Bootstrap admin user and link upstream-provisioned users on first OID… #512

Merged: yasithdev merged 13 commits into master from collab-readiness, Jul 3, 2026

@lahirujayathilake lahirujayathilake commented Jun 30, 2026

Closes #511

Today the resolver only accepts OIDC sign-ins for users that already have a matching user_identities row with an oidc_sub. That leaves two paths broken: the bootstrap super-admin (created from an env var, never has an OIDC binding) and every AMIE-provisioned user (the handler creates the user with oidc_sub NULL). Both require an admin to hand-insert a row before the user can sign in.

  • New PENDING user lifecycle state and SYSTEM user type. Provisioners (bootstrap, AMIE) write PENDING, the resolver flips to ACTIVE once the user signs in
  • Resolver gains a tightly gated email-fallback. When the JWT's sub has no binding, the resolver checks the JWT's email/email_verified, matches a single PENDING user by email, refuses if that user has any other OIDC binding already, then inserts the binding, sets the user ACTIVE, and emits an IDENTITY_LINKED audit event.
  • BootstrapSuperAdmin self-contained - if CUSTOS_BOOTSTRAP_ADMIN_EMAIL points at a missing user, the bootstrap path creates the system org + a PENDING SYSTEM user, grants super_admin, and emits USER_BOOTSTRAPPED.
  • AMIE handlers (request_project_create, request_account_create) provision users as PENDING.
  • super_admin now auto-loads every registered privilege at bootstrap, instead of the two-privilege hardcoded pair, so new backend privileges flow through automatically.
  • Expanded the core privilege catalogue with keys for allocations, projects, and traces so the portal can gate the corresponding screens.
  • Aligned the portal with the new privilege model so a signed-in super_admin actually sees the sidebar populated.
  • Updated the INSTALL.md as a clean end-to-end walk-through: database, OIDC (bundled Keycloak or any external provider), server, portal, sign-in, and a short pointer for loading sample data.
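The gated email fallback the description lays out (verified email claim, exactly one PENDING match, no pre-existing binding, then link + ACTIVE + IDENTITY_LINKED) as an added illustration, not code from this PR or the Custos resolver; the in-memory `User` store, `LinkRefused` and the audit list are assumptions standing in for the real user_identities table and audit sink.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: str
    email: str
    status: str                          # "PENDING" or "ACTIVE" (assumed string states)
    oidc_subs: set = field(default_factory=set)  # stands in for user_identities.oidc_sub rows

class LinkRefused(Exception):
    """Raised when the fallback declines to link the token to a local user."""

def resolve(claims: dict, users: list, audit: list) -> User:
    """Resolve an OIDC token to a local user, linking a PENDING user by email if needed."""
    sub = claims.get("sub")
    # 1. Normal path: an existing oidc_sub binding wins and nothing is mutated.
    for u in users:
        if sub in u.oidc_subs:
            return u
    # 2. Fallback only runs on a verified email claim; an unverified email is untrusted.
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise LinkRefused("no oidc_sub binding and no verified email claim")
    # 3. Exactly one PENDING user may match by email (exact match assumed here).
    matches = [u for u in users if u.status == "PENDING" and u.email == email]
    if len(matches) != 1:
        raise LinkRefused(f"expected one PENDING user for {email}, found {len(matches)}")
    user = matches[0]
    # 4. Refuse if that PENDING user is already bound to some other OIDC subject.
    if user.oidc_subs:
        raise LinkRefused("PENDING user already has an OIDC binding")
    # 5. Insert the binding, flip to ACTIVE, emit the audit event.
    user.oidc_subs.add(sub)
    user.status = "ACTIVE"
    audit.append({"event": "IDENTITY_LINKED", "user_id": user.id, "oidc_sub": sub})
    return user
```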

@lahirujayathilake lahirujayathilake changed the base branch from web to master July 2, 2026 19:29

@yasithdev yasithdev left a comment


LGTM! 👍🏽

@yasithdev yasithdev merged commit 6b795aa into master Jul 3, 2026
1 check passed
Development

Successfully merging this pull request may close these issues.

Sign-in fails for any user provisioned through allocation upstreams