feat: OIDC configuration in global Settings (ENV or DB)

- Add oidc_* attributes to Setting, migration and Config helpers
- Secrets and OidcRoleSyncConfig read from Config (ENV overrides DB)
- GlobalSettingsLive: OIDC section with disabled fields when ENV set
- OIDC role sync tests use DataCase for DB access

lib/mv/config.ex

@@ -263,6 +263,10 @@ defmodule Mv.Config do
   end
 
   defp get_vereinfacht_from_settings(key) do
+    get_from_settings(key)
+  end
+
+  defp get_from_settings(key) do
     case Mv.Membership.get_settings() do
       {:ok, settings} -> settings |> Map.get(key) |> trim_nil()
       {:error, _} -> nil
@@ -298,4 +302,77 @@ defmodule Mv.Config do
   defp present?(nil), do: false
   defp present?(s) when is_binary(s), do: String.trim(s) != ""
   defp present?(_), do: false
+
+  # ---------------------------------------------------------------------------
+  # OIDC authentication
+  # ENV variables take priority; fallback to Settings from database.
+  # ---------------------------------------------------------------------------
+
+  @doc """
+  Returns the OIDC client ID. ENV first, then Settings.
+  """
+  @spec oidc_client_id() :: String.t() | nil
+  def oidc_client_id do
+    env_or_setting("OIDC_CLIENT_ID", :oidc_client_id)
+  end
+
+  @doc """
+  Returns the OIDC provider base URL. ENV first, then Settings.
+  """
+  @spec oidc_base_url() :: String.t() | nil
+  def oidc_base_url do
+    env_or_setting("OIDC_BASE_URL", :oidc_base_url)
+  end
+
+  @doc """
+  Returns the OIDC redirect URI. ENV first, then Settings.
+  """
+  @spec oidc_redirect_uri() :: String.t() | nil
+  def oidc_redirect_uri do
+    env_or_setting("OIDC_REDIRECT_URI", :oidc_redirect_uri)
+  end
+
+  @doc """
+  Returns the OIDC client secret. ENV first, then Settings.
+  """
+  @spec oidc_client_secret() :: String.t() | nil
+  def oidc_client_secret do
+    env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+  end
+
+  @doc """
+  Returns the OIDC admin group name (for role sync). ENV first, then Settings.
+  """
+  @spec oidc_admin_group_name() :: String.t() | nil
+  def oidc_admin_group_name do
+    env_or_setting("OIDC_ADMIN_GROUP_NAME", :oidc_admin_group_name)
+  end
+
+  @doc """
+  Returns the OIDC groups claim name (default "groups"). ENV first, then Settings.
+  """
+  @spec oidc_groups_claim() :: String.t() | nil
+  def oidc_groups_claim do
+    case env_or_setting("OIDC_GROUPS_CLAIM", :oidc_groups_claim) do
+      nil -> "groups"
+      v -> v
+    end
+  end
+
+  @doc """
+  Returns true if any OIDC ENV variable is set (used to show hint in Settings UI).
+  """
+  @spec oidc_env_configured?() :: boolean()
+  def oidc_env_configured? do
+    oidc_client_id_env_set?() or oidc_base_url_env_set?() or
+      oidc_redirect_uri_env_set?() or oidc_client_secret_env_set?() or
+      oidc_admin_group_name_env_set?() or oidc_groups_claim_env_set?()
+  end
+
+  def oidc_client_id_env_set?, do: env_set?("OIDC_CLIENT_ID")
+  def oidc_base_url_env_set?, do: env_set?("OIDC_BASE_URL")
+  def oidc_redirect_uri_env_set?, do: env_set?("OIDC_REDIRECT_URI")
+  def oidc_client_secret_env_set?, do: env_set?("OIDC_CLIENT_SECRET")
+  def oidc_admin_group_name_env_set?, do: env_set?("OIDC_ADMIN_GROUP_NAME")
+  def oidc_groups_claim_env_set?, do: env_set?("OIDC_GROUPS_CLAIM")
 end