From e775fe118bbb29c3df5d59b375b44a7f96f5e310 Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Tue, 24 Feb 2026 15:07:41 +0100
Subject: [PATCH] Setting: add oidc_only boolean attribute (ENV + DB)

---
 lib/membership/setting.ex | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/membership/setting.ex b/lib/membership/setting.ex
index 6e987de..894725f 100644
--- a/lib/membership/setting.ex
+++ b/lib/membership/setting.ex
@@ -85,7 +85,8 @@ defmodule Mv.Membership.Setting do
         :oidc_redirect_uri,
         :oidc_client_secret,
         :oidc_admin_group_name,
-        :oidc_groups_claim
+        :oidc_groups_claim,
+        :oidc_only
       ]
     end
 
@@ -108,7 +109,8 @@ defmodule Mv.Membership.Setting do
         :oidc_redirect_uri,
         :oidc_client_secret,
         :oidc_admin_group_name,
-        :oidc_groups_claim
+        :oidc_groups_claim,
+        :oidc_only
       ]
     end
 
@@ -372,6 +374,14 @@ defmodule Mv.Membership.Setting do
       description "JWT claim name for group list (e.g. from OIDC_GROUPS_CLAIM, default 'groups')"
     end
 
+    attribute :oidc_only, :boolean do
+      allow_nil? false
+      default false
+      public? true
+
+      description "When true and OIDC is configured, sign-in shows only OIDC (password login hidden)"
+    end
+
     timestamps()
   end