feat(rauthy): auto-seed mv OIDC client via bootstrap dir

.env.example

@@ -24,7 +24,7 @@ ASSOCIATION_NAME="Sportsclub XYZ"
 # OIDC_CLIENT_ID=mv
 # OIDC_BASE_URL=http://localhost:8080/auth/v1
 # OIDC_REDIRECT_URI=http://localhost:4001/auth/user/oidc/callback
-# OIDC_CLIENT_SECRET=your-oidc-client-secret
+# OIDC_CLIENT_SECRET=mv-dev-shared-secret-not-for-production-do-not-use-anywhere-else
 
 # Optional: OIDC group → Admin role sync (e.g. Authentik groups from profile scope)
 # If OIDC_ADMIN_GROUP_NAME is set, users in that group get Admin role on registration/sign-in.

README.md

@@ -124,8 +124,8 @@ mix archive.install hex phx_new
 1. Copy env file:  
    ```bash
    cp .env.example .env
-   # Set OIDC_CLIENT_SECRET inside .env
    ```
+   The dev `OIDC_CLIENT_SECRET` is already preset — no manual GUI step needed.
 
 2. Start everything (database, Mailcrab, Rauthy, app):  
    ```bash
@@ -139,21 +139,9 @@ mix archive.install hex phx_new
 
 ## 🔐 Testing SSO locally
 
-Mila uses OIDC for Single Sign-On. In development, a local **Rauthy** instance is provided.  
+A local **Rauthy** instance is provided in dev. The `mv` client is auto-seeded from `rauthy-bootstrap/clients.json` on first start (and after `docker compose down -v`), so the secret in `.env.example` always matches.
 
-1. `just run`
+Rauthy admin UI: <http://localhost:8080> — login `admin@localhost`, password from `BOOTSTRAP_ADMIN_PASSWORD_PLAIN` in `docker-compose.yml`.
-2. go to [localhost:8080](http://localhost:8080), go to the Admin area
-3. Login with "admin@localhost" and password from `BOOTSTRAP_ADMIN_PASSWORD_PLAIN` in docker-compose.yml
-4. add client from the admin panel
-    - Client ID: mv
-    - redirect uris: http://localhost:4000/auth/user/oidc/callback
-    - Authorization Flows: authorization_code
-    - allowed origins: http://localhost:4000
-    - access/id token algortihm: RS256 (EDDSA did not work for me, found just few infos in the ashauthentication docs)
-5. copy client secret to `.env` file
-6. abort and run `just run` again
-
-Now you can log in to Mila via OIDC!
 
 ### OIDC with other providers (Authentik, Keycloak, etc.)
 

docker-compose.yml

@@ -36,6 +36,9 @@ services:
       - BOOTSTRAP_ADMIN_PASSWORD_PLAIN=RauthyTest12345
       # Disable strict IP validation to allow access from multiple Docker networks
       - SESSION_VALIDATE_IP=false
+      # Auto-seed the `mv` OIDC client (id + plain secret) on first DB init.
+      # Re-runs after `docker compose down -v` because the DB is empty again.
+      - BOOTSTRAP_DIR=/app/bootstrap
     ports:
       - "8080:8080"
     depends_on:
@@ -46,6 +49,7 @@ services:
       - local
     volumes:
       - rauthy-data:/app/data
+      - ./rauthy-bootstrap:/app/bootstrap:ro
 
 volumes:
   postgres-data:

rauthy-bootstrap/clients.json

@@ -0,0 +1,20 @@
+[
+  {
+    "id": "mv",
+    "name": "Mila dev",
+    "secret": { "Plain": "mv-dev-shared-secret-not-for-production-do-not-use-anywhere-else" },
+    "redirect_uris": ["http://localhost:4000/auth/user/oidc/callback"],
+    "post_logout_redirect_uris": ["http://localhost:4000/"],
+    "allowed_origins": ["http://localhost:4000"],
+    "enabled": true,
+    "flows_enabled": ["authorization_code", "refresh_token"],
+    "access_token_alg": "RS256",
+    "id_token_alg": "RS256",
+    "auth_code_lifetime": 60,
+    "access_token_lifetime": 1800,
+    "scopes": ["openid", "profile", "email", "groups"],
+    "default_scopes": ["openid", "profile", "email", "groups"],
+    "challenges": ["S256"],
+    "force_mfa": false
+  }
+]