feat: Validate Google, Azure, OIDC SSO access (#3590)

* chore: Store expiresAt on UserAuthentications. This represents the time that the accessToken is no longer valid and should be exchanged using the refreshToken

* feat: Check and expire Google SSO

* fix: Better handling of multiple auth methods
Added more docs

* fix: Retry access validation with network errors

* Small refactor, add Azure token validation support

* doc

* test

* lint

* OIDC refresh support

* CheckSSOAccessTask -> ValidateSSOAccessTask
Added lastValidatedAt column
Skip checks if validated within 5min
Some edge cases around encrypted columns

server/models/AuthenticationProvider.ts

@@ -12,6 +12,10 @@ import {
   IsUUID,
   PrimaryKey,
 } from "sequelize-typescript";
+import env from "@server/env";
+import AzureClient from "@server/utils/azure";
+import GoogleClient from "@server/utils/google";
+import OIDCClient from "@server/utils/oidc";
 import { ValidationError } from "../errors";
 import Team from "./Team";
 import UserAuthentication from "./UserAuthentication";
@@ -57,6 +61,33 @@ class AuthenticationProvider extends Model {
 
   // instance methods
 
+  /**
+   * Create an OAuthClient for this provider, if possible.
+   *
+   * @returns A configured OAuthClient instance
+   */
+  get oauthClient() {
+    switch (this.name) {
+      case "google":
+        return new GoogleClient(
+          env.GOOGLE_CLIENT_ID || "",
+          env.GOOGLE_CLIENT_SECRET || ""
+        );
+      case "azure":
+        return new AzureClient(
+          env.AZURE_CLIENT_ID || "",
+          env.AZURE_CLIENT_SECRET || ""
+        );
+      case "oidc":
+        return new OIDCClient(
+          env.OIDC_CLIENT_ID || "",
+          env.OIDC_CLIENT_SECRET || ""
+        );
+      default:
+        return undefined;
+    }
+  }
+
   disable = async () => {
     const res = await (this
       .constructor as typeof AuthenticationProvider).findAndCountAll({