feat: OIDC configuration in global Settings (ENV or DB)

- Add oidc_* attributes to Setting, migration and Config helpers
- Secrets and OidcRoleSyncConfig read from Config (ENV overrides DB)
- GlobalSettingsLive: OIDC section with disabled fields when ENV set
- OIDC role sync tests use DataCase for DB access
This commit is contained in:
Moritz 2026-02-24 13:55:19 +01:00
parent f29bbb02a2
commit 8edbbac95f
Signed by: moritz
GPG key ID: 1020A035E5DD0824
8 changed files with 487 additions and 136 deletions

View file

@ -7,12 +7,12 @@ defmodule Mv.Secrets do
particularly for OIDC (Rauthy) authentication.
## Configuration Source
Secrets are read from the `:oidc` key in the application configuration,
which is typically set in `config/runtime.exs` from environment variables:
- `OIDC_CLIENT_ID`
- `OIDC_CLIENT_SECRET`
- `OIDC_BASE_URL`
- `OIDC_REDIRECT_URI`
Secrets are read via `Mv.Config` which prefers environment variables and
falls back to Settings from the database:
- OIDC_CLIENT_ID / settings.oidc_client_id
- OIDC_CLIENT_SECRET / settings.oidc_client_secret
- OIDC_BASE_URL / settings.oidc_base_url
- OIDC_REDIRECT_URI / settings.oidc_redirect_uri
## Usage
This module is automatically called by AshAuthentication when resolving
@ -26,7 +26,7 @@ defmodule Mv.Secrets do
_opts,
_meth
) do
get_config(:client_id)
{:ok, Mv.Config.oidc_client_id()}
end
def secret_for(
@ -35,7 +35,7 @@ defmodule Mv.Secrets do
_opts,
_meth
) do
get_config(:redirect_uri)
{:ok, Mv.Config.oidc_redirect_uri()}
end
def secret_for(
@ -44,7 +44,7 @@ defmodule Mv.Secrets do
_opts,
_meth
) do
get_config(:client_secret)
{:ok, Mv.Config.oidc_client_secret()}
end
def secret_for(
@ -53,13 +53,6 @@ defmodule Mv.Secrets do
_opts,
_meth
) do
get_config(:base_url)
end
defp get_config(key) do
:mv
|> Application.fetch_env!(:oidc)
|> Keyword.fetch!(key)
|> then(&{:ok, &1})
{:ok, Mv.Config.oidc_base_url()}
end
end