local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions
mitgliederverwaltung/docs/admin-bootstrap-and-oidc-role-sync.md
Moritz 5b3eab4d5d Docs and .env.example for admin bootstrap and OIDC role sync 
Documents ADMIN_EMAIL/PASSWORD, seed_admin, entrypoint; OIDC_ADMIN_GROUP_NAME,
OIDC_GROUPS_CLAIM and role sync on register/sign-in.
2026-02-04 16:20:39 +01:00

2.3 KiB
Raw Blame History

Admin Bootstrap and OIDC Role Sync

Overview

  • Admin bootstrap: In production, no seeds run. The first admin user is created/updated from environment variables in the Docker entrypoint (after migrate, before server). Password can be changed without redeploy via bin/mv eval "Mv.Release.seed_admin()".
  • OIDC role sync: Optional mapping from OIDC groups (e.g. from Authentik profile scope) to the Admin role. Users in the configured admin group get the Admin role on registration and on each sign-in.

Admin Bootstrap (Part A)

Environment Variables

  • ADMIN_EMAIL Email of the admin user to create/update. If unset, seed_admin/0 does nothing.
  • ADMIN_PASSWORD Password for the admin user. If unset (and no file), no user is created in production.
  • ADMIN_PASSWORD_FILE Path to a file containing the password (e.g. Docker secret).

Release Task

  • Mv.Release.seed_admin/0 Reads ADMIN_EMAIL and password from ADMIN_PASSWORD or ADMIN_PASSWORD_FILE. If both are set, creates or updates the user with the Admin role. Idempotent.

Entrypoint

  • rel/overlays/bin/docker-entrypoint.sh After migrate, runs seed_admin(), then starts the server.

Seeds (Dev/Test)

  • priv/repo/seeds.exs Uses ADMIN_PASSWORD or ADMIN_PASSWORD_FILE when set; otherwise fallback "testpassword" only in dev/test.

OIDC Role Sync (Part B)

Configuration

  • OIDC_ADMIN_GROUP_NAME OIDC group name that maps to the Admin role. If unset, no role sync.
  • OIDC_GROUPS_CLAIM JWT claim name for group list (default "groups").
  • Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0).

Sync Logic

  • Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info) If admin group configured, sets user role to Admin or Mitglied based on user_info groups.

Where It Runs

  1. Registration: register_with_rauthy after_action calls OidcRoleSync.
  2. Sign-in: sign_in_with_rauthy prepare after_action calls OidcRoleSync for each user.

Internal Action

  • User.set_role_from_oidc_sync Internal update (role_id only). Used by OidcRoleSync; not exposed.

See Also

  • .env.example Admin and OIDC group env vars.
  • lib/mv/release.ex seed_admin/0.
  • lib/mv/oidc_role_sync.ex Sync implementation.
  • docs/oidc-account-linking.md OIDC account linking.