Redirect to the only OAuth2 provider when no other login methods and fix various problems

[navneet102]

Fixes: #36846

1. When there is only on OAuth2 login method, automatically direct to it
2. Fix legacy problems in code, including:
   • Rename template filename and fix TODO comments
   • Fix legacy variable names
   • Add missing SSPI variable for template
   • Fix unnecessary layout, remove garbage styles
   • Only do AppUrl(ROOT_URL) check when it is needed (avoid unnecessary warnings to end users)

[wxiaoguang]

• Added skipAutoLogin URL param to bypass this feature by including ?skipAutoLogin=true

What will it be used for? Who will use it? Any real world use case for it?

If it is not used by our code, not clearly documented for real world use cases, then it doesn't make sense.

---

Update: added screenshots for the UI changes:

[navneet102]

I included it because it was mentioned in this comment, it could be used if auth source is unavailable.

What do you suggest, should I?

1. Document it.
2. Remove it.

[navneet102]

@wxiaoguang I have added some tests. Could you check this now please?

[wxiaoguang]

• Added skipAutoLogin URL param to bypass this feature by including ?skipAutoLogin=true

What will it be used for? Who will use it? Any real world use case for it?

If it is not used by our code, not clearly documented for real world use cases, then it doesn't make sense.

I included it because it was mentioned in this comment, it could be used if auth source is unavailable.

What do you suggest, should I?

1. Document it.

2. Remove it.

I don't understand it

[navneet102]

Sorry for being vague.

• Added skipAutoLogin URL param to bypass this feature by including ?skipAutoLogin=true

What will it be used for? Who will use it? Any real world use case for it?

If it is not used by our code, not clearly documented for real world use cases, then it doesn't make sense.

I think you asked here about why I included the skipAutoLogin URL parameter if there was no documentation for it.

In the reply, I mentioned that it was a design choice specified by @silverwind while accepting the feature proposal in this issue's (#36846 ) discussion.

What do you suggest, should I?

1. Document it.
2. Remove it.

Here I asked you, if I should remove the skipAutoLogin URL param or should I add documentation for it.

[wxiaoguang]

What do you suggest, should I?

1. Document it.
2. Remove it.

Here I asked you, if I should remove the skipAutoLogin URL param or should I add documentation for it.

As I said, I don't understand it.

You are the author so you need to propose reasonable and feasible designs.

[wxiaoguang]

You can explain your design by answering the questions:

1. For "Document it": why it is useful, in which case it will be used, how end users can know how to use it.
   • "useful when the auth source is temporarily unavailable": you already have !EnablePasswordSignInForm check, so users can do nothing on the login page even if the auth source is unavailable
   • I don't think such reason makes sense.
2. For "Remove it": why the extra parameter is useless, why the suggestion from silverwind (If there is just 1 login provider configured, redirect to it #36846 (comment)) is not right.

[Copilot]

Pull request overview

Adds an auto-redirect behavior on the /login page to streamline sign-in when only a single OAuth2 auth source is available and all other sign-in methods are disabled, with a skipAutoLogin=true escape hatch.

Changes:

• Implement performAutoLoginOAuth2 and invoke it from SignIn under a “OAuth2-only” configuration.
• Add a unit test covering the auto-redirect behavior and skipAutoLogin bypass.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
routers/web/auth/auth.go	Adds OAuth2-only auto-redirect logic when rendering /login.
routers/web/auth/auth_test.go	Adds a unit test validating redirect + bypass behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[silverwind]

I have to correct my request: skipAutoLogin only makes sense if there is more than 1 login option. If there is only 1 auto-login-able action (like only sso button), its not needed. As I understand the PR handles only the case of 1 SSO option, so we don't need it for this use case.

[navneet102]

Thank you everyone for the review, and sorry for the late reply. I have removed the skipAutoLogin param. Currently there is no solution for situations when OAuth service is unavailable because after being redirected (to OAuth provider) we cannot do anything until SignInOAuthCallback is called. The only solution would be to check for the availability of the service before redirection, which would be slow.

[silverwind]

1. performAutoLoginOAuth2 reads OAuth2Providers from ctx.Data which creates a fragile implicit dependency on prepareSignInPageData having been called first. As wxiaoguang noted, these should be return values of prepareSignInPageData instead.

2. The test only covers the happy path (single provider + redirect_to). Consider adding cases for:

   1. 0 OAuth providers → should render login page
   2. 2+ OAuth providers → should render login page
   3. No redirect_to query param → should redirect without query string
   4. Any of EnablePasswordSignInForm/EnableOpenIDSignIn/EnablePasskeyAuth/SSPI enabled → should render login page, not redirect

---

This comment was written by Claude Opus 4.6.

[silverwind]

Would still add those test cases mentioned in #36901 (comment). If you like I can exercise AI on it, or you do it yourself.

[wxiaoguang]

Would still add those test cases mentioned in #36901 (comment). If you like I can exercise AI on it, or you do it yourself.

Have you read the new code by yourself?

[silverwind]

Ok, but a test with 2 providers is still missing it seems?

[wxiaoguang]

Ok, but a test with 2 providers is still missing it seems?