ENG-8753 docs: add enterprise auth documentation section

[FarhanAliRaza]

Add docs for the OIDC AuthPlugin covering the secure-by-default model, providers, custom auth pages, and testing guarded code. Register the new pages in the enterprise sidebar, add an Authentication category to the enterprise overview, and whitelist the section for preview.

All Submissions:

• Have you followed the guidelines stated in CONTRIBUTING.md file?
• Have you checked to ensure there aren't any other open Pull Requests for the desired changed?

Type of change

Please delete options that are not relevant.

• New feature (non-breaking change which adds functionality)

New Feature Submission:

• Does your submission pass the tests?
• Have you linted your code locally prior to submission?

Changes To Core Features:

• Have you added an explanation of what your changes do and why you'd like us to include them?

[codspeed-hq]

Merging this PR will not alter performance

✅ 26 untouched benchmarks
⏩ 8 skipped benchmarks¹

---

_{Comparing FarhanAliRaza:auth-docs (cb304f4) with main (8b56f52)}

Footnotes

1. 8 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[greptile-apps]

Greptile Summary

This PR adds a complete enterprise authentication documentation section covering the rxe.AuthPlugin OIDC integration, registering six new pages and wiring them into the enterprise sidebar and overview.

• New auth docs: overview, secure-by-default, providers, custom-pages, testing, and deployment pages document the full lifecycle of OIDC auth in Reflex Enterprise, including the secure-by-default model, authorization checks, provider subclassing, custom page builders, unit-testing patterns, and production deployment requirements.
• Sidebar and overview updated: The new pages are registered in the enterprise sidebar under a new "Authentication" group and listed in the enterprise/overview.md feature table with correct counts and links.
• Whitelist correctly reset: WHITELISTED_PAGES is empty, ensuring the full docs site builds; an earlier dev-only non-empty state was reverted in a prior commit on this branch.

Confidence Score: 4/5

Safe to merge after fixing one broken code snippet in the providers page.

The UserInfo TypedDict example in providers.md references rx.State without importing reflex as rx, so the snippet fails with a NameError for anyone who copies it verbatim. All other docs pages have correct imports and accurate cross-links. The whitelist is correctly empty.

docs/enterprise/auth/providers.md — the UserInfo TypedDict code block at line 263 is missing import reflex as rx.

Important Files Changed

Filename	Overview
docs/app/reflex_docs/whitelist.py	Whitelist is correctly reset to an empty list (WHITELISTED_PAGES = []), building all pages; the dev-only non-empty state from an earlier commit was reverted in commit 34b71c8.
docs/enterprise/auth/overview.md	New AuthPlugin overview covering quickstart, four protected surfaces, reading the current user, signing out, and the login flow; cross-links are consistent and prose is accurate.
docs/enterprise/auth/secure-by-default.md	Thorough coverage of the auth= API (bool/callable), page/event/field/var surfaces, authorization checks, context objects, CSRF logout protection, and the User facade; imports in all code snippets are correct.
docs/enterprise/auth/providers.md	Covers GenericOIDCAuthState, named providers, environment variables, scopes, multi-provider setups, hooks, and token access; the UserInfo TypedDict snippet at line 263 is missing import reflex as rx, causing a NameError for copy-pasters.
docs/enterprise/auth/custom-pages.md	Documents the page-builder contract for login, callback, logout, and forbidden pages with examples, auth-failure UX, and wiring instructions; content is accurate and well-structured.
docs/enterprise/auth/testing.md	Testing guide covers unit-testing auth checks with hand-built contexts, async checks with @pytest.mark.asyncio, and end-to-end mock-IdP flows with oidc-provider-mock and Playwright.
docs/enterprise/auth/deployment.md	Deployment guide covering HTTPS requirements, callback URL registration, reverse proxy/multi-replica behaviour, IdP-specific examples, and a troubleshooting table.
docs/enterprise/overview.md	Adds an Authentication category (6 entries, count=6) with correct links to the new auth docs pages alongside the existing categories.
docs/app/reflex_docs/templates/docpage/sidebar/sidebar_items/enterprise.py	Adds a new Authentication sidebar section with 6 entries; structure is consistent with the rest of the file.

_{Reviews (9): Last reviewed commit: "Merge branch 'main' into auth-docs" | Re-trigger Greptile}

[masenf]

this sentence is kind of confusing; sounds like you make openfga checks with get_state... but that function is only for accessing other states

[masenf]

i don't love this example, but we should at the least be using a backend var for anything related to auth checks

[masenf]

i dont really like the overall tone of the docs, it reads as very LLMish.

Stuff like this is particularly bad:

• "The plugin auto-installs middleware that blocks cross-site GET navigations to /logout — using the browser-set, JS-unspoofable Sec-Fetch-Site header — so an attacker's <iframe> can't silently log the user out (it is redirected to the frontend root before the SPA boots)"
• "User is an alias of AuthUserState; you can read claims off either name."
  • the part after the semicolon is obvious if it's an alias, we don't need to patronize our readers. The sentence could be improved by saying "User is an alias of reflex_enterprise.auth.AuthUserState and may be used interchangeably"
• "This page covers the default provider, naming your own, the environment variables each one reads, registering providers with the plugin, scopes and refresh tokens, running several providers at once, the claims they return, and the advanced hooks you can override."
  • No one wants to read a long running inline list. Either bullet or remove. The headings are visible on the right anyway, so the user knows what to expect on this page.
• "Render a login button for the provider with its get_login_button() classmethod (pass children to customize the clickable element):"
  • This seems like it should maybe be under the customization section, feels kind of out of place on the OIDC provider page, especially because we would prefer them to redirect to /login and display the palette rather than rendering provider-specific login buttons themselves.
• The dash then rephrasing what was obviously stated is an annoying LLMism. These should be rephrased more like reference material, not like an LLM explaining/justifying a PR.
  • "When the app detects it is embedded in an iframe, login and logout automatically switch from a top-level redirect to a popup window with a postMessage token hand-off — so a Reflex auth app embeds inside another product with no extra configuration. "
  • "This auto-switch only works through the provider's get_login_button() — it mounts the message listener that receives the tokens posted from the popup"

idk i could keep going, but my recommendation is to have your agent reword a lot of this material to be less conversational and LLMish and moreso fit the tone of reference documentation.