From 7fa291789625c5eacac2c0dd352b69feb999057f Mon Sep 17 00:00:00 2001
From: Copilot
Date: Mon, 2 Mar 2026 13:02:25 -0800
Subject: [PATCH] docs(admin): document OIDC security.toml configuration

---
 weed/admin/README.md                | 31 ++++++++++++++++++++++++++++-
 weed/command/scaffold/security.toml | 27 +++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/weed/admin/README.md b/weed/admin/README.md
index ce36f773d..d6777a4f1 100644
--- a/weed/admin/README.md
+++ b/weed/admin/README.md
@@ -139,6 +139,9 @@ weed admin -port=8080 -masters="master1:9333,master2:9333"
 # Start with authentication
 weed admin -adminUser=admin -adminPassword=secret123
+# Start with OIDC authentication (configured in security.toml)
+weed admin
+
+# Start with HTTPS
 weed admin -port=443 -tlsCert=/path/to/cert.pem -tlsKey=/path/to/key.pem
 ```
@@ -154,6 +157,32 @@ weed admin -port=443 -tlsCert=/path/to/cert.pem -tlsKey=/path/to/key.pem
 | `-tlsCert` | "" | Path to TLS certificate |
 | `-tlsKey` | "" | Path to TLS private key |
+### OIDC Authentication (security.toml)
+
+The admin UI supports OIDC authorization code flow on the same login page as local credentials.
+Configure it in `security.toml`:
+
+```toml
+[admin.oidc]
+enabled = true
+issuer = "https://idp.example.com/realms/seaweed"
+client_id = "seaweedfs-admin-ui"
+client_secret = "your-client-secret"
+redirect_url = "https://admin.example.com/login/oidc/callback"
+scopes = ["openid", "profile", "email"]
+
+[admin.oidc.role_mapping]
+default_role = "readonly"
+
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-admin"
+role = "admin"
+```
+
+Role mapping must resolve to either `admin` or `readonly`.
+OIDC sessions are capped to the ID token expiration time.
+
 ### Docker Usage
+
+```bash
@@ -214,7 +243,7 @@ make fmt
 ### Security Considerations
-1. **Authentication**: Always set `adminPassword` in production
+1. **Authentication**: Use strong local credentials and/or OIDC with strict role mapping
 2. **HTTPS**: Use TLS certificates for encrypted connections
 3. **Firewall**: Restrict admin interface access to authorized networks
diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml
index b47549a94..32681637b 100644
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -165,6 +165,33 @@ cert = ""
 key = ""
 ca = ""
+# Admin UI OIDC authentication (authorization code flow)
+# If enabled=true, users can sign in with OIDC on /login.
+# Session duration is capped to the ID token expiration.
+[admin.oidc]
+enabled = false
+issuer = "https://idp.example.com/realms/seaweed"
+client_id = "seaweedfs-admin-ui"
+client_secret = ""
+redirect_url = "https://admin.example.com/login/oidc/callback"
+scopes = ["openid", "profile", "email"]
+jwks_uri = "" # optional override; defaults from OIDC discovery
+tls_ca_cert = "" # optional absolute path for custom CA bundle
+tls_insecure_skip_verify = false # testing only; do not use in production
+
+[admin.oidc.role_mapping]
+default_role = "readonly"
+
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-admin"
+role = "admin"
+
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-readonly"
+role = "readonly"
+
 # white list. It's checking request ip address.
 [guard]
 white_list = ""
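Review bot: The `default_role = "readonly"` key under `[admin.oidc.role_mapping]` carries no comment, so a reader of the scaffold cannot tell that it is presumably the role handed to every IdP-authenticated user who matches none of the rules below, which is the single value that decides how wide readonly access to the admin UI becomes once `enabled = true`. Suggest a line above it: `# Role for authenticated users that match no rule below; must be "admin" or "readonly"` (the admin/readonly constraint is stated in the README hunk of this same patch). `client_secret = ""` would likewise benefit from `# required once enabled = true; restrict read access to this file to the admin process`, and `redirect_url` from a note that it must match the redirect URI registered at the IdP exactly, since a mismatch fails at the callback rather than on the login page. Whether `claim`/`value` compares a scalar string or checks membership of a list-valued `groups` claim is not visible in this hunk and should be confirmed against the loader before that comment is worded.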