Add OIDC section for sign in and sign up page

- name: :oidc → Identifier for this login provider in the app.
- scope: [:openid, :email, :profile] → Tells the provider we want the user’s ID (openid), their email, and basic profile info (name, picture, etc.).
- response_type: :code → Uses Authorization Code Flow, which is more secure because tokens are not exposed in the URL.
- issuer: Rails.application.secrets.oidc_issuer → The base URL of the OIDC provider (e.g., Auth0). Used to find its config.
- discovery: true → Automatically fetches the provider’s endpoints from its discovery document instead of manually setting them.
- client_auth_method: :basic → Sends client ID and secret using HTTP Basic Auth when exchanging the code for tokens.

Add system tests for OIDC Auth

Edit the oauth docs to support OIDC auth

app/assets/stylesheets/layout.scss

@@ -1393,7 +1393,8 @@ table {
 .button.button-facebook,
 .button.button-google,
 .button.button-wordpress,
-.button.button-saml {
+.button.button-saml,
+.button.button-oidc {
   color: inherit;
   font-weight: bold;
 
@@ -1453,6 +1454,16 @@ table {
   }
 }
 
+.button.button-oidc {
+  @include has-fa-icon(openid, brands);
+  background: #fdf9f1;
+  border-left: 3px solid #f7931e;
+
+  &::before {
+    color: #f7931e;
+  }
+}
+
 
 // 14. Verification
 // ----------------

app/components/admin/settings/features_tab_component.rb

@@ -4,6 +4,7 @@ class Admin::Settings::FeaturesTabComponent < ApplicationComponent
       feature.featured_proposals
       feature.facebook_login
       feature.google_login
+      feature.oidc_login
       feature.saml_login
       feature.twitter_login
       feature.wordpress_login

app/components/devise/omniauth_form_component.rb

@@ -17,7 +17,8 @@ class Devise::OmniauthFormComponent < ApplicationComponent
         (:facebook if feature?(:facebook_login)),
         (:google_oauth2 if feature?(:google_login)),
         (:wordpress_oauth2 if feature?(:wordpress_login)),
-        (:saml if feature?(:saml_login))
+        (:saml if feature?(:saml_login)),
+        (:oidc if feature?(:oidc_login))
       ].compact
     end
 end

app/controllers/users/omniauth_callbacks_controller.rb

@@ -21,6 +21,10 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     sign_in_with :saml_login, :saml
   end
 
+  def oidc
+    sign_in_with :oidc_login, :oidc
+  end
+
   def after_sign_in_path_for(resource)
     if resource.registering_with_oauth
       finish_signup_path

app/lib/omniauth_tenant_setup.rb

@@ -21,6 +21,11 @@ module OmniauthTenantSetup
                 secrets.saml_idp_metadata_url, secrets.saml_idp_sso_service_url)
     end
 
+    def oidc(env)
+      oidc_auth(env, secrets.oidc_client_id,
+                secrets.oidc_client_secret, secrets.oidc_issuer, secrets.oidc_redirect_uri)
+    end
+
     private
 
       def oauth(env, key, secret)
@@ -55,6 +60,17 @@ module OmniauthTenantSetup
         end
       end
 
+      def oidc_auth(env, client_id, client_secret, issuer, redirect_uri)
+        unless Tenant.default?
+          strategy = env["omniauth.strategy"]
+
+          strategy.options[:client_id] = client_id if client_id.present?
+          strategy.options[:client_secret] = client_secret if client_secret.present?
+          strategy.options[:issuer] = issuer if issuer.present?
+          strategy.options[:redirect_uri] = redirect_uri if redirect_uri.present?
+        end
+      end
+
       def secrets
         Tenant.current_secrets
       end

app/models/setting.rb

@@ -85,6 +85,7 @@ class Setting < ApplicationRecord
         "feature.remote_census": nil,
         "feature.valuation_comment_notification": true,
         "feature.graphql_api": true,
+        "feature.oidc_login": false,
         "feature.saml_login": false,
         "feature.sdg": true,
         "feature.machine_learning": false,