Support admin assignment via OIDC group or role claim #965

@jgoedeke

Problem:
Currently, there is no way to automatically assign Kutt admin privileges to users based on a group or role claim from an OIDC (OpenID Connect) identity provider (such as Azure Entra ID, Auth0, Keycloak, etc). Admin status can only be set locally, and OIDC login only matches the email claim. As a result, organizations cannot leverage IdP group or app role assignment for admin user management.

Proposed Solution:

  • Add configuration options (e.g., OIDC_ADMIN_GROUP and/or OIDC_ROLE_CLAIM) that allow Kutt to assign the admin role to users who present a specific group or role claim via OIDC during login.
  • Administrator group/role assignment should be checked both for new users (on first login) and on every authentication (to allow removing admin if the group/role is removed in the IdP).

Expected Usage Scenario:

  • IdP (e.g. Azure Entra) issues claim roles or groups.
  • If the configured value is present in that claim, the user is marked as admin.

Benefit:

  • Enable unified identity management and automated admin assignment using standard IdP features.
  • Reduce manual effort, increase security, and support enterprise integration.

References:
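
The check proposed in this issue, sketched as an added example that is not part of the original post and not Kutt's code: it maps an already-validated ID token's claims to an admin decision and re-evaluates it on every login. The `roleClaim` and `adminGroup` options mirror the proposed `OIDC_ROLE_CLAIM` and `OIDC_ADMIN_GROUP` settings; the function names, the `user.isAdmin` field and the sample values are assumptions.

```javascript
// Added example, not Kutt's code. roleClaim/adminGroup mirror the settings
// proposed in the issue; function names and user.isAdmin are hypothetical.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Look up a claim. Try the literal name first (namespaced claims are URLs
// containing dots), then a dotted path such as "realm_access.roles".
function readClaim(claims, name) {
  if (claims === null || typeof claims !== "object") return undefined;
  if (own(claims, name)) return claims[name];
  let node = claims;
  for (const key of name.split(".")) {
    if (node === null || typeof node !== "object" || !own(node, key)) return undefined;
    node = node[key];
  }
  return node;
}

// IdPs send a single string or an array; anything else counts as no values.
function claimValues(raw) {
  if (typeof raw === "string") return [raw];
  return Array.isArray(raw) ? raw.filter((v) => typeof v === "string") : [];
}

// claims must come from an ID token the OIDC library has already validated
// (signature, issuer, audience, expiry). Returns null when not configured.
function adminFromClaims(claims, { roleClaim, adminGroup } = {}) {
  if (!roleClaim || !adminGroup) return null;
  // Exact match on a whole value, never a substring or prefix test.
  return claimValues(readClaim(claims, roleClaim)).includes(adminGroup);
}

// Call on every login, so removing the group in the IdP also demotes locally.
function syncAdmin(user, claims, config) {
  const decision = adminFromClaims(claims, config);
  if (decision === null || decision === user.isAdmin) return { user, changed: false };
  return { user: { ...user, isAdmin: decision }, changed: true };
}
```

When the options are unset, `syncAdmin` leaves locally assigned admin status untouched, so existing deployments keep their current behaviour.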