ENG-3473: Add IDP-driven identity verification to Privacy Center

[galvana]

Ticket ENG-3473

Description Of Changes

Adds IDP/SSO-based identity verification to the Privacy Center as an alternative to email OTP. Users authenticate with their organization's IDP (Google, Okta, Azure AD, or custom OIDC) before seeing the Privacy Center homepage. Once authenticated, they can submit privacy requests without further identity verification.

Flow: Authenticate via IDP on homepage -> See action cards -> Click card -> Fill custom fields (pre-populated with IDP name) -> Submit -> Success

Configurable per deployment via config.json (optional identity_verification block). When omitted, the existing OTP flow is completely untouched.

Dependency: Requires fidesplus#3445 for the backend service, routes, and token infrastructure.

Code Changes

Backend schema (src/fides/api/schemas/privacy_center_config.py):

• Add IDPProviderConfig and IdentityVerificationConfig Pydantic schemas
• Add optional identity_verification field to PrivacyCenterConfig (backward compatible)

Frontend types and validation:

• Add IDPProviderConfig, IdentityVerificationConfig interfaces to types/config.ts
• Add identity_verification to API-driven PrivacyCenterConfig.ts type
• Add config validation for identity_verification block in validation.ts

Frontend feature (features/idp-verification/):

• IDPLoginButtons.tsx — Provider buttons with auto-fetched icons from /plus/openid-provider/simple
• IDPCallbackHandler.tsx — Exchanges OAuth code, stores email/name/token in sessionStorage, redirects to homepage
• Types, constants, barrel export

Privacy Center pages:

• New /idp-callback pages (root + [propertyPath] variants)
• HomePage.tsx — Gates on IDP session; shows IDP login buttons when unauthenticated
• PrivacyRequestFormPage.tsx — Reads stored IDP token, passes to form
• PrivacyRequestForm.tsx — Hides identity fields (name/email/phone) when IDP token present
• usePrivacyRequestForm.ts — Skips identity validation in IDP mode, submits to /plus/privacy-request/idp-verified, pre-populates first_name/last_name from IDP session

Assets:

• OAuth login provider icons (google, okta, azure, custom, github SVGs) copied to privacy-center public

Steps to Confirm

1. Create an OpenID Provider in the backend (e.g., Google with profile scope)
2. Add identity_verification block to config.json:

   "identity_verification": {
     "method": "idp",
     "idp_providers": [{ "identifier": "google", "label": "Sign in with Google" }]
   }

3. Register http://localhost:3001/idp-callback as authorized redirect URI in IDP
4. Visit Privacy Center homepage — should show IDP login button instead of action cards
5. Click IDP button, authenticate — should redirect back to homepage showing action cards
6. Click an action card — should show form with identity fields hidden, first/last name pre-populated from IDP
7. Submit — should succeed and show success page
8. Submit a second request (different action) — should work without re-authenticating
9. Remove identity_verification from config — verify OTP flow works as before

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
• Followup issues:
  • Followup issues created
• Database migrations:
  • No migrations
• Documentation:
  • Documentation issue created in fidesdocs

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Apr 21, 2026 8:27pm
fides-privacy-center	Ignored		Apr 21, 2026 8:27pm

[codecov]

Codecov Report

❌ Patch coverage is 76.92308% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.94%. Comparing base (e7a6527) to head (506a7a5).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
src/fides/api/schemas/privacy_center_config.py	76.92%	3 Missing ⚠️

❌ Your project check has failed because the head coverage (84.94%) is below the target coverage (85.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7984      +/-   ##
==========================================
- Coverage   84.94%   84.94%   -0.01%     
==========================================
  Files         630      630              
  Lines       41086    41099      +13     
  Branches     4769     4770       +1     
==========================================
+ Hits        34901    34911      +10     
- Misses       5102     5105       +3     
  Partials     1083     1083              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.