OIDC: pass oauth_tokens to role sync; get? true for sign_in; return record in register

- sign_in_with_rauthy: get? true so Ash returns single user; pass oauth_tokens to OidcRoleSync.
- register_with_rauthy: pass oauth_tokens to OidcRoleSync; return {:ok, record} to preserve token.
Moritz 2026-02-04 18:03:15 +01:00 committed by moritz
parent d441009c8a
commit 58a5b086ad


@ -258,6 +258,7 @@ defmodule Mv.Accounts.User do
end
read :sign_in_with_rauthy do
get? true
argument :user_info, :map, allow_nil?: false
argument :oauth_tokens, :map, allow_nil?: false
prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
@ -271,9 +272,10 @@ defmodule Mv.Accounts.User do
# Sync role from OIDC groups after sign-in (e.g. admin group → Admin role)
prepare Ash.Resource.Preparation.Builtins.after_action(fn query, records, _context ->
user_info = Ash.Query.get_argument(query, :user_info) || %{}
oauth_tokens = Ash.Query.get_argument(query, :oauth_tokens) || %{}
Enum.each(records, fn user ->
Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info)
Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info, oauth_tokens)
end)
{:ok, records}
@ -319,10 +321,12 @@ defmodule Mv.Accounts.User do
# Sync role from OIDC groups (e.g. admin group → Admin role) after user is created/updated
change fn changeset, _ctx ->
user_info = Ash.Changeset.get_argument(changeset, :user_info)
oauth_tokens = Ash.Changeset.get_argument(changeset, :oauth_tokens) || %{}
Ash.Changeset.after_action(changeset, fn _cs, record ->
Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info)
{:ok, Ash.get!(__MODULE__, record.id, authorize?: false, domain: Mv.Accounts)}
Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info, oauth_tokens)
# Return original record so __metadata__.token (from GenerateTokenChange) is preserved
{:ok, record}
end)
end
end
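Review bot: The after_action in the third hunk now returns `record` as it was before `Mv.OidcRoleSync.apply_admin_role_from_user_info/3` ran, so if that call updates the user's role (as the comment above it suggests), the caller gets a user carrying the pre-sync role until it is reloaded; a flow that decides admin access from the returned record would see stale data in both directions, promotion and demotion. The `Ash.get!` reload was dropped to keep `__metadata__.token`, but both can be kept by reloading and carrying the metadata over: `fresh = Ash.get!(__MODULE__, record.id, authorize?: false, domain: Mv.Accounts)` followed by `{:ok, %{fresh | __metadata__: record.__metadata__}}`. The role sync's return value is also discarded here and in the `Enum.each` of the second hunk, so if it reports failure as a tagged result, sign-in and registration still succeed silently; matching on its result (or at least logging a non-`:ok` return) would make a failed sync visible. The enclosing action (presumably `register_with_rauthy`, per the commit message) opens before this hunk.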