What is the user interaction of your feature

Users should be able to sign up and log in to ApeRAG using their existing social media accounts instead of creating a new username/password combination. This provides a more convenient and secure authentication experience.

User Stories:

• As a new user, I want to sign up using my Google/GitHub/Microsoft account so that I don't need to remember another password
• As an existing user, I want to link my social accounts to my profile for easier login
• As a user, I want to choose my preferred social login method from multiple options
• As an admin, I want to configure which social login providers are available

Is your feature request related to a problem? Please describe.

Currently, ApeRAG only supports traditional email/password authentication, which creates friction for users who:

• Don't want to create yet another account with username/password
• Prefer the security and convenience of OAuth2 social login
• Are already authenticated with major platforms like Google, GitHub, Microsoft, etc.
• Want to leverage their existing professional accounts (especially for enterprise users)

If this is a new feature, please describe the motivation and goals.

Motivation:

• Reduce user onboarding friction and improve conversion rates
• Enhance security by leveraging established OAuth2 providers
• Provide enterprise-friendly authentication options
• Follow modern authentication best practices

Goals:

• Implement OAuth2 social login using fastapi-users built-in support
• Support major providers: Google, GitHub, Microsoft, potentially others
• Maintain existing email/password authentication as an option
• Ensure secure token handling and user data privacy
• Provide admin configuration for enabling/disabling providers

Describe the solution you'd like

Implement social login using fastapi-users OAuth2 support with the following providers:

Phase 1 - Core Implementation:

• Google OAuth2
• GitHub OAuth2
• Microsoft OAuth2 (Azure AD)

Technical Implementation:

• Leverage fastapi-users[oauth] package capabilities
• Add OAuth2 client configurations to settings
• Create social login buttons on frontend login/signup pages
• Handle OAuth2 callback endpoints
• Implement account linking for existing users
• Add user profile management for linked accounts

Frontend Changes:

• Add social login buttons to login/signup forms
• Create account linking interface in user settings
• Handle OAuth2 redirect flows
• Display linked accounts in user profile

Backend Changes:

• Configure OAuth2 clients in aperag/auth/
• Add OAuth2 callback routes
• Extend user model to store social account links
• Add admin settings for OAuth2 provider configuration

Describe alternatives you've considered

1. Custom OAuth2 implementation - More work, reinventing the wheel when fastapi-users already provides this
2. Third-party auth services (Auth0, Firebase Auth) - Adds external dependency and cost
3. SAML/LDAP only - Limited to enterprise, doesn't help individual users
4. Single provider only - Less flexible, doesn't meet diverse user needs

Additional context

Technical References:

• fastapi-users OAuth2 documentation
• OAuth2 providers supported by fastapi-users

Security Considerations:

• Implement proper CSRF protection for OAuth2 flows
• Secure storage of OAuth2 client secrets
• Proper scope handling for user data access
• Account takeover prevention when linking social accounts

Configuration Requirements:

• Environment variables for OAuth2 client IDs and secrets
• Admin interface for enabling/disabling providers
• Proper redirect URI configuration for different environments

Priority: High - This is a common user request that significantly improves user experience and reduces onboarding friction.