feat(auth): admin_role config; drop manual admin-subject from wizard

OIDC settings page + setup wizard now configure the bootstrap admin
role instead of a hand-typed OIDC subject. The OIDC-only admin link is
handled automatically by the backend admin-role auto-connect on first
sign-in (explained inline in both the wizard and settings page).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
h z
2026-05-17 21:05:40 +01:00
parent 782e42ac64
commit 73da3926e7
2 changed files with 26 additions and 10 deletions

@@ -10,6 +10,7 @@ interface Settings {
redirect_uri: string | null
scopes: string | null
post_login_redirect: string | null
admin_role: string
oidc_only: boolean
effective_enabled: boolean
source: string
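Review bot: `admin_role: string` in the `Settings` interface is stricter than its siblings (`post_login_redirect: string | null` and the other URL fields) and than the code that consumes it: the load path falls back with `data.admin_role || 'admin'`, which implies the backend may return null or an empty string. Either type it `admin_role: string | null` to match what the backend can actually send, or, if the backend guarantees a non-empty role, drop the client-side fallbacks so the settings page never displays a value the server is not enforcing.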
@@ -31,6 +32,7 @@ export default function OidcSettingsPage() {
redirect_uri: '',
scopes: 'openid email profile',
post_login_redirect: '',
admin_role: 'admin',
})
useEffect(() => {
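Review bot: the literal `'admin'` introduced here as the default form value is repeated in the load fallback, the save fallback and the input placeholder; hoist it into one constant (for example `const DEFAULT_ADMIN_ROLE = 'admin'`) so a later rename of the bootstrap role cannot leave the four copies out of sync. A mismatch between the role the page shows and the role the backend compares against the token would silently change who is able to bootstrap admin.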
@@ -46,6 +48,7 @@ export default function OidcSettingsPage() {
redirect_uri: data.redirect_uri || '',
scopes: data.scopes || 'openid email profile',
post_login_redirect: data.post_login_redirect || '',
admin_role: data.admin_role || 'admin',
})
})
.catch((e) => setMessage(e.response?.data?.detail || 'Failed to load OIDC settings'))
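Review bot: `admin_role: data.admin_role || 'admin'` on the load path substitutes the default for a null or empty server value, so the page shows `admin` even when the backend currently has no bootstrap role configured. Since the save path already applies the same default, consider displaying the raw server value here (or an explicit "not set" state) so an operator auditing the settings sees what is actually in force rather than what would be written on the next save.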
@@ -63,6 +66,7 @@ export default function OidcSettingsPage() {
redirect_uri: form.redirect_uri.trim(),
scopes: form.scopes.trim(),
post_login_redirect: form.post_login_redirect.trim(),
admin_role: form.admin_role.trim() || 'admin',
}
if (form.client_secret) payload.client_secret = form.client_secret
const { data } = await api.put<Settings>('/auth/oidc/settings', payload)
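Review bot: `admin_role: form.admin_role.trim() || 'admin'` means an operator cannot clear the bootstrap role from this page: an emptied field is sent as `admin`. If the backend treats an empty role as "bootstrap off", the UI should pass the empty value through; if it does not, the help text should state that the field cannot be blank. The value is also only trimmed, not validated, so please confirm the backend rejects roles that could never match a token claim (embedded whitespace, or case differences if the comparison is exact) instead of accepting them silently.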
@@ -150,6 +154,14 @@ export default function OidcSettingsPage() {
Post-login redirect (frontend)
<input placeholder="https://hf.example.com/oidc/callback" value={form.post_login_redirect} onChange={(e) => setForm({ ...form, post_login_redirect: e.target.value })} />
</label>
<label>
Admin role (bootstrap)
<input placeholder="admin" value={form.admin_role} onChange={(e) => setForm({ ...form, admin_role: e.target.value })} />
</label>
<p className="text-dim">
OIDC-only bootstrap: before any admin is linked, an IdP user whose token carries this role
auto-connects to the HarborForge admin account on first sign-in. Disables itself once an admin is bound.
</p>
<button className="btn-primary" disabled={saving} onClick={save}>
{saving ? 'Saving...' : 'Save OIDC Settings'}
</button>
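Review bot: the help text under the Admin role input says the bootstrap "disables itself once an admin is bound", but nothing on the page shows whether that has happened yet, so an operator cannot tell from this screen whether the auto-connect window is still open. Consider rendering the bound/unbound state next to the field (the backend already tracks it, since it decides when to stop auto-connecting), and name the claim the role is read from, because "an IdP user whose token carries this role" leaves the operator guessing which users will actually match when IdPs place roles in different claims.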