Add SAML/SSO

Gemfile

@@ -45,6 +45,9 @@ gem 'jwt'
 # 2FA/TOTP
 gem 'rotp', '~> 6.2'
 
+# SSO
+gem 'workos'
+
 # Scopes and pagination
 gem 'has_scope'
 gem 'kaminari', '~> 1.2.0'

Gemfile.lock

@@ -500,6 +500,7 @@ GEM
     websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
+    workos (5.2.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.6.15)
@@ -579,6 +580,7 @@ DEPENDENCIES
   typed_params (~> 1.2.5)
   uri (>= 0.12.2)
   webmock (~> 3.14.0)
+  workos
 
 RUBY VERSION
    ruby 3.3.4p94

README.md

@@ -69,7 +69,8 @@ Keygen Enterprise Edition:
 - **Environments**: manage separate environments within a Keygen account, from
   test environments, to a sandbox, to QA, to production.
 - **Permissions**: enterprise-grade roles and permissions.
-- **SSO/SAML**: support for SSO/SAML coming soon.
+- **Import/export**: migrate from Keygen Cloud to Keygen EE.
+- **SSO/SAML**: support for SSO/SAML/OAuth.
 
 Keygen uses Keygen EE in production to run Keygen Cloud, which is used to
 license Keygen EE. It's ~~turtles~~ Keygens all the way down (we love

app/controllers/api/v1/accounts/actions/subscription_controller.rb

@@ -3,7 +3,7 @@
 module Api::V1::Accounts::Actions
   class SubscriptionController < Api::V1::BaseController
     before_action :scope_to_current_account!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
 
     def manage
       authorize! with: Accounts::SubscriptionPolicy

app/controllers/api/v1/accounts/relationships/billings_controller.rb

@@ -3,7 +3,7 @@
 module Api::V1::Accounts::Relationships
   class BillingsController < Api::V1::BaseController
     before_action :scope_to_current_account!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_billing
 
     def show

app/controllers/api/v1/accounts/relationships/plans_controller.rb

@@ -3,7 +3,7 @@
 module Api::V1::Accounts::Relationships
   class PlansController < Api::V1::BaseController
     before_action :scope_to_current_account!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
 
     def show
       plan = current_account.plan

app/controllers/api/v1/accounts_controller.rb

@@ -3,7 +3,7 @@
 module Api::V1
   class AccountsController < Api::V1::BaseController
     before_action :scope_to_current_account!, only: %i[show update destroy]
-    before_action :authenticate_with_token!, only: %i[show update destroy]
+    before_action :authenticate!, only: %i[show update destroy]
     before_action :set_account, only: %i[show update destroy]
 
     def show

app/controllers/api/v1/analytics/actions/counts_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Analytics::Actions
   class CountsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
 
     def count
       authorize! to: :show?, with: Accounts::AnalyticsPolicy

app/controllers/api/v1/entitlements_controller.rb

@@ -4,7 +4,7 @@ module Api::V1
   class EntitlementsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_entitlement, only: %i[show update destroy]
 
     def index

app/controllers/api/v1/environments/relationships/tokens_controller.rb

@@ -5,7 +5,7 @@ class TokensController < Api::V1::BaseController
     before_action :require_ee!
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_environment
 
     def index

app/controllers/api/v1/environments_controller.rb

@@ -5,7 +5,7 @@ class EnvironmentsController < Api::V1::BaseController
     before_action :require_ee!
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_environment, only: %i[show update destroy]
 
     def index

app/controllers/api/v1/event_logs_controller.rb

@@ -12,7 +12,7 @@ class EventLogsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
     before_action :require_ent_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_event_log, only: %i[show]
 
     def index

app/controllers/api/v1/groups/relationships/group_owners_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Groups::Relationships
   class GroupOwnersController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_group
 
     authorize :group

app/controllers/api/v1/groups/relationships/licenses_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Groups::Relationships
   class LicensesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_group
 
     authorize :group

app/controllers/api/v1/groups/relationships/machines_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Groups::Relationships
   class MachinesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_group
 
     authorize :group

app/controllers/api/v1/groups/relationships/users_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Groups::Relationships
   class UsersController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_group
 
     authorize :group

app/controllers/api/v1/groups_controller.rb

@@ -4,7 +4,7 @@ module Api::V1
   class GroupsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_group, only: %i[show update destroy]
 
     def index

app/controllers/api/v1/keys/relationships/policies_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Keys::Relationships
   class PoliciesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_key
 
     authorize :key

app/controllers/api/v1/keys/relationships/products_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Keys::Relationships
   class ProductsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_key
 
     authorize :key

app/controllers/api/v1/keys_controller.rb

@@ -7,7 +7,7 @@ class KeysController < Api::V1::BaseController
 
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_key, only: %i[show update destroy]
 
     def index

app/controllers/api/v1/licenses/actions/checkouts_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Actions
   class CheckoutsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/actions/permits_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Actions
   class PermitsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     def check_in

app/controllers/api/v1/licenses/actions/uses_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Actions
   class UsesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/actions/validations_controller.rb

@@ -4,8 +4,8 @@ module Api::V1::Licenses::Actions
   class ValidationsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!, except: %i[validate_by_key]
-    before_action :authenticate_with_token, only: %i[validate_by_key]
+    before_action :authenticate!, except: %i[validate_by_key]
+    before_action :authenticate, only: %i[validate_by_key]
     before_action :set_license, only: %i[quick_validate_by_id validate_by_id]
 
     def quick_validate_by_id

app/controllers/api/v1/licenses/relationships/entitlements_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class EntitlementsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/groups_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class GroupsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/machines_controller.rb

@@ -8,7 +8,7 @@ class MachinesController < Api::V1::BaseController
 
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/owners_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class OwnersController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/policies_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class PoliciesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/products_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class ProductsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/tokens_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class TokensController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/users_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships
   class UsersController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses/relationships/v1x5/users_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::Licenses::Relationships::V1x5
   class UsersController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license
 
     authorize :license

app/controllers/api/v1/licenses_controller.rb

@@ -25,7 +25,7 @@ class LicensesController < Api::V1::BaseController
 
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_license, only: %i[show update destroy]
 
     def index

app/controllers/api/v1/machine_components/relationships/licenses_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineComponents::Relationships
   class LicensesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_component
 
     authorize :machine_component

app/controllers/api/v1/machine_components/relationships/machines_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineComponents::Relationships
   class MachinesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_component
 
     authorize :machine_component

app/controllers/api/v1/machine_components/relationships/products_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineComponents::Relationships
   class ProductsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_component
 
     authorize :machine_component

app/controllers/api/v1/machine_components_controller.rb

@@ -10,7 +10,7 @@ class MachineComponentsController < Api::V1::BaseController
 
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_component, only: %i[show update destroy]
 
     def index

app/controllers/api/v1/machine_processes/actions/heartbeats_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineProcesses::Actions
   class HeartbeatsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_process
 
     authorize :machine_process

app/controllers/api/v1/machine_processes/relationships/licenses_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineProcesses::Relationships
   class LicensesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_process
 
     authorize :machine_process

app/controllers/api/v1/machine_processes/relationships/machines_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineProcesses::Relationships
   class MachinesController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_process
 
     authorize :machine_process

app/controllers/api/v1/machine_processes/relationships/products_controller.rb

@@ -4,7 +4,7 @@ module Api::V1::MachineProcesses::Relationships
   class ProductsController < Api::V1::BaseController
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_process
 
     authorize :machine_process

app/controllers/api/v1/machine_processes_controller.rb

@@ -11,7 +11,7 @@ class MachineProcessesController < Api::V1::BaseController
 
     before_action :scope_to_current_account!
     before_action :require_active_subscription!
-    before_action :authenticate_with_token!
+    before_action :authenticate!
     before_action :set_machine_process, only: %i[show update destroy]
 
     def index