strapi-plugin-oidc 1.7.5 → 1.8.0

package/README.md

@@ -44,19 +44,38 @@ module.exports = ({ env }) => ({
       OIDC_GRANT_TYPE: 'authorization_code',
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
-      OIDC_END_SESSION_ENDPOINT: '', // Provider end-session URL for RP-initiated logout
+      OIDC_END_SESSION_ENDPOINT: '', // Provider end-session URL (from discovery `end_session_endpoint`)
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
       OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
       REMEMBER_ME: false, // Persist session across browser restarts
       AUDIT_LOG_RETENTION_DAYS: 90, // Set to 0 to disable audit logging; otherwise entries older than this many days are purged daily at midnight
       OIDC_GROUP_FIELD: 'groups', // OIDC claim field containing group membership
       OIDC_GROUP_ROLE_MAP: '{}', // JSON map of group names to Strapi role names
+      OIDC_REQUIRE_EMAIL_VERIFIED: true, // Reject logins when provider does not report email_verified=true (set false to disable)
+      OIDC_TRUSTED_IP_HEADER: '', // Optional: 'cf-connecting-ip' for Cloudflare; read only when Strapi trusts the proxy
+      OIDC_JWKS_URI: '', // Provider's JWKS URI (from discovery `jwks_uri`) — enables ID token signature verification
+      OIDC_ISSUER: '', // Provider's issuer (from discovery `issuer`) — verified against ID token's `iss`
+      OIDC_FORCE_SECURE_COOKIES: false, // Set true when behind a trusted HTTPS proxy that Strapi can't auto-detect
     },
   },
 });
 ```
 
-All required values come from your provider's OIDC discovery document, typically available at `https://your-provider/.well-known/openid-configuration`.
+All OIDC values come from your provider's discovery document, typically available at `https://your-provider/.well-known/openid-configuration`.
+
+### Security features
+
+- **ID token verification** — `OIDC_JWKS_URI` and `OIDC_ISSUER` enable signature, issuer, audience, and expiry validation via [`jose`](https://github.com/panva/jose)
+- **Email verification** — `OIDC_REQUIRE_EMAIL_VERIFIED: true` (default) rejects unverified emails
+- **CSRF protection** — OIDC state/nonce and POST-only logout endpoint
+- **Rate limiting** — 1 000 req/min per IP+UA (in-process; use a reverse-proxy-level limiter for multi-node)
+- **Secure cookies** — `OIDC_FORCE_SECURE_COOKIES` ensures cookies are marked Secure
+
+### Client IP attribution and reverse proxies
+
+The plugin logs client IPs for rate-limit buckets and audit logs. When Strapi runs behind a reverse proxy, **set `server.proxy: true`** so Koa trusts `X-Forwarded-For`; otherwise all IPs will be the proxy's.
+
+Set `OIDC_TRUSTED_IP_HEADER: 'cf-connecting-ip'` when behind Cloudflare. The header is only honoured when `server.proxy: true` is set.
 
 ## Login
 
@@ -64,27 +83,27 @@ Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Lo
 
 ## Logout
 
-When `OIDC_END_SESSION_ENDPOINT` is set, clicking logout in Strapi redirects the browser to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
+When `OIDC_END_SESSION_ENDPOINT` is set, clicking logout redirects to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
+
+The logout endpoint is `POST /strapi-plugin-oidc/logout`. Using POST instead of GET prevents CSRF-forced-logout attacks.
 
 ## Admin Settings
 
 Manage the plugin under **Settings → OIDC Plugin**.
 
-**Default Roles** — Select which Strapi admin role(s) are assigned to new users on first login.
+**Default Roles** — Strapi admin role(s) assigned to new users on first login.
 
-**Whitelist** — Restrict access to specific email addresses. When enabled, only listed emails can log in. When empty, any successfully authenticated OIDC user gets an account. The whitelist supports:
+**Whitelist** — Restrict access to specific email addresses. When empty, any authenticated OIDC user gets an account. Supports:
 
-- Adding individual emails with optional role overrides
-- JSON import / export (see [format](#import-format) below)
+- Individual emails with optional role overrides
+- JSON import / export
 - Bulk delete with confirmation
-- Unsaved changes are held in the UI until **Save Changes** is clicked
 
-**Audit Logs** — Every authentication event is recorded in the plugin's audit log table and visible in the **Audit Logs** section at the bottom of the settings page. Entries can be filtered by action, email, IP address, and date, and a **Download** button exports the current (filtered) view as NDJSON (newline-delimited JSON), compatible with SIEM tools and log processors. Setting `AUDIT_LOG_RETENTION_DAYS` to `0` disables audit logging entirely. Otherwise records older than the configured value (default: 90 days) are automatically purged by a daily cron job. The audit log is also accessible [via API](#audit-log-api).
+**Audit Logs** — Authentication events recorded and visible in the settings page. Filter by action, email, IP, and date. **Download** exports the current view as NDJSON. Set `AUDIT_LOG_RETENTION_DAYS` to `0` to disable. Records older than the configured value (default: 90 days) are purged daily.
 
-**Enforce OIDC Login** — Removes the standard email/password fields from the login page and blocks direct login API calls server-side. Automatically disabled when the whitelist is empty to prevent lockout.
+**Enforce OIDC Login** — Removes email/password fields from the login page and blocks direct login API calls. Automatically disabled when the whitelist is empty to prevent lockout.
 
-- The toggle is grayed out and locked when `OIDC_ENFORCE` is set in config.
-- **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi. This writes through to the database so removing the variable afterwards keeps the setting.
+The toggle is grayed out when `OIDC_ENFORCE` is set in config. **Lockout recovery**: set `OIDC_ENFORCE: false` in your plugin config and restart Strapi.
 
 ## Group-to-Role Mapping
 
@@ -118,18 +137,26 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
 
 ### Role assignment precedence
 
-1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
-2. **No group match or no mapping configured** → use the default OIDC roles (new users only — see below)
+1. **OIDC groups match `OIDC_GROUP_ROLE_MAP`** → mapped Strapi roles
+2. **No match or no mapping** → default OIDC roles (new users only)
 
 ### Role updates on subsequent logins
 
-- **New users** — Roles are always assigned on first login: group-mapped roles if a match is found, otherwise the configured default OIDC roles.
-- **Existing users with a group mapping match** — Roles are updated to reflect the current mapping. If a user's groups change between logins, their Strapi roles are updated accordingly.
-- **Existing users with no group mapping match** — Roles are left unchanged, regardless of what the default OIDC roles are set to. Manually-assigned roles are never overwritten by a default fallback.
+- **New users** — Roles assigned on first login (group-mapped or default).
+- **Existing users with group match** — Roles updated to reflect current mapping.
+- **Existing users without group match** — Roles left unchanged. Manually-assigned roles are never overwritten.
 
 ## Whitelist API
 
-The whitelist can be managed programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+The whitelist can be managed programmatically using a Strapi **API token**. All endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+
+**Full-access tokens** can call all routes. **Custom tokens** must be granted one of the following scopes (Settings → API Tokens → Custom → plugin permissions):
+
+| Scope                                         | Routes                                          |
+| --------------------------------------------- | ----------------------------------------------- |
+| `plugin::strapi-plugin-oidc.whitelist.read`   | `GET /whitelist`, `GET /whitelist/export`       |
+| `plugin::strapi-plugin-oidc.whitelist.write`  | `POST /whitelist`, `POST /whitelist/import`     |
+| `plugin::strapi-plugin-oidc.whitelist.delete` | `DELETE /whitelist`, `DELETE /whitelist/:email` |
 
 | Method   | Path                                       | Description            |
 | -------- | ------------------------------------------ | ---------------------- |
@@ -185,7 +212,14 @@ curl -X DELETE -H "Authorization: Bearer <token>" \
 
 ## Audit Log API
 
-Audit log entries can be fetched programmatically using a Strapi **API token** (Settings → API Tokens → Full Access). Endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+Audit log entries can be fetched programmatically using a Strapi **API token**. Endpoints are under `/api/strapi-plugin-oidc` and require `Authorization: Bearer <token>`.
+
+**Full-access tokens** can call all routes. **Custom tokens** must be granted one of the following scopes:
+
+| Scope                                     | Routes                                      |
+| ----------------------------------------- | ------------------------------------------- |
+| `plugin::strapi-plugin-oidc.audit.read`   | `GET /audit-logs`, `GET /audit-logs/export` |
+| `plugin::strapi-plugin-oidc.audit.delete` | `DELETE /audit-logs`                        |
 
 | Method   | Path                                        | Description                         |
 | -------- | ------------------------------------------- | ----------------------------------- |
@@ -246,18 +280,20 @@ curl -H "Authorization: Bearer <token>" -G \
 
 ### Recorded actions
 
-| Action                  | Trigger                                             |
-| ----------------------- | --------------------------------------------------- |
-| `login_success`         | Successful OIDC authentication                      |
-| `user_created`          | New Strapi admin user created during login          |
-| `login_failure`         | Unexpected error during the OIDC login flow         |
-| `missing_code`          | Callback received without an authorisation code     |
-| `state_mismatch`        | CSRF state cookie does not match callback parameter |
-| `nonce_mismatch`        | ID token nonce does not match the session nonce     |
-| `token_exchange_failed` | Provider returned an error during token exchange    |
-| `whitelist_rejected`    | Email not present in the active whitelist           |
-| `logout`                | User logged out via `/logout`                       |
-| `session_expired`       | Logout attempted but provider session already stale |
+| Action                  | Trigger                                                           |
+| ----------------------- | ----------------------------------------------------------------- |
+| `login_success`         | Successful OIDC authentication                                    |
+| `user_created`          | New Strapi admin user created during login                        |
+| `login_failure`         | Unexpected error during the OIDC login flow                       |
+| `missing_code`          | Callback received without an authorisation code                   |
+| `state_mismatch`        | CSRF state cookie does not match callback parameter               |
+| `nonce_mismatch`        | ID token nonce does not match the session nonce                   |
+| `token_exchange_failed` | Provider returned an error during token exchange                  |
+| `whitelist_rejected`    | Email not present in the active whitelist                         |
+| `email_not_verified`    | Provider did not report `email_verified=true`                     |
+| `id_token_invalid`      | ID token failed signature, issuer, audience, or expiry validation |
+| `logout`                | User logged out via `/logout`                                     |
+| `session_expired`       | Logout attempted but provider session already stale               |
 
 Each event is also emitted on Strapi's internal eventHub as `strapi-plugin-oidc::auth.<action>`, which Enterprise audit log listeners pick up automatically.
 
@@ -280,16 +316,16 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
 
 ### Changes from the original:
 
-- Removed alternative SSO methods to focus solely on OIDC.
-- Redesigned the Whitelist and Role management UI using native Strapi components.
-- Added OIDC enforcement with an admin toggle and config override (`OIDC_ENFORCE`).
-- Added RP-initiated logout with smart session detection — skips the provider redirect if the session is already expired.
-- Migrated to Vitest with comprehensive e2e test coverage.
-- Config variable names aligned with OIDC discovery document field names (`OIDC_SCOPE`, `OIDC_USERINFO_ENDPOINT`, `OIDC_END_SESSION_ENDPOINT`).
-- Always injects a **Login via SSO** button on the Strapi login page. Button text is configurable via `OIDC_SSO_BUTTON_TEXT`.
-- Whitelist: programmatic REST API with JSON import/export, bulk delete, delete by email, and unsaved changes guard.
-- Hardened OIDC flow: server-generated state and nonce, PKCE, Bearer token auth for userinfo, and generic error messages on failure.
-- Audit log: records all auth events to a queryable table with Admin UI, JSON export, and REST API. API responses use a single `datetime` field and omit framework metadata (id, documentId, locale, publishedAt, etc.). A separate `user_created` event is emitted when a Strapi admin is provisioned during login.
+- OIDC-only (removed other SSO methods)
+- Redesigned whitelist and role management UI using native Strapi components
+- OIDC enforcement via admin toggle or `OIDC_ENFORCE` config
+- RP-initiated logout with smart session detection
+- Migrated to Vitest with e2e coverage
+- Config variable names aligned with OIDC discovery document field names
+- **Login via SSO** button always injected; text configurable via `OIDC_SSO_BUTTON_TEXT`
+- Whitelist REST API with JSON import/export, bulk delete, delete by email
+- Hardened OIDC flow: server-generated state and nonce, PKCE, Bearer token auth for userinfo, generic error messages on failure
+- Audit log: records all auth events to a queryable table with UI, JSON/NDJSON export, and REST API
 
 ## License
 

package/dist/admin/{index-BjmTHbr9.mjs → index-8YTLPV3h.mjs}

@@ -2,10 +2,10 @@ import { jsxs, Fragment, jsx } from "react/jsx-runtime";
 import { useBlocker, Routes, Route } from "react-router-dom";
 import { useNotification, useFetchClient, Page, Layouts } from "@strapi/strapi/admin";
 import { useState, useRef, useId, useEffect, useCallback, useReducer, useMemo, memo } from "react";
-import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Dialog, Button, Table, Pagination, PreviousLink, NextLink, PageLink, Field, Divider, Thead, Tr, Th, Tbody, Td, IconButton, Tooltip, Alert } from "@strapi/design-system";
+import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Button, Dialog, Table, Pagination, PreviousLink, NextLink, PageLink, Field, Divider, Thead, Tr, Th, Tbody, Td, IconButton, Tooltip, Alert } from "@strapi/design-system";
 import { Cross, WarningCircle, Plus, Download, Upload, Trash, Calendar, Mail, Information } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { g as getTrad } from "./index-BfX_taLq.mjs";
+import { g as getTrad } from "./index-B-K4X_N9.mjs";
 import styled from "styled-components";
 import { Filter, ClipboardList, Server } from "lucide-react";
 function Role({ oidcRoles, roles, onChangeRole }) {
@@ -66,15 +66,21 @@ const TagInputWrapper = styled(Box)`
   flex-wrap: wrap;
   gap: 4px;
   align-items: center;
-  padding: 8px 16px;
+  padding-inline: ${({ theme }) => theme.spaces[4]};
+  padding-block: ${({ theme }) => theme.spaces[3]};
   border-radius: 4px;
   border: 1px solid ${({ theme }) => theme.colors.neutral200};
   background-color: ${({ theme }) => theme.colors.neutral0};
   cursor: text;
   min-width: 220px;
-  min-height: 4rem;
+  min-height: 4.8rem;
   flex: 0 0 auto;
 
+  ${({ theme }) => theme.breakpoints.medium} {
+    padding-block: ${({ theme }) => theme.spaces[2]};
+    min-height: 4rem;
+  }
+
   &:focus-within {
     border-color: ${({ theme }) => theme.colors.primary600};
     box-shadow: 0 0 0 2px ${({ theme }) => theme.colors.primary100};
@@ -139,7 +145,6 @@ function TagInputShell({
   inputProps,
   children
 }) {
-  const inputId = useId();
   return /* @__PURE__ */ jsxs(TagInputWrapper, { ref: wrapperRef, onClick: () => inputRef.current?.focus(), children: [
     /* @__PURE__ */ jsxs(Flex, { gap: 2, wrap: "wrap", alignItems: "center", style: { flex: 1, minWidth: 0 }, children: [
       startIcon && /* @__PURE__ */ jsx(StartIconSlot, { children: startIcon }),
@@ -151,14 +156,6 @@ function TagInputShell({
           type: "text",
           placeholder: value.length === 0 ? placeholder : "",
           "aria-label": placeholder,
-          autoComplete: "off",
-          autoCorrect: "off",
-          autoCapitalize: "off",
-          spellCheck: false,
-          name: `tag-input-${inputId}`,
-          "data-form-type": "other",
-          "data-lpignore": "true",
-          "data-1p-ignore": "true",
           ...inputProps
         }
       )
@@ -743,6 +740,16 @@ function TagDateInput({ value = [], onChange, placeholder, startIcon }) {
     }
   );
 }
+const SizedButton = styled(Button)`
+  && {
+    height: 4.8rem;
+  }
+  ${({ theme }) => theme.breakpoints.medium} {
+    && {
+      height: 4rem;
+    }
+  }
+`;
 const Icon = styled.span`
   display: inline-flex;
   align-items: center;
@@ -907,91 +914,98 @@ function Whitelist({
   return /* @__PURE__ */ jsxs(Box, { children: [
     /* @__PURE__ */ jsx(Typography, { tag: "p", variant: "omega", textColor: "neutral600", marginBottom: 4, children: formatMessage(getTrad("whitelist.description")) }),
     useWhitelist && /* @__PURE__ */ jsxs(Fragment, { children: [
-      /* @__PURE__ */ jsxs(Flex, { gap: 8, marginTop: 5, marginBottom: 5, alignItems: "stretch", wrap: "wrap", children: [
-        /* @__PURE__ */ jsxs(Flex, { gap: 2, alignItems: "center", style: { minWidth: "280px", flex: "1 1 280px" }, children: [
-          /* @__PURE__ */ jsx(Box, { style: { flex: 1, minWidth: "200px" }, children: /* @__PURE__ */ jsx(Field.Root, { children: /* @__PURE__ */ jsx(
-            Field.Input,
-            {
-              type: "text",
-              disabled: loading,
-              value: email,
-              hasError: Boolean(email && !EMAIL_REGEX.test(email)),
-              onChange: (e) => setEmail(e.currentTarget.value),
-              placeholder: formatMessage(getTrad("whitelist.email.placeholder")),
-              style: { fontSize: "1.4rem", lineHeight: "2.2rem" }
-            }
-          ) }) }),
-          /* @__PURE__ */ jsx(
-            Button,
-            {
-              size: "S",
-              startIcon: /* @__PURE__ */ jsx(Plus, {}),
-              style: { paddingTop: "1.1rem", paddingBottom: "1.1rem", height: "auto" },
-              disabled: loading || email.trim() === "" || !EMAIL_REGEX.test(email),
-              loading,
-              onClick: onSaveEmail,
-              children: formatMessage(getTrad("page.add"))
-            }
-          )
-        ] }),
-        /* @__PURE__ */ jsxs(Flex, { gap: 2, alignItems: "center", children: [
-          /* @__PURE__ */ jsx(
-            Button,
-            {
-              size: "S",
-              variant: "tertiary",
-              startIcon: /* @__PURE__ */ jsx(Download, {}),
-              onClick: onExport,
-              disabled: users.length === 0,
-              style: { paddingTop: "1.1rem", paddingBottom: "1.1rem", height: "auto" },
-              children: formatMessage(getTrad("whitelist.export"))
-            }
-          ),
-          /* @__PURE__ */ jsx(
-            Button,
-            {
-              size: "S",
-              variant: "tertiary",
-              startIcon: /* @__PURE__ */ jsx(Upload, {}),
-              onClick: () => fileInputRef.current?.click(),
-              style: { paddingTop: "1.1rem", paddingBottom: "1.1rem", height: "auto" },
-              children: formatMessage(getTrad("whitelist.import"))
-            }
-          ),
-          /* @__PURE__ */ jsx(
-            "input",
-            {
-              ref: fileInputRef,
-              type: "file",
-              accept: ".json,application/json",
-              style: { display: "none" },
-              onChange: handleImport
-            }
-          ),
-          /* @__PURE__ */ jsx(
-            ConfirmDialog,
-            {
-              trigger: /* @__PURE__ */ jsx(
-                Button,
+      /* @__PURE__ */ jsxs(
+        Flex,
+        {
+          gap: 8,
+          marginTop: 5,
+          marginBottom: 5,
+          alignItems: "stretch",
+          wrap: "wrap",
+          style: { rowGap: "0.8rem" },
+          children: [
+            /* @__PURE__ */ jsxs(Flex, { gap: 2, alignItems: "center", style: { minWidth: "280px", flex: "1 1 280px" }, children: [
+              /* @__PURE__ */ jsx(Box, { style: { flex: 1, minWidth: "200px" }, children: /* @__PURE__ */ jsx(Field.Root, { children: /* @__PURE__ */ jsx(
+                Field.Input,
+                {
+                  type: "text",
+                  disabled: loading,
+                  value: email,
+                  hasError: Boolean(email && !EMAIL_REGEX.test(email)),
+                  onChange: (e) => setEmail(e.currentTarget.value),
+                  placeholder: formatMessage(getTrad("whitelist.email.placeholder")),
+                  style: { fontSize: "1.4rem", lineHeight: "2.2rem" }
+                }
+              ) }) }),
+              /* @__PURE__ */ jsx(
+                SizedButton,
                 {
                   size: "S",
-                  variant: "danger-light",
-                  startIcon: /* @__PURE__ */ jsx(Trash, {}),
+                  startIcon: /* @__PURE__ */ jsx(Plus, {}),
+                  disabled: loading || email.trim() === "" || !EMAIL_REGEX.test(email),
+                  loading,
+                  onClick: onSaveEmail,
+                  children: formatMessage(getTrad("page.add"))
+                }
+              )
+            ] }),
+            /* @__PURE__ */ jsxs(Flex, { gap: 2, alignItems: "center", children: [
+              /* @__PURE__ */ jsx(
+                SizedButton,
+                {
+                  size: "S",
+                  variant: "tertiary",
+                  startIcon: /* @__PURE__ */ jsx(Download, {}),
+                  onClick: onExport,
                   disabled: users.length === 0,
-                  style: { paddingTop: "1.1rem", paddingBottom: "1.1rem", height: "auto" },
-                  children: formatMessage(getTrad("whitelist.delete.all.label"))
+                  children: formatMessage(getTrad("whitelist.export"))
                 }
               ),
-              title: formatMessage(getTrad("whitelist.delete.all.title")),
-              body: /* @__PURE__ */ jsx(Flex, { justifyContent: "center", children: /* @__PURE__ */ jsx(Typography, { textColor: "neutral800", textAlign: "center", children: formatMessage(getTrad("whitelist.delete.all.description"), {
-                count: users.length
-              }) }) }),
-              confirmLabel: formatMessage(getTrad("whitelist.delete.all.label")),
-              onConfirm: onDeleteAll
-            }
-          )
-        ] })
-      ] }),
+              /* @__PURE__ */ jsx(
+                SizedButton,
+                {
+                  size: "S",
+                  variant: "tertiary",
+                  startIcon: /* @__PURE__ */ jsx(Upload, {}),
+                  onClick: () => fileInputRef.current?.click(),
+                  children: formatMessage(getTrad("whitelist.import"))
+                }
+              ),
+              /* @__PURE__ */ jsx(
+                "input",
+                {
+                  ref: fileInputRef,
+                  type: "file",
+                  accept: ".json,application/json",
+                  style: { display: "none" },
+                  onChange: handleImport
+                }
+              ),
+              /* @__PURE__ */ jsx(
+                ConfirmDialog,
+                {
+                  trigger: /* @__PURE__ */ jsx(
+                    SizedButton,
+                    {
+                      size: "S",
+                      variant: "danger-light",
+                      startIcon: /* @__PURE__ */ jsx(Trash, {}),
+                      disabled: users.length === 0,
+                      children: formatMessage(getTrad("whitelist.delete.all.label"))
+                    }
+                  ),
+                  title: formatMessage(getTrad("whitelist.delete.all.title")),
+                  body: /* @__PURE__ */ jsx(Flex, { justifyContent: "center", children: /* @__PURE__ */ jsx(Typography, { textColor: "neutral800", textAlign: "center", children: formatMessage(getTrad("whitelist.delete.all.description"), {
+                    count: users.length
+                  }) }) }),
+                  confirmLabel: formatMessage(getTrad("whitelist.delete.all.label")),
+                  onConfirm: onDeleteAll
+                }
+              )
+            ] })
+          ]
+        }
+      ),
       /* @__PURE__ */ jsx(Divider, {}),
       /* @__PURE__ */ jsxs(CustomTable, { colCount: 4, rowCount: users.length, children: [
         /* @__PURE__ */ jsx(Thead, { children: /* @__PURE__ */ jsxs(Tr, { children: [
@@ -3597,6 +3611,8 @@ const AUDIT_ACTIONS = [
   "nonce_mismatch",
   "token_exchange_failed",
   "whitelist_rejected",
+  "email_not_verified",
+  "id_token_invalid",
   "logout",
   "session_expired",
   "user_created"
@@ -3736,14 +3752,13 @@ function AuditLog({ title } = {}) {
       title ?? /* @__PURE__ */ jsx("span", {}),
       /* @__PURE__ */ jsxs(Flex, { gap: 2, children: [
         /* @__PURE__ */ jsx(
-          Button,
+          SizedButton,
           {
             size: "S",
             variant: "tertiary",
             startIcon: /* @__PURE__ */ jsx(Download, {}),
             onClick: handleExport,
             disabled: pagination.total === 0,
-            style: { paddingTop: "1.1rem", paddingBottom: "1.1rem", height: "auto" },
             children: formatMessage(getTrad("auditlog.export"))
           }
         ),
@@ -3751,13 +3766,12 @@ function AuditLog({ title } = {}) {
           ConfirmDialog,
           {
             trigger: /* @__PURE__ */ jsx(
-              Button,
+              SizedButton,
               {
                 size: "S",
                 variant: "danger-light",
                 startIcon: /* @__PURE__ */ jsx(Trash, {}),
                 disabled: pagination.total === 0,
-                style: { paddingTop: "1.1rem", paddingBottom: "1.1rem", height: "auto" },
                 children: formatMessage(getTrad("auditlog.clear"))
               }
             ),
@@ -3838,13 +3852,12 @@ function AuditLog({ title } = {}) {
               }
             ),
             hasActiveFilters && /* @__PURE__ */ jsx(
-              Button,
+              SizedButton,
               {
                 size: "S",
                 variant: "danger-light",
                 startIcon: /* @__PURE__ */ jsx(Trash, {}),
                 onClick: clearFilters,
-                style: { height: "4rem" },
                 children: formatMessage(getTrad("auditlog.filters.clear"))
               }
             )
@@ -4365,7 +4378,7 @@ function HomePage() {
           ] }) })
         ] })
       ] }),
-      /* @__PURE__ */ jsx(Flex, { justifyContent: "flex-end", children: /* @__PURE__ */ jsx(
+      /* @__PURE__ */ jsx(Flex, { justifyContent: "flex-end", marginBottom: 8, children: /* @__PURE__ */ jsx(
         Button,
         {
           size: "L",

package/dist/admin/{index-BfX_taLq.mjs → index-B-K4X_N9.mjs}

@@ -125,6 +125,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -165,7 +167,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-BjmTHbr9.mjs");
+          return await import("./index-8YTLPV3h.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -268,7 +270,11 @@ const index = {
         window.sessionStorage.removeItem("isLoggedIn");
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        window.location.href = "/strapi-plugin-oidc/logout";
+        const form = document.createElement("form");
+        form.method = "POST";
+        form.action = "/strapi-plugin-oidc/logout";
+        document.body.appendChild(form);
+        form.submit();
         return new Promise(() => {
         });
       }

package/dist/admin/{index-CLUIKIK3.js → index-BSgVStns.js}

@@ -126,6 +126,8 @@ const en = {
   "auditlog.action.nonce_mismatch": "The nonce in the ID token did not match the one generated at login. This may indicate a token replay attack.",
   "auditlog.action.token_exchange_failed": "The authorisation code could not be exchanged for tokens. The OIDC provider rejected the request.",
   "auditlog.action.whitelist_rejected": "The user's email address is not on the whitelist. Access was denied.",
+  "auditlog.action.email_not_verified": "The OIDC provider did not confirm the user's email address as verified. Access was denied.",
+  "auditlog.action.id_token_invalid": "The ID token failed signature, issuer, audience, or expiry validation. Access was denied.",
   "auth.page.authenticating.title": "Authenticating...",
   "auth.page.authenticating.noscript.heading": "JavaScript Required",
   "auth.page.authenticating.noscript.body": "JavaScript must be enabled for authentication to complete.",
@@ -166,7 +168,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await Promise.resolve().then(() => require("./index-CacQfQ3a.js"));
+          return await Promise.resolve().then(() => require("./index-CgG_mHzZ.js"));
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -269,7 +271,11 @@ const index = {
         window.sessionStorage.removeItem("isLoggedIn");
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        window.location.href = "/strapi-plugin-oidc/logout";
+        const form = document.createElement("form");
+        form.method = "POST";
+        form.action = "/strapi-plugin-oidc/logout";
+        document.body.appendChild(form);
+        form.submit();
         return new Promise(() => {
         });
       }