feat: OIDC configuration in global Settings (ENV or DB)

- Add oidc_* attributes to Setting, migration and Config helpers - Secrets and OidcRoleSyncConfig read from Config (ENV overrides DB) - GlobalSettingsLive: OIDC section with disabled fields when ENV set - OIDC role sync tests use DataCase for DB access
2026-02-24 13:55:19 +01:00 · 2026-02-24 13:55:19 +01:00 · 8edbbac95f
commit 8edbbac95f
parent f29bbb02a2
8 changed files with 487 additions and 136 deletions
--- a/lib/membership/setting.ex
+++ b/lib/membership/setting.ex
@ -79,7 +79,13 @@ defmodule Mv.Membership.Setting do
        :vereinfacht_api_url,
        :vereinfacht_api_key,
        :vereinfacht_club_id,
-        :vereinfacht_app_url
+        :vereinfacht_app_url,
+        :oidc_client_id,
+        :oidc_base_url,
+        :oidc_redirect_uri,
+        :oidc_client_secret,
+        :oidc_admin_group_name,
+        :oidc_groups_claim
      ]
    end

@ -96,7 +102,13 @@ defmodule Mv.Membership.Setting do
        :vereinfacht_api_url,
        :vereinfacht_api_key,
        :vereinfacht_club_id,
-        :vereinfacht_app_url
+        :vereinfacht_app_url,
+        :oidc_client_id,
+        :oidc_base_url,
+        :oidc_redirect_uri,
+        :oidc_client_secret,
+        :oidc_admin_group_name,
+        :oidc_groups_claim
      ]
    end

@ -322,6 +334,44 @@ defmodule Mv.Membership.Setting do
      description "Vereinfacht app base URL for contact view links (e.g. https://app.verein.visuel.dev)"
    end

+    # OIDC authentication (can be overridden by ENV)
+    attribute :oidc_client_id, :string do
+      allow_nil? true
+      public? true
+      description "OIDC client ID (e.g. from OIDC_CLIENT_ID)"
+    end
+
+    attribute :oidc_base_url, :string do
+      allow_nil? true
+      public? true
+      description "OIDC provider base URL (e.g. from OIDC_BASE_URL)"
+    end
+
+    attribute :oidc_redirect_uri, :string do
+      allow_nil? true
+      public? true
+      description "OIDC redirect URI for callback (e.g. from OIDC_REDIRECT_URI)"
+    end
+
+    attribute :oidc_client_secret, :string do
+      allow_nil? true
+      public? false
+      description "OIDC client secret (e.g. from OIDC_CLIENT_SECRET)"
+      sensitive? true
+    end
+
+    attribute :oidc_admin_group_name, :string do
+      allow_nil? true
+      public? true
+      description "OIDC group name that maps to Admin role (e.g. from OIDC_ADMIN_GROUP_NAME)"
+    end
+
+    attribute :oidc_groups_claim, :string do
+      allow_nil? true
+      public? true
+      description "JWT claim name for group list (e.g. from OIDC_GROUPS_CLAIM, default 'groups')"
+    end
+
    timestamps()
  end