fix: use m-admin token for admin tenant console user creation

The m-default token has audience https://default.logto.app/api which
is rejected by port 3002's admin tenant API. Use m-admin client with
audience https://admin.logto.app/api instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/logto-bootstrap.sh

@@ -379,19 +379,38 @@ fi
 # --- Grant SaaS admin Logto console access (admin tenant, port 3002) ---
 log "Granting SaaS admin Logto console access..."
 
-# Admin-tenant API helpers (port 3002)
+# Get admin-tenant M2M token (m-default token has wrong audience for port 3002)
-admin_api_get() {
+ADMIN_MGMT_RESOURCE="https://admin.logto.app/api"
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+log "Reading m-admin secret from database..."
-}
+M_ADMIN_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \
-admin_api_post() {
+  "SELECT secret FROM applications WHERE id = 'm-admin' AND tenant_id = 'admin';" 2>/dev/null)
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
-    -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
-}
 
-# Check if admin user already exists on admin tenant
+if [ -z "$M_ADMIN_SECRET" ]; then
-ADMIN_USERS_RESPONSE=$(admin_api_get "/api/users?search=$SAAS_ADMIN_USER")
+  log "WARNING: m-admin app not found — skipping console access"
-log "Admin tenant users response: $(echo "$ADMIN_USERS_RESPONSE" | head -c 200)"
+else
-ADMIN_TENANT_USER_ID=$(echo "$ADMIN_USERS_RESPONSE" | jq -r ".[] | select(.username == \"$SAAS_ADMIN_USER\") | .id" 2>/dev/null)
+  ADMIN_TOKEN_RESPONSE=$(curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -H "Host: ${HOST}:3002" \
+    -d "grant_type=client_credentials&client_id=m-admin&client_secret=${M_ADMIN_SECRET}&resource=${ADMIN_MGMT_RESOURCE}&scope=all")
+  ADMIN_TOKEN=$(echo "$ADMIN_TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
+
+  if [ -z "$ADMIN_TOKEN" ] || [ "$ADMIN_TOKEN" = "null" ]; then
+    log "WARNING: Failed to get admin tenant token — skipping console access"
+    log "Response: $(echo "$ADMIN_TOKEN_RESPONSE" | head -c 200)"
+  else
+    log "Got admin tenant token."
+
+    # Admin-tenant API helpers (port 3002, admin token)
+    admin_api_get() {
+      curl -s -H "Authorization: Bearer $ADMIN_TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+    }
+    admin_api_post() {
+      curl -s -X POST -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
+        -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
+    }
+
+    # Check if admin user already exists on admin tenant
+    ADMIN_TENANT_USER_ID=$(admin_api_get "/api/users?search=$SAAS_ADMIN_USER" | jq -r ".[] | select(.username == \"$SAAS_ADMIN_USER\") | .id" 2>/dev/null)
 if [ -z "$ADMIN_TENANT_USER_ID" ] || [ "$ADMIN_TENANT_USER_ID" = "null" ]; then
   log "Creating admin console user '$SAAS_ADMIN_USER'..."
   ADMIN_TENANT_RESPONSE=$(admin_api_post "/api/users" "{
@@ -427,6 +446,9 @@ else
   log "WARNING: Could not create admin console user"
 fi
 
+  fi  # end: ADMIN_TOKEN check
+fi  # end: M_ADMIN_SECRET check
+
 # --- Tenant Admin ---
 log "Checking for tenant admin '$TENANT_ADMIN_USER'..."
 TENANT_USER_ID=$(api_get "/api/users?search=$TENANT_ADMIN_USER" | jq -r ".[] | select(.username == \"$TENANT_ADMIN_USER\") | .id")