local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions
mitgliederverwaltung/docs/admin-bootstrap-and-oidc-role-sync.md
Moritz c5f1fdce0a
All checks were successful
continuous-integration/drone/push Build is passing
Details
Code-review follow-ups: policy, docs, seed_admin behaviour 
- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk.
- seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test.
- Fix DE translation for 'access this page'; add get? true comment in User.
2026-02-04 19:44:43 +01:00

2.5 KiB
Raw Blame History

Admin Bootstrap and OIDC Role Sync

Overview

  • Admin bootstrap: In production, no seeds run. The first admin user is created/updated from environment variables in the Docker entrypoint (after migrate, before server). Password can be changed without redeploy via bin/mv eval "Mv.Release.seed_admin()".
  • OIDC role sync: Optional mapping from OIDC groups (e.g. from Authentik profile scope) to the Admin role. Users in the configured admin group get the Admin role on registration and on each sign-in.

Admin Bootstrap (Part A)

Environment Variables

  • ADMIN_EMAIL Email of the admin user to create/update. If unset, seed_admin/0 does nothing.
  • ADMIN_PASSWORD Password for the admin user. If unset (and no file), no new user is created; if a user with ADMIN_EMAIL already exists (e.g. OIDC-only), their role is set to Admin (no password change).
  • ADMIN_PASSWORD_FILE Path to a file containing the password (e.g. Docker secret).

Release Task

  • Mv.Release.seed_admin/0 Reads ADMIN_EMAIL and password from ADMIN_PASSWORD or ADMIN_PASSWORD_FILE. If both email and password are set: creates or updates the user with the Admin role. If only ADMIN_EMAIL is set: sets the Admin role on an existing user with that email (for OIDC-only admins); does not create a user. Idempotent.

Entrypoint

  • rel/overlays/bin/docker-entrypoint.sh After migrate, runs seed_admin(), then starts the server.

Seeds (Dev/Test)

  • priv/repo/seeds.exs Uses ADMIN_PASSWORD or ADMIN_PASSWORD_FILE when set; otherwise fallback "testpassword" only in dev/test.

OIDC Role Sync (Part B)

Configuration

  • OIDC_ADMIN_GROUP_NAME OIDC group name that maps to the Admin role. If unset, no role sync.
  • OIDC_GROUPS_CLAIM JWT claim name for group list (default "groups").
  • Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0).

Sync Logic

  • Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info) If admin group configured, sets user role to Admin or Mitglied based on user_info groups.

Where It Runs

  1. Registration: register_with_rauthy after_action calls OidcRoleSync.
  2. Sign-in: sign_in_with_rauthy prepare after_action calls OidcRoleSync for each user.

Internal Action

  • User.set_role_from_oidc_sync Internal update (role_id only). Used by OidcRoleSync; not exposed.

See Also

  • .env.example Admin and OIDC group env vars.
  • lib/mv/release.ex seed_admin/0.
  • lib/mv/oidc_role_sync.ex Sync implementation.
  • docs/oidc-account-linking.md OIDC account linking.