Bootstrap admin user and link upstream-provisioned users on first OID…#512
Draft
lahirujayathilake wants to merge 10 commits into
Closes #511
Today the resolver only accepts OIDC sign-ins for users that already have a matching `user_identities` row with an `oidc_sub`. That leaves two paths broken: the bootstrap super-admin (created from an env var, never has an OIDC binding) and every AMIE-provisioned user (the handler creates the user with `oidc_sub` NULL). Both require an admin to hand-insert a row before the user can sign in.

- `PENDING` user lifecycle state and `SYSTEM` user type. Provisioners (bootstrap, AMIE) write `PENDING`; the resolver flips to `ACTIVE` once the user signs in.
- When the JWT's `sub` has no binding, the resolver checks the JWT's `email`/`email_verified`, matches a single `PENDING` user by email, refuses if that user has any other OIDC binding already, then inserts the binding, sets the user `ACTIVE`, and emits an `IDENTITY_LINKED` audit event.
- `BootstrapSuperAdmin` self-contained - if `CUSTOS_BOOTSTRAP_ADMIN_EMAIL` points at a missing user, the bootstrap path creates the `system` org + a `PENDING` `SYSTEM` user, grants `super_admin`, and emits `USER_BOOTSTRAPPED`.
- The AMIE handlers (`request_project_create`, `request_account_create`) provision users as `PENDING`.
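The first-sign-in linking rule described above, as an added illustration rather than the PR's own code: an in-memory Python resolver that binds a JWT with a verified email to exactly one `PENDING` user and refuses every other case (unverified email, zero or several matches, or a `PENDING` user that already carries a binding). The `User`/`Identity` dataclasses, the `audit` list and the `LinkRefused` exception are assumptions; the state names, claim names and audit event follow the description.

```python
from dataclasses import dataclass

# Constructed in-memory stand-ins for the users and user_identities tables.
@dataclass
class User:
    user_id: str
    email: str
    state: str  # "PENDING" or "ACTIVE"

@dataclass
class Identity:
    user_id: str
    oidc_sub: str

class LinkRefused(Exception):
    """Raised when the claims cannot be safely bound to a PENDING user."""

def resolve_oidc_user(claims, users, identities, audit):
    """Return the user for this JWT, linking a PENDING user on first sign-in."""
    sub = claims["sub"]
    # Fast path: an existing binding for this sub wins; email is never consulted.
    for ident in identities:
        if ident.oidc_sub == sub:
            return next(u for u in users if u.user_id == ident.user_id)
    # No binding: only a verified email may be used to pick a PENDING user.
    # Anything other than boolean True is treated as unverified.
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise LinkRefused("no binding for sub and email is not verified")
    matches = [u for u in users if u.state == "PENDING" and u.email == email]
    if len(matches) != 1:
        raise LinkRefused(f"expected exactly one PENDING user for email, got {len(matches)}")
    user = matches[0]
    # Refuse if that PENDING user already has any other OIDC binding.
    if any(i.user_id == user.user_id for i in identities):
        raise LinkRefused("PENDING user is already bound to another sub")
    # Link, activate, and record the IDENTITY_LINKED audit event.
    identities.append(Identity(user.user_id, sub))
    user.state = "ACTIVE"
    audit.append({"event": "IDENTITY_LINKED", "user_id": user.user_id, "sub": sub})
    return user
```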