lib/accounts/user.ex

@@ -258,6 +258,7 @@ defmodule Mv.Accounts.User do
     end
 
     read :sign_in_with_rauthy do
+      get? true
       argument :user_info, :map, allow_nil?: false
       argument :oauth_tokens, :map, allow_nil?: false
       prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
@@ -271,9 +272,10 @@ defmodule Mv.Accounts.User do
       # Sync role from OIDC groups after sign-in (e.g. admin group → Admin role)
       prepare Ash.Resource.Preparation.Builtins.after_action(fn query, records, _context ->
                 user_info = Ash.Query.get_argument(query, :user_info) || %{}
+                oauth_tokens = Ash.Query.get_argument(query, :oauth_tokens) || %{}
 
                 Enum.each(records, fn user ->
-                  Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info)
+                  Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info, oauth_tokens)
                 end)
 
                 {:ok, records}
@@ -319,10 +321,12 @@ defmodule Mv.Accounts.User do
       # Sync role from OIDC groups (e.g. admin group → Admin role) after user is created/updated
       change fn changeset, _ctx ->
         user_info = Ash.Changeset.get_argument(changeset, :user_info)
+        oauth_tokens = Ash.Changeset.get_argument(changeset, :oauth_tokens) || %{}
 
         Ash.Changeset.after_action(changeset, fn _cs, record ->
-          Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info)
-          {:ok, Ash.get!(__MODULE__, record.id, authorize?: false, domain: Mv.Accounts)}
+          Mv.OidcRoleSync.apply_admin_role_from_user_info(record, user_info, oauth_tokens)
+          # Return original record so __metadata__.token (from GenerateTokenChange) is preserved
+          {:ok, record}
         end)
       end
     end