99d9d193ac66356d728daa15b8e984d4a94b2c35
JwtAuthenticationFilter.tryOidcToken validated external access tokens against the IdP's JWKS but never upserted the subject into `users`. Any later write that FKs `users(user_id)` (deployments.created_by, alert_rules.created_by, outbound_connections.created_by, ...) blew up with a foreign-key violation — the interactive /auth/oidc/callback path upserts here, the resource-server path silently skipped it.

Add OidcAccountSyncService: short-circuits when the user already exists, otherwise honours OidcConfig.autoSignup (defaulting to true when no DB row, since OIDC-via-env-var implies admin opt-in), enforces the max_users license cap, and persists UserInfo with provider, email, and displayName drawn from the JWT claims. The filter falls through to anonymous (Spring → 401) on refusal instead of authenticating an un-persisted principal that would 5xx on the next FK insert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Description: Observability server for Cameleer agents

Languages: Java 64.3%, TypeScript 28.1%, HTML 4.8%, CSS 2.7%
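
The provisioning decision the commit message describes, as an added sketch that is not the project's code: the class, record and method names, the in-memory map standing in for `users`, and the `"oidc"` provider value are all assumptions, and the claims are taken as already verified against the IdP.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not the project's code.
public class OidcSyncSketch {
    record Claims(String sub, String email, String name) {}          // from an already-verified JWT
    record User(String userId, String provider, String email, String displayName) {}
    enum Outcome { EXISTING, CREATED, REFUSED_SIGNUP_DISABLED, REFUSED_LICENSE_CAP }

    private final Map<String, User> users = new HashMap<>();         // stands in for the users table
    private final Optional<Boolean> autoSignupRow;                   // empty = no OIDC config row in the DB
    private final int maxUsers;                                      // license cap

    OidcSyncSketch(Optional<Boolean> autoSignupRow, int maxUsers) {
        this.autoSignupRow = autoSignupRow;
        this.maxUsers = maxUsers;
    }

    // Call only after signature, issuer, audience and expiry checks have passed.
    Outcome sync(Claims c) {
        if (users.containsKey(c.sub())) return Outcome.EXISTING;     // short-circuit, no write
        if (!autoSignupRow.orElse(true)) return Outcome.REFUSED_SIGNUP_DISABLED;
        if (users.size() >= maxUsers) return Outcome.REFUSED_LICENSE_CAP;
        users.put(c.sub(), new User(c.sub(), "oidc", c.email(), c.name())); // "oidc" is a placeholder
        return Outcome.CREATED;
    }

    // Filter-side decision: a refused subject stays anonymous, so the request ends in 401
    // instead of carrying a principal that has no row for later FK inserts to reference.
    Optional<String> principalFor(Claims c) {
        return switch (sync(c)) {
            case EXISTING, CREATED -> Optional.of(c.sub());
            default -> Optional.empty();
        };
    }

    public static void main(String[] args) {
        // Constructed sample claims, not taken from any real token.
        Claims alice = new Claims("idp|alice", "alice@example.test", "Alice");
        Claims bob = new Claims("idp|bob", "bob@example.test", "Bob");

        OidcSyncSketch noRow = new OidcSyncSketch(Optional.empty(), 1);
        System.out.println(noRow.sync(alice));          // first request for this subject
        System.out.println(noRow.sync(alice));          // repeat request, row already present
        System.out.println(noRow.principalFor(bob));    // license cap of 1 already reached

        OidcSyncSketch disabled = new OidcSyncSketch(Optional.of(false), 10);
        System.out.println(disabled.principalFor(alice)); // auto-signup switched off
    }
}
```

Against a real database the existence check, cap check and insert need to run in one transaction or as an upsert, so that concurrent first requests for the same subject do not race past the cap or collide on the primary key.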