID, Username: doer.Username, Admin: true}
 	if err = tm.Create(s, doer); err != nil {
 		return err

pkg/modules/auth/openid/openid.go

@@ -21,21 +21,22 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"strconv"
 	"strings"
 
 	"code.vikunja.io/web/handler"
 
 	"code.vikunja.io/api/pkg/db"
-	"xorm.io/xorm"
-
 	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/modules/auth"
 	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/api/pkg/utils"
 	"github.com/coreos/go-oidc/v3/oidc"
 	petname "github.com/dustinkirkland/golang-petname"
 	"github.com/labstack/echo/v4"
 	"golang.org/x/oauth2"
+	"xorm.io/xorm"
 )
 
 // Callback contains the callback after an auth request was made and redirected
@@ -53,16 +54,17 @@ type Provider struct {
 	AuthURL         string `json:"auth_url"`
 	LogoutURL       string `json:"logout_url"`
 	ClientID        string `json:"client_id"`
+	Scope           string `json:"scope"`
 	ClientSecret    string `json:"-"`
 	openIDProvider  *oidc.Provider
 	Oauth2Config    *oauth2.Config `json:"-"`
 }
-
 type claims struct {
-	Email             string `json:"email"`
-	Name              string `json:"name"`
-	PreferredUsername string `json:"preferred_username"`
-	Nickname          string `json:"nickname"`
+	Email             string                   `json:"email"`
+	Name              string                   `json:"name"`
+	PreferredUsername string                   `json:"preferred_username"`
+	Nickname          string                   `json:"nickname"`
+	VikunjaGroups     []map[string]interface{} `json:"vikunja_groups"`
 }
 
 func init() {
@@ -96,6 +98,7 @@ func HandleCallback(c echo.Context) error {
 	// Check if the provider exists
 	providerKey := c.Param("provider")
 	provider, err := GetProvider(providerKey)
+	log.Debugf("Provider: %v", provider)
 	if err != nil {
 		log.Error(err)
 		return handler.HandleHTTPError(err, c)
@@ -145,6 +148,7 @@ func HandleCallback(c echo.Context) error {
 
 	// Extract custom claims
 	cl := &claims{}
+
 	err = idToken.Claims(cl)
 	if err != nil {
 		log.Errorf("Error getting token claims for provider %s: %v", provider.Name, err)
@@ -198,16 +202,182 @@ func HandleCallback(c echo.Context) error {
 		return handler.HandleHTTPError(err, c)
 	}
 
+	// does the oidc token contain well formed "vikunja_groups" through vikunja_scope
+	log.Debugf("Checking for vikunja_groups in token %v", cl.VikunjaGroups)
+	teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, provider)
+	if len(teamData) > 0 {
+		for _, err := range errs {
+			log.Errorf("Error creating teams for user and vikunja groups %s: %v", cl.VikunjaGroups, err)
+		}
+
+		// find old teams for user through oidc
+		oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
+		if err != nil {
+			log.Debugf("No oidc teams found for user %v", err)
+		}
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		if err != nil {
+			log.Errorf("Could not proceed with group routine %v", err)
+		}
+		teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
+		err = RemoveUserFromTeamsByIds(s, u, teamIDsToLeave)
+		if err != nil {
+			log.Errorf("Found error while leaving teams %v", err)
+		}
+		errs := RemoveEmptySSOTeams(s, teamIDsToLeave)
+		if len(errs) > 0 {
+			for _, err := range errs {
+				log.Errorf("Found error while removing empty teams %v", err)
+			}
+		}
+	}
 	err = s.Commit()
 	if err != nil {
+		_ = s.Rollback()
+		log.Errorf("Error creating new team for provider %s: %v", provider.Name, err)
 		return handler.HandleHTTPError(err, c)
 	}
-
 	// Create token
 	return auth.NewUserAuthTokenResponse(u, c, false)
 }
 
+func AssignOrCreateUserToTeams(s *xorm.Session, u *user.User, teamData []*models.OIDCTeam) (oidcTeams []int64, err error) {
+	if len(teamData) == 0 {
+		return
+	}
+	// check if we have seen these teams before.
+	// find or create Teams and assign user as teammember.
+	teams, err := GetOrCreateTeamsByOIDCAndNames(s, teamData, u)
+	if err != nil {
+		log.Errorf("Error verifying team for %v, got %v. Error: %v", u.Name, teams, err)
+		return nil, err
+	}
+	for _, team := range teams {
+		tm := models.TeamMember{TeamID: team.ID, UserID: u.ID, Username: u.Username}
+		exists, _ := tm.MembershipExists(s)
+		if !exists {
+			err = tm.Create(s, u)
+			if err != nil {
+				log.Errorf("Could not assign user %s to team %s: %v", u.Username, team.Name, err)
+			}
+		}
+		oidcTeams = append(oidcTeams, team.ID)
+	}
+	return oidcTeams, err
+}
+
+func RemoveEmptySSOTeams(s *xorm.Session, teamIDs []int64) (errs []error) {
+	for _, teamID := range teamIDs {
+		count, err := s.Where("team_id = ?", teamID).Count(&models.TeamMember{})
+		if count == 0 && err == nil {
+			log.Debugf("SSO team with id %v has no members. It will be deleted", teamID)
+			_, _err := s.Where("id = ?", teamID).Delete(&models.Team{})
+			if _err != nil {
+				errs = append(errs, _err)
+			}
+		}
+	}
+	return errs
+}
+
+func RemoveUserFromTeamsByIds(s *xorm.Session, u *user.User, teamIDs []int64) (err error) {
+
+	if len(teamIDs) < 1 {
+		return nil
+	}
+
+	log.Debugf("Removing team_member with user_id %v from team_ids %v", u.ID, teamIDs)
+	_, err = s.In("team_id", teamIDs).And("user_id = ?", u.ID).Delete(&models.TeamMember{})
+	return err
+}
+
+func getTeamDataFromToken(groups []map[string]interface{}, provider *Provider) (teamData []*models.OIDCTeam, errs []error) {
+	teamData = []*models.OIDCTeam{}
+	errs = []error{}
+	for _, team := range groups {
+		var name string
+		var description string
+		var oidcID string
+		_, exists := team["name"]
+		if exists {
+			name = team["name"].(string)
+		}
+		_, exists = team["description"]
+		if exists {
+			description = team["description"].(string)
+		}
+		_, exists = team["oidcID"]
+		if exists {
+			switch t := team["oidcID"].(type) {
+			case string:
+				oidcID = team["oidcID"].(string)
+			case int64:
+				oidcID = strconv.FormatInt(team["oidcID"].(int64), 10)
+			case float64:
+				oidcID = strconv.FormatFloat(team["oidcID"].(float64), 'f', -1, 64)
+			default:
+				log.Errorf("No oidcID assigned for %v or type %v not supported", team, t)
+			}
+		}
+		if name == "" || oidcID == "" {
+			log.Errorf("Claim of your custom scope does not hold name or oidcID for automatic group assignment through oidc provider. Please check %s", provider.Name)
+			errs = append(errs, &user.ErrOpenIDCustomScopeMalformed{})
+			continue
+		}
+		teamData = append(teamData, &models.OIDCTeam{Name: name, OidcID: oidcID, Description: description})
+	}
+	return teamData, errs
+}
+
+func getOIDCTeamName(name string) string {
+	return name + " (OIDC)"
+}
+
+func CreateOIDCTeam(s *xorm.Session, teamData *models.OIDCTeam, u *user.User) (team *models.Team, err error) {
+	team = &models.Team{
+		Name:        getOIDCTeamName(teamData.Name),
+		Description: teamData.Description,
+		OidcID:      teamData.OidcID,
+	}
+	err = team.Create(s, u)
+	return team, err
+}
+
+// GetOrCreateTeamsByOIDCAndNames returns a slice of teams which were generated from the oidc data. If a team did not exist previously it is automatically created.
+func GetOrCreateTeamsByOIDCAndNames(s *xorm.Session, teamData []*models.OIDCTeam, u *user.User) (te []*models.Team, err error) {
+	te = []*models.Team{}
+	// Procedure can only be successful if oidcID is set
+	for _, oidcTeam := range teamData {
+		team, err := models.GetTeamByOidcIDAndName(s, oidcTeam.OidcID, oidcTeam.Name)
+		if err != nil && !models.IsErrOIDCTeamDoesNotExist(err) {
+			return nil, err
+		}
+		if err != nil && models.IsErrOIDCTeamDoesNotExist(err) {
+			log.Debugf("Team with oidc_id %v and name %v does not exist. Creating team… ", oidcTeam.OidcID, oidcTeam.Name)
+			newTeam, err := CreateOIDCTeam(s, oidcTeam, u)
+			if err != nil {
+				return te, err
+			}
+			te = append(te, newTeam)
+			continue
+		}
+
+		if team.Name != getOIDCTeamName(oidcTeam.Name) {
+			team.Name = getOIDCTeamName(oidcTeam.Name)
+			err = team.Update(s, u)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		log.Debugf("Team with oidc_id %v and name %v already exists.", team.OidcID, team.Name)
+		te = append(te, team)
+	}
+	return te, err
+}
+
 func getOrCreateUser(s *xorm.Session, cl *claims, issuer, subject string) (u *user.User, err error) {
+
 	// Check if the user exists for that issuer and subject
 	u, err = user.GetUserWithEmail(s, &user.User{
 		Issuer:  issuer,

pkg/modules/auth/openid/openid_test.go

@@ -20,7 +20,9 @@ import (
 	"testing"
 
 	"code.vikunja.io/api/pkg/db"
-
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/api/pkg/utils"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -95,4 +97,145 @@ func TestGetOrCreateUser(t *testing.T) {
 			"email": cl.Email,
 		}, false)
 	})
+	t.Run("existing user, non existing team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		team := "new sso team"
+		oidcID := "47404"
+		cl := &claims{
+			Email: "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{
+				{"name": team, "oidcID": oidcID},
+			},
+		}
+
+		u, err := getOrCreateUser(s, cl, "https://some.service.com", "12345")
+		require.NoError(t, err)
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		for _, err := range errs {
+			require.NoError(t, err)
+		}
+		require.NoError(t, err)
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertExists(t, "users", map[string]interface{}{
+			"id":    u.ID,
+			"email": cl.Email,
+		}, false)
+		db.AssertExists(t, "teams", map[string]interface{}{
+			"id":   oidcTeams,
+			"name": team + " (OIDC)",
+		}, false)
+	})
+
+	t.Run("existing user, assign to existing team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		team := "testteam14"
+		oidcID := "14"
+		cl := &claims{
+			Email: "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{
+				{"name": team, "oidcID": oidcID},
+			},
+		}
+
+		u := &user.User{ID: 10}
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		for _, err := range errs {
+			require.NoError(t, err)
+		}
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertExists(t, "team_members", map[string]interface{}{
+			"team_id": oidcTeams,
+			"user_id": u.ID,
+		}, false)
+	})
+	t.Run("existing user, remove from existing team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		cl := &claims{
+			Email:         "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{},
+		}
+
+		u := &user.User{ID: 10}
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		if len(errs) > 0 {
+			for _, err := range errs {
+				require.NoError(t, err)
+			}
+		}
+		oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
+		require.NoError(t, err)
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
+		require.NoError(t, err)
+		err = RemoveUserFromTeamsByIds(s, u, teamIDsToLeave)
+		require.NoError(t, err)
+		errs = RemoveEmptySSOTeams(s, teamIDsToLeave)
+		for _, err = range errs {
+			require.NoError(t, err)
+		}
+		errs = RemoveEmptySSOTeams(s, teamIDsToLeave)
+		for _, err = range errs {
+			require.NoError(t, err)
+		}
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertMissing(t, "team_members", map[string]interface{}{
+			"team_id": oidcTeams,
+			"user_id": u.ID,
+		})
+	})
+	t.Run("existing user, remove from existing team and delete team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		cl := &claims{
+			Email:         "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{},
+		}
+
+		u := &user.User{ID: 10}
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		if len(errs) > 0 {
+			for _, err := range errs {
+				require.NoError(t, err)
+			}
+		}
+		oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
+		require.NoError(t, err)
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
+		require.NoError(t, err)
+		err = RemoveUserFromTeamsByIds(s, u, teamIDsToLeave)
+		require.NoError(t, err)
+		errs = RemoveEmptySSOTeams(s, teamIDsToLeave)
+		for _, err := range errs {
+			require.NoError(t, err)
+		}
+		err = s.Commit()
+		require.NoError(t, err)
+		db.AssertMissing(t, "teams", map[string]interface{}{
+			"id": oidcTeams,
+		})
+	})
 }

pkg/modules/auth/openid/providers.go

@@ -125,6 +125,10 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
 		logoutURL = ""
 	}
 
+	scope, _ := pi["scope"].(string)
+	if scope == "" {
+		scope = "openid profile email"
+	}
 	provider = &Provider{
 		Name:            pi["name"].(string),
 		Key:             k,
@@ -132,6 +136,7 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
 		OriginalAuthURL: pi["authurl"].(string),
 		ClientSecret:    pi["clientsecret"].(string),
 		LogoutURL:       logoutURL,
+		Scope:           scope,
 	}
 
 	cl, is := pi["clientid"].(int)

pkg/routes/routes.go

@@ -156,10 +156,10 @@ func setupSentry(e *echo.Echo) {
 			if hub != nil {
 				hub.WithScope(func(scope *sentry.Scope) {
 					scope.SetExtra("url", c.Request().URL)
-					hub.CaptureException(err)
+					hub.CaptureException(herr.Internal)
 				})
 			} else {
-				sentry.CaptureException(err)
+				sentry.CaptureException(herr.Internal)
 				log.Debugf("Could not add context for sending error '%s' to sentry", err.Error())
 			}
 			log.Debugf("Error '%s' sent to sentry", err.Error())

pkg/swagger/docs.go

@@ -8300,6 +8300,11 @@ const docTemplate = `{
                     "maxLength": 250,
                     "minLength": 1
                 },
+                "oidc_id": {
+                    "description": "The team's oidc id delivered by the oidc provider",
+                    "type": "string",
+                    "maxLength": 250
+                },
                 "updated": {
                     "description": "A timestamp when this relation was last updated. You cannot change this value.",
                     "type": "string"
@@ -8362,7 +8367,7 @@ const docTemplate = `{
             "type": "object",
             "properties": {
                 "admin": {
-                    "description": "Whether or not the member is an admin of the team. See the docs for more about what a team admin can do",
+                    "description": "Whether the member is an admin of the team. See the docs for more about what a team admin can do",
                     "type": "boolean"
                 },
                 "created": {
@@ -8430,6 +8435,11 @@ const docTemplate = `{
                     "maxLength": 250,
                     "minLength": 1
                 },
+                "oidc_id": {
+                    "description": "The team's oidc id delivered by the oidc provider",
+                    "type": "string",
+                    "maxLength": 250
+                },
                 "right": {
                     "$ref": "#/definitions/models.Right"
                 },
@@ -8573,6 +8583,9 @@ const docTemplate = `{
                 },
                 "name": {
                     "type": "string"
+                },
+                "scope": {
+                    "type": "string"
                 }
             }
         },

pkg/swagger/swagger.json

@@ -8292,6 +8292,11 @@
                     "maxLength": 250,
                     "minLength": 1
                 },
+                "oidc_id": {
+                    "description": "The team's oidc id delivered by the oidc provider",
+                    "type": "string",
+                    "maxLength": 250
+                },
                 "updated": {
                     "description": "A timestamp when this relation was last updated. You cannot change this value.",
                     "type": "string"
@@ -8354,7 +8359,7 @@
             "type": "object",
             "properties": {
                 "admin": {
-                    "description": "Whether or not the member is an admin of the team. See the docs for more about what a team admin can do",
+                    "description": "Whether the member is an admin of the team. See the docs for more about what a team admin can do",
                     "type": "boolean"
                 },
                 "created": {
@@ -8422,6 +8427,11 @@
                     "maxLength": 250,
                     "minLength": 1
                 },
+                "oidc_id": {
+                    "description": "The team's oidc id delivered by the oidc provider",
+                    "type": "string",
+                    "maxLength": 250
+                },
                 "right": {
                     "$ref": "#/definitions/models.Right"
                 },
@@ -8565,6 +8575,9 @@
                 },
                 "name": {
                     "type": "string"
+                },
+                "scope": {
+                    "type": "string"
                 }
             }
         },

pkg/swagger/swagger.yaml

@@ -904,6 +904,10 @@ definitions:
         maxLength: 250
         minLength: 1
         type: string
+      oidc_id:
+        description: The team's oidc id delivered by the oidc provider
+        maxLength: 250
+        type: string
       updated:
         description: A timestamp when this relation was last updated. You cannot change
           this value.
@@ -954,8 +958,8 @@ definitions:
   models.TeamUser:
     properties:
       admin:
-        description: Whether or not the member is an admin of the team. See the docs
-          for more about what a team admin can do
+        description: Whether the member is an admin of the team. See the docs for
+          more about what a team admin can do
         type: boolean
       created:
         description: A timestamp when this task was created. You cannot change this
@@ -1007,6 +1011,10 @@ definitions:
         maxLength: 250
         minLength: 1
         type: string
+      oidc_id:
+        description: The team's oidc id delivered by the oidc provider
+        maxLength: 250
+        type: string
       right:
         $ref: '#/definitions/models.Right'
       updated:
@@ -1116,6 +1124,8 @@ definitions:
         type: string
       name:
         type: string
+      scope:
+        type: string
     type: object
   todoist.Migration:
     properties:

pkg/user/error.go

@@ -426,6 +426,32 @@ func (err *ErrNoOpenIDEmailProvided) HTTPError() web.HTTPError {
 	}
 }
 
+// ErrNoOpenIDEmailProvided represents a "NoEmailProvided" kind of error.
+type ErrOpenIDCustomScopeMalformed struct {
+}
+
+// IsErrNoEmailProvided checks if an error is a ErrNoOpenIDEmailProvided.
+func IsErrOpenIDCustomScopeMalformed(err error) bool {
+	_, ok := err.(*ErrOpenIDCustomScopeMalformed)
+	return ok
+}
+
+func (err *ErrOpenIDCustomScopeMalformed) Error() string {
+	return "Custom Scope malformed"
+}
+
+// ErrCodeNoOpenIDEmailProvided holds the unique world-error code of this error
+const ErrCodeOpenIDCustomScopeMalformed = 1022
+
+// HTTPError holds the http error description
+func (err *ErrOpenIDCustomScopeMalformed) HTTPError() web.HTTPError {
+	return web.HTTPError{
+		HTTPCode: http.StatusPreconditionFailed,
+		Code:     ErrCodeOpenIDCustomScopeMalformed,
+		Message:  "The custom scope set by the OIDC provider is malformed. Please make sure the openid provider sets the data correctly for your scope. Check especially to have set an oidcID",
+	}
+}
+
 // ErrAccountDisabled represents a "AccountDisabled" kind of error.
 type ErrAccountDisabled struct {
 	UserID int64

pkg/utils/slice_difference.go

@@ -0,0 +1,37 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package utils
+
+// find the elements which appear in slice1, but not in slice2
+func NotIn(slice1 []int64, slice2 []int64) []int64 {
+	var diff []int64
+
+	for _, s1 := range slice1 {
+		found := false
+		for _, s2 := range slice2 {
+			if s1 == s2 {
+				found = true
+				break
+			}
+		}
+		// int64 not found. We add it to return slice
+		if !found {
+			diff = append(diff, s1)
+		}
+	}
+	return diff
+}