feat(oidc): automatic admin mapping based on OIDC group claims

[gaetan-steininger]

This Pull Request introduces a new feature that automatically maps administrative users based on group information provided in OIDC claims.

This PR extends the existing OIDC integration by leveraging group claims to determine admin privileges dynamically, removing the need for manual admin assignment.

How It Works

Adding 2 options in the oidc_providers config:

• groups_claim: the name of the claim with user groups in the claims
• admin_group: the name of the admin group

If the admin_group is included in the user’s groups, the user is promoted to admin upon login; otherwise, the user is assigned a regular user role.

Full config example with gitlab app

{
  "sqlite": {
    "host": "/tmp/database.sqlite"
  },
  "dialect": "sqlite",
  "tmp_path": "/tmp/semaphore",
  "web_host": "http://127.0.0.1:3000",
  "cookie_hash": "************",
  "cookie_encryption": "**************",
  "access_key_encryption": "***************",
  "port": "3000",
  "interface": "127.0.0.1",
  "oidc_providers": {
    "gitlab": {
      "display_name": "Gitlab",
      "provider_url": "https://gitlab.com",
      "client_id": "******************",
      "client_secret": "***********************",
      "redirect_url": "http://127.0.0.1:3000/api/auth/oidc/gitlab/redirect",
      "groups_claim": "groups_direct",
      "admin_group": "myadmingroup"
    }
  }
}

[fiftin]

Hi! Thank you for PR. Reviewing.

[Copilot]

Pull request overview

This pull request introduces automatic admin privilege assignment for OIDC-authenticated users based on group claims. The feature allows administrators to configure an admin group name in the OIDC provider settings, and users who are members of that group will automatically receive admin privileges upon login.

Changes:

• Added groups_claim and admin_group configuration options to OIDC providers
• Extended the ClaimsProvider interface with methods to check admin mapping status and validate admin group membership
• Modified the login flow to automatically set admin status based on group claims during OIDC authentication
• Implemented stub methods for LDAP to maintain interface compatibility (LDAP admin mapping not supported)

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File	Description
util/OdbcProvider.go	Added new config fields (GroupsClaim, AdminGroup) and implemented ClaimsProvider interface methods for admin group checking
util/config.go	Added stub implementations of ClaimsProvider methods to LdapMappings to satisfy interface requirements
api/login.go	Extended claimResult struct with admin field, integrated admin checking into claims parsing, and added user update logic to persist admin status

[gaetan-steininger]

Hi,

Review fixes:

• Added missing unit test
• Fix grammatical error
• Improvement of comments
• Add an explanation of why group‑name comparisons are case‑sensitive
• Added debug logs for groups claim
• Set admin flag correctly without redundant updates

Thanks for the review!