From d9160b7d0e05fb204dde5d8dcf11bca484d220d4 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Wed, 8 Apr 2026 09:09:24 +0200
Subject: [PATCH] fix: allow local login to coexist with OIDC

Local login was blocked when OIDC env vars were present, causing bootstrap to fail (chicken-and-egg: bootstrap needs local auth to configure OIDC). The backend now accepts both auth paths; the frontend/UI decides which login flow to present.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../server/app/security/JwtAuthenticationFilter.java | 6 ------
 .../cameleer3/server/app/security/UiAuthController.java | 9 ---------
 2 files changed, 15 deletions(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java
index ad0f74e6..66d4e231 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java
@@ -74,12 +74,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter { JwtValidationResult result = jwtService.validateAccessToken(token); String subject = result.subject(); - // In OIDC mode, only accept agent tokens via internal validation. - // User tokens must go through the OIDC decoder path. - if (oidcDecoder != null && subject != null && subject.startsWith("user:")) { - return false; - } - List roles = result.roles(); if (!subject.startsWith("user:") && roles.isEmpty()) { roles = List.of("AGENT");
diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/UiAuthController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/UiAuthController.java
index 8938e062..6049514b 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/UiAuthController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/UiAuthController.java
@@ -71,10 +71,6 @@ public class UiAuthController { content = @Content(schema = @Schema(implementation = ErrorResponse.class))) public ResponseEntity login(@RequestBody LoginRequest request, HttpServletRequest httpRequest) { - if (isOidcEnabled()) { - return ResponseEntity.status(HttpStatus.NOT_FOUND) - .body(new AuthTokenResponse(null, null, "Local login disabled when OIDC is configured", null)); - } String configuredUser = properties.getUiUser(); String configuredPassword = properties.getUiPassword(); String subject = "user:" + request.username();
@@ -153,11 +149,6 @@ public class UiAuthController { } } - private boolean isOidcEnabled() { - String issuer = properties.getOidcIssuerUri(); - return issuer != null && !issuer.isBlank(); - } - public record LoginRequest(String username, String password) {} public record RefreshRequest(String refreshToken) {} }
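Review bot: With the `isOidcEnabled()` guard removed from `login`, the credential read from `properties.getUiUser()` / `properties.getUiPassword()` stays usable for the whole life of the deployment rather than only during bootstrap, and the matching deletion in the `JwtAuthenticationFilter` hunk means internally issued `user:` tokens are now accepted even when `oidcDecoder` is set. The commit message leaves the choice of login flow to the frontend, but hiding a form is not an access control, because the endpoint itself still answers. Consider gating local login on an explicit setting that operators can switch off once OIDC is configured, for example `if (!properties.isLocalLoginEnabled()) return ResponseEntity.status(HttpStatus.NOT_FOUND).build();` (the property name is a placeholder), and apply the same condition to `user:` subjects in the filter. The body of `login` continues outside the hunk, so whether failed attempts are throttled or audited cannot be confirmed from here.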