yorick/pics
1
0
Fork 0
forked from Public/pics
Code Pull Requests Activity

Match OIDC users by sub claim, auto-enroll, sync admin from groups

Browse Source 
Switch from email-based OIDC matching to the stable `sub` claim.
Existing users are migrated by email on first login, new users are
auto-enrolled from OIDC claims, and admin status is synced from the
IdP's groups claim. Also expose oidc_sub on the admin edit-user page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Yorick van Pelt
2026-02-15 19:37:14 +01:00
parent 65d5cb62e5
commit d631a07d3d
6 changed files with 128 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config.php.dist
View File

@@ -40,3 +40,4 @@ const OIDC_PROVIDER_URL = ''; // e.g. 'https://kanidm.example.com/oauth2/op
const OIDC_CLIENT_ID = '';
const OIDC_CLIENT_SECRET = '';
const OIDC_PROVIDER_NAME = ''; // e.g. 'Kanidm' — used as button label
const OIDC_ADMIN_GROUP = ''; // OIDC group claim value that grants admin, e.g. 'pics_admins'