OIDC Admin Group assigment in Docker Compose file

[s-juozaitis]

Describe the bug
Currently the OIDC have admin group hard coded in /var/www/config/config.php file as group name "filerise-admins" for the hacker it is easy target. During OIDC authentication JWT payload can inject user group to "filerise-admins" to access admin rights.

To Reproduce
Steps to reproduce the behavior:

1. Go to '/var/www/config/config.php'
2. Line '76'
3. 'define('FR_OIDC_ADMIN_GROUP', 'filerise-admins');'
4. See error

Advice to change to docker compose environment values to determent admin group:
#FR_OIDC_AUTO_CREATE: "true/false"
#FR_OIDC_GROUP_CLAIM: "groups"
#FR_OIDC_ADMIN_GROUP: "....."
#FR_OIDC_ALLOW_DEMOTE: "true/false"

1. Go to '/var/www/config/config.php'
2. Line '76'
3. Replace to 'define('FR_OIDC_ADMIN_GROUP', getenv('FR_OIDC_ADMIN_GROUP') ?: '');'

[error311]

Thanks for the report. The admin group name in config.php isn’t a secret, it’s just a policy string. OIDC tokens are verified (signature + issuer), so a user can’t simply “inject” a group claim unless they can forge a valid token or the IdP is misconfigured/compromised. If the IdP issues a token that says the user is in the admin group, then they are admin by design which that remains true regardless of what the group is named.

The real control is on the IdP side: ensure only trusted admins can be assigned to the admin group and that tokens are properly signed. Changing the default group name doesn’t prevent escalation if the IdP can be abused.

That said, using env vars is a nice configurability improvement.