From 58a5b086adcb2c28bce6803a3276ae2fdc28ddba Mon Sep 17 00:00:00 2001
From: Moritz
Date: Wed, 4 Feb 2026 18:03:15 +0100
Subject: [PATCH] OIDC: pass oauth_tokens to role sync; get? true for sign_in; return record in register

- sign_in_with_rauthy: get? true so Ash returns single user; pass oauth_tokens to OidcRoleSync.
- register_with_rauthy: pass oauth_tokens to OidcRoleSync; return {:ok, record} to preserve token.
---
 lib/accounts/user.ex | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex
index fc04bfa..8e7e70f 100644
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@@ -258,6 +258,7 @@ defmodule Mv.Accounts.User do
     end
 
     read :sign_in_with_rauthy do
+      get? true
       argument :user_info, :map, allow_nil?: false
       argument :oauth_tokens, :map, allow_nil?: false
       prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
@@ -271,9 +272,10 @@ defmodule Mv.Accounts.User do
       # Sync role from OIDC groups after sign-in (e.g. admin group → Admin role)
       prepare Ash.Resource.Preparation.Builtins.after_action(fn query, records, _context ->
         user_info = Ash.Query.get_argument(query, :user_info) || %{}
+        oauth_tokens = Ash.Query.get_argument(query, :oauth_tokens) || %{}
 
         Enum.each(records, fn user ->
-          Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info)
+          Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info, oauth_tokens)
         end)
 
         {:ok, records}
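Review bot: The result of `Mv.OidcRoleSync.apply_admin_role_from_user_info/3` is thrown away by `Enum.each` and the preparation answers `{:ok, records}` unconditionally, so if the sync fails for a user who has since been removed from the admin group, sign-in still succeeds with the stale Admin role — a fail-open on a privilege decision. If the helper reports errors, stop the sign-in instead, as sketched below. Separately, `oauth_tokens` presumably carries the provider's raw `id_token`/`access_token`; if `OidcRoleSync` reads group claims out of that JWT it must do so only after verifying signature, issuer and audience (and rejecting `alg: none`), because unlike the `user_info` response those bytes are not otherwise validated in this code path — the helper is not in the diff, so this needs confirming there. The enclosing `read :sign_in_with_rauthy do` opens in the previous hunk and the `prepare` block closes after this one.

```elixir
prepare Ash.Resource.Preparation.Builtins.after_action(fn query, records, _context ->
  # … unchanged: user_info / oauth_tokens argument lookup …
  # Fail closed: a role sync that errors must not let the sign-in through.
  # Assumes the helper returns :ok | {:error, reason} — align with its real contract.
  Enum.reduce_while(records, {:ok, records}, fn user, acc ->
    case Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info, oauth_tokens) do
      :ok -> {:cont, acc}
      {:error, reason} -> {:halt, {:error, reason}}
    end
  end)
```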
@@ -319,10 +321,12 @@ defmodule Mv.Accounts.User do
       # Sync role from OIDC groups (e.g. admin group → Admin role) after user is created/updated
       change fn changeset, _ctx ->
         user_info = Ash.Changeset.get_argument(changeset, :user_info)
+        oauth_tokens = Ash.Changeset.get_argument(changeset, :oauth_tokens) || %{}
 
         Ash.Changeset.after_action(changeset, fn _cs, record ->
-          Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info)
-          {:ok, Ash.get!(__MODULE__, record.id, authorize?: false, domain: Mv.Accounts)}
+          Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info, oauth_tokens)
+          # Return original record so __metadata__.token (from GenerateTokenChange) is preserved
+          {:ok, record}
         end)
       end
     end
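Review bot: Returning the untouched `record` hands callers a struct that predates whatever `apply_admin_role_from_user_info/3` just persisted — the `Ash.get!` re-read this replaces existed for that reason — so anything that reads the role off the returned user right after registration sees the pre-sync value. Keeping the token and returning fresh data are not exclusive: `fresh = Ash.get!(__MODULE__, record.id, authorize?: false, domain: Mv.Accounts)` followed by `{:ok, %{fresh | __metadata__: record.__metadata__}}` preserves `__metadata__.token` and current attributes (assuming the sync writes to this resource; if it only touches a separate roles table the stale read is harmless and the comment should say so). As in the read action, the sync's return value is discarded here too, so a failed sync silently completes registration with whatever default role the action assigns; propagate an error tuple from the after-action hook rather than swallowing it. This `change` sits inside an action whose opening line is above the hunk.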