feat(auth): OIDC-only admin-role bootstrap auto-connect

In OIDC-only mode, before any admin is linked, an IdP user whose token carries the configured admin role (default "admin"; OIDC_ADMIN_ROLE / oidc_settings.admin_role) auto-connects to the unbound hf admin on first OIDC sign-in, then the window self-closes once any admin is bound. Roles are scanned across userinfo + the (unverified) access token: realm_access.roles, resource_access.*.roles, roles/role/groups. Adds admin_role to settings model/env/effective/API and to the wizard bootstrap config. Replaces the manual admin-subject approach. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 21:05:39 +01:00
parent 0229fbb54c
commit 9429e37542
5 changed files with 80 additions and 1 deletions
--- a/app/init_wizard.py
+++ b/app/init_wizard.py
@@ -351,6 +351,7 @@ def init_oidc_settings(db: Session, oidc_cfg: dict, admin_user: models.User | No
            redirect_uri=(oidc_cfg.get("redirect_uri") or "").strip() or None,
            scopes=(oidc_cfg.get("scopes") or "").strip() or None,
            post_login_redirect=(oidc_cfg.get("post_login_redirect") or "").strip() or None,
+            admin_role=(oidc_cfg.get("admin_role") or "").strip() or None,
        ))
        db.commit()
        logger.info("OIDC settings bootstrapped from wizard config")