JwtAuthenticationFilter.tryOidcToken validated external access tokens
against the IdP's JWKS but never upserted the subject into `users`. Any
later write that FKs `users(user_id)` (deployments.created_by,
alert_rules.created_by, outbound_connections.created_by, ...) blew up
with a foreign-key violation — the interactive /auth/oidc/callback path
upserts here, the resource-server path silently skipped it.

Add OidcAccountSyncService: short-circuits when the user already exists,
otherwise honours OidcConfig.autoSignup (defaulting to true when no DB
row, since OIDC-via-env-var implies admin opt-in), enforces the
max_users license cap, and persists UserInfo with provider, email, and
displayName drawn from the JWT claims. The filter falls through to
anonymous (Spring → 401) on refusal instead of authenticating an
un-persisted principal that would 5xx on the next FK insert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
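
The sync decision described in the commit message above, as an added Java sketch that is not the project's OidcAccountSyncService or filter code. The class, enum and method names, the in-memory map standing in for `users`, and the `email`/`name` claim keys are assumptions.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch (Java 16+). Every name below is hypothetical, not the project's code.
public class OidcJitProvisioningSketch {
    record UserRow(String userId, String provider, String email, String displayName) {}
    enum Outcome { EXISTING, CREATED, REFUSED_SIGNUP_DISABLED, REFUSED_LICENSE_CAP }

    private final Map<String, UserRow> users = new ConcurrentHashMap<>(); // stand-in for `users`
    private final Optional<Boolean> autoSignupRow; // empty = no OIDC config row in the DB
    private final int maxUsers;                    // license cap

    OidcJitProvisioningSketch(Optional<Boolean> autoSignupRow, int maxUsers) {
        this.autoSignupRow = autoSignupRow;
        this.maxUsers = maxUsers;
    }

    // synchronized stands in for the transaction or unique constraint a real
    // store needs so two concurrent first requests cannot both pass the cap.
    synchronized Outcome sync(String subject, String provider, Map<String, Object> claims) {
        if (users.containsKey(subject)) return Outcome.EXISTING;                 // short-circuit
        if (!autoSignupRow.orElse(true)) return Outcome.REFUSED_SIGNUP_DISABLED; // no row => true
        if (users.size() >= maxUsers) return Outcome.REFUSED_LICENSE_CAP;
        users.put(subject, new UserRow(subject, provider, str(claims, "email"), str(claims, "name")));
        return Outcome.CREATED;
    }

    // Claims are untrusted shapes: take a value only when it really is a string.
    private static String str(Map<String, Object> claims, String key) {
        return claims.get(key) instanceof String s ? s : null;
    }

    // Filter side: set an authenticated principal only when a users row exists.
    static boolean mayAuthenticate(Outcome o) {
        return o == Outcome.EXISTING || o == Outcome.CREATED;
    }

    public static void main(String[] args) {
        Map<String, Object> claims = Map.of("email", "a@example.test", "name", "A"); // constructed
        var capped = new OidcJitProvisioningSketch(Optional.empty(), 1);
        System.out.println(capped.sync("sub-a", "oidc", claims)); // first sight of sub-a
        System.out.println(capped.sync("sub-a", "oidc", claims)); // row already there
        Outcome refused = capped.sync("sub-b", "oidc", claims);   // cap of 1 is used up
        System.out.println(refused + " authenticate=" + mayAuthenticate(refused));
        var closed = new OidcJitProvisioningSketch(Optional.of(false), 10);
        System.out.println(closed.sync("sub-c", "oidc", claims));
    }
}
```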