feat(auth): OIDC-only admin-role bootstrap auto-connect

In OIDC-only mode, before any admin is linked, an IdP user whose token carries the configured admin role (default "admin"; OIDC_ADMIN_ROLE / oidc_settings.admin_role) auto-connects to the unbound hf admin on first OIDC sign-in, then the window self-closes once any admin is bound. Roles are scanned across userinfo + the (unverified) access token: realm_access.roles, resource_access.*.roles, roles/role/groups. Adds admin_role to settings model/env/effective/API and to the wizard bootstrap config. Replaces the manual admin-subject approach. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 21:05:39 +01:00
parent 0229fbb54c
commit 9429e37542
5 changed files with 80 additions and 1 deletions
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -46,6 +46,7 @@ class Settings(BaseSettings):
    OIDC_REDIRECT_URI: str = ""      # backend callback, e.g. https://hf-api.example.com/auth/oidc/callback
    OIDC_SCOPES: str = "openid email profile"
    OIDC_POST_LOGIN_REDIRECT: str = ""   # frontend URL to return to (token in fragment). Falls back to "/"
+    OIDC_ADMIN_ROLE: str = "admin"       # OIDC role name that bootstraps the unbound hf admin (OIDC-only)

    # When true: no password login at all. Password login endpoint rejects,
    # user creation ignores any password (passwordless user that can only use