Bootstrap admin user and link upstream-provisioned users on first OID…#512

Draft
lahirujayathilake wants to merge 10 commits into
webfrom
collab-readiness
Conversation

@lahirujayathilake

Member

Closes #511

Today the resolver only accepts OIDC sign-ins for users that already have a matching user_identities row with an oidc_sub. That leaves two paths broken: the bootstrap super-admin (created from an env var, never has an OIDC binding) and every AMIE-provisioned user (the handler creates the user with oidc_sub NULL). Both require an admin to hand-insert a row before the user can sign in.

  • New PENDING user lifecycle state and SYSTEM user type. Provisioners (bootstrap, AMIE) write PENDING; the resolver flips to ACTIVE once the user signs in.
  • Resolver gains a tightly gated email fallback. When the JWT's sub has no binding, the resolver checks the JWT's email/email_verified, matches a single PENDING user by email, refuses if that user has any other OIDC binding already, then inserts the binding, sets the user ACTIVE, and emits an IDENTITY_LINKED audit event.
  • BootstrapSuperAdmin is self-contained: if CUSTOS_BOOTSTRAP_ADMIN_EMAIL points at a missing user, the bootstrap path creates the system org + a PENDING SYSTEM user, grants super_admin, and emits USER_BOOTSTRAPPED.
  • AMIE handlers (request_project_create, request_account_create) provision users as PENDING.
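The gated email fallback described above, as an added example that is not the project's code: an in-memory stand-in for the users and user_identities tables, a resolver that first tries the sub binding and only then the email path, and a bootstrap helper that provisions the PENDING SYSTEM admin. All names here (User, Identity, Store, resolve_identity, bootstrap_super_admin, ResolveError) and the case-insensitive email comparison are assumptions for illustration.

```python
"""Added example, not Custos code: gated email fallback for first OIDC sign-in.
Names and the case-insensitive email match are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


class ResolveError(Exception):
    """Raised when the token cannot be mapped to exactly one user."""


@dataclass
class User:
    user_id: str
    email: str
    state: str                 # "PENDING" or "ACTIVE"
    user_type: str = "HUMAN"   # "SYSTEM" for the bootstrap admin


@dataclass
class Identity:
    user_id: str
    oidc_sub: Optional[str]    # NULL for provisioned-but-never-signed-in users


@dataclass
class Store:
    users: dict = field(default_factory=dict)        # user_id -> User
    identities: list = field(default_factory=list)   # user_identities rows
    audit: list = field(default_factory=list)        # (event, user_id, detail)


def bootstrap_super_admin(store: Store, admin_email: str) -> User:
    """Stand-in for BootstrapSuperAdmin: create a PENDING SYSTEM user with a
    NULL oidc_sub row if no user has that email yet (org creation omitted)."""
    for u in store.users.values():
        if u.email.lower() == admin_email.lower():
            return u
    user = User(user_id="bootstrap-admin", email=admin_email,
                state="PENDING", user_type="SYSTEM")
    store.users[user.user_id] = user
    store.identities.append(Identity(user.user_id, None))
    store.audit.append(("USER_BOOTSTRAPPED", user.user_id, admin_email))
    return user


def resolve_identity(store: Store, claims: dict) -> User:
    sub = claims.get("sub")
    if not sub:
        raise ResolveError("token has no sub")

    # Fast path: an existing binding for this sub wins, no email involved.
    for row in store.identities:
        if row.oidc_sub == sub:
            return store.users[row.user_id]

    # Fallback gate 1: only trust an email the IdP has marked as verified.
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise ResolveError("no binding for sub and email is not verified")

    # Fallback gate 2: exactly one PENDING user may match the email.
    candidates = [u for u in store.users.values()
                  if u.state == "PENDING" and u.email.lower() == email.lower()]
    if len(candidates) != 1:
        raise ResolveError(f"expected one PENDING user for email, found {len(candidates)}")
    user = candidates[0]

    # Fallback gate 3: refuse if that user already has any other OIDC binding.
    if any(r.user_id == user.user_id and r.oidc_sub is not None
           for r in store.identities):
        raise ResolveError("user already bound to a different OIDC subject")

    # Link: fill the NULL row if present, otherwise insert a fresh one.
    existing = next((r for r in store.identities if r.user_id == user.user_id), None)
    if existing is None:
        store.identities.append(Identity(user.user_id, sub))
    else:
        existing.oidc_sub = sub
    user.state = "ACTIVE"
    store.audit.append(("IDENTITY_LINKED", user.user_id, sub))
    return user


def demo() -> Store:
    """Constructed scenario: bootstrap an admin, then sign in twice."""
    store = Store()
    bootstrap_super_admin(store, "admin@example.org")
    resolve_identity(store, {"sub": "idp|123", "email": "Admin@example.org",
                             "email_verified": True})
    resolve_identity(store, {"sub": "idp|123"})   # fast path, no new audit
    return store


if __name__ == "__main__":
    s = demo()
    print([e[0] for e in s.audit], s.users["bootstrap-admin"].state)
```

The three refusal points (unverified email, zero or multiple PENDING matches, existing binding) are the whole point of "tightly gated": an attacker who controls an IdP account with an unverified email claim, or whose email collides with an already ACTIVE or already bound user, gets an error rather than a silent link.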
