Match OIDC users by sub claim, auto-enroll, sync admin from groups

Switch from email-based OIDC matching to the stable `sub` claim.
Existing users are migrated by email on first login, new users are
auto-enrolled from OIDC claims, and admin status is synced from the
IdP's groups claim. Also expose oidc_sub on the admin edit-user page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controllers/EditUser.php

@@ -109,6 +109,14 @@ class EditUser extends HTMLController
 					'maxlength' => 255,
 					'is_optional' => true,
 				],
+				'oidc_sub' => [
+					'header' => 'OIDC',
+					'type' => 'text',
+					'label' => 'OIDC subject identifier',
+					'size' => 50,
+					'maxlength' => 255,
+					'is_optional' => true,
+				],
 				'is_admin' => [
 					'header' => 'Privileges',
 					'type' => 'checkbox',
@@ -145,6 +153,10 @@ class EditUser extends HTMLController
 			// Quick stripping.
 			$data['slug'] = strtr(strtolower($data['slug']), [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '/' => '-', '\\' => '-']);
 
+			// Normalise empty OIDC sub to null (unique constraint).
+			if (empty($data['oidc_sub']))
+				$data['oidc_sub'] = null;
+
 			// Checkboxes, fun!
 			$data['is_admin'] = empty($data['is_admin']) ? 0 : 1;