From 08720a43c13c974a07483e324bd43ea4813f7bd9 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 22 Sep 2025 20:27:01 +0200
Subject: [PATCH] feat(web-app-openwebui): enable OIDC role-based admin mapping Activate ENABLE_OAUTH_ROLE_MANAGEMENT and configure OAUTH_ROLES_CLAIM from RBAC.GROUP.CLAIM. Define OAUTH_ADMIN_ROLES dynamically based on RBAC group and application administrator naming convention. Conversation: https://chatgpt.com/share/68d18e02-d6b8-800f-aaab-920c61b9284a
---
 roles/web-app-openwebui/templates/env.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/web-app-openwebui/templates/env.j2 b/roles/web-app-openwebui/templates/env.j2
index 23d333b2..d1ee056e 100644
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
@@ -35,10 +35,10 @@ OAUTH_SCOPES=openid email profile
 # Optional: Role Management
 # =========================
 # Enable automatic role mapping from token claims
-# ENABLE_OAUTH_ROLE_MANAGEMENT=true
-# OAUTH_ROLES_CLAIM=roles
+ENABLE_OAUTH_ROLE_MANAGEMENT=true
+OAUTH_ROLES_CLAIM={{ RBAC.GROUP.CLAIM }}
 # OAUTH_ALLOWED_ROLES=user
-# OAUTH_ADMIN_ROLES=admin
+OAUTH_ADMIN_ROLES={{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}
 # =========================
 # Optional: Group Management
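Review bot: `OAUTH_ALLOWED_ROLES` is left commented out directly below the newly enabled `ENABLE_OAUTH_ROLE_MANAGEMENT=true`, so the non-admin mapping falls back to Open WebUI's built-in default list, which is unlikely to match the group-path style values that `{{ RBAC.GROUP.CLAIM }}` carries; users outside the administrator group would then presumably land on the default role at every login. Either set it explicitly to the intended non-admin group or state the fallback in a comment, e.g. `# Non-admin users are not mapped by claim; they receive DEFAULT_USER_ROLE`. The admin match appears to be an exact string comparison, so it is worth confirming that the rendered `path_join` value has the same form (leading slash, case) as what the identity provider emits in the claim; a mismatch fails closed but silently, leaving nobody mapped to admin. Since this line now decides who becomes admin in the application, a short comment above `OAUTH_ADMIN_ROLES` naming the expected rendered value would make the mapping auditable without evaluating the template.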