
fix(auth): forward iss param in OIDC callback for RFC 9207 compliance#82

Open
Sanamy-ManNguyen wants to merge 1 commit into Taskosaur:main from SanamyVN:fix/oidc-iss-parameter

Conversation

@Sanamy-ManNguyen

Description

OIDC SSO login fails with SSO Authentication Failed for all users whose identity provider advertises authorization_response_iss_parameter_supported: true in its discovery document (Keycloak 19+ by default, and other OPs following RFC 9207).

The backend logs show the real error:

ERROR [OidcService] OIDC callback error: iss missing from the response

openid-client v5 enforces RFC 9207: when the issuer's discovery metadata declares authorization_response_iss_parameter_supported: true, the library validates that iss is present in the parameters passed to client.callback(). The callback controller in auth.controller.ts only reads code and state from the query string, so iss is dropped even though the IdP sends it in the redirect. Every fresh SSO login fails.

This PR threads the iss authorization-response parameter from the callback query string through AuthController.oidcCallback into OidcService.handleCallback, and includes it in the params object passed to oidcClient.callback() when present.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Reproduction

  1. Configure SSO against a Keycloak realm (19+) where authorization_response_iss_parameter_supported is true (the default).
  2. Log out, click the SSO login button.
  3. Keycloak redirects back with ?code=...&state=...&iss=https://... but Taskosaur responds with SSO Authentication Failed.
  4. Server logs show OIDC callback error: iss missing from the response.

After this fix, the same flow completes successfully.

Changes

  • backend/src/modules/auth/auth.controller.ts — add @Query('iss') iss: string and pass it into handleCallback.
  • backend/src/modules/auth/services/oidc.service.ts — accept optional iss, build the params object conditionally so it is included only when the IdP sends it (backwards compatible with IdPs that don't advertise RFC 9207 support).
  • backend/src/modules/auth/services/oidc.service.spec.ts — new unit tests covering:
    • iss is forwarded to openid-client when provided
    • iss is omitted when not provided (backwards compatible)
    • iss is omitted when passed as an empty string

Testing

  • Code builds successfully (npm run build)
  • New unit tests pass (npx jest src/modules/auth/services/oidc.service.spec.ts — 3/3 passing)
  • No console errors or warnings introduced; formatting and lint verified on touched files
  • Manually verified end-to-end against Keycloak 26 — SSO login now completes instead of returning "SSO Authentication Failed"

Checklist

  • Code follows style guidelines (prettier + eslint clean on touched files)
  • Self-review completed
  • Documentation updated (not applicable — internal bug fix, no public API change beyond an additive optional parameter)
  • No breaking changes — iss is optional, existing IdPs that don't advertise authorization_response_iss_parameter_supported continue to work unchanged

References

Providers that set authorization_response_iss_parameter_supported=true in
their discovery metadata (including Keycloak 19+) require openid-client
to receive the iss authorization-response parameter during token exchange
under RFC 9207. The callback controller read only code and state from the
query string, so openid-client threw 'iss missing from the response' and
users saw 'SSO Authentication Failed' in the UI.

Thread iss from the query string through the controller into
OidcService.handleCallback, and include it in the params object passed
to oidcClient.callback when present. The parameter is optional so
providers that do not advertise iss support continue to work.

Reproduces with Keycloak 19+ using the default realm discovery. Verified
fix by completing an SSO login against Keycloak 26 with
authorization_response_iss_parameter_supported=true.
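To make the RFC 9207 behaviour described in this PR concrete, here is an added stand-alone example (not Taskosaur's code and not openid-client's implementation). It builds the params object for the callback from the query string the same way the description says the fix does (iss included only when the IdP actually sent it, an empty string treated as absent), and then applies the check openid-client performs: when discovery metadata advertises `authorization_response_iss_parameter_supported: true`, `iss` must be present and must equal the issuer identifier. The function names, the `IssuerMetadata` shape and the sample values are assumptions made for the illustration.

```typescript
// Added example, not project code. Illustrates the callback-parameter handling
// and the RFC 9207 issuer check described in PR #82; names are hypothetical.

interface CallbackQuery {
  code?: string;
  state?: string;
  iss?: string;
}

interface CallbackParams {
  code: string;
  state: string;
  iss?: string;
}

// Subset of OIDC discovery metadata relevant to RFC 9207 (assumed shape).
interface IssuerMetadata {
  issuer: string;
  authorization_response_iss_parameter_supported?: boolean;
}

// Build the params object for the token exchange. `iss` is only added when the
// IdP sent a non-empty value, so providers that do not emit it are unaffected.
export function buildCallbackParams(query: CallbackQuery): CallbackParams {
  if (!query.code || !query.state) {
    throw new Error('code and state are required');
  }
  const params: CallbackParams = { code: query.code, state: query.state };
  if (query.iss) {
    params.iss = query.iss;
  }
  return params;
}

// RFC 9207 check. Returns null when the response is acceptable, otherwise a
// reason string. If the OP advertises support, a missing iss is an error
// (this is the "iss missing from the response" case from the PR); an iss that
// is present but does not match the issuer is rejected in every case.
export function checkIssuerParam(meta: IssuerMetadata, params: CallbackParams): string | null {
  if (meta.authorization_response_iss_parameter_supported && params.iss === undefined) {
    return 'iss missing from the response';
  }
  if (params.iss !== undefined && params.iss !== meta.issuer) {
    return 'iss mismatch';
  }
  return null;
}

// Demo with constructed values (a Keycloak-style realm issuer URL).
const demoMeta: IssuerMetadata = {
  issuer: 'https://idp.example.test/realms/demo',
  authorization_response_iss_parameter_supported: true,
};
const demoParams = buildCallbackParams({
  code: 'constructed-code',
  state: 'constructed-state',
  iss: 'https://idp.example.test/realms/demo',
});
console.log(checkIssuerParam(demoMeta, demoParams) ?? 'callback accepted');
```

Without the fix, the controller would have produced the equivalent of `buildCallbackParams({ code, state })` with no `iss`, and `checkIssuerParam` returns "iss missing from the response" for any provider that advertises support, which matches the failure in the backend logs.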
@devadattas devadattas requested a review from MdMotahir April 18, 2026 19:05