Add OIDC admin config page with auto-signup toggle

Backend: add autoSignup field to OidcConfig, ClickHouse schema, repository, and admin controller. Gate OIDC login when auto-signup is disabled and user is not pre-created (returns 403). Frontend: add OIDC admin page with full CRUD (save/test/delete), role-gated Admin nav link parsed from JWT, and matching design system styles. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 13:56:02 +01:00
parent 377908cc61
commit 0c47ac9b1a
12 changed files with 802 additions and 14 deletions
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
@@ -90,8 +90,15 @@ public class OidcAuthController {
            String issuerHost = URI.create(config.get().issuerUri()).getHost();
            String provider = "oidc:" + issuerHost;

+            // Check auto-signup gate: if disabled, user must already exist
+            Optional<UserInfo> existingUser = userRepository.findById(userId);
+            if (!config.get().autoSignup() && existingUser.isEmpty()) {
+                return ResponseEntity.status(403)
+                        .body(Map.of("message", "Account not provisioned. Contact your administrator."));
+            }
+
            // Resolve roles: DB override > OIDC claim > default
-            List<String> roles = resolveRoles(userId, oidcUser.roles(), config.get());
+            List<String> roles = resolveRoles(existingUser, oidcUser.roles(), config.get());

            userRepository.upsert(new UserInfo(
                    userId, provider, oidcUser.email(), oidcUser.name(), roles, Instant.now()));
@@ -110,8 +117,7 @@ public class OidcAuthController {
        }
    }

-    private List<String> resolveRoles(String userId, List<String> oidcRoles, OidcConfig config) {
-        Optional<UserInfo> existing = userRepository.findById(userId);
+    private List<String> resolveRoles(Optional<UserInfo> existing, List<String> oidcRoles, OidcConfig config) {
        if (existing.isPresent() && !existing.get().roles().isEmpty()) {
            return existing.get().roles();
        }
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/SecurityBeanConfig.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/SecurityBeanConfig.java
@@ -73,7 +73,8 @@ public class SecurityBeanConfig {
                        envOidc.getClientId(),
                        envOidc.getClientSecret() != null ? envOidc.getClientSecret() : "",
                        envOidc.getRolesClaim(),
-                        envOidc.getDefaultRoles()
+                        envOidc.getDefaultRoles(),
+                        true
                );
                configRepository.save(config);
                log.info("OIDC config seeded from environment variables: issuer={}", envOidc.getIssuerUri());