Backend-driven Authorization Code Flow with @azure/msal-node:
- EntraIdService: MSAL ConfidentialClientApplication, auth URL generation, token exchange
- SsoController: /auth/sso/microsoft (initiate) + /auth/sso/microsoft/callback (callback)
- AuthService.loginViaSso(): User provisioning (find by OID, auto-link by email, or create new)
- CSRF protection via state parameter stored in Redis
- SSO status endpoint for frontend feature detection
Frontend:
- "Mit Microsoft anmelden" button on login page (shown only when SSO is configured)
- SsoCallbackPage: handles redirect from backend, sets token, loads user profile
- AuthContext.loginWithToken(): new method for SSO token handling
Configuration:
- AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_REDIRECT_URI env vars
- docker-compose.yml updated to pass Azure vars to core service
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The `traefik healthcheck` CLI command doesn't reliably detect the
ping configuration. Use wget against the /ping endpoint instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The `traefik healthcheck` command requires `--ping=true` to be set.
Without it, the healthcheck always fails even though Traefik works fine.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The edoburu/pgbouncer image listens on port 5432 internally,
not 6432. Updated healthcheck and DATABASE_URL accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>