hzhang
1c91cb32fc
In OIDC-only mode, before any admin is linked, an IdP user whose token carries the configured admin role (default "admin"; OIDC_ADMIN_ROLE / oidc_settings.admin_role) auto-connects to the unbound hf admin on first OIDC sign-in, then the window self-closes once any admin is bound. Roles are scanned across userinfo + the (unverified) access token: realm_access.roles, resource_access.*.roles, roles/role/groups. Adds admin_role to settings model/env/effective/API and to the wizard bootstrap config. Replaces the manual admin-subject approach. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
26 lines
1.1 KiB
Python
26 lines
1.1 KiB
Python
from sqlalchemy import Column, Integer, String, Boolean, DateTime
|
|
from sqlalchemy.sql import func
|
|
from app.core.config import Base
|
|
|
|
|
|
class OidcSettings(Base):
|
|
"""Single-row (id=1) runtime OIDC configuration.
|
|
|
|
When a row exists its non-empty fields override the OIDC_* env vars,
|
|
so the provider can be configured from the admin UI without a redeploy.
|
|
"""
|
|
__tablename__ = "oidc_settings"
|
|
|
|
id = Column(Integer, primary_key=True, default=1)
|
|
enabled = Column(Boolean, default=False, nullable=False)
|
|
issuer = Column(String(255), nullable=True)
|
|
client_id = Column(String(255), nullable=True)
|
|
client_secret = Column(String(512), nullable=True)
|
|
redirect_uri = Column(String(512), nullable=True)
|
|
scopes = Column(String(255), nullable=True)
|
|
post_login_redirect = Column(String(512), nullable=True)
|
|
# OIDC role name that, in OIDC-only mode, auto-connects an unbound
|
|
# hf admin on first login (bootstrap). Default "admin".
|
|
admin_role = Column(String(128), nullable=True)
|
|
updated_at = Column(DateTime(timezone=True), server_default=func.now(), onupdate=func.now())
|