chore: update migration name

* fix(dashboard-v2): align list & patch code with the generated client

Match the now-upstream V2 client: PatchOpDTO (was JSONPatchOperationDTOOp),
ListedDashboardV2DTO as the list item, and ListSortDTO/ListOrderDTO casts on the
list params. No behaviour change — these files are still parked here.

* feat(dashboard-v2): serve V2 dashboard pages behind use_dashboard_v2 flag

Gate the dashboards list & detail entry points on useIsDashboardV2() — V1 falls
through when the flag is off (V1 detail logic moved into DashboardPage.tsx). Un-park
the V2 page directories in tsconfig so they typecheck and ship.

Also convert the // header comments in states.module.scss to /* */ — once the V2
list is wired into the import graph, vite compiles that stylesheet and the
backtick in the // comment crashed the CSS-modules parser ('Unclosed string').

* refactor(dashboard-v2): type list sort/order with the generated enums

Drop the local string-literal SortColumn/SortOrder unions and the `as` casts:
the nuqs query-state hooks now return DashboardtypesListSortDTO / ListOrderDTO
directly, and ListHeader/DashboardsList use the enum members.

docs/api/openapi.yml

@@ -470,25 +470,6 @@ components:
         role:
           type: string
       type: object
-    AuthtypesAuthDomainConfig:
-      oneOf:
-      - $ref: '#/components/schemas/AuthtypesSamlConfig'
-      - $ref: '#/components/schemas/AuthtypesGoogleConfig'
-      - $ref: '#/components/schemas/AuthtypesOIDCConfig'
-      properties:
-        googleAuthConfig:
-          $ref: '#/components/schemas/AuthtypesGoogleConfig'
-        oidcConfig:
-          $ref: '#/components/schemas/AuthtypesOIDCConfig'
-        roleMapping:
-          $ref: '#/components/schemas/AuthtypesRoleMapping'
-        samlConfig:
-          $ref: '#/components/schemas/AuthtypesSamlConfig'
-        ssoEnabled:
-          type: boolean
-        ssoType:
-          $ref: '#/components/schemas/AuthtypesAuthNProvider'
-      type: object
     AuthtypesAuthNProvider:
       enum:
       - google_auth
@@ -515,6 +496,48 @@ components:
           nullable: true
           type: array
       type: object
+    AuthtypesAuthProviderEnvelope:
+      discriminator:
+        mapping:
+          google_auth: '#/components/schemas/AuthtypesAuthProviderGoogle'
+          oidc: '#/components/schemas/AuthtypesAuthProviderOIDC'
+          saml: '#/components/schemas/AuthtypesAuthProviderSAML'
+        propertyName: type
+      oneOf:
+      - $ref: '#/components/schemas/AuthtypesAuthProviderSAML'
+      - $ref: '#/components/schemas/AuthtypesAuthProviderOIDC'
+      - $ref: '#/components/schemas/AuthtypesAuthProviderGoogle'
+      type: object
+    AuthtypesAuthProviderGoogle:
+      properties:
+        config:
+          $ref: '#/components/schemas/AuthtypesGoogleConfig'
+        type:
+          $ref: '#/components/schemas/AuthtypesAuthNProvider'
+      required:
+      - type
+      - config
+      type: object
+    AuthtypesAuthProviderOIDC:
+      properties:
+        config:
+          $ref: '#/components/schemas/AuthtypesOIDCConfig'
+        type:
+          $ref: '#/components/schemas/AuthtypesAuthNProvider'
+      required:
+      - type
+      - config
+      type: object
+    AuthtypesAuthProviderSAML:
+      properties:
+        config:
+          $ref: '#/components/schemas/AuthtypesSAMLConfig'
+        type:
+          $ref: '#/components/schemas/AuthtypesAuthNProvider'
+      required:
+      - type
+      - config
+      type: object
     AuthtypesCallbackAuthNSupport:
       properties:
         provider:
@@ -526,8 +549,6 @@ components:
       properties:
         authNProviderInfo:
           $ref: '#/components/schemas/AuthtypesAuthNProviderInfo'
-        config:
-          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
         createdAt:
           format: date-time
           type: string
@@ -537,6 +558,12 @@ components:
           type: string
         orgId:
           type: string
+        provider:
+          $ref: '#/components/schemas/AuthtypesAuthProviderEnvelope'
+        roleMapping:
+          $ref: '#/components/schemas/AuthtypesRoleMapping'
+        ssoEnabled:
+          type: boolean
         updatedAt:
           format: date-time
           type: string
@@ -634,10 +661,14 @@ components:
       type: object
     AuthtypesPostableAuthDomain:
       properties:
-        config:
-          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
         name:
           type: string
+        provider:
+          $ref: '#/components/schemas/AuthtypesAuthProviderEnvelope'
+        roleMapping:
+          $ref: '#/components/schemas/AuthtypesRoleMapping'
+        ssoEnabled:
+          type: boolean
       type: object
     AuthtypesPostableEmailPasswordSession:
       properties:
@@ -710,7 +741,7 @@ components:
         useRoleAttribute:
           type: boolean
       type: object
-    AuthtypesSamlConfig:
+    AuthtypesSAMLConfig:
       properties:
         attributeMapping:
           $ref: '#/components/schemas/AuthtypesAttributeMapping'
@@ -745,8 +776,12 @@ components:
       type: object
     AuthtypesUpdatableAuthDomain:
       properties:
-        config:
-          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
+        provider:
+          $ref: '#/components/schemas/AuthtypesAuthProviderEnvelope'
+        roleMapping:
+          $ref: '#/components/schemas/AuthtypesRoleMapping'
+        ssoEnabled:
+          type: boolean
       type: object
     AuthtypesUserRole:
       properties:

ee/authn/callbackauthn/oidccallbackauthn/authn.go

@@ -53,7 +53,7 @@ func New(store authtypes.AuthNStore, licensing licensing.Licensing, providerSett
 }
 
 func (a *AuthN) LoginURL(ctx context.Context, siteURL *url.URL, authDomain *authtypes.AuthDomain) (string, error) {
-	if authDomain.AuthDomainConfig().AuthNProvider != authtypes.AuthNProviderOIDC {
+	if authDomain.AuthDomainConfig().Provider.Type != authtypes.AuthNProviderOIDC {
 		return "", errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthDomainMismatch, "domain type is not oidc")
 	}
 
@@ -106,14 +106,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, err
 	}
 
-	if claims == nil && authDomain.AuthDomainConfig().OIDC.GetUserInfo {
+	if claims == nil && authDomain.AuthDomainConfig().Oidc().GetUserInfo {
 		claims, err = a.claimsFromUserInfo(ctx, oidcProvider, token)
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	emailClaim, ok := claims[authDomain.AuthDomainConfig().OIDC.ClaimMapping.Email].(string)
+	emailClaim, ok := claims[authDomain.AuthDomainConfig().Oidc().ClaimMapping.Email].(string)
 	if !ok {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "oidc: missing email in claims")
 	}
@@ -123,7 +123,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "oidc: failed to parse email").WithAdditional(err.Error())
 	}
 
-	if !authDomain.AuthDomainConfig().OIDC.InsecureSkipEmailVerified {
+	if !authDomain.AuthDomainConfig().Oidc().InsecureSkipEmailVerified {
 		emailVerifiedClaim, ok := claims["email_verified"].(bool)
 		if !ok {
 			return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "oidc: missing email_verified in claims")
@@ -135,14 +135,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 	}
 
 	name := ""
-	if nameClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Name; nameClaim != "" {
+	if nameClaim := authDomain.AuthDomainConfig().Oidc().ClaimMapping.Name; nameClaim != "" {
 		if n, ok := claims[nameClaim].(string); ok {
 			name = n
 		}
 	}
 
 	var groups []string
-	if groupsClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Groups; groupsClaim != "" {
+	if groupsClaim := authDomain.AuthDomainConfig().Oidc().ClaimMapping.Groups; groupsClaim != "" {
 		if claimValue, exists := claims[groupsClaim]; exists {
 			switch g := claimValue.(type) {
 			case []any:
@@ -161,7 +161,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 	}
 
 	role := ""
-	if roleClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Role; roleClaim != "" {
+	if roleClaim := authDomain.AuthDomainConfig().Oidc().ClaimMapping.Role; roleClaim != "" {
 		if r, ok := claims[roleClaim].(string); ok {
 			role = r
 		}
@@ -177,11 +177,11 @@ func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDoma
 }
 
 func (a *AuthN) oidcProviderAndoauth2Config(ctx context.Context, siteURL *url.URL, authDomain *authtypes.AuthDomain) (*oidc.Provider, *oauth2.Config, error) {
-	if authDomain.AuthDomainConfig().OIDC.IssuerAlias != "" {
-		ctx = oidc.InsecureIssuerURLContext(ctx, authDomain.AuthDomainConfig().OIDC.IssuerAlias)
+	if authDomain.AuthDomainConfig().Oidc().IssuerAlias != "" {
+		ctx = oidc.InsecureIssuerURLContext(ctx, authDomain.AuthDomainConfig().Oidc().IssuerAlias)
 	}
 
-	oidcProvider, err := oidc.NewProvider(ctx, authDomain.AuthDomainConfig().OIDC.Issuer)
+	oidcProvider, err := oidc.NewProvider(ctx, authDomain.AuthDomainConfig().Oidc().Issuer)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -194,8 +194,8 @@ func (a *AuthN) oidcProviderAndoauth2Config(ctx context.Context, siteURL *url.UR
 	}
 
 	return oidcProvider, &oauth2.Config{
-		ClientID:     authDomain.AuthDomainConfig().OIDC.ClientID,
-		ClientSecret: authDomain.AuthDomainConfig().OIDC.ClientSecret,
+		ClientID:     authDomain.AuthDomainConfig().Oidc().ClientID,
+		ClientSecret: authDomain.AuthDomainConfig().Oidc().ClientSecret,
 		Endpoint:     oidcProvider.Endpoint(),
 		Scopes:       scopes,
 		RedirectURL: (&url.URL{
@@ -212,7 +212,7 @@ func (a *AuthN) claimsFromIDToken(ctx context.Context, authDomain *authtypes.Aut
 		return nil, errors.New(errors.TypeNotFound, errors.CodeNotFound, "oidc: no id_token in token response")
 	}
 
-	verifier := provider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().OIDC.ClientID})
+	verifier := provider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().Oidc().ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "oidc: failed to verify token").WithAdditional(err.Error())

ee/authn/callbackauthn/samlcallbackauthn/authn.go

@@ -40,7 +40,7 @@ func New(ctx context.Context, store authtypes.AuthNStore, licensing licensing.Li
 }
 
 func (a *AuthN) LoginURL(ctx context.Context, siteURL *url.URL, authDomain *authtypes.AuthDomain) (string, error) {
-	if authDomain.AuthDomainConfig().AuthNProvider != authtypes.AuthNProviderSAML {
+	if authDomain.AuthDomainConfig().Provider.Type != authtypes.AuthNProviderSAML {
 		return "", errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthDomainMismatch, "saml: domain type is not saml")
 	}
 
@@ -101,19 +101,19 @@ func (a *AuthN) HandleCallback(ctx context.Context, formValues url.Values) (*aut
 	}
 
 	name := ""
-	if nameAttribute := authDomain.AuthDomainConfig().SAML.AttributeMapping.Name; nameAttribute != "" {
+	if nameAttribute := authDomain.AuthDomainConfig().Saml().AttributeMapping.Name; nameAttribute != "" {
 		if val := assertionInfo.Values.Get(nameAttribute); val != "" {
 			name = val
 		}
 	}
 
 	var groups []string
-	if groupAttribute := authDomain.AuthDomainConfig().SAML.AttributeMapping.Groups; groupAttribute != "" {
+	if groupAttribute := authDomain.AuthDomainConfig().Saml().AttributeMapping.Groups; groupAttribute != "" {
 		groups = assertionInfo.Values.GetAll(groupAttribute)
 	}
 
 	role := ""
-	if roleAttribute := authDomain.AuthDomainConfig().SAML.AttributeMapping.Role; roleAttribute != "" {
+	if roleAttribute := authDomain.AuthDomainConfig().Saml().AttributeMapping.Role; roleAttribute != "" {
 		if val := assertionInfo.Values.Get(roleAttribute); val != "" {
 			role = val
 		}
@@ -142,11 +142,11 @@ func (a *AuthN) serviceProvider(siteURL *url.URL, authDomain *authtypes.AuthDoma
 	// The ServiceProviderIssuer is the client id in case of keycloak. Since we set it to the host here, we need to set the client id == host in keycloak.
 	// For AWSSSO, this is the value of Application SAML audience.
 	return &saml2.SAMLServiceProvider{
-		IdentityProviderSSOURL:      authDomain.AuthDomainConfig().SAML.SamlIdp,
-		IdentityProviderIssuer:      authDomain.AuthDomainConfig().SAML.SamlEntity,
+		IdentityProviderSSOURL:      authDomain.AuthDomainConfig().Saml().SamlIdp,
+		IdentityProviderIssuer:      authDomain.AuthDomainConfig().Saml().SamlEntity,
 		ServiceProviderIssuer:       siteURL.Host,
 		AssertionConsumerServiceURL: acsURL.String(),
-		SignAuthnRequests:           !authDomain.AuthDomainConfig().SAML.InsecureSkipAuthNRequestsSigned,
+		SignAuthnRequests:           !authDomain.AuthDomainConfig().Saml().InsecureSkipAuthNRequestsSigned,
 		AllowMissingAttributes:      true,
 		IDPCertificateStore:         certStore,
 		SPKeyStore:                  dsig.RandomKeyStoreForTest(),
@@ -159,15 +159,15 @@ func (a *AuthN) getCertificateStore(authDomain *authtypes.AuthDomain) (dsig.X509
 	}
 
 	var certBytes []byte
-	if strings.Contains(authDomain.AuthDomainConfig().SAML.SamlCert, "-----BEGIN CERTIFICATE-----") {
-		block, _ := pem.Decode([]byte(authDomain.AuthDomainConfig().SAML.SamlCert))
+	if strings.Contains(authDomain.AuthDomainConfig().Saml().SamlCert, "-----BEGIN CERTIFICATE-----") {
+		block, _ := pem.Decode([]byte(authDomain.AuthDomainConfig().Saml().SamlCert))
 		if block == nil {
 			return certStore, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "no valid pem cert found")
 		}
 
 		certBytes = block.Bytes
 	} else {
-		certData, err := base64.StdEncoding.DecodeString(authDomain.AuthDomainConfig().SAML.SamlCert)
+		certData, err := base64.StdEncoding.DecodeString(authDomain.AuthDomainConfig().Saml().SamlCert)
 		if err != nil {
 			return certStore, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "failed to read certificate: %s", err.Error())
 		}

frontend/src/container/AIAssistant/hooks/useSpeechRecognition.ts

@@ -40,13 +40,31 @@ type SpeechRecognitionConstructor = new () => ISpeechRecognition;
 
 // ── Vendor-prefix shim for Safari / older browsers ────────────────────────────
 
-const SpeechRecognitionAPI: SpeechRecognitionConstructor | null =
-	typeof window !== 'undefined'
-		? // eslint-disable-next-line @typescript-eslint/no-explicit-any
-			((window as any).SpeechRecognition ??
+// Some hardened/enterprise browsers install a getter
+// on window.SpeechRecognition that THROWS on access ("Web Speech API is disabled
+// due to your security policy") instead of leaving the property undefined.
+// Because this resolves at module-evaluation time, an uncaught throw here aborts
+// the entire bundle and the app renders a blank page. Read defensively so a
+// throwing getter degrades to "unsupported" rather than crashing the app.
+function resolveSpeechRecognitionAPI(): SpeechRecognitionConstructor | null {
+	if (typeof window === 'undefined') {
+		return null;
+	}
+	try {
+		return (
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+			(window as any).SpeechRecognition ??
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
 			(window as any).webkitSpeechRecognition ??
-			null)
-		: null;
+			null
+		);
+	} catch {
+		return null;
+	}
+}
+
+const SpeechRecognitionAPI: SpeechRecognitionConstructor | null =
+	resolveSpeechRecognitionAPI();
 
 export type SpeechRecognitionError =
 	| 'not-supported'

frontend/src/container/ResetPassword/ResetPassword.styles.scss

@@ -142,6 +142,15 @@
 		}
 	}
 
+	.reset-password-back-action {
+		margin-top: var(--spacing-12);
+		width: 100%;
+
+		button {
+			width: 100%;
+		}
+	}
+
 	@media (max-width: 768px) {
 		width: 100%;
 		padding: 0 16px;

frontend/src/container/ResetPassword/TokenError.tsx

@@ -1,7 +1,10 @@
-import { CircleAlert } from '@signozhq/icons';
+import { ArrowLeft, CircleAlert } from '@signozhq/icons';
+import { Button } from '@signozhq/ui/button';
 import { Typography } from '@signozhq/ui/typography';
 import AuthError from 'components/AuthError/AuthError';
 import AuthPageContainer from 'components/AuthPageContainer';
+import ROUTES from 'constants/routes';
+import history from 'lib/history';
 import APIError from 'types/api/error';
 
 import './ResetPassword.styles.scss';
@@ -59,6 +62,16 @@ function TokenError({ error }: TokenErrorProps): JSX.Element {
 					</Typography.Text>
 				</div>
 				{error && <AuthError error={error} />}
+				<div className="reset-password-back-action">
+					<Button
+						variant="solid"
+						data-testid="back-to-login"
+						prefix={<ArrowLeft size={12} />}
+						onClick={(): void => history.push(ROUTES.LOGIN)}
+					>
+						Back to login
+					</Button>
+				</div>
 			</div>
 		</AuthPageContainer>
 	);

frontend/src/container/SideNav/SideNav.styles.scss

@@ -119,6 +119,10 @@
 
 				border-radius: 0px 4px 4px 0px;
 				background: var(--l3-background);
+
+				&.version-container-standalone {
+					border-radius: 4px;
+				}
 			}
 
 			.version {

frontend/src/container/SideNav/SideNav.tsx

@@ -1010,7 +1010,7 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 								<img src={signozBrandLogoUrl} alt="SigNoz" />
 							</div>
 
-							{licenseTag && (
+							{(licenseTag || currentVersion) && (
 								<div
 									className={cx(
 										'brand-title-section',
@@ -1021,7 +1021,7 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 											'version-update-notification',
 									)}
 								>
-									<span className="license-type"> {licenseTag} </span>
+									{licenseTag && <span className="license-type"> {licenseTag} </span>}
 
 									{currentVersion && (
 										<Tooltip
@@ -1043,7 +1043,12 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 												)
 											}
 										>
-											<div className="version-container">
+											<div
+												className={cx(
+													'version-container',
+													!licenseTag && 'version-container-standalone',
+												)}
+											>
 												<span
 													className={cx('version', changelog && 'version-clickable')}
 													onClick={onClickVersionHandler}

frontend/src/pages/DashboardPage/DashboardPage.tsx

@@ -0,0 +1,53 @@
+import { useEffect } from 'react';
+import { useParams } from 'react-router-dom';
+import { Modal } from 'antd';
+import { Typography } from '@signozhq/ui/typography';
+import { AxiosError } from 'axios';
+import NotFound from 'components/NotFound';
+import Spinner from 'components/Spinner';
+import DashboardContainer from 'container/DashboardContainer';
+import { useDashboardBootstrap } from 'hooks/dashboard/useDashboardBootstrap';
+import { useDashboardStore } from 'providers/Dashboard/store/useDashboardStore';
+import { ErrorType } from 'types/common';
+
+function DashboardPage(): JSX.Element {
+	const { dashboardId } = useParams<{ dashboardId: string }>();
+
+	const [onModal, Content] = Modal.useModal();
+
+	const { isLoading, isError, isFetching, error } = useDashboardBootstrap(
+		dashboardId,
+		{ confirm: onModal.confirm },
+	);
+
+	const dashboardTitle = useDashboardStore((s) => s.dashboardData?.data.title);
+
+	useEffect(() => {
+		document.title = dashboardTitle || document.title;
+	}, [dashboardTitle]);
+
+	const errorMessage = isError
+		? (error as AxiosError<{ errorType: string }>)?.response?.data?.errorType
+		: 'Something went wrong';
+
+	if (isError && !isFetching && errorMessage === ErrorType.NotFound) {
+		return <NotFound />;
+	}
+
+	if (isError && errorMessage) {
+		return <Typography>{errorMessage}</Typography>;
+	}
+
+	if (isLoading) {
+		return <Spinner tip="Loading.." />;
+	}
+
+	return (
+		<>
+			{Content}
+			<DashboardContainer />
+		</>
+	);
+}
+
+export default DashboardPage;

frontend/src/pages/DashboardPage/index.tsx

@@ -1,53 +1,15 @@
-import { useEffect } from 'react';
-import { useParams } from 'react-router-dom';
-import { Modal } from 'antd';
-import { Typography } from '@signozhq/ui/typography';
-import { AxiosError } from 'axios';
-import NotFound from 'components/NotFound';
-import Spinner from 'components/Spinner';
-import DashboardContainer from 'container/DashboardContainer';
-import { useDashboardBootstrap } from 'hooks/dashboard/useDashboardBootstrap';
-import { useDashboardStore } from 'providers/Dashboard/store/useDashboardStore';
-import { ErrorType } from 'types/common';
+import { useIsDashboardV2 } from 'hooks/useIsDashboardV2';
+import DashboardPageV2 from 'pages/DashboardPageV2';
 
-function DashboardPage(): JSX.Element {
-	const { dashboardId } = useParams<{ dashboardId: string }>();
+import DashboardPage from './DashboardPage';
 
-	const [onModal, Content] = Modal.useModal();
+// Serves the V2 dashboard detail page when the `use_dashboard_v2` flag is active;
+// otherwise the existing V1 page. Lets V2 dark-ship behind the flag without
+// changing route definitions.
+function DashboardPageEntry(): JSX.Element {
+	const isDashboardV2 = useIsDashboardV2();
 
-	const { isLoading, isError, isFetching, error } = useDashboardBootstrap(
-		dashboardId,
-		{ confirm: onModal.confirm },
-	);
-
-	const dashboardTitle = useDashboardStore((s) => s.dashboardData?.data.title);
-
-	useEffect(() => {
-		document.title = dashboardTitle || document.title;
-	}, [dashboardTitle]);
-
-	const errorMessage = isError
-		? (error as AxiosError<{ errorType: string }>)?.response?.data?.errorType
-		: 'Something went wrong';
-
-	if (isError && !isFetching && errorMessage === ErrorType.NotFound) {
-		return <NotFound />;
-	}
-
-	if (isError && errorMessage) {
-		return <Typography>{errorMessage}</Typography>;
-	}
-
-	if (isLoading) {
-		return <Spinner tip="Loading.." />;
-	}
-
-	return (
-		<>
-			{Content}
-			<DashboardContainer />
-		</>
-	);
+	return isDashboardV2 ? <DashboardPageV2 /> : <DashboardPage />;
 }
 
-export default DashboardPage;
+export default DashboardPageEntry;

frontend/src/pages/DashboardPageV2/DashboardContainer/patchOps.ts

@@ -4,7 +4,7 @@ import type {
 	DashboardtypesLayoutDTO,
 	DashboardtypesPanelDTO,
 } from 'api/generated/services/sigNoz.schemas';
-import { DashboardtypesJSONPatchOperationDTOOp } from 'api/generated/services/sigNoz.schemas';
+import { DashboardtypesPatchOpDTO } from 'api/generated/services/sigNoz.schemas';
 
 import type { GridItem } from './utils';
 
@@ -16,7 +16,7 @@ import type { GridItem } from './utils';
  * patches in DashboardSettings/General and DashboardDescription).
  */
 
-const { add, replace, remove } = DashboardtypesJSONPatchOperationDTOOp;
+const { add, replace, remove } = DashboardtypesPatchOpDTO;
 
 const PANEL_REF_PREFIX = '#/spec/panels/';
 

frontend/src/pages/DashboardsListPage/index.tsx

@@ -1,3 +1,15 @@
+import { useIsDashboardV2 } from 'hooks/useIsDashboardV2';
+import DashboardsListPageV2 from 'pages/DashboardsListPageV2';
+
 import DashboardsListPage from './DashboardsListPage';
 
-export default DashboardsListPage;
+// Serves the V2 dashboards list when the `use_dashboard_v2` flag is active;
+// otherwise the existing V1 list. Lets V2 dark-ship behind the flag without
+// changing route definitions.
+function DashboardsListPageEntry(): JSX.Element {
+	const isDashboardV2 = useIsDashboardV2();
+
+	return isDashboardV2 ? <DashboardsListPageV2 /> : <DashboardsListPage />;
+}
+
+export default DashboardsListPageEntry;

frontend/src/pages/DashboardsListPageV2/components/DashboardsList/DashboardsList.tsx

@@ -8,6 +8,10 @@ import {
 	createDashboardV2,
 	useListDashboardsV2,
 } from 'api/generated/services/dashboard';
+import {
+	DashboardtypesListOrderDTO,
+	DashboardtypesListSortDTO,
+} from 'api/generated/services/sigNoz.schemas';
 import ROUTES from 'constants/routes';
 import { RequestDashboardBtn } from 'container/ListOfDashboard/RequestDashboardBtn';
 import useComponentPermission from 'hooks/useComponentPermission';
@@ -24,8 +28,6 @@ import {
 	useSearch,
 	useSortColumn,
 	useSortOrder,
-	type SortColumn,
-	type SortOrder,
 } from '../../hooks/useDashboardsListQueryParams';
 import type { DashboardListItem } from '../../utils';
 import ConfigureMetadataModal from '../ConfigureMetadataModal/ConfigureMetadataModal';
@@ -150,7 +152,7 @@ function DashboardsList(): JSX.Element {
 	}, []);
 
 	const onSortChange = useCallback(
-		(column: SortColumn): void => {
+		(column: DashboardtypesListSortDTO): void => {
 			void setSortColumn(column);
 			void setPage(1);
 		},
@@ -158,7 +160,7 @@ function DashboardsList(): JSX.Element {
 	);
 
 	const onOrderChange = useCallback(
-		(order: SortOrder): void => {
+		(order: DashboardtypesListOrderDTO): void => {
 			void setSortOrder(order);
 			void setPage(1);
 		},

frontend/src/pages/DashboardsListPageV2/components/ListHeader/ListHeader.tsx

@@ -7,18 +7,18 @@ import {
 	HdmiPort,
 } from '@signozhq/icons';
 
-import type {
-	SortColumn,
-	SortOrder,
-} from '../../hooks/useDashboardsListQueryParams';
+import {
+	DashboardtypesListOrderDTO,
+	DashboardtypesListSortDTO,
+} from 'api/generated/services/sigNoz.schemas';
 
 import styles from './ListHeader.module.scss';
 
 interface Props {
-	sortColumn: SortColumn;
-	onSortChange: (column: SortColumn) => void;
-	sortOrder: SortOrder;
-	onOrderChange: (order: SortOrder) => void;
+	sortColumn: DashboardtypesListSortDTO;
+	onSortChange: (column: DashboardtypesListSortDTO) => void;
+	sortOrder: DashboardtypesListOrderDTO;
+	onOrderChange: (order: DashboardtypesListOrderDTO) => void;
 	onConfigureMetadata: () => void;
 }
 
@@ -44,49 +44,57 @@ function ListHeader({
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onSortChange('name')}
+									onClick={(): void => onSortChange(DashboardtypesListSortDTO.name)}
 									data-testid="sort-by-name"
 								>
 									Name
-									{sortColumn === 'name' && <Check size={14} />}
+									{sortColumn === DashboardtypesListSortDTO.name && <Check size={14} />}
 								</Button>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onSortChange('created_at')}
+									onClick={(): void =>
+										onSortChange(DashboardtypesListSortDTO.created_at)
+									}
 									data-testid="sort-by-last-created"
 								>
 									Last created
-									{sortColumn === 'created_at' && <Check size={14} />}
+									{sortColumn === DashboardtypesListSortDTO.created_at && (
+										<Check size={14} />
+									)}
 								</Button>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onSortChange('updated_at')}
+									onClick={(): void =>
+										onSortChange(DashboardtypesListSortDTO.updated_at)
+									}
 									data-testid="sort-by-last-updated"
 								>
 									Last updated
-									{sortColumn === 'updated_at' && <Check size={14} />}
+									{sortColumn === DashboardtypesListSortDTO.updated_at && (
+										<Check size={14} />
+									)}
 								</Button>
 								<div className={styles.sortDivider} />
 								<Typography.Text className={styles.sortHeading}>Order</Typography.Text>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onOrderChange('asc')}
+									onClick={(): void => onOrderChange(DashboardtypesListOrderDTO.asc)}
 									data-testid="sort-order-asc"
 								>
 									Ascending
-									{sortOrder === 'asc' && <Check size={14} />}
+									{sortOrder === DashboardtypesListOrderDTO.asc && <Check size={14} />}
 								</Button>
 								<Button
 									type="text"
 									className={styles.sortButton}
-									onClick={(): void => onOrderChange('desc')}
+									onClick={(): void => onOrderChange(DashboardtypesListOrderDTO.desc)}
 									data-testid="sort-order-desc"
 								>
 									Descending
-									{sortOrder === 'desc' && <Check size={14} />}
+									{sortOrder === DashboardtypesListOrderDTO.desc && <Check size={14} />}
 								</Button>
 							</div>
 						}

frontend/src/pages/DashboardsListPageV2/components/states/states.module.scss

@@ -1,5 +1,5 @@
-// Shared building blocks for the dashboards-list view states.
-// Composed via CSS-modules `composes:` from each state's own SCSS.
+/* Shared building blocks for the dashboards-list view states. */
+/* Composed via CSS-modules `composes:` from each state's own SCSS. */
 
 .cardWrapper {
 	display: flex;

frontend/src/pages/DashboardsListPageV2/hooks/useDashboardsListQueryParams.ts

@@ -1,3 +1,7 @@
+import {
+	DashboardtypesListOrderDTO,
+	DashboardtypesListSortDTO,
+} from 'api/generated/services/sigNoz.schemas';
 import {
 	parseAsInteger,
 	parseAsString,
@@ -7,26 +11,31 @@ import {
 	type UseQueryStateReturn,
 } from 'nuqs';
 
-export const SORT_COLUMNS = ['updated_at', 'created_at', 'name'] as const;
-export type SortColumn = (typeof SORT_COLUMNS)[number];
-
-export const SORT_ORDERS = ['asc', 'desc'] as const;
-export type SortOrder = (typeof SORT_ORDERS)[number];
+export const SORT_COLUMNS = Object.values(DashboardtypesListSortDTO);
+export const SORT_ORDERS = Object.values(DashboardtypesListOrderDTO);
 
 const opts: Options = { history: 'push' };
 
-export const useSortColumn = (): UseQueryStateReturn<SortColumn, SortColumn> =>
+export const useSortColumn = (): UseQueryStateReturn<
+	DashboardtypesListSortDTO,
+	DashboardtypesListSortDTO
+> =>
 	useQueryState(
 		'sort',
 		parseAsStringLiteral(SORT_COLUMNS)
-			.withDefault('updated_at')
+			.withDefault(DashboardtypesListSortDTO.updated_at)
 			.withOptions(opts),
 	);
 
-export const useSortOrder = (): UseQueryStateReturn<SortOrder, SortOrder> =>
+export const useSortOrder = (): UseQueryStateReturn<
+	DashboardtypesListOrderDTO,
+	DashboardtypesListOrderDTO
+> =>
 	useQueryState(
 		'order',
-		parseAsStringLiteral(SORT_ORDERS).withDefault('desc').withOptions(opts),
+		parseAsStringLiteral(SORT_ORDERS)
+			.withDefault(DashboardtypesListOrderDTO.desc)
+			.withOptions(opts),
 	);
 
 export const usePage = (): UseQueryStateReturn<number, number> =>

frontend/src/pages/DashboardsListPageV2/utils.ts

@@ -1,8 +1,8 @@
 import dayjs from 'dayjs';
 import { isEmpty } from 'lodash-es';
-import type { DashboardtypesGettableDashboardWithPinDTO } from 'api/generated/services/sigNoz.schemas';
+import type { DashboardtypesListedDashboardV2DTO } from 'api/generated/services/sigNoz.schemas';
 
-export type DashboardListItem = DashboardtypesGettableDashboardWithPinDTO;
+export type DashboardListItem = DashboardtypesListedDashboardV2DTO;
 
 export const tagsToStrings = (
 	tags: { key: string; value: string }[] | null | undefined,

frontend/src/pages/ResetPassword/__tests__/ResetPasswordPage.test.tsx

@@ -2,7 +2,7 @@ import { Logout } from 'api/utils';
 import ROUTES from 'constants/routes';
 import history from 'lib/history';
 import { createErrorResponse, rest, server } from 'mocks-server/server';
-import { render, screen, waitFor } from 'tests/test-utils';
+import { render, screen, waitFor, fireEvent } from 'tests/test-utils';
 
 import ResetPassword from '../index';
 
@@ -103,6 +103,7 @@ describe('ResetPassword Page', () => {
 			expect(
 				screen.getByText(/reset password token does not exist/i),
 			).toBeInTheDocument();
+			expect(screen.getByTestId('back-to-login')).toBeInTheDocument();
 		});
 
 		it('shows "token is expired" when token is expired (401) without redirecting to login', async () => {
@@ -137,6 +138,32 @@ describe('ResetPassword Page', () => {
 			// 401 from this endpoint must NOT trigger logout/redirect
 			expect(mockHistoryPush).not.toHaveBeenCalledWith(ROUTES.LOGIN);
 			expect(Logout).not.toHaveBeenCalled();
+			expect(screen.getByTestId('back-to-login')).toBeInTheDocument();
+		});
+
+		it('navigates to login when "Back to login" is clicked on error screen', async () => {
+			server.use(
+				rest.post(
+					VERIFY_TOKEN_ENDPOINT,
+					createErrorResponse(
+						404,
+						'reset_password_token_not_found',
+						'reset password token does not exist',
+					),
+				),
+			);
+
+			window.history.pushState({}, '', '/password-reset?token=invalid-token');
+			render(<ResetPassword />, undefined, {
+				initialRoute: '/password-reset?token=invalid-token',
+			});
+
+			await waitFor(() => {
+				expect(screen.getByTestId('back-to-login')).toBeInTheDocument();
+			});
+
+			fireEvent.click(screen.getByTestId('back-to-login'));
+			expect(mockHistoryPush).toHaveBeenCalledWith(ROUTES.LOGIN);
 		});
 
 		it('redirects to login when no token is in the URL', async () => {

frontend/tsconfig.json

@@ -48,9 +48,7 @@
 		"node_modules",
 		"src/parser/*.ts",
 		"src/parser/TraceOperatorParser/*.ts",
-		"orval.config.ts",
-		"src/pages/DashboardsListPageV2/**/*",
-		"src/pages/DashboardPageV2/**/*"
+		"orval.config.ts"
 	],
 	"include": [
 		"./src",

pkg/authn/callbackauthn/googlecallbackauthn/authn.go

@@ -59,7 +59,7 @@ func (a *AuthN) LoginURL(ctx context.Context, siteURL *url.URL, authDomain *auth
 		return "", err
 	}
 
-	if authDomain.AuthDomainConfig().AuthNProvider != authtypes.AuthNProviderGoogleAuth {
+	if authDomain.AuthDomainConfig().Provider.Type != authtypes.AuthNProviderGoogleAuth {
 		return "", errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthDomainMismatch, "domain type is not google")
 	}
 
@@ -111,7 +111,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "google: no id_token in token response")
 	}
 
-	verifier := oidcProvider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().Google.ClientID})
+	verifier := oidcProvider.Verifier(&oidc.Config{ClientID: authDomain.AuthDomainConfig().Google().ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		a.settings.Logger().ErrorContext(ctx, "google: failed to verify token", errors.Attr(err))
@@ -135,7 +135,7 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "google: unexpected hd claim")
 	}
 
-	if !authDomain.AuthDomainConfig().Google.InsecureSkipEmailVerified {
+	if !authDomain.AuthDomainConfig().Google().InsecureSkipEmailVerified {
 		if !claims.EmailVerified {
 			a.settings.Logger().ErrorContext(ctx, "google: email is not verified", slog.String("email", claims.Email))
 			return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "google: email is not verified")
@@ -148,14 +148,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 	}
 
 	var groups []string
-	if authDomain.AuthDomainConfig().Google.FetchGroups {
-		groups, err = a.fetchGoogleWorkspaceGroups(ctx, claims.Email, authDomain.AuthDomainConfig().Google)
+	if authDomain.AuthDomainConfig().Google().FetchGroups {
+		groups, err = a.fetchGoogleWorkspaceGroups(ctx, claims.Email, authDomain.AuthDomainConfig().Google())
 		if err != nil {
 			a.settings.Logger().ErrorContext(ctx, "google: could not fetch groups", errors.Attr(err))
 			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "google: could not fetch groups").WithAdditional(err.Error())
 		}
 
-		allowedGroups := authDomain.AuthDomainConfig().Google.AllowedGroups
+		allowedGroups := authDomain.AuthDomainConfig().Google().AllowedGroups
 		if len(allowedGroups) > 0 {
 			groups = filterGroups(groups, allowedGroups)
 			if len(groups) == 0 {
@@ -175,8 +175,8 @@ func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDoma
 
 func (a *AuthN) oauth2Config(siteURL *url.URL, authDomain *authtypes.AuthDomain, provider *oidc.Provider) *oauth2.Config {
 	return &oauth2.Config{
-		ClientID:     authDomain.AuthDomainConfig().Google.ClientID,
-		ClientSecret: authDomain.AuthDomainConfig().Google.ClientSecret,
+		ClientID:     authDomain.AuthDomainConfig().Google().ClientID,
+		ClientSecret: authDomain.AuthDomainConfig().Google().ClientSecret,
 		Endpoint:     provider.Endpoint(),
 		Scopes:       scopes,
 		RedirectURL: (&url.URL{

pkg/modules/authdomain/implauthdomain/handler.go

@@ -38,7 +38,7 @@ func (handler *handler) Create(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	authDomain, err := authtypes.NewAuthDomainFromConfig(body.Name, &body.Config, valuer.MustNewUUID(claims.OrgID))
+	authDomain, err := authtypes.NewAuthDomainFromConfig(body.Name, &body.AuthDomainConfig, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -154,7 +154,7 @@ func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = authDomain.Update(&body.Config)
+	err = authDomain.Update(&body.AuthDomainConfig)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/authdomain/implauthdomain/module.go

@@ -27,7 +27,7 @@ func (module *module) Get(ctx context.Context, id valuer.UUID) (*authtypes.AuthD
 }
 
 func (module *module) GetAuthNProviderInfo(ctx context.Context, domain *authtypes.AuthDomain) *authtypes.AuthNProviderInfo {
-	if callbackAuthN, ok := module.authNs[domain.AuthDomainConfig().AuthNProvider].(authn.CallbackAuthN); ok {
+	if callbackAuthN, ok := module.authNs[domain.AuthDomainConfig().Provider.Type].(authn.CallbackAuthN); ok {
 		return callbackAuthN.ProviderInfo(ctx, domain)
 	}
 	return &authtypes.AuthNProviderInfo{}
@@ -62,7 +62,7 @@ func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 	stats := make(map[string]any)
 
 	for _, domain := range domains {
-		key := "authdomain." + domain.AuthDomainConfig().AuthNProvider.StringValue() + ".count"
+		key := "authdomain." + domain.AuthDomainConfig().Provider.Type.StringValue() + ".count"
 		if value, ok := stats[key]; ok {
 			stats[key] = value.(int64) + 1
 		} else {

pkg/modules/session/implsession/module.go

@@ -201,7 +201,7 @@ func (module *module) getOrgSessionContext(ctx context.Context, org *types.Organ
 		return authtypes.NewOrgSessionContext(org.ID, org.Name).AddPasswordAuthNSupport(authtypes.AuthNProviderEmailPassword), nil
 	}
 
-	provider, err := getProvider[authn.CallbackAuthN](authDomain.AuthDomainConfig().AuthNProvider, module.authNs)
+	provider, err := getProvider[authn.CallbackAuthN](authDomain.AuthDomainConfig().Provider.Type, module.authNs)
 	if err != nil {
 		return nil, err
 	}
@@ -211,7 +211,7 @@ func (module *module) getOrgSessionContext(ctx context.Context, org *types.Organ
 		return nil, err
 	}
 
-	return authtypes.NewOrgSessionContext(org.ID, org.Name).AddCallbackAuthNSupport(authDomain.AuthDomainConfig().AuthNProvider, loginURL), nil
+	return authtypes.NewOrgSessionContext(org.ID, org.Name).AddCallbackAuthNSupport(authDomain.AuthDomainConfig().Provider.Type, loginURL), nil
 }
 
 func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs map[authtypes.AuthNProvider]authn.AuthN) (T, error) {

pkg/signoz/provider.go

@@ -212,6 +212,7 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewFixChangelogOperationTypeFactory(sqlstore, sqlschema),
 		sqlmigration.NewCloudIntegrationRemoveCascadeDeleteFactory(sqlschema),
 		sqlmigration.NewAddUserDashboardPreferenceFactory(sqlstore, sqlschema),
+		sqlmigration.NewMigrateAuthDomainPayloadFactory(),
 	)
 }
 

pkg/sqlmigration/093_migrate_auth_domain_payload.go

@@ -0,0 +1,118 @@
+package sqlmigration
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type migrateAuthDomainPayload struct{}
+
+type authDomainPayloadRaw struct {
+	bun.BaseModel `bun:"table:auth_domain"`
+
+	ID   string `bun:"id"`
+	Data string `bun:"data"`
+}
+
+// auth config type -> old sso type.
+var legacyConfigKeyByType = map[string]string{
+	"saml":        "samlConfig",
+	"oidc":        "oidcConfig",
+	"google_auth": "googleAuthConfig",
+}
+
+func NewMigrateAuthDomainPayloadFactory() factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(
+		factory.MustNewName("migrate_auth_domain_payload"),
+		func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+			return &migrateAuthDomainPayload{}, nil
+		},
+	)
+}
+
+func (migration *migrateAuthDomainPayload) Register(migrations *migrate.Migrations) error {
+	return migrations.Register(migration.Up, migration.Down)
+}
+
+func (migration *migrateAuthDomainPayload) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	var rows []*authDomainPayloadRaw
+	if err := tx.NewSelect().Model(&rows).Scan(ctx); err != nil {
+		return err
+	}
+
+	for _, row := range rows {
+		var oldData map[string]json.RawMessage
+		if err := json.Unmarshal([]byte(row.Data), &oldData); err != nil {
+			return err
+		}
+
+		// idempotency - we skip the ones which already migrated.
+		if _, hasProvider := oldData["provider"]; hasProvider {
+			continue
+		}
+		if _, hasSSOType := oldData["ssoType"]; !hasSSOType {
+			continue
+		}
+
+		var ssoType string
+		if err := json.Unmarshal(oldData["ssoType"], &ssoType); err != nil {
+			return err
+		}
+
+		provider := map[string]json.RawMessage{
+			"type": oldData["ssoType"],
+		}
+
+		// get from old data and set config in provider.
+		if configKey, ok := legacyConfigKeyByType[ssoType]; ok {
+			if cfg, ok := oldData[configKey]; ok {
+				provider["config"] = cfg
+			}
+		}
+
+		providerRaw, err := json.Marshal(provider)
+		if err != nil {
+			return err
+		}
+
+		updatedData := map[string]json.RawMessage{
+			"provider": providerRaw,
+		}
+		if v, ok := oldData["ssoEnabled"]; ok {
+			updatedData["ssoEnabled"] = v
+		}
+		if v, ok := oldData["roleMapping"]; ok {
+			updatedData["roleMapping"] = v
+		}
+
+		updatedDataRaw, err := json.Marshal(updatedData)
+		if err != nil {
+			return err
+		}
+
+		row.Data = string(updatedDataRaw)
+
+		if _, err := tx.NewUpdate().Model(row).Column("data").Where("id = ?", row.ID).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *migrateAuthDomainPayload) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/types/authtypes/domain.go

@@ -9,6 +9,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/swaggest/jsonschema-go"
 	"github.com/uptrace/bun"
 )
 
@@ -30,7 +31,7 @@ var (
 
 type GettableAuthDomain struct {
 	StorableAuthDomain
-	Config            AuthDomainConfig   `json:"config"`
+	AuthDomainConfig
 	AuthNProviderInfo *AuthNProviderInfo `json:"authNProviderInfo"`
 }
 
@@ -39,12 +40,12 @@ type AuthNProviderInfo struct {
 }
 
 type PostableAuthDomain struct {
-	Config AuthDomainConfig `json:"config"`
-	Name   string           `json:"name"`
+	Name string `json:"name"`
+	AuthDomainConfig
 }
 
 type UpdatableAuthDomain struct {
-	Config AuthDomainConfig `json:"config"`
+	AuthDomainConfig
 }
 
 type StorableAuthDomain struct {
@@ -57,22 +58,114 @@ type StorableAuthDomain struct {
 	types.TimeAuditable
 }
 
-// TODO: the oneOf emitted by JSONSchemaOneOf is not the shape OpenAPI wants
-// for a discriminated union. OpenAPI's discriminator requires every oneOf
-// branch to be a $ref to a named component and a sibling property whose value
-// selects the variant. ssoType is already discriminator-shaped, but the
-// variant payload lives in a sibling field (samlConfig / googleAuthConfig /
-// oidcConfig) instead of being the payload itself, so no discriminator can
-// be attached. Refactor AuthDomainConfig into an envelope (see
-// ruletypes.RuleThresholdData for the pattern) where the chosen config is
-// the payload and ssoType is the discriminator.
 type AuthDomainConfig struct {
-	SSOEnabled    bool          `json:"ssoEnabled"`
-	AuthNProvider AuthNProvider `json:"ssoType"`
-	SAML          *SamlConfig   `json:"samlConfig"`
-	Google        *GoogleConfig `json:"googleAuthConfig"`
-	OIDC          *OIDCConfig   `json:"oidcConfig"`
-	RoleMapping   *RoleMapping  `json:"roleMapping"`
+	SSOEnabled  bool                 `json:"ssoEnabled"`
+	RoleMapping *RoleMapping         `json:"roleMapping,omitempty"`
+	Provider    AuthProviderEnvelope `json:"provider"`
+}
+
+func (config AuthDomainConfig) Saml() *SAMLConfig {
+	cfg, _ := config.Provider.Config.(*SAMLConfig)
+	return cfg
+}
+
+func (config AuthDomainConfig) Google() *GoogleConfig {
+	cfg, _ := config.Provider.Config.(*GoogleConfig)
+	return cfg
+}
+
+func (config AuthDomainConfig) Oidc() *OIDCConfig {
+	cfg, _ := config.Provider.Config.(*OIDCConfig)
+	return cfg
+}
+
+type AuthProviderEnvelope struct {
+	Type   AuthNProvider `json:"type" required:"true"`
+	Config any           `json:"config" required:"true"` // this can be either of SamlConfig, OIDCConfig and GoogleConfig
+}
+
+// internal - drives the oneOf thing in open api spec.
+type authProviderSAML struct {
+	Type   AuthNProvider `json:"type" required:"true"`
+	Config SAMLConfig    `json:"config" required:"true"`
+}
+
+type authProviderOIDC struct {
+	Type   AuthNProvider `json:"type" required:"true"`
+	Config OIDCConfig    `json:"config" required:"true"`
+}
+
+type authProviderGoogle struct {
+	Type   AuthNProvider `json:"type" required:"true"`
+	Config GoogleConfig  `json:"config" required:"true"`
+}
+
+var (
+	_ jsonschema.OneOfExposer = AuthProviderEnvelope{}
+	_ jsonschema.Preparer     = AuthProviderEnvelope{}
+)
+
+func (AuthProviderEnvelope) JSONSchemaOneOf() []any {
+	return []any{
+		authProviderSAML{},
+		authProviderOIDC{},
+		authProviderGoogle{},
+	}
+}
+
+func (AuthProviderEnvelope) PrepareJSONSchema(schema *jsonschema.Schema) error {
+	if schema.ExtraProperties == nil {
+		schema.ExtraProperties = map[string]any{}
+	}
+
+	schema.ExtraProperties["x-signoz-discriminator"] = map[string]any{
+		"propertyName": "type",
+		"mapping": map[string]string{
+			"saml":        "#/components/schemas/AuthtypesAuthProviderSAML",
+			"oidc":        "#/components/schemas/AuthtypesAuthProviderOIDC",
+			"google_auth": "#/components/schemas/AuthtypesAuthProviderGoogle",
+		},
+	}
+
+	return nil
+}
+
+func (envelop *AuthProviderEnvelope) UnmarshalJSON(data []byte) error {
+	var raw struct {
+		Type   AuthNProvider   `json:"type"`
+		Config json.RawMessage `json:"config"`
+	}
+
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "failed to unmarshal auth provider: %v", err)
+	}
+
+	envelop.Type = raw.Type
+
+	switch raw.Type {
+	case AuthNProviderSAML:
+		cfg := new(SAMLConfig)
+		if err := json.Unmarshal(raw.Config, cfg); err != nil {
+			return err
+		}
+		envelop.Config = cfg
+	case AuthNProviderOIDC:
+		cfg := new(OIDCConfig)
+		if err := json.Unmarshal(raw.Config, cfg); err != nil {
+			return err
+		}
+		envelop.Config = cfg
+	case AuthNProviderGoogleAuth:
+		cfg := new(GoogleConfig)
+		if err := json.Unmarshal(raw.Config, cfg); err != nil {
+			return err
+		}
+		envelop.Config = cfg
+	default:
+		return errors.NewInvalidInputf(errors.CodeInvalidInput, "unknown auth provider type: %s", raw.Type.StringValue())
+	}
+
+	return nil
 }
 
 type AuthDomain struct {
@@ -121,7 +214,7 @@ func NewAuthDomainFromStorableAuthDomain(storableAuthDomain *StorableAuthDomain)
 func NewGettableAuthDomainFromAuthDomain(authDomain *AuthDomain, authNProviderInfo *AuthNProviderInfo) *GettableAuthDomain {
 	return &GettableAuthDomain{
 		StorableAuthDomain: *authDomain.StorableAuthDomain(),
-		Config:             *authDomain.AuthDomainConfig(),
+		AuthDomainConfig:   *authDomain.AuthDomainConfig(),
 		AuthNProviderInfo:  authNProviderInfo,
 	}
 }
@@ -158,51 +251,14 @@ func (typ *PostableAuthDomain) UnmarshalJSON(data []byte) error {
 		return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidName, "invalid domain name %s", temp.Name)
 	}
 
+	if temp.Provider.Config == nil {
+		return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "provider config is required")
+	}
+
 	*typ = PostableAuthDomain(temp)
 	return nil
 }
 
-func (typ *AuthDomainConfig) UnmarshalJSON(data []byte) error {
-	type Alias AuthDomainConfig
-
-	var temp Alias
-	if err := json.Unmarshal(data, &temp); err != nil {
-		return err
-	}
-
-	switch temp.AuthNProvider {
-	case AuthNProviderGoogleAuth:
-		if temp.Google == nil {
-			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "google auth config is required")
-		}
-
-	case AuthNProviderSAML:
-		if temp.SAML == nil {
-			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "saml config is required")
-		}
-
-	case AuthNProviderOIDC:
-		if temp.OIDC == nil {
-			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "oidc config is required")
-		}
-
-	default:
-		return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthDomainInvalidConfig, "invalid authn provider %q", temp.AuthNProvider.StringValue())
-	}
-
-	*typ = AuthDomainConfig(temp)
-	return nil
-
-}
-
-func (AuthDomainConfig) JSONSchemaOneOf() []any {
-	return []any{
-		SamlConfig{},
-		GoogleConfig{},
-		OIDCConfig{},
-	}
-}
-
 type AuthDomainStore interface {
 	// Get by id.
 	Get(context.Context, valuer.UUID) (*AuthDomain, error)

pkg/types/authtypes/domain_test.go

@@ -0,0 +1,154 @@
+package authtypes
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/stretchr/testify/require"
+)
+
+// Verifies the new flat wire shape: ssoType/provider configs collapse into a
+// single discriminated `provider:{type,config}`, and the typed payload survives
+// a marshal -> unmarshal round-trip. This fails if UnmarshalJSON forgets to
+// assign envelop.Config (the decoded config would be lost).
+func TestAuthDomainConfigWireRoundTrip(t *testing.T) {
+	tests := []struct {
+		name         string
+		provider     AuthNProvider
+		config       any
+		wantType     string
+		assertConfig func(t *testing.T, c AuthDomainConfig)
+	}{
+		{
+			name:     "saml",
+			provider: AuthNProviderSAML,
+			config: &SAMLConfig{
+				SamlEntity: "https://idp.example.com",
+				SamlIdp:    "https://idp.example.com/sso",
+				SamlCert:   "cert-bytes",
+			},
+			wantType: "saml",
+			assertConfig: func(t *testing.T, c AuthDomainConfig) {
+				require.NotNil(t, c.Saml())
+				require.Equal(t, "https://idp.example.com", c.Saml().SamlEntity)
+			},
+		},
+		{
+			name:     "google",
+			provider: AuthNProviderGoogleAuth,
+			config:   &GoogleConfig{ClientID: "cid", ClientSecret: "secret"},
+			wantType: "google_auth",
+			assertConfig: func(t *testing.T, c AuthDomainConfig) {
+				require.NotNil(t, c.Google())
+				require.Equal(t, "cid", c.Google().ClientID)
+			},
+		},
+		{
+			name:     "oidc",
+			provider: AuthNProviderOIDC,
+			config:   &OIDCConfig{Issuer: "https://issuer", ClientID: "cid", ClientSecret: "secret"},
+			wantType: "oidc",
+			assertConfig: func(t *testing.T, c AuthDomainConfig) {
+				require.NotNil(t, c.Oidc())
+				require.Equal(t, "https://issuer", c.Oidc().Issuer)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			in := AuthDomainConfig{
+				SSOEnabled: true,
+				Provider:   AuthProviderEnvelope{Type: tt.provider, Config: tt.config},
+			}
+
+			raw, err := json.Marshal(in)
+			require.NoError(t, err)
+
+			js := string(raw)
+			require.Contains(t, js, `"provider"`)
+			require.Contains(t, js, `"type":"`+tt.wantType+`"`)
+			// legacy keys must be gone
+			require.NotContains(t, js, "ssoType")
+			require.NotContains(t, js, "samlConfig")
+			require.NotContains(t, js, "googleAuthConfig")
+			require.NotContains(t, js, "oidcConfig")
+
+			var out AuthDomainConfig
+			require.NoError(t, json.Unmarshal(raw, &out))
+			require.True(t, out.SSOEnabled)
+			require.Equal(t, tt.provider, out.Provider.Type)
+			tt.assertConfig(t, out)
+		})
+	}
+}
+
+// Unknown discriminator values are rejected, and the nested provider config's
+// own validators still run through the envelope.
+func TestAuthDomainConfigUnmarshalRejects(t *testing.T) {
+	tests := []struct {
+		name string
+		json string
+	}{
+		{
+			name: "unknown provider type",
+			json: `{"ssoEnabled":true,"provider":{"type":"ldap","config":{}}}`,
+		},
+		{
+			name: "oidc config missing clientId",
+			json: `{"ssoEnabled":true,"provider":{"type":"oidc","config":{"issuer":"https://issuer","clientSecret":"secret"}}}`,
+		},
+		{
+			name: "saml config missing samlEntity",
+			json: `{"ssoEnabled":true,"provider":{"type":"saml","config":{"samlIdp":"https://idp/sso","samlCert":"abc"}}}`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var c AuthDomainConfig
+			require.Error(t, json.Unmarshal([]byte(tt.json), &c))
+		})
+	}
+}
+
+// The config is marshaled into the `data` column and unmarshaled back when the
+// domain is loaded, so the typed provider config must survive that round-trip.
+func TestAuthDomainStorageRoundTrip(t *testing.T) {
+	cfg := AuthDomainConfig{
+		SSOEnabled: true,
+		Provider: AuthProviderEnvelope{
+			Type:   AuthNProviderSAML,
+			Config: &SAMLConfig{SamlEntity: "https://idp", SamlIdp: "https://idp/sso", SamlCert: "abc"},
+		},
+	}
+
+	domain, err := NewAuthDomainFromConfig("example.com", &cfg, valuer.GenerateUUID())
+	require.NoError(t, err)
+
+	got := domain.AuthDomainConfig()
+	require.Equal(t, AuthNProviderSAML, got.Provider.Type)
+	require.NotNil(t, got.Saml())
+	require.Equal(t, "https://idp", got.Saml().SamlEntity)
+}
+
+// Postable keeps name-regex validation and still decodes the embedded provider.
+func TestPostableAuthDomainUnmarshal(t *testing.T) {
+	valid := `{
+		"name":"example.com",
+		"ssoEnabled":true,
+		"provider":{"type":"saml","config":{"samlEntity":"https://idp","samlIdp":"https://idp/sso","samlCert":"abc"}}
+	}`
+
+	var p PostableAuthDomain
+	require.NoError(t, json.Unmarshal([]byte(valid), &p))
+	require.Equal(t, "example.com", p.Name)
+	require.True(t, p.SSOEnabled)
+	require.NotNil(t, p.Saml())
+	require.Equal(t, "https://idp", p.Saml().SamlEntity)
+
+	invalid := `{"name":"not a domain!","provider":{"type":"saml","config":{"samlEntity":"https://idp","samlIdp":"https://idp/sso","samlCert":"abc"}}}`
+	var bad PostableAuthDomain
+	require.Error(t, json.Unmarshal([]byte(invalid), &bad))
+}

pkg/types/authtypes/saml.go

@@ -6,7 +6,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 )
 
-type SamlConfig struct {
+type SAMLConfig struct {
 	// The entityID of the SAML identity provider. It can typically be found in the EntityID attribute of the EntityDescriptor element in the SAML metadata of the identity provider. Example: <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{samlEntity}">
 	SamlEntity string `json:"samlEntity"`
 
@@ -25,8 +25,8 @@ type SamlConfig struct {
 	AttributeMapping AttributeMapping `json:"attributeMapping"`
 }
 
-func (config *SamlConfig) UnmarshalJSON(data []byte) error {
-	type Alias SamlConfig
+func (config *SAMLConfig) UnmarshalJSON(data []byte) error {
+	type Alias SAMLConfig
 
 	var temp Alias
 	if err := json.Unmarshal(data, &temp); err != nil {
@@ -51,6 +51,6 @@ func (config *SamlConfig) UnmarshalJSON(data []byte) error {
 		}
 	}
 
-	*config = SamlConfig(temp)
+	*config = SAMLConfig(temp)
 	return nil
 }

tests/fixtures/idp.py

@@ -371,10 +371,11 @@ def idp_login(driver: webdriver.Chrome) -> Callable[[str, str], None]:
 
         # Click the login button
         login_button = wait.until(EC.element_to_be_clickable((By.ID, "kc-login")))
+        current_url = driver.current_url
         login_button.click()
 
-        # Wait till kc-login element has vanished from the page, which means that a redirection is taking place.
-        wait.until(EC.invisibility_of_element((By.ID, "kc-login")))
+        # Wait till the page redirects away from the login form. We poll the URL.
+        wait.until(EC.url_changes(current_url))
 
     return _idp_login
 
@@ -686,6 +687,8 @@ def perform_saml_login(
     url = session_context["orgs"][0]["authNSupport"]["callback"][0]["url"]
     driver.get(url)
     idp_login(email, password)
+    # wait until the browser lands back on SigNoz
+    WebDriverWait(driver, 15).until(lambda d: d.current_url.startswith(signoz.self.host_configs["8080"].base()))
 
 
 def delete_keycloak_client(idp: types.TestContainerIDP, client_id: str) -> None:

tests/integration/tests/basepath/01_oidc.py

@@ -53,10 +53,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/signoz/api/v1/domains"),
         json={
             "name": "oidc.basepath.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "oidc",
-                "oidcConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "oidc",
+                "config": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     # Change the hostname of the issuer to the internal resolvable hostname of the idp

tests/integration/tests/basepath/02_saml.py

@@ -51,10 +51,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/signoz/api/v1/domains"),
         json={
             "name": "saml.basepath.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],

tests/integration/tests/callbackauthn/01_domain.py

@@ -31,10 +31,10 @@ def test_create_and_get_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "domain-google.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "google_auth",
-                "googleAuthConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "google_auth",
+                "config": {
                     "clientId": "client-id",
                     "clientSecret": "client-secret",
                     "redirectURI": "redirect-uri",
@@ -52,10 +52,10 @@ def test_create_and_get_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "domain-saml.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
@@ -86,7 +86,7 @@ def test_create_and_get_domain(
             "domain-google.integration.test",
             "domain-saml.integration.test",
         ]
-        assert domain["config"]["ssoType"] in ["google_auth", "saml"]
+        assert domain["provider"]["type"] in ["google_auth", "saml"]
 
 
 def test_create_invalid(
@@ -96,15 +96,16 @@ def test_create_invalid(
 ):
     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
 
-    # Create a domain with type saml and body for oidc, this should fail because oidcConfig is not allowed for saml
+    # Create a domain with type saml but an oidc-shaped config; this should fail
+    # because the config is decoded as SAML and fails SAML validation.
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "domain.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "oidcConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "clientId": "client-id",
                     "clientSecret": "client-secret",
                     "issuer": "issuer",
@@ -122,10 +123,10 @@ def test_create_invalid(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "$%^invalid",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
@@ -142,15 +143,15 @@ def test_create_invalid(
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-            }
+            },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
@@ -158,7 +159,7 @@ def test_create_invalid(
 
     assert response.status_code == HTTPStatus.BAD_REQUEST
 
-    # Create a domain with no config
+    # Create a domain with no provider
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
@@ -184,17 +185,17 @@ def test_create_invalid_role_mapping(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "invalid-role-test.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-                "roleMapping": {
-                    "defaultRole": "SUPERADMIN",  # Invalid role
-                },
+            },
+            "roleMapping": {
+                "defaultRole": "SUPERADMIN",  # Invalid role
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
@@ -208,19 +209,19 @@ def test_create_invalid_role_mapping(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "invalid-group-role.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-                "roleMapping": {
-                    "defaultRole": "VIEWER",
-                    "groupMappings": {
-                        "admins": "SUPERUSER",  # Invalid role
-                    },
+            },
+            "roleMapping": {
+                "defaultRole": "VIEWER",
+                "groupMappings": {
+                    "admins": "SUPERUSER",  # Invalid role
                 },
             },
         },
@@ -235,20 +236,20 @@ def test_create_invalid_role_mapping(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "valid-role-mapping.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": "saml-entity",
                     "samlIdp": "saml-idp",
                     "samlCert": "saml-cert",
                 },
-                "roleMapping": {
-                    "defaultRole": "VIEWER",
-                    "groupMappings": {
-                        "signoz-admins": "ADMIN",
-                        "signoz-editors": "EDITOR",
-                    },
+            },
+            "roleMapping": {
+                "defaultRole": "VIEWER",
+                "groupMappings": {
+                    "signoz-admins": "ADMIN",
+                    "signoz-editors": "EDITOR",
                 },
             },
         },

tests/integration/tests/callbackauthn/02_saml.py

@@ -53,10 +53,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "saml.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],
@@ -176,10 +176,10 @@ def test_saml_update_domain_with_group_mappings(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],
@@ -189,15 +189,15 @@ def test_saml_update_domain_with_group_mappings(
                         "role": "signoz_role",
                     },
                 },
-                "roleMapping": {
-                    "defaultRole": "VIEWER",
-                    "groupMappings": {
-                        "signoz-admins": "ADMIN",
-                        "signoz-editors": "EDITOR",
-                        "signoz-viewers": "VIEWER",
-                    },
-                    "useRoleAttribute": False,
+            },
+            "roleMapping": {
+                "defaultRole": "VIEWER",
+                "groupMappings": {
+                    "signoz-admins": "ADMIN",
+                    "signoz-editors": "EDITOR",
+                    "signoz-viewers": "VIEWER",
                 },
+                "useRoleAttribute": False,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
@@ -340,10 +340,10 @@ def test_saml_update_domain_with_use_role_claim(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "saml",
-                "samlConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "saml",
+                "config": {
                     "samlEntity": settings["entityID"],
                     "samlIdp": settings["singleSignOnServiceLocation"],
                     "samlCert": settings["certificate"],
@@ -353,14 +353,14 @@ def test_saml_update_domain_with_use_role_claim(
                         "role": "signoz_role",
                     },
                 },
-                "roleMapping": {
-                    "defaultRole": "VIEWER",
-                    "groupMappings": {
-                        "signoz-admins": "ADMIN",
-                        "signoz-editors": "EDITOR",
-                    },
-                    "useRoleAttribute": True,
+            },
+            "roleMapping": {
+                "defaultRole": "VIEWER",
+                "groupMappings": {
+                    "signoz-admins": "ADMIN",
+                    "signoz-editors": "EDITOR",
                 },
+                "useRoleAttribute": True,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},

tests/integration/tests/callbackauthn/03_oidc.py

@@ -57,10 +57,10 @@ def test_create_auth_domain(
         signoz.self.host_configs["8080"].get("/api/v1/domains"),
         json={
             "name": "oidc.integration.test",
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "oidc",
-                "oidcConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "oidc",
+                "config": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     # Change the hostname of the issuer to the internal resolvable hostname of the idp
@@ -132,10 +132,10 @@ def test_oidc_update_domain_with_group_mappings(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "oidc",
-                "oidcConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "oidc",
+                "config": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",
@@ -148,15 +148,15 @@ def test_oidc_update_domain_with_group_mappings(
                         "role": "signoz_role",
                     },
                 },
-                "roleMapping": {
-                    "defaultRole": "VIEWER",
-                    "groupMappings": {
-                        "signoz-admins": "ADMIN",
-                        "signoz-editors": "EDITOR",
-                        "signoz-viewers": "VIEWER",
-                    },
-                    "useRoleAttribute": False,
+            },
+            "roleMapping": {
+                "defaultRole": "VIEWER",
+                "groupMappings": {
+                    "signoz-admins": "ADMIN",
+                    "signoz-editors": "EDITOR",
+                    "signoz-viewers": "VIEWER",
                 },
+                "useRoleAttribute": False,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},
@@ -301,10 +301,10 @@ def test_oidc_update_domain_with_use_role_claim(
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
         json={
-            "config": {
-                "ssoEnabled": True,
-                "ssoType": "oidc",
-                "oidcConfig": {
+            "ssoEnabled": True,
+            "provider": {
+                "type": "oidc",
+                "config": {
                     "clientId": settings["client_id"],
                     "clientSecret": settings["client_secret"],
                     "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",
@@ -317,14 +317,14 @@ def test_oidc_update_domain_with_use_role_claim(
                         "role": "signoz_role",
                     },
                 },
-                "roleMapping": {
-                    "defaultRole": "VIEWER",
-                    "groupMappings": {
-                        "signoz-admins": "ADMIN",
-                        "signoz-editors": "EDITOR",
-                    },
-                    "useRoleAttribute": True,
+            },
+            "roleMapping": {
+                "defaultRole": "VIEWER",
+                "groupMappings": {
+                    "signoz-admins": "ADMIN",
+                    "signoz-editors": "EDITOR",
                 },
+                "useRoleAttribute": True,
             },
         },
         headers={"Authorization": f"Bearer {admin_token}"},